Infected with unremovable YTAdaRiemoeval


  • This topic is locked
19 replies to this topic

#1 saraynachan

  • Members
  • 27 posts

Posted 03 April 2014 - 11:00 AM

I posted about a similar Google Chrome extension a month ago and a kind member helped me solve the problem. But now it's clear that it was something else causing me to keep being redirected to weird blank pages when I clicked on links. I checked my extensions and saw the only suspicious thing, "YTAdaRiemoeval". I googled it and found out it should originally be "YTAdRemoval". I tried to delete it but Chrome said it was installed by "enterprise policy". Those online removal guides don't work at all. I used both "Malwarebytes' Anti-Malware" and Junkware Removal Tool and they came up with nothing. Any idea how to remove it? Many many thanks in advance.

 

Here's the DDS text:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.16518  BrowserJavaVersion: 10.51.2
Run by Sarayna at 23:43:33 on 2014-04-03
Microsoft Windows 7 Home Premium   6.1.7601.1.950.886.1028.18.2047.310 [GMT 8:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\eMachines\Registration\GregHSRW.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\D-Link\DWA-171\WlanWpsSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Glary Utilities 3\Integrator.exe
C:\Program Files\ImSmart\ImSmart\ImSmart.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\YodaoDict.exe
C:\Program Files\HP\HP Officejet 4620 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\D-Link\DWA-171\wirelesscm.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Sarayna\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoIE.exe
C:\Users\Sarayna\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files\RescueTime\RescueTime.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoDictHelper.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\wordbook.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoIE.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoDictHelper.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoDictHelper.exe
C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoIE.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [YodaoDict] "c:\users\sarayna\appdata\local\youdao\dict\application\YodaoDict.exe" -hide -autostart
uRun: [HP Officejet 4620 series (NET)] "c:\program files\hp\hp officejet 4620 series\bin\ScanToPCActivationApp.exe" -deviceID "CN28O2305105RT:NW" -scfn "HP Officejet 4620 series (NET)" -AutoStart 1
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [GoogleChromeAutoLaunch_C387FD6B814881ECA85C3A9C22C1138F] "c:\program files\google\chrome\application\chrome.exe" --no-startup-window
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ImSmart] c:\program files\imsmart\imsmart\ImSmart.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe"  -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\users\sarayna\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\sarayna\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\sarayna\appdata\roaming\micros~1\windows\startm~1\programs\startup\everno~1.lnk - c:\users\sarayna\appdata\local\apps\evernote\evernote\EvernoteClipper.exe
StartupFolder: c:\users\sarayna\appdata\roaming\micros~1\windows\startm~1\programs\startup\rescue~1.lnk - c:\program files\rescuetime\RescueTime.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\dwa-171\wirelesscm.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: EnableSecureUIAPath = dword:1
IE: Add to Evernote 4.0 - c:\users\sarayna\appdata\local\apps\evernote\evernote\EvernoteIE.dll/204
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save to Youdao Cloud?? - <no file>
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {65D09F88-CE18-4A95-B8AF-311C3311DB03} - c:\program files\youdao\youdaonote\ieext_btn.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} - hxxps://www.mybank.com.tw/MyATM/CAB/CathayMyATM.CAB
DPF: {5D5EF079-C21D-47EE-9249-D4E89C8D3E43} - hxxps://my.taishinbank.com.tw/ActiveX/eATM/Bull.cab
DPF: {603B9E6C-0467-4C23-8098-ACC2ED6FEB75} - hxxps://my.taishinbank.com.tw/ActiveX/eATM/TSBANK.cab
DPF: {7067DEA7-8C20-4519-8615-B1829371D8B9} - hxxps://family.chinatrust.com.tw/WebATM/1009/CTCBWebATM.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {A6132015-5796-48B5-B776-16D009021D81} - hxxps://eatm.firstbank.com.tw/acq/firstbankATM.CAB
DPF: {C345E174-3E87-4F41-A01C-B066A90A49B4} - hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{87B9C7EC-864B-4954-9A66-C86FADB02145} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{87B9C7EC-864B-4954-9A66-C86FADB02145}\46C696E6B6 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{A9022C51-22E5-4CBE-B59D-2C78A1044546} : DHCPNameServer = 168.95.1.1 168.95.192.1
TCP: Interfaces\{EC803D97-891F-4D21-90B1-63A6EEFA44DE} : DHCPNameServer = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
STS: FencesShlExt Class - {1984DD45-52CF-49cd-AB77-18F378FEA264} - c:\program files\stardock\fences\FencesMenu.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\sarayna\appdata\roaming\mozilla\firefox\profiles\y8yv16d2.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\ahnlab\asp\components\aosmgr\conflict_507\npaosmgr.dll
FF - plugin: c:\program files\ahnlab\asp\mykeydefense 2.5\npmkd25sp.dll
FF - plugin: c:\program files\beanfun!\beanfun! plugin\npBFWebStart.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlchromebrowserrecordext.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlhtml5videoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\mozillaplugins\nprndlpepperflashvideoshim.dll
FF - plugin: c:\programdata\realnetworks\realdownloader\browserplugins\npdlplugin.dll
FF - plugin: c:\users\sarayna\appdata\roaming\360yunpan\npUploadPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-11-24 21576]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-9-13 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-9-13 177864]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2014-2-15 18624]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-3 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-3 369584]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-3-10 242240]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-1-2 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-3 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-3-3 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-9-13 46808]
R2 Greg_Service;GRegService;c:\program files\emachines\registration\GregHSRW.exe [2009-8-28 1150496]
R2 hmip;hmip;c:\windows\system32\drivers\hmip.sys [2014-1-10 25448]
R3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2013-2-5 103056]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-1-2 167936]
R3 RtlWlanu;D-Link DWA-171 Wireless AC Dual Band Adapter;c:\windows\system32\drivers\RTWlanU.sys [2014-2-16 2122312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 EMVSCARD;EMVSCARD;c:\windows\system32\drivers\EMVSCARD.sys [2006-12-19 20736]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2012-4-9 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-4-1 30976]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-2-15 108032]
S3 Mkd2Bthf;Mkd2Bthf;c:\windows\system32\drivers\Mkd2BthF.sys [2013-2-5 81168]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2013-2-5 167696]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2013-7-25 18944]
S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2013-9-19 13464]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-1 52224]
.
=============== Created Last 30 ================
.
2014-03-31 17:11:11 30976 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-03-31 17:09:32 -------- d-----w- c:\programdata\HitmanPro
2014-03-28 19:12:17 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{14312c06-dde1-4285-94c4-6d6fde36e809}\offreg.dll
2014-03-28 19:10:59 7969936 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{14312c06-dde1-4285-94c4-6d6fde36e809}\mpengine.dll
2014-03-28 11:47:36 -------- d-----w- c:\users\sarayna\appdata\local\NBGI
2014-03-28 11:42:57 -------- d-----w- c:\windows\system32\xlive
2014-03-28 11:42:36 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2014-03-28 11:35:16 -------- d-----w- c:\users\sarayna\appdata\roaming\DropboxMaster
2014-03-16 06:33:00 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-03-13 15:48:43 -------- d-----w- c:\users\sarayna\appdata\local\FLT
2014-03-12 11:16:49 -------- d-----w- C:\$RECYCLE.BIN
2014-03-12 11:13:17 -------- d-----w- c:\users\sarayna\appdata\local\temp
2014-03-09 11:12:51 -------- d-----w- C:\Games
.
==================== Find3M  ====================
.
2014-03-12 11:21:17 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 11:21:17 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-02-06 10:20:26 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-02-06 10:19:55 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-02-06 10:01:36 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-02-06 10:00:46 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-02-06 09:47:22 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-02-06 09:47:18 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-02-06 09:46:27 553472 ----a-w- c:\windows\system32\jscript9diag.dll
2014-02-06 09:25:36 4244480 ----a-w- c:\windows\system32\jscript9.dll
2014-02-06 09:09:30 1964032 ----a-w- c:\windows\system32\inetcpl.cpl
2014-02-06 08:41:35 1820160 ----a-w- c:\windows\system32\wininet.dll
2014-01-19 11:56:24 230 ----a-w- c:\windows\system32\audition.reg
.
============= FINISH: 23:46:01.82 ===============
 
 
Attached File  attach.txt   11.11KB   1 downloads
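The "installed by enterprise policy" message is Chrome's way of saying the extension ID is listed under one of its policy registry keys (ExtensionInstallForcelist), which is why Chrome's own extensions page refuses to remove it and why a later FRST scan flags "Group Policy on Chrome detected". The PowerShell below is an added example, not part of the original post and not one of the tools used in this thread: it reads those policy keys, splits each forced entry into extension ID and update URL, looks the ID up in the default Chrome profile to recover the display name from its manifest, and then dumps every other Chrome policy value, since a hijacker rarely sets only the forcelist. The profile path is the assumed default; the Wow6432Node key simply will not exist on a 32-bit system like the one in this log; ConvertFrom-Json needs PowerShell 3.0 or later, which Windows 7 only has after a Windows Management Framework update.

```powershell
# Added example (not from the thread): find Chrome extensions that were
# forced in through policy, which is what makes Chrome say an extension
# was "installed by enterprise policy". Read-only; run as the affected
# user, elevated so the HKLM keys are readable.

# Registry locations Chrome reads ExtensionInstallForcelist from.
$forceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

# Assumed default profile location; adjust if Chrome uses another profile.
$extensionRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

function Get-ExtensionDisplayName([string]$Id) {
    # Each installed extension lives in <root>\<id>\<version>\manifest.json.
    $dir = Join-Path $extensionRoot $Id
    if (-not (Test-Path $dir)) { return '<not present in Default profile>' }
    $manifest = Get-ChildItem $dir -Directory |
        Sort-Object Name -Descending |
        Select-Object -First 1 |
        ForEach-Object { Join-Path $_.FullName 'manifest.json' }
    if (-not $manifest -or -not (Test-Path $manifest)) { return '<no manifest>' }
    # Localized extensions report "__MSG_xxx__" here; the real string is under _locales.
    return (Get-Content $manifest -Raw | ConvertFrom-Json).name
}

function Get-ForcedChromeExtensions {
    foreach ($key in $forceListKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            # Value data is "<32-char extension id>;<update URL>".
            $id, $updateUrl = ([string]$item.GetValue($valueName)) -split ';', 2
            [pscustomobject]@{
                PolicyKey   = $key
                ValueName   = $valueName
                ExtensionId = $id
                UpdateUrl   = $updateUrl
                Name        = Get-ExtensionDisplayName $id
            }
        }
    }
}

function Get-AllChromePolicies {
    # A hijacker usually sets more than the forcelist (homepage, search
    # provider, ...), so dump every value under both Chrome policy trees.
    foreach ($base in 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                      'HKCU:\SOFTWARE\Policies\Google\Chrome') {
        if (-not (Test-Path $base)) { continue }
        $keys = @(Get-Item $base) + @(Get-ChildItem $base -Recurse)
        foreach ($k in $keys) {
            foreach ($v in $k.GetValueNames()) {
                '{0}\{1} = {2}' -f $k.Name, $v, $k.GetValue($v)
            }
        }
    }
}

Get-ForcedChromeExtensions | Format-Table -AutoSize
Get-AllChromePolicies
```

The script only reports; the forced value has to be deleted (and Chrome restarted) before the extension can be removed from chrome://extensions, and a non-empty update URL tells you where the extension was being re-fetched from, which is worth blocking or reporting. In a thread like this one the helper has explicitly asked that no changes be made until instructed, so treat the output as evidence to hand over rather than a cue to start deleting keys.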


#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 07 April 2014 - 11:43 PM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#3 saraynachan

  • Topic Starter
  • Members
  • 27 posts

Posted 08 April 2014 - 09:46 AM

Thank you for the help! I really appreciate it!

 

Here's the FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01 (ATTENTION: ====> FRST version is 26 days old and could be outdated)
Ran by Sarayna (administrator) on NNNN-PC on 08-04-2014 22:42:02
Running from C:\Users\Sarayna\Desktop
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: 0404
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Acer Incorporated) C:\Program Files\eMachines\Registration\GregHSRW.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Acer) C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
() C:\Program Files\D-Link\DWA-171\WlanWpsSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Glarysoft Ltd) C:\Program Files\Glary Utilities 3\Integrator.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
() C:\Program Files\ImSmart\ImSmart\ImSmart.exe
() C:\Program Files\Unlocker\UnlockerAssistant.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\Update\realsched.exe
() C:\Program Files\RocketDock\RocketDock.exe
(网易公司) C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\YodaoDict.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 4620 series\Bin\ScanToPCActivationApp.exe
(Google) C:\Program Files\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(D-Link Corp.) C:\Program Files\D-Link\DWA-171\wirelesscm.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Dropbox, Inc.) C:\Users\Sarayna\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041) C:\Users\Sarayna\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe
(RescueTime, Inc.) C:\Program Files\RescueTime\RescueTime.exe
(网易公司) C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoIE.exe
() C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoDictHelper.exe
(网易公司) C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\wordbook.exe
(Google) C:\Program Files\Google\Drive\googledrivesync.exe
() C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoDictHelper.exe
() C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\6.1.51.3219\YoudaoDictHelper.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IELowutil.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-08-30] (AVAST Software)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-05] (Adobe Systems Incorporated)
HKLM\...\Run: [ImSmart] - C:\Program Files\ImSmart\ImSmart\ImSmart.exe [217088 2009-06-23] ()
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [UnlockerAssistant] - C:\Program Files\Unlocker\UnlockerAssistant.exe [17408 2010-07-05] ()
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
HKLM\...\Run: [TkBellExe] - C:\Program Files\Real\RealPlayer\update\realsched.exe [295512 2013-11-06] (RealNetworks, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-09] (Adobe Systems Incorporated)
HKU\S-1-5-21-3901018940-1375249368-3704209125-1001\...\Run: [RocketDock] - C:\Program Files\RocketDock\RocketDock.exe [495616 2007-09-02] ()
HKU\S-1-5-21-3901018940-1375249368-3704209125-1001\...\Run: [YodaoDict] - C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\YodaoDict.exe [5227960 2014-03-28] (网易公司)
HKU\S-1-5-21-3901018940-1375249368-3704209125-1001\...\Run: [HP Officejet 4620 series (NET)] - C:\Program Files\HP\HP Officejet 4620 series\Bin\ScanToPCActivationApp.exe [1820520 2011-12-18] (Hewlett-Packard Co.)
HKU\S-1-5-21-3901018940-1375249368-3704209125-1001\...\Run: [GoogleDriveSync] - C:\Program Files\Google\Drive\googledrivesync.exe [20203904 2013-12-06] (Google)
HKU\S-1-5-21-3901018940-1375249368-3704209125-1001\...\Run: [DAEMON Tools Lite] - C:\Program Files\DAEMON Tools Lite\DTLite.exe [3481408 2012-02-13] (DT Soft Ltd)
HKU\S-1-5-21-3901018940-1375249368-3704209125-1001\...\Run: [GoogleChromeAutoLaunch_C387FD6B814881ECA85C3A9C22C1138F] - C:\Program Files\Google\Chrome\Application\chrome.exe [863184 2013-12-04] (Google Inc.)
Startup: C:\Users\nnnn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Sarayna\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Sarayna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Sarayna\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Sarayna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Users\Sarayna\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)
Startup: C:\Users\Sarayna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RescueTime.lnk
ShortcutTarget: RescueTime.lnk -> C:\Program Files\RescueTime\RescueTime.exe (RescueTime, Inc.)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {3800EE51-5EF2-4EA2-8A7B-957F0900A04A} URL = http://tw.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=902615&p={searchTerms}
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {12755229-656A-4508-BC94-2DA4D314B4C8} https://www.mybank.com.tw/MyATM/CAB/CathayMyATM.CAB
DPF: {5D5EF079-C21D-47EE-9249-D4E89C8D3E43} https://my.taishinbank.com.tw/ActiveX/eATM/Bull.cab
DPF: {603B9E6C-0467-4C23-8098-ACC2ED6FEB75} https://my.taishinbank.com.tw/ActiveX/eATM/TSBANK.cab
DPF: {7067DEA7-8C20-4519-8615-B1829371D8B9} https://family.chinatrust.com.tw/WebATM/1009/CTCBWebATM.cab
DPF: {A6132015-5796-48B5-B776-16D009021D81} https://eatm.firstbank.com.tw/acq/firstbankATM.CAB
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Sarayna\AppData\Roaming\Mozilla\Firefox\Profiles\y8yv16d2.default
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @ahnlab.com/asp/npaosmgr.1 - C:\Program Files\AhnLab\ASP\Components\aosmgr\conflict_507\npaosmgr.dll (AhnLab, Inc.)
FF Plugin: @ahnlab.com/asp/npmkd25sp - C:\Program Files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25sp.dll (AhnLab, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @gamania.com/beanfun - C:\Program Files\beanfun!\beanfun! Plugin\npBFWebStart.dll ( )
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3538.0513 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 - c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1739 - C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 - c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 - C:\Program Files\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)
FF Plugin HKCU: 360.cn/UploadPlugin - C:\Users\Sarayna\AppData\Roaming\360YunPan\npUploadPlugin.dll (360.cn)
FF Plugin HKCU: @360.cn/npUpload - C:\Users\Sarayna\AppData\Roaming\360YunPan\npUploadPlugin.dll (360.cn)
FF Plugin HKCU: @ahnlab.com/asp/npmkd25sp - C:\Program Files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25sp.dll (AhnLab, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npBFPlugin.dll ( )
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll (RealPlayer)
FF SearchPlugin: C:\Users\Sarayna\AppData\Roaming\Mozilla\Firefox\Profiles\y8yv16d2.default\searchplugins\yahoo_ff.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\creativecommons.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\findbook-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\wikipedia-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-answer-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-bid-zh-TW.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-zh-TW.xml
FF Extension: RescueTime for Firefox - C:\Users\Sarayna\AppData\Roaming\Mozilla\Firefox\Profiles\y8yv16d2.default\Extensions\rescuetime_firefox@rescuetime.com.xpi [2014-01-30]
FF Extension: Red1 - C:\Users\Sarayna\AppData\Roaming\Mozilla\Firefox\Profiles\y8yv16d2.default\Extensions\{CCE2B3E0-5E83-4eff-B221-214DE205AD7F}.xpi [2014-03-07]
FF HKLM\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2011-03-03]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ []
FF HKCU\...\Firefox\Extensions: [dict@www.youdao.com] - C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\stable\extensions\firefox
FF Extension: Youdao Word Capturer - C:\Users\Sarayna\AppData\Local\Youdao\Dict\Application\stable\extensions\firefox [2013-10-02]
 
Chrome: 
=======
CHR RestoreOnStartup: "hxxp://tw.search.yahoo.com?type=902615&fr=spigot-yhp-ch", "hxxp://websearch.searchere.info/?pid=512&r=2013/09/29&hid=16341015464460084776&lg=EN&cc=TW&unqvl=37", "hxxp://www.google.com"
CHR DefaultSearchKeyword: google.com.tw
CHR Extension: (Bejeweled) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm [2012-08-01]
CHR Extension: (Duolingo) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiahmijlpehemcpleichkcokhegllfjl [2013-04-27]
CHR Extension: (Documents Google) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-15]
CHR Extension: (Google Drive) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-04]
CHR Extension: (Session Manager) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbcnbpafconjjigibnhbfmmgdbbkcjfi [2012-03-04]
CHR Extension: (RescueTime for Chrome™ & ChromeOS™) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdakmnplckeopfghnlpocafcepegjeap [2014-01-27]
CHR Extension: (YouTube) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-12]
CHR Extension: (Adblock Plus) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2012-03-04]
CHR Extension: (Recherche Google) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-12]
CHR Extension: (Jon Klassen) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmgjhcokclngghkncjakaigpjhfhpoek [2013-05-04]
CHR Extension: (Windows Media Player Extension for HTML5) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokdglbhghcebcopdbanieangmcamaak [2013-03-15]
CHR Extension: (RealDownloader) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-11-06]
CHR Extension: (Lingua.ly) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\iilcekgoelpgecpjnnoikhbleipnjdhf [2013-12-30]
CHR Extension: (Chromium Wheel Smooth Scroller) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\khpcanbeojalbkpgpmjpdkjnkfcgfkhb [2012-03-04]
CHR Extension: (Google Wallet) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (YTAdaRiemoeval) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\oenjofkngdmijekapocjfmmmjpfilphh [2014-03-12]
CHR Extension: (Gmail) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-12]
CHR Extension: (ShopDRop) - C:\ProgramData\kgfbohpgmbeabeigmpgjbjfkamlfpeoh [2014-01-01]
CHR HKLM\...\Chrome\Extension: [aohddidmgooofkgohkbkaohadkolgejj] - C:\Program Files\Youdao\Dict4\stable\YDChromeTextExtractor.crx [2012-03-29]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [iibmmjhgclhlahmjniokmhleigemjpbh] - C:\Users\Sarayna\AppData\Local\Temp\ccex.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [joinpgckiioeklibflapokicmndlcnef] - C:\program files\youdao\youdaonote\YoudaoNote-chrome.crx [2013-03-25]
CHR HKCU\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Sarayna\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-07-03]
CHR HKCU\...\Chrome\Extension: [nikpibnbobmbdbheedjfogjlikpgpnhp] - C:\Program Files\Common Files\DVDVideoSoft\plugins\DVDVideoSoftBrowserExtension.crx [2013-07-03]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
========================== Services (Whitelisted) =================
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-30] (AVAST Software)
R2 Greg_Service; C:\Program Files\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
R2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [240160 2009-07-04] (Acer)
R2 WlanWpsSvc; C:\Program Files\D-Link\DWA-171\WlanWpsSvc.exe [167936 2008-06-26] ()
 
==================== Drivers (Whitelisted) ====================
 
R2 aswFsBlk; C:\Windows\system32\Drivers\aswFsBlk.sys [29816 2013-08-30] (AVAST Software)
R0 aswKbd; C:\Windows\system32\Drivers\aswKbd.sys [21576 2013-08-30] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [66336 2013-08-30] (AVAST Software)
R1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [61680 2013-08-30] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49376 2013-08-30] ()
R1 aswSnx; C:\Windows\system32\Drivers\aswSnx.sys [770344 2013-08-30] (AVAST Software)
R1 aswSP; C:\Windows\system32\Drivers\aswSP.sys [369584 2013-08-30] (AVAST Software)
R1 aswTdi; C:\Windows\system32\Drivers\aswTdi.sys [56080 2013-08-30] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [177864 2013-08-30] ()
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2012-03-10] (DT Soft Ltd)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [30976 2014-04-01] ()
R2 hmip; C:\Windows\system32\Drivers\hmip.sys [25448 2013-06-19] (Hide My IP)
S3 Mkd2Bthf; C:\Windows\System32\drivers\Mkd2Bthf.sys [81168 2013-05-23] (AhnLab, Inc.)
S3 Mkd2kfNt; C:\Windows\System32\drivers\Mkd2kfNt.sys [167696 2013-09-12] (AhnLab, Inc.)
R3 Mkd2Nadr; C:\Windows\System32\drivers\Mkd2Nadr.sys [103056 2013-07-19] (AhnLab, Inc.)
R3 ProcObsrv; C:\Program Files\Glary Utilities 3\ProcObsrv.sys [11552 2013-09-13] (Glarysoft Ltd)
R3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [2122312 2013-03-08] (Realtek Semiconductor Corporation                           )
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [18624 2013-12-24] (IObit)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13464 2013-09-20] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S0 BootDefragDriver; System32\drivers\BootDefragDriver.sys [X]
S3 catchme; \??\C:\Users\Sarayna\AppData\Local\Temp\catchme.sys [X]
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
U2 wuaserv; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-04-08 22:42 - 2014-04-08 22:42 - 00024074 _____ () C:\Users\Sarayna\Desktop\FRST.txt
2014-04-08 22:38 - 2014-04-08 22:39 - 00051874 _____ () C:\Users\Sarayna\Downloads\Addition.txt
2014-04-08 22:36 - 2014-04-08 22:42 - 00000000 ____D () C:\FRST
2014-04-08 22:36 - 2014-04-08 22:39 - 00038524 _____ () C:\Users\Sarayna\Downloads\FRST.txt
2014-04-08 22:33 - 2014-04-08 22:33 - 01145856 _____ (Farbar) C:\Users\Sarayna\Desktop\FRST.exe
2014-04-06 17:16 - 2014-04-06 17:16 - 00002162 _____ () C:\Users\Public\Desktop\Remember Me.lnk
2014-04-06 17:08 - 2014-04-06 17:16 - 00000000 ____D () C:\Program Files\Remember Me
2014-04-06 13:49 - 2014-04-06 14:04 - 00000000 ____D () C:\Users\Sarayna\Downloads\flt-reme
2014-04-05 01:19 - 2014-04-05 02:17 - 00000000 ____D () C:\Users\Sarayna\Downloads\Korean Language Learning Pack (Updated)
2014-04-04 21:14 - 2014-04-04 21:14 - 00000000 ____D () C:\Users\Sarayna\Documents\Rockstar Games
2014-04-04 21:12 - 2014-04-04 21:12 - 00000000 __SHD () C:\ProgramData\SecuROM
2014-04-04 21:12 - 2014-04-04 21:12 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\Rockstar Games
2014-04-04 21:09 - 2014-04-04 21:09 - 00002299 _____ () C:\Users\Public\Desktop\Grand Theft Auto IV.lnk
2014-04-04 19:49 - 2014-04-04 19:49 - 00000000 ____D () C:\Program Files\R.G. Games
2014-04-04 16:01 - 2014-04-04 16:01 - 00000000 ____D () C:\Users\Sarayna\Downloads\Howl's.Moving.Castle.720p.ENG [ShadoWCraft]
2014-04-03 23:46 - 2014-04-03 23:46 - 00017494 _____ () C:\Users\Sarayna\Desktop\dds.txt
2014-04-03 23:46 - 2014-04-03 23:46 - 00011372 _____ () C:\Users\Sarayna\Desktop\attach.txt
2014-04-03 23:34 - 2014-04-03 23:35 - 00688992 ____R (Swearware) C:\Users\Sarayna\Downloads\dds.com
2014-04-03 23:20 - 2014-04-03 23:20 - 00195584 _____ () C:\Users\Sarayna\Downloads\S-TOPIK_12_wordlist.xls
2014-04-02 22:14 - 2014-04-02 22:21 - 00000000 ____D () C:\Users\Sarayna\Downloads\Lost complete Season 3 by Bzingaz (RiddlerA)
2014-04-02 17:57 - 2014-04-08 18:39 - 00000280 _____ () C:\Windows\setupact.log
2014-04-02 17:57 - 2014-04-02 17:57 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-01 14:30 - 2014-04-01 14:30 - 00000637 _____ () C:\Users\Sarayna\Desktop\JRT.txt
2014-04-01 14:24 - 2014-04-01 14:25 - 01038974 _____ (Thisisu) C:\Users\Sarayna\Downloads\JRT.exe
2014-04-01 01:25 - 2014-04-01 01:25 - 00000332 _____ () C:\Windows\system32\.crusader
2014-04-01 01:11 - 2014-04-01 01:29 - 00030976 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2014-04-01 01:09 - 2014-04-01 01:25 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-04-01 01:07 - 2014-04-01 01:08 - 10094400 _____ (SurfRight B.V.) C:\Users\Sarayna\Downloads\HitmanPro.exe
2014-03-28 20:03 - 2014-03-28 20:03 - 00000000 ____D () C:\Users\Sarayna\Documents\NBGI
2014-03-28 19:47 - 2014-03-28 19:47 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\NBGI
2014-03-28 19:42 - 2014-03-28 19:42 - 00000000 ____D () C:\Windows\system32\xlive
2014-03-28 19:42 - 2014-03-28 19:42 - 00000000 ____D () C:\Program Files\Microsoft Games for Windows - LIVE
2014-03-28 19:35 - 2014-03-28 19:35 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\DropboxMaster
2014-03-28 01:26 - 2014-03-28 18:25 - 00000000 ____D () C:\Users\Sarayna\Downloads\Dark_Souls_Prepare_To_Die_Edition-FLT
2014-03-26 19:33 - 2014-04-03 22:10 - 00000000 ____D () C:\Users\Sarayna\Documents\GTA San Andreas User Files
2014-03-26 16:56 - 2014-03-26 16:56 - 00000000 ____D () C:\Users\Sarayna\Documents\Square Enix
2014-03-26 16:47 - 2014-03-26 16:47 - 00001061 _____ () C:\Users\Public\Desktop\Final Fantasy VII.lnk
2014-03-25 22:05 - 2014-03-26 16:47 - 00001968 _____ () C:\Users\Public\Desktop\Cat-A-Cat Games.lnk
2014-03-22 22:20 - 2014-03-22 22:33 - 00000000 ____D () C:\Users\Sarayna\Downloads\The Bicycle Thief (Vittorio De Sica, 1948)
2014-03-16 14:47 - 2014-03-16 14:49 - 00001786 _____ () C:\DelFix.txt
2014-03-16 14:33 - 2013-12-18 21:10 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-03-16 14:33 - 2013-12-18 21:04 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-03-16 14:33 - 2013-12-18 21:04 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-03-16 14:33 - 2013-12-18 21:03 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-03-16 14:32 - 2014-03-16 14:33 - 00004839 _____ () C:\Windows\system32\jupdate-1.7.0_51-b13.log
2014-03-16 14:27 - 2014-03-16 14:27 - 00001993 _____ () C:\Users\Public\Desktop\Adobe Reader 9.lnk
2014-03-13 23:48 - 2014-03-13 23:48 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\FLT
2014-03-12 18:55 - 2014-03-12 19:20 - 00000000 ____D () C:\Windows\erdnt
2014-03-09 19:18 - 2014-03-09 19:18 - 00001927 _____ () C:\Users\Sarayna\Desktop\Play South Park The Stick of Truth.lnk
2014-03-09 19:12 - 2014-03-26 19:21 - 00000000 ____D () C:\Games
 
==================== One Month Modified Files and Folders =======
 
2014-04-08 22:42 - 2014-04-08 22:42 - 00024074 _____ () C:\Users\Sarayna\Desktop\FRST.txt
2014-04-08 22:42 - 2014-04-08 22:36 - 00000000 ____D () C:\FRST
2014-04-08 22:39 - 2014-04-08 22:38 - 00051874 _____ () C:\Users\Sarayna\Downloads\Addition.txt
2014-04-08 22:39 - 2014-04-08 22:36 - 00038524 _____ () C:\Users\Sarayna\Downloads\FRST.txt
2014-04-08 22:33 - 2014-04-08 22:33 - 01145856 _____ (Farbar) C:\Users\Sarayna\Desktop\FRST.exe
2014-04-08 22:21 - 2013-07-04 20:58 - 00000526 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-08 22:14 - 2010-12-15 23:15 - 00000530 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-08 22:04 - 2010-12-21 21:25 - 00000548 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3901018940-1375249368-3704209125-1000UA.job
2014-04-08 18:48 - 2009-07-14 12:34 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-08 18:48 - 2009-07-14 12:34 - 00009920 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-08 18:44 - 2010-08-11 03:12 - 01392862 _____ () C:\Windows\WindowsUpdate.log
2014-04-08 18:42 - 2011-11-20 15:03 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\Dropbox
2014-04-08 18:41 - 2013-09-19 20:32 - 00000324 _____ () C:\Windows\Tasks\GlaryInitialize 3.job
2014-04-08 18:41 - 2013-09-19 20:31 - 00000000 ____D () C:\Program Files\Glary Utilities 3
2014-04-08 18:41 - 2011-11-20 17:14 - 00000000 ___RD () C:\Users\Sarayna\Dropbox
2014-04-08 18:39 - 2014-04-02 17:57 - 00000280 _____ () C:\Windows\setupact.log
2014-04-08 18:39 - 2010-12-15 23:15 - 00000526 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-08 18:39 - 2009-07-14 12:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-07 02:42 - 2012-03-24 14:21 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\BitTorrent
2014-04-06 17:21 - 2013-08-11 23:34 - 00000000 ____D () C:\Users\Sarayna\Documents\My Games
2014-04-06 17:16 - 2014-04-06 17:16 - 00002162 _____ () C:\Users\Public\Desktop\Remember Me.lnk
2014-04-06 17:16 - 2014-04-06 17:08 - 00000000 ____D () C:\Program Files\Remember Me
2014-04-06 14:04 - 2014-04-06 13:49 - 00000000 ____D () C:\Users\Sarayna\Downloads\flt-reme
2014-04-06 05:04 - 2010-12-21 21:25 - 00000496 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3901018940-1375249368-3704209125-1000Core.job
2014-04-05 02:17 - 2014-04-05 01:19 - 00000000 ____D () C:\Users\Sarayna\Downloads\Korean Language Learning Pack (Updated)
2014-04-05 01:28 - 2013-04-04 16:47 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\Last.fm
2014-04-04 21:14 - 2014-04-04 21:14 - 00000000 ____D () C:\Users\Sarayna\Documents\Rockstar Games
2014-04-04 21:12 - 2014-04-04 21:12 - 00000000 __SHD () C:\ProgramData\SecuROM
2014-04-04 21:12 - 2014-04-04 21:12 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\Rockstar Games
2014-04-04 21:11 - 2013-02-02 18:10 - 00000000 ____D () C:\Windows\system32\directx
2014-04-04 21:10 - 2013-02-02 18:11 - 00000000 ___HD () C:\Windows\msdownld.tmp
2014-04-04 21:09 - 2014-04-04 21:09 - 00002299 _____ () C:\Users\Public\Desktop\Grand Theft Auto IV.lnk
2014-04-04 19:49 - 2014-04-04 19:49 - 00000000 ____D () C:\Program Files\R.G. Games
2014-04-04 16:01 - 2014-04-04 16:01 - 00000000 ____D () C:\Users\Sarayna\Downloads\Howl's.Moving.Castle.720p.ENG [ShadoWCraft]
2014-04-03 23:46 - 2014-04-03 23:46 - 00017494 _____ () C:\Users\Sarayna\Desktop\dds.txt
2014-04-03 23:46 - 2014-04-03 23:46 - 00011372 _____ () C:\Users\Sarayna\Desktop\attach.txt
2014-04-03 23:35 - 2014-04-03 23:34 - 00688992 ____R (Swearware) C:\Users\Sarayna\Downloads\dds.com
2014-04-03 23:20 - 2014-04-03 23:20 - 00195584 _____ () C:\Users\Sarayna\Downloads\S-TOPIK_12_wordlist.xls
2014-04-03 22:10 - 2014-03-26 19:33 - 00000000 ____D () C:\Users\Sarayna\Documents\GTA San Andreas User Files
2014-04-02 22:21 - 2014-04-02 22:14 - 00000000 ____D () C:\Users\Sarayna\Downloads\Lost complete Season 3 by Bzingaz (RiddlerA)
2014-04-02 17:57 - 2014-04-02 17:57 - 00000000 _____ () C:\Windows\setuperr.log
2014-04-01 14:30 - 2014-04-01 14:30 - 00000637 _____ () C:\Users\Sarayna\Desktop\JRT.txt
2014-04-01 14:25 - 2014-04-01 14:24 - 01038974 _____ (Thisisu) C:\Users\Sarayna\Downloads\JRT.exe
2014-04-01 01:29 - 2014-04-01 01:11 - 00030976 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2014-04-01 01:25 - 2014-04-01 01:25 - 00000332 _____ () C:\Windows\system32\.crusader
2014-04-01 01:25 - 2014-04-01 01:09 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-04-01 01:08 - 2014-04-01 01:07 - 10094400 _____ (SurfRight B.V.) C:\Users\Sarayna\Downloads\HitmanPro.exe
2014-03-29 23:58 - 2011-11-20 17:59 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\MiniLyrics
2014-03-29 23:47 - 2011-11-20 17:59 - 00000000 ____D () C:\Lyrics
2014-03-28 20:03 - 2014-03-28 20:03 - 00000000 ____D () C:\Users\Sarayna\Documents\NBGI
2014-03-28 19:47 - 2014-03-28 19:47 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\NBGI
2014-03-28 19:42 - 2014-03-28 19:42 - 00000000 ____D () C:\Windows\system32\xlive
2014-03-28 19:42 - 2014-03-28 19:42 - 00000000 ____D () C:\Program Files\Microsoft Games for Windows - LIVE
2014-03-28 19:35 - 2014-03-28 19:35 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\DropboxMaster
2014-03-28 19:35 - 2011-12-08 19:00 - 00003988 _____ () C:\Windows\wininit.ini
2014-03-28 19:35 - 2011-11-20 15:04 - 00001030 _____ () C:\Users\Sarayna\Desktop\Dropbox.lnk
2014-03-28 19:35 - 2011-11-20 15:04 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-03-28 18:25 - 2014-03-28 01:26 - 00000000 ____D () C:\Users\Sarayna\Downloads\Dark_Souls_Prepare_To_Die_Edition-FLT
2014-03-27 15:02 - 2013-09-19 12:22 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\iMobie
2014-03-26 19:33 - 2014-01-09 23:16 - 00000000 ____D () C:\Users\Sarayna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2014-03-26 19:21 - 2014-03-09 19:12 - 00000000 ____D () C:\Games
2014-03-26 16:56 - 2014-03-26 16:56 - 00000000 ____D () C:\Users\Sarayna\Documents\Square Enix
2014-03-26 16:47 - 2014-03-26 16:47 - 00001061 _____ () C:\Users\Public\Desktop\Final Fantasy VII.lnk
2014-03-26 16:47 - 2014-03-25 22:05 - 00001968 _____ () C:\Users\Public\Desktop\Cat-A-Cat Games.lnk
2014-03-25 23:40 - 2013-07-13 20:03 - 00000000 ____D () C:\Program Files\Steam
2014-03-25 19:57 - 2013-07-13 20:03 - 00000000 ____D () C:\Program Files\Common Files\Steam
2014-03-22 22:33 - 2014-03-22 22:20 - 00000000 ____D () C:\Users\Sarayna\Downloads\The Bicycle Thief (Vittorio De Sica, 1948)
2014-03-20 19:18 - 2010-08-06 15:07 - 00400406 _____ () C:\Windows\system32\prfh0404.dat
2014-03-20 19:18 - 2010-08-06 15:07 - 00122142 _____ () C:\Windows\system32\prfc0404.dat
2014-03-20 19:18 - 2009-01-02 23:48 - 01304978 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-17 18:21 - 2013-09-20 23:09 - 00000000 ____D () C:\Users\Sarayna\Desktop\Revive my computer
2014-03-16 14:49 - 2014-03-16 14:47 - 00001786 _____ () C:\DelFix.txt
2014-03-16 14:47 - 2014-02-19 23:50 - 00000000 ____D () C:\Windows\ERUNT
2014-03-16 14:44 - 2014-02-28 00:39 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-16 14:41 - 2013-11-04 15:24 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-16 14:33 - 2014-03-16 14:32 - 00004839 _____ () C:\Windows\system32\jupdate-1.7.0_51-b13.log
2014-03-16 14:33 - 2011-09-14 21:18 - 00000000 ____D () C:\Program Files\Java
2014-03-16 14:29 - 2014-02-18 20:57 - 00000000 ____D () C:\Program Files\Anvisoft
2014-03-16 14:27 - 2014-03-16 14:27 - 00001993 _____ () C:\Users\Public\Desktop\Adobe Reader 9.lnk
2014-03-16 03:42 - 2010-12-15 22:17 - 00000000 ____D () C:\Program Files\The KMPlayer
2014-03-13 23:48 - 2014-03-13 23:48 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\FLT
2014-03-13 23:10 - 2014-02-18 19:12 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\Razer
2014-03-13 23:10 - 2014-02-18 19:11 - 00000000 ____D () C:\ProgramData\Razer
2014-03-13 23:10 - 2014-02-18 19:11 - 00000000 ____D () C:\Program Files\Razer
2014-03-12 19:21 - 2013-07-04 20:58 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-12 19:21 - 2011-06-13 18:12 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-12 19:21 - 2009-07-14 10:37 - 00000000 __RHD () C:\Users\Default
2014-03-12 19:21 - 2009-07-14 10:37 - 00000000 ___RD () C:\Users\Public
2014-03-12 19:20 - 2014-03-12 18:55 - 00000000 ____D () C:\Windows\erdnt
2014-03-12 19:16 - 2009-07-14 10:04 - 00000215 _____ () C:\Windows\system.ini
2014-03-12 19:12 - 2011-11-19 19:07 - 00000000 ____D () C:\Users\Sarayna
2014-03-09 23:44 - 2011-11-20 16:15 - 00000000 ____D () C:\Users\Sarayna\AppData\Local\Adobe
2014-03-09 19:18 - 2014-03-09 19:18 - 00001927 _____ () C:\Users\Sarayna\Desktop\Play South Park The Stick of Truth.lnk
 
Some content of TEMP:
====================
C:\Users\Sarayna\AppData\Local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpq4xwit.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-30 18:31
 
==================== End Of Log ============================

#4 B-boy/StyLe/

  • Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 April 2014 - 12:14 PM

Hello,

STEP 1

Click on Start > type in appwiz.cpl in the search box and press Enter
Select IObit Apps Toolbar v8.6 > press Uninstall.

STEP 2

Next please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi
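As an added check, not from this thread and not part of FRST, the PowerShell script below lists what Chrome on the machine is being told to install by policy, which is where an extension that Chrome refuses to remove because it was "installed by enterprise policy" normally comes from. It assumes PowerShell 3 or later and Chrome's default profile location under %LOCALAPPDATA%.

```powershell
# Added example, not part of this thread or of FRST: enumerate the places Chrome
# consults for policy-forced and externally registered extensions. An extension
# that Chrome reports as "installed by enterprise policy" is normally listed in
# one of these, and on a home PC that is not domain-joined any such entry
# deserves a look. Run from an elevated PowerShell prompt on the affected machine.

# Chrome's ExtensionInstallForcelist policy; each value is "<id>;<update url>".
$ForceListPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
# External-install registration: one subkey per extension id holding either a
# local crx "path" plus "version", or an "update_url".
$ExternalPaths = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
# Default profile's extension store (assumed location), used to map an id back
# to the display name Chrome shows.
$ProfileExtensions = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

function Get-ChromeExtensionName {
    param([string]$Id)
    $dir = Join-Path $ProfileExtensions $Id
    if (-not (Test-Path $dir)) { return '(not in default profile)' }
    # One subfolder per installed version; read the newest manifest.
    $manifest = Get-ChildItem $dir -Directory |
        Sort-Object Name -Descending |
        ForEach-Object { Join-Path $_.FullName 'manifest.json' } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $manifest) { return '(no manifest)' }
    $name = (Get-Content $manifest -Raw | ConvertFrom-Json).name
    # Localised names are stored as __MSG_<key>__ and resolved from _locales.
    if ($name -like '__MSG_*') { return "$name (localised)" }
    return $name
}

function Get-ForcedChromeExtensions {
    foreach ($path in $ForceListPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($valueName in $key.GetValueNames()) {
            $id, $updateUrl = ([string]$key.GetValue($valueName)) -split ';', 2
            [pscustomobject]@{
                Kind     = 'ForceList'
                Source   = $path
                Id       = $id
                Name     = Get-ChromeExtensionName $id
                Location = $updateUrl
            }
        }
    }
}

function Get-ExternalChromeExtensions {
    foreach ($path in $ExternalPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($sub in Get-ChildItem $path) {
            $props = Get-ItemProperty $sub.PSPath
            $location = if ($props.path) { $props.path } else { $props.update_url }
            [pscustomobject]@{
                Kind     = 'External'
                Source   = $path
                Id       = $sub.PSChildName
                Name     = Get-ChromeExtensionName $sub.PSChildName
                Location = $location
            }
        }
    }
}

function Invoke-ChromePolicyAudit {
    # A domain-joined machine may legitimately receive Chrome policy from its
    # admins; on a stand-alone home PC any Chrome policy is worth questioning.
    $domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    $policyKey    = Test-Path 'HKLM:\SOFTWARE\Policies\Google'
    $localPol     = Test-Path (Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol')

    "Domain joined                         : $domainJoined"
    "HKLM\SOFTWARE\Policies\Google present : $policyKey"
    "Local machine Registry.pol present    : $localPol"
    if (-not $domainJoined -and ($policyKey -or $localPol)) {
        'Chrome policy exists on a non-domain machine; review the entries below.'
    }

    $entries = @(Get-ForcedChromeExtensions) + @(Get-ExternalChromeExtensions)
    if ($entries.Count -eq 0) { 'No policy-forced or externally registered extensions found.' }
    else { $entries | Format-Table Kind, Id, Name, Location -AutoSize }
}

Invoke-ChromePolicyAudit
```

The script only reads; it reports the same registry and GroupPolicy locations that FRST flags as "Policy restriction" and "Group Policy on Chrome detected", so it can be re-run after a fix to confirm nothing is left.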


#5 saraynachan

  • Topic Starter
  • Members
  • 27 posts

Posted 09 April 2014 - 11:08 AM

I couldn't remove the toolbar. During the uninstallation an error message occurred saying that "a network error occurred while attempting to read from the file". As for the extension, it's gone now. Thank you so much!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014  01
Ran by Sarayna at 2014-04-09 23:59:42 Run:1
Running from C:\Users\Sarayna\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
SearchScopes: HKLM - DefaultScope value is missing.
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR Extension: (YTAdaRiemoeval) - C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\oenjofkngdmijekapocjfmmmjpfilphh [2014-03-12]
CHR Extension: (ShopDRop) - C:\ProgramData\kgfbohpgmbeabeigmpgjbjfkamlfpeoh [2014-01-01]
CHR HKLM\...\Chrome\Extension: [iibmmjhgclhlahmjniokmhleigemjpbh] - C:\Users\Sarayna\AppData\Local\Temp\ccex.crx [2013-08-14]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 catchme; \??\C:\Users\Sarayna\AppData\Local\Temp\catchme.sys [X]
Reg: reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuaserv"
Task: {98A1B124-EC8C-4819-BBA2-A604A50A568F} - System32\Tasks\Express Files Updater => C:\Program Files\ExpressFiles\EFupdater.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:0B9176C0
AlternateDataStreams: C:\ProgramData\TEMP:444C53BA
AlternateDataStreams: C:\ProgramData\TEMP:4D066AD2
AlternateDataStreams: C:\ProgramData\TEMP:5D7E5A8F
AlternateDataStreams: C:\ProgramData\TEMP:93DE1838
AlternateDataStreams: C:\ProgramData\TEMP:AB689DEA
AlternateDataStreams: C:\ProgramData\TEMP:ABE89FFE
AlternateDataStreams: C:\ProgramData\TEMP:E1F04E8D
C:\Users\Sarayna\AppData\Local\temp
end
*****************
 
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
C:\Users\Sarayna\AppData\Local\Google\Chrome\User Data\Default\Extensions\oenjofkngdmijekapocjfmmmjpfilphh => Moved successfully.
C:\ProgramData\kgfbohpgmbeabeigmpgjbjfkamlfpeoh => Moved successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\iibmmjhgclhlahmjniokmhleigemjpbh => Key deleted successfully.
"C:\Users\Sarayna\AppData\Local\Temp\ccex.crx" => File/Directory not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
catchme => Service deleted successfully.
 
========= reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuaserv" =========
 
 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuaserv
    Start    REG_DWORD    0x2
 
 
 
========= End of Reg: =========
 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{98A1B124-EC8C-4819-BBA2-A604A50A568F} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{98A1B124-EC8C-4819-BBA2-A604A50A568F} => Key deleted successfully.
C:\Windows\System32\Tasks\Express Files Updater => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Express Files Updater => Key deleted successfully.
C:\ProgramData\TEMP => ":0B9176C0" ADS removed successfully.
C:\ProgramData\TEMP => ":444C53BA" ADS removed successfully.
C:\ProgramData\TEMP => ":4D066AD2" ADS removed successfully.
C:\ProgramData\TEMP => ":5D7E5A8F" ADS removed successfully.
C:\ProgramData\TEMP => ":93DE1838" ADS removed successfully.
C:\ProgramData\TEMP => ":AB689DEA" ADS removed successfully.
C:\ProgramData\TEMP => ":ABE89FFE" ADS removed successfully.
C:\ProgramData\TEMP => ":E1F04E8D" ADS removed successfully.
 
"C:\Users\Sarayna\AppData\Local\temp" directory move:
 
C:\Users\Sarayna\AppData\Local\temp\AdobeARM.log => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\Attach.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\DDS.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\dd_dotNetFx40_Client_x86_x64_decompression_log.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\dd_vcredistMSI2670.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\dd_vcredistUI2670.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcabdke.dll => Moved successfully.
Could not move "C:\Users\Sarayna\AppData\Local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcabdke.lck" => Scheduled to move on reboot.
Could not move "C:\Users\Sarayna\AppData\Local\temp\etilqs_00KJXQ9n2fuF11h" => Scheduled to move on reboot.
Could not move "C:\Users\Sarayna\AppData\Local\temp\etilqs_9ScUsdNbN3l4JMl" => Scheduled to move on reboot.
Could not move "C:\Users\Sarayna\AppData\Local\temp\etilqs_lhbOKX2fKYLTbSN" => Scheduled to move on reboot.
Could not move "C:\Users\Sarayna\AppData\Local\temp\etilqs_mT9PD0DaMOA6SDO" => Scheduled to move on reboot.
Could not move "C:\Users\Sarayna\AppData\Local\temp\etilqs_N0wqgF9Bo0Yx3X5" => Scheduled to move on reboot.
Could not move "C:\Users\Sarayna\AppData\Local\temp\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
C:\Users\Sarayna\AppData\Local\temp\JRT.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\log3 => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\Microsoft .NET Framework 4 Client Profile Setup_20140406_171936741.html => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\Microsoft Visual C++ 2010  x86 Redistributable Setup_20140406_172000547-Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219-MSP0.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\Microsoft Visual C++ 2010  x86 Redistributable Setup_20140406_172000547-MSI_vc_red.msi.txt => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\Microsoft Visual C++ 2010  x86 Redistributable Setup_20140406_172000547.html => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\MSI58349.LOG => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\MSIe26f5.LOG => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\MSIe26f6.LOG => Moved successfully.
Could not move "C:\Users\Sarayna\AppData\Local\temp\qtsingleapp-fmlast-93b-1-lockfile" => Scheduled to move on reboot.
C:\Users\Sarayna\AppData\Local\temp\qtsingleapp-fmlast-cd93-1-lockfile => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\qtsingleapp-YouTub-3f23-1-lockfile => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_237C.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_2499.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_374A.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_594F.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_59F6.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_8285.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_8A04.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_9CA6.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_A835.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_AF18.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_C3E7.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_C6D5.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_DC26.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_DEE7.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\~1A29.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\~746B.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\~8838.tmp => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\~gu3-ver.dat => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\~upgrade.dat => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\bz2.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\kernel32.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\main.exe.manifest => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\mfc90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\mfc90u.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\mfcm90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\mfcm90u.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\msvcp100.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\msvcr100.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\psapi.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\pyexpat.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\pysqlite2._sqlite.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\python27.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\pythoncom27.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\PyWinTypes27.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\select.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\shell32.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\unicodedata.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32api.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32com.shell.shell.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32crypt.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32event.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32evtlog.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32file.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32inet.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32pdh.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32pipe.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32process.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32profile.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32security.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32trace.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32ts.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32ui.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\win32wnet.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\windows._lib_cacheinvalidation.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wx._controls_.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wx._core_.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wx._gdi_.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wx._html2.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wx._misc_.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wx._windows_.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wx._wizard.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wxbase294u_net_vc90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wxbase294u_vc90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wxmsw294u_adv_vc90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wxmsw294u_core_vc90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wxmsw294u_html_vc90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\wxmsw294u_webview_vc90.dll => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\_ctypes.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\_elementtree.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\_hashlib.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\_multiprocessing.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\_socket.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\_ssl.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\_win32sysloader.pyd => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\support\gen_py\__init__.py => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\mime\drive.mime.types => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\js\XMLHttpRequest.js => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\docs.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdoc16.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdoc256.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdoc32.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdoc48.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdraw16.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdraw256.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdraw32.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gdraw48.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gform16.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gform256.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gform32.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gform48.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-glink16.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-glink256.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-glink32.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-glink48.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gsheet16.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gsheet256.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gsheet32.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gsheet48.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gslides16.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gslides256.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gslides32.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-gslides48.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-sync16.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-sync16.xpm => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-sync256.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-sync32.xpm => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\drive-sync64.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\exclaim.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\file.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\folder-mac.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\folder-winseven.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\folder-winxp.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\folder.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gdoc.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gdoc.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gdraw.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gdraw.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gform.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gform.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\glink.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\glink.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gnote.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gnote.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gscript.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gscript.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gsheet.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gsheet.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gslides.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gslides.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gtable.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\gtable.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\image_resources.py => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\image_resources.pyo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\info1-mac.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\info1-windows7.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\info1-windowsxp.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\info2-default.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\info2-mac.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\info2-win7.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\info2-winxp.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate1-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate1-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate1.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate1_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate2-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate2-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate2.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate2_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate3-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate3-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate3.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate3_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate4-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate4-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate4.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate4_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate5-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate5-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate5.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate5_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate6-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate6-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate6.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate6_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate7-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate7-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate7.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate7_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate8-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate8-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate8.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-animate8_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-error-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-error-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-error.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-error_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-inactive-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-inactive-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-inactive.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-inactive_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-normal-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-normal-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-normal.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-normal_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-pause-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-paused-inverse.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-paused-inverse_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-paused.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\mac-paused_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\menu_warning.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\menu_warning_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sharedfolder-mac.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sharedfolder-winseven.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sharedfolder-winxp.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\shareguyicon.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sheets.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\slides.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync.icns => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync_128.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync_menu_done.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync_menu_done_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync_menu_error.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync_menu_error_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync_menu_syncing.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\sync_menu_syncing_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\toprighticon.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\warning-hdpi_2x.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate1.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate2.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate3.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate4.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate5.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate6.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate7.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-animate8.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win-normal.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win7-error.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win7-inactive.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\win7-paused.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\winxp-error.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\winxp-inactive.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\winxp-paused.png => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\__init__.py => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\__init__.pyo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\overlays\Blacklisted.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\overlays\Shared.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\overlays\Synced.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\images\overlays\Syncing.ico => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\zh_TW\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\zh_HK\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\zh_CN\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\zh-Hant\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\zh-Hans\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\zh\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\vi\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\uk\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\tr\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\th\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\te\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\ta\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\sv\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\sr\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\sl\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\sk\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\ru\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\ro\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\pt_PT\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\pt_BR\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\pt\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\pl\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\no\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\nl\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\mr\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\ml\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\lv\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\lt\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\ko\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\kn\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\ja\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\it\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\id\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\hu\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\hr\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\hi\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\he\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\gu\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\fr\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\fil\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\fi\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\es\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\en_US\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\en_GB\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\en\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\el\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\de\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\da\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\cs\LC_MESSAGES\syncclient.mo => Moved successfully.
C:\Users\Sarayna\AppData\Local\temp\_MEI27722\resources\i18n\locale\ca\LC_MESSAGES\syncclient.mo => Moved successfully.
Could not move "C:\Users\Sarayna\AppData\Local\temp" directory. => Scheduled to move on reboot.
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-04-10 00:02:29)<=
 
C:\Users\Sarayna\AppData\Local\temp => Moved successfully.
 
==== End of Fixlog ====


#6 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 09 April 2014 - 11:28 AM

Hello,

 

Use this utility to remove the IObit Apps Toolbar v8.6.

Also please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach the results to your next reply.

 

Regards,

Georgi


#7 saraynachan
  • Topic Starter
  • Members
  • 27 posts

Posted 10 April 2014 - 11:23 AM

Thanks now the toolbar is gone!

 

And here's the text:

 

Farbar Service Scanner Version: 25-02-2014
Ran by Sarayna (administrator) on 11-04-2014 at 00:22:27
Running from "C:\Users\Sarayna\Downloads"
Microsoft Windows 7 家用進階版  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2013-10-09 12:08] - [2013-09-14 08:48] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913
 
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-10-09 12:08] - [2013-09-08 10:07] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3
 
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-08-15 13:11] - [2013-07-09 12:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9
 
C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-10 19:40] - [2013-05-27 12:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47
 
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
 
 
**** End of log ****
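As an added example (not part of this thread and not FSS's own code), here is a Python parser for the File Check section of the FSS log above: it separates the files FSS confirmed against a known-good MD5 from the ones it only lists with a hash, which are the lines a helper has to verify by hand. The sample log is excerpted from the report posted above; a path whose detail line is missing (a truncated paste) is still reported as unverified.

```python
"""Parse the 'File Check:' section of a Farbar Service Scanner (FSS) log.

FSS prints one of two shapes per system file it inspects:
  <path> => MD5 is legit          (hash matched a known-good value)
  <path>                          (no match; details follow on the next line)
  [<installed>] - [<modified>] - <size> <attrs> (<company>) <MD5>
The second shape is what a helper must check by hand, so we pull it out.
"""
import re
from typing import NamedTuple, Optional

# Detail line printed under a path FSS could not match to a known-good MD5.
_DETAIL = re.compile(
    r"^\[(?P<installed>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


class FileCheck(NamedTuple):
    path: str
    legit: bool                    # True when FSS printed "=> MD5 is legit"
    md5: Optional[str] = None      # only known for unverified files
    size: Optional[int] = None
    company: Optional[str] = None


def parse_fss_file_check(log: str) -> list[FileCheck]:
    """Return one FileCheck per file listed under 'File Check:' in an FSS log."""
    lines = [ln.strip() for ln in log.splitlines()]
    try:
        start = lines.index("File Check:")
    except ValueError:
        return []

    records: list[FileCheck] = []
    pending: Optional[str] = None   # bare path waiting for its detail line
    for line in lines[start + 1:]:
        if line.startswith("****"):             # "**** End of log ****"
            break
        if not line or set(line) == {"="}:      # blank line or "=====" underline
            continue
        if line.endswith("=> MD5 is legit"):
            records.append(FileCheck(line.split(" => ", 1)[0], True))
            pending = None
            continue
        m = _DETAIL.match(line)
        if m and pending is not None:
            records.append(FileCheck(
                pending, False, m["md5"].upper(), int(m["size"]), m["company"]))
            pending = None
            continue
        if pending is not None:                 # previous path had no detail line
            records.append(FileCheck(pending, False))
        pending = line                          # a bare path; details should follow
    if pending is not None:
        records.append(FileCheck(pending, False))
    return records


def unverified(records: list[FileCheck]) -> list[FileCheck]:
    """Files FSS listed with a hash but could not confirm as known-good."""
    return [r for r in records if not r.legit]


# Excerpt of the FSS report posted above (only the File Check section matters).
SAMPLE_LOG = r"""
Farbar Service Scanner Version: 25-02-2014
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2013-10-09 12:08] - [2013-09-14 08:48] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-10-09 12:08] - [2013-09-08 10:07] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3

C:\Windows\system32\cryptsvc.dll
[2013-08-15 13:11] - [2013-07-09 12:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9

C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-10 19:40] - [2013-05-27 12:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
"""

if __name__ == "__main__":
    recs = parse_fss_file_check(SAMPLE_LOG)
    print(f"{len(recs)} files checked, {len(unverified(recs))} need manual verification:")
    for r in unverified(recs):
        print(f"  {r.path}  size={r.size}  md5={r.md5}  ({r.company})")
```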


#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 April 2014 - 03:00 AM

Hello,

 

Nice work! We managed to clean the infection. :)

 

Also if you don't mind, I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

 

 

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

  • Please download RogueKillerX64.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 4

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 5

1.Please download HitmanPro.

  • For 32-bit Operating System.
  • This is the mirror.
  • For 64-bit Operating System.
  • This is the mirror.

2.Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator.)

Note: If the program won't run, please open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a dropdown menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

STEP 6

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

And then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi


#9 saraynachan
  • Topic Starter
  • Members
  • 27 posts

Posted 11 April 2014 - 10:31 AM

Here's the first step. I'm doing the second and will post it as soon as it finishes.
 
 
Rkill 2.6.5 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 04/11/2014 08:56:06 PM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\Sarayna\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe (PID: 5468) [UP-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
 
Program finished at: 04/11/2014 08:58:46 PM
Execution time: 0 hours(s), 2 minute(s), and 40 seconds(s)


#10 saraynachan
  • Topic Starter
  • Members
  • 27 posts

Posted 11 April 2014 - 11:02 AM

Step two:

When I clicked on it, a message popped up saying that this version is not compatible with my Windows version. What should I do?

 

Step three:

I found two logs so I'll post them both.

 

http://pastebin.com/hSA9FYz3

 

http://pastebin.com/ceA6inTW

 

Doing step four.



#11 saraynachan
  • Topic Starter
  • Members
  • 27 posts

Posted 11 April 2014 - 11:30 AM

Step four:

 

Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 2014/4/12
Scan Time: 太陽 12:29:42
Logfile: 
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.04.11.08
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Sarayna
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 289922
Time Elapsed: 30 min, 47 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.Ividi.A, HKU\S-1-5-21-3901018940-1375249368-3704209125-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\iVIDI Plugin, No Action By User, [1be51ce47e829b6555258de911f1be42], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#12 saraynachan
  • Topic Starter
  • Members
  • 27 posts

Posted 11 April 2014 - 12:27 PM

Step five:

I screwed up a bit with this one. I clicked on "next" without changing the options to "ignore" but I closed it as soon as I could. I hope it isn't too bad.

 

HitmanPro 3.7.9.216
www.hitmanpro.com
 
   Computer name . . . . : NNNN-PC
   Windows . . . . . . . : 6.1.1.7601.X86/2
   User name . . . . . . : nnnn-PC\Sarayna
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (18 days left)
 
   Scan date . . . . . . : 2014-04-12 00:51:30
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 13m 29s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 25
 
   Objects scanned . . . : 1,657,282
   Files scanned . . . . : 117,768
   Remnants scanned  . . : 664,909 files / 874,605 keys
 
Cookies _____________________________________________________________________
 
 
 


#13 saraynachan
  • Topic Starter
  • Members
  • 27 posts

Posted 11 April 2014 - 12:31 PM

Last step:

 

 Results of screen317's Security Check version 0.99.81  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 CCleaner     
 JavaFX 2.1.0    
 Java 7 Update 51  
 Adobe Flash Player 12.0.0.77  
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox 27.0.1 Firefox out of Date!  
 Google Chrome 31.0.1650.63  
 Google Chrome 34.0.1847.116  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  
````````````````````End of Log`````````````````````` 


#14 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 12 April 2014 - 04:33 AM

Hello,

 

Run MBAM again and run a new scan but make sure that you delete the entries found.

Here is a compatible version of RogueKiller for your system => RogueKiller.exe

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 12 April 2014 - 11:37 AM.


#15 saraynachan
  • Topic Starter
  • Members
  • 27 posts

Posted 12 April 2014 - 10:56 AM

Here's the RogueKiller report. The few Chinese characters mean "deleted", if it matters. I have no idea why they appeared in the report.

http://pastebin.com/SPiQqV4r

 

I'm redoing the MBAM scan now.





