Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with search.easylifeapp.com keeps reappearing, redirects my browser


  • This topic is locked This topic is locked
16 replies to this topic

#1 The_Atomik_Punk!

The_Atomik_Punk!

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 15 May 2014 - 10:06 AM

Hello! I'm experiencing a reaccurrant problem with a browser hijacker sporadically appearing. It first came to my intention in the middle of a browsing session (I use Firefox) when all of a sudden all of my tabs were closed, and only one remained that redirected me to my new homepage, which was something called search.easylifeapp.com. The contents of the page were completely blank, as I assume my ad blocker prevented anything from loading.

 

I ran a full scan of the following programs: Adwcleaner, Junkware Removal Tool, & Malwarebytes Antimalware (free version). Adwcleaner found a few infected files, including one in Mozilla Firefox, Internet Explorer, and a few registry key entries. The problem seemed resolved to me.

 

A few days later while browsing, the exact same thing happened again- my browsing windows were all closed except for one, which redirected me to my new homepage that was something like gearbox.com (I'm sorry, I can't recall the exact search page name). As before, the page was completely blank, but would not allow me to go to my default homepage.

 

I ran the same programs listed above, and it yielded similar results, the problem once again seemed resolved. Unfortunately, this issue hasd reaccured 2 additional times (4 total, once more each of gearbox.com, and search.easylifeapp.com I believe), with my browser being redirected. After running those programs, the problem goes away for a few days, but seems to return eventually.

 

After doing some preliminary research on the web, I read a post detailing how this particular virus may be quite insidious, hiding its code in a few random files on the infected computer, which it then activates when it detects removal. It then contacts it's host server and redownloads itself.

 

My concern is that my personal financial data may be compromised if this virus still is on my computer unbeknowst to me, and is still communicating with it's host server. Any assistance with this matter would be GREATLY appreciated! Below is the contents of my DDS.txt log, and attatched is the attatch.txt file:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by Bozanic at 10:28:09 on 2014-05-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12270.10171 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\locator.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\SysWOW64\PnkBstrB.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = Preserve
mStart Page = hxxp://www.google.com
mWinlogon: Userinit = userinit.exe,
BHO: AutorunsDisabled - <orphaned>
BHO: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\PlusIEContextMenu.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
mRun: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
mRun: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [IndexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe"
mRun: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe"
mRun: [PPort12reminder] "C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini"
mRun: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe
mRun: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe
mRun: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
mRun: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\Users\Bozanic\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\AUTORU~1\Dropbox.lnk - C:\Users\Bozanic\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{2CF95629-505C-4DDD-BDB2-EC18283EA095} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{FB3A5375-1EEB-460F-A063-4087BF229462} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{FB3A5375-1EEB-460F-A063-4087BF229462}\3574 : DHCPNameServer = 64.71.255.198
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\puresp3.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~2\gsb779~1.ena
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://www.google.com
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RunDLLEntry_THXCfg] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\THXCfg64.dll,RunDLLEntry THXCfg64
x64-Run: [RunDLLEntry_EptMon] C:\Windows\System32\RunDLL32.exe C:\Windows\System32\EptMon64.dll,RunDLLEntry EptMon64
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - <orphaned>
x64-Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Bozanic\AppData\Roaming\Mozilla\Firefox\Profiles\1nuw3p9b.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-1-25 268512]
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-12-29 55856]
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2012-1-7 26176]
R2 cpuz135;cpuz135;C:\Windows\System32\drivers\cpuz135_x64.sys [2012-1-5 21992]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [2010-3-9 144672]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-12-29 317440]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-12-29 406056]
R3 Sftfs;Sftfs;C:\Windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]
R3 Sftplay;Sftplay;C:\Windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]
R3 Sftredir;Sftredir;C:\Windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]
R3 Sftvol;Sftvol;C:\Windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2012-1-7 4163584]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-12-29 231440]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2013-4-9 266240]
S3 cleanhlp;cleanhlp;C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [2014-1-11 57024]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-4-10 111616]
S3 LinksysUpdater;Linksys Updater;C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-4-18 204800]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2012-9-21 351520]
S3 LVUVC64;Logitech HD Pro Webcam C920(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2012-9-21 4763680]
S3 MAUSBMOBILEPREII;Service for M-Audio MobilePre II;C:\Windows\System32\drivers\MAudioMobilePreII.sys [2010-6-21 484360]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-12-24 121416]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2011-4-27 133928]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-3-11 347872]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-2-14 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-9-28 53760]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-1-7 1255736]
S4 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2012-1-7 71472]
S4 DellDigitalDelivery;Dell Digital Delivery Service;C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe [2011-10-26 162816]
S4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-12-29 13592]
S4 MobilePreIIAudioDevMon;MobilePre Audio Device Monitor;C:\Program Files (x86)\M-Audio\MobilePre\AudioDevMon.exe [2010-6-21 1923592]
S4 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2010-5-4 503080]
S4 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2011-3-18 25072]
S4 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-12-29 1692480]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-05-14 22:33:48    119512    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-14 22:33:10    88280    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-05-14 22:33:10    63192    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-05-14 22:33:10    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-14 22:26:39    10651704    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{DEE974F9-74E4-40A5-B227-391D49915A7F}\mpengine.dll
2014-05-14 22:02:01    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-05-14 22:02:01    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-05-14 14:30:20    10651704    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-11 16:14:58    965232    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\icuuc52.dll
2014-05-11 16:14:58    1266800    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\icuin52.dll
2014-05-11 16:14:58    10594416    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\icudt52.dll
2014-05-04 15:17:35    --------    d-s---w-    C:\Windows\System32\CompatTel
2014-04-29 20:39:20    --------    d-----w-    C:\Users\Bozanic\AppData\Roaming\NVIDIA
2014-04-29 20:27:10    922968    ----a-w-    C:\Windows\System32\nvvsvc.exe
2014-04-29 20:27:10    6714312    ----a-w-    C:\Windows\System32\nvcpl.dll
2014-04-29 20:27:10    64968    ----a-w-    C:\Windows\System32\nvshext.dll
2014-04-29 20:27:10    386336    ----a-w-    C:\Windows\System32\nvmctray.dll
2014-04-29 20:27:10    3497816    ----a-w-    C:\Windows\System32\nvsvc64.dll
2014-04-29 20:27:01    62408    ----a-w-    C:\Windows\System32\OpenCL.dll
2014-04-29 20:27:01    54216    ----a-w-    C:\Windows\SysWow64\OpenCL.dll
2014-04-29 20:16:15    3649185    ----a-w-    C:\Windows\System32\nvcoproc.bin
2014-04-29 20:15:55    --------    d-----w-    C:\ProgramData\NVIDIA Corporation
2014-04-28 15:42:16    --------    d-----w-    C:\Program Files (x86)\Microsoft Analysis Services
2014-04-28 15:42:11    --------    d-----w-    C:\Windows\SHELLNEW
2014-04-22 15:01:28    96168    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
==================== Find3M  ====================
.
2014-05-15 02:47:46    280856    ----a-w-    C:\Windows\SysWow64\PnkBstrB.xtr
2014-05-15 02:47:46    280856    ----a-w-    C:\Windows\SysWow64\PnkBstrB.exe
2014-05-13 00:55:50    280856    ----a-w-    C:\Windows\SysWow64\PnkBstrB.ex0
2014-05-09 06:14:03    477184    ----a-w-    C:\Windows\System32\aepdu.dll
2014-05-09 06:11:23    424448    ----a-w-    C:\Windows\System32\aeinv.dll
2014-04-15 06:34:10    1070232    ----a-w-    C:\Windows\SysWow64\MSCOMCTL.OCX
2014-04-12 02:22:05    95680    ----a-w-    C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05    155072    ----a-w-    C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38    29184    ----a-w-    C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38    136192    ----a-w-    C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37    28160    ----a-w-    C:\Windows\System32\secur32.dll
2014-04-12 02:19:32    1460736    ----a-w-    C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05    31232    ----a-w-    C:\Windows\System32\lsass.exe
2014-04-12 02:12:06    22016    ----a-w-    C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56    96768    ----a-w-    C:\Windows\SysWow64\sspicli.dll
2014-04-03 13:50:58    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-03-19 19:27:44    76496    ----a-w-    C:\Windows\System32\drivers\dc3d.sys
2014-03-19 19:27:44    1795952    ----a-w-    C:\Windows\System32\WdfCoInstaller01011.dll
2014-03-11 13:52:30    133928    ----a-w-    C:\Windows\System32\drivers\NisDrvWFP.sys
2014-03-06 09:31:33    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34    548352    ----a-w-    C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15    752640    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41    5784064    ----a-w-    C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33    455168    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43    38400    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36    4254720    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40    592896    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43    32256    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15    2043904    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39    1967104    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40    2260480    ----a-w-    C:\Windows\System32\wininet.dll
2014-03-06 05:41:49    1789440    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01    5550016    ----a-w-    C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21    362496    ----a-w-    C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21    243712    ----a-w-    C:\Windows\System32\wow64.dll
2014-03-04 09:44:21    13312    ----a-w-    C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20    39936    ----a-w-    C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10    210944    ----a-w-    C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08    86528    ----a-w-    C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06    340992    ----a-w-    C:\Windows\System32\schannel.dll
2014-03-04 09:44:03    722944    ----a-w-    C:\Windows\System32\objsel.dll
2014-03-04 09:44:03    314880    ----a-w-    C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03    16384    ----a-w-    C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00    728064    ----a-w-    C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00    424960    ----a-w-    C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56    57344    ----a-w-    C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56    52736    ----a-w-    C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56    44544    ----a-w-    C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:56    22016    ----a-w-    C:\Windows\System32\credssp.dll
2014-03-04 09:43:55    56832    ----a-w-    C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55    53760    ----a-w-    C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50    455168    ----a-w-    C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11    3969984    ----a-w-    C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11    3914176    ----a-w-    C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54    25600    ----a-w-    C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18    5120    ----a-w-    C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18    274944    ----a-w-    C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30    7680    ----a-w-    C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29    2048    ----a-w-    C:\Windows\SysWow64\user.exe
2014-02-14 15:09:01    194048    ----a-w-    C:\Windows\SysWow64\elshyph.dll
2014-01-19 03:30:15    3041792    ----a-w-    C:\Program Files (x86)\GS.Enabler
2014-01-19 03:30:15    2759168    ----a-w-    C:\Program Files (x86)\GS_x64.Enabler
.
============= FINISH: 10:28:26.81 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:47 PM

Posted 16 May 2014 - 07:05 AM


Hello The_Atomik_Punk!

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 The_Atomik_Punk!

The_Atomik_Punk!
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 16 May 2014 - 09:51 AM

Thank you for looking into my problem, Gringo! My computer is running normal. My fear is that this browser hijacker is still ligering on my computer somewhere, as these are the exact steps I myself have taken numerous times (running adwcleaner, junk removal tool, and malewarebytes) which remove it initially, yet it reapppears in a few days. Posted below are the results from adwcleaner, and JRT:

 

# AdwCleaner v3.208 - Report created 16/05/2014 at 10:39:08
# Updated 11/05/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Bozanic - HOME
# Running from : C:\Users\Bozanic\Downloads\Programs\System Utilities\Anti-Virus\adwcleaner_3.208.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\Software\{5F189DF5-2D05-472B-9091-84D9848AE48B}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Users\Bozanic\AppData\Roaming\Mozilla\Firefox\Profiles\1nuw3p9b.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [34033 octets] - [10/02/2014 17:19:32]
AdwCleaner[R10].txt - [1961 octets] - [25/02/2014 09:43:47]
AdwCleaner[R11].txt - [3063 octets] - [27/02/2014 13:54:38]
AdwCleaner[R12].txt - [2000 octets] - [27/02/2014 14:10:26]
AdwCleaner[R13].txt - [2205 octets] - [27/02/2014 23:05:37]
AdwCleaner[R14].txt - [2266 octets] - [28/02/2014 10:59:59]
AdwCleaner[R15].txt - [2327 octets] - [04/03/2014 00:01:32]
AdwCleaner[R16].txt - [2388 octets] - [05/03/2014 18:51:54]
AdwCleaner[R17].txt - [2449 octets] - [05/03/2014 21:00:49]
AdwCleaner[R18].txt - [2510 octets] - [08/03/2014 21:27:31]
AdwCleaner[R19].txt - [2571 octets] - [11/03/2014 21:58:58]
AdwCleaner[R1].txt - [923 octets] - [10/02/2014 17:46:36]
AdwCleaner[R20].txt - [2632 octets] - [14/03/2014 19:26:02]
AdwCleaner[R21].txt - [2564 octets] - [15/03/2014 11:21:59]
AdwCleaner[R22].txt - [2886 octets] - [17/03/2014 15:42:58]
AdwCleaner[R23].txt - [2947 octets] - [20/03/2014 22:05:26]
AdwCleaner[R24].txt - [2807 octets] - [21/03/2014 14:56:08]
AdwCleaner[R25].txt - [3472 octets] - [29/03/2014 11:08:46]
AdwCleaner[R26].txt - [3043 octets] - [01/04/2014 20:31:31]
AdwCleaner[R27].txt - [3102 octets] - [07/04/2014 20:23:00]
AdwCleaner[R28].txt - [3163 octets] - [15/04/2014 14:59:55]
AdwCleaner[R29].txt - [3842 octets] - [26/04/2014 10:25:54]
AdwCleaner[R2].txt - [1041 octets] - [12/02/2014 13:43:04]
AdwCleaner[R30].txt - [4020 octets] - [04/05/2014 11:06:26]
AdwCleaner[R31].txt - [4095 octets] - [06/05/2014 14:03:17]
AdwCleaner[R32].txt - [4046 octets] - [08/05/2014 12:07:21]
AdwCleaner[R33].txt - [3761 octets] - [09/05/2014 12:29:20]
AdwCleaner[R34].txt - [3822 octets] - [10/05/2014 16:22:55]
AdwCleaner[R35].txt - [3883 octets] - [10/05/2014 19:19:03]
AdwCleaner[R36].txt - [4375 octets] - [14/05/2014 14:58:17]
AdwCleaner[R37].txt - [4074 octets] - [14/05/2014 16:35:09]
AdwCleaner[R38].txt - [4135 octets] - [14/05/2014 17:48:32]
AdwCleaner[R39].txt - [4196 octets] - [15/05/2014 23:04:07]
AdwCleaner[R3].txt - [1162 octets] - [12/02/2014 19:24:13]
AdwCleaner[R40].txt - [4257 octets] - [16/05/2014 10:38:39]
AdwCleaner[R4].txt - [1222 octets] - [14/02/2014 18:51:22]
AdwCleaner[R5].txt - [1282 octets] - [14/02/2014 19:17:29]
AdwCleaner[R6].txt - [2367 octets] - [20/02/2014 21:51:48]
AdwCleaner[R7].txt - [1720 octets] - [21/02/2014 21:27:13]
AdwCleaner[R8].txt - [1840 octets] - [22/02/2014 14:09:16]
AdwCleaner[R9].txt - [1900 octets] - [23/02/2014 02:01:58]
AdwCleaner[S0].txt - [34585 octets] - [10/02/2014 17:20:22]
AdwCleaner[S10].txt - [4020 octets] - [06/05/2014 14:03:41]
AdwCleaner[S11].txt - [3959 octets] - [08/05/2014 12:07:44]
AdwCleaner[S12].txt - [4276 octets] - [14/05/2014 14:58:40]
AdwCleaner[S13].txt - [3565 octets] - [16/05/2014 10:39:08]
AdwCleaner[S1].txt - [983 octets] - [10/02/2014 17:47:17]
AdwCleaner[S2].txt - [1103 octets] - [12/02/2014 13:43:31]
AdwCleaner[S3].txt - [2340 octets] - [20/02/2014 21:52:30]
AdwCleaner[S4].txt - [1748 octets] - [21/02/2014 21:29:32]
AdwCleaner[S5].txt - [3116 octets] - [27/02/2014 13:55:15]
AdwCleaner[S6].txt - [2972 octets] - [20/03/2014 22:06:00]
AdwCleaner[S7].txt - [3550 octets] - [29/03/2014 11:09:19]
AdwCleaner[S8].txt - [3862 octets] - [26/04/2014 10:26:42]
AdwCleaner[S9].txt - [3927 octets] - [04/05/2014 11:07:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S13].txt - [4165 octets] ##########

 

 

 

 

 

 

 

 

 

 

Here is the results from JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Bozanic on 16/05/2014 at 10:41:32.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Bozanic\AppData\Roaming\mozilla\firefox\profiles\1nuw3p9b.default\minidumps [5 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 16/05/2014 at 10:45:59.75
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Thnak you again for your time and attention!
 

 

 

 

 

 

 

 

 

 

 

 



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:47 PM

Posted 16 May 2014 - 09:57 AM


Hello The_Atomik_Punk!

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 The_Atomik_Punk!

The_Atomik_Punk!
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 16 May 2014 - 10:24 AM

Hi Gringo! My computer is running normal. I just ran Combofix, and everything went smoothly, except for an inital incident that occured. When I started Combofix, it froze for a second, and then displayed a message with something to the effect of: "iexplorer has stopped working" and then gave the Windows options to "check for an online solution" or to "close the program". When this happened, there were immeadiately spawned approximately 6 minimized internet explorer windows at the bottom of my taskbar. Within a few seconds, this resolved itself, and combofix started. Below are the results from Combofix:

 

ComboFix 14-05-16.01 - Bozanic 16/05/2014  11:07:46.1.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12270.10499 [GMT -4:00]
Running from: c:\users\Bozanic\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\programdata\Amazon.ico
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\background.html
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\content.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\i3p_WMepFtC.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\background.html
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\BwiL6Y4O.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\content.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\background.html
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\content.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\icon48.png
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\pf8F.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\background.html
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\content.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\dJizo.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\manifest.json
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\background.html
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\content.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\i3p_WMepFtC.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\lsdb.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\manifest.json
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\background.html
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\BwiL6Y4O.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\content.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\lsdb.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\manifest.json
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\background.html
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\content.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\icon48.png
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\lsdb.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\manifest.json
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\pf8F.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\background.html
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\content.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\dJizo.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\lsdb.js
c:\users\ASPNET\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\manifest.json
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\background.html
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\content.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\i3p_WMepFtC.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\lsdb.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\manifest.json
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\background.html
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\BwiL6Y4O.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\content.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\lsdb.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\manifest.json
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\background.html
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\content.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\icon48.png
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\lsdb.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\manifest.json
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\pf8F.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\background.html
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\content.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\dJizo.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\lsdb.js
c:\users\C96B9CDD1409473BB7E5\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\background.html
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\content.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\i3p_WMepFtC.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\background.html
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\BwiL6Y4O.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\content.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\background.html
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\content.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\icon48.png
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\pf8F.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\background.html
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\content.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\dJizo.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\i3p_WMepFtC.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\eclcnlepmfepnccogfjdafhhlgcfdmnj\225\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\BwiL6Y4O.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcojahiblbibnmbcmphcbpbdfeikoajn\1.0\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\icon48.png
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\igjlnmjonghboljoajnhpcjmjikmpbmj\1.1\pf8F.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\dJizo.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhchmgjoammfmlkbfealkoamhcneeiee\2.7\manifest.json
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-16 to 2014-05-16  )))))))))))))))))))))))))))))))
.
.
2014-05-16 15:14 . 2014-05-16 15:14    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-05-16 15:14 . 2014-05-16 15:14    --------    d-----w-    c:\users\Bozanic\AppData\Local\temp
2014-05-16 15:01 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F391E2C7-C016-47CB-94DF-46F31651DFAB}\mpengine.dll
2014-05-14 22:33 . 2014-05-16 02:52    119512    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-14 22:33 . 2014-05-14 22:33    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-14 22:33 . 2014-04-03 13:51    63192    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-05-14 22:33 . 2014-04-03 13:51    88280    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-14 22:26 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-14 22:02 . 2014-05-06 04:40    23544320    ----a-w-    c:\windows\system32\mshtml.dll
2014-05-14 22:02 . 2014-05-06 03:00    84992    ----a-w-    c:\windows\system32\mshtmled.dll
2014-05-14 22:02 . 2014-05-06 04:17    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-05-14 22:02 . 2014-05-06 03:07    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2014-05-14 22:01 . 2014-05-14 22:01    --------    d-----w-    c:\users\Default\AppData\Local\Microsoft Help
2014-05-11 16:14 . 2014-05-11 16:14    965232    ----a-w-    c:\program files (x86)\Mozilla Firefox\icuuc52.dll
2014-05-11 16:14 . 2014-05-11 16:14    1266800    ----a-w-    c:\program files (x86)\Mozilla Firefox\icuin52.dll
2014-05-11 16:14 . 2014-05-11 16:14    10594416    ----a-w-    c:\program files (x86)\Mozilla Firefox\icudt52.dll
2014-05-08 13:48 . 2014-05-08 13:48    227704    ----a-w-    c:\program files (x86)\Mozilla Firefox\Plugins\nppdf32.dll
2014-05-04 15:17 . 2014-05-14 22:11    --------    d-s---w-    c:\windows\system32\CompatTel
2014-04-29 20:39 . 2014-04-30 00:37    --------    d-----w-    c:\users\Bozanic\AppData\Roaming\NVIDIA
2014-04-29 20:28 . 2014-04-29 20:28    --------    d-----w-    c:\programdata\NVIDIA
2014-04-29 20:27 . 2014-04-29 20:27    --------    d-----w-    c:\program files (x86)\AGEIA Technologies
2014-04-29 20:27 . 2014-03-04 13:06    6714312    ----a-w-    c:\windows\system32\nvcpl.dll
2014-04-29 20:27 . 2014-03-04 13:06    3497816    ----a-w-    c:\windows\system32\nvsvc64.dll
2014-04-29 20:27 . 2014-03-04 13:05    922968    ----a-w-    c:\windows\system32\nvvsvc.exe
2014-04-29 20:27 . 2014-03-04 13:05    64968    ----a-w-    c:\windows\system32\nvshext.dll
2014-04-29 20:27 . 2014-03-04 13:05    386336    ----a-w-    c:\windows\system32\nvmctray.dll
2014-04-29 20:27 . 2014-03-04 14:35    62408    ----a-w-    c:\windows\system32\OpenCL.dll
2014-04-29 20:27 . 2014-03-04 14:35    54216    ----a-w-    c:\windows\SysWow64\OpenCL.dll
2014-04-29 20:16 . 2014-03-04 13:05    3649185    ----a-w-    c:\windows\system32\nvcoproc.bin
2014-04-29 20:15 . 2014-04-29 20:15    --------    d-----w-    c:\programdata\NVIDIA Corporation
2014-04-28 15:42 . 2014-04-28 15:42    --------    d-----w-    c:\program files (x86)\Microsoft Analysis Services
2014-04-28 15:42 . 2014-04-28 15:42    --------    d-----w-    c:\windows\SHELLNEW
2014-04-28 15:41 . 2014-04-28 15:41    --------    d-----r-    C:\MSOCache
2014-04-22 15:05 . 2014-04-22 15:05    --------    d-----w-    c:\users\Bozanic\AppData\Roaming\Oracle
2014-04-22 15:01 . 2014-04-15 00:13    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-16 01:36 . 2013-08-01 03:15    280792    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2014-05-16 01:36 . 2013-08-01 03:13    280792    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
2014-05-16 01:36 . 2013-08-01 03:13    280856    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2014-05-14 21:58 . 2012-01-05 16:56    93223848    ----a-w-    c:\windows\system32\MRT.exe
2014-04-15 06:34 . 2014-04-15 06:34    1070232    ----a-w-    c:\windows\SysWow64\MSCOMCTL.OCX
2014-04-03 13:50 . 2014-02-10 21:35    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-19 19:27 . 2014-03-19 19:27    76496    ----a-w-    c:\windows\system32\drivers\dc3d.sys
2014-03-19 19:27 . 2014-03-19 19:27    1795952    ----a-w-    c:\windows\system32\WdfCoInstaller01011.dll
2014-03-11 13:52 . 2011-04-27 20:25    133928    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-06 09:31 . 2014-04-10 22:05    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-06 08:59 . 2014-04-10 22:05    66048    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-06 08:57 . 2014-04-10 22:05    548352    ----a-w-    c:\windows\system32\vbscript.dll
2014-03-06 08:57 . 2014-04-10 22:05    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-06 08:53 . 2014-04-10 22:05    2767360    ----a-w-    c:\windows\system32\iertutil.dll
2014-03-06 08:40 . 2014-04-10 22:05    51200    ----a-w-    c:\windows\system32\jsproxy.dll
2014-03-06 08:39 . 2014-04-10 22:05    33792    ----a-w-    c:\windows\system32\iernonce.dll
2014-03-06 08:32 . 2014-04-10 22:05    574976    ----a-w-    c:\windows\system32\ieui.dll
2014-03-06 08:29 . 2014-04-10 22:05    139264    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-06 08:29 . 2014-04-10 22:05    111616    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-06 08:28 . 2014-04-10 22:05    752640    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-06 08:15 . 2014-04-10 22:05    940032    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 08:11 . 2014-04-10 22:05    5784064    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-06 08:09 . 2014-04-10 22:05    453120    ----a-w-    c:\windows\system32\dxtmsft.dll
2014-03-06 08:03 . 2014-04-10 22:05    586240    ----a-w-    c:\windows\system32\ie4uinit.exe
2014-03-06 08:02 . 2014-04-10 22:05    61952    ----a-w-    c:\windows\SysWow64\iesetup.dll
2014-03-06 08:02 . 2014-04-10 22:05    455168    ----a-w-    c:\windows\SysWow64\vbscript.dll
2014-03-06 08:01 . 2014-04-10 22:05    51200    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56 . 2014-04-10 22:05    38400    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 07:48 . 2014-04-10 22:05    195584    ----a-w-    c:\windows\system32\msrating.dll
2014-03-06 07:46 . 2014-04-10 22:05    4254720    ----a-w-    c:\windows\SysWow64\jscript9.dll
2014-03-06 07:42 . 2014-04-10 22:05    296960    ----a-w-    c:\windows\system32\dxtrans.dll
2014-03-06 07:38 . 2014-04-10 22:05    112128    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-03-06 07:36 . 2014-04-10 22:05    592896    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2014-03-06 07:21 . 2014-04-10 22:05    628736    ----a-w-    c:\windows\system32\msfeeds.dll
2014-03-06 07:13 . 2014-04-10 22:05    32256    ----a-w-    c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11 . 2014-04-10 22:05    2043904    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-06 06:53 . 2014-04-10 22:05    13551104    ----a-w-    c:\windows\system32\ieframe.dll
2014-03-06 06:40 . 2014-04-10 22:05    1967104    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2014-03-06 06:22 . 2014-04-10 22:05    2260480    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 05:58 . 2014-04-10 22:05    1400832    ----a-w-    c:\windows\system32\urlmon.dll
2014-03-06 05:50 . 2014-04-10 22:05    846336    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-03-06 05:41 . 2014-04-10 22:05    1789440    ----a-w-    c:\windows\SysWow64\wininet.dll
2014-03-04 09:44 . 2014-04-10 22:03    362496    ----a-w-    c:\windows\system32\wow64win.dll
2014-03-04 09:44 . 2014-04-10 22:03    243712    ----a-w-    c:\windows\system32\wow64.dll
2014-03-04 09:44 . 2014-04-10 22:03    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2014-03-04 09:44 . 2014-04-10 22:03    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2014-03-04 09:44 . 2014-04-10 22:03    1163264    ----a-w-    c:\windows\system32\kernel32.dll
2014-03-04 09:17 . 2014-04-10 22:03    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2014-03-04 09:17 . 2014-04-10 22:03    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2014-03-04 09:16 . 2014-04-10 22:03    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2014-03-04 09:16 . 2014-04-10 22:03    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2014-03-04 08:09 . 2014-04-10 22:03    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2014-03-04 08:09 . 2014-04-10 22:03    2048    ----a-w-    c:\windows\SysWow64\user.exe
2014-01-19 03:30 . 2014-01-19 03:30    3041792    ----a-w-    c:\program files (x86)\GS.Enabler
2014-01-19 03:30 . 2014-01-19 03:30    2759168    ----a-w-    c:\program files (x86)\GS_x64.Enabler
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    94208    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    94208    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    94208    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2009-12-01 963584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-09-07 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-06-06 3076096]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
c:\users\Bozanic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\
Dropbox.lnk - c:\users\Bozanic\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"midi1"=mt32emu.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
R3 cleanhlp;cleanhlp;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C920(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 MAUSBMOBILEPREII;Service for M-Audio MobilePre II;c:\windows\system32\DRIVERS\MAudioMobilePreII.sys;c:\windows\SYSNATIVE\DRIVERS\MAudioMobilePreII.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x]
R4 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [x]
R4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R4 MobilePreIIAudioDevMon;MobilePre Audio Device Monitor;c:\program files (x86)\M-Audio\MobilePre\AudioDevMon.exe;c:\program files (x86)\M-Audio\MobilePre\AudioDevMon.exe [x]
R4 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
R4 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms;c:\program files\dell support center\pcdsrvc_x64.pkms [x]
R4 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-08 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-03-22 17:20]
.
2012-01-08 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2011-03-22 17:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"RunDLLEntry_THXCfg"="c:\windows\system32\THXCfg64.dll" [2009-10-15 17920]
"RunDLLEntry_EptMon"="c:\windows\system32\EptMon64.dll" [2009-10-15 21504]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Bozanic\AppData\Roaming\Mozilla\Firefox\Profiles\1nuw3p9b.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-16  11:16:21
ComboFix-quarantined-files.txt  2014-05-16 15:16
.
Pre-Run: 252,322,471,936 bytes free
Post-Run: 252,002,902,016 bytes free
.
- - End Of File - - 4C20209FE8E21147A96D137F4631B2AE
 



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:47 PM

Posted 16 May 2014 - 02:57 PM


Hello The_Atomik_Punk!

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 The_Atomik_Punk!

The_Atomik_Punk!
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 16 May 2014 - 03:50 PM

Thanks for getting back to me Gringo. My computer is still running normal, I just want to know that nothing is lingering on my system. I followed your instructions and ran Combofix a second time with that script. How does it look? Below is the produced log:

 

ComboFix 14-05-16.01 - Bozanic 16/05/2014  16:38:49.2.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.12270.10689 [GMT -4:00]
Running from: c:\users\Bozanic\Desktop\ComboFix.exe
Command switches used :: c:\users\Bozanic\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-16 to 2014-05-16  )))))))))))))))))))))))))))))))
.
.
2014-05-16 20:44 . 2014-05-16 20:44    --------    d-----w-    c:\users\HomeGroupUser$\AppData\Local\temp
2014-05-16 20:44 . 2014-05-16 20:44    --------    d-----w-    c:\users\Guest\AppData\Local\temp
2014-05-16 20:44 . 2014-05-16 20:44    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-05-16 20:44 . 2014-05-16 20:44    --------    d-----w-    c:\users\C96B9CDD1409473BB7E5\AppData\Local\temp
2014-05-16 20:44 . 2014-05-16 20:44    --------    d-----w-    c:\users\Bozanic\AppData\Local\temp
2014-05-16 20:44 . 2014-05-16 20:44    --------    d-----w-    c:\users\ASPNET\AppData\Local\temp
2014-05-16 20:44 . 2014-05-16 20:44    --------    d-----w-    c:\users\Administrator\AppData\Local\temp
2014-05-16 15:19 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7F048AC5-5D4B-48EF-8396-F4732BBBCFF5}\mpengine.dll
2014-05-14 22:33 . 2014-05-16 02:52    119512    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-14 22:33 . 2014-05-14 22:33    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-14 22:33 . 2014-04-03 13:51    63192    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-05-14 22:33 . 2014-04-03 13:51    88280    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-14 22:26 . 2014-04-16 10:22    10651704    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-14 22:02 . 2014-05-06 04:40    23544320    ----a-w-    c:\windows\system32\mshtml.dll
2014-05-14 22:02 . 2014-05-06 03:00    84992    ----a-w-    c:\windows\system32\mshtmled.dll
2014-05-14 22:02 . 2014-05-06 04:17    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-05-14 22:02 . 2014-05-06 03:07    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2014-05-14 22:01 . 2014-05-14 22:01    --------    d-----w-    c:\users\Default\AppData\Local\Microsoft Help
2014-05-11 16:14 . 2014-05-11 16:14    965232    ----a-w-    c:\program files (x86)\Mozilla Firefox\icuuc52.dll
2014-05-11 16:14 . 2014-05-11 16:14    1266800    ----a-w-    c:\program files (x86)\Mozilla Firefox\icuin52.dll
2014-05-11 16:14 . 2014-05-11 16:14    10594416    ----a-w-    c:\program files (x86)\Mozilla Firefox\icudt52.dll
2014-05-08 13:48 . 2014-05-08 13:48    227704    ----a-w-    c:\program files (x86)\Mozilla Firefox\Plugins\nppdf32.dll
2014-05-04 15:17 . 2014-05-14 22:11    --------    d-s---w-    c:\windows\system32\CompatTel
2014-04-29 20:39 . 2014-04-30 00:37    --------    d-----w-    c:\users\Bozanic\AppData\Roaming\NVIDIA
2014-04-29 20:28 . 2014-04-29 20:28    --------    d-----w-    c:\programdata\NVIDIA
2014-04-29 20:27 . 2014-04-29 20:27    --------    d-----w-    c:\program files (x86)\AGEIA Technologies
2014-04-29 20:27 . 2014-03-04 13:06    6714312    ----a-w-    c:\windows\system32\nvcpl.dll
2014-04-29 20:27 . 2014-03-04 13:06    3497816    ----a-w-    c:\windows\system32\nvsvc64.dll
2014-04-29 20:27 . 2014-03-04 13:05    922968    ----a-w-    c:\windows\system32\nvvsvc.exe
2014-04-29 20:27 . 2014-03-04 13:05    64968    ----a-w-    c:\windows\system32\nvshext.dll
2014-04-29 20:27 . 2014-03-04 13:05    386336    ----a-w-    c:\windows\system32\nvmctray.dll
2014-04-29 20:27 . 2014-03-04 14:35    62408    ----a-w-    c:\windows\system32\OpenCL.dll
2014-04-29 20:27 . 2014-03-04 14:35    54216    ----a-w-    c:\windows\SysWow64\OpenCL.dll
2014-04-29 20:16 . 2014-03-04 13:05    3649185    ----a-w-    c:\windows\system32\nvcoproc.bin
2014-04-29 20:15 . 2014-04-29 20:15    --------    d-----w-    c:\programdata\NVIDIA Corporation
2014-04-28 15:42 . 2014-04-28 15:42    --------    d-----w-    c:\program files (x86)\Microsoft Analysis Services
2014-04-28 15:42 . 2014-04-28 15:42    --------    d-----w-    c:\windows\SHELLNEW
2014-04-28 15:41 . 2014-04-28 15:41    --------    d-----r-    C:\MSOCache
2014-04-22 15:05 . 2014-04-22 15:05    --------    d-----w-    c:\users\Bozanic\AppData\Roaming\Oracle
2014-04-22 15:01 . 2014-04-15 00:13    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-16 01:36 . 2013-08-01 03:15    280792    ----a-w-    c:\windows\SysWow64\PnkBstrB.xtr
2014-05-16 01:36 . 2013-08-01 03:13    280792    ----a-w-    c:\windows\SysWow64\PnkBstrB.exe
2014-05-16 01:36 . 2013-08-01 03:13    280856    ----a-w-    c:\windows\SysWow64\PnkBstrB.ex0
2014-05-14 21:58 . 2012-01-05 16:56    93223848    ----a-w-    c:\windows\system32\MRT.exe
2014-04-15 06:34 . 2014-04-15 06:34    1070232    ----a-w-    c:\windows\SysWow64\MSCOMCTL.OCX
2014-04-03 13:50 . 2014-02-10 21:35    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-19 19:27 . 2014-03-19 19:27    76496    ----a-w-    c:\windows\system32\drivers\dc3d.sys
2014-03-19 19:27 . 2014-03-19 19:27    1795952    ----a-w-    c:\windows\system32\WdfCoInstaller01011.dll
2014-03-11 13:52 . 2011-04-27 20:25    133928    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-06 09:31 . 2014-04-10 22:05    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-06 08:59 . 2014-04-10 22:05    66048    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-06 08:57 . 2014-04-10 22:05    548352    ----a-w-    c:\windows\system32\vbscript.dll
2014-03-06 08:57 . 2014-04-10 22:05    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-06 08:53 . 2014-04-10 22:05    2767360    ----a-w-    c:\windows\system32\iertutil.dll
2014-03-06 08:40 . 2014-04-10 22:05    51200    ----a-w-    c:\windows\system32\jsproxy.dll
2014-03-06 08:39 . 2014-04-10 22:05    33792    ----a-w-    c:\windows\system32\iernonce.dll
2014-03-06 08:32 . 2014-04-10 22:05    574976    ----a-w-    c:\windows\system32\ieui.dll
2014-03-06 08:29 . 2014-04-10 22:05    139264    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-06 08:29 . 2014-04-10 22:05    111616    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-06 08:28 . 2014-04-10 22:05    752640    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-06 08:15 . 2014-04-10 22:05    940032    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 08:11 . 2014-04-10 22:05    5784064    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-06 08:09 . 2014-04-10 22:05    453120    ----a-w-    c:\windows\system32\dxtmsft.dll
2014-03-06 08:03 . 2014-04-10 22:05    586240    ----a-w-    c:\windows\system32\ie4uinit.exe
2014-03-06 08:02 . 2014-04-10 22:05    61952    ----a-w-    c:\windows\SysWow64\iesetup.dll
2014-03-06 08:02 . 2014-04-10 22:05    455168    ----a-w-    c:\windows\SysWow64\vbscript.dll
2014-03-06 08:01 . 2014-04-10 22:05    51200    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56 . 2014-04-10 22:05    38400    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 07:48 . 2014-04-10 22:05    195584    ----a-w-    c:\windows\system32\msrating.dll
2014-03-06 07:46 . 2014-04-10 22:05    4254720    ----a-w-    c:\windows\SysWow64\jscript9.dll
2014-03-06 07:42 . 2014-04-10 22:05    296960    ----a-w-    c:\windows\system32\dxtrans.dll
2014-03-06 07:38 . 2014-04-10 22:05    112128    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-03-06 07:36 . 2014-04-10 22:05    592896    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2014-03-06 07:21 . 2014-04-10 22:05    628736    ----a-w-    c:\windows\system32\msfeeds.dll
2014-03-06 07:13 . 2014-04-10 22:05    32256    ----a-w-    c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11 . 2014-04-10 22:05    2043904    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-06 06:53 . 2014-04-10 22:05    13551104    ----a-w-    c:\windows\system32\ieframe.dll
2014-03-06 06:40 . 2014-04-10 22:05    1967104    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2014-03-06 06:22 . 2014-04-10 22:05    2260480    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 05:58 . 2014-04-10 22:05    1400832    ----a-w-    c:\windows\system32\urlmon.dll
2014-03-06 05:50 . 2014-04-10 22:05    846336    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-03-06 05:41 . 2014-04-10 22:05    1789440    ----a-w-    c:\windows\SysWow64\wininet.dll
2014-03-04 09:44 . 2014-04-10 22:03    362496    ----a-w-    c:\windows\system32\wow64win.dll
2014-03-04 09:44 . 2014-04-10 22:03    243712    ----a-w-    c:\windows\system32\wow64.dll
2014-03-04 09:44 . 2014-04-10 22:03    13312    ----a-w-    c:\windows\system32\wow64cpu.dll
2014-03-04 09:44 . 2014-04-10 22:03    16384    ----a-w-    c:\windows\system32\ntvdm64.dll
2014-03-04 09:44 . 2014-04-10 22:03    1163264    ----a-w-    c:\windows\system32\kernel32.dll
2014-03-04 09:17 . 2014-04-10 22:03    14336    ----a-w-    c:\windows\SysWow64\ntvdm64.dll
2014-03-04 09:17 . 2014-04-10 22:03    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2014-03-04 09:16 . 2014-04-10 22:03    25600    ----a-w-    c:\windows\SysWow64\setup16.exe
2014-03-04 09:16 . 2014-04-10 22:03    5120    ----a-w-    c:\windows\SysWow64\wow32.dll
2014-03-04 08:09 . 2014-04-10 22:03    7680    ----a-w-    c:\windows\SysWow64\instnm.exe
2014-03-04 08:09 . 2014-04-10 22:03    2048    ----a-w-    c:\windows\SysWow64\user.exe
2014-01-19 03:30 . 2014-01-19 03:30    3041792    ----a-w-    c:\program files (x86)\GS.Enabler
2014-01-19 03:30 . 2014-01-19 03:30    2759168    ----a-w-    c:\program files (x86)\GS_x64.Enabler
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    94208    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    94208    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    94208    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"nmctxth"="c:\program files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-04-09 648504]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2009-12-01 963584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]
"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2012-09-07 143360]
"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2012-06-06 3076096]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
c:\users\Bozanic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\
Dropbox.lnk - c:\users\Bozanic\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"midi1"=mt32emu.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2service.exe [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
R3 BrYNSvc;BrYNSvc;c:\program files (x86)\Browny02\BrYNSvc.exe;c:\program files (x86)\Browny02\BrYNSvc.exe [x]
R3 cleanhlp;cleanhlp;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\cleanhlp64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LinksysUpdater;Linksys Updater;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe;c:\program files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Pro Webcam C920(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 MAUSBMOBILEPREII;Service for M-Audio MobilePre II;c:\windows\system32\DRIVERS\MAudioMobilePreII.sys;c:\windows\SYSNATIVE\DRIVERS\MAudioMobilePreII.sys [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x]
R4 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [x]
R4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R4 MobilePreIIAudioDevMon;MobilePre Audio Device Monitor;c:\program files (x86)\M-Audio\MobilePre\AudioDevMon.exe;c:\program files (x86)\M-Audio\MobilePre\AudioDevMon.exe [x]
R4 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
R4 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms;c:\program files\dell support center\pcdsrvc_x64.pkms [x]
R4 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2ddax64.sys [x]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys;c:\windows\SYSNATIVE\drivers\cpuz135_x64.sys [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe;c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-08 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-03-22 17:20]
.
2012-01-08 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2011-03-22 17:20]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AutorunsDisabled\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-01-18 18:49    97792    ----a-w-    c:\users\Bozanic\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"RunDLLEntry_THXCfg"="c:\windows\system32\THXCfg64.dll" [2009-10-15 17920]
"RunDLLEntry_EptMon"="c:\windows\system32\EptMon64.dll" [2009-10-15 21504]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Bozanic\AppData\Roaming\Mozilla\Firefox\Profiles\1nuw3p9b.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-16  16:45:24
ComboFix-quarantined-files.txt  2014-05-16 20:45
ComboFix2.txt  2014-05-16 15:16
.
Pre-Run: 251,952,189,440 bytes free
Post-Run: 251,625,975,808 bytes free
.
- - End Of File - - C19CC2367EA71EFC95AAD504B26F3A0C
 



#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:47 PM

Posted 16 May 2014 - 08:13 PM


Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. default settings are fine
    • Click Run Cleaner.
    • Close CCleaner.
: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - That is great!! and at this time I would like you to update it and run me a quick scan
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis
  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • copy and paste hijackthis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 The_Atomik_Punk!

The_Atomik_Punk!
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 17 May 2014 - 01:41 PM

Thanks for getting back to me, Gringo. My computer is still running normally. I ran Malwarebytes antimalware, but I recently "upgraded" and installed the freeware version of the new 2.0 program, which changes the interface from the original. As such, the log provided may not be what you would like. If that's the case, please if you could give me a download link to the original version, and I 'd be happy to oblige your instructions regarding saving the proper log format. As it stands, below are the produced logs from Malwarebytes and Hijackthis:

 

MalwareBytes AntiMlaware:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 17/05/2014
Scan Time: 2:30:03 PM
Logfile: MalwarebytesLog.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.17.10
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Bozanic

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 338440
Time Elapsed: 12 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

 

 

 

Hijackthis:

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:33:37 PM, on 17/05/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17041)
Boot mode: Normal

Running processes:
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Bozanic\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: PlusIEEventHelper Class - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [PPort12reminder] "C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe
O4 - HKLM\..\Run: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe
O4 - HKLM\..\Run: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe /autorun
O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe /AUTORUN
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Emsisoft Anti-Malware 6.0 - Service (a2AntiMalware) - Emsisoft GmbH - C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2service.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files (x86)\Browny02\BrYNSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PDFProFiltSrvPP - Nuance Communications, Inc. - C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9389 bytes
 



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:47 PM

Posted 18 May 2014 - 05:49 AM


Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
      O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe
      O4 - HKLM\..\Run: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
      O4 - Startup: AutorunsDisabled


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
    • NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add/on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.

  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
When the scan is complete
  • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found
  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 The_Atomik_Punk!

The_Atomik_Punk!
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 19 May 2014 - 02:55 PM

Hi Gringo, thanks for getting back to me. My computer is still running normally, with the exception that on occasion (somewhat frequently) I find Microsoft Security Essentials real time protection disabled, even though I did not turn it off. This comes to my attention if I look at the taskbar at the bottom right, and notice the red flag. Despite trying to manually reactivate it, it requires a reboot of my computer to turn back on real time protection (somewhat suspicious).

 

Thank you for the recomendations for HijackThis to disable certain startup items, I've done so and system boot-up time has been improved!

 

I ran the ESET Online Scanner as directed to, and the program found 21 threats. As per your instructions, I did not remove the threats, and have included the .txt file below displaying the results:

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\GSSvc.dll.vir    a variant of Win32/SProtector.F potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\ExpressZip\expresszip.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\ExpressZip\uninst.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\ExpressZip\zipsetup_v1.15.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Switch\switch.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Switch\switchsetup_v4.35.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\WavePad\uninst.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\WavePad\wavepad.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\WavePad\wpsetup_v5.06.exe.vir    a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Program Files (x86)\GS.Enabler    a variant of Win32/SProtector.E potentially unwanted application
C:\Program Files (x86)\GS_x64.Enabler    a variant of Win64/SProtector.A potentially unwanted application
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe    a variant of Win32/HiddenStart.A potentially unsafe application
C:\Program Files (x86)\Steam\steamapps\common\XCom UFO Defense\UFOLoader.exe    probably unknown NewHeur_PE virus
C:\ProgramData\InstallMate\{2537C54A-1357-44AC-A647-5B75FED4E7BC}\Custom.dll    Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{2537C54A-1357-44AC-A647-5B75FED4E7BC}\Custom.dll    Win32/InstalleRex.M potentially unwanted application
C:\Users\Bozanic\Downloads\Games\ROM Sets\GENESIS\SBWin 3 RC2 Setup.exe    Win32/InstallMonetizer.AF potentially unwanted application
C:\Users\Bozanic\Downloads\Programs\cnet2_moviestudiope100_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application
C:\Users\Bozanic\Downloads\Programs\FreeYouTubeDownloaderInstallerIC.exe    a variant of Win32/InstallCore.IO potentially unwanted application
C:\Users\Bozanic\Downloads\Programs\ImgBurn\SetupImgBurn_2.5.8.0.exe    Win32/OpenCandy potentially unsafe application
C:\Users\Bozanic\Downloads\Programs\System Utilities\ccsetup413.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Bozanic\Downloads\Programs\System Utilities\cpu-z_1.59-setup-en.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
 



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:47 PM

Posted 20 May 2014 - 03:47 AM


Hello The_Atomik_Punk!

There are some minor things in your online scan that should be removed.


delete files
  • Copy all text in the code box (below)...to Notepad.
    @echo off
    del /f /s /q "C:\Program Files (x86)\GS.Enabler"
    del /f /s /q "C:\Program Files (x86)\GS_x64.Enabler"
    del /f /s /q "C:\Program Files (x86)\Steam\steamapps\common\XCom UFO Defense\UFOLoader.exe"
    del /f /s /q "C:\ProgramData\InstallMate\{2537C54A-1357-44AC-A647-5B75FED4E7BC}\Custom.dll"
    del /f /s /q "C:\Users\All Users\InstallMate\{2537C54A-1357-44AC-A647-5B75FED4E7BC}\Custom.dll"
    del /f /s /q "C:\Users\Bozanic\Downloads\Games\ROM Sets\GENESIS\SBWin 3 RC2 Setup.exe"
    del /f /s /q "C:\Users\Bozanic\Downloads\Programs\cnet2_moviestudiope100_exe.exe"
    del /f /s /q "C:\Users\Bozanic\Downloads\Programs\FreeYouTubeDownloaderInstallerIC.exe"
    del /f /s /q "C:\Users\Bozanic\Downloads\Programs\ImgBurn\SetupImgBurn_2.5.8.0.exe"
    del /f /s /q "C:\Users\Bozanic\Downloads\Programs\System Utilities\ccsetup413.exe"
    del /f /s /q "C:\Users\Bozanic\Downloads\Programs\System Utilities\cpu-z_1.59-setup-en.exe"
    del %0
  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: batfileicon.gif<--XPvista_bat_icon.png<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.
The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:
  • Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
    They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

    The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.
  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK.
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • CF-Uninstall.png
:Remove the rest of our tools:

Please download DelFix and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click DelFix.exe.
  • select all options avalible
  • Click the Run button.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.
  • Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

    CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

    Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.
  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)


    Note** If you decide to install MSE you will need to uninstall your present Antivirus
:Security awareness:


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

As Java seems to get exploited on a daily basis I advise to disable java in your web browsers - How to disable java in your web browsers - Disable Java


The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internetHere is some more reading for you from some of my collegesquoted from Tech Support Forum

Conclusion

There is no such thing as 'perfect security'. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 The_Atomik_Punk!

The_Atomik_Punk!
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 20 May 2014 - 11:17 AM

Gringo, I ran the cmd script to remove those items you listed, as well as uninstalling the diagnostic programs as per your instructions. My computer is running normally. It's a huge relief to know that my computer is now safe, and it's all thanks to your generous assistance! Thank you for the extra resources to read about internet safety, they were very insightful in helping me understand how malware works. Paypal Donation sent.

 

I have a question regarding your recommendation of WinPatrol. I installed it, but should I allow it to run all the time (i.e at start up?) If so, does it use significant system resources?

 

Finally, I believe that any malware that made it's way to my computer originated on my brother's laptop, which is networked to my computer. I'm sure that his computer contains malware, as when I ran JunkRemovalTool, a bad sector was found, but couldn't be recovered after a reset (there was some error). I'd like to open a thread regarding that computer, but seeing as it pertains to my case (and may spread malware back to my computer), would it be possible to continue that here, or should I start a new thread?



#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:47 PM

Posted 20 May 2014 - 01:22 PM

It would be best to start a new thread but put the name gringo in the subject and let me know when it is ready

I want this so when I go back thru double checking things I do not look at your reports and get them confused

Thank you and it was nice



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 The_Atomik_Punk!

The_Atomik_Punk!
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 20 May 2014 - 02:24 PM

Hey Gringo! I recently created the new thread regarding the laptop networked to this computer, and I placed your name (GRINGO) at the start of the subject line.

 

Thank you again for your assistance in this matter, this computer is now clean, please close this thread.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users