Possible infection name: Gen:Adware.MPlug.1(B), ADCLICK-DS Trojan, AB


#16 gringo_pr (Trusted Helper, Malware Removal)
Hello

does this only happen on one web page?


gringo

#17 Arkanfel (Topic Starter, Member)
Hello Gringo,

No, the popup happens on just about any other web page. Either that, or p.employmentapplicationsforally.asia shows up as a page that is blocked by Requestpolicy. I've started to see that url as blocked on other pages, where it was never a part of their site to begin with. Say I'm blocking pages on facebook, youtube, duckduckgo, twitter, ebay, wikipedia, or some other page. On the list of blocked sites it is there, albeit seemingly at random; where it wasn't before. Thanks for helping me out.

Arkanfel

#18 gringo_pr (Trusted Helper, Malware Removal)
Hello Arkanfel

Malwarebytes Anti-Rootkit

1.Download Malwarebytes Anti-Rootkit
2.Unzip the contents to a folder in a convenient location.
3.Open the folder where the contents were unzipped and run mbar.exe
4.Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
5.Click on the Cleanup button to remove any threats and reboot if prompted to do so.
6.Wait while the system shuts down and the cleanup process is performed.
7.Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
8.If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
•Internet access
•Windows Update
•Windows Firewall
9.If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
10.Verify that your system is now functioning normally.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

When you are done, please send me both reports.

Gringo

#19 Arkanfel (Topic Starter, Member)
Hello Gringo

I have finished both tests, and I still see z.employmentapplicationsforally.asia in RequestPolicy's block list, and I have set it as Untrusted in NoScript. I did a search for this particular site today using DuckDuckGo and found a site called jsunpack: http://jsunpack.jeek...dec/go/?list=1. It is a generic JavaScript unpacker, with the warning "CAUTION: jsunpack was designed for security researchers and computer professionals". On that same site it has a list of "Recent submissions" with RSS available, and "Recent Malicious URLS and uploads", also with RSS available. Not only that, but it has a Files Explanation which I found very interesting as far as what this might be. I wouldn't call myself a professional, but looking at the files explanation gave me some ideas that this might have something to do with malicious JavaScript, because there have been some versions of Java in the past that have had numerous security vulnerabilities, at which point I disable it to avoid being compromised. I found this while looking at the jsunpack Files Explanation; it has a typo at 'originally' but that's it:

The Extracted URLs lists, (2 files) for instance, indicates how many decodings or other files were created when trying to decode JavaScript.
If this column shows (1 files) it means that there were no decodings and that a static scanner would be just as effective at detecting content. However, if there are more than one file, a decoding likely occurred, and jsunpack can match against additional content. A malicious URL with only (1 files) is less likely to be malicious because attackers commonly hide their content when delivering exploits or other malicious content.
The Extracted URLs displays files grouped by URL, so the originally file that triggered the rule and all of the other files are all connected to another.
It is more common that the attacker will try to hide content and create 2 or more decodings. Jsunpack was originally designed to handle complicated cases of decoding where there were 5 stages of decoding, although such cases are rare, generally the more decoding levels (and therefore files), the more likely the attacker is trying to hide something of value.

Lastly, thanks again for your time. I'm thinking that the above paragraph may partially explain why it's such a sticky bug. Of the urls I've seen over the course of this problem in popups and such, here's a quick recap: p.employmentapplicationforally.asia, z.employmentapplicationsforally.asia, y.employmentapplicationsforally.asia, cpvfeed.mediatraffic.com, cpadominator.com, n9s4.info, and mysweetdeals.org. Even though all of them seem to be gone now except the 'z' one, I've come to consider that maybe all of those were decodings to hide something more valuable. It would be nice to finally know what it is, but anyway, Internet access is fine, Windows Update is fine, and so is Windows Firewall. Here's Malwarebytes Anti-Rootkit results, I'll post the other report next:

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.30.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: JOHN-PC [administrator]

6/30/2013 4:24:57 AM
mbar-log-2013-06-30 (04-24-57).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Kernel memory modifications detected. Deep Anti-Rootkit Scan engaged.
Objects scanned: 271048
Time elapsed: 13 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

#20 Arkanfel (Topic Starter, Member)
Here is the report from running aswMBR, and it has the results of both the QuickScan and a full C:\ scan. I ran it over C: a second time because I wanted to be certain it detected everything it could at the time it was run. Since then, all I see is 'z.employmentapplicationsforally.asia' on facebook, twitter, ebay, youtube, etc. seemingly at random, but no further popups. Something must be working. Thanks again:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-30 04:55:13
-----------------------------
04:55:13.573 OS Version: Windows x64 6.1.7601 Service Pack 1
04:55:13.573 Number of processors: 2 586 0x170A
04:55:13.574 ComputerName: JOHN-PC UserName:
04:55:17.108 Initialize success
04:55:19.221 AVAST engine defs: 13063000
04:56:01.961 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
04:56:01.974 Disk 0 Vendor: WDC_WD2500AAJS-75M0A0 01.03E01 Size: 238418MB BusType: 3
04:56:01.992 Disk 0 MBR read successfully
04:56:01.994 Disk 0 MBR scan
04:56:01.997 Disk 0 Windows 7 default MBR code
04:56:02.002 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
04:56:02.012 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 238316 MB offset 206848
04:56:02.022 Disk 0 scanning C:\Windows\system32\drivers
04:56:14.015 Service scanning
04:56:32.647 Modules scanning
04:56:32.653 Disk 0 trace - called modules:
04:56:32.674 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800248c2c0]<<sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
04:56:32.678 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003050520]
04:56:32.682 3 CLASSPNP.SYS[fffff880013b543f] -> nt!IofCallDriver -> [0xfffffa8002ed5520]
04:56:32.687 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002ed1680]
04:56:32.691 \Driver\atapi[0xfffffa8002e9b640] -> IRP_MJ_CREATE -> 0xfffffa800248c2c0
04:56:33.305 AVAST engine scan C:\Windows
04:56:36.233 AVAST engine scan C:\Windows\system32
04:59:15.768 AVAST engine scan C:\Windows\system32\drivers
04:59:35.946 AVAST engine scan C:\Users\Administrator
05:12:03.994 AVAST engine scan C:\ProgramData
05:14:38.764 Scan finished successfully
05:21:14.396 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Downloads\MBR.dat"
05:21:14.401 The log file has been saved successfully to "C:\Users\Administrator\Downloads\aswMBR.txt"


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-30 05:29:54
-----------------------------
05:29:54.097 OS Version: Windows x64 6.1.7601 Service Pack 1
05:29:54.097 Number of processors: 2 586 0x170A
05:29:54.106 ComputerName: JOHN-PC UserName:
05:29:56.329 Initialize success
05:29:57.025 AVAST engine defs: 13063000
05:30:00.085 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
05:30:00.088 Disk 0 Vendor: WDC_WD2500AAJS-75M0A0 01.03E01 Size: 238418MB BusType: 3
05:30:00.120 Disk 0 MBR read successfully
05:30:00.122 Disk 0 MBR scan
05:30:00.125 Disk 0 Windows 7 default MBR code
05:30:00.137 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
05:30:00.147 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 238316 MB offset 206848
05:30:00.189 Disk 0 scanning C:\Windows\system32\drivers
05:30:25.730 Service scanning
05:30:44.674 Modules scanning
05:30:44.674 Disk 0 trace - called modules:
05:30:44.701 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800248c2c0]<<sptd.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
05:30:44.701 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003050520]
05:30:44.701 3 CLASSPNP.SYS[fffff880013b543f] -> nt!IofCallDriver -> [0xfffffa8002ed5520]
05:30:44.702 5 ACPI.sys[fffff8800100b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002ed1680]
05:30:44.702 \Driver\atapi[0xfffffa8002e9b640] -> IRP_MJ_CREATE -> 0xfffffa800248c2c0
05:30:45.677 AVAST engine scan C:\
07:59:17.561 Scan finished successfully
16:04:25.463 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Downloads\MBR.dat"
16:04:25.527 The log file has been saved successfully to "C:\Users\Administrator\Downloads\aswMBR.txt"

Edit: Minor edit for clarity and typos

Edited by Arkanfel, 30 June 2013 - 06:49 PM.

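The aswMBR log above reports three things about Disk 0 before it scans files: the sector was read, the boot code matched the Windows 7 default, and the partition table holds two NTFS partitions (100 MB at LBA 2048, 238316 MB at LBA 206848). The script below is an added example, not part of this thread and not aswMBR's own code: it decodes a 512-byte MBR image such as the MBR.dat aswMBR saved to the Downloads folder, validates the 0x55AA signature, status bytes and partition extents, prints the entries in the same shape as the log, and hashes the 440-byte boot-code area so it can be compared with a baseline. The built-in sample image is constructed to match the two partitions in the log; its boot code and disk signature are filler, not captured from a disk, so the baseline hash in the demo is an assumption and not the hash of the real Windows 7 MBR code.

```python
"""Decode a 512-byte MBR image and report it the way the aswMBR log does.

Added example, not code from the thread or from aswMBR. Pass the path of an
MBR.dat saved by aswMBR, or run without arguments to use the constructed
sample that mirrors the partition lines in the log above.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 440..443: disk signature, 444..445: reserved
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
ENTRY_FMT = "<B3xB3xII"      # status, CHS(3), type, CHS(3), LBA start, sector count
TYPE_NAMES = {
    0x07: "HPFS/NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_partition_table(mbr: bytes) -> list:
    """Return the in-use partition entries after the checks a rootkit scanner
    makes first: sector length, the 0x55AA signature, legal status bytes and
    non-overlapping extents."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")

    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and sectors == 0:
            continue                       # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: invalid status byte {status:#04x}")
        entries.append({
            "index": i + 1,
            "status": status,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })

    by_start = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            raise ValueError(f"partitions {a['index']} and {b['index']} overlap")
    return entries


def format_entry(e: dict) -> str:
    """Render one entry in the shape aswMBR prints, e.g.
    'Partition 1 80 (A) 07 HPFS/NTFS 100 MB offset 2048'."""
    active = " (A)" if e["status"] == 0x80 else ""
    name = TYPE_NAMES.get(e["type"], "unknown")
    return (f"Partition {e['index']} {e['status']:02X}{active} "
            f"{e['type']:02X} {name} {e['size_mb']} MB offset {e['lba_start']}")


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the 440-byte boot-code area only. The disk signature and
    partition table are excluded so the hash is stable across machines that
    run the same loader code."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def verify_boot_code(mbr: bytes, baseline_hex: str) -> bool:
    """True if the boot code matches a baseline you trust (for example a hash
    taken from a known-clean install). aswMBR carries its own known-good set;
    this script has none, so the caller supplies the baseline."""
    return boot_code_hash(mbr) == baseline_hex.lower()


def build_sample_mbr() -> bytes:
    """Constructed MBR matching the two partition lines in the aswMBR log.
    Boot code and disk signature are filler, not captured from a real disk."""
    mbr = bytearray(SECTOR)
    filler = b"NOT-REAL-BOOT-CODE-" * 24                  # 456 bytes, truncated below
    mbr[:BOOT_CODE_LEN] = filler[:BOOT_CODE_LEN]
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)          # made-up disk signature
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16, 0x00, 0x07, 206848, 488071168)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def read_mbr_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


if __name__ == "__main__":
    image = read_mbr_file(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    for entry in parse_partition_table(image):
        print(format_entry(entry))
    print("boot code sha256:", boot_code_hash(image))
```

Run it as `python mbrcheck.py MBR.dat` against the file aswMBR wrote; the partition lines should agree with the log exactly, and the hash is what you keep in your notes so a later dump of the same disk can be diffed without rerunning a scanner. A mismatch in the boot-code hash between two dumps of the same machine is the signal a bootkit scanner is looking for; a mismatch against a baseline from a different Windows build is expected and proves nothing.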

#21 gringo_pr (Trusted Helper, Malware Removal)
Hello Arkanfel

Lets get a deeper look into the system and lets see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#22 Arkanfel (Topic Starter, Member)
Hello Gringo,

Here's the OTL log. Thanks, I appreciate your work.

OTL logfile created on: 7/2/2013 4:52:59 AM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Administrator\Downloads
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.24 Gb Available Physical Memory | 41.31% Memory free
7.49 Gb Paging File | 5.06 Gb Available in Paging File | 67.47% Paging File free
Paging file location(s): C:\pagefile.sys 4605 4605E:\pagef [Binary data over 200 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 232.73 Gb Total Space | 69.95 Gb Free Space | 30.05% Space Free | Partition Type: NTFS

Computer Name: JOHN-PC | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Administrator\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\bin\rubyw.exe (http://www.ruby-lang.org/)
PRC - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\bin\rubyw.exe (http://www.ruby-lang.org/)
PRC - C:\Program Files (x86)\Aurora\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Aurora\plugin-container.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
PRC - C:\Program Files (x86)\Online Armor\oaui.exe (Emsisoft GmbH)
PRC - C:\Program Files (x86)\Online Armor\OAsrv.exe (Emsisoft GmbH)
PRC - C:\Program Files (x86)\Online Armor\oahlp.exe (Emsisoft GmbH)
PRC - C:\Program Files (x86)\Online Armor\oacat.exe (Emsisoft GmbH)
PRC - C:\Program Files\pia_manager\pia_manager.exe ()
PRC - C:\Program Files\pia_manager\openvpn.exe ()
PRC - C:\Program Files\pia_manager\pia_tray\pia_tray.exe ()
PRC - c:\Program Files (x86)\McAfee\SiteAdvisor\saUI.exe (McAfee, Inc.)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files (x86)\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe (AMD)


========== Modules (No Company Name) ==========

MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\bin\libeay32-1.0.0-msvcrt.dll ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\bin\ssleay32-1.0.0-msvcrt.dll ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\openssl.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\win32ole.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\zlib.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\socket.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\bin\ZLIB1.dll ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\src\rgloader\rgloader193.mswin.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\site_ruby\1.9.1\rgloader\rgloader193.mswin.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\dl.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\json\ext\generator.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\fiddle.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\gems\1.9.1\gems\win32-api-1.4.8-x86-mingw32\lib\win32\ruby19\win32\api.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\stringio.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\json\ext\parser.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\digest.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\transdb.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\enc\encdb.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\etc.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_32le.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_32be.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_16le.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\enc\utf_16be.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrB8D3.tmp\lib\ruby\1.9.1\i386-mingw32\fcntl.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\gems\1.9.1\gems\win32-api-1.4.8-x86-mingw32\lib\win32\ruby19\win32\api.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\1.9.1\i386-mingw32\win32ole.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\src\rgloader\rgloader193.mswin.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\site_ruby\1.9.1\rgloader\rgloader193.mswin.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\1.9.1\i386-mingw32\dl.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\1.9.1\i386-mingw32\fiddle.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\1.9.1\i386-mingw32\enc\trans\transdb.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\1.9.1\i386-mingw32\enc\encdb.so ()
MOD - C:\Users\Administrator\AppData\Local\Temp\ocrA65C.tmp\lib\ruby\1.9.1\i386-mingw32\etc.so ()
MOD - C:\Program Files (x86)\Aurora\mozjs.dll ()
MOD - C:\Program Files (x86)\Steam\bin\chromehtml.dll ()
MOD - C:\Program Files (x86)\Steam\SDL2.dll ()
MOD - C:\Program Files (x86)\Steam\bin\libcef.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\zlib1.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\libxml2.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\PocoFoundation.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\khost.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\CFLite.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\PocoNet.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\PocoXML.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\runtime\1.2.0.RC6d\PocoUtil.dll ()
MOD - C:\Program Files\pia_manager\pia_manager.exe ()
MOD - C:\Program Files\pia_manager\openvpn.exe ()
MOD - C:\Program Files\pia_manager\pia_tray\modules\tinetwork\1.2.0.RC6d\tinetworkmodule.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\modules\tiui\1.2.0.RC6d\tiuimodule.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\modules\tiprocess\1.2.0.RC6d\tiprocessmodule.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\modules\tiapp\1.2.0.RC6d\tiappmodule.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\modules\tifilesystem\1.2.0.RC6d\tifilesystemmodule.dll ()
MOD - C:\Program Files\pia_manager\pia_tray\pia_tray.exe ()
MOD - C:\Program Files\pia_manager\lzo2.dll ()
MOD - C:\Program Files (x86)\Steam\bin\avcodec-53.dll ()
MOD - C:\Program Files (x86)\Steam\bin\avformat-53.dll ()
MOD - C:\Program Files (x86)\Steam\bin\avutil-51.dll ()


========== Services (SafeList) ==========

SRV:64bit: - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe (SUPERAntiSpyware.com)
SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (Intel® -- C:\Windows\SysNative\IPROSetMonitor.exe (Intel Corporation)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (AERTFilters) -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe (Andrea Electronics Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (Steam Client Service) -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe (Valve Corporation)
SRV - (SvcOnlineArmor) -- C:\Program Files (x86)\Online Armor\OAsrv.exe (Emsisoft GmbH)
SRV - (OAcat) -- C:\Program Files (x86)\Online Armor\oacat.exe (Emsisoft GmbH)
SRV - (BRSptSvc) -- C:\ProgramData\BitRaider\BRSptSvc.exe (BitRaider, LLC)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (McAfee SiteAdvisor Service) -- c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe (McAfee, Inc.)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (Secunia PSI Agent) -- C:\Program Files (x86)\Secunia\PSI\psia.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files (x86)\Secunia\PSI\sua.exe (Secunia)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (Skype C2C Service) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe (Skype Technologies S.A.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (aswSnx) -- C:\Windows\SysNative\drivers\aswSnx.sys (AVAST Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (AVAST Software)
DRV:64bit: - (aswVmm) -- C:\Windows\SysNative\drivers\aswVmm.sys ()
DRV:64bit: - (OAnet) -- C:\Windows\SysNative\drivers\OAnet.sys (Emsisoft)
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\drivers\aswRdr2.sys (AVAST Software)
DRV:64bit: - (aswRvrt) -- C:\Windows\SysNative\drivers\aswRvrt.sys ()
DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (AVAST Software)
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (AVAST Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (AVAST Software)
DRV:64bit: - (PSI) -- C:\Windows\SysNative\drivers\psi_mf_amd64.sys (Secunia)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (tap0901) -- C:\Windows\SysNative\drivers\tap0901.sys (The OpenVPN Project)
DRV:64bit: - (sptd) -- C:\Windows\SysNative\drivers\sptd.sys (Duplex Secure Ltd.)
DRV:64bit: - (SCDEmu) -- C:\Windows\SysNative\drivers\scdemu.sys (Power Software Ltd)
DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)
DRV:64bit: - (gfibto) -- C:\Windows\SysNative\drivers\gfibto.sys (GFI Software)
DRV:64bit: - (atikmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (SmbDrvI) -- C:\Windows\SysNative\drivers\Smb_driver_Intel.sys (Synaptics Incorporated)
DRV:64bit: - (e1express) -- C:\Windows\SysNative\drivers\e1e6232e.sys (Intel Corporation)
DRV:64bit: - (whfltr2k) -- C:\Windows\SysNative\drivers\whfltr2k.sys ()
DRV:64bit: - (iusb3hcs) -- C:\Windows\SysNative\drivers\iusb3hcs.sys (Intel Corporation)
DRV:64bit: - (pmkbdfltr) -- C:\Windows\SysNative\drivers\pmkbdfltr.sys (PenMount)
DRV:64bit: - (RTL8023x64) -- C:\Windows\SysNative\drivers\Rtnic64.sys (Realtek Semiconductor Corporation )
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV:64bit: - (RTHDMIAzAudService) -- C:\Windows\SysNative\drivers\RtHDMIVX.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (SmartDefragDriver) -- C:\Windows\SysNative\drivers\SmartDefragDriver.sys ()
DRV:64bit: - (dmvsc) -- C:\Windows\SysNative\drivers\dmvsc.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (vpcvmm) -- C:\Windows\SysNative\drivers\vpcvmm.sys (Microsoft Corporation)
DRV:64bit: - (vpcbus) -- C:\Windows\SysNative\drivers\vpchbus.sys (Microsoft Corporation)
DRV:64bit: - (vpcusb) -- C:\Windows\SysNative\drivers\vpcusb.sys (Microsoft Corporation)
DRV:64bit: - (vpcnfltr) -- C:\Windows\SysNative\drivers\vpcnfltr.sys (Microsoft Corporation)
DRV:64bit: - (sscdserd) -- C:\Windows\SysNative\drivers\sscdserd.sys (MCCI Corporation)
DRV:64bit: - (sscdmdm) -- C:\Windows\SysNative\drivers\sscdmdm.sys (MCCI Corporation)
DRV:64bit: - (sscdbus) -- C:\Windows\SysNative\drivers\sscdbus.sys (MCCI Corporation)
DRV:64bit: - (sscdmdfl) -- C:\Windows\SysNative\drivers\sscdmdfl.sys (MCCI Corporation)
DRV:64bit: - (xusb21) -- C:\Windows\SysNative\drivers\xusb21.sys (Microsoft Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (1394hub) -- C:\Windows\SysNative\svchost.exe (Microsoft Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (OAmon) -- C:\Windows\SysWOW64\drivers\OAmon.sys (Emsisoft)
DRV - (OADevice) -- C:\Windows\SysWOW64\drivers\OADriver.sys ()
DRV - (oahlpXX) -- C:\Windows\SysWOW64\drivers\oahlp64.sys ()
DRV - (BRDriver64) -- C:\ProgramData\BitRaider\BRDriver64.sys (BitRaider)
DRV - (WinRing0_1_2_0) -- C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys (OpenLibSys.org)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory =
IE - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "DuckDuckGo"
FF - prefs.js..browser.search.defaultenginename,S: S", ""
FF - prefs.js..browser.search.defaultthis.engineName: ""
FF - prefs.js..browser.search.defaulturl: ""
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.order.1,S: S", ""
FF - prefs.js..browser.search.selectedEngine: "DuckDuckGo"
FF - prefs.js..browser.search.selectedEngine,S: S", ""
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "https://duckduckgo.com"
FF - prefs.js..extensions.enabledAddons: adblockpopups%40jessehakanen.net:0.7
FF - prefs.js..extensions.enabledAddons: anticontainer%40downthemall.net:1.2.3
FF - prefs.js..extensions.enabledAddons: testpilot%40labs.mozilla.com:1.2.2
FF - prefs.js..extensions.enabledAddons: %7B455D905A-D37C-4643-A9E2-F6FEFAA0424A%7D:0.8.16
FF - prefs.js..extensions.enabledAddons: %7BDDC359D1-844A-42a7-9AA1-88A850A938A8%7D:2.0.16
FF - prefs.js..extensions.enabledAddons: %7B23fcfd51-4958-4f00-80a3-ae97e717ed8b%7D:2.1.2.172
FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.15
FF - prefs.js..extensions.enabledAddons: %7Be001c731-5e37-4538-a5cb-8168736a2360%7D:0.9.9.119
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.6.6
FF - prefs.js..extensions.enabledAddons: requestpolicy%40requestpolicy.com:0.5.27
FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:8.0.1489
FF - prefs.js..extensions.enabledAddons: firefox%40ghostery.com:2.9.6
FF - prefs.js..extensions.enabledAddons: https-everywhere%40eff.org:3.2.3
FF - prefs.js..extensions.enabledAddons: %7B4ED1F68A-5463-4931-9384-8FFF5ED91D92%7D:3.6.2
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:24.0a2
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
FF - prefs.js..network.proxy.socks: "127.0.0.1"
FF - prefs.js..network.proxy.socks_port: 9049
FF - prefs.js..network.proxy.type: 4
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.0-git-20121003-1150: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.0-git-20121013-0402: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Plus Web Player Plug-In,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.21.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.0-git-20120606-0237: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@g2.com/iggweb3dupdater: C:\Users\Administrator\AppData\Roaming\IGG\Web3D\1.0.0.38\NPIGGWeb3DUpdater.dll (IGG)
FF - HKCU\Software\MozillaPlugins\@g2.com/joyconnectshell: C:\Users\Administrator\AppData\Roaming\IGG\Web3D\1.0.0.38\NPJoyConnectShell.dll (IGG)
FF - HKCU\Software\MozillaPlugins\@gentek.com/thinclient: C:\IGG\twclient_us\npthinclient.dll (Generic Network)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\Administrator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Aurora 24.0a2\extensions\\Components: C:\Program Files (x86)\Aurora\components [2013/07/01 16:12:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Aurora 24.0a2\extensions\\Plugins: C:\Program Files (x86)\Aurora\plugins [2013/07/01 16:12:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013/05/10 22:50:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files (x86)\McAfee\SiteAdvisor [2013/06/17 16:39:34 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/06/27 20:15:29 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/06/17 16:06:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 21.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013/06/17 22:36:51 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Aurora 24.0a2\extensions\\Components: C:\Program Files (x86)\Aurora\components [2013/07/01 16:12:48 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Aurora 24.0a2\extensions\\Plugins: C:\Program Files (x86)\Aurora\plugins [2013/07/01 16:12:50 | 000,000,000 | ---D | M]

[2012/10/13 11:26:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Extensions
[2013/06/29 03:12:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions
[2013/05/28 15:59:08 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2013/06/11 22:57:37 | 000,000,000 | ---D | M] (Bitdefender QuickScan) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
[2013/05/28 15:59:07 | 000,000,000 | ---D | M] (Vauudix) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]
[2013/06/29 03:12:26 | 000,000,000 | ---D | M] (Ghostery) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\firefox@ghostery.com
[2013/06/29 03:12:19 | 000,000,000 | ---D | M] (HTTPS-Everywhere) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\https-everywhere@eff.org
[2013/03/03 14:37:52 | 000,134,804 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]
[2013/03/04 23:09:59 | 000,094,120 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]
[2012/10/13 22:20:25 | 000,123,385 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]
[2013/06/26 05:25:31 | 000,172,839 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]
[2012/10/13 11:27:00 | 000,620,484 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]
[2012/11/21 18:55:11 | 000,026,551 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\{02c6f6b9-d610-4e7e-9441-243c96c8dfab}.xpi
[2012/10/13 11:33:21 | 000,075,799 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\{455D905A-D37C-4643-A9E2-F6FEFAA0424A}.xpi
[2013/06/22 15:37:25 | 000,534,298 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013/05/09 01:01:14 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/04/04 23:52:22 | 000,714,654 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
[2013/07/02 04:46:49 | 000,001,911 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\animelyricscom.xml
[2013/01/28 07:58:12 | 000,002,289 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\dailymotion.xml
[2012/10/13 11:31:56 | 000,010,345 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\duckduckgo.xml
[2013/03/15 08:39:21 | 000,001,635 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\firefox-add-ons.xml
[2013/06/09 13:46:33 | 000,012,707 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\imdb.xml
[2012/11/09 20:12:24 | 000,001,886 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\lyricwiki-en.xml
[2013/01/24 05:49:09 | 000,002,580 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\wikihack-en.xml
[2013/06/28 21:27:36 | 000,002,057 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\searchplugins\youtube-video-search.xml
[2013/06/11 23:44:39 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2013/01/11 18:27:34 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2013/06/11 23:44:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2013/06/11 23:44:40 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2013/05/10 22:50:01 | 000,000,000 | ---D | M] (No name found) -- C:\PROGRAM FILES (X86)\DIVX\DIVX PLUS WEB PLAYER\FIREFOX\DIVXHTML5
[2013/06/17 16:39:34 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES (X86)\MCAFEE\SITEADVISOR
[2013/06/27 20:15:29 | 000,000,000 | ---D | M] (avast! Online Security) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF

========== Chrome ==========

CHR - default_search_provider: DuckDuckGo (Enabled)
CHR - default_search_provider: search_url = https://duckduckgo.c...q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\27.0.1453.116\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll
CHR - plugin: QuickTime Plug-in 7.7.3 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.3 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.3 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.3 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.3 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.3 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.3 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Thinclient (Enabled) = C:\IGG\twclient_us\npthinclient.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
CHR - plugin: Java™ Platform SE 7 U17 (Enabled) = C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Nexon Game Controller (Enabled) = C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
CHR - plugin: Unity Player (Enabled) = C:\Users\Administrator\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
CHR - plugin: IGG Web3D Updater NP Plugin for Mozilla (Enabled) = C:\Users\Administrator\AppData\Roaming\IGG\Web3D\1.0.0.38\NPIGGWeb3DUpdater.dll
CHR - plugin: JoyConnectShell NP Plugin for Mozilla (Enabled) = C:\Users\Administrator\AppData\Roaming\IGG\Web3D\1.0.0.38\NPJoyConnectShell.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_6_602_180.dll
CHR - plugin: Java Deployment Toolkit 7.0.170.2 (Enabled) = C:\Windows\SysWOW64\npDeployJava1.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll
CHR - Extension: Google Docs = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: DuckDuckGo for Chrome = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpphkkgodbfncbcpgopijlfakfgmclao\42.5.8_0\
CHR - Extension: Vauudix = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\celebkbghbfpocebejpafoolfpfhmndj\1\
CHR - Extension: Adblock Plus = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.4.1_0\
CHR - Extension: Google Search = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: High Contrast = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph\0.5_0\
CHR - Extension: SiteAdvisor = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.6.2.1341_0\
CHR - Extension: avast! Online Security = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\8.0.8_0\
CHR - Extension: DivX Plus Web Player HTML5 \u003Cvideo\u003E = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm\2.1.2.172_0\
CHR - Extension: Gmail = C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2013/06/25 22:38:54 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2:64bit: - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O2:64bit: - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3:64bit: - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O3:64bit: - HKLM\..\Toolbar: (avast! Online Security) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4:64bit: - HKLM..\Run: [@OnlineArmor GUI] C:\Program Files (x86)\Online Armor\oaui.exe (Emsisoft GmbH)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [AMD AVT] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500..\Run: [HydraVisionDesktopManager] C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe (AMD)
O4 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3335941772-1571032007-1963969458-500\..Trusted Domains: sony.com ([]* in Trusted sites)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 8.8.8.8 8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2A57CBF1-97F4-48DD-AE59-35C9D78F1DFD}: DhcpNameServer = 8.8.8.8 8.8.4.4
O18:64bit: - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (SmartDefragBootTime.exe)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/07/01 23:35:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenAL
[2013/07/01 18:00:27 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Faerie Solitaire
[2013/07/01 16:12:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Aurora
[2013/06/30 20:36:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Marvel Heroes
[2013/06/27 22:26:48 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\RK_Quarantine
[2013/06/27 21:52:22 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2013/06/27 20:16:07 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013/06/27 20:16:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013/06/27 20:16:06 | 000,378,944 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013/06/27 20:16:03 | 000,072,016 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013/06/27 20:16:03 | 000,064,288 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013/06/27 20:15:59 | 001,030,952 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013/06/27 20:15:55 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013/06/27 20:15:14 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013/06/26 18:40:40 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/06/26 18:22:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/06/26 00:32:50 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/06/26 00:22:25 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/06/25 22:09:06 | 000,000,000 | --SD | C] -- C:\Windows\SysWow64\Microsoft
[2013/06/25 15:14:16 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/06/25 15:13:12 | 000,000,000 | ---D | C] -- C:\JRT
[2013/06/23 00:16:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NVIDIA Corporation
[2013/06/23 00:16:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AGEIA Technologies
[2013/06/23 00:12:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Gazillion Entertainment
[2013/06/23 00:11:33 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\BitRaider
[2013/06/23 00:10:50 | 000,000,000 | ---D | C] -- C:\ProgramData\BitRaider
[2013/06/22 22:20:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos
[2013/06/22 22:20:10 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
[2013/06/22 22:20:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sophos
[2013/06/22 00:18:15 | 000,000,000 | ---D | C] -- C:\bintheredunthat
[2013/06/20 21:29:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2013/06/20 21:28:58 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2013/06/20 21:28:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2013/06/20 21:28:58 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2013/06/20 21:28:58 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2013/06/20 20:26:51 | 000,000,000 | ---D | C] -- C:\Users\Administrator\Desktop\GooredFix Backups
[2013/06/20 19:31:58 | 000,000,000 | ---D | C] -- C:\Device
[2013/06/20 19:22:50 | 000,000,000 | ---D | C] -- C:\_OTM
[2013/06/20 16:59:14 | 000,312,232 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
[2013/06/20 16:58:51 | 000,189,352 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
[2013/06/20 16:58:51 | 000,188,840 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
[2013/06/20 16:58:51 | 000,108,968 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
[2013/06/18 23:42:02 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/06/18 23:42:02 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/06/18 23:42:02 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/06/18 23:03:40 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
[2013/06/18 02:22:48 | 000,000,000 | ---D | C] -- C:\ProgramData\ATI
[2013/06/17 22:38:39 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
[2013/06/17 22:38:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2013/06/17 22:38:15 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2013/06/17 22:38:15 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2013/06/17 22:36:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Adobe
[2013/06/17 22:32:24 | 001,070,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSCOMCTL.OCX
[2013/06/17 22:32:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpywareBlaster
[2013/06/17 22:32:23 | 000,129,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\MSSTDFMT.DLL
[2013/06/17 22:32:22 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpywareBlaster
[2013/06/17 16:39:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\McAfee
[2013/06/17 16:39:21 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2013/06/17 16:39:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee
[2013/06/17 16:19:01 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\OnlineArmor
[2013/06/17 16:19:01 | 000,000,000 | ---D | C] -- C:\ProgramData\OnlineArmor
[2013/06/17 16:16:47 | 000,052,368 | ---- | C] (Emsisoft) -- C:\Windows\SysWow64\drivers\OAmon.sys
[2013/06/17 16:16:47 | 000,035,376 | ---- | C] (Emsisoft) -- C:\Windows\SysNative\drivers\OAnet.sys
[2013/06/17 16:16:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Online Armor
[2013/06/17 16:16:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Online Armor
[2013/06/17 16:06:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2013/06/17 16:06:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2013/06/17 16:05:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2013/06/17 16:05:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2013/06/17 15:55:33 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Secunia PSI
[2013/06/17 15:55:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Secunia
[2013/06/17 15:43:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/06/17 15:43:01 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/06/17 15:05:49 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Awesomium
[2013/06/11 23:14:15 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013/06/11 23:09:37 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013/06/11 22:58:07 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\QuickScan
[2013/06/11 20:29:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2013/06/11 17:55:09 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013/06/11 17:55:08 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013/06/11 17:55:07 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013/06/11 17:55:07 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013/06/11 17:55:07 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013/06/11 17:55:07 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013/06/11 17:55:07 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013/06/11 17:55:06 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013/06/11 17:55:05 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013/06/11 17:55:05 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013/06/11 17:55:05 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013/06/11 17:55:05 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013/06/11 17:55:04 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013/06/11 17:55:04 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013/06/11 17:55:04 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013/06/11 17:45:48 | 000,751,104 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\win32spl.dll
[2013/06/11 17:45:48 | 000,492,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\win32spl.dll
[2013/06/11 17:45:46 | 001,464,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll
[2013/06/11 17:45:46 | 001,192,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certutil.exe
[2013/06/11 17:45:46 | 000,903,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certutil.exe
[2013/06/11 17:45:46 | 000,139,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll
[2013/06/11 17:45:45 | 000,052,224 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\certenc.dll
[2013/06/11 17:45:45 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\certenc.dll
[2013/06/11 17:45:31 | 001,424,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll
[2013/06/11 17:45:26 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptdlg.dll
[2013/06/11 17:45:26 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cryptdlg.dll
[2013/06/11 17:45:16 | 001,887,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d11.dll
[2013/06/11 17:45:16 | 001,505,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d11.dll
[2013/06/07 13:53:43 | 000,000,000 | ---D | C] -- C:\Program Files\Intel
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/07/02 04:52:01 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/02 04:51:51 | 000,012,777 | ---- | M] () -- C:\Users\Administrator\Desktop\malware removal.rtf
[2013/07/02 04:20:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/07/02 00:52:01 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/01 23:35:21 | 000,466,456 | ---- | M] (Creative Labs) -- C:\Windows\SysNative\wrap_oal.dll
[2013/07/01 23:35:20 | 000,444,952 | ---- | M] (Creative Labs) -- C:\Windows\SysWow64\wrap_oal.dll
[2013/07/01 23:35:20 | 000,122,904 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysNative\OpenAL32.dll
[2013/07/01 23:35:20 | 000,109,080 | ---- | M] (Portions © Creative Labs Inc. and NVIDIA Corp.) -- C:\Windows\SysWow64\OpenAL32.dll
[2013/07/01 20:50:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/07/01 20:50:15 | 2414,481,408 | -HS- | M] () -- C:\hiberfil.sys
[2013/07/01 15:49:19 | 000,005,428 | ---- | M] () -- C:\Users\Administrator\Desktop\possible money.rtf
[2013/06/29 00:52:51 | 000,002,513 | ---- | M] () -- C:\Users\Administrator\passgen3.ini
[2013/06/27 21:39:39 | 000,052,368 | ---- | M] (Emsisoft) -- C:\Windows\SysWow64\drivers\OAmon.sys
[2013/06/27 21:39:38 | 000,061,632 | ---- | M] () -- C:\Windows\SysWow64\drivers\OADriver.sys
[2013/06/27 21:36:59 | 000,062,016 | ---- | M] () -- C:\Windows\SysWow64\drivers\oahlp64.sys
[2013/06/27 20:16:14 | 001,030,952 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013/06/27 20:16:14 | 000,378,944 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013/06/27 20:16:14 | 000,189,936 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/06/27 20:16:14 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum
[2013/06/27 20:16:14 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum
[2013/06/27 20:16:14 | 000,000,175 | ---- | M] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum
[2013/06/27 20:15:55 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2013/06/25 22:38:54 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2013/06/25 22:16:29 | 000,000,180 | ---- | M] () -- C:\Users\Administrator\Documents\cc_20130625_221627.reg
[2013/06/25 22:16:19 | 000,014,984 | ---- | M] () -- C:\Users\Administrator\Documents\cc_20130625_221615.reg
[2013/06/25 22:16:02 | 000,823,994 | ---- | M] () -- C:\Users\Administrator\Documents\cc_20130625_221557.reg
[2013/06/22 06:05:20 | 008,963,995 | ---- | M] () -- C:\Users\Administrator\AppData\Local\census.cache
[2013/06/22 05:13:59 | 000,111,746 | ---- | M] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2013/06/22 01:54:18 | 000,000,036 | ---- | M] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2013/06/21 23:50:29 | 000,007,608 | ---- | M] () -- C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
[2013/06/21 23:45:18 | 000,000,035 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\SetValue.bat
[2013/06/20 19:32:06 | 007,340,032 | ---- | M] () -- C:\Users\Administrator\ntuser.bak
[2013/06/20 16:58:43 | 000,108,968 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
[2013/06/20 16:58:41 | 000,312,232 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
[2013/06/20 16:58:41 | 000,189,352 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
[2013/06/20 16:58:40 | 000,188,840 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
[2013/06/20 16:58:39 | 001,093,032 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\npDeployJava1.dll
[2013/06/20 16:58:39 | 000,972,712 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\deployJava1.dll
[2013/06/19 23:01:29 | 000,035,376 | ---- | M] (Emsisoft) -- C:\Windows\SysNative\drivers\OAnet.sys
[2013/06/19 03:12:29 | 000,050,672 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/06/19 03:12:29 | 000,050,672 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/06/17 15:06:22 | 000,006,598 | ---- | M] () -- C:\Users\Administrator\Desktop\trimet.rtf
[2013/06/14 09:39:40 | 000,692,104 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013/06/14 09:39:40 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013/06/12 00:00:07 | 000,866,720 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\npDeployJava1.dll
[2013/06/12 00:00:07 | 000,788,896 | ---- | M] (Oracle Corporation) -- C:\Windows\SysWow64\deployJava1.dll
[2013/06/11 23:49:51 | 000,000,838 | ---- | M] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2013/06/11 20:49:28 | 000,447,265 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\HOSTS.MVP
[2013/06/11 17:52:12 | 001,831,696 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/06/11 17:52:12 | 000,652,780 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/06/11 17:52:12 | 000,419,808 | ---- | M] () -- C:\Windows\SysNative\perfh012.dat
[2013/06/11 17:52:12 | 000,417,398 | ---- | M] () -- C:\Windows\SysNative\perfh011.dat
[2013/06/11 17:52:12 | 000,121,882 | ---- | M] () -- C:\Windows\SysNative\perfc011.dat
[2013/06/11 17:52:12 | 000,121,712 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/06/11 17:52:12 | 000,120,000 | ---- | M] () -- C:\Windows\SysNative\perfc012.dat
[2013/06/11 17:52:01 | 001,831,696 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/06/08 21:17:25 | 000,000,693 | ---- | M] () -- C:\Users\Administrator\Libraries - Shortcut.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/06/27 20:16:14 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys.sum
[2013/06/27 20:16:14 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSP.sys.sum
[2013/06/27 20:16:14 | 000,000,175 | ---- | C] () -- C:\Windows\SysNative\drivers\aswSnx.sys.sum
[2013/06/27 20:15:58 | 000,189,936 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/06/27 20:15:57 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013/06/25 22:16:28 | 000,000,180 | ---- | C] () -- C:\Users\Administrator\Documents\cc_20130625_221627.reg
[2013/06/25 22:16:16 | 000,014,984 | ---- | C] () -- C:\Users\Administrator\Documents\cc_20130625_221615.reg
[2013/06/25 22:15:59 | 000,823,994 | ---- | C] () -- C:\Users\Administrator\Documents\cc_20130625_221557.reg
[2013/06/25 14:27:14 | 000,012,777 | ---- | C] () -- C:\Users\Administrator\Desktop\malware removal.rtf
[2013/06/22 06:05:20 | 008,963,995 | ---- | C] () -- C:\Users\Administrator\AppData\Local\census.cache
[2013/06/22 05:13:59 | 000,111,746 | ---- | C] () -- C:\Users\Administrator\AppData\Local\ars.cache
[2013/06/22 01:54:18 | 000,000,036 | ---- | C] () -- C:\Users\Administrator\AppData\Local\housecall.guid.cache
[2013/06/21 23:45:18 | 000,000,035 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\SetValue.bat
[2013/06/18 23:42:02 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/06/18 23:42:02 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/06/18 23:42:02 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/06/18 23:42:02 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/06/18 23:42:02 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/06/17 22:36:51 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2013/06/17 16:16:47 | 000,062,016 | ---- | C] () -- C:\Windows\SysWow64\drivers\oahlp64.sys
[2013/06/17 16:16:47 | 000,061,632 | ---- | C] () -- C:\Windows\SysWow64\drivers\OADriver.sys
[2013/06/17 15:55:26 | 000,001,069 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
[2013/06/11 23:49:51 | 000,000,838 | ---- | C] () -- C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2013/06/11 23:14:15 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2013/06/08 21:17:25 | 000,000,693 | ---- | C] () -- C:\Users\Administrator\Libraries - Shortcut.lnk
[2013/04/11 19:00:46 | 000,000,052 | ---- | C] () -- C:\Users\Administrator\jagex_cl_runescape_LIVE.dat
[2013/04/11 19:00:46 | 000,000,024 | ---- | C] () -- C:\Users\Administrator\random.dat
[2013/02/25 16:38:50 | 000,000,056 | ---- | C] () -- C:\Windows\kgt2k.INI
[2013/01/13 03:37:22 | 000,000,032 | ---- | C] () -- C:\Windows\scummvm.ini
[2012/12/14 05:48:04 | 000,080,896 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2012/12/04 03:09:51 | 001,831,696 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/11/15 12:30:54 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2012/10/15 16:21:19 | 000,004,140 | ---- | C] () -- C:\ProgramData\mtbjfghn.xbe
[2012/10/14 20:34:49 | 000,002,513 | ---- | C] () -- C:\Users\Administrator\passgen3.ini
[2012/10/13 12:05:11 | 000,007,608 | ---- | C] () -- C:\Users\Administrator\AppData\Local\Resmon.ResmonCfg
[2012/10/13 11:13:16 | 007,340,032 | ---- | C] () -- C:\Users\Administrator\ntuser.bak
[2012/10/13 02:01:20 | 000,000,406 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/07/03 22:34:16 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2012/07/03 22:34:16 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2012/04/18 19:39:10 | 000,028,672 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
[2011/09/12 15:06:16 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat

========== ZeroAccess Check ==========

[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/02/26 22:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/26 21:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2012/08/21 06:11:31 | 000,857,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2012/08/21 06:37:44 | 000,636,928 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2012/08/21 06:08:38 | 000,453,120 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== Alternate Data Streams ==========

@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:5C321E34

< End of report >
  • 0
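Every file entry in the OTL listing above follows one fixed layout: `[date time | size | attribute flags | C or M] (Company) -- path`, with directories omitting the company field. As an added example (not OTL's code and not anything posted by the helper), here is a Python parser for that layout plus a small triage pass run over a few lines copied from the log; the EXEC_EXT, USER_WRITABLE and SYSTEM_SUBDIRS rules and the REPORT_DATE are my assumptions, not OTL's.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# One OTL file line: [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
# Directory lines carry no "(Company)" field, so that group is optional.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Triage assumptions (mine, not OTL's): executable extensions, user-writable
# path fragments, and the Windows subtrees where files without company info are routine.
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".js", ".scr", ".com", ".ps1"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
SYSTEM_SUBDIRS = ("\\windows\\system32\\", "\\windows\\sysnative\\", "\\windows\\syswow64\\", "\\windows\\winsxs\\")

@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str     # four flags, e.g. "RHS-" or "---D"
    kind: str      # "C" = created, "M" = modified
    company: str   # version-info company name, "" when OTL shows "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        return PureWindowsPath(self.path).suffix.lower() in EXEC_EXT

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL file entry; return None for headers, blanks and other lines."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"].strip(),
    )

def parse_otl_log(text: str) -> List[OtlEntry]:
    return [e for e in map(parse_otl_line, text.splitlines()) if e]

def triage(entries: List[OtlEntry], reference: datetime, days: int = 30) -> List[Tuple[str, str]]:
    """Flag recent executables with no company info that sit where system binaries do not."""
    cutoff = reference - timedelta(days=days)
    hits = []
    for e in entries:
        if e.is_dir or not e.is_executable or e.company or e.timestamp < cutoff:
            continue
        low = e.path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            hits.append((e.path, "executable/script without company info in a user-writable location"))
        elif low.startswith("c:\\windows\\") and not any(s in low for s in SYSTEM_SUBDIRS):
            hits.append((e.path, "no company info directly under the Windows directory "
                                 "(removal tools drop their own files here too; verify)"))
    return hits

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
[2013/06/21 23:45:18 | 000,000,035 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\SetValue.bat
[2013/06/17 15:55:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Secunia
[2013/06/11 23:14:15 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013/06/18 23:42:02 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/06/27 20:16:14 | 000,189,936 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013/07/01 20:50:15 | 2414,481,408 | -HS- | M] () -- C:\hiberfil.sys
"""
REPORT_DATE = datetime(2013, 7, 2)  # assumed: the date the OTL report above was produced

def run_sample() -> Tuple[List[OtlEntry], List[Tuple[str, str]]]:
    entries = parse_otl_log(SAMPLE_LOG)
    return entries, triage(entries, REPORT_DATE)

if __name__ == "__main__":
    for path, reason in run_sample()[1]:
        print(f"{path}\n    -> {reason}")
```

On the sample, only SetValue.bat and PEV.exe are flagged; the aswVmm.sys driver and hiberfil.sys also lack company info but are skipped by the location rules, which is the false-positive trade-off a reviewer tunes for their own box.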

#23
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Arkanfel

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the text box.
    :OTL
    FF - user.js - File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.0-git-20121003-1150: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.0-git-20121013-0402: C:\Program Files\VideoLAN\VLC\npvlc.dll File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll File not found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"
    FF - prefs.js..network.proxy.socks: "127.0.0.1"
    FF - prefs.js..network.proxy.socks_port: 9049
    [2013/05/28 15:59:07 | 000,000,000 | ---D | M] (Vauudix) -- C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]
    :Files
    ipconfig /flushdns /c
    C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\celebkbghbfpocebejpafoolfpfhmndj
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know how things are doing.

Gringo
  • 0

#24
Arkanfel

Arkanfel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello Gringo,

Thank you for the fix. It seems like that has taken care of the problem. I am not seeing any popups or appearance of the strange URL. I'll let you know if anything changes. Thanks again for all of your help and sticking around. Again, I saw a lot of things in the results that I was certain I'd removed a while ago. Here's the log, it didn't reboot the computer for some reason, and so I manually rebooted to make sure:

========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.2\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.0-git-20121003-1150\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.0-git-20121013-0402\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@nexon.net/NxGame\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com\ deleted successfully.
File Protocol\Handler\skype4com - No CLSID value found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
Prefs.js: "127.0.0.1" removed from network.proxy.no_proxies_on
Prefs.js: "127.0.0.1" removed from network.proxy.socks
Prefs.js: 9049 removed from network.proxy.socks_port
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected]\content folder moved successfully.
C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wa6y94a1.default\extensions\[email protected] folder moved successfully.
File RITY] not found.
File ptyjava] not found.
File PTYFLASH] not found.
File boot] not found.

OTL by OldTimer - Version 3.2.69.0 log created on 07032013_183009
  • 0

#25
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello Arkanfel

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
  • 0

#26
Arkanfel

Arkanfel

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello,

Here it is, and thanks:

3D Sound Back Beta0.1
7-Zip 9.20
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Adobe Shockwave Player 12.0
Amazon Kindle
Angry Birds
Angry Birds Seasons
Antichamber
Apple Application Support
Apple Software Update
Audiosurf
Aurora 23.0a2 (x86 en-US)
BitRaider Web Client
Black Mirror
calibre
Catalyst Control Center
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
ConvertHelper 2.2
D-Fend Reloaded 1.3.2 (deinstall)
DAEMON Tools Lite
Dangerous Dave Pack
Diablo III
DivX Setup
Don't Starve
eMule
ffdshow v1.1.3800 [2011-03-28]
Game Booster 3
GOG.com Downloader version 3.5.7
Google Chrome
Google Drive
Google Update Helper
Guild Wars
HydraVision
IGG Web3D Player version 1.0.0.38
Infinite Password Generator 3.1
Kingdoms of Amalur: Reckoning
Malwarebytes Anti-Malware version 1.75.0.1300
Marvel Heroes
McAfee SiteAdvisor
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0 Refresh
Mozilla Firefox 21.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2758694)
NVIDIA PhysX
Online Armor 6.0
OpenVPN 2.2.2
Origin
PowerISO
Private Internet Access Support Files
QuickTime
Realtek HDMI Audio Driver for ATI
Realtek High Definition Audio Driver
ScummVM 0.9.1
Secunia PSI (3.0.0.7009)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Skype Click to Call
Skype™ 6.3
Smart Defrag 2
Sophos Virus Removal Tool
Space Empires IV Deluxe
Spelling Dictionaries Support For Adobe Reader 9
Spotify
SpywareBlaster 5.0
Steam
Super House of Dead Ninjas
swMSM
System Requirements Lab for Intel
The Binding of Isaac
The Real Texas
Torchlight II
Ultima Online Enhanced Client
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Vauudix
VC80CRTRedist - 8.0.50727.6195
World of Warcraft
Zip Motion Block Video codec (Remove Only)
μTorrent
天鳳 v1.3
  • 0

#27
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. Default settings are fine.
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - That is great!! At this time I would like you to update it and run me a quick scan.

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic


"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

  • 0

#28
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo
  • 0

#29
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
