Kathy_9 (Premium Member, join: 2005-05-15, Cloud 9)
[Virus] Windows Control Processor Virus - Possibly Conhost?

Adding all attachments to this post in case it makes it easier:

mbam012715.txt (1970 bytes)
mbam012815.txt (1069 bytes)
AdwCleaner[S7].txt (3514 bytes)
OTL.Txt (125944 bytes)
Extras.Txt (134718 bytes)
checkup.txt (1040 bytes)
export_eset.txt (1189 bytes)


I got hit yesterday evening and disconnected from the internet and ran Malwarebytes and Adwcleaner.

This morning I came here and read the pre-cleaning criteria and performed the required scans.

I'd like to make sure I'm clean and everything is fixed.

Thanks.

I ran Temp File Cleaner.

Here are yesterday's and today's Malwarebytes logs:


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/27/2015
Scan Time: 6:49:05 PM
Logfile: mbam012715.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.21.06
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Kathy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 477641
Time Elapsed: 21 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 4
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
IPH.Trojan.Clicker.W7, HKU\S-1-5-21-3953604979-3912728852-2169977925-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|jfsfoiplafba, regsvr32.exe /s "C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll", Quarantined, [0cfec733e0a9e74f3aa0af518f718d73]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
IPH.Trojan.Clicker.W7, C:\Users\Kathy\AppData\Local\19th Parallel\jfsfoiplafba.dll, Delete-on-Reboot, [0cfec733e0a9e74f3aa0af518f718d73],

Physical Sectors: 0
(No malicious items detected)

(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/28/2015
Scan Time: 10:52:17 AM
Logfile: mbam012815.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.28.07
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Kathy

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 895938
Time Elapsed: 3 hr, 35 min, 38 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
Kathy_9 (Premium Member)

Re: Windows Control Processor Virus?

Here's AdwCleaner:

# AdwCleaner v4.109 - Report created 27/01/2015 at 18:38:03
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Kathy - KATHY-HP
# Running from : C:\Users\Kathy\Documents\Security\adwcleaner_4.109.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Deleted : C:\Program Files (x86)\Coupons
Folder Deleted : C:\Users\Kathy\AppData\LocalLow\HPAppData

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
Key Deleted : HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\B696D3C37BD0D6C33A65D38BEC459181
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\B696D3C37BD0D6C33A65D38BEC459181
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B696D3C37BD0D6C33A65D38BEC459181
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - localhost:21320

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Mozilla Firefox v35.0.1 (x86 en-US)

*************************

AdwCleaner[R0].txt - [4390 octets] - [16/01/2014 10:11:07]
AdwCleaner[R10].txt - [3137 octets] - [28/12/2014 13:42:57]
AdwCleaner[R11].txt - [3540 octets] - [27/01/2015 18:35:09]
AdwCleaner[R1].txt - [4187 octets] - [26/03/2014 12:54:37]
AdwCleaner[R2].txt - [4247 octets] - [26/03/2014 13:12:48]
AdwCleaner[R3].txt - [1334 octets] - [14/05/2014 11:16:32]
AdwCleaner[R4].txt - [1260 octets] - [10/06/2014 10:31:12]
AdwCleaner[R5].txt - [1536 octets] - [15/07/2014 12:00:27]
AdwCleaner[R6].txt - [2090 octets] - [23/08/2014 07:10:47]
AdwCleaner[R7].txt - [3125 octets] - [28/09/2014 06:29:20]
AdwCleaner[R8].txt - [2796 octets] - [22/10/2014 13:24:13]
AdwCleaner[R9].txt - [3914 octets] - [17/12/2014 08:14:21]
AdwCleaner[S0].txt - [4565 octets] - [16/01/2014 10:22:09]
AdwCleaner[S1].txt - [4285 octets] - [26/03/2014 13:13:52]
AdwCleaner[S2].txt - [1405 octets] - [14/05/2014 11:17:21]
AdwCleaner[S3].txt - [1324 octets] - [10/06/2014 10:33:25]
AdwCleaner[S4].txt - [1607 octets] - [15/07/2014 12:01:34]
AdwCleaner[S5].txt - [3186 octets] - [28/09/2014 06:50:09]
AdwCleaner[S6].txt - [3160 octets] - [28/12/2014 13:52:17]
AdwCleaner[S7].txt - [3362 octets] - [27/01/2015 18:38:03]

########## EOF - C:\AdwCleaner\AdwCleaner[S7].txt - [3422 octets] ##########
Kathy_9 (Premium Member)

Here's OTL:
OTL logfile created on: 1/28/2015 2:33:17 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathy\Desktop\cleanup tools
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17501)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.96 Gb Total Physical Memory | 4.87 Gb Available Physical Memory | 61.12% Memory free
15.92 Gb Paging File | 12.95 Gb Available in Paging File | 81.34% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 686.99 Gb Total Space | 507.11 Gb Free Space | 73.82% Space Free | Partition Type: NTFS
Drive D: | 11.54 Gb Total Space | 1.37 Gb Free Space | 11.91% Space Free | Partition Type: NTFS
Drive L: | 149.05 Gb Total Space | 7.14 Gb Free Space | 4.79% Space Free | Partition Type: NTFS

Computer Name: KATHY-HP | User Name: Kathy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

[color=#E56717]========== Processes (SafeList) ==========[/color]

PRC - [2015/01/28 09:09:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\cleanup tools\OTL.exe
PRC - [2015/01/08 22:25:26 | 039,206,888 | ---- | M] (Dropbox, Inc.) -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2014/12/12 19:13:07 | 002,531,472 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
PRC - [2014/12/12 19:13:04 | 001,701,520 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
PRC - [2014/10/28 16:15:34 | 000,244,448 | ---- | M] (Foxit Software Inc.) -- C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
PRC - [2014/09/21 05:32:26 | 000,276,376 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\nis.exe
PRC - [2014/07/25 03:42:26 | 000,311,616 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
PRC - [2014/07/02 12:44:41 | 000,411,936 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
PRC - [2014/05/19 15:05:10 | 003,414,560 | R--- | M] (Fitbit, Inc.) -- C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
PRC - [2014/05/19 15:05:10 | 001,436,192 | R--- | M] (Fitbit, Inc.) -- C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
PRC - [2014/04/30 15:00:36 | 000,277,360 | ---- | M] (arvato digital services llc) -- c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2014/03/27 07:07:18 | 000,581,568 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Online Games Manager\ogmservice.exe
PRC - [2013/10/23 17:39:14 | 001,017,224 | ---- | M] (Flux Software LLC) -- C:\Users\Kathy\AppData\Local\FluxSoftware\Flux\flux.exe
PRC - [2013/10/15 12:27:38 | 003,921,880 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2013/09/20 10:57:26 | 001,042,272 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2013/09/13 10:38:30 | 000,171,416 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2012/07/25 03:46:42 | 000,681,056 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\sua.exe
PRC - [2011/04/29 23:32:54 | 000,013,592 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2011/04/29 23:32:50 | 000,284,440 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
PRC - [2010/09/30 02:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
PRC - [2009/12/09 13:22:56 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\SysWOW64\nlssrv32.exe
PRC - [2009/09/30 23:02:50 | 002,320,920 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2009/09/30 23:02:48 | 000,268,824 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
PRC - [2009/08/27 17:09:10 | 001,253,376 | ---- | M] (MAGIX AG) -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
PRC - [2008/11/20 12:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe

[color=#E56717]========== Modules (No Company Name) ==========[/color]

MOD - [2015/01/28 10:24:51 | 000,043,008 | ---- | M] () -- c:\Users\Kathy\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpdfu1x9.dll
MOD - [2015/01/08 15:44:46 | 000,863,744 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
MOD - [2015/01/08 15:44:46 | 000,750,080 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\libGLESv2.dll
MOD - [2015/01/08 15:44:46 | 000,200,704 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
MOD - [2015/01/08 15:44:46 | 000,047,616 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\libEGL.dll
MOD - [2014/11/12 17:35:18 | 000,492,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\26dd84b091ca389fd2edaa92db62ddea\IAStorUtil.ni.dll
MOD - [2014/11/12 17:31:03 | 000,774,144 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\875c35969785fa170d186e7ca546ac9e\System.Runtime.Remoting.ni.dll
MOD - [2014/10/16 16:36:03 | 011,922,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\b4001d722e320fa42cd87b04b5249b2d\System.Web.ni.dll
MOD - [2014/10/16 16:35:38 | 012,435,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1453d9e9a4989833ef3db4b22549ba1a\System.Windows.Forms.ni.dll
MOD - [2014/10/16 16:35:34 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\836e10dfd0811b303553216f5cb092ef\System.Drawing.ni.dll
MOD - [2014/10/16 16:35:30 | 005,467,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d49908aa93a23c84847b1f8b1b667860\System.Xml.ni.dll
MOD - [2014/10/16 16:35:28 | 000,978,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\237d509a79aeef6e4635b09450d98f2a\System.Configuration.ni.dll
MOD - [2014/10/16 16:35:19 | 003,348,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d97a5aa0eb7697aca7c6e90ae471af2b\WindowsBase.ni.dll
MOD - [2014/10/16 16:35:17 | 007,991,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\908ba9e296e92b4e14bdc2437edac603\System.ni.dll
MOD - [2014/10/11 13:05:58 | 001,044,776 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2014/09/11 17:20:39 | 000,014,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\ac4c46817e44dd944492753e8c7be3e5\IAStorCommon.ni.dll
MOD - [2014/09/11 16:31:30 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
MOD - [2014/07/31 11:16:44 | 000,073,544 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll

[color=#E56717]========== Services (SafeList) ==========[/color]

SRV:64bit: - [2014/12/12 19:13:04 | 001,148,560 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe -- (GfExperienceService)
SRV:64bit: - [2014/12/12 19:13:03 | 019,823,248 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe -- (NvStreamSvc)
SRV:64bit: - [2014/11/21 21:35:29 | 000,114,688 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2014/08/23 08:42:34 | 000,172,344 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2013/05/27 00:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2015/01/27 20:05:00 | 000,114,800 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2015/01/25 06:03:10 | 000,267,440 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/12/12 19:13:04 | 001,701,520 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe -- (NvNetworkService)
SRV - [2014/12/03 11:24:56 | 000,154,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe -- (McAfee SiteAdvisor Service)
SRV - [2014/10/28 16:15:34 | 000,244,448 | ---- | M] (Foxit Software Inc.) [Auto | Running] -- C:\Program Files (x86)\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe -- (FoxitCloudUpdateService)
SRV - [2014/09/21 05:32:26 | 000,276,376 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe -- (NIS)
SRV - [2014/07/02 12:44:41 | 000,411,936 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
SRV - [2014/05/19 15:05:10 | 001,436,192 | R--- | M] (Fitbit, Inc.) [Auto | Running] -- C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe -- (Fitbit Connect)
SRV - [2014/04/30 15:00:36 | 000,277,360 | ---- | M] (arvato digital services llc) [Auto | Running] -- c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2014/03/27 07:07:18 | 000,581,568 | ---- | M] (RealNetworks, Inc.) [Auto | Running] -- C:\Program Files (x86)\Online Games Manager\ogmservice.exe -- (ogmservice)
SRV - [2014/03/23 22:32:02 | 000,225,792 | ---- | M] (NETGEAR) [Auto | Running] -- C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe -- (NETGEARGenieDaemon)
SRV - [2014/03/20 17:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013/11/04 18:31:56 | 000,092,160 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe -- (HP Support Assistant Service)
SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2012/07/25 03:46:44 | 001,326,176 | ---- | M] (Secunia) [On_Demand | Stopped] -- C:\Program Files (x86)\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
SRV - [2012/07/25 03:46:42 | 000,681,056 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files (x86)\Secunia\PSI\sua.exe -- (Secunia Update Agent)
SRV - [2011/04/29 23:32:54 | 000,013,592 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2010/10/22 13:08:18 | 001,039,360 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\Hp\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2010/09/30 02:06:46 | 000,169,408 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor9.0)
SRV - [2010/02/26 18:27:16 | 000,127,984 | ---- | M] (CinemaNow, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe -- (CinemaNow Service)
SRV - [2010/01/04 13:03:42 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/12/09 13:22:56 | 000,057,344 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\SysWOW64\nlssrv32.exe -- (nlsX86cc)
SRV - [2009/09/30 23:02:50 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2009/09/30 23:02:48 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2009/08/27 17:09:10 | 001,253,376 | ---- | M] (MAGIX AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs)
SRV - [2008/08/07 11:10:02 | 003,276,800 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)

[color=#E56717]========== Driver Services (SafeList) ==========[/color]

DRV:64bit: - [2014/12/12 19:13:03 | 000,019,600 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys -- (NvStreamKms)
DRV:64bit: - [2014/11/22 05:46:30 | 000,038,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvvad64v.sys -- (nvvad_WaveExtensible)
DRV:64bit: - [2014/08/25 21:20:22 | 000,876,248 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1506000.020\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2014/08/25 21:20:22 | 000,037,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1506000.020\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2014/08/06 14:48:16 | 000,266,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1506000.020\ironx64.sys -- (SymIRON)
DRV:64bit: - [2014/07/02 16:29:29 | 000,197,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
DRV:64bit: - [2014/06/19 07:20:04 | 000,035,344 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\npf.sys -- (NPF)
DRV:64bit: - [2014/06/16 01:01:38 | 000,206,080 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudmdm.sys -- (ssudmdm)
DRV:64bit: - [2014/06/16 01:01:38 | 000,110,336 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ssudbus.sys -- (dg_ssudbus)
DRV:64bit: - [2014/03/03 23:18:12 | 001,148,120 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1506000.020\symefa64.sys -- (SymEFA)
DRV:64bit: - [2014/02/17 20:32:41 | 000,593,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1506000.020\symnets.sys -- (SymNetS)
DRV:64bit: - [2013/11/16 16:06:15 | 000,177,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2013/09/25 21:50:25 | 000,162,392 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1506000.020\ccsetx64.sys -- (ccSet_NIS)
DRV:64bit: - [2013/09/09 21:47:26 | 000,493,656 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1506000.020\symds64.sys -- (SymDS)
DRV:64bit: - [2012/08/21 12:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/07/22 11:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
DRV:64bit: - [2011/07/12 16:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
DRV:64bit: - [2011/04/26 10:07:36 | 000,557,848 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010/11/20 08:33:35 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 06:07:05 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/09/01 03:30:58 | 000,017,976 | ---- | M] (Secunia) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\psi_mf.sys -- (PSI)
DRV:64bit: - [2010/07/01 12:11:24 | 000,012,352 | ---- | M] () [Kernel | "Start" not found. | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV:64bit: - [2010/03/19 02:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2010/03/04 09:43:00 | 000,346,144 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Rt64win7.sys -- (RTL8167)
DRV:64bit: - [2009/09/17 15:54:54 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2009/09/11 19:18:28 | 000,032,768 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir3.sys -- (hcw85cir)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV - [2015/01/27 05:16:00 | 002,137,304 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20150127.040\ex64.sys -- (NAVEX15)
DRV - [2015/01/27 05:16:00 | 000,129,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20150127.040\eng64.sys -- (NAVENG)
DRV - [2015/01/13 20:53:48 | 000,668,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20150127.001\IDSviA64.sys -- (IDSVia64)
DRV - [2015/01/06 14:15:26 | 001,622,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20150106.001\BHDrvx64.sys -- (BHDrvx64)
DRV - [2014/12/11 11:17:40 | 000,487,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2014/12/11 11:17:40 | 000,142,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)

[color=#E56717]========== Standard Registry (SafeList) ==========[/color]

[color=#E56717]========== Internet Explorer ==========[/color]

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{D73B6FF7-373F-4202-9D38-01BE29E25ABD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{D73B6FF7-373F-4202-9D38-01BE29E25ABD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.dslreports.com/postlist [Binary data over 200 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/?fr=avantsearch6
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{012681AE-6BA1-4CDF-8234-DEC3105293B4}: "URL" = https://www.google.com/search?q={searchTerms}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{180780f0-b348-4b44-8210-94a8f3ee15b2}: "URL" = http://search.comcast.net/search/?cat=Web&con=toolbar&q={searchTerms}
IE - HKCU\..\SearchScopes\{3D41F773-C2A2-4541-8F58-DF94FA1311D3}: "URL" = http://search.yahoo.com/search?ei=utf-8&fr=chr-vmn&type=photopos2_0yach&q={searchTerms}
IE - HKCU\..\SearchScopes\{8E7A3594-CB07-44C6-8823-6935F931F523}: "URL" = https://search.yahoo.com/search?fr=mcafee&type=B010US0D20140409&p={SearchTerms}
IE - HKCU\..\SearchScopes\{D73B6FF7-373F-4202-9D38-01BE29E25ABD}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = localhost:21320

[color=#E56717]========== FireFox ==========[/color]

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.isUS: true
FF - prefs.js..browser.search.order.1: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://z6.invisionfree.com/The_Mystical_Garden/index.php?act=idx|http://xfinitytv.comcast.net/mytv/list#filter=all|https://www.youtube.com/user/LeviFiction|https://www.flickr.com/photos/37153430@N03/|https://www.google.com/webhp?tab=ww&ei=q_y2VNyUG7j7sATKw4H4Bg&ved=0CAYQ1S4|http://www.dslreports.com/postlist|http://forum.corel.com/EN/viewforum.php?f=56|http://dmbeta.corel.com/bugzilla/buglist.cgi?bug_status=__open__&columnlist=product%2Ccomponent%2Cassigned_to%2Cbug_status%2Cresolution%2Cpriority%2Cversion%2Cshort_desc%2Cchangeddate%2Creporter_realname&list_id=9038&order=bug_id%20DESC&product=PSPX7&query_based_on=Open%20Tickets&query_format=specific|https://www.corelyourway.com/PORTAL/default.aspx?logout=1|http://www2.topazlabs.com/forum/forum.php|http://discuss.topazlabs.com/|http://www.ipernity.com/home/304495|https://us-mg4.mail.yahoo.com/neo/launch?.rand=ctr7ik8joegpv#8889610948|https://king.com/#!|https://www.pinterest.com/mscatz9/|https://www.fitbit.com/|https://www.nutriliving.com/|https://onedrive.live.com/?cid=e84cd2b2625dca07&mkt=en-US&mkt=en-US"
FF - prefs.js..extensions.enabledAddons: %7Bab91efd4-6975-4081-8552-1b3922ed79e2%7D:1.0.19.2
FF - prefs.js..extensions.enabledAddons: %7Baff87fa2-a58e-4edd-b852-0a20203c1e17%7D:0.9
FF - prefs.js..extensions.enabledAddons: %7B4176DFF4-4698-11DE-BEEB-45DA55D89593%7D:0.8.40
FF - prefs.js..extensions.enabledAddons: personas%40christopher.beard:1.7.3
FF - prefs.js..extensions.enabledAddons: %7Baf79f858-4b25-4ca4-822b-b5db1be628fc%7D:0.4.1
FF - prefs.js..extensions.enabledAddons: %7Be4a8a97b-f2ed-450b-b12d-ee082ba24781%7D:2.3
FF - prefs.js..extensions.enabledAddons: btpersonas%40brandthunder.com:1.6.5.1
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.9.11rc1
FF - prefs.js..extensions.enabledAddons: %7B4ED1F68A-5463-4931-9384-8FFF5ED91D92%7D:3.7.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:35.0.1
FF - prefs.js..extensions.enabledItems: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3}:2.0.21
FF - prefs.js..extensions.enabledItems: {9dfaef2c-b772-4bde-b5fc-1f69bd105c17}:3.1
FF - prefs.js..extensions.enabledItems: {AE37D527-6604-461c-8102-975CF8053A2F}:0.5.3.1
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.10
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.67
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.2.3rc4
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:3.2
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:2012.2.1.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}:6.0.29
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&type=A110US0&p="
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.71.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.14\npapicomadapter.dll (Oberon-Media )
FF - HKLM\Software\MozillaPlugins\@rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5: C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@hulu.com/Hulu Desktop: C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.11.1\npHDPlg.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/07/17 14:02:00 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn\ [2015/01/28 10:23:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files (x86)\McAfee\SiteAdvisor [2015/01/28 10:22:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2015/01/27 20:04:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2015/01/27 20:04:57 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/07/17 14:02:00 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2015/01/27 20:04:57 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 35.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2015/01/27 20:04:57 | 000,000,000 | ---D | M]

[2014/03/16 06:28:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Extensions
[2015/01/17 08:38:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions
[2013/01/16 18:25:36 | 000,000,000 | ---D | M] (HP Detect) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
[2014/09/05 19:03:34 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2014/11/29 07:08:57 | 000,000,000 | ---D | M] ("Default Theme Engine - Personas Interactive") -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\btpersonas@brandthunder.com
[2015/01/13 19:17:30 | 000,127,486 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\elemhidehelper@adblockplus.org.xpi
[2014/10/06 19:07:34 | 000,051,082 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi
[2014/05/03 17:47:41 | 000,348,260 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\personas@christopher.beard.xpi
[2014/10/17 09:02:15 | 000,023,913 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\the-addon-bar@GeekInTraining-GiT.xpi
[2014/05/02 11:05:17 | 000,222,800 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}.xpi
[2015/01/17 08:38:43 | 000,544,332 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013/11/28 17:44:22 | 000,058,723 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{9dfaef2c-b772-4bde-b5fc-1f69bd105c17}.xpi
[2014/10/01 06:49:36 | 000,071,151 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{af79f858-4b25-4ca4-822b-b5db1be628fc}.xpi
[2012/05/05 06:51:22 | 000,042,737 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}.xpi
[2015/01/14 19:17:30 | 000,985,112 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2012/01/21 13:51:42 | 000,138,614 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
[2014/10/30 06:14:36 | 000,304,000 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\g9zp7b9o.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
[2015/01/27 20:04:57 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2015/01/27 20:05:03 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2015/01/28 10:22:34 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES (X86)\MCAFEE\SITEADVISOR
[2009/11/06 10:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll
[2009/11/06 10:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll

O1 HOSTS File: ([2015/01/27 20:12:36 | 000,450,892 | R--- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coieplg.dll (Symantec Corporation)
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O2:64bit: - BHO: (HP Network Check Helper) - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coieplg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (HP Network Check Helper) - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O3:64bit: - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coieplg.dll (Symantec Corporation)
O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coieplg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)
O4:64bit: - HKLM..\Run: [NvBackend] C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe (NVIDIA Corporation)
O4:64bit: - HKLM..\Run: [ShadowPlay] C:\Windows\SysNative\nvspcap64.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Fitbit Connect] C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe (Fitbit, Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe (Samsung Electronics Co., Ltd.)
O4 - HKCU..\Run: [f.lux] C:\Users\Kathy\AppData\Local\FluxSoftware\Flux\flux.exe (Flux Software LLC)
O4 - HKCU..\Run: [Fitbit Connect] C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe (Fitbit, Inc.)
O4:64bit: - HKLM..\RunOnce: [NCPluginUpdater] C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe (Hewlett-Packard)
O4 - Startup: C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Kathy\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Christmas Market.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O9:64bit: - Extra Button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O9:64bit: - Extra 'Tools' menuitem : @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O9 - Extra Button: @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-103 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll,-102 - {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe (Hewlett-Packard)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16:64bit: - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8CD70BC0-E643-41B1-8904-BF7838CC2632}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\belarc - No CLSID value found
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\gopher - No CLSID value found
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{41291a6d-2b9c-11e3-a6a4-6c626d02a10d}\Shell - "" = AutoRun
O33 - MountPoints2\{41291a6d-2b9c-11e3-a6a4-6c626d02a10d}\Shell\AutoRun\command - "" = M:\OpenSecureFiles.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2015/01/28 09:17:57 | 000,000,000 | ---D | C] -- C:\Users\Kathy\Desktop\cleanup tools
[2015/01/28 09:04:55 | 000,000,000 | ---D | C] -- C:\Users\Kathy\Desktop\Cleanup
[2015/01/27 20:04:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox
[2015/01/25 19:54:12 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2015/01/25 19:33:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MSECache
[2015/01/13 23:05:40 | 000,052,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\TSWbPrxy.exe
[2015/01/13 23:05:39 | 000,156,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ncsi.dll
[2015/01/13 23:05:37 | 005,553,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2015/01/13 23:05:37 | 003,971,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2015/01/13 23:05:37 | 003,916,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2015/01/13 23:05:36 | 000,503,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srcore.dll
[2015/01/13 23:05:36 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rstrui.exe
[2015/01/13 23:05:36 | 000,050,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\srclient.dll
[2015/01/09 10:18:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Corel PaintShop Pro X7
[2014/12/31 10:50:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MAGIX Services
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2015/01/28 14:03:10 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2015/01/28 14:00:01 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2015/01/28 10:52:17 | 000,129,752 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2015/01/28 10:33:14 | 000,021,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2015/01/28 10:33:14 | 000,021,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2015/01/28 10:24:10 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2015/01/28 10:23:08 | 000,000,332 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForKathy.job
[2015/01/28 10:22:55 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2015/01/28 10:22:37 | 2115,301,375 | -HS- | M] () -- C:\hiberfil.sys
[2015/01/27 20:12:36 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2015/01/27 20:00:04 | 000,786,578 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2015/01/27 20:00:04 | 000,665,304 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2015/01/27 20:00:04 | 000,123,112 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2015/01/27 19:43:49 | 000,001,095 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Christmas Market.lnk
[2015/01/27 19:41:11 | 000,532,688 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2015/01/25 06:03:08 | 000,701,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2015/01/25 06:03:08 | 000,071,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2015/01/21 10:47:30 | 000,001,298 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
[2015/01/21 08:12:47 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20150127-201236.backup
[2015/01/14 17:41:43 | 000,001,139 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2015/01/11 20:15:31 | 000,001,253 | ---- | M] () -- C:\Users\Kathy\Desktop\clipbrd.lnk
[2014/12/31 10:50:24 | 000,000,544 | ---- | M] () -- C:\Windows\tasks\PCDRScheduledMaintenance.job
[2014/12/31 08:38:40 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20150121-081247.backup
[2014/12/31 08:37:45 | 000,450,892 | R--- | M] () -- C:\Windows\SysNative\drivers\etc\hosts.20141231-083839.backup
[1 C:\Program Files (x86)\*.tmp files -> C:\Program Files (x86)\*.tmp -> ]

========== Files Created - No Company Name ==========

[2015/01/27 19:48:59 | 000,000,332 | ---- | C] () -- C:\Windows\tasks\HPCeeScheduleForKathy.job
[2015/01/27 19:40:47 | 000,532,688 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2015/01/11 20:14:57 | 000,001,253 | ---- | C] () -- C:\Users\Kathy\Desktop\clipbrd.lnk
[2015/01/08 11:00:46 | 000,001,139 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2014/12/14 12:20:14 | 000,000,218 | ---- | C] () -- C:\Users\Kathy\AppData\Local\recently-used.xbel
[2014/12/02 10:11:34 | 000,000,056 | RHS- | C] () -- C:\Windows\SysWow64\06D81F1B6D.sys
[2014/12/02 10:03:46 | 000,003,350 | -HS- | C] () -- C:\Windows\SysWow64\KGyGaAvL.sys
[2014/07/30 09:02:59 | 000,775,967 | ---- | C] () -- C:\Users\Kathy\Apo7X-140730-3.png
[2014/07/30 09:02:53 | 000,002,807 | ---- | C] () -- C:\Users\Kathy\renders7X.flame
[2014/06/29 09:34:37 | 000,000,184 | ---- | C] () -- C:\Users\Kathy\AppData\Local\atidt64.dll
[2014/04/30 18:47:48 | 000,081,920 | ---- | C] () -- C:\Windows\SysWow64\issacapi_bs-2.3.dll
[2014/04/30 18:47:48 | 000,065,536 | ---- | C] () -- C:\Windows\SysWow64\issacapi_pe-2.3.dll
[2014/04/30 18:47:48 | 000,057,344 | ---- | C] () -- C:\Windows\SysWow64\issacapi_se-2.3.dll
[2014/04/30 18:47:48 | 000,030,568 | ---- | C] () -- C:\Windows\MusiccityDownload.exe
[2014/04/30 18:47:46 | 000,974,848 | ---- | C] () -- C:\Windows\SysWow64\cis-2.4.dll
[2014/04/11 13:21:53 | 000,001,099 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\ShiftN.ini
[2014/02/20 15:59:21 | 000,121,019 | ---- | C] () -- C:\Windows\POS Themes Backgrounds (Fireworks Pack) Uninstaller.exe
[2013/08/24 08:47:10 | 000,000,131 | RHS- | C] () -- C:\Windows\FF3STET.BIN
[2013/07/05 09:31:55 | 000,000,000 | ---- | C] () -- C:\Windows\Graffiti5.3.ini
[2012/12/19 18:53:02 | 000,000,917 | ---- | C] () -- C:\Users\Kathy\My Photo Stuff - Shortcut.lnk
[2012/12/17 07:48:25 | 000,004,943 | ---- | C] () -- C:\ProgramData\pyknfeyt.slj
[2012/10/20 08:54:20 | 000,048,441 | ---- | C] () -- C:\Users\Kathy\.TransferManager.db
[2012/04/01 08:44:19 | 000,000,310 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\FotoSketcher.ini
[2010/07/24 14:59:06 | 000,007,598 | ---- | C] () -- C:\Users\Kathy\AppData\Local\Resmon.ResmonCfg
[2010/07/17 09:00:17 | 000,052,224 | ---- | C] () -- C:\Users\Kathy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/07/17 08:57:43 | 000,008,402 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/07/17 08:57:43 | 000,000,088 | RHS- | C] () -- C:\ProgramData\E651D35387.sys

========== ZeroAccess Check ==========

[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 21:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/06/24 20:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 07:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2012/09/19 17:10:30 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\.oit
[2014/06/16 13:32:45 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Alien Skin
[2012/06/30 06:35:58 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Anthropics
[2014/03/04 11:42:14 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\AnvSoft
[2014/06/10 10:02:44 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\ArcticLine
[2014/09/30 06:39:24 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\ASAP Utilities
[2014/08/06 09:34:37 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Ashampoo
[2013/08/24 08:39:00 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Athentech
[2014/02/22 11:37:28 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Avant Downloader
[2011/07/16 17:46:36 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2013/08/23 06:22:29 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.comcast.callerid
[2013/08/22 09:16:47 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
[2014/11/23 19:21:21 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.jacquielawson.marketadventcalendar2014
[2011/12/18 19:40:27 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\com.prakaz.project.photogettr.FBAB9E68ED32BC183252F597C39DBF71CF315A79.1
[2015/01/28 10:25:07 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Dropbox
[2011/02/05 20:59:34 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge 2
[2014/05/11 08:55:26 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge 4
[2010/10/05 17:10:01 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 1 - Metals
[2011/06/12 07:59:17 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 2 - Photo Effects
[2011/07/08 18:13:33 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 3 - Frames
[2010/09/04 16:42:47 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 4 - Distortions
[2011/06/12 07:57:35 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 5 - Hearts
[2011/06/12 08:14:53 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Filter Forge Freepack 6 - Patterns
[2014/04/10 18:27:31 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Foxit Software
[2011/12/25 07:47:06 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\FUJIFILM
[2014/12/20 20:34:50 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\inkscape
[2014/09/26 09:55:56 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\IrfanView
[2014/04/22 08:35:46 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Jasc
[2014/08/11 09:44:50 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\KC Softwares
[2014/08/13 06:47:30 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\MAGIX
[2012/02/15 19:56:56 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\mehdiplugins
[2014/03/21 10:55:01 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Nik Software
[2014/07/03 18:32:00 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Oberon Media
[2015/01/18 09:18:29 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\onOne Software
[2014/10/08 08:19:15 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Oracle
[2014/05/10 08:27:46 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PearlMountain
[2010/11/27 13:31:20 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PhotoFiltre
[2015/01/09 10:11:10 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PhotoScape
[2011/07/16 16:48:57 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1
[2010/07/16 16:04:01 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PictureMover
[2011/03/12 15:16:54 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Picturenaut
[2014/09/23 09:51:55 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Pixarra
[2011/11/14 12:11:30 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\proDAD
[2014/08/15 14:52:45 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Recolored
[2014/12/10 11:29:08 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Samsung
[2012/01/03 20:06:25 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\SystemRequirementsLab
[2013/12/05 20:26:46 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\ThePluginSite
[2013/07/05 14:32:19 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Ulead Systems
[2014/04/10 10:13:50 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Visan
[2014/06/04 09:32:33 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Windows Live Writer
[2014/07/09 14:48:00 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Zoner

[color=#E56717]========== Purity Check ==========[/color]

[color=#E56717]========== Alternate Data Streams ==========[/color]

@Alternate Data Stream - 354 bytes -> C:\ProgramData\Temp:B34A7CD6
@Alternate Data Stream - 193 bytes -> C:\ProgramData\Temp:F8B88761
@Alternate Data Stream - 188 bytes -> C:\ProgramData\Temp:5CB1E0D3
@Alternate Data Stream - 153 bytes -> C:\ProgramData\Temp:BFE23423
@Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:810B9F0D
@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:89EAFAFC
Kathy_9

Extras.Txt
134,718 bytes
Here's Extras:

Attaching per forum request as it exceeds 65K.
Kathy_9

Here's Security Check:

Results of screen317's Security Check version 0.99.95
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
[u]``````````````Antivirus/Firewall Check:``````````````[/u]
Windows Firewall Enabled!
Norton Internet Security
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
[u]`````````Anti-malware/Other Utilities Check:`````````[/u]
MVPS Hosts File
SpywareBlaster 5.0
Spybot - Search & Destroy
McAfee SiteAdvisor
Secunia PSI (3.0.0.3001)
Java 7 Update 71
[color=green] Java 64-bit 8 Update 31[/color]
Adobe Flash Player 16.0.0.296
Mozilla Firefox (Meeting.)
[u]````````Process Check: objlist.exe by Laurent````````[/u]
[color=red]Spybot Teatimer.exe is disabled![/color]
Online Games Manager ogmservice.exe
[u]`````````````````System Health check`````````````````[/u]
Total Fragmentation on Drive C: 0%
[u]````````````````````End of Log``````````````````````[/u]
Kathy_9

Here's Eset Online Scan:

C:\Users\All Users\comcastModemRelease\dtuser.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSS.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSHelper.dll a variant of Win32/Systweak.N potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSPrivacyProtector.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSRegClean.exe a variant of Win32/Systweak potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSRegistryOptimizer.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\Program Files (x86)\WinZip\Utils\WzSysScan\WINZIPSSSystemCleaner.exe a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined
C:\ProgramData\comcastModemRelease\dtuser.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application deleted - quarantined

TheJoker
MVM
join:2001-04-26
Charlottesville, VA

TheJoker to Kathy_9

Re: [Virus] Windows Control Processor Virus - Possibly Conhost?

Hi Kathy_9
quote:
Adding all attachments to this post in case it makes it easier.
That does make it easier, as the board software adds line returns making it hard to read, and harder to include in a fix.

Please go to Start > Programs and Features, and uninstall the following if found:
Coupon Printer

- Copy the text in the quote box below to the clipboard by highlighting all the text inside the box (be sure you include the colon before OTL) and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
quote:
:OTL
[2009/11/06 10:37:19 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll
[2009/11/06 10:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll
@Alternate Data Stream - 354 bytes -> C:\ProgramData\Temp:B34A7CD6
@Alternate Data Stream - 193 bytes -> C:\ProgramData\Temp:F8B88761
@Alternate Data Stream - 188 bytes -> C:\ProgramData\Temp:5CB1E0D3
@Alternate Data Stream - 153 bytes -> C:\ProgramData\Temp:BFE23423
@Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:810B9F0D
@Alternate Data Stream - 128 bytes -> C:\Windows:nlsPreferences
@Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34
@Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:89EAFAFC
:Commands
[EmptyTemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]

- Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
- Click the red Run Fix button.
- A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTL.exe

Download the below tool
Farbar Recovery Scan Tool (64 bit)

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will create a log (FRST.txt) in the same directory the tool is run.
The first time the tool is run, it creates another log (Addition.txt).
Please attach both files.

Please attach the log from OTL, the two files from FRST (FRST.txt and Addition.txt), and note any errors encountered.

Kathy_9

Good morning and thanks for helping.

1. Coupon Printer was not found in the Control Panel
2. Carefully copied and ran OTL Fix but did not get a log. It ran for a second or two and then I got the screen that offers the different F-Key Functions. I just let it sit there and eventually it booted back to my login to desktop screen.
3. Once I logged in I got a Windows dialog box complaining of an unexpected error. I'll attach the text.
4. Tried to download Farbar Recovery Scan Tool but Norton interfered. I'll attach that also.

Please let me know what to do next - thanks.

TheJoker

I just checked on a system with Norton, and it is interfering with the download of FRST. It sometimes happens, particularly with heuristic analysis, that some of the tools we use are identified incorrectly as a risk as a false positive.

While logged on as Administrator, right-click on the Norton icon in the System Tray and select:
Disable Antivirus Auto-Protect

In the window that opens, select the option for 15 minutes.

Now download FRST again:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

Then follow the previous instructions to run FRST:
Save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will create a log (FRST.txt) in the same directory the tool is run.
The first time the tool is run, it creates another log (Addition.txt).
Please attach both files.

Then go back and re-enable Norton:
Right-click on the Norton icon in the System Tray
Select Enable Antivirus Auto-Protect

Please attach both files from FRST, and note any errors encountered.

Kathy_9

FRST.txt
46,008 bytes
Addition.txt
94,134 bytes
Both logs attached and AV Auto Protect has been re-enabled.

You didn't say anything about the OTL log that didn't appear. Should I just forget about that?

Thanks.

TheJoker to Kathy_9

Not sure why OTL had a problem with the fix, but everything that was in there can be fixed without OTL.

But first:
Do you know why you are running a proxy? Was that intentionally configured, or were you not aware of it?

Do you know why you have all those entries under scheduled tasks that point to pcalua.exe (Program Compatibility Assistant), most point to files in a download folder. Some of them also reference a key generator to illegally bypass registration. Using key generators, cracks, or even just visiting the sites that host that type of illegal software is the quickest way to get infected.

Were you intentionally running McAfee Site Advisor, or was that an unintentional installation?

Kathy_9

I was not aware of a proxy.

Not sure about scheduled tasks pointing to pcalua.exe. I have no idea what that is.
The only tasks that I have scheduled are the weekly system backup that I disabled yesterday until this is fixed, and Super Anti-spyware.

Also don't know about any key generator.

McAfee Site Advisor is unintentional.

Thank you.

TheJoker to Kathy_9

quote:
Also don't know about any key generator.

Are there other users on the system?
This downloaded program included a key generator to bypass registration:
C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE

I would recommend removing that, and uninstalling Alien Skin Eye Candy 6

Sorry for the delay, but the Scheduled Tasks took some time to research.

Before proceeding please follow the instructions here to create a Restore Point:
»windows.microsoft.com/en ··· re-point

Go to Start > Control Panel > Programs and Features and uninstall the following program:
McAfee SiteAdvisor

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
 
ProxyServer: [S-1-5-21-3953604979-3912728852-2169977925-1001] => localhost:21320
HKLM-x32\...\Run: [] => [X]
Startup: C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Christmas Market.lnk
ShortcutTarget: JL Christmas Market.lnk -> C:\Program Files (x86)\JL Christmas Market\JL Christmas Market.exe (No File)
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
2012-12-17 07:48 - 2012-12-17 07:48 - 0004943 _____ () C:\ProgramData\pyknfeyt.slj
HKU\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Classes\exefile:  <===== ATTENTION!
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
AlternateDataStreams: C:\ProgramData\Temp:5CB1E0D3
AlternateDataStreams: C:\ProgramData\Temp:810B9F0D
AlternateDataStreams: C:\ProgramData\Temp:89EAFAFC
AlternateDataStreams: C:\ProgramData\Temp:B34A7CD6
AlternateDataStreams: C:\ProgramData\Temp:BFE23423
AlternateDataStreams: C:\ProgramData\Temp:F8B88761
Task: {0F68B6FA-AA73-4C95-8855-2AF1BC4EC8BF} - System32\Tasks\{1ACEDBC1-4893-4B59-A31A-B2103F544D5D} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a1.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {10D004D7-7A63-490A-A72E-D97BA25E348C} - System32\Tasks\{817ABCA4-752C-40C9-8C6A-1AEE82A7F3EB} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Filter Forge Freepack 2 Setup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {16D3DA01-A888-431D-9AAD-7AA1D53113AE} - System32\Tasks\{9A054153-16E7-44D0-8617-DAED3D09692F} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a6.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {1B097FAE-A3EF-414F-82B2-3CE8C78F79FE} - System32\Tasks\{60255A92-AA8A-4722-B8D2-8480105C685D} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Blow.Up.v2.0.4.Incl.Keymaker-CORE\Blow Up\blow-up-2.0.4.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Blow.Up.v2.0.4.Incl.Keymaker-CORE\Blow Up"
Task: {23CFA168-2573-4DE5-B700-72800B091ED1} - System32\Tasks\{6E0203FC-056F-4389-9F0A-C672C3519FC0} => pcalua.exe -a C:\Users\Kathy\Downloads\abrViewer.Net_1.0.2_Install.exe -d C:\Users\Kathy\Downloads
Task: {23F143FF-EE2B-44C1-BF36-FE613AFDCAF7} - System32\Tasks\{E6B3D9CA-3361-4E3B-8F95-76F84DEBF3D6} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupPerfectum2030646.exe -d C:\Users\Kathy\Downloads
Task: {24513946-E213-4F53-A6CF-A7F24C3D9855} - System32\Tasks\{C1F0ADFE-581E-43C3-A410-530840C40A9B} => pcalua.exe -a C:\Users\Kathy\Downloads\VinesAndBranchesFrames.exe -d C:\Users\Kathy\Downloads
Task: {2B80A7F5-4894-4B55-BE33-49F6D5545AC9} - System32\Tasks\{A02E134D-AB69-4F52-ACE0-BE7583AE672E} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a2.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {2CFB67FF-3C62-4148-8C25-086471593A3D} - System32\Tasks\{26D14018-367C-4E6B-92CD-F0FFD806C51D} => pcalua.exe -a C:\Users\Kathy\Downloads\Paint.NET.MegaloFileTypesPack.v11.exe -d C:\Users\Kathy\Downloads
Task: {2F489FFD-282E-49E2-BC73-D1EBAFE78E69} - System32\Tasks\{05E1F391-7E78-48E5-921D-24A631FA35B6} => pcalua.exe -a C:\Users\Kathy\AppData\Local\Temp\wz1b20\Allkang.exe -d "C:\Users\Kathy\Documents\My PSP Files\Plugins"
Task: {37F04516-63C8-4B93-A96B-886D703A6CA6} - System32\Tasks\{46CB1BFC-5977-45F1-AF59-CBF2BD530278} => pcalua.exe -a C:\Users\Kathy\Downloads\FFS3_Bonus_Dazzling_Look.exe -d C:\Users\Kathy\Downloads
Task: {3CE9293B-AC5A-4171-AEBB-C7275FC81B41} - System32\Tasks\{1185A5DA-971C-4643-864B-B109284106D8} => pcalua.exe -a C:\Users\Kathy\AppData\Local\Temp\wzc7a6\Allkang.exe -d "C:\Users\Kathy\Documents\My PSP Files\Plugins"
Task: {409717B8-AA34-4AA6-A0B2-97118E169590} - System32\Tasks\{9B26A640-96B9-4D1E-8F94-4CC8774481F6} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a4.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {435988D0-ED14-4D6C-B778-A0D1B67825CD} - System32\Tasks\{C09F4890-D064-460D-B9A0-17D090FC2DC5} => pcalua.exe -a C:\Users\Kathy\Downloads\dreamy_setup.exe -d C:\Users\Kathy\Downloads
Task: {48486E61-A6E9-4C3E-BA70-D5164CF8B32C} - System32\Tasks\{F012A54E-F532-4328-B6BE-EF7CD3457D66} => pcalua.exe -a C:\Users\Kathy\Downloads\HolidaysTubes.exe -d C:\Users\Kathy\Downloads
Task: {4AB896EC-9B97-4994-9465-B47754BFD73E} - System32\Tasks\{3F7B2B61-550F-4B18-B344-1CC84F408F6F} => pcalua.exe -a C:\Windows\unvise32.exe -c c:\users\kathy\documents\my psp files\DreamSuite Bonus\DreamSuite Bonus Uninstall.log
Task: {4EA4C385-1F08-4E3D-B256-B13B53E6B91F} - System32\Tasks\{FE4B931D-5F23-43CD-AB1F-FCBA4A37E184} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupRedfield++.exe -d C:\Users\Kathy\Downloads
Task: {5037EBD1-8B98-4293-86C2-BE458CB4543F} - System32\Tasks\{688AF097-B09D-4848-8A43-F71B003C1A1C} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a3.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {5D87CEB5-C5D9-445D-9509-D9C7C466EC16} - System32\Tasks\{8A0AB714-BC02-4470-A541-D15333780125} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupFaceControl.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {5FABC0F1-A717-4820-8ABA-F372F537A383} - System32\Tasks\{A26AA06A-F5DD-4ECB-A5EC-359C9BF4E1CA} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Filter Forge Freepack 3 Setup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {6DCC21BB-79F4-49F6-A12E-23581340AB33} - System32\Tasks\{79574649-A98F-4024-861D-FFEE5AE2F6BE} => pcalua.exe -a C:\Users\Kathy\Downloads\WinterHolidayFrames.exe -d C:\Users\Kathy\Downloads
Task: {6F0E738A-CA24-43B4-A83A-868A9838D5F5} - System32\Tasks\{C9AB444D-F1E7-4872-B745-BDEE09F98966} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupPerfectum354948(2).exe -d C:\Users\Kathy\Downloads
Task: {77B0D1F5-759F-4A88-93EE-A82244904658} - System32\Tasks\{99F71CC1-ABF2-4F75-9B2D-EE1A50D5F7E8} => pcalua.exe -a C:\Users\Kathy\Downloads\filtersunlimited20e-full(2).exe -d C:\Users\Kathy\Downloads
Task: {83088B9A-849A-4F52-A20B-FBBADBF287C7} - System32\Tasks\{8ECA9A7A-69CA-4157-A49C-2BB3F157C332} => pcalua.exe -a C:\Users\Kathy\Downloads\English_Jasc_Paint_Shop_Xtras_Creative_Edition_2.exe -d C:\Users\Kathy\Downloads
Task: {867F4EEF-99BF-4791-AC24-F8AECF335902} - System32\Tasks\{0C4B8021-1289-4687-BA95-F8188A899F1D} => pcalua.exe -a C:\Users\Kathy\Downloads\tbrusha.exe -d C:\Users\Kathy\Downloads
Task: {8BFB36B2-E1DB-438C-A1E9-2986E4E21E6C} - System32\Tasks\{54FAC0A8-DFB2-4047-AD3B-BA2D71F8557E} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\English_Jasc_Paint_Shop_Xtras_Creative_Edition_2.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {8C99E783-7216-4008-8ACC-0630AE4C928E} - System32\Tasks\{80699B44-D1D7-4B4A-AA82-22C2ABD67CF9} => pcalua.exe -a C:\Users\Kathy\Downloads\tbrusha_1818-June2014.exe -d C:\Users\Kathy\Downloads
Task: {94266A31-4955-4D26-B12D-A06F087F4768} - System32\Tasks\{89AD1CAC-2EB4-4094-B85C-2BAFD6D6FACD} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupRedfieldPlugins.exe -d C:\Users\Kathy\Downloads
Task: {9604DB45-4634-46F4-A4C7-0F22C67423E0} - System32\Tasks\{6760397B-C9DA-48A4-A74A-B4F650C01D45} => pcalua.exe -a C:\Users\Kathy\Downloads\irfanview_plugins_438_setup.exe -d C:\Users\Kathy\Downloads
Task: {96BB3AA0-033D-405F-9797-ABD2FB557381} - System32\Tasks\{3BC92536-CBFF-4F3C-8E61-4D0FCA2EE7F3} => pcalua.exe -a "C:\Program Files (x86)\Corel\Corel Painter Photo Essentials 4\MSILauncher.exe" -c "{707EB912-C597-49D8-9460-46CC9AB03EBE}"
Task: {98A2FE91-B2D9-43EE-92F6-FFB5FAB248CD} - System32\Tasks\{F387808A-4A59-4D47-A873-71DE9F6A188E} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupRedfield++.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {9BB076C3-BE92-4EE3-8E1C-4A2D71B8F6C2} - System32\Tasks\{5017321A-DA9E-4324-BB8C-7F38B03A5D79} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a5.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {A1F56E65-A2EF-43A9-829C-C31A3996DD60} - System32\Tasks\{A055966E-7A14-4DD5-BC37-89DC3E15783F} => pcalua.exe -a "C:\Users\Kathy\Documents\My PSP Files\Plugins\PhotoFreebies\PluginInstaller.exe" -d "C:\Users\Kathy\Documents\My PSP Files\Plugins\PhotoFreebies"
Task: {A812FCF0-5DA3-4192-9240-462E4AF9DE2D} - System32\Tasks\{5280E8EF-12A5-4AAF-9B02-E882A9FB4C65} => pcalua.exe -a C:\Users\Kathy\Downloads\Effects-MegaloPack.Paint.NET.v18.exe -d C:\Users\Kathy\Downloads
Task: {A8F4D32A-06C9-4084-87E9-DA44EDE49ED0} - System32\Tasks\{320201B5-75C4-4D23-8899-5C18E5588035} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupFineTouch.exe -d C:\Users\Kathy\Downloads
Task: {AA136032-C479-4B1F-830C-DD6BC68A04D1} - System32\Tasks\{AC47AC0F-C4CB-4D25-AF8F-CB5F4A17C0CE} => pcalua.exe -a "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller\Revouninstaller.exe" -d "C:\Program Files (x86)\VS Revo Group\Revo Uninstaller"
Task: {AA29C07A-99D0-4016-AA26-87380824333B} - System32\Tasks\{1C5D3556-C7DE-4C10-8B1D-CABE891932FD} => pcalua.exe -a C:\Users\Kathy\Downloads\05_21_framesPSPA.exe -d C:\Users\Kathy\Downloads
Task: {AA729155-DC08-4E26-AF1A-412F3E445FEC} - System32\Tasks\{1F955483-CDF2-4D2C-B25D-0D5A9FFD213E} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\GMLMatting0.3_setup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {AEA01EC8-2987-4F90-B6DE-3A2731A82D54} - System32\Tasks\{15632644-87BC-4372-954F-6D70AB2C4E20} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupRedfieldPlugins.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {AF2FBE90-DAB8-4F9D-8CAD-C077A18F012C} - System32\Tasks\{F6CA2137-D906-4A26-96E8-4F503FE33A7D} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins\SetupPerfectum2030646.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc\Redfield_Plugins"
Task: {B249E3C7-4BCF-4735-AA94-EC16C722DEAE} - System32\Tasks\{C25FEE84-56BF-464C-8E9E-0CE659BC9562} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupPerfectum354948.exe -d C:\Users\Kathy\Downloads
Task: {BAA652EE-0427-40D3-B204-4947323BE925} - System32\Tasks\{E4FA5BC4-6550-4D72-B806-E2DCD4A871D2} => pcalua.exe -a C:\PROGRA~2\Corel\CORELP~1\X3\PSPCLA~1\PlugIns\ALIENS~1\EYECAN~1\Unwise32.exe -c C:\PROGRA~2\Corel\CORELP~1\X3\PSPCLA~1\PlugIns\ALIENS~1\EYECAN~1\INSTALL.LOG
Task: {CBBC2300-224E-4E83-A770-4931BB332CA4} - System32\Tasks\{401C0C84-8694-4178-BC42-54C1076C037B} => pcalua.exe -a "C:\Users\Kathy\Downloads\PSP Plugins, etc\vPsetup.exe" -d "C:\Users\Kathy\Downloads\PSP Plugins, etc"
Task: {CCD849A2-2B43-4E4D-9343-B300B08A7044} - System32\Tasks\{95CCF640-FC8B-4E50-8CB3-45E00A2CC7CE} => pcalua.exe -a C:\Users\Kathy\Downloads\abrViewer.Net_1.0.2_Install(2).exe -d C:\Users\Kathy\Downloads
Task: {CF9D79FC-2153-46EE-8DB8-518E8738D769} - System32\Tasks\{8AD11566-1D8A-449D-91C1-0450556E9CB6} => pcalua.exe -a C:\Users\Kathy\DOCUME~1\MYPSPF~1\ALIENS~1\SNAPAR~1\Unwise32.exe -c C:\Users\Kathy\DOCUME~1\MYPSPF~1\ALIENS~1\SNAPAR~1\INSTALL.LOG
Task: {D0EC92CB-1D99-443E-8221-BBBE14B5C82D} - System32\Tasks\{7C1CA14C-691F-49F6-9E76-64D3D999FFF0} => pcalua.exe -a C:\Users\Kathy\Downloads\WhimsicalTubes.exe -d C:\Users\Kathy\Downloads
Task: {D0F79290-5950-4633-80C2-FD9A44DFFE91} - System32\Tasks\{F7764E76-7B22-4C5A-A98D-A1527A5D358D} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupSketchMaster8305210.exe -d C:\Users\Kathy\Downloads
Task: {D668AE95-DA6E-4E8E-9B03-87CAD53CBC2F} - System32\Tasks\{C2957340-8625-4CCF-B03E-D18F43AFC2BC} => pcalua.exe -a C:\Users\Kathy\Downloads\FFS3_Bonus_Dazzling_Look.exe -d C:\Users\Kathy\Downloads
Task: {E74EA48E-5F83-449A-B614-CFD3B9834CCD} - System32\Tasks\{0BFF6FFC-29C6-4C03-9C68-36C612084BE3} => pcalua.exe -a C:\Users\Kathy\Downloads\Pp10f.exe -d C:\Users\Kathy\Downloads
Task: {F1F18B2E-7FE2-4AD5-AC1C-94AFAEC284B7} - System32\Tasks\{606FADBD-F87D-4788-A8BF-AB1D0259FC9B} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupFaceControl.exe -d C:\Users\Kathy\Downloads
Task: {F5B8E532-25D3-4BD9-B688-94524D91D9C2} - System32\Tasks\{C40EADC6-69E2-4CD5-AB4F-317D39636F4A} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupSketchMaster.exe -d C:\Users\Kathy\Downloads
Task: {F90D4142-ED5C-4B47-A7B1-0CB7715AA357} - System32\Tasks\{603D2F89-3221-4C01-9DD9-D434E4C22ADC} => pcalua.exe -a "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE\eye-candy-6.0.0a7.exe" -d "C:\Users\Kathy\Desktop\Alien Download\Alien.Skin.Eye.Candy.v6.0.0a.Incl.Keymaker-CORE"
Task: {FE3CDE37-98D3-4B6F-9E73-596200C670CB} - System32\Tasks\{B51086A1-FAB1-4E93-8DBB-B261856D3F47} => pcalua.exe -a C:\Users\Kathy\Downloads\SetupFractalius.exe -d C:\Users\Kathy\Downloads
 
end
 

Save the file as fixlist.txt in to the same folder as Farbar Recovery Scan Tool (FRST)
Run FRST and click Fix only once and wait
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will create a log on the Desktop (Fixlog.txt). Please attach it to your next reply.

Please go to VirusTotal and submit the following file for a scan and post the link to the detection results:
C:\ProgramData\E651D35387.sys

Please attach the log from FRST (Fixlog.txt), post the link to the results from scanning the file at Virustotal, and note any errors encountered.
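
An added triage example, not code from this thread, from FRST or from TheJoker: it reads FRST-style lines of the three kinds that appear in the fixlist above (pcalua.exe scheduled tasks, the ProxyServer entry and AlternateDataStreams) and flags the ones a responder would check first. The sample lines, GUIDs, SID and user name are constructed, and the keyword list and location rules are my own assumptions.

```python
r"""Triage of FRST-style log lines (added example; not code from the thread or from FRST).

Three line shapes from the fixlist are recognised:
  Task: {GUID} - System32\Tasks\{GUID} => pcalua.exe -a <program> -d <dir>
  ProxyServer: [<SID>] => host:port
  AlternateDataStreams: <path>:<stream>
Every other line is ignored.
"""
import re

TASK_RE = re.compile(r'^Task: \{(?P<task_id>[0-9A-Fa-f-]+)\} - (?P<name>\S+) => (?P<cmd>.+)$')
PROXY_RE = re.compile(r'^ProxyServer: \[(?P<sid>S-[0-9-]+)\] => (?P<proxy>\S+)$')
ADS_RE = re.compile(r'^AlternateDataStreams: (?P<path>.+):(?P<stream>[^:\\]+)$')
# One command-line argument: a double-quoted string or a run of non-whitespace.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')

# Filename hints for cracked software (assumption; the thread's tasks point at a "Keymaker" folder).
PIRACY_HINTS = ('keymaker', 'keygen', 'crack')


def split_args(cmd):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmd)]


def pcalua_target(cmd):
    """Program launched by a 'pcalua.exe -a <program>' command, or None for other commands."""
    args = split_args(cmd)
    if not args or args[0].lower() != 'pcalua.exe':
        return None
    for i in range(len(args) - 1):
        if args[i] == '-a':
            return args[i + 1]
    return None


def classify_target(path):
    """Reasons a launched program deserves a look; an empty list means nothing notable."""
    low = path.lower()
    reasons = []
    if any(hint in low for hint in PIRACY_HINTS):
        reasons.append('keygen-hint')
    if '\\temp\\' in low:
        reasons.append('runs-from-temp')
    elif '\\users\\' in low or '\\programdata\\' in low:
        reasons.append('user-writable')
    return reasons


def triage(lines):
    """Return a list of findings (dicts) for the lines worth a responder's attention."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = TASK_RE.match(line)
        if m:
            target = pcalua_target(m.group('cmd'))
            if target is not None:
                reasons = classify_target(target)
                if reasons:
                    findings.append({'kind': 'task', 'id': m.group('task_id'),
                                     'target': target, 'reasons': reasons})
            continue
        m = PROXY_RE.match(line)
        if m:
            host = m.group('proxy').rsplit(':', 1)[0].lower()
            # The user in the thread did not set up a proxy; a loopback proxy means
            # some local program is relaying (and can inspect) the browser traffic.
            reasons = ['loopback-proxy'] if host in ('localhost', '127.0.0.1') else ['proxy-set']
            findings.append({'kind': 'proxy', 'sid': m.group('sid'),
                             'proxy': m.group('proxy'), 'reasons': reasons})
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append({'kind': 'ads', 'path': m.group('path'),
                             'stream': m.group('stream'), 'reasons': ['alternate-data-stream']})
    return findings


# Constructed sample modelled on the fixlist above (placeholder GUIDs, SID and user name).
SAMPLE_LOG = r"""
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\{11111111-1111-1111-1111-111111111111} => pcalua.exe -a "C:\Users\user\Desktop\Vendor Download\Vendor.Tool.v6.Incl.Keymaker-GROUP\setup1.exe" -d "C:\Users\user\Desktop\Vendor Download\Vendor.Tool.v6.Incl.Keymaker-GROUP"
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\{22222222-2222-2222-2222-222222222222} => pcalua.exe -a C:\Users\user\AppData\Local\Temp\wz1b20\Unpacked.exe -d "C:\Users\user\Documents\My PSP Files\Plugins"
Task: {00000000-0000-0000-0000-000000000003} - System32\Tasks\{33333333-3333-3333-3333-333333333333} => pcalua.exe -a C:\Windows\unvise32.exe -c C:\Users\user\Documents\Uninstall.log
Task: {00000000-0000-0000-0000-000000000004} - System32\Tasks\{44444444-4444-4444-4444-444444444444} => pcalua.exe -a C:\Users\user\Downloads\SetupPlugin.exe -d C:\Users\user\Downloads
ProxyServer: [S-1-5-21-0-0-0-1001] => localhost:21320
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
HKLM-x32\...\Run: [] => [X]
"""

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG.splitlines()):
        what = finding.get('target') or finding.get('proxy') or finding.get('path')
        print(finding['kind'], ', '.join(finding['reasons']), what)
```

The task pointing at C:\Windows is dropped as unremarkable, which is the point: only the pcalua.exe tasks whose program lives somewhere a user (or a dropper) can write are reported.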

Kathy_9

Thanks - I'll get started on your instructions and post back. My nephew sometimes uses this computer but I can put a stop to that.
Kathy_9

Alien & McAfee removed; restore point created; ran FRST fix (log attached); file scanned at VirusTotal »www.virustotal.com/en/fi ··· 2834912/

TheJoker to Kathy_9

Please re-do the instructions being sure you run FRST (Farbar Recovery Scan Tool) rather than OTL. From the last line in the log it appears you inadvertently ran OTL instead of FRST.

Kathy_9

You're right and I see what happened. I remember running FRST and Norton roared again so I temporarily disabled auto-protect and when I went back to run it again I hit OTL not noticing that Norton had deleted FRST.

I've attached the correct log.
Fixlog.txt
43767 bytes


Does this take care of the mystery proxy? Do I have to re-submit the file to VirusTotal or was that part okay?

Thanks again.

TheJoker to Kathy_9

The Proxy Server was taken care of:
quote:
HKU\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
Let's check a bit further.

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:
»www.bleepingcomputer.com ··· combofix

* Ensure you have disabled all anti virus and anti malware programs (to include Norton and Spybot Search & Destroy) so they do not interfere with the running of ComboFix (CF).
Please go here to see a list of programs that need to be disabled.
**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**
**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

Please post the log from ComboFix (C:\ComboFix.txt) in your next reply, and note any errors encountered.

Kathy_9

ComboFix.txt
44,004 bytes
Combofix log attached.

Thank you.

TheJoker to Kathy_9

Please attach the following file for review:
C:\Qoobox\ComboFix-quarantined-files.txt

Kathy_9

Here's the log. Thank you.

TheJoker to Kathy_9

ComboFix deleted two files that I would like you to scan at VirusTotal.

Please go to VirusTotal and submit the following files for a scan and post the link to the detection results for each:
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\Photoshop.exe.vir
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\SHFOLDER.dll.vir
TheJoker to Kathy_9

Please also check to see if Photoshop still runs. The location Photoshop.exe was in doesn't appear to be the correct location. It may have been an extra unneeded copy.

Kathy_9 to TheJoker

Here are the links to VirusTotal that you requested:

»www.virustotal.com/en/fi ··· 3057376/

»www.virustotal.com/en/fi ··· 3057546/

I can't find Photoshop to try and run it, but that is okay since I don't use it. Should I just try to remove it via the Control Panel?

Thank you.

TheJoker to Kathy_9

You don't see it listed anywhere when you go to Start > All Programs? It's listed in your Installed Programs list. Photoshop Creative Suite would be an extremely expensive program to uninstall unnecessarily, and it's no longer available as a purchased program. It's now only available as a "cloud" program that you pay a hefty monthly subscription for.

Let's check on that.
Please download SystemLook_x64 from one of the links below and save it to your Desktop.
http://jpshortstuff.247fixes.com/SystemLook_x64.exe
http://images.malwareremoval.com/jpshortstuff/SystemLook_x64.exe

- Double-click SystemLook_x64.exe to run it.
- Copy the content of the following codebox into the main textfield
:dir
c:\program files (x86)\Adobe /s

- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.

Download CKScanner from here:
http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Doubleclick CKScanner.exe (Right click and "Run as administrator" in Vista/Win7).
Give permission if necessary, and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved. Please run the program once only.
Double-click the CKFiles.txt icon on your desktop and attach the log in your next reply.

Please attach the logs from SystemLook and CKScanner, and note any errors encountered.

Kathy_9 (Premium Member, join:2005-05-15, Cloud 9):
SystemLook.txt
1,565,796 bytes
Correct, it is not under Start -> All Programs. The only thing in the Adobe folder is Extend Script Toolkit. I prefer PSP to PS so I won't miss it. I guess it's all what you are used to. I have PS Elements also but still prefer PSP.

Systemlook log attached.

Norton is complaining again about CKScanner. Do you want to test the link before I disable auto-protect?

Thanks.

TheJoker (MVM, join:2001-04-26, Charlottesville, VA) to Kathy_9:
There's nothing malicious about the file. You can disable Norton, follow the instructions for CKScanner, and then re-enable Norton and attach the log.

It looks like Photoshop was installed into a non-default folder. We can move the two files back in a bit and then you can see if Photoshop works OK, and you can decide if you want to keep it or uninstall it. It's Photoshop Elements' big brother. Harder to use as there are so many options, but a more powerful graphics editing program. I use Photoshop Elements myself.

Kathy_9 (Premium Member, join:2005-05-15, Cloud 9):

ckfiles.txt
4,378 bytes
Okay - here's the file. Thank you.

TheJoker (MVM, join:2001-04-26, Charlottesville, VA) to Kathy_9:
Nothing wrong there. I'll be back later tonight. There is a potential item to fix with ComboFix, and after that we can start cleanup of the tools that we used.
TheJoker (MVM):

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save the file to your Desktop.
Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.

Please go here to see a list of programs that need to be disabled.
For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your Desktop.

DeQuarantine::
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\Photoshop.exe.vir
C:\Qoobox\Quarantine\C\Program Files (x86)\Adobe\SHFOLDER.dll.vir
 
RegNull::
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥uE¥uîYna&#131;ÖI]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥9uE¥9u.WOW&#140;ô¹E(&#147;;*ô»;*Ø&#142;;*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥BuE¥Bu.WÝZ>Q³ÇÈ&#146;o*&#148;»o*x&#142;o*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥QvE¥Qv.WµYaļi(&#143;D*ô·D*Ø&#138;D*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥svE¥svîYæQi&#148;-D]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥&#146;vE¥&#146;v\CU%µ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥&#146;vE¥&#146;v\-V7áöí]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. jpg þÿÿÿE¥&#146;vE¥&#146;v\b&#142;zÌ6]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥¦vE¥¦v~8õUèg&#131;r]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥èvE¥èv¾Z`^Ö̲&#152;&#142;3*d·3*H&#138;3*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥îvE¥îv´)ûW&#140;U©ï]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿE¥*wE¥*w¾Z'ZgY1ðÈ&#150;-*½-*x&#146;-*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥«t[¥«tù7¯e}[é]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥6u[¥6u&#128;1ü[á&#153;7]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. jpg þÿÿÿ[¥[u[¥[u&#128;1&#147;[¹º&#159;]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥[u[¥[u&#128;1L\@9,ö]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥&#128;u[¥&#128;uù7kZÜ[¼]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥&#129;u[¥&#129;uÛE·^&#143;(Ø¿¢0*äÊ0*È&#157;0*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥&#157;u[¥&#157;u&#128;1ø\-Ô¯]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥&#157;u[¥&#157;u&#128;1]«¬&#140;±]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥¤u[¥¤uù7£Z¾Ú¡o]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥°u[¥°uÛE&#142;YWÌ.·]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥Ov[¥Ovù7&#135;nQ sæ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥hv[¥hvù7öW&#156;Ü$]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥Àv[¥Àv&#128;1&#159;_ä&#156;XÃ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*jpg*þÿÿÿ[¥¢w[¥¢w&#128;1Ï[AQÍÊ]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*pspimage*e&#128;tRº!þÿÿÿE¥}tE¥}tîYIYù$ìì&#150;-*8½-* &#146;-*,*]
[HKEY_USERS\S-1-5-21-3953604979-3912728852-2169977925-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*pspimage*eÉv¨zþÿÿÿE¥ÆvE¥Æv~8L\=0(5Ü&#148;B*(»B*&#144;&#144;B*,*]
Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt. Please attach that log in your next reply and note any errors encountered.
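
The RegNull:: section of the CFScript above lists FileExts subkeys whose names are made of junk and control characters rather than a plain extension. As an added PowerShell example, not from the thread and not part of ComboFix, the script below enumerates the same FileExts branch for the logged-on user and reports any subkey name that is not printable ASCII, printing each character's code point so that an entry can be matched against the ComboFix log. It uses HKCU, which is the same hive as HKEY_USERS\<SID> for the user running it; the assumption that legitimate subkeys here look like .jpg or .pspimage is mine. It only reports and removes nothing.

```powershell
# Added example (not from the thread): list FileExts subkeys with non-printable
# or non-ASCII names, the kind of entries the CFScript's RegNull:: section names.
# Assumption: normal subkeys under FileExts are plain ASCII extensions (".jpg").
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'

function Get-SuspectFileExtKeys {
    param([string]$Path = $base)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        # Anything outside 0x21-0x7E: space, NUL, other control chars, 0x80 and above
        if ($name -match '[^\x21-\x7E]') {
            [pscustomobject]@{
                Name       = $name
                Length     = $name.Length
                CodePoints = ($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
                FullPath   = $_.Name
            }
        }
    }
}

Get-SuspectFileExtKeys | Format-Table -AutoSize -Wrap
```

A subkey whose name contains an embedded NUL is not reliably reachable through the Win32 registry API that PowerShell and regedit use, so an empty report does not by itself prove the branch is clean; that is the case a native-API tool such as ComboFix's RegNull:: handles, and the listing here is a way to see what the script is about to touch, not a substitute for it.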