Erase C in Hiberfil.sys

Worst infected machine ever

  • This topic is locked

#16
zep516

    Trusted Helper

  • Malware Removal
  • 8,093 posts
Hello,

Next

A few items to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
 
start
CloseProcesses:
CreateRestorePoint:
C:\Program Files (x86)\YouTube Download Pool\G2\youtubeserv.exe
HKU\S-1-5-21-3583772472-3013558980-347553230-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
C:\Program Files (x86)\Lavasoft\Web Companion
ShortcutTarget: 1AB24RN6.lnk -> C:\ProgramData\{4007dc82-6f9d-7ab4-4007-7dc826f97209}\1AB24RN6.exe (No File)
ProxyEnable: [S-1-5-21-3583772472-3013558980-347553230-1001] => Internet Explorer proxy is enabled.
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-3583772472-3013558980-347553230-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-3583772472-3013558980-347553230-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
S3 Lavasoft Kernexplorer; No ImagePath
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
2015-03-16 17:53 - 2015-03-16 17:53 - 00003664 _____ () C:\windows\System32\Tasks\IE_ERR4WDR
C:\windows\System32\Tasks\IE_ERR4WDR
015-03-16 17:53 - 2015-03-16 17:53 - 00003640 _____ () C:\windows\System32\Tasks\HDNINSTSCHD
2015-03-16 17:53 - 2015-03-16 17:53 - 00003506 _____ () C:\windows\System32\Tasks\UPDTEXE4_WDR
2015-03-16 17:52 - 2015-03-16 17:56 - 00000000 ____D () C:\Program Files (x86)\Portable WeatherApp
C:\windows\System32\Tasks\HDNINSTSCHD
C:\windows\System32\Tasks\UPDTEXE4_WDR
C:\Program Files (x86)\Portable WeatherApp
2015-03-14 13:50 - 2015-03-19 07:31 - 00000000 ____D () C:\Program Files (x86)\Windows Network Accelerater
C:\Program Files (x86)\Windows Network Accelerater
2015-03-14 13:50 - 2015-03-14 13:50 - 00000000 ____D () C:\ProgramData\Windows VXM
2015-03-14 13:06 - 2015-03-14 14:07 - 00000000 ____D () C:\Program Files (x86)\Ninja Loader
2015-03-14 13:05 - 2015-03-14 13:05 - 00000000 ____D () C:\Users\RoseCake\Documents\DreamVideoSoft
2015-03-14 13:04 - 2015-03-16 21:55 - 00000000 ____D () C:\ProgramData\{b95cd953-ab35-e8d1-b95c-cd953ab3654e}
2015-03-14 13:04 - 2015-03-16 18:01 - 00000000 ____D () C:\ProgramData\Optimizer
2015-03-14 13:04 - 2015-03-14 13:04 - 00003116 _____ () C:\windows\System32\Tasks\{4549E9A6-25B5-4CFC-A8C0-17672EA6055F}
2015-03-14 13:04 - 2015-03-14 13:04 - 00000000 ____D () C:\Program Files (x86)\YouTube Download Pool
2015-03-14 12:55 - 2015-03-16 17:59 - 00001346 _____ () C:\windows\Tasks\TSZK.job
2015-03-14 12:42 - 2015-03-17 15:12 - 00000000 ____D () C:\Users\RoseCake\AppData\Local\C0918958-1426336956-E011-B5A7-00266CC682D8
2015-03-14 12:39 - 2015-03-17 15:11 - 00000000 ____D () C:\ProgramData\{4007dc82-6f9d-7ab4-4007-7dc826f97209}
2015-03-14 12:39 - 2015-03-16 19:00 - 00000000 ____D () C:\Users\RoseCake\AppData\Roaming\C0918958-1426351151-E011-B5A7-00266CC682D8
2015-03-14 12:38 - 2015-03-14 12:38 - 00000088 _____ () C:\Users\RoseCake\AppData\Local\dd8aabaa03142635a973ae46125b9ccc
2015-03-14 12:35 - 2015-03-17 15:11 - 00000000 ____D () C:\ProgramData\{05ef0d6c-1f36-5967-05ef-f0d6c1f335b0}
2015-03-14 12:34 - 2015-03-16 17:53 - 00000000 ____D () C:\Users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8
2015-03-13 07:28 - 2015-03-13 07:29 - 02057008 _____ () C:\Users\RoseCake\Downloads\Adaware_Installer (1).exe
2015-03-09 17:30 - 2015-03-16 21:33 - 00000385 _____ () C:\Users\RoseCake\AppData\Roaming\TSZK
C:\Program Files (x86)\Lavasoft
C:\Users\RoseCake\AppData\Roaming\TSZK
2015-03-14 12:38 - 2015-03-14 12:38 - 0000088 _____ () C:\Users\RoseCake\AppData\Local\dd8aabaa03142635a973ae46125b9ccc
Task: {198C343B-CCED-42C5-8523-422F45BAF623} - System32\Tasks\IE_ERR4WDR => C:\Program Files (x86)\Portable WeatherApp\IEError.exe
Task: {55E9C570-885A-492F-8D54-69BF5882442C} - System32\Tasks\UPDTEXE4_WDR => C:\Program Files (x86)\Portable WeatherApp\updater.exe
Task: {7FAF9ECE-AD29-41FB-BA54-901BA7536554} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\windows\Tasks\TSZK.job => C:\Users\RoseCake\AppData\Roaming\TSZK.exe <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\75718006.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\98483919.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\75718006.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\98483919.sys => ""="Driver"
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
hosts:
Emptytemp:
end
Click Format and ensure Wordwrap is unchecked.
Save as Fixlist.txt to your Desktop (Must be in this location)
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

Post the Fixlog.txt, that will be located on the desktop after the fix runs.

Thanks
Joe :)
  • 1


#17
d.brack

    Member

  • Topic Starter
  • 42 posts

Hey.  Here it is:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by RoseCake at 2015-03-20 20:28:52 Run:1
Running from C:\Users\RoseCake\Desktop
Loaded Profiles: RoseCake (Available profiles: RoseCake)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
CreateRestorePoint:
C:\Program Files (x86)\YouTube Download Pool\G2\youtubeserv.exe
HKU\S-1-5-21-3583772472-3013558980-347553230-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
C:\Program Files (x86)\Lavasoft\Web Companion
ShortcutTarget: 1AB24RN6.lnk -> C:\ProgramData\{4007dc82-6f9d-7ab4-4007-7dc826f97209}\1AB24RN6.exe (No File)
ProxyEnable: [S-1-5-21-3583772472-3013558980-347553230-1001] => Internet Explorer proxy is enabled.
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-3583772472-3013558980-347553230-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-3583772472-3013558980-347553230-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
S3 Lavasoft Kernexplorer; No ImagePath
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
2015-03-16 17:53 - 2015-03-16 17:53 - 00003664 _____ () C:\windows\System32\Tasks\IE_ERR4WDR
C:\windows\System32\Tasks\IE_ERR4WDR
015-03-16 17:53 - 2015-03-16 17:53 - 00003640 _____ () C:\windows\System32\Tasks\HDNINSTSCHD
2015-03-16 17:53 - 2015-03-16 17:53 - 00003506 _____ () C:\windows\System32\Tasks\UPDTEXE4_WDR
2015-03-16 17:52 - 2015-03-16 17:56 - 00000000 ____D () C:\Program Files (x86)\Portable WeatherApp
C:\windows\System32\Tasks\HDNINSTSCHD
C:\windows\System32\Tasks\UPDTEXE4_WDR
C:\Program Files (x86)\Portable WeatherApp
2015-03-14 13:50 - 2015-03-19 07:31 - 00000000 ____D () C:\Program Files (x86)\Windows Network Accelerater
C:\Program Files (x86)\Windows Network Accelerater
2015-03-14 13:50 - 2015-03-14 13:50 - 00000000 ____D () C:\ProgramData\Windows VXM
2015-03-14 13:06 - 2015-03-14 14:07 - 00000000 ____D () C:\Program Files (x86)\Ninja Loader
2015-03-14 13:05 - 2015-03-14 13:05 - 00000000 ____D () C:\Users\RoseCake\Documents\DreamVideoSoft
2015-03-14 13:04 - 2015-03-16 21:55 - 00000000 ____D () C:\ProgramData\{b95cd953-ab35-e8d1-b95c-cd953ab3654e}
2015-03-14 13:04 - 2015-03-16 18:01 - 00000000 ____D () C:\ProgramData\Optimizer
2015-03-14 13:04 - 2015-03-14 13:04 - 00003116 _____ () C:\windows\System32\Tasks\{4549E9A6-25B5-4CFC-A8C0-17672EA6055F}
2015-03-14 13:04 - 2015-03-14 13:04 - 00000000 ____D () C:\Program Files (x86)\YouTube Download Pool
2015-03-14 12:55 - 2015-03-16 17:59 - 00001346 _____ () C:\windows\Tasks\TSZK.job
2015-03-14 12:42 - 2015-03-17 15:12 - 00000000 ____D () C:\Users\RoseCake\AppData\Local\C0918958-1426336956-E011-B5A7-00266CC682D8
2015-03-14 12:39 - 2015-03-17 15:11 - 00000000 ____D () C:\ProgramData\{4007dc82-6f9d-7ab4-4007-7dc826f97209}
2015-03-14 12:39 - 2015-03-16 19:00 - 00000000 ____D () C:\Users\RoseCake\AppData\Roaming\C0918958-1426351151-E011-B5A7-00266CC682D8
2015-03-14 12:38 - 2015-03-14 12:38 - 00000088 _____ () C:\Users\RoseCake\AppData\Local\dd8aabaa03142635a973ae46125b9ccc
2015-03-14 12:35 - 2015-03-17 15:11 - 00000000 ____D () C:\ProgramData\{05ef0d6c-1f36-5967-05ef-f0d6c1f335b0}
2015-03-14 12:34 - 2015-03-16 17:53 - 00000000 ____D () C:\Users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8
2015-03-13 07:28 - 2015-03-13 07:29 - 02057008 _____ () C:\Users\RoseCake\Downloads\Adaware_Installer (1).exe
2015-03-09 17:30 - 2015-03-16 21:33 - 00000385 _____ () C:\Users\RoseCake\AppData\Roaming\TSZK
C:\Program Files (x86)\Lavasoft
C:\Users\RoseCake\AppData\Roaming\TSZK
2015-03-14 12:38 - 2015-03-14 12:38 - 0000088 _____ () C:\Users\RoseCake\AppData\Local\dd8aabaa03142635a973ae46125b9ccc
Task: {198C343B-CCED-42C5-8523-422F45BAF623} - System32\Tasks\IE_ERR4WDR => C:\Program Files (x86)\Portable WeatherApp\IEError.exe
Task: {55E9C570-885A-492F-8D54-69BF5882442C} - System32\Tasks\UPDTEXE4_WDR => C:\Program Files (x86)\Portable WeatherApp\updater.exe
Task: {7FAF9ECE-AD29-41FB-BA54-901BA7536554} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\windows\Tasks\TSZK.job => C:\Users\RoseCake\AppData\Roaming\TSZK.exe <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\75718006.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\98483919.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\75718006.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\98483919.sys => ""="Driver"
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
hosts:
Emptytemp:
end
*****************

Processes closed successfully.
Restore point was successfully created.
C:\Program Files (x86)\YouTube Download Pool\G2\youtubeserv.exe => Moved successfully.
HKU\S-1-5-21-3583772472-3013558980-347553230-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Web Companion => value deleted successfully.
"C:\Program Files (x86)\Lavasoft\Web Companion" => File/Directory not found.
C:\ProgramData\{4007dc82-6f9d-7ab4-4007-7dc826f97209}\1AB24RN6.exe not found.
HKU\S-1-5-21-3583772472-3013558980-347553230-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-3583772472-3013558980-347553230-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-3583772472-3013558980-347553230-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
Lavasoft Kernexplorer => Service deleted successfully.
RSUSBSTOR => Service deleted successfully.
C:\windows\System32\Tasks\IE_ERR4WDR => Moved successfully.
"C:\windows\System32\Tasks\IE_ERR4WDR" => File/Directory not found.
015-03-16 17:53 - 2015-03-16 17:53 - 00003640 _____ () C:\windows\System32\Tasks\HDNINSTSCHD => Error: No automatic fix found for this entry.
C:\windows\System32\Tasks\UPDTEXE4_WDR => Moved successfully.
C:\Program Files (x86)\Portable WeatherApp => Moved successfully.
C:\windows\System32\Tasks\HDNINSTSCHD => Moved successfully.
"C:\windows\System32\Tasks\UPDTEXE4_WDR" => File/Directory not found.
"C:\Program Files (x86)\Portable WeatherApp" => File/Directory not found.
C:\Program Files (x86)\Windows Network Accelerater => Moved successfully.
"C:\Program Files (x86)\Windows Network Accelerater" => File/Directory not found.
C:\ProgramData\Windows VXM => Moved successfully.
C:\Program Files (x86)\Ninja Loader => Moved successfully.
C:\Users\RoseCake\Documents\DreamVideoSoft => Moved successfully.
C:\ProgramData\{b95cd953-ab35-e8d1-b95c-cd953ab3654e} => Moved successfully.
C:\ProgramData\Optimizer => Moved successfully.
C:\windows\System32\Tasks\{4549E9A6-25B5-4CFC-A8C0-17672EA6055F} => Moved successfully.
C:\Program Files (x86)\YouTube Download Pool => Moved successfully.
C:\windows\Tasks\TSZK.job => Moved successfully.
C:\Users\RoseCake\AppData\Local\C0918958-1426336956-E011-B5A7-00266CC682D8 => Moved successfully.
C:\ProgramData\{4007dc82-6f9d-7ab4-4007-7dc826f97209} => Moved successfully.
C:\Users\RoseCake\AppData\Roaming\C0918958-1426351151-E011-B5A7-00266CC682D8 => Moved successfully.
C:\Users\RoseCake\AppData\Local\dd8aabaa03142635a973ae46125b9ccc => Moved successfully.
C:\ProgramData\{05ef0d6c-1f36-5967-05ef-f0d6c1f335b0} => Moved successfully.
C:\Users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8 => Moved successfully.
C:\Users\RoseCake\Downloads\Adaware_Installer (1).exe => Moved successfully.
C:\Users\RoseCake\AppData\Roaming\TSZK => Moved successfully.
C:\Program Files (x86)\Lavasoft => Moved successfully.
"C:\Users\RoseCake\AppData\Roaming\TSZK" => File/Directory not found.
"C:\Users\RoseCake\AppData\Local\dd8aabaa03142635a973ae46125b9ccc" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{198C343B-CCED-42C5-8523-422F45BAF623}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{198C343B-CCED-42C5-8523-422F45BAF623}" => Key deleted successfully.
C:\Windows\System32\Tasks\IE_ERR4WDR not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\IE_ERR4WDR" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{55E9C570-885A-492F-8D54-69BF5882442C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{55E9C570-885A-492F-8D54-69BF5882442C}" => Key deleted successfully.
C:\Windows\System32\Tasks\UPDTEXE4_WDR not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UPDTEXE4_WDR" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7FAF9ECE-AD29-41FB-BA54-901BA7536554}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7FAF9ECE-AD29-41FB-BA54-901BA7536554}" => Key deleted successfully.
C:\Windows\System32\Tasks\Ad-Aware Update (Weekly) => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ad-Aware Update (Weekly)" => Key deleted successfully.
C:\windows\Tasks\TSZK.job not found.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\75718006.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\98483919.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\75718006.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\98483919.sys" => Key deleted successfully.

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {C44030AF-72A1-4FB2-B2D9-EEA37CAB7129}.
{BD32A4F6-AF7B-4B7A-B112-AD2F4BB664E7} canceled.
{C9DEA4D2-8AE8-4D81-8CB6-47594A3CCF35} canceled.
{D105BEDD-9E21-4CFF-8B4F-B29FE1A6495F} canceled.
{4FB45AF1-3266-4F93-BB97-B46BCC3B2C10} canceled.
{8714DCED-B7A0-4BA4-BC00-C84053ECEAFE} canceled.
{D346B9EA-0392-4AAD-9170-231829E2D7DF} canceled.
{3D579EEB-F4FB-49FC-BB91-A76940F06FF8} canceled.
{C51C303B-F07F-4D6C-AFCB-94790B5A2FDB} canceled.
{849D0545-9195-4765-95E6-C856E1CA4693} canceled.
{81A5A30C-8197-4763-94ED-01B1300F2486} canceled.
10 out of 11 jobs canceled.

========= End of CMD: =========

=========  netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 98.5 MB temporary data.

The system needed a reboot.

==== End of Fixlog 20:31:25 ====

 

 

I don't want to seem redundant, but this will take care of the popup I've seen today about updating the browser I mentioned earlier, right?  It didn't happen yet on this boot, so I so hope so!  Thanks so much again. Love your quick replies.

 

D


  • 0
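As an added example that is not part of either post and is not FRST code: a Python triage of a Fixlog in the format posted above. It separates entries that were already absent, "not found" lines caused by a path being listed twice in the fixlist, and "Error" lines whose path another line still handled. The sample log is a constructed subset of the lines above; the function names and status labels are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: a shortened subset of the Fixlog posted above.
SAMPLE_FIXLOG = r'''Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Content of fixlist:
*****************
start
C:\windows\System32\Tasks\IE_ERR4WDR
end
*****************

Processes closed successfully.
Restore point was successfully created.
"C:\Program Files (x86)\Lavasoft\Web Companion" => File/Directory not found.
C:\ProgramData\{4007dc82-6f9d-7ab4-4007-7dc826f97209}\1AB24RN6.exe not found.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
RSUSBSTOR => Service deleted successfully.
C:\windows\System32\Tasks\IE_ERR4WDR => Moved successfully.
"C:\windows\System32\Tasks\IE_ERR4WDR" => File/Directory not found.
015-03-16 17:53 - 2015-03-16 17:53 - 00003640 _____ () C:\windows\System32\Tasks\HDNINSTSCHD => Error: No automatic fix found for this entry.
C:\windows\System32\Tasks\HDNINSTSCHD => Moved successfully.

=========  bitsadmin /reset /allusers =========

Unable to cancel {C44030AF-72A1-4FB2-B2D9-EEA37CAB7129}.
10 out of 11 jobs canceled.

========= End of CMD: =========

Hosts was reset successfully.

==== End of Fixlog 20:31:25 ====
'''

# Result text -> status label (the labels are this example's own names).
RESULT_RULES = [
    (re.compile(r"Moved successfully\.$"), "moved"),
    (re.compile(r"(?:value|Key|Service) deleted successfully\.$", re.I), "deleted"),
    (re.compile(r"restored successfully\.$"), "restored"),
    (re.compile(r"not found\.$"), "not_found"),
    (re.compile(r"^Error:"), "error"),
]
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")  # trailing drive path inside a target


def parse_fixlog(text):
    """Return (target, status) for every per-entry result line."""
    lines = text.splitlines()
    # The fixlist is echoed between two rows of asterisks; results follow the second.
    stars = [i for i, l in enumerate(lines) if l.strip() and set(l.strip()) == {"*"}]
    body = lines[stars[1] + 1:] if len(stars) >= 2 else lines
    entries, in_cmd = [], False
    for line in body:
        line = line.strip()
        if line.startswith("========="):
            # A CMD banner opens raw command output; "End of CMD:" closes it.
            in_cmd = "End of CMD" not in line
            continue
        if in_cmd or not line:
            continue
        if " => " in line:
            target, result = line.rsplit(" => ", 1)
        elif line.endswith(" not found."):
            target, result = line[:-len(" not found.")], "not found."
        else:
            continue  # status lines without a target, e.g. "Hosts was reset successfully."
        status = next((s for rx, s in RESULT_RULES if rx.search(result)), "other")
        entries.append((target.strip('"'), status))
    return entries


def triage(entries):
    """Count outcomes and sort errors / not-found lines by whether the path was handled."""
    handled = {t.lower() for t, s in entries if s in ("moved", "deleted")}

    def covered(target):
        m = DRIVE_PATH.search(target)
        return (m.group(0) if m else target).lower() in handled

    report = {"counts": Counter(s for _, s in entries), "unresolved_errors": [],
              "resolved_errors": [], "already_absent": [], "duplicate_not_found": []}
    for target, status in entries:
        if status == "error":
            report["resolved_errors" if covered(target) else "unresolved_errors"].append(target)
        elif status == "not_found":
            report["duplicate_not_found" if covered(target) else "already_absent"].append(target)
    return report


if __name__ == "__main__":
    for key, value in triage(parse_fixlog(SAMPLE_FIXLOG)).items():
        print(key, "=>", value)
```

Anything left in `unresolved_errors` is a fixlist line the tool could not act on and that no other line covered.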

#18
zep516

    Trusted Helper

  • Malware Removal
  • 8,093 posts

but this will take care of the popup I've seen today about updating the browser


It's actually hard to say and pinpoint the exact issue, there is so much junk on the computer, but we are making progress.

What browser do you use?
  • 1

#19
d.brack

    Member

  • Topic Starter
  • 42 posts

Internet Explorer, because that is what was on it. I will probably switch to Firefox once we get done, but I know IE has to work for certain things.  That is why I have stayed with it through this process. Chrome was on it too, but I don't like it.  Like I said, AVAST said the process it blocked was Netclean.exe.


  • 0

#20
zep516

    Trusted Helper

  • Malware Removal
  • 8,093 posts

Internet Explorer, because that is what was on it.


OK,

Let's go ahead and reset Internet Explorer to default values then.

See Here

I'm looking into this Netclean.exe.
  • 1

#21
d.brack

    Member

  • Topic Starter
  • 42 posts

OK. I did reset, but I have a couple of things here.  First, I didn't know whether to reset the Personal Data or not. Second, the addon from "Discuss" from unknown publisher said it was ready to use. I x'ed out. Third, it says IE wants permission to open/use Windows Explorer. I either said no or x'ed out of that too. Just those things... a question and what happened after the reboot....

 

D


  • 0

#22
zep516

    Trusted Helper

  • Malware Removal
  • 8,093 posts
Reset personal data; none of it is yours, it's from the old user. As far as the other questions, I think you're OK on how you responded to them.

Let me know when you reset personal data, we will run another scan with another tool...

Thanks
Joe :)
  • 1

#23
d.brack

    Member

  • Topic Starter
  • 42 posts

OK, Ready. This will be my last for the night... I'm an early bird. :)  And the "Discuss" addon came up again. I x'ed out again.


Edited by d.brack, 20 March 2015 - 08:03 PM.

  • 0

#24
zep516

    Trusted Helper

  • Malware Removal
  • 8,093 posts
If you're an early bird like me, then wait till tomorrow to do this.

Please run combofix

You will be asked to disable your anti virus; see Here on how to do that.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer and run combofix again.

In your next post I need the following

Log from Combofix, that log can also be found at C:\Combofix.txt
  • 1

#25
d.brack

    Member

  • Topic Starter
  • 42 posts

Thanks, I will. Talk at ya in the morning. Sleep well. Good night.

 

D


  • 0


#26
d.brack

    Member

  • Topic Starter
  • 42 posts

Good morning! When I booted up this morning I didn't get any of the popups, including the addon Discuss. The computer is also running kinda slow. Anyway, here is the Log.

 

Combofix Log:

 

ComboFix 15-03-14.03 - RoseCake 03/21/2015  10:20:39.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.1639.423 [GMT -4:00]
Running from: c:\users\RoseCake\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\RoseCake\AppData\Local\nsk6349.tmp
c:\users\RoseCake\AppData\Local\nszC33A.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2015-02-21 to 2015-03-21  )))))))))))))))))))))))))))))))
.
.
2015-03-21 14:38 . 2015-03-21 14:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-03-19 12:00 . 2015-03-19 12:07 -------- d-----w- c:\users\RoseCake\AppData\Local\Mozilla
2015-03-19 11:59 . 2015-03-19 11:59 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2015-03-19 10:26 . 2015-03-19 10:26 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-03-18 23:53 . 2015-03-19 00:07 -------- d-----w- C:\AdwCleaner
2015-03-18 15:16 . 2015-03-21 00:33 -------- d-----w- C:\FRST
2015-03-16 21:51 . 2015-03-16 21:51 -------- d-----w- c:\users\RoseCake\AppData\Roaming\AVAST Software
2015-03-16 21:44 . 2015-03-16 21:44 136752 ----a-w- c:\windows\system32\drivers\aswStm.sys
2015-03-16 21:44 . 2015-03-16 21:44 268640 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2015-03-16 21:44 . 2015-03-16 21:44 93528 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2015-03-16 21:44 . 2015-03-16 21:44 88408 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2015-03-16 21:44 . 2015-03-16 21:44 65736 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2015-03-16 21:44 . 2015-03-16 21:44 441728 ----a-w- c:\windows\system32\drivers\aswSP.sys
2015-03-16 21:44 . 2015-03-16 21:44 29168 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2015-03-16 21:44 . 2015-03-16 21:44 1047320 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2015-03-16 21:44 . 2015-03-16 21:44 364472 ----a-w- c:\windows\system32\aswBoot.exe
2015-03-16 21:44 . 2015-03-16 21:44 43112 ----a-w- c:\windows\avastSS.scr
2015-03-16 21:41 . 2015-03-16 21:41 -------- d-----w- c:\program files\AVAST Software
2015-03-14 18:05 . 2015-03-14 18:06 21976 ----a-w- c:\windows\system32\drivers\SPPD.sys
2015-03-14 17:23 . 2015-03-14 17:23 -------- d-----w- c:\users\RoseCake\.cache
2015-03-11 15:35 . 2015-02-03 03:28 2048 ----a-w- c:\windows\system32\mferror.dll
2015-03-11 15:35 . 2015-02-03 03:09 2048 ----a-w- c:\windows\SysWow64\mferror.dll
2015-03-11 15:34 . 2015-02-03 03:31 215552 ----a-w- c:\windows\system32\ubpm.dll
2015-03-11 15:34 . 2015-02-03 03:12 171520 ----a-w- c:\windows\SysWow64\ubpm.dll
2015-03-11 15:34 . 2015-02-13 05:22 14177280 ----a-w- c:\windows\system32\shell32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-19 11:42 . 2015-01-05 02:23 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-03-13 00:26 . 2012-04-11 01:40 122905848 ----a-w- c:\windows\system32\MRT.exe
2015-02-05 12:18 . 2012-08-07 13:14 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-02-05 12:18 . 2012-08-07 13:14 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-02-04 03:16 . 2015-02-11 01:45 609280 ----a-w- c:\windows\system32\generaltel.dll
2015-02-04 03:16 . 2015-02-11 01:45 762368 ----a-w- c:\windows\system32\invagent.dll
2015-02-04 03:16 . 2015-02-11 01:45 414720 ----a-w- c:\windows\system32\devinv.dll
2015-02-04 03:16 . 2015-02-11 01:45 894976 ----a-w- c:\windows\system32\appraiser.dll
2015-02-04 03:16 . 2015-02-11 01:45 227328 ----a-w- c:\windows\system32\aepdu.dll
2015-02-04 03:16 . 2015-02-11 01:45 192000 ----a-w- c:\windows\system32\aepic.dll
2015-02-04 03:13 . 2015-02-11 01:45 1098752 ----a-w- c:\windows\system32\aeinv.dll
2015-01-27 23:36 . 2015-02-11 01:45 1239720 ----a-w- c:\windows\system32\aitstatic.exe
2015-01-09 03:14 . 2015-02-11 01:47 91136 ----a-w- c:\windows\system32\wdi.dll
2015-01-09 03:14 . 2015-02-11 01:47 950272 ----a-w- c:\windows\system32\perftrack.dll
2015-01-09 03:14 . 2015-02-11 01:47 29696 ----a-w- c:\windows\system32\powertracker.dll
2015-01-09 02:48 . 2015-02-11 01:47 76800 ----a-w- c:\windows\SysWow64\wdi.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2010-07-01 1295224]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2011-04-25 305088]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-03-19 5511352]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE -b -l [1999-2-18 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 YouTubeDownload_G2;YouTube Download Pool (G2);c:\program files (x86)\YouTube Download Pool\G2\youtubeserv.exe;c:\program files (x86)\YouTube Download Pool\G2\youtubeserv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 lyvicocu;Reservation Faxes;c:\users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8\jnstDA8.tmp;c:\users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8\jnstDA8.tmp [x]
R4 vumowoge;Telex Chat;c:\users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8\nsp6A1E.tmp;c:\users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8\nsp6A1E.tmp [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys;c:\windows\SYSNATIVE\drivers\gfibto.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe;c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys;c:\windows\SYSNATIVE\DRIVERS\FwLnk.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys;c:\windows\SYSNATIVE\DRIVERS\pgeffect.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [x]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-03-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-07 12:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-03-16 21:44 722400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://start.toshiba.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mDefault_Page_URL = hxxp://www.google.com
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\users\RoseCake\AppData\Roaming\Mozilla\Firefox\Profiles\8c7y18iw.default\
.
.
------- File Associations -------
.
inifile="%SystemRoot%\system32\NOTEPAD.EXE" %1
txtfile="%SystemRoot%\system32\NOTEPAD.EXE" %1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
c:\users\RoseCake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1AB24RN6.lnk - c:\programdata\{4007dc82-6f9d-7ab4-4007-7dc826f97209}\1AB24RN6.exe /startup
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.10.26\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\lyvicocu]
"ImagePath"="c:\users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8\jnstDA8.tmp"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\vumowoge]
"ImagePath"="c:\users\RoseCake\AppData\Roaming\C0918958-1426350886-E011-B5A7-00266CC682D8\nsp6A1E.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="BrowserHTM"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-03-21  10:46:13
ComboFix-quarantined-files.txt  2015-03-21 14:46
.
Pre-Run: 195,773,538,304 bytes free
Post-Run: 195,141,476,352 bytes free
.
- - End Of File - - 1DA5F9EF147732B33E4717492CF8A62A
5B5E648D12FCADC244C1EC30318E1EB9

 

Thanks!

 

D
 


  • 0

#27
zep516


    Trusted Helper

  • Malware Removal
  • 8,093 posts
You're welcome. We still have a bit to do.

From a quick glance it looks ok. That computer could use more RAM. Run the computer for a while today and see how things are. I'll look at the log a bit more closely.

What is the exact model # of your laptop?

Next

Download Security Check by screen317 from Here or Here
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.

Thanks
Joe :)
  • 1

#28
d.brack


    Member

  • Topic Starter
  • Member
  • 42 posts

The exact model is a Toshiba Satellite C655D.  Here is the Checkup log:

 

 Results of screen317's Security Check version 0.99.99 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
avast! Antivirus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 20 
 Java version 32-bit out of Date!
 Mozilla Firefox (36.0.1)
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast avastui.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````

 

 

I have to say I'm having a really good time working with you!  Thank you for making it fun.  :D

 

 


  • 0

#29
zep516


    Trusted Helper

  • Malware Removal
  • 8,093 posts
Looks not bad, we will talk about Java later.

I want to see what programs are starting up with Windows because that can slow the computer down, so send me this scan.

Download HijackThis
  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right click on HijackThis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • Copy and paste the HijackThis report into the topic

  • 0

#30
d.brack


    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts

OK, Here ya go:

 

Hijack This:

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 11:51:32 AM, on 3/21/2015
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17689)

FIREFOX: 36.0.1 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe
C:\Program Files\AVAST Software\Avast\avastui.exe
C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
C:\Program Files (x86)\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe
C:\windows\SysWOW64\notepad.exe
C:\Users\RoseCake\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://mywayphotos.r...veX_Control.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avast Antivirus (avast! Antivirus) - Avast Software s.r.o. - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\windows\system32\fxssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: Common Client Job Manager Service (PCCUJobMgr) - Symantec Corporation - C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.10.26\ccSvcHst.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\windows\system32\sppsvc.exe (file missing)
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - Unknown owner - C:\windows\system32\TODDSrv.exe (file missing)
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: YouTube Download Pool (G2) (YouTubeDownload_G2) - Unknown owner - C:\Program Files (x86)\YouTube Download Pool\G2\youtubeserv.exe (file missing)

--
End of file - 10517 bytes

 

:D


  • 0





