Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

son's laptop VERY infected! un-usable. HELP. [Solved]


  • This topic is locked This topic is locked

#16
AdamIsAdam

AdamIsAdam

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 185 posts

Here's a fresh new OTL scan log:

 

OTL logfile created on: 4/11/2014 9:59:00 PM - Run 4
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\Aaron\Desktop
64bit- An unknown product  (Version = 6.2.9200) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16843)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.87 Gb Total Physical Memory | 1.95 Gb Available Physical Memory | 50.45% Memory free
4.68 Gb Paging File | 2.60 Gb Available in Paging File | 55.46% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.70 Gb Total Space | 401.00 Gb Free Space | 88.00% Space Free | Partition Type: NTFS
Drive W: | 500.00 Mb Total Space | 229.53 Mb Free Space | 45.91% Space Free | Partition Type: NTFS
Drive X: | 8.92 Gb Total Space | 0.28 Gb Free Space | 3.16% Space Free | Partition Type: NTFS
 
Computer Name: AARONLAPTOP | User Name: Aaron | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/04/09 23:16:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Aaron\Desktop\OTL.exe
PRC - [2014/03/14 20:50:42 | 000,859,976 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
PRC - [2014/01/07 22:02:18 | 000,295,512 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
PRC - [2013/08/14 16:19:24 | 000,039,056 | ---- | M] () -- C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
PRC - [2012/12/26 04:41:44 | 000,081,536 | ---- | M] (Atheros) -- C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
PRC - [2012/12/03 02:18:30 | 000,111,136 | ---- | M] (CyberLink) -- C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
PRC - [2012/11/19 15:15:20 | 000,285,240 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
PRC - [2012/11/19 15:15:20 | 000,014,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
PRC - [2012/10/23 17:43:52 | 000,102,928 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
PRC - [2012/09/13 00:18:36 | 004,037,480 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell Backup and Recovery\Toaster.exe
PRC - [2012/09/13 00:18:34 | 001,914,728 | ---- | M] (SoftThinks SAS) -- C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
PRC - [2012/08/06 13:58:50 | 000,491,880 | ---- | M] (SoftThinks - Dell) -- C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\DBRUpd.exe
PRC - [2012/07/17 21:10:32 | 000,364,416 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2012/07/17 21:10:30 | 000,276,864 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2012/07/17 21:10:16 | 000,165,760 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/03/25 21:17:11 | 000,399,872 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\752e9098ea35897508c969beff803f91\System.Xml.Linq.ni.dll
MOD - [2014/03/25 21:17:10 | 007,660,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\d7aaae3b1c95a1a658446d302b9a7f88\System.Xml.ni.dll
MOD - [2014/03/25 21:17:04 | 001,900,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\0e9817b12da250f8d4c680e1cb26e1c0\System.Xaml.ni.dll
MOD - [2014/03/25 21:17:02 | 012,877,824 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\11b4af16e791a6b0ada4a97d3e64e27a\System.Windows.Forms.ni.dll
MOD - [2014/03/25 21:16:48 | 019,713,024 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\35742fb7e85a09be10d83cae494cd828\System.ServiceModel.ni.dll
MOD - [2014/03/14 20:50:40 | 013,637,448 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll
MOD - [2014/03/14 20:50:40 | 000,394,568 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppgooglenaclpluginchrome.dll
MOD - [2014/03/14 20:50:38 | 004,061,000 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll
MOD - [2014/03/14 20:50:35 | 000,716,616 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\libglesv2.dll
MOD - [2014/03/14 20:50:34 | 000,100,168 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\libegl.dll
MOD - [2014/03/14 20:50:32 | 001,647,432 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ffmpegsumo.dll
MOD - [2014/03/14 20:50:30 | 000,051,016 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\chrome_elf.dll
MOD - [2014/03/13 21:35:21 | 002,822,656 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\deba9405e920eefee41a8efe93e93cc6\System.Runtime.Serialization.ni.dll
MOD - [2014/03/13 21:35:17 | 001,180,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\dd78e73a53e65bcad68c4e570bdacb05\System.Management.ni.dll
MOD - [2014/03/13 21:35:16 | 001,644,544 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\61be23d6a688188e3419a1eb46fc9d9d\System.Drawing.ni.dll
MOD - [2014/03/13 21:35:06 | 000,975,872 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\ffb7bbc6548ff34bc125a8fec79315dc\System.Configuration.ni.dll
MOD - [2014/03/13 21:35:05 | 000,475,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\d3abe72a65b16c5ca129dd4509450190\PresentationFramework.Aero2.ni.dll
MOD - [2014/03/13 21:35:04 | 018,785,280 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\952cc4d9a277dc4b0abc0de4a64b11a6\PresentationFramework.ni.dll
MOD - [2014/03/13 21:34:49 | 011,021,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\d860b38580f4403397d67fa84d624447\PresentationCore.ni.dll
MOD - [2014/03/13 21:34:40 | 003,941,888 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\e2fb4aca9e25e4eaac703466d36b17ed\WindowsBase.ni.dll
MOD - [2014/03/13 21:34:35 | 007,041,536 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\bca236f576ea12db3a9191f4586a445a\System.Core.ni.dll
MOD - [2014/03/13 21:34:29 | 010,051,072 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\System\f0602360211041a6be208f0b4138dddd\System.ni.dll
MOD - [2014/03/13 21:34:21 | 016,953,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\391541c89ed7585fc7e8936c43cee387\mscorlib.ni.dll
MOD - [2013/04/21 21:44:32 | 000,087,952 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2013/04/21 21:44:04 | 001,242,952 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2012/09/13 00:18:38 | 002,003,304 | ---- | M] () -- C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\STRestoreAPI.dll
MOD - [2012/08/06 13:59:24 | 000,117,608 | ---- | M] () -- C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\zlib1.dll
MOD - [2012/08/06 13:59:16 | 001,153,384 | ---- | M] () -- C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\libxml2.dll
MOD - [2012/06/08 14:34:06 | 000,016,400 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
MOD - [2012/06/07 23:34:06 | 000,627,216 | ---- | M] () -- C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2013/10/25 03:34:55 | 000,016,048 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV:64bit: - [2013/08/16 01:39:26 | 002,371,728 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\WSService.dll -- (WSService)
SRV:64bit: - [2013/06/24 18:54:45 | 000,263,680 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\wcmsvc.dll -- (Wcmsvc)
SRV:64bit: - [2013/06/01 05:19:58 | 000,207,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\DeviceSetupManager.dll -- (DsmSvc)
SRV:64bit: - [2013/05/04 02:58:02 | 000,470,528 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\netprofmsvc.dll -- (netprofm)
SRV:64bit: - [2013/05/04 02:57:05 | 000,179,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\bisrv.dll -- (BrokerInfrastructure)
SRV:64bit: - [2013/04/09 00:48:42 | 000,169,472 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\AudioEndpointBuilder.dll -- (AudioEndpointBuilder)
SRV:64bit: - [2013/03/29 12:36:27 | 002,675,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\spool\drivers\x64\3\PrintConfig.dll -- (PrintNotify)
SRV:64bit: - [2013/03/01 22:45:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\TimeBrokerServer.dll -- (TimeBroker)
SRV:64bit: - [2013/03/01 22:45:05 | 000,180,224 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\SystemEventsBrokerServer.dll -- (SystemEventsBroker)
SRV:64bit: - [2013/01/09 19:23:16 | 001,964,544 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\wlidsvc.dll -- (wlidsvc)
SRV:64bit: - [2013/01/09 19:22:35 | 000,438,272 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\lsm.dll -- (LSM)
SRV:64bit: - [2012/11/23 17:49:18 | 000,201,872 | ---- | M] (Realtek Semiconductor) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe -- (RtkAudioService)
SRV:64bit: - [2012/09/20 02:31:18 | 000,116,736 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\fhsvc.dll -- (fhsvc)
SRV:64bit: - [2012/07/25 23:07:47 | 000,065,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wiarpc.dll -- (WiaRpc)
SRV:64bit: - [2012/07/25 23:07:40 | 000,283,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\vaultsvc.dll -- (VaultSvc)
SRV:64bit: - [2012/07/25 23:07:25 | 000,012,800 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\svsvc.dll -- (svsvc)
SRV:64bit: - [2012/07/25 23:06:34 | 000,743,936 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\netlogon.dll -- (Netlogon)
SRV:64bit: - [2012/07/25 23:06:33 | 000,161,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\NcaSvc.dll -- (NcaSvc)
SRV:64bit: - [2012/07/25 23:06:33 | 000,073,728 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\NcdAutoSetup.dll -- (NcdAutoSetup)
SRV:64bit: - [2012/07/25 23:05:55 | 000,059,904 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\keyiso.dll -- (KeyIso)
SRV:64bit: - [2012/07/25 23:05:34 | 000,037,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\efssvc.dll -- (EFS)
SRV:64bit: - [2012/07/25 23:05:24 | 000,342,016 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\das.dll -- (DeviceAssociationService)
SRV:64bit: - [2012/07/25 23:05:08 | 000,122,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\AUInstallAgent.dll -- (AllUserInstallAgent)
SRV:64bit: - [2012/07/25 20:24:02 | 000,336,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicvss)
SRV:64bit: - [2012/07/25 20:24:02 | 000,336,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmictimesync)
SRV:64bit: - [2012/07/25 20:24:02 | 000,336,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicshutdown)
SRV:64bit: - [2012/07/25 20:24:02 | 000,336,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicrdv)
SRV:64bit: - [2012/07/25 20:24:02 | 000,336,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmickvpexchange)
SRV:64bit: - [2012/07/25 20:24:02 | 000,336,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\icsvc.dll -- (vmicheartbeat)
SRV:64bit: - [2012/04/20 17:16:12 | 000,635,104 | ---- | M] (Intel® Corporation) [Auto | Running] -- c:\Program Files\Intel\iCLS Client\HeciServer.exe -- (Intel®
SRV:64bit: - [2009/11/17 22:14:26 | 000,098,208 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe -- (AERTFilters)
SRV - [2013/08/14 16:19:24 | 000,039,056 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2013/03/29 12:36:27 | 002,675,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\system32\spool\DRIVERS\x64\3\PrintConfig.dll -- (PrintNotify)
SRV - [2012/12/28 16:41:58 | 000,226,944 | ---- | M] (Qualcomm Atheros Commnucations) [Auto | Running] -- C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe -- (AtherosSvc)
SRV - [2012/12/26 04:41:44 | 000,081,536 | ---- | M] (Atheros) [Auto | Running] -- C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe -- (ZAtheros Wlan Agent)
SRV - [2012/11/19 15:15:20 | 000,014,904 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2012/10/16 06:39:32 | 000,277,024 | ---- | M] (Intel Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\IntelCpHeciSvc.exe -- (cphs)
SRV - [2012/09/13 00:18:34 | 001,914,728 | ---- | M] (SoftThinks SAS) [Auto | Running] -- C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe -- (SftService)
SRV - [2012/07/25 23:20:04 | 000,018,432 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysWOW64\StorSvc.dll -- (StorSvc)
SRV - [2012/07/17 21:10:32 | 000,364,416 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2012/07/17 21:10:30 | 000,276,864 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2012/07/17 21:10:16 | 000,165,760 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe -- (jhi_service)
SRV - [2012/06/19 17:33:06 | 000,173,056 | ---- | M] (Dell Products, LP.) [Auto | Stopped] -- c:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe -- (DellDigitalDelivery)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2013/10/25 03:34:52 | 000,035,856 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\WdBoot.sys -- (WdBoot)
DRV:64bit: - [2013/10/24 18:34:32 | 000,248,240 | ---- | M] (Microsoft Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\Drivers\WdFilter.sys -- (WdFilter)
DRV:64bit: - [2013/10/10 07:53:35 | 000,096,600 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\wfplwfs.sys -- (WFPLWFS)
DRV:64bit: - [2013/10/05 02:10:20 | 000,285,016 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\spaceport.sys -- (spaceport)
DRV:64bit: - [2013/10/01 22:50:07 | 000,447,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\USBHUB3.SYS -- (USBHUB3)
DRV:64bit: - [2013/09/18 21:49:28 | 000,067,808 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\SysNative\Drivers\mozy.sys -- (mozyFilter)
DRV:64bit: - [2013/08/16 01:41:13 | 000,058,200 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\Drivers\dam.sys -- (dam)
DRV:64bit: - [2013/08/10 02:30:22 | 000,151,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\tpm.sys -- (TPM)
DRV:64bit: - [2013/07/09 04:04:07 | 000,120,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\msgpioclx.sys -- (GPIOClx0101)
DRV:64bit: - [2013/07/01 21:41:47 | 000,337,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\USBXHCI.SYS -- (USBXHCI)
DRV:64bit: - [2013/07/01 21:41:47 | 000,213,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\UCX01000.SYS -- (UCX01000)
DRV:64bit: - [2013/06/29 02:15:54 | 000,195,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2013/05/31 23:08:57 | 000,037,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\BthAvrcpTg.sys -- (BthAvrcpTg)
DRV:64bit: - [2013/03/29 12:36:26 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\fxppm.sys -- (FxPPM)
DRV:64bit: - [2013/03/29 12:35:21 | 000,027,880 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2013/03/29 12:35:18 | 000,029,952 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\BthhfHid.sys -- (bthhfhid)
DRV:64bit: - [2013/03/29 12:35:15 | 000,039,936 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\hidi2c.sys -- (hidi2c)
DRV:64bit: - [2013/03/29 12:34:40 | 000,056,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\sdstor.sys -- (sdstor)
DRV:64bit: - [2013/03/29 12:34:40 | 000,023,552 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\WSDScan.sys -- (WSDScan)
DRV:64bit: - [2013/03/02 06:57:46 | 000,077,544 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\storahci.sys -- (storahci)
DRV:64bit: - [2013/03/02 06:39:38 | 000,069,864 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\pdc.sys -- (pdc)
DRV:64bit: - [2013/01/24 22:12:08 | 000,010,752 | ---- | M] (OSR Open Systems Resources, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\DellRbtn.sys -- (DellRbtn)
DRV:64bit: - [2013/01/17 13:07:14 | 003,735,040 | ---- | M] (Qualcomm Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\athw8x.sys -- (athr)
DRV:64bit: - [2013/01/09 21:53:32 | 000,028,904 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\msgpiowin32.sys -- (msgpiowin32)
DRV:64bit: - [2012/12/28 16:19:48 | 000,578,792 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\btfilter.sys -- (BtFilter)
DRV:64bit: - [2012/12/28 16:19:40 | 000,136,424 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\btath_rcp.sys -- (BTATH_RCP)
DRV:64bit: - [2012/12/28 16:19:38 | 000,179,432 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\btath_hcrp.sys -- (BTATH_HCRP)
DRV:64bit: - [2012/12/28 16:19:38 | 000,077,464 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\btath_lwflt.sys -- (BTATH_LWFLT)
DRV:64bit: - [2012/12/28 16:19:36 | 000,115,432 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\btath_avdt.sys -- (btath_avdt)
DRV:64bit: - [2012/12/28 16:19:36 | 000,089,320 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\btath_flt.sys -- (AthBTPort)
DRV:64bit: - [2012/12/28 16:19:36 | 000,033,944 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\btath_bus.sys -- (BTATH_BUS)
DRV:64bit: - [2012/12/28 16:19:34 | 000,345,832 | ---- | M] (Qualcomm Atheros) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\btath_a2dp.sys -- (BTATH_A2DP)
DRV:64bit: - [2012/12/21 03:24:02 | 000,466,824 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\SynTP.sys -- (SynTP)
DRV:64bit: - [2012/12/21 03:24:02 | 000,032,136 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\Smb_driver_Intel.sys -- (SmbDrvI)
DRV:64bit: - [2012/12/21 03:24:00 | 000,028,040 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\Smb_driver_AMDASF.sys -- (SmbDrv)
DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/12/04 19:50:56 | 000,652,344 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\iaStorA.sys -- (iaStorA)
DRV:64bit: - [2012/10/16 06:39:10 | 005,343,584 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2012/09/20 03:55:27 | 003,265,256 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2012/09/20 03:55:24 | 000,533,224 | ---- | M] (Broadcom Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/07/26 01:26:46 | 000,025,328 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2012/07/26 01:26:45 | 000,033,792 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\condrv.sys -- (condrv)
DRV:64bit: - [2012/07/26 01:00:58 | 000,322,800 | ---- | M] (VIA Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\VSTXRAID.SYS -- (VSTXRAID)
DRV:64bit: - [2012/07/26 01:00:58 | 000,106,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\VerifierExt.sys -- (VerifierExt)
DRV:64bit: - [2012/07/26 01:00:58 | 000,097,008 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\uaspstor.sys -- (UASPStor)
DRV:64bit: - [2012/07/26 01:00:57 | 000,077,040 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\acpiex.sys -- (acpiex)
DRV:64bit: - [2012/07/26 01:00:55 | 000,064,240 | ---- | M] (Marvell Semiconductor, Inc.) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\mvumis.sys -- (mvumis)
DRV:64bit: - [2012/07/26 01:00:55 | 000,030,960 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2012/07/26 01:00:52 | 000,092,400 | ---- | M] (LSI Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2012/07/26 01:00:52 | 000,081,136 | ---- | M] (LSI Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\lsi_sss.sys -- (LSI_SSS)
DRV:64bit: - [2012/07/26 01:00:52 | 000,064,752 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2012/07/26 01:00:51 | 000,113,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\EhStorTcgDrv.sys -- (EhStorTcgDrv)
DRV:64bit: - [2012/07/26 01:00:51 | 000,081,136 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\EhStorClass.sys -- (EhStorClass)
DRV:64bit: - [2012/07/26 01:00:49 | 000,258,288 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2012/07/26 01:00:49 | 000,106,736 | ---- | M] (LSI) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\3ware.sys -- (3ware)
DRV:64bit: - [2012/07/26 01:00:49 | 000,076,016 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2012/07/26 01:00:48 | 000,026,352 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Stopped] -- C:\Windows\SysNative\Drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2012/07/26 00:57:54 | 000,361,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\clfs.sys -- (CLFS)
DRV:64bit: - [2012/07/26 00:53:16 | 000,067,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\vpci.sys -- (vpci)
DRV:64bit: - [2012/07/25 23:17:38 | 000,036,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2012/07/25 22:29:47 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV:64bit: - [2012/07/25 22:29:14 | 000,010,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\mshidumdf.sys -- (mshidumdf)
DRV:64bit: - [2012/07/25 22:29:08 | 000,048,640 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\BasicDisplay.sys -- (BasicDisplay)
DRV:64bit: - [2012/07/25 22:29:03 | 000,024,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\HyperVideo.sys -- (HyperVideo)
DRV:64bit: - [2012/07/25 22:28:52 | 000,029,696 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\BasicRender.sys -- (BasicRender)
DRV:64bit: - [2012/07/25 22:27:58 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\vmgencounter.sys -- (gencounter)
DRV:64bit: - [2012/07/25 22:27:41 | 000,018,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\kdnic.sys -- (kdnic)
DRV:64bit: - [2012/07/25 22:27:37 | 000,010,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\acpitime.sys -- (acpitime)
DRV:64bit: - [2012/07/25 22:27:33 | 000,023,552 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\npsvctrig.sys -- (npsvctrig)
DRV:64bit: - [2012/07/25 22:27:29 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\WpdUpFltr.sys -- (WpdUpFltr)
DRV:64bit: - [2012/07/25 22:27:16 | 000,010,240 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\acpipagr.sys -- (acpipagr)
DRV:64bit: - [2012/07/25 22:27:01 | 000,011,776 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\hyperkbd.sys -- (hyperkbd)
DRV:64bit: - [2012/07/25 22:26:46 | 000,062,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\SerCx.sys -- (SerCx)
DRV:64bit: - [2012/07/25 22:26:43 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\SpbCx.sys -- (SpbCx)
DRV:64bit: - [2012/07/25 22:26:34 | 000,030,208 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2012/07/25 22:26:13 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\bthhfenum.sys -- (BthHFEnum)
DRV:64bit: - [2012/07/25 22:25:57 | 000,033,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2012/07/25 22:25:56 | 000,057,344 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2012/07/25 22:25:13 | 000,045,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\wpcfltr.sys -- (wpcfltr)
DRV:64bit: - [2012/07/25 22:25:02 | 000,202,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\BthLEEnum.sys -- (BthLEEnum)
DRV:64bit: - [2012/07/25 22:25:01 | 000,126,464 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\NdisImPlatform.sys -- (NdisImPlatform)
DRV:64bit: - [2012/07/25 22:23:53 | 000,068,608 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\mslldp.sys -- (MsLldp)
DRV:64bit: - [2012/07/25 22:23:42 | 000,097,792 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\Drivers\Ndu.sys -- (Ndu)
DRV:64bit: - [2012/07/02 19:16:02 | 000,062,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2012/06/25 13:24:50 | 000,092,536 | ---- | M] (CyberLink) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\CLVirtualDrive.sys -- (CLVirtualDrive)
DRV:64bit: - [2012/06/19 12:40:50 | 000,342,528 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\IntcDAud.sys -- (IntcDAud)
DRV:64bit: - [2012/06/15 04:50:46 | 000,315,536 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\RtsUVStor.sys -- (RSUSBVSTOR)
DRV:64bit: - [2012/06/13 01:41:22 | 000,683,664 | ---- | M] (Realtek                                            ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\Rt630x64.sys -- (RTL8168)
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {976923C6-DA30-4BD7-B86F-9D09D28B8A6F}
IE:64bit: - HKLM\..\SearchScopes\{976923C6-DA30-4BD7-B86F-9D09D28B8A6F}: "URL" = http://www.bing.com/...E10TR&pc=MDDCJS
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{976923C6-DA30-4BD7-B86F-9D09D28B8A6F}: "URL" = http://www.bing.com/...E10TR&pc=MDDCJS
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dell13.msn.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.dell13.us.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 8E FA 83 84 83 55 CF 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {976923C6-DA30-4BD7-B86F-9D09D28B8A6F}
IE - HKCU\..\SearchScopes\{6303A7C4-D3D3-4AFD-9AE9-BD96E8087C70}: "URL" = http://us.yhs4.searc...669,0,IE10,7635
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3505.0912: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.3.51: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.3.51: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2014/01/07 22:03:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014/01/07 22:03:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\McAfee\MSK
 
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: https://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\pdf.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll
CHR - plugin: Intel® Identity Protection Technology (Enabled) = C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
CHR - plugin: Intel® Identity Protection Technology (Enabled) = C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit)  (Enabled) = C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Download Plugin (Enabled) = C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll
CHR - plugin: Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit)  (Enabled) = C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll
CHR - plugin: RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit)  (Enabled) = C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll
CHR - plugin: RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit)  (Enabled) = C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll
CHR - plugin: RealDownloader Plugin (Enabled) = C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: saviinshopi = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghfdfiegkgbdimlphpinjpagpndecdol\2.3\
CHR - Extension: RealDownloader = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.3_0\
CHR - Extension: Google Wallet = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: Gmail = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
CHR - Extension: Plus-HD-4.7 = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\poahhcggenldhhngmcdolbgdjnpicfim\1.26.80_0\crossrider
CHR - Extension: Plus-HD-4.7 = C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\poahhcggenldhhngmcdolbgdjnpicfim\1.26.80_0\
 
O1 HOSTS File: ([2014/04/10 15:51:17 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\Drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1       localhost
O2:64bit: - BHO: (Highlightly) - {83F2328D-0D6A-42B4-B0C4-02A929EDD4BE} - C:\Program Files\Highlightly\IE\HighlightlyClientIE.dll File not found
O2:64bit: - BHO: (CIESpeechBHO Class) - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (CoolSaleCCoouupon) - {F9A24303-F75F-7EB4-646B-43A84087F2BB} - C:\ProgramData\CoolSaleCCoouupon\S9pha0c33.x64.dll File not found
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (CoolSaleCCoouupon) - {F9A24303-F75F-7EB4-646B-43A84087F2BB} - C:\ProgramData\CoolSaleCCoouupon\S9pha0c33.dll File not found
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (2nd &Speech Center) - {CFE40ED8-564E-4693-A9D9-80DB70C8E460} - C:\Program Files (x86)\2nd Speech Center\tts4ie.dll ()
O4:64bit: - HKLM..\Run: [BtPreLoad] C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtPreLoad.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [QuickSet] c:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4:64bit: - HKLM..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe (Intel Corporation)
O4 - HKLM..\Run: [RemoteControl10] C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [2ndSpeechCenter] C:\Program Files (x86)\2nd Speech Center\iisc.exe (Zero2000 Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: BtvStack = "C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe" (Qualcomm Atheros Commnucations)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableCursorSuppression = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
O9:64bit: - Extra 'Tools' menuitem : Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6AB39005-951C-40F9-8101-1829CAC4C71E}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7FCC00E1-6479-4BA3-B31F-6E7220B5C6FD}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{87750D40-9186-4926-9DB7-6C946570A84F}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8983D5C6-905E-4F72-A96B-60FE23356F66}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C02CAB3E-C922-4371-A1DD-E72CF76EF979}: NameServer = 208.69.150.252,208.69.150.250
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O30 - LSA: Security Packages - (livessp) -  File not found
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/04/11 21:53:14 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Aaron\Desktop\aswmbr.exe
[2014/04/11 08:57:50 | 004,139,360 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Aaron\Desktop\TDSSKiller.exe
[2014/04/10 16:26:54 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/04/10 16:25:21 | 001,016,261 | ---- | C] (Thisisu) -- C:\Users\Aaron\Desktop\JRT.exe
[2014/04/10 16:10:10 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/04/10 15:51:02 | 000,000,000 | ---D | C] -- C:\_OTL
[2014/04/10 02:33:53 | 000,000,000 | ---D | C] -- C:\ProgramData\884fa2bfc9b8d6c1
[2014/04/09 23:16:26 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Aaron\Desktop\OTL.exe
[2014/03/26 18:00:47 | 000,000,000 | ---D | C] -- C:\Users\Aaron\Documents\AvsPicture
[2014/03/26 18:00:47 | 000,000,000 | ---D | C] -- C:\Users\Aaron\Documents\AvsDesktop
[2014/03/26 18:00:47 | 000,000,000 | ---D | C] -- C:\Users\Aaron\Documents\Avs Videos
[2014/03/26 17:58:54 | 000,000,000 | ---D | C] -- C:\Users\Aaron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\uPlayer
[2014/03/26 17:58:47 | 000,000,000 | ---D | C] -- C:\Users\Aaron\AppData\Roaming\uPlayer
[2014/03/26 17:58:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\uPlayer
 
========== Files - Modified Within 30 Days ==========
 
[2014/04/11 21:58:08 | 000,000,390 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateXML_Aaron.job
[2014/04/11 21:55:30 | 000,000,512 | ---- | M] () -- C:\Users\Aaron\Desktop\MBR.dat
[2014/04/11 21:53:17 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\Aaron\Desktop\aswmbr.exe
[2014/04/11 21:33:18 | 000,850,046 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/04/11 21:33:18 | 000,720,456 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/04/11 21:33:18 | 000,133,284 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/04/11 21:30:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/04/11 21:29:32 | 000,000,400 | ---- | M] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_Aaron.job
[2014/04/11 21:29:30 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/04/11 21:28:27 | 268,435,456 | -HS- | M] () -- C:\swapfile.sys
[2014/04/11 21:28:23 | 3326,308,352 | -HS- | M] () -- C:\hiberfil.sys
[2014/04/11 08:57:52 | 004,139,360 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Aaron\Desktop\TDSSKiller.exe
[2014/04/10 23:21:14 | 000,004,488 | ---- | M] () -- C:\Windows\mozy.flt
[2014/04/10 23:21:14 | 000,002,928 | ---- | M] () -- C:\Windows\mozy.blk
[2014/04/10 23:09:00 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/04/10 18:45:19 | 000,002,039 | ---- | M] () -- C:\Users\Aaron\AppData\Local\server_cn.conf
[2014/04/10 18:44:49 | 000,000,341 | ---- | M] () -- C:\Users\Aaron\AppData\Local\server_cn.confini
[2014/04/10 16:25:30 | 001,016,261 | ---- | M] (Thisisu) -- C:\Users\Aaron\Desktop\JRT.exe
[2014/04/10 16:03:46 | 001,426,178 | ---- | M] () -- C:\Users\Aaron\Desktop\adwcleaner.exe
[2014/04/10 15:51:17 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\Hosts
[2014/04/09 23:16:30 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Aaron\Desktop\OTL.exe
[2014/04/09 22:53:23 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\ReclaimerUpdateFiles_Aaron.job
[2014/04/09 22:53:00 | 000,367,112 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2014/03/26 18:01:08 | 000,001,328 | ---- | M] () -- C:\Users\Aaron\AppData\Local\email_cn.conf
[2014/03/26 17:58:54 | 000,003,023 | ---- | M] () -- C:\Users\Aaron\Desktop\uPlayer.lnk
[2014/03/24 21:50:13 | 000,002,185 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
 
========== Files Created - No Company Name ==========
 
[2014/04/11 21:55:30 | 000,000,512 | ---- | C] () -- C:\Users\Aaron\Desktop\MBR.dat
[2014/04/10 16:03:40 | 001,426,178 | ---- | C] () -- C:\Users\Aaron\Desktop\adwcleaner.exe
[2014/04/09 22:52:48 | 000,367,112 | ---- | C] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2014/04/06 21:56:43 | 000,000,400 | ---- | C] () -- C:\Windows\tasks\RNUpgradeHelperLogonPrompt_Aaron.job
[2014/04/06 21:56:41 | 000,000,394 | ---- | C] () -- C:\Windows\tasks\ReclaimerUpdateFiles_Aaron.job
[2014/04/06 21:56:39 | 000,000,390 | ---- | C] () -- C:\Windows\tasks\ReclaimerUpdateXML_Aaron.job
[2014/03/26 18:01:10 | 000,000,341 | ---- | C] () -- C:\Users\Aaron\AppData\Local\server_cn.confini
[2014/03/26 18:01:08 | 000,001,328 | ---- | C] () -- C:\Users\Aaron\AppData\Local\email_cn.conf
[2014/03/26 18:01:05 | 000,002,039 | ---- | C] () -- C:\Users\Aaron\AppData\Local\server_cn.conf
[2014/03/26 17:58:54 | 000,003,023 | ---- | C] () -- C:\Users\Aaron\Desktop\uPlayer.lnk
[2014/01/07 22:09:26 | 000,000,000 | ---- | C] () -- C:\ProgramData\2928213b213e38383d3c24_c
[2013/09/17 23:12:14 | 000,083,968 | ---- | C] () -- C:\Windows\SysWow64\OEMLicense.dll
[2013/09/04 20:48:07 | 000,000,017 | ---- | C] () -- C:\Users\Aaron\AppData\Local\resmon.resmoncfg
[2013/03/29 12:34:46 | 000,866,452 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/03/29 12:05:16 | 000,598,780 | ---- | C] () -- C:\Windows\SysWow64\igvpkrng700.bin
[2013/03/29 12:05:09 | 000,064,512 | ---- | C] () -- C:\Windows\SysWow64\igdde32.dll
[2013/03/29 12:05:08 | 000,755,048 | ---- | C] () -- C:\Windows\SysWow64\igcodeckrng700.bin
[2012/07/26 04:13:10 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2012/07/26 04:13:09 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2012/07/26 03:21:26 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2012/07/25 21:17:42 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2012/07/25 16:37:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2012/07/25 16:28:31 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2012/06/02 10:31:19 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2012/04/20 16:59:44 | 000,001,536 | ---- | C] () -- C:\Windows\SysWow64\IusEventLog.dll
 
========== ZeroAccess Check ==========
 
[2013/08/18 22:57:18 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013/12/07 02:36:58 | 019,751,936 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/12/07 01:15:36 | 017,560,576 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2012/07/25 23:05:38 | 001,004,544 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2012/07/25 23:18:27 | 000,784,896 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2012/07/25 23:07:41 | 000,455,680 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2014/01/18 21:38:09 | 000,000,000 | ---D | M] -- C:\Users\Aaron\AppData\Roaming\Audacity
[2014/01/13 22:46:04 | 000,000,000 | ---D | M] -- C:\Users\Aaron\AppData\Roaming\InstallX Search Protect for Yahoo
[2013/08/16 16:50:01 | 000,000,000 | ---D | M] -- C:\Users\Aaron\AppData\Roaming\Leadertech
[2013/08/18 18:05:18 | 000,000,000 | ---D | M] -- C:\Users\Aaron\AppData\Roaming\PCDr
[2014/03/26 17:58:47 | 000,000,000 | ---D | M] -- C:\Users\Aaron\AppData\Roaming\uPlayer
 
========== Purity Check ==========
 
 
 
< End of report >

  • 0

Advertisements


#17
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hi :)

Looking good, the aswMBR scan was clean, so let's move on.


There's a few things we need to take care of, namely an extension in Chrome that is malware related and a few items in OTL. Once these are taken care of, we'll runs some scans looking for remnants.


Step 1: Remove Chrome Extension


Start Chrome and type this into the address bar: chrome:extensions

This will display a page of all the installed extensions. Please remove the extension in the list below by clicking the trash can icon.

Please remove these extensions:

Plus-HD-4.7

saviinshopi



Step 2: OTL Fix


Let's run an OTL fix:

Warning: This fix is to be used on this system and this system ONLY. Using this fix on any other machine other than yours can seriously damage it.

Be advised that when the fix commences, it will shut down all running processes and you may lose the desktop and icons, they will return on reboot.

Run OTL by double clicking it (Windows Vista, Windows 7, and 8, right click and select "Run as Administrator)
  • Copy the text in the quote box below (do not copy the word "quote") and paste in the in the box marked Custom Scans/Fixes as shown in the graphic below.
otlrunfix.jpg




:Commands
[createrestorepoint]

:OTL
O2:64bit: - BHO: (Highlightly) - {83F2328D-0D6A-42B4-B0C4-02A929EDD4BE} - C:\Program Files\Highlightly\IE\HighlightlyClientIE.dll File not found
O2:64bit: - BHO: (CoolSaleCCoouupon) - {F9A24303-F75F-7EB4-646B-43A84087F2BB} - C:\ProgramData\CoolSaleCCoouupon\S9pha0c33.x64.dll File not found
O2 - BHO: (CoolSaleCCoouupon) - {F9A24303-F75F-7EB4-646B-43A84087F2BB} - C:\ProgramData\CoolSaleCCoouupon\S9pha0c33.dll File not found
[2014/01/13 22:46:04 | 000,000,000 | ---D | M] -- C:\Users\Aaron\AppData\Roaming\InstallX Search Protect for Yahoo

:Files
C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\poahhcggenldhhngmcdolbgdjnpicfim
C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghfdfiegkgbdimlphpinjpagpndecdol

:Commands
[reboot]

  • Click the Run Fix button at the top of the OTL control panel.
  • Let the program run until it's finished and then reboot the computer.
  • Once your machine has rebooted, a log will open. If the log doesn't open on reboot, you can find it here: C:\_OTL\MovedFiles Please post that log in your next reply.
If you have any problems, questions, or need further explanation, please post a message in this thread and I will get back to you asap.


Things I need to see in your next post:

OTL Fix Log

Question: How is the machine running now?

  • 0

#18
AdamIsAdam

AdamIsAdam

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 185 posts
ok, here you go.
 
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83F2328D-0D6A-42B4-B0C4-02A929EDD4BE}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83F2328D-0D6A-42B4-B0C4-02A929EDD4BE}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9A24303-F75F-7EB4-646B-43A84087F2BB}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9A24303-F75F-7EB4-646B-43A84087F2BB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9A24303-F75F-7EB4-646B-43A84087F2BB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9A24303-F75F-7EB4-646B-43A84087F2BB}\ deleted successfully.
C:\Users\Aaron\AppData\Roaming\InstallX Search Protect for Yahoo folder moved successfully.
========== FILES ==========
File\Folder C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\poahhcggenldhhngmcdolbgdjnpicfim not found.
File\Folder C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghfdfiegkgbdimlphpinjpagpndecdol not found.
========== COMMANDS ==========
 
OTL by OldTimer - Version 3.2.69.0 log created on 04112014_234420

  • 0

#19
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
:thumbsup: How is the machine running now?

Let's run a sweep for remnants and check for out of date programs.



Step 1: Scan with Malwarebytes


Please download Malwarebytes Anti-Malware to your desktop
Install the progamme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

MBAMsettings_zpsb6b9ada0.jpg

Go back to the Dashboard and select Scan Now

MBAMScan_zps8ba7d192.jpg

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

MBAMReboot_zps9089ab30.jpg

MBAMLog_zpsade07f42.jpg

On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop



Step 2: Scan with ESET Online Scanner


Please note: You can use Internet Explorer or Firefox for this step. Either browser used will have to be ran in admin mode.

Right click on either the Internet Explorer icon or the Firefox icon in the Start Menu or Quick Launch Bar on the Task bar and select Run as Administrator from the menu.

If you use Firefox, you will be prompted to download esetsmartinstaller_enu.exe. Please do so, then double click it to install it.

Please click on this link and then click the ESET Online Scanner bar ---->esetbar_zps93905f48.jpg
  • Select the option YES, I accept the Terms of Use then click on Start
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Now click on Start
  • The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Now click on Finish
  • Use notepad to open the logfile located at C:\Program Files(x86)\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Step 3: SecurityCheck Scan


Download Security Checksecuritycheck_zpsb7736812.jpg by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Things I need to see in your next post:
  • ESET Scan Log
  • MBAM Log
  • SecurityCheck Log

  • 0

#20
AdamIsAdam

AdamIsAdam

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 185 posts

can't find the ESET log.  Here's the other.

 

 Results of screen317's Security Check version 0.99.81  
   x64 (UAC is enabled)  
 Internet Explorer 10 Out of date! 
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Google Chrome 33.0.1750.146  
 Google Chrome 33.0.1750.154  
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
 
 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/12/2014
Scan Time: 8:27:15 AM
Logfile: mbam log.txt
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.04.12.01
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: Aaron
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 248096
Time Elapsed: 8 hr, 4 min, 58 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 8
PUP.Optional.Zwangi, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{47AE1BA9-0BD1-44F4-88AE-45F8F7B605EF}, No Action By User, [f30d6f915fa1a957e9d7a274a85ae31d], 
PUP.Optional.Highlightly, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{83F2328D-0D6A-42B4-B0C4-02A929EDD4BE}, No Action By User, [ef1123dd9b656799313d91812cd66d93], 
PUP.Optional.HighLightly.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\cmclajginlihohopoeofghddnhpplhom, No Action By User, [758bf50b986819e765afd6915aa82ad6], 
PUP.Optional.HDShop.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\hdshop, No Action By User, [ec140000d42c02fe9f8fec8144be7c84], 
PUP.Optional.MediaEnhance.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\media enhance, No Action By User, [df212ed209f7649c0e9eb1bcf11112ee], 
PUP.Optional.PlusHD.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Plus-HD-4.7, No Action By User, [df21758b8a767d83aaeae6834ab8d12f], 
PUP.Optional.PlusHD.A, HKU\S-1-5-21-732628660-1964460303-482053459-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Plus-HD-4.7, No Action By User, [e51be11f1fe16f91583c9ecb17eb59a7], 
PUP.Optional.TidyNetwork.A, HKU\S-1-5-21-732628660-1964460303-482053459-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\TidyNetwork, No Action By User, [8977c13f857b619fd9f1b0be758dc23e], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

  • 0

#21
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
The ESET log should be located in this directory: C:\Program Files(x86)\ESET\EsetOnlineScanner\log.txt

Also, after you ran the MBAM scan, did you click the Apply Action to remove the items it found? The log is saying that no action was taken by the user.

Is the machine running faster now and have the popups stopped?
  • 0

#22
AdamIsAdam

AdamIsAdam

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 185 posts

I found the log.  I'll post here.  The PC is running better.  So far no popups.  As for the MBAM, I thought I hit the clean up button, but do seem to recall it closed quickly, as if it didn't do any cleaning.

 

[email protected] as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=8
# IEXPLORE.EXE=10.00.9200.16384 (win8_rtm.120725-1247)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=25eaaa9a482ef04bb16ecc8ba3125ca4
# engine=17859
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-04-12 03:08:23
# local_time=2014-04-12 11:08:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode=5893 16776573 100 94 0 14574832 0 0
# scanned=198221
# found=18
# cleaned=0
# scan_time=9239
sh=97BCCD25561F44E9B13F05F6EEF083C9CE9BA529 ft=1 fh=641f1fb3d2e699c4 vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir"
sh=54A8802E779AE281FF1B259B5559145E5F781968 ft=1 fh=c71c001102f2b850 vn="a variant of Win32/AdWare.MultiPlug.N application" ac=I fn="C:\AdwCleaner\Quarantine\C\ProgramData\CoolSaleCCoouupon\S9pha0c33.dll.vir"
sh=2648349A062066B2B4D9F44854780414B69D59DB ft=1 fh=c71c00110fd81f90 vn="a variant of Win64/Adware.MultiPlug.A application" ac=I fn="C:\AdwCleaner\Quarantine\C\ProgramData\CoolSaleCCoouupon\S9pha0c33.x64.dll.vir"
sh=314F703F0F190BF70F0386509C10998D4E2BD10B ft=1 fh=2f9f46df1834d950 vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Aaron\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.1.dll.vir"
sh=D3CBDD7C6ED2C9D81DA4FCF9AF57CDD5D3711ED3 ft=1 fh=86dbe26399c3d0fa vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Aaron\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.2.dll.vir"
sh=8E6A6992A3C7FEC4000FA1A4D764DD597109E0B5 ft=1 fh=c71c0011cd00713e vn="Win32/NextLive.A potentially unwanted application" ac=I fn="C:\AdwCleaner\Quarantine\C\Users\Aaron\AppData\Local\genienext\nengine.dll.vir"
sh=741518CA17409E0C108EA202464829E6C664ED1E ft=1 fh=52477f93f91d8732 vn="a variant of MSIL/DomaIQ.A potentially unwanted application" ac=I fn="C:\Program Files\Uninstaller\Uninstall.exe"
sh=C7A16067BF3F2F17A5F5C5D89B824E240F741F37 ft=1 fh=93e48df091c754d1 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe"
sh=B992ED7A1B4DF30F6AF8A911FBFDE92ED9F77519 ft=1 fh=5dac4dde3cd39976 vn="a variant of MSIL/DomaIQ.A potentially unwanted application" ac=I fn="C:\Program Files (x86)\Uninstaller\Uninstall.exe"
sh=068A54F966DB6AC14BCA0E39E2A99E3F0027304D ft=1 fh=39f7a16b0423d981 vn="Win64/Toolbar.Conduit.B potentially unwanted application" ac=I fn="C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\hk64tbInst.dll"
sh=CC6AF3A384A61C1C621BA5AB43583E82FF281530 ft=1 fh=bbbd034bf7d0bf76 vn="Win32/Toolbar.Conduit.X potentially unwanted application" ac=I fn="C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\hktbInst.dll"
sh=9B3B44428CC80CC43F085AE514E7E16F7963EACC ft=1 fh=4c03fc1250fa29f9 vn="a variant of Win32/Toolbar.Conduit.P potentially unwanted application" ac=I fn="C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\ldrtbInst.dll"
sh=33457E2F2405727124C107D6DEAF24C94E992463 ft=1 fh=e719e166edfd7994 vn="a variant of Win32/Toolbar.Conduit.X potentially unwanted application" ac=I fn="C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\tbInst.dll"
sh=B5C93DA0C608B26C9487ABC49CCB643C9A15ED33 ft=1 fh=75f1c65aa8a331ed vn="a variant of Win32/PriceGong.A potentially unwanted application" ac=I fn="C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin\PriceGongIE.dll"
sh=312298DCDB1D89E22FA901ECBA3D7AFE22905F7C ft=1 fh=a6661423b3ea7b92 vn="Win32/Somoto.E potentially unwanted application" ac=I fn="C:\Users\Aaron\AppData\Roaming\Apple Computer\MobileSync\Backup\4370ec2442f37edf6770e5450cb2ec4609ec67a1\0b317ae9164ccb67232402ebf2305e446ccb00dc"
sh=D86451022DDD8348105C1D52FBFD2ADB1E2DCC30 ft=1 fh=d3e706a6307522ba vn="Win32/Toolbar.Conduit.Y potentially unwanted application" ac=I fn="C:\_OTL\MovedFiles\04102014_155102\C_Users\Aaron\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll"
sh=9DCB8E1011D5D990AAB7CD84737F74F6A8CE48C7 ft=1 fh=2e19c0e3dba80dfc vn="probably a variant of Win32/InstallIQ.A potentially unwanted application" ac=I fn="C:\_OTL\MovedFiles\04112014_234420\C_Users\Aaron\AppData\Roaming\InstallX Search Protect for Yahoo\searchprotector.exe"
sh=5DD3C1FF8B0CA2A4B9CB28B0263B7924CF0B3CE0 ft=0 fh=0000000000000000 vn="probably a variant of Win32/InstallIQ.A potentially unwanted application" ac=I fn="C:\_OTL\MovedFiles\04112014_234420\C_Users\Aaron\AppData\Roaming\InstallX Search Protect for Yahoo\searchprotector.zip"

  • 0

#23
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts

I found the log.  I'll post here.  The PC is running better.  So far no popups.  As for the MBAM, I thought I hit the clean up button, but do seem to recall it closed quickly, as if it didn't do any cleaning.

 
 
Good to hear that the popups are gone and the machine is running better. :thumbsup: 
 
Let's run MBAM again and make sure those registry keys are gone.  Also, I have an OTL Fix to get rid of a few remnant files.
 
After you have run MBAM again, please run the fix below for OTL.
 
 
Let's run an OTL fix:
Warning:  This fix is to be used on this system and this system ONLY.  Using this fix on any other machine other than yours can seriously damage it.
Be advised that when the fix commences, it will shut down all running processes and you may lose the desktop and icons, they will return on reboot.
Run OTL by double clicking it (Windows Vista, Windows 7, and 8, right click and select "Run as Administrator)
  • Copy the text in the quote box below (do not copy the word "quote") and paste in the in the box marked Custom Scans/Fixes as shown in the graphic below.
otlrunfix.jpg

:Commands
[createrestorepoint]
:Files
C:\Program Files\Uninstaller\Uninstall.exe
C:\Program Files (x86)\Uninstaller\Uninstall.exe
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A
C:\Users\Aaron\AppData\Roaming\Apple Computer\MobileSync\Backup\4370ec2442f37edf6770e5450cb2ec4609ec67a1\0b317ae9164ccb67232402ebf2305e446ccb00dc
:Commands
[reboot]

  • Click the Run Fix button at the top of the OTL control panel.
  • Let the program run until it's finished and then reboot the computer.
  • Once your machine has rebooted, a log will open.  If the log doesn't open upon reboot, it can be found here:  C:\_OTL\MovedFiles. Please post that log in your next reply.
If you have any problems, questions, or need further explanation, please post a message in this thread and I will get back to you asap.

Things I need to see in your next post:
MBAM Log
OTL Fix Log

  • 0

#24
AdamIsAdam

AdamIsAdam

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 185 posts

ok, I ran both scans.  I'm not sure I did what you asked on MBAM.  After I ran, it found several items, about a dozen.  So I'm not sure why the log says nothing found.  The default action was to ignore once.  Since last time I ran it you said I didn't take any action, this time I hit Quarantine All button.  If that's incorrect, let me know and I'll rerun it.  Below is that log and also the OTL log.

 

(EDIT: i just updated my clock so you may notice the time on the logs is an hour off)

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/13/2014
Scan Time: 8:07:02 AM
Logfile: mbam log.txt
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.04.13.02
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: Aaron
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 247173
Time Elapsed: 16 min, 53 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 8
PUP.Optional.Zwangi, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{47AE1BA9-0BD1-44F4-88AE-45F8F7B605EF}, Quarantined, [4096b17887f4ab8b65d018ff946e05fb], 
PUP.Optional.Highlightly, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{83F2328D-0D6A-42B4-B0C4-02A929EDD4BE}, Quarantined, [0acc1b0e9ae1181e588bee2407fb33cd], 
PUP.Optional.HighLightly.A, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\cmclajginlihohopoeofghddnhpplhom, Quarantined, [cf07db4e2556c472018871f660a26b95], 
PUP.Optional.HDShop.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\hdshop, Quarantined, [14c2ab7ef586ff37f2b1df8e04fed927], 
PUP.Optional.MediaEnhance.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\media enhance, Quarantined, [b1256dbc7b00fb3b59c83c3269990ef2], 
PUP.Optional.PlusHD.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Plus-HD-4.7, Quarantined, [e4f203261269dd59ee1b5911c9396898], 
PUP.Optional.PlusHD.A, HKU\S-1-5-21-732628660-1964460303-482053459-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\Plus-HD-4.7, Quarantined, [3b9ba485354669cd40c90a606c96d12f], 
PUP.Optional.TidyNetwork.A, HKU\S-1-5-21-732628660-1964460303-482053459-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\TidyNetwork, Quarantined, [35a1b4753b401d19112e026d0ff322de], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\Program Files\Uninstaller\Uninstall.exe moved successfully.
C:\Program Files (x86)\Uninstaller\Uninstall.exe moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\UserDefinedItems folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_en\ToolbarTranslation folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_en folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_CT3311834\ToolbarSettings folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_CT3311834\ToolbarLogin folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_CT3311834\ToolbarHiddenSettings folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_CT3311834\ToolbarHiddenLogin folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_CT3311834\DynamicDialogs folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_CT3311834\AppsMetaData folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository\conduit_CT3311834_CT3311834 folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Repository folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\RadioPlayer folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12\bin folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}\3.6.12 folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\plugins\{5E1360DC-8FA8-40df-A8CD-FC3831B3634B} folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\plugins folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\MyStuffApps folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Logs folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\ExternalComponent folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\EmailNotifier folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\UntrustedAppApprovalDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\UntrustedAddedAppDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\ToolbarUntrustedAppsApprovalDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\ToolbarFirstTimeDialog\images folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\ToolbarFirstTimeDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\SearchProtectorRetakeoverDialog\Images folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\SearchProtectorRetakeoverDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\SearchProtectorDialog\Images folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\SearchProtectorDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\SearchProtectorBubbleDialog\images folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\SearchProtectorBubbleDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\NewSearchProtectorDialog\images folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\NewSearchProtectorDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\EngineFirstTimeDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\DetectedAppDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\DefualtImages folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs\AddedAppDialog folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\Dialogs folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A\CacheIcons folder moved successfully.
C:\Users\Aaron\AppData\LocalLow\Installl_Converter_A folder moved successfully.
C:\Users\Aaron\AppData\Roaming\Apple Computer\MobileSync\Backup\4370ec2442f37edf6770e5450cb2ec4609ec67a1\0b317ae9164ccb67232402ebf2305e446ccb00dc moved successfully.
========== COMMANDS ==========
 
OTL by OldTimer - Version 3.2.69.0 log created on 04132014_080914
 

Edited by AdamIsAdam, 13 April 2014 - 05:22 AM.

  • 0

#25
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts

ok, I ran both scans. I'm not sure I did what you asked on MBAM. After I ran, it found several items, about a dozen. So I'm not sure why the log says nothing found. The default action was to ignore once. Since last time I ran it you said I didn't take any action, this time I hit Quarantine All button. If that's incorrect, let me know and I'll rerun it. Below is that log and also the OTL log.


No need to rerun it, you got them. :thumbsup: The log shows they are quarantined and the OTL fix ran correctly as well. :)


Which brings me to my next point...



Great news, your logs are CLEAN! :thumbsup: :) But we still have a few things we need to address namely:
  • I need to remove the tools we installed on your machine.
  • I also have some information and protection against a new ransomware program called CryptoLocker.
Step 1: Tool Removal
  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Create registry backup
    • Purge system restore
    delfix.jpg
  • Click Run
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.
  • You can uninstall ESET Online Scanner at this time.
  • I'd recommend keeping Malwarebytes Anti-Malware installed. Make sure to update it and run it at least once a week. If it finds items such as PUPs (Potentially Unwanted Programs), those can be deleted without worry. However, if it finds something like a trojan, come see us. :)
Step 2: Tips, Information, and Protection against CryptoLocker
  • Watch what you open in your emails. If you get an email from an unknown source with any attached files, do not open it.
  • Be careful of the websites you visit.
  • When installing new programs, don't be "click happy" and click through the screens. Many programs come with adware in them and are set to install them by default. Several programs require that you uncheck or select no to prevent the installation. Take you time and read each screen as you go. :)
To help protect yourself while on the web, I recommend you read How did I get infected in the first place?

A warning about CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

Please download and install CryptoPrevent to lock your machine down from this infection.

CryptoPrevent_zps1835f65d.jpg

Are there any further issues I can assist you with?
  • 0

Advertisements


#26
AdamIsAdam

AdamIsAdam

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 185 posts

THANKS!!!  I did everything you just instructed except Crypto, which I'll do right after this post.  Here's the last requested log.  If we're all done, let me know and I'll happily make a PayPal contribution to help fight the good fight.  Do you have a suggested amount?

 

# DelFix v10.6 - Logfile created 13/04/2014 at 08:25:24
# Updated 11/11/2013 by Xplode
# Username : Aaron - AARONLAPTOP
# Operating System : Windows 8  (64 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\_OTL
Deleted : C:\AdwCleaner
Deleted : C:\TDSSKiller.2.8.16.0_11.04.2014_08.56.27_log.txt
Deleted : C:\TDSSKiller.3.0.0.31_11.04.2014_21.25.25_log.txt
Deleted : C:\TDSSKiller.3.0.0.31_11.04.2014_21.29.33_log.txt
Deleted : C:\Users\Aaron\Desktop\adwcleaner.exe
Deleted : C:\Users\Aaron\Desktop\AdwCleaner[S0].txt
Deleted : C:\Users\Aaron\Desktop\aswmbr.exe
Deleted : C:\Users\Aaron\Desktop\aswMBR.txt
Deleted : C:\Users\Aaron\Desktop\Extras.Txt
Deleted : C:\Users\Aaron\Desktop\JRT.exe
Deleted : C:\Users\Aaron\Desktop\JRT.txt
Deleted : C:\Users\Aaron\Desktop\MBR.dat
Deleted : C:\Users\Aaron\Desktop\OTL.Txt
Deleted : C:\Users\Aaron\Desktop\OTL.exe
Deleted : C:\Users\Aaron\Desktop\SecurityCheck.exe
Deleted : C:\Users\Aaron\Desktop\TDSSKiller.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #29 [Windows Update | 04/10/2014 02:45:53]
Deleted : RP #30 [OTL Restore Point - 4/11/2014 11:44:30 PM | 04/12/2014 03:44:35]
Deleted : RP #31 [OTL Restore Point - 4/13/2014 8:09:25 AM | 04/13/2014 12:09:26]
 
New restore point created !
 
########## - EOF - ##########

  • 0

#27
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts

THANKS!!! I did everything you just instructed except Crypto, which I'll do right after this post. Here's the last requested log. If we're all done, let me know and I'll happily make a PayPal contribution to help fight the good fight. Do you have a suggested amount?


That DelFix log looks good, and that completes the cleaning. :thumbsup: As for a suggested amount, I really have no set amount, so whatever you decide will be highly appreciated and be perfect. :)
  • 0

#28
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP