Kathy_9
Premium Member
2015-Jan-28 6:39 pm
[Virus] Windows Control Processor Virus - Possibly Conhost?
Adding all attachments to this post in case it makes it easier.
mbam012715.txt 1970 bytes
mbam012815.txt 1069 bytes
AdwCleaner[S7].txt 3514 bytes
OTL.Txt 125944 bytes
Extras.Txt 134718 bytes
checkup.txt 1040 bytes
export_eset.txt 1189 bytes
I got hit yesterday evening and disconnected from the internet and ran Malwarebytes and Adwcleaner.
This morning I came here and read the pre-cleaning criteria and performed the required scans.
I'd like to make sure I'm clean and everything is fixed.
Thanks.
I ran Temp File Cleaner.
Here's yesterday & today's Malwarebytes logs:
Malwarebytes Anti-Malware www.malwarebytes.org
Scan Date: 1/27/2015 Scan Time: 6:49:05 PM Logfile: mbam012715.txt Administrator: Yes
Version: 2.00.4.1028 Malware Database: v2015.01.21.06 Rootkit Database: v2015.01.14.01 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled
OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: Kathy
Scan Type: Threat Scan Result: Completed Objects Scanned: 477641 Time Elapsed: 21 min, 44 sec
Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Warn PUM: Enabled
Processes: 0 (No malicious items detected)
Modules: 4
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
Registry Keys: 0 (No malicious items detected)
Registry Values: 1 IPH.Trojan.Clicker.W7, HKU\S-1-5-21-3953604979-3912728852-2169977925-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|jfsfoiplafba, regsvr32.exe /s "C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll", Quarantined, [0cfec733e0a9e74f3aa0af518f718d73]
Registry Data: 0 (No malicious items detected)
Folders: 0 (No malicious items detected)
Files: 1 IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
Physical Sectors: 0 (No malicious items detected)
(end)
Malwarebytes Anti-Malware www.malwarebytes.org
Scan Date: 1/28/2015 Scan Time: 10:52:17 AM Logfile: mbam012815.txt Administrator: Yes
Version: 2.00.4.1028 Malware Database: v2015.01.28.07 Rootkit Database: v2015.01.14.01 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled
OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: Kathy
Scan Type: Custom Scan Result: Completed Objects Scanned: 895938 Time Elapsed: 3 hr, 35 min, 38 sec
Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled
Processes: 0 (No malicious items detected)
Modules: 0 (No malicious items detected)
Registry Keys: 0 (No malicious items detected)
Registry Values: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Folders: 0 (No malicious items detected)
Files: 0 (No malicious items detected)
Physical Sectors: 0 (No malicious items detected)
(end)
Kathy_9
Premium Member
2015-Jan-28 6:40 pm
Re: Windows Control Processor Virus?
Here's AdwCleaner:
# AdwCleaner v4.109 - Report created 27/01/2015 at 18:38:03
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Kathy - KATHY-HP
# Running from : C:\Users\Kathy\Documents\Security\adwcleaner_4.109.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Deleted : C:\Program Files (x86)\Coupons
Folder Deleted : C:\Users\Kathy\AppData\LocalLow\HPAppData
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\B696D3C37BD0D6C33A65D38BEC459181
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\B696D3C37BD0D6C33A65D38BEC459181
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B696D3C37BD0D6C33A65D38BEC459181
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:21320
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17496
-\\ Mozilla Firefox v35.0.1 (x86 en-US)
*************************
AdwCleaner[R0].txt - [4390 octets] - [16/01/2014 10:11:07]
AdwCleaner[R10].txt - [3137 octets] - [28/12/2014 13:42:57]
AdwCleaner[R11].txt - [3540 octets] - [27/01/2015 18:35:09]
AdwCleaner[R1].txt - [4187 octets] - [26/03/2014 12:54:37]
AdwCleaner[R2].txt - [4247 octets] - [26/03/2014 13:12:48]
AdwCleaner[R3].txt - [1334 octets] - [14/05/2014 11:16:32]
AdwCleaner[R4].txt - [1260 octets] - [10/06/2014 10:31:12]
AdwCleaner[R5].txt - [1536 octets] - [15/07/2014 12:00:27]
AdwCleaner[R6].txt - [2090 octets] - [23/08/2014 07:10:47]
AdwCleaner[R7].txt - [3125 octets] - [28/09/2014 06:29:20]
AdwCleaner[R8].txt - [2796 octets] - [22/10/2014 13:24:13]
AdwCleaner[R9].txt - [3914 octets] - [17/12/2014 08:14:21]
AdwCleaner[S0].txt - [4565 octets] - [16/01/2014 10:22:09]
AdwCleaner[S1].txt - [4285 octets] - [26/03/2014 13:13:52]
AdwCleaner[S2].txt - [1405 octets] - [14/05/2014 11:17:21]
AdwCleaner[S3].txt - [1324 octets] - [10/06/2014 10:33:25]
AdwCleaner[S4].txt - [1607 octets] - [15/07/2014 12:01:34]
AdwCleaner[S5].txt - [3186 octets] - [28/09/2014 06:50:09]
AdwCleaner[S6].txt - [3160 octets] - [28/12/2014 13:52:17]
AdwCleaner[S7].txt - [3362 octets] - [27/01/2015 18:38:03]
########## EOF - C:\AdwCleaner\AdwCleaner[S7].txt - [3422 octets] ##########
Kathy_9
Premium Member
2015-Jan-28 6:41 pm
Here's OTL:
OTL logfile created on: 1/28/2015 2:33:17 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathy\Desktop\cleanup tools
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17501)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation) FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.14\npapicomadapter.dll (Oberon-Media ) FF - HKLM\Software\MozillaPlugins\@rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5: C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP) FF - 
HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.) FF - HKCU\Software\MozillaPlugins\@hulu.com/Hulu Desktop: C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.11.1\npHDPlg.dll ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/07/17 14:02:00 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn\ [2015/01/28 10:23:27 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files (x86)\McAfee\SiteAdvisor [2015/01/28 10:22:34 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2015/01/27 20:04:57 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2015/01/27 20:04:57 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/07/17 14:02:00 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2015/01/27 20:04:57 | 000,000,000 | ---D | M] FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2015/01/27 20:04:57 | 000,000,000 | ---D | M]
[2014/03/16 06:28:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Extensions [2015/01/17 08:38:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions [2013/01/16 18:25:36 | 000,000,000 | ---D | M] (HP Detect) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2} [2014/09/05 19:03:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014/11/29 07:08:57 | 000,000,000 | ---D | M] ("Default Theme Engine - Personas Interactive") -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\btpersonas@brandthunder.com [2015/01/13 19:17:30 | 000,127,486 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\elemhidehelper@adblockplus.org.xpi [2014/10/06 19:07:34 | 000,051,082 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi [2014/05/03 17:47:41 | 000,348,260 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\personas@christopher.beard.xpi [2014/10/17 09:02:15 | 000,023,913 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\the-addon-bar@GeekInTraining-GiT.xpi [2014/05/02 11:05:17 | 000,222,800 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}.xpi [2015/01/17 08:38:43 | 000,544,332 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi 
[2013/11/28 17:44:22 | 000,058,723 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{9dfaef2c-b772-4bde-b5fc-1f69bd105c17}.xpi [2014/10/01 06:49:36 | 000,071,151 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{af79f858-4b25-4ca4-822b-b5db1be628fc}.xpi [2012/05/05 06:51:22 | 000,042,737 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}.xpi [2015/01/14 19:17:30 | 000,985,112 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012/01/21 13:51:42 | 000,138,614 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2014/10/30 06:14:36 | 000,304,000 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2015/01/27 20:04:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions [2015/01/27 20:05:03 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2015/01/28 10:22:34 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES (X86)\MCAFEE\SITEADVISOR [2009/11/06 10:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll [2009/11/06 10:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll
O1 HOSTS File: ([2015/01/27 20:12:36 | 000,450,892 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts O1 - Hosts: 127.0.0.1 www.007guard.com O1 - Hosts: 127.0.0.1 007guard.com O1 - Hosts: 127.0.0.1 008i.com O1 - Hosts: 127.0.0.1 www.008k.com O1 - Hosts: 127.0.0.1 008k.com O1 - Hosts: 127.0.0.1 www.00hq.com O1 - Hosts: 127.0.0.1 00hq.com O1 - Hosts: 127.0.0.1 010402.com O1 - Hosts: 127.0.0.1 www.032439.com O1 - Hosts: 127.0.0.1 032439.com O1 - Hosts: 127.0.0.1 www.0scan.com O1 - Hosts: 127.0.0.1 0scan.com O1 - Hosts: 127.0.0.1 www.1000gratisproben.com O1 - Hosts: 127.0.0.1 1000gratisproben.com O1 - Hosts: 127.0.0.1 1001namen.com O1 - Hosts: 127.0.0.1 www.1001namen.com O1 - Hosts: 127.0.0.1 100888290cs.com O1 - Hosts: 127.0.0.1 www.100888290cs.com O1 - Hosts: 127.0.0.1 www.100sexlinks.com O1 - Hosts: 127.0.0.1 100sexlinks.com O1 - Hosts: 127.0.0.1 www.10sek.com O1 - Hosts: 127.0.0.1 10sek.com O1 - Hosts: 127.0.0.1 www.1-2005-search.com O1 - Hosts: 127.0.0.1 1-2005-search.com O1 - Hosts: 127.0.0.1 www.123fporn.info O1 - Hosts: 15473 more lines... O2:64bit: - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coieplg.dll (Symantec Corporation) O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.) 
O2:64bit: - BHO: (HP Network Check Helper) - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard) O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coieplg.dll (Symantec Corporation) O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\ips\ipsbho.dll (Symantec Corporation) O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O2 - BHO: (HP Network Check Helper) - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard) O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.) O3:64bit: - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coieplg.dll (Symantec Corporation) O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) 
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coieplg.dll (Symantec Corporation) O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coieplg.dll (Symantec Corporation) O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coieplg.dll (Symantec Corporation) O4:64bit: - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard) O4:64bit: - HKLM..\Run: [NvBackend] C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe (NVIDIA Corporation) O4:64bit: - HKLM..\Run: [ShadowPlay] C:\Windows\SysNative\nvspcap64.dll (NVIDIA Corporation) O4 - HKLM..\Run: [] File not found O4 - HKLM..\Run: [Fitbit Connect] C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe (Fitbit, Inc.) O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation) O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.) O4 - HKCU..\Run: [f.lux] C:\Users\Kathy\AppData\Local\FluxSoftware\Flux\flux.exe (Flux Software LLC) O4 - HKCU..\Run: [Fitbit Connect] C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe (Fitbit, Inc.) O4:64bit: - HKLM..\RunOnce: [NCPluginUpdater] C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe (Hewlett-Packard) O4 - Startup: C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Kathy\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.) 
O4 - Startup: C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Christmas Market.lnk = File not found O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.) O9:64bit: - Extra Button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard) O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard) O9 - Extra Button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard) O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe 
(Hewlett-Packard) O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O1364bit: - gopher Prefix: missing O13 - gopher Prefix: missing O16:64bit: - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8CD70BC0-E643-41B1-8904-BF7838CC2632}: DhcpNameServer = 192.168.1.1 O18:64bit: - Protocol\Handler\belarc - No CLSID value found O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.) O18:64bit: - Protocol\Handler\livecall - No CLSID value found O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O18:64bit: - Protocol\Handler\msnim - No CLSID value found O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.) O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found O18:64bit: - Protocol\Handler\wlpg - No CLSID value found O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.) O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) O18 - Protocol\Handler\gopher - No CLSID value found O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.) 
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found. O32 - HKLM CDRom: AutoRun - 1 O33 - MountPoints2\{41291a6d-2b9c-11e3-a6a4-6c626d02a10d}\Shell - "" = AutoRun O33 - MountPoints2\{41291a6d-2b9c-11e3-a6a4-6c626d02a10d}\Shell\AutoRun\command - "" = M:\OpenSecureFiles.exe O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
========== Files/Folders - Created Within 30 Days ==========
[2015/01/28 09:17:57 | 000,000,000 | ---D | C] -- C:\Users\Kathy\Desktop\cleanup tools
[2015/01/28 09:04:55 | 000,000,000 | ---D | C] -- C:\Users\Kathy\Desktop\Cleanup
[2015/01/27 20:04:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2015/01/25 19:54:12 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2015/01/25 19:33:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSECache
[2015/01/13 23:05:40 | 000,052,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TSWbPrxy.exe
[2015/01/13 23:05:39 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ncsi.dll
[2015/01/13 23:05:37 | 005,553,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2015/01/13 23:05:37 | 003,971,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2015/01/13 23:05:37 | 003,916,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2015/01/13 23:05:36 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2015/01/13 23:05:36 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rstrui.exe
[2015/01/13 23:05:36 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srclient.dll
[2015/01/09 10:18:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Corel PaintShop Pro X7
[2014/12/31 10:50:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MAGIX Services
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2015/01/28 14:03:10 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2015/01/28 14:00:01 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2015/01/28 10:52:17 | 000,129,752 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/01/28 10:33:14 | 000,021,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/01/28 10:33:14 | 000,021,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/01/28 10:24:10 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2015/01/28 10:23:08 | 000,000,332 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForKathy.job
[2015/01/28 10:22:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/01/28 10:22:37 | 2115,301,375 | -HS- | M] () -- C:\hiberfil.sys
[2015/01/27 20:12:36 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2015/01/27 20:00:04 | 000,786,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/01/27 20:00:04 | 000,665,304 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/01/27 20:00:04 | 000,123,112 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/01/27 19:43:49 | 000,001,095 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Christmas Market.lnk
[2015/01/27 19:41:11 | 000,532,688 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2015/01/25 06:03:08 | 000,701,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2015/01/25 06:03:08 | 000,071,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2015/01/21 10:47:30 | 000,001,298 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
[2015/01/21 08:12:47 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20150127-201236.backup
[2015/01/14 17:41:43 | 000,001,139 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2015/01/11 20:15:31 | 000,001,253 | ---- | M] () -- C:\Users\Kathy\Desktop\clipbrd.lnk
[2014/12/31 10:50:24 | 000,000,544 | ---- | M] () -- C:\Windows\tasks\PCDRScheduledMaintenance.job
[2014/12/31 08:38:40 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20150121-081247.backup
[2014/12/31 08:37:45 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20141231-083839.backup
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]
========== Files Created - No Company Name ==========
[2015/01/27 19:48:59 | 000,000,332 | ---- | C] () -- C:\Windows\tasks\HPCeeScheduleForKathy.job
[2015/01/27 19:40:47 | 000,532,688 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2015/01/11 20:14:57 | 000,001,253 | ---- | C] () -- C:\Users\Kathy\Desktop\clipbrd.lnk
[2015/01/08 11:00:46 | 000,001,139 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2014/12/14 12:20:14 | 000,000,218 | ---- | C] () -- C:\Users\Kathy\AppData\Local\recently-used.xbel
[2014/12/02 10:11:34 | 000,000,056 | RHS- | C] () -- C:\Windows\SysWow64\06D81F1B6D.sys
[2014/12/02 10:03:46 | 000,003,350 | -HS- | C] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2014/07/30 09:02:59 | 000,775,967 | ---- | C] () -- C:\Users\Kathy\Apo7X-140730-3.png
[2014/07/30 09:02:53 | 000,002,807 | ---- | C] () -- C:\Users\Kathy\renders7X.flame
[2014/06/29 09:34:37 | 000,000,184 | ---- | C] () -- C:\Users\Kathy\AppData\Local\atidt64.dll
[2014/04/30 18:47:48 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\issacapi_bs-2.3.dll
[2014/04/30 18:47:48 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\issacapi_pe-2.3.dll
[2014/04/30 18:47:48 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\issacapi_se-2.3.dll
[2014/04/30 18:47:48 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2014/04/30 18:47:46 | 000,974,848 | ---- | C] () -- C:\Windows\SysWow64\cis-2.4.dll
[2014/04/11 13:21:53 | 000,001,099 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\ShiftN.ini
[2014/02/20 15:59:21 | 000,121,019 | ---- | C] () -- C:\Windows\POS Themes Backgrounds (Fireworks Pack) Uninstaller.exe
[2013/08/24 08:47:10 | 000,000,131 | RHS- | C] () -- C:\Windows\FF3STET.BIN
[2013/07/05 09:31:55 | 000,000,000 | ---- | C] () -- C:\Windows\Graffiti5.3.ini
[2012/12/19 18:53:02 | 000,000,917 | ---- | C] () -- C:\Users\Kathy\My Photo Stuff - Shortcut.lnk
[2012/12/17 07:48:25 | 000,004,943 | ---- | C] () -- C:\ProgramData\pyknfeyt.slj
[2012/10/20 08:54:20 | 000,048,441 | ---- | C] () -- C:\Users\Kathy\.TransferManager.db
[2012/04/01 08:44:19 | 000,000,310 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\FotoSketcher.ini
[2010/07/24 14:59:06 | 000,007,598 | ---- | C] () -- C:\Users\Kathy\AppData\Local\Resmon.ResmonCfg
[2010/07/17 09:00:17 | 000,052,224 | ---- | C] () -- C:\Users\Kathy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/17 08:57:43 | 000,008,402 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/07/17 08:57:43 | 000,000,088 | RHS- | C] () -- C:\ProgramData\E651D35387.sys
========== ZeroAccess Check ==========
[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 21:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2014/06/24 20:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 07:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
========== LOP Check ==========
[2012/09/19 17:10:30 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\.oit
[2014/06/16 13:32:45 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Alien Skin
[2012/06/30 06:35:58 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Anthropics
[2014/03/04 11:42:14 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\AnvSoft
[2014/06/10 10:02:44 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\ArcticLine
[2014/09/30 06:39:24 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\ASAP Utilities
[2014/08/06 09:34:37 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Ashampoo
[2013/08/24 08:39:00 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Athentech
[2014/02/22 11:37:28 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Avant Downloader
[2011/07/16 17:46:36 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2013/08/23 06:22:29 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.comcast.callerid
[2013/08/22 09:16:47 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
[2014/11/23 19:21:21 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.jacquielawson.marketadventcalendar2014
[2011/12/18 19:40:27 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.prakaz.project.photogettr.FBAB9E68ED32BC183252F597C39DBF71CF315A79.1
[2015/01/28 10:25:07 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Dropbox
[2011/02/05 20:59:34 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge 2
[2014/05/11 08:55:26 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge 4
[2010/10/05 17:10:01 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 1 - Metals
[2011/06/12 07:59:17 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 2 - Photo Effects
[2011/07/08 18:13:33 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 3 - Frames
[2010/09/04 16:42:47 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 4 - Distortions
[2011/06/12 07:57:35 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 5 - Hearts
[2011/06/12 08:14:53 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 6 - Patterns
[2014/04/10 18:27:31 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Foxit Software
[2011/12/25 07:47:06 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\FUJIFILM
[2014/12/20 20:34:50 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\inkscape
[2014/09/26 09:55:56 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\IrfanView
[2014/04/22 08:35:46 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Jasc
[2014/08/11 09:44:50 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\KC Softwares
[2014/08/13 06:47:30 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\MAGIX
[2012/02/15 19:56:56 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\mehdiplugins
[2014/03/21 10:55:01 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Nik Software
[2014/07/03 18:32:00 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Oberon Media
[2015/01/18 09:18:29 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\onOne Software
[2014/10/08 08:19:15 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Oracle
[2014/05/10 08:27:46 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PearlMountain
[2010/11/27 13:31:20 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PhotoFiltre
[2015/01/09 10:11:10 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PhotoScape
[2011/07/16 16:48:57 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1
[2010/07/16 16:04:01 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PictureMover
[2011/03/12 15:16:54 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Picturenaut
[2014/09/23 09:51:55 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Pixarra
[2011/11/14 12:11:30 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\proDAD
[2014/08/15 14:52:45 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Recolored
[2014/12/10 11:29:08 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Samsung
[2012/01/03 20:06:25 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\SystemRequirementsLab
[2013/12/05 20:26:46 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\ThePluginSite
[2013/07/05 14:32:19 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Ulead Systems
[2014/04/10 10:13:50 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Visan
[2014/06/04 09:32:33 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Windows Live Writer
[2014/07/09 14:48:00 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Zoner
[color=#E56717]========== Purity Check ==========[/color]
[color=#E56717]========== Alternate Data Streams ==========[/color]
@Alternate Data Stream - 354 bytes -> C:\ProgramData\Temp:B34A7CD6
@Alternate Data Stream - 193 bytes -> C:\ProgramData\Temp:F8B88761
@Alternate Data Stream - 188 bytes -> C:\ProgramData\Temp:5CB1E0D3
@Alternate Data Stream - 153 bytes -> C:\ProgramData\Temp:BFE23423
@Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:810B9F0D
@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:89EAFAFC
Kathy_9
Premium Member
2015-Jan-28 6:46 pm
Here's Extras: Attaching per forum request as it exceeds 65K.
Kathy_9
Premium Member
2015-Jan-28 6:47 pm
Here's Security Check:
Results of screen317's Security Check version 0.99.95
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
[u]``````````````Antivirus/Firewall Check:``````````````[/u]
Windows Firewall Enabled!
Norton Internet Security
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
[u]`````````Anti-malware/Other Utilities Check:`````````[/u]
MVPS Hosts File
SpywareBlaster 5.0
Spybot - Search & Destroy
McAfee SiteAdvisor
Secunia PSI (3.0.0.3001)
Java 7 Update 71
[color=green] Java 64-bit 8 Update 31[/color]
Adobe Flash Player 16.0.0.296
Mozilla Firefox (Meeting.)
[u]````````Process Check: objlist.exe by Laurent````````[/u]
[color=red]Spybot Teatimer.exe is disabled![/color]
Online Games Manager ogmservice.exe
[u]`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C: 0%
[u]````````````````````End of Log``````````````````````[/u]
Kathy_9
Premium Member
2015-Jan-28 6:48 pm
Here's Eset Online Scan:
C:\Users\All Users\comcastModemRelease\dtuser.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSS.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSHelper.dll a variant of Win32/Systweak.N potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe a variant of Win32/Systweak potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSSystemCleaner.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\ProgramData\comcastModemRelease\dtuser.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application deleted - quarantined

TheJoker
MVM
2015-Jan-30 7:14 am
to Kathy_9
Re: [Virus] Windows Control Processor Virus - Possibly Conhost?
Hi Kathy_9
quote: Adding all attachments to this post in case it makes it easier.
That does make it easier, as the board software adds line returns, making it hard to read and harder to include in a fix.

Please go to Start > Programs and Features, and uninstall the following if found:
Coupon Printer

- Copy the text in the quote box below to the clipboard by highlighting all the text inside the box (be sure you include the colon before OTL) and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

quote:
:OTL
[2009/11/06 10:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll
[2009/11/06 10:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll
@Alternate Data Stream - 354 bytes -> C:\ProgramData\Temp:B34A7CD6
@Alternate Data Stream - 193 bytes -> C:\ProgramData\Temp:F8B88761
@Alternate Data Stream - 188 bytes -> C:\ProgramData\Temp:5CB1E0D3
@Alternate Data Stream - 153 bytes -> C:\ProgramData\Temp:BFE23423
@Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:810B9F0D
@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:89EAFAFC
:Commands
[EmptyTemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]

- Return to OTL.exe, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
- Click the red Run Fix button.
- A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
- Close OTL.exe

Download the below tool: Farbar Recovery Scan Tool (64 bit)
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
and save it to a folder on your computer's Desktop. Double-click to run it. When the tool opens, click Yes to the disclaimer. Press the Scan button. It will create a log (FRST.txt) in the same directory the tool is run from. The first time the tool is run, it creates another log (Addition.txt). Please attach both files.

Please attach the log from OTL, the two files from FRST (FRST.txt and Addition.txt), and note any errors encountered.
Kathy_9
Premium Member
2015-Jan-30 8:59 am
Good morning and thanks for helping.
1. Coupon Printer was not found in the Control Panel.
2. Carefully copied and ran the OTL Fix but did not get a log. It ran for a second or two and then I got the screen that offers the different F-Key functions. I just let it sit there and eventually it booted back to my login to desktop screen.
3. Once I logged in I got a Windows dialog box complaining of an unexpected error. I'll attach the text.
4. Tried to download Farbar Recovery Scan Tool but Norton interfered. I'll attach that also.
Please let me know what to do next - thanks.

TheJoker
MVM
2015-Jan-31 9:46 am
I just checked on a system with Norton, and it is interfering with the download of FRST. It sometimes happens, particularly with heuristic analysis, that some of the tools we use are identified incorrectly as a risk, as a false positive.

While logged on as Administrator, right-click on the Norton icon in the System Tray and select: Disable Antivirus Auto-Protect
In the window that opens, select the option for 15 minutes.

Now download FRST again: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Then follow the previous instructions to run FRST: Save it to a folder on your computer's Desktop. Double-click to run it. When the tool opens, click Yes to the disclaimer. Press the Scan button. It will create a log (FRST.txt) in the same directory the tool is run from. The first time the tool is run, it creates another log (Addition.txt). Please attach both files.

Then go back and re-enable Norton: Right-click on the Norton icon in the System Tray and select Enable Antivirus Auto-Protect.

Please attach both files from FRST, and note any errors encountered.
Kathy_9
Premium Member
2015-Jan-31 1:05 pm
Both logs attached and AV Auto Protect has been re-enabled. You didn't say anything about the OTL log that didn't appear. Should I just forget about that? Thanks.

TheJoker
MVM
2015-Feb-1 9:57 am
to Kathy_9
Not sure why OTL had a problem with the fix, but everything that was in there can be fixed without OTL.
But first: Do you know why you are running a proxy? Was that intentionally configured, or were you not aware of it?
Do you know why you have all those entries under Scheduled Tasks that point to pcalua.exe (Program Compatibility Assistant)? Most point to files in a download folder. Some of them also reference a key generator to illegally bypass registration. Using key generators, cracks, or even just visiting the sites that host that type of illegal software is the quickest way to get infected.
Were you intentionally running McAfee SiteAdvisor, or was that an unintentional installation?
Kathy_9
Premium Member
2015-Feb-1 10:41 am
I was not aware of a proxy.
Not sure about scheduled tasks pointing to pcalua.exe. I have no idea what that is. The only tasks that I have scheduled are a weekly system backup, which I disabled yesterday until this is fixed, and Super Anti-spyware.
Also don't know about any key generator.
McAfee Site Advisor is unintentional.
Thank you.

TheJoker
MVM
2015-Feb-1 6:21 pm
to Kathy_9
quote: Also don't know about any key generator.
Are there other users on the system? This downloaded program included a key generator to bypass registration:
C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE
I would recommend removing that, and uninstalling Alien Skin Eye Candy 6.

Sorry for the delay, but the Scheduled Tasks took some time to research.

Before proceeding please follow the instructions here to create a Restore Point: » windows.microsoft.com/en ··· re-point

Go to Start > Control Panel > Programs and Features and uninstall the following program:
McAfee SiteAdvisor

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
ProxyServer: [S-1-5-21-3953604979-3912728852-2169977925-1001] => localhost:21320
HKLM-x32\...\Run: [] => [X]
Startup: C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Christmas Market.lnk
ShortcutTarget: JL Christmas Market.lnk -> C:\Program Files (x86)\JL Christmas Market\JL Christmas Market.exe (No File)
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
2012-12-17 07:48 - 2012-12-17 07:48 - 0004943 _____ () C:\ProgramData\pyknfeyt.slj
HKU\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Classes\exefile: <===== ATTENTION!
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
AlternateDataStreams: C:\ProgramData\Temp:5CB1E0D3
AlternateDataStreams: C:\ProgramData\Temp:810B9F0D
AlternateDataStreams: C:\ProgramData\Temp:89EAFAFC
AlternateDataStreams: C:\ProgramData\Temp:B34A7CD6
AlternateDataStreams: C:\ProgramData\Temp:BFE23423
AlternateDataStreams: C:\ProgramData\Temp:F8B88761
Task: {0F68B6FA-AA73-4C95-8855-2AF1BC4EC8BF} - System32\Tasks\{1ACEDBC1-4893-4B59-A31A-B2103F544D5D} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a1.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {10D004D7-7A63-490A-A72E-D97BA25E348C} - System32\Tasks\{817ABCA4-752C-40C9-8C6A-1AEE82A7F3EB} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Filter Forge Freepack 2 Setup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {16D3DA01-A888-431D-9AAD-7AA1D53113AE} - System32\Tasks\{9A054153-16E7-44D0-8617-DAED3D09692F} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a6.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {1B097FAE-A3EF-414F-82B2-3CE8C78F79FE} - System32\Tasks\{60255A92-AA8A-4722-B8D2-8480105C685D} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Blow.Up.v2.0.4.Incl.Keymaker-CORE\Blow Up\blow-up-2.0.4.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Blow.Up.v2.0.4.Incl.Keymaker-CORE\Blow Up"
Task: {23CFA168-2573-4DE5-B700-72800B091ED1} - System32\Tasks\{6E0203FC-056F-4389-9F0A-C672C3519FC0} => pcalua.exe -a C:\Users\Kathy\Downloads\abrViewer.Net_1.0.2_Install.exe -d C:\Users\Kathy\Downloads
Task: {23F143FF-EE2B-44C1-BF36-FE613AFDCAF7} - System32\Tasks\{E6B3D9CA-3361-4E3B-8F95-76F84DEBF3D6} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupPerfectum2030646.exe -d C:\Users\Kathy\Downloads
Task: {24513946-E213-4F53-A6CF-A7F24C3D9855} - System32\Tasks\{C1F0ADFE-581E-43C3-A410-530840C40A9B} => pcalua.exe -a C:\Users\Kathy\Downloads\VinesAndBranchesFrames.exe -d C:\Users\Kathy\Downloads
Task: {2B80A7F5-4894-4B55-BE33-49F6D5545AC9} - System32\Tasks\{A02E134D-AB69-4F52-ACE0-BE7583AE672E} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a2.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {2CFB67FF-3C62-4148-8C25-086471593A3D} - System32\Tasks\{26D14018-367C-4E6B-92CD-F0FFD806C51D} => pcalua.exe -a C:\Users\Kathy\Downloads\Paint.NET.MegaloFileTypesPack.v11.exe -d C:\Users\Kathy\Downloads
Task: {2F489FFD-282E-49E2-BC73-D1EBAFE78E69} - System32\Tasks\{05E1F391-7E78-48E5-921D-24A631FA35B6} => pcalua.exe -a C:\Users\Kathy\AppData\Local\Temp\wz1b20\Allkang.exe -d "C:\Users\Kathy\Documents\My PSP Files\Plugins"
Task: {37F04516-63C8-4B93-A96B-886D703A6CA6} - System32\Tasks\{46CB1BFC-5977-45F1-AF59-CBF2BD530278} => pcalua.exe -a C:\Users\Kathy\Downloads\FFS3_Bonus_Dazzling_Look.exe -d C:\Users\Kathy\Downloads
Task: {3CE9293B-AC5A-4171-AEBB-C7275FC81B41} - System32\Tasks\{1185A5DA-971C-4643-864B-B109284106D8} => pcalua.exe -a C:\Users\Kathy\AppData\Local\Temp\wzc7a6\Allkang.exe -d "C:\Users\Kathy\Documents\My PSP Files\Plugins"
Task: {409717B8-AA34-4AA6-A0B2-97118E169590} - System32\Tasks\{9B26A640-96B9-4D1E-8F94-4CC8774481F6} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a4.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {435988D0-ED14-4D6C-B778-A0D1B67825CD} - System32\Tasks\{C09F4890-D064-460D-B9A0-17D090FC2DC5} => pcalua.exe -a C:\Users\Kathy\Downloads\dreamy_setup.exe -d C:\Users\Kathy\Downloads
Task: {48486E61-A6E9-4C3E-BA70-D5164CF8B32C} - System32\Tasks\{F012A54E-F532-4328-B6BE-EF7CD3457D66} => pcalua.exe -a C:\Users\Kathy\Downloads\HolidaysTubes.exe -d C:\Users\Kathy\Downloads
Task: {4AB896EC-9B97-4994-9465-B47754BFD73E} - System32\Tasks\{3F7B2B61-550F-4B18-B344-1CC84F408F6F} => pcalua.exe -a C:\Windows\unvise32.exe -c c:\users\kathy\documents\my psp files\DreamSuite Bonus\DreamSuite Bonus Uninstall.log
Task: {4EA4C385-1F08-4E3D-B256-B13B53E6B91F} - System32\Tasks\{FE4B931D-5F23-43CD-AB1F-FCBA4A37E184} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupRedfield++.exe -d C:\Users\Kathy\Downloads
Task: {5037EBD1-8B98-4293-86C2-BE458CB4543F} - System32\Tasks\{688AF097-B09D-4848-8A43-F71B003C1A1C} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a3.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {5D87CEB5-C5D9-445D-9509-D9C7C466EC16} - System32\Tasks\{8A0AB714-BC02-4470-A541-D15333780125} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupFaceControl.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {5FABC0F1-A717-4820-8ABA-F372F537A383} - System32\Tasks\{A26AA06A-F5DD-4ECB-A5EC-359C9BF4E1CA} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Filter Forge Freepack 3 Setup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {6DCC21BB-79F4-49F6-A12E-23581340AB33} - System32\Tasks\{79574649-A98F-4024-861D-FFEE5AE2F6BE} => pcalua.exe -a C:\Users\Kathy\Downloads\WinterHolidayFrames.exe -d C:\Users\Kathy\Downloads
Task: {6F0E738A-CA24-43B4-A83A-868A9838D5F5} - System32\Tasks\{C9AB444D-F1E7-4872-B745-BDEE09F98966} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupPerfectum354948(2).exe -d C:\Users\Kathy\Downloads
Task: {77B0D1F5-759F-4A88-93EE-A82244904658} - System32\Tasks\{99F71CC1-ABF2-4F75-9B2D-EE1A50D5F7E8} => pcalua.exe -a C:\Users\Kathy\Downloads\filtersunlimited20e-full(2).exe -d C:\Users\Kathy\Downloads
Task: {83088B9A-849A-4F52-A20B-FBBADBF287C7} - System32\Tasks\{8ECA9A7A-69CA-4157-A49C-2BB3F157C332} => pcalua.exe -a C:\Users\Kathy\Downloads\English_Jasc_Paint_Shop_Xtras_Creative_Edition_2.exe -d C:\Users\Kathy\Downloads
Task: {867F4EEF-99BF-4791-AC24-F8AECF335902} - System32\Tasks\{0C4B8021-1289-4687-BA95-F8188A899F1D} => pcalua.exe -a C:\Users\Kathy\Downloads\tbrusha.exe -d C:\Users\Kathy\Downloads
Task: {8BFB36B2-E1DB-438C-A1E9-2986E4E21E6C} - System32\Tasks\{54FAC0A8-DFB2-4047-AD3B-BA2D71F8557E} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\English_Jasc_Paint_Shop_Xtras_Creative_Edition_2.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {8C99E783-7216-4008-8ACC-0630AE4C928E} - System32\Tasks\{80699B44-D1D7-4B4A-AA82-22C2ABD67CF9} => pcalua.exe -a C:\Users\Kathy\Downloads\tbrusha_1818-June2014.exe -d C:\Users\Kathy\Downloads
Task: {94266A31-4955-4D26-B12D-A06F087F4768} - System32\Tasks\{89AD1CAC-2EB4-4094-B85C-2BAFD6D6FACD} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupRedfieldPlugins.exe -d C:\Users\Kathy\Downloads
Task: {9604DB45-4634-46F4-A4C7-0F22C67423E0} - System32\Tasks\{6760397B-C9DA-48A4-A74A-B4F650C01D45} => pcalua.exe -a C:\Users\Kathy\Downloads\irfanview_plugins_438_setup.exe -d C:\Users\Kathy\Downloads
Task: {96BB3AA0-033D-405F-9797-ABD2FB557381} - System32\Tasks\{3BC92536-CBFF-4F3C-8E61-4D0FCA2EE7F3} => pcalua.exe -a "C:\Program Files (x86)\Corel\Corel Painter Photo Essentials 4\MSILauncher.exe" -c "{707EB912-C597-49D8-9460-46CC9AB03EBE}"
Task: {98A2FE91-B2D9-43EE-92F6-FFB5FAB248CD} - System32\Tasks\{F387808A-4A59-4D47-A873-71DE9F6A188E} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupRedfield++.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {9BB076C3-BE92-4EE3-8E1C-4A2D71B8F6C2} - System32\Tasks\{5017321A-DA9E-4324-BB8C-7F38B03A5D79} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a5.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {A1F56E65-A2EF-43A9-829C-C31A3996DD60} - System32\Tasks\{A055966E-7A14-4DD5-BC37-89DC3E15783F} => pcalua.exe -a "C:\Users\Kathy\Documents\My PSP Files\Plugins\PhotoFreebies\PluginInstaller.exe" -d "C:\Users\Kathy\Documents\My PSP Files\Plugins\PhotoFreebies"
Task: {A812FCF0-5DA3-4192-9240-462E4AF9DE2D} - System32\Tasks\{5280E8EF-12A5-4AAF-9B02-E882A9FB4C65} => pcalua.exe -a C:\Users\Kathy\Downloads\Effects-MegaloPack.Paint.NET.v18.exe -d C:\Users\Kathy\Downloads
Task: {A8F4D32A-06C9-4084-87E9-DA44EDE49ED0} - System32\Tasks\{320201B5-75C4-4D23-8899-5C18E5588035} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupFineTouch.exe -d C:\Users\Kathy\Downloads
Task: {AA136032-C479-4B1F-830C-DD6BC68A04D1} - System32\Tasks\{AC47AC0F-C4CB-4D25-AF8F-CB5F4A17C0CE} => pcalua.exe -a "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" -d "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller"
Task: {AA29C07A-99D0-4016-AA26-87380824333B} - System32\Tasks\{1C5D3556-C7DE-4C10-8B1D-CABE891932FD} => pcalua.exe -a C:\Users\Kathy\Downloads\05_21_framesPSPA.exe -d C:\Users\Kathy\Downloads
Task: {AA729155-DC08-4E26-AF1A-412F3E445FEC} - System32\Tasks\{1F955483-CDF2-4D2C-B25D-0D5A9FFD213E} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\GMLMatting0.3_setup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {AEA01EC8-2987-4F90-B6DE-3A2731A82D54} - System32\Tasks\{15632644-87BC-4372-954F-6D70AB2C4E20} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupRedfieldPlugins.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {AF2FBE90-DAB8-4F9D-8CAD-C077A18F012C} - System32\Tasks\{F6CA2137-D906-4A26-96E8-4F503FE33A7D} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupPerfectum2030646.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {B249E3C7-4BCF-4735-AA94-EC16C722DEAE} - System32\Tasks\{C25FEE84-56BF-464C-8E9E-0CE659BC9562} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupPerfectum354948.exe -d C:\Users\Kathy\Downloads
Task: {BAA652EE-0427-40D3-B204-4947323BE925} - System32\Tasks\{E4FA5BC4-6550-4D72-B806-E2DCD4A871D2} => pcalua.exe -a C:\PROGRA~2\Corel\CORELP~1\X3\PSPCLA~1\PlugIns\ALIENS~1\EYECAN~1\Unwise32.exe -c C:\PROGRA~2\Corel\CORELP~1\X3\PSPCLA~1\PlugIns\ALIENS~1\EYECAN~1\INSTALL.LOG
Task: {CBBC2300-224E-4E83-A770-4931BB332CA4} - System32\Tasks\{401C0C84-8694-4178-BC42-54C1076C037B} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\vPsetup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {CCD849A2-2B43-4E4D-9343-B300B08A7044} - System32\Tasks\{95CCF640-FC8B-4E50-8CB3-45E00A2CC7CE} => pcalua.exe -a C:\Users\Kathy\Downloads\abrViewer.Net_1.0.2_Install(2).exe -d C:\Users\Kathy\Downloads
Task: {CF9D79FC-2153-46EE-8DB8-518E8738D769} - System32\Tasks\{8AD11566-1D8A-449D-91C1-0450556E9CB6} => pcalua.exe -a C:\Users\Kathy\DOCUME~1\MYPSPF~1\ALIENS~1\SNAPAR~1\Unwise32.exe -c C:\Users\Kathy\DOCUME~1\MYPSPF~1\ALIENS~1\SNAPAR~1\INSTALL.LOG
Task: {D0EC92CB-1D99-443E-8221-BBBE14B5C82D} - System32\Tasks\{7C1CA14C-691F-49F6-9E76-64D3D999FFF0} => pcalua.exe -a C:\Users\Kathy\Downloads\WhimsicalTubes.exe -d C:\Users\Kathy\Downloads
Task: {D0F79290-5950-4633-80C2-FD9A44DFFE91} - System32\Tasks\{F7764E76-7B22-4C5A-A98D-A1527A5D358D} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupSketchMaster8305210.exe -d C:\Users\Kathy\Downloads
Task: {D668AE95-DA6E-4E8E-9B03-87CAD53CBC2F} - System32\Tasks\{C2957340-8625-4CCF-B03E-D18F43AFC2BC} => pcalua.exe -a C:\Users\Kathy\Downloads\FFS3_Bonus_Dazzling_Look.exe -d C:\Users\Kathy\Downloads
Task: {E74EA48E-5F83-449A-B614-CFD3B9834CCD} - System32\Tasks\{0BFF6FFC-29C6-4C03-9C68-36C612084BE3} => pcalua.exe -a C:\Users\Kathy\Downloads\Pp10f.exe -d C:\Users\Kathy\Downloads
Task: {F1F18B2E-7FE2-4AD5-AC1C-94AFAEC284B7} - System32\Tasks\{606FADBD-F87D-4788-A8BF-AB1D0259FC9B} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupFaceControl.exe -d C:\Users\Kathy\Downloads
Task: {F5B8E532-25D3-4BD9-B688-94524D91D9C2} - System32\Tasks\{C40EADC6-69E2-4CD5-AB4F-317D39636F4A} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupSketchMaster.exe -d C:\Users\Kathy\Downloads
Task: {F90D4142-ED5C-4B47-A7B1-0CB7715AA357} - System32\Tasks\{603D2F89-3221-4C01-9DD9-D434E4C22ADC} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a7.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {FE3CDE37-98D3-4B6F-9E73-596200C670CB} - System32\Tasks\{B51086A1-FAB1-4E93-8DBB-B261856D3F47} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupFractalius.exe -d C:\Users\Kathy\Downloads
end
Save the file as fixlist.txt into the same folder as Farbar Recovery Scan Tool (FRST).
Run FRST and click Fix only once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will create a log on the Desktop (Fixlog.txt). Please attach it to your next reply.

Please go to VirusTotal and submit the following file for a scan and post the link to the detection results:
C:\ProgramData\ E651D35387.sys

Please attach the log from FRST (Fixlog.txt), post the link to the results from scanning the file at VirusTotal, and note any errors encountered.
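TheJoker's questions about the pcalua.exe scheduled tasks, the unexpected ProxyServer value and the alternate data streams all come down to reading FRST listing lines of the kind in the fixlist above. The following Python script is an added example, not part of this thread and not code from FRST, OTL or any other tool used here. It parses constructed sample lines written in the same listing format and grades them with heuristics of my own: the list of user-writable folders, the key-generator name fragments, the "localhost proxy" rule and the severity levels are assumptions, not FRST's rules. The SID, GUIDs, user name and paths in the sample are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the FRST listing format used in the fixlist
# above. The SID, GUIDs, user name and paths are made up for this example.
SAMPLE_LOG = r"""
ProxyServer: [S-1-5-21-1111111111-2222222222-3333333333-1001] => localhost:21320
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
Task: {0F68B6FA-0000-4000-8000-000000000001} - System32\Tasks\{1ACEDBC1-0000-4000-8000-000000000001} => pcalua.exe -a "C:\Users\alice\Desktop\Plugin Download\Some.Plugin.v1.0.Incl.Keymaker-CORE\setup.exe" -d "C:\Users\alice\Desktop\Plugin Download"
Task: {23CFA168-0000-4000-8000-000000000002} - System32\Tasks\{6E0203FC-0000-4000-8000-000000000002} => pcalua.exe -a C:\Users\alice\Downloads\abrViewer.Net_1.0.2_Install.exe -d C:\Users\alice\Downloads
Task: {AA136032-0000-4000-8000-000000000003} - System32\Tasks\{AC47AC0F-0000-4000-8000-000000000003} => pcalua.exe -a "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" -d "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller"
Task: {B0000000-0000-4000-8000-000000000004} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"""

# Line shapes as they appear in the fixlist above (assumed, not FRST's spec).
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>\S+) => (?P<cmd>.+)$")
PCALUA_RE = re.compile(r'^pcalua\.exe\s+-a\s+(?P<target>"[^"]*"|\S+)', re.IGNORECASE)
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>[^\]]+)\] => (?P<value>.+)$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+):(?P<stream>[^:\\]+)$")

# Heuristics (my own assumptions): folders an ordinary user can write to,
# name fragments that suggest a key generator, and loopback proxy hosts.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
CRACK_WORDS = ("keymaker", "keygen", "crack")
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


@dataclass
class Finding:
    kind: str      # "task", "proxy" or "ads"
    severity: str  # "low", "medium" or "high"
    detail: str    # the path or value that triggered the finding
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one FRST listing line; return None for lines not of interest."""
    line = line.rstrip()

    m = TASK_RE.match(line)
    if m:
        pm = PCALUA_RE.match(m.group("cmd"))
        if not pm:
            return None  # ordinary task, not routed through pcalua.exe
        target = pm.group("target").strip('"')
        low = target.lower()
        severity = "low"
        reasons = ["launched through pcalua.exe (Program Compatibility Assistant)"]
        if any(w in low for w in USER_WRITABLE):
            severity = "medium"
            reasons.append("target lives in a user-writable folder")
        if any(w in low for w in CRACK_WORDS):
            severity = "high"
            reasons.append("target name suggests a key generator or crack")
        return Finding("task", severity, target, "; ".join(reasons))

    m = PROXY_RE.match(line)
    if m:
        value = m.group("value")
        host = value.rsplit(":", 1)[0].lower()
        local = host in LOCAL_HOSTS
        reason = "per-user proxy set for " + m.group("sid")
        if local:
            reason += "; a loopback proxy means a local process is relaying browser traffic"
        return Finding("proxy", "high" if local else "medium", value, reason)

    m = ADS_RE.match(line)
    if m:
        reason = "alternate data stream '%s' on %s; not shown by Explorer or a plain dir listing" % (
            m.group("stream"), m.group("path"))
        return Finding("ads", "medium", line.split(": ", 1)[1], reason)

    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of an FRST listing, dropping non-findings."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'task': 3, 'proxy': 1, 'ads': 2}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:5} {f.detail}")
        print(f"         {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

The grading deliberately does not treat pcalua.exe itself as the problem: the Program Compatibility Assistant creates tasks of this shape when it re-runs an installer, so the script looks at where the target lives and what it is called, which is the same distinction TheJoker drew above between ordinary installers in the Downloads folder and the Keymaker-CORE folder. The GoogleUpdate task in the sample is an ordinary task and produces no finding.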
Kathy_9
Premium Member
2015-Feb-1 6:30 pm
Thanks - I'll get started on your instructions and post back. My nephew sometimes uses this computer but I can put a stop to that.
Kathy_9
Premium Member
2015-Feb-1 6:59 pm
Alien & McAfee removed; restore point created; ran FRST fix (log attached); file scanned at VirusTotal: » www.virustotal.com/en/fi ··· 2834912/

TheJoker
MVM
2015-Feb-1 8:51 pm
to Kathy_9
Please re-do the instructions being sure you run FRST (Farbar Recovery Scan Tool) rather than OTL. From the last line in the log it appears you inadvertently ran OTL instead of FRST.
Kathy_9
Premium Member
2015-Feb-2 6:38 am
You're right and I see what happened. I remember running FRST and Norton roared again so I temporarily disabled auto-protect and when I went back to run it again I hit OTL, not noticing that Norton had deleted FRST. I've attached the correct log.
Fixlog.txt 43767 bytes
Does this take care of the mystery proxy? Do I have to re-submit the file to VirusTotal or was that part okay?
Thanks again.
TheJoker
MVM
2015-Feb-2 7:05 am
to Kathy_9
The Proxy Server was taken care of:
quote: HKU\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
Let's check a bit further. Please follow these instructions to run ComboFix.exe.

Please visit this webpage for download links and instructions for running this tool: » www.bleepingcomputer.com ··· combofix
* Ensure you have disabled all anti-virus and anti-malware programs (to include Norton and Spybot Search & Destroy) so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please post the log from ComboFix (C:\ComboFix.txt) in your next reply, and note any errors encountered.
Kathy_9
Premium Member
2015-Feb-2 10:20 am
ComboFix log attached. Thank you.

TheJoker
MVM
2015-Feb-2 9:13 pm
to Kathy_9
Please attach the following file for review: C:\Qoobox\ComboFix-quarantined-files.txt
Kathy_9
Premium Member
2015-Feb-3 7:37 am
Here's the log. Thank you.

TheJoker
MVM
2015-Feb-3 11:23 pm
to Kathy_9
ComboFix deleted two files that I would like you to scan at VirusTotal. Please go to VirusTotal and submit the following files for a scan and post the link to the detection results for each:
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\Photoshop.exe.vir
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\SHFOLDER.dll.vir

TheJoker
MVM
2015-Feb-3 11:37 pm
to Kathy_9
Please also check to see if Photoshop still runs. The location Photoshop.exe was in doesn't appear to be the correct location. It may have been an extra unneeded copy.

Kathy_9
Premium Member
2015-Feb-4 8:50 am
to TheJoker
Here are the links to VirusTotal that you requested:
» www.virustotal.com/en/fi ··· 3057376/
» www.virustotal.com/en/fi ··· 3057546/
I can't find Photoshop to try and run it but that is okay since I don't use it. Should I just try to remove it via the Control Panel? Thank you.

TheJoker
MVM
2015-Feb-4 8:06 pm
to Kathy_9
You don't see it listed anywhere when you go to Start > All Programs? It's listed in your Installed Programs list. Photoshop Creative Suite would be an extremely expensive program to uninstall unnecessarily, and it's no longer available as a purchased program. It's now only available as a "cloud" program that you pay a hefty monthly subscription for. Let's check on that.

Please download SystemLook_x64 from one of the links below and save it to your Desktop.
http://jpshortstuff.247fixes.com/SystemLook_x64.exe
http://images.malwareremoval.com/jpshortstuff/SystemLook_x64.exe
- Double-click SystemLook_x64.exe to run it.
- Copy the content of the following codebox into the main textfield:
:dir
c:\program files (x86)\Adobe /s
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.

Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop. Double-click CKScanner.exe (right-click and "Run as administrator" in Vista/Win7). Give permission if necessary, and click Search For Files. After a very short time, when the cursor hourglass disappears, click Save List To File. A message box will verify the file saved. Please run the program once only. Double-click the CKFiles.txt icon on your desktop and attach the log in your next reply.

Please attach the logs from SystemLook and CKScanner, and note any errors encountered.
Kathy_9
Premium Member
2015-Feb-4 8:19 pm
Correct, it is not under Start -> All Programs. The only thing in the Adobe folder is Extend Script Toolkit. I prefer PSP to PS so I won't miss it. I guess it's all what you are used to. I have PS Elements also but still prefer PSP. SystemLook log attached. Norton is complaining again about CKScanner. Do you want to test the link before I disable auto-protect? Thanks.

TheJoker
MVM
2015-Feb-5 7:06 am
to Kathy_9
There's nothing malicious about the file. You can disable Norton, follow the instructions for CKScanner, and then re-enable Norton and attach the log.
It looks like Photoshop was installed into a non-default folder. We can move the two files back in a bit and then you can see if Photoshop works OK, and you can decide if you want to keep it or uninstall it. It's Photoshop Elements' big brother. Harder to use as there are so many options, but a more powerful graphics editing program. I use Photoshop Elements myself.
Kathy_9
2015-Feb-5 7:12 am

Okay - here's the file. Thank you.
TheJoker
2015-Feb-6 7:20 am
to Kathy_9

Nothing wrong there. I'll be back later tonight. There is a potential item to fix with ComboFix, and after that we can start cleanup of the tools that we used.
TheJoker
2015-Feb-6 7:58 pm

We need to make sure you have the most recent version of ComboFix.
- Delete your current copy of ComboFix.exe.
- Download ComboFix© by sUBs from this link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- Save the file to your Desktop.
- Close any open browsers.
- Close your AntiVirus and any anti-spyware programs you may be running. Please go here to see a list of programs that need to be disabled.

For this next step, please ensure that ComboFix.exe is on your desktop.
Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below. Save this as "CFScript.txt", change the "Save as type" to "All Files", and place it on your Desktop.

DeQuarantine::
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\Photoshop.exe.vir
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\SHFOLDER.dll.vir
RegNull::
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥uE¥uîYnaƒÖI]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥9uE¥9u.WOWŒô¹E(“;*ô»;*ØŽ;*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥BuE¥Bu.WÝZ>Q³ÇÈ’o*”»o*xŽo*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥QvE¥Qv.WµYaļi(D*ô·D*ØŠD*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥svE¥svîYæQi”-D]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥’vE¥’v\CU%µ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥’vE¥’v\-V7áöí]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. jpg þÿÿÿE¥’vE¥’v\bŽzÌ6]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥¦vE¥¦v~8õUègƒr]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥èvE¥èv¾Z`^Ö̲˜Ž3*d·3*HŠ3*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥îvE¥îv´)ûWŒU©ï]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥*wE¥*w¾Z'ZgY1ðÈ–-*½-*x’-*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥«t[¥«tù7¯e}[é]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥6u[¥6u€1ü[á™7]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. jpg þÿÿÿ[¥[u[¥[u€1“[¹ºŸ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥[u[¥[u€1L\@9,ö]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥€u[¥€uù7kZÜ[¼]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥u[¥uÛE·^(Ø¿¢0*äÊ0*ȝ0*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥u[¥u€1ø\-Ô¯]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥u[¥u€1]«¬Œ±]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥¤u[¥¤uù7£Z¾Ú¡o]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥°u[¥°uÛEŽYWÌ.·]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥Ov[¥Ovù7‡nQ sæ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥hv[¥hvù7öWœÜ$]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥Àv[¥Àv€1Ÿ_äœXÃ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥¢w[¥¢w€1Ï[AQÍÊ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*pspimage*e€tRº!þÿÿÿE¥}tE¥}tîYIYù$ìì–-*8½-* ’-*,*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*pspimage*eÉv¨zþÿÿÿE¥ÆvE¥Æv~8L\=0(5Ü”B*(»B*B*,*]
Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it will produce a log for you at C:\ComboFix.txt. Please attach that log in your next reply and note any errors encountered.
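Two checks a practitioner would run before dragging that CFScript onto ComboFix, written here as an added PowerShell example; it is not part of the thread and is not ComboFix's own code. It assumes the two Qoobox quarantine paths and the user SID exactly as they appear in the script above, and that the junk-named subkeys under FileExts can be enumerated from .NET (a name with an embedded NUL comes back truncated at the NUL, which still fails the extension pattern used below). Run it from an elevated PowerShell prompt on the affected machine; it only reads and reports, and changes nothing.

```powershell
# Added example, not from the thread or from ComboFix. Read-only pre-flight
# checks for the CFScript above. Paths and SID are taken from that script;
# adjust them for any other machine. Run from an elevated PowerShell prompt.

# --- 1. DeQuarantine:: restores these two files; make sure they are what they claim.
# ComboFix only appends ".vir" to a quarantined file, so the hash, version resource
# and Authenticode signature are still those of the original binary.
$quarantined = @(
    'C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\Photoshop.exe.vir',
    'C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\SHFOLDER.dll.vir'
)
$fileReport = foreach ($path in $quarantined) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "missing: $path"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $path   # PE files are recognised by header, not extension
    $ver = (Get-Item -LiteralPath $path).VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File      = Split-Path -Path $path -Leaf
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Signature = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
        Company   = $ver.CompanyName
        Product   = $ver.ProductName
    }
}
$fileReport | Format-List

# --- 2. RegNull:: removes FileExts subkeys whose names are not plain extensions
# (the script lists ".jpg" and ".pspimage" followed by binary junk). Regedit cannot
# show or delete such keys, so list them through .NET first to see what will go.
$sid = 'S-1-5-21-3953604979-3912728852-2169977925-1001'
$rel = "$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"
$key = [Microsoft.Win32.Registry]::Users.OpenSubKey($rel)
if ($null -eq $key) { throw "HKEY_USERS\$sid is not loaded; log on as that user and retry" }

$normal = '^\.[A-Za-z0-9_+\-]+$'   # heuristic: what a legitimate extension subkey name looks like
$total  = $key.SubKeyCount
$odd = foreach ($name in $key.GetSubKeyNames()) {
    if ($name -notmatch $normal) {
        # render non-printable characters as \uXXXX so the junk is visible in the console
        $shown = -join ($name.ToCharArray() | ForEach-Object {
            $c = [int]$_
            if ($c -lt 0x20 -or $c -gt 0x7E) { '\u{0:X4}' -f $c } else { [string]$_ }
        })
        [pscustomobject]@{ Length = $name.Length; Name = $shown }
    }
}
$key.Close()

"{0} of {1} FileExts subkeys under that SID have names that are not plain extensions" -f @($odd).Count, $total
$odd | Format-Table -AutoSize
```

What to look for: a Valid signature with an Adobe subject and an Adobe CompanyName on both files supports the reading above that the quarantine was a false positive on a non-default install; a NotSigned status or a CompanyName that does not match the product on an .exe sitting directly under Program Files (x86)\Adobe deserves a second look before it is restored. The FileExts count should line up with the 28 RegNull entries in the script; if the enumeration finds more odd names than the script lists, they belong in the next CFScript rather than being left behind.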