Infected with Trojans and possibly Win32/Crowti


9 replies to this topic

#1 rchi


Posted 01 November 2014 - 06:39 PM

Hello. A couple of days ago I was having trouble on my computer with chrome.exes flooding my processes and making my CPU usage 100%. I also had many attacks from a trojan called "Ransom:Win32/Crowti". Before that, I had problems with the replicating dll.host processes, although that has not been a problem for almost a week.

Last night, I discovered a .exe in My Documents called "INSTALL_TOR". I looked in my other folders and found that there was one copy present in many other folders as well. I searched the "INSTALL_TOR" in My Computer and it located over 700 copies of this .exe. I deleted them all and emptied my Recycle Bin.

Afterwards, I ran ESET Online Scanner overnight and it found 35 infections and only cleaned 30. I ran MBAM this morning and it only found one threat this time compared to the 8 it found the previous scan. Those 8 threats are currently under quarantine in MBAM (6 of which had to do with the fake google chrome processes). Should I go ahead and delete them?

I also ran Microsoft Security Essentials this morning and it found nothing this time but it does have the "Ransom:Win32/Crowti" trojan under quarantine from last night. The night before that, I had 60+ attacks from that trojan overnight as I left my computer on to scan.

So far, after the removal of "INSTALL_TOR" and the ESET scan, I've had no problems with the replicating chrome.exes, although I'm not sure if the trojan is still present on my computer (besides the ones under quarantine), since it was still a problem even after I deleted it with MBAM a few times in the last few days. I'm also not sure if the 5 infections ESET found but did not clean are still on my computer. Lastly, I'm not sure if the Crowti trojan is still present on my computer or not.

Here is the link to my previous thread before I was elevated here: http://www.bleepingcomputer.com/forums/t/554028/fake-google-chrome-and-win32crowti/

Here is my DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7600.17267
Run by Ray at 18:58:09 on 2014-11-01
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3767.2003 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\lxdqcoms.exe
C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
C:\Users\Ray\Forefront UAG Remote Access Agent\myfilesunccedu\filer1\uagqecsvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxext.exe
C:\Program Files (x86)\Lexmark Z2400 Series\lxdqmon.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Ray\AppData\Local\Akamai\netsession_win.exe
C:\Users\Ray\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ray\AppData\Local\FluxSoftware\Flux\flux.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
uProxyOverride = 127.0.0.1:9421;*.local;<local>
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [Akamai NetSession Interface] "C:\Users\Ray\AppData\Local\Akamai\netsession_win.exe"
uRun: [Search Protection] "C:\Users\Ray\AppData\Roaming\Search Protection\SP.EXE" /autostart
uRun: [Media Finder] "C:\Program Files (x86)\Media Finder\Media Finder.exe" /opentotray
uRun: [Google Update] "C:\Users\Ray\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Facebook Update] "C:\Users\Ray\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
uRun: [uTorrent] "C:\Users\Ray\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [MDS_Menu] "C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso" UpdateWithCreateOnce "Software\CyberLink\MediaShow Espresso\5.6"
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [ArcadeMovieService] "C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
uPolicies-Explorer: TaskbarNoNotification = dword:0
uPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-Windows\System: UseOEMBackground = dword:1
mPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: HideSCAHealth = dword:0
IE: Download with &Media Finder - C:\Program Files (x86)\Media Finder\hook.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{476E3F75-6456-4B85-87B2-1F7370EC44DD} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{476E3F75-6456-4B85-87B2-1F7370EC44DD}\130303031326 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{476E3F75-6456-4B85-87B2-1F7370EC44DD}\251697723702E4564777F627B6 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{476E3F75-6456-4B85-87B2-1F7370EC44DD}\34F646973702E6564777F627B6 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{476E3F75-6456-4B85-87B2-1F7370EC44DD}\4416C65613233343 : DHCPNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
TCP: Interfaces\{476E3F75-6456-4B85-87B2-1F7370EC44DD}\5702D61646022627F6F3 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{476E3F75-6456-4B85-87B2-1F7370EC44DD}\E496E6562775966496D2355636572756 : DHCPNameServer = 10.23.0.20 10.23.0.30
TCP: Interfaces\{F3992B9C-AFE1-45CB-A3BD-8A0C42672CE6} : DHCPNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
x64-mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [ODDPwr] "C:\Program Files\Acer\Optical Drive Power Management\ODDPwr.exe"
x64-Run: [mwlDaemon] C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [lxdqmon.exe] "C:\Program Files (x86)\Lexmark Z2400 Series\lxdqmon.exe"
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=282369&p=
FF - component: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCore.dll
FF - component: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll
FF - plugin: C:\Users\Ray\AppData\Local\Facebook\Messenger\2.1.4814.0\npFbDesktopPlugin.dll
FF - plugin: C:\Users\Ray\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Ray\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-10-15 129752]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-7-17 269008]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2009-6-2 22576]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2009-6-2 20016]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2009-6-2 60464]
R2 {6E090BD5-4EF5-4bf0-A968-74049E88E935};Power Control [2010/04/28 13:33:39];C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\000.fcl [2010-2-25 146928]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-4-25 325200]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2010-4-28 866336]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-4-25 13336]
R2 lxdq_device;lxdq_device;C:\Windows\System32\lxdqcoms.exe -service --> C:\Windows\System32\lxdqcoms.exe -service [?]
R2 MWLService;MyWinLocker Service;C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [2010-4-17 305520]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 125584]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [2010-3-8 250368]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2009-11-5 144640]
R2 ODDPwrSvc;Acer ODD Power Service;C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [2010-4-25 171040]
R2 TomTomHOMEService;TomTomHOMEService;C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2010-8-24 92008]
R2 uagqecsvc;Microsoft Forefront UAG Quarantine Enforcement Client;C:\Users\Ray\Forefront UAG Remote Access Agent\myfilesunccedu\filer1\uagqecsvc.exe [2013-10-18 144896]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-4-28 2314240]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-4-25 243232]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-4-28 56344]
R3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2010-4-25 158976]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-4-25 271872]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\System32\drivers\L1C62x64.sys [2010-4-25 75304]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-8-22 368624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\lxdqserv.exe [2008-2-27 29184]
S2 McProxy;McAfee Proxy Service;"C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc --> C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [?]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\System32\drivers\AmUStor.sys [2009-5-26 40448]
S3 DrvAgent64;DrvAgent64;C:\Windows\SysWOW64\drivers\DrvAgent64.SYS [2012-3-23 21712]
S3 Gun;Gun;C:\Windows\System32\Gun64.sys [2011-1-30 30840]
S3 NTIBackupSvc;NTI Backup Now 5 Backup Service;C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2009-11-5 50432]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-8 1255736]
.
=============== Created Last 30 ================
.
2014-11-01 22:48:57 11627712 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D9A49EC0-CF32-48CF-9A2C-7C470A3EBCCF}\mpengine.dll
2014-11-01 06:27:40 11627712 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-11-01 04:37:34 11627712 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E2D55544-248B-43AB-8557-44B4FF432083}\mpengine.dll
2014-10-31 18:18:22 -------- d-----w- C:\Program Files (x86)\ESET
2014-10-30 19:27:03 -------- d-----w- C:\Windows\pss
2014-10-30 04:15:47 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-10-30 02:56:39 0 ----a-w- C:\Windows\System32\pvvicv.dll
2014-10-16 00:27:08 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-16 00:26:43 92888 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-10-16 00:26:43 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-10-16 00:26:43 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-15 22:43:35 0 ----a-w- C:\Users\Ray\AppData\Roaming\pvvicv.dll
2014-10-15 21:53:53 87200 ----a-w- C:\ProgramData\wrnhoah.tmp
2014-10-15 05:27:41 276480 ----a-w- C:\Windows\System32\generaltel.dll
2014-10-15 05:27:40 504320 ----a-w- C:\Windows\System32\aepdu.dll
2014-10-15 05:27:39 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-10-15 05:27:38 3195392 ----a-w- C:\Windows\System32\win32k.sys
2014-10-15 02:28:24 822384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\icuuc52.dll
2014-10-15 02:28:24 10594416 ----a-w- C:\Program Files (x86)\Mozilla Firefox\icudt52.dll
2014-10-15 02:28:24 1022576 ----a-w- C:\Program Files (x86)\Mozilla Firefox\icuin52.dll
.
==================== Find3M  ====================
.
2014-10-28 10:34:58 275080 ------w- C:\Windows\System32\MpSigStub.exe
2014-10-01 15:11:12 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-09-23 19:28:08 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-23 19:28:08 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 18:59:00.58 ===============

Along with the attach.txt, I have attached the logs for my latest rKill, MBAM (today's and yesterday's), and ESET scans.

Edited by rchi, 01 November 2014 - 06:42 PM.
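As an added example (not part of this thread or of the DDS tool), the script below runs a few triage heuristics over lines in the DDS "Pseudo HJT Report" and "Created Last 30" format posted above: a disabled security product, UAC turned off (EnableLUA = 0), registry entries pointing at missing files, autoruns launched from user-writable locations, and zero-byte DLLs. The rule names and thresholds are my own choices; the sample lines are copied from the posted log, and a flag means "look at this first", not "this is malware".

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log posted above, one or two
# per line shape the triage understands.
SAMPLE_DDS = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [Search Protection] "C:\Users\Ray\AppData\Roaming\Search Protection\SP.EXE" /autostart
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableLUA = dword:0
2014-10-30 02:56:39 0 ----a-w- C:\Windows\System32\pvvicv.dll
2014-10-16 00:27:08 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-31 18:18:22 -------- d-----w- C:\Program Files (x86)\ESET
"""


@dataclass
class Finding:
    rule: str    # short heuristic name (my naming, not a DDS term)
    detail: str  # the evidence taken from the log line


# Line shapes as DDS prints them: "AV: <name> *Enabled/Updated* {guid}",
# "mPolicies-System: <name> = dword:<n>", "uRun: [<label>] <command>",
# "<date> <time> <size|-------> <attrs> <path>".
RE_SECPROD = re.compile(r"^(AV|SP|FW): (.+?) \*(Enabled|Disabled)/(Updated|Outdated)\*")
RE_POLICY = re.compile(r"^(?:x64-)?[um]Policies-System: (\w+) = dword:(\d+)$")
RE_AUTORUN = re.compile(r'^(?:x64-)?[um]Run: \[(.+?)\] (?:"([^"]+)"|(\S.*))')
RE_CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+|-+) (\S+) ([A-Za-z]:\\.+)$")

# Path fragments a standard user can write to; autoruns from here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")


def triage_line(line):
    """Return the list of Findings raised by one DDS log line (usually empty)."""
    line = line.rstrip()
    out = []

    m = RE_SECPROD.match(line)
    if m and m.group(3) == "Disabled":
        out.append(Finding("security-product-disabled", f"{m.group(1)}: {m.group(2)}"))

    m = RE_POLICY.match(line)
    if m:
        name, value = m.group(1), int(m.group(2))
        if name == "EnableLUA" and value == 0:
            out.append(Finding("uac-disabled", line))
        elif name == "ConsentPromptBehaviorAdmin" and value == 0:
            out.append(Finding("uac-silent-elevation", line))

    # DDS marks BHO/EB/handler entries whose target file is gone.
    if line.endswith("- <orphaned>") or line.endswith("- <no file>"):
        out.append(Finding("orphaned-entry", line))

    m = RE_AUTORUN.match(line)
    if m:
        # Quoted commands give the bare path; unquoted ones keep any trailing arguments.
        path = m.group(2) or m.group(3)
        if any(tok in path.lower() for tok in USER_WRITABLE):
            out.append(Finding("autorun-from-user-writable", f"[{m.group(1)}] {path}"))

    m = RE_CREATED.match(line)
    if m and m.group(1).isdigit() and int(m.group(1)) == 0 and m.group(3).lower().endswith(".dll"):
        out.append(Finding("zero-byte-dll", m.group(3)))

    return out


def triage(text):
    """Run triage_line over every line of a DDS log and collect the Findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'orphaned-entry': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.rule:28} {f.detail}")
```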



#2 nasdaq

  • Malware Response Team

Posted 06 November 2014 - 11:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

#3 rchi

  • Topic Starter

Posted 07 November 2014 - 12:39 AM

Update: I still have not had a problem with the fake Google Chrome processes since the ESET scan, but now I'm having problems with the replicating dllhost.exe COM Surrogates again. I have to constantly close the processes. Even after the AdwCleaner clean and restarting my computer, the dllhost processes began almost immediately, the minute I logged into my user. They also come back after I end their processes, about every 15-20 seconds. It didn't happen this fast the last time I had a problem with it.

# AdwCleaner v3.311 - Report created 07/11/2014 at 00:18:24
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : Ray - RAY-PC
# Running from : C:\Users\Ray\Downloads\adwcleaner_3.311.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\House Of Soft
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\Ray\AppData\Local\Conduit
Folder Deleted : C:\Users\Ray\AppData\Local\eSupport.com
Folder Deleted : C:\Users\Ray\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Ray\AppData\Roaming\FinalTorrent
Folder Deleted : C:\Users\Ray\AppData\Roaming\Media Finder
Folder Deleted : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\ConduitCommon
Folder Deleted : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\Smartbar
Folder Deleted : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
File Deleted : C:\Windows\SysWOW64\conduitEngine.tmp
File Deleted : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\user.js
File Deleted : C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage
File Deleted : C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Media Finder]
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Search Protection]
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\MF
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Vid-Saver_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\Vid-Saver_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2438727
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022342291}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{33333333-3333-3333-3333-330033343391}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066346691}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077347791}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B13EC3E-999A-4B70-B9CB-2617B8323822}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7B13EC3E-999A-4B70-B9CB-2617B8323822}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066346691}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077347791}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\MediaFinder
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\yuna software
Key Deleted : HKCU\Software\AppDataLow\Software\Search Protection
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Freeze.com
Key Deleted : HKLM\SOFTWARE\Messenger Plus!\OpenCandy
Key Deleted : HKLM\SOFTWARE\OpenCandy NSIS SDK
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.7600.17267
 
 
-\\ Mozilla Firefox v30.0 (en-US)
 
[ File : C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\8ktisurt.default-1402882812793\prefs.js ]
 
 
[ File : C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\prefs.js ]
 
Line Deleted : user_pref("CT2786678..clientLogIsEnabled", true);
Line Deleted : user_pref("CT2786678..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
Line Deleted : user_pref("CT2786678..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
Line Deleted : user_pref("CT2786678.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Line Deleted : user_pref("CT2786678.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Line Deleted : user_pref("CT2786678.AppTrackingLastCheckTime", "Wed Feb 08 2012 21:42:26 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.BrowserCompStateIsOpen_129579220236217502", true);
Line Deleted : user_pref("CT2786678.CTID", "CT2786678");
Line Deleted : user_pref("CT2786678.CurrentServerDate", "9-2-2012");
Line Deleted : user_pref("CT2786678.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT2786678.DialogsGetterLastCheckTime", "Wed Feb 08 2012 21:42:17 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.DownloadReferralCookieData", "");
Line Deleted : user_pref("CT2786678.EMailNotifierPollDate", "Thu Feb 09 2012 15:34:16 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedLastCount5690698542593514850", 501);
Line Deleted : user_pref("CT2786678.FeedPollDate2429156812186649977", "Thu Feb 09 2012 15:22:35 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156813040823546", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156813130095866", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156813224203613", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156813230837251", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156813454291735", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156813729834876", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156813860870021", "Thu Feb 09 2012 15:22:35 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156814264681793", "Thu Feb 09 2012 15:22:35 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156814863075366", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedPollDate2429156815257761081", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.FeedTTL2429156813040823546", 15);
Line Deleted : user_pref("CT2786678.FeedTTL2429156813130095866", 10);
Line Deleted : user_pref("CT2786678.FeedTTL2429156813454291735", 5);
Line Deleted : user_pref("CT2786678.FeedTTL2429156814264681793", 5);
Line Deleted : user_pref("CT2786678.FirstServerDate", "8-8-2011");
Line Deleted : user_pref("CT2786678.FirstTime", true);
Line Deleted : user_pref("CT2786678.FirstTimeFF3", true);
Line Deleted : user_pref("CT2786678.FixPageNotFoundErrors", false);
Line Deleted : user_pref("CT2786678.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT2786678.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Line Deleted : user_pref("CT2786678.HasUserGlobalKeys", true);
Line Deleted : user_pref("CT2786678.HomePageProtectorEnabled", false);
Line Deleted : user_pref("CT2786678.Initialize", true);
Line Deleted : user_pref("CT2786678.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT2786678.InstallationAndCookieDataSentCount", 3);
Line Deleted : user_pref("CT2786678.InstallationType", "UnknownIntegration");
Line Deleted : user_pref("CT2786678.InstalledDate", "Mon Aug 08 2011 00:02:52 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT2786678.IsAlertDBUpdated", true);
Line Deleted : user_pref("CT2786678.IsGrouping", false);
Line Deleted : user_pref("CT2786678.IsInitSetupIni", true);
Line Deleted : user_pref("CT2786678.IsMulticommunity", false);
Line Deleted : user_pref("CT2786678.IsOpenThankYouPage", true);
Line Deleted : user_pref("CT2786678.IsOpenUninstallPage", false);
Line Deleted : user_pref("CT2786678.LanguagePackLastCheckTime", "Wed Feb 08 2012 21:42:16 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT2786678.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
Line Deleted : user_pref("CT2786678.LastLogin_3.5.0.12", "Wed Feb 08 2012 21:42:16 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.LastLogin_3.9.0.3", "Thu Feb 09 2012 15:22:34 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.LatestVersion", "3.9.0.3");
Line Deleted : user_pref("CT2786678.Locale", "en");
Line Deleted : user_pref("CT2786678.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT2786678.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Line Deleted : user_pref("CT2786678.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT2786678.MyStuffEnabledAtInstallation", true);
Line Deleted : user_pref("CT2786678.OriginalFirstVersion", "3.5.0.12");
Line Deleted : user_pref("CT2786678.SearchEngineBeforeUnload", "chrome://browser-region/locale/region.properties");
Line Deleted : user_pref("CT2786678.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT2786678.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT2786678.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT2786678.SearchInNewTabLastCheckTime", "Wed Feb 08 2012 21:42:15 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2786678.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usage.ashx?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2786678.SearchProtectorEnabled", false);
Line Deleted : user_pref("CT2786678.SearchProtectorToolbarDisabled", false);
Line Deleted : user_pref("CT2786678.ServiceMapLastCheckTime", "Wed Feb 08 2012 21:42:15 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.SettingsLastCheckTime", "Thu Feb 09 2012 15:22:32 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.SettingsLastUpdate", "1326994324");
Line Deleted : user_pref("CT2786678.ThirdPartyComponentsInterval", 504);
Line Deleted : user_pref("CT2786678.ThirdPartyComponentsLastCheck", "Sun Jan 22 2012 15:08:53 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.ThirdPartyComponentsLastUpdate", "1312887586");
Line Deleted : user_pref("CT2786678.ToolbarShrinkedFromSetup", false);
Line Deleted : user_pref("CT2786678.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2786678");
Line Deleted : user_pref("CT2786678.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
Line Deleted : user_pref("CT2786678.Uninstall", true);
Line Deleted : user_pref("CT2786678.UserID", "UN96161163191248315");
Line Deleted : user_pref("CT2786678.WeatherNetwork", "");
Line Deleted : user_pref("CT2786678.WeatherPollDate", "Thu Feb 09 2012 15:22:35 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.WeatherUnit", "F");
Line Deleted : user_pref("CT2786678.alertChannelId", "1178763");
Line Deleted : user_pref("CT2786678.backendstorage.cb_firstuse0100", "31");
Line Deleted : user_pref("CT2786678.backendstorage.cbfirsttime", "5765642053657020323820323031312032313A35313A333920474D542D3034303020284561737465726E204461796C696768742054696D6529");
Line Deleted : user_pref("CT2786678.backendstorage.url_history", "68747470733A2F2F7777772E66616365626F6F6B2E636F6D2F646561637469766174652E706870");
Line Deleted : user_pref("CT2786678.backendstorage.url_history0001", "687474703A2F2F617070732E66616365626F6F6B2E636F6D2F776F72647377697468667269656E64732F3F7265663D626F6F6B6D61726B7326636F756E743D302666625F736F75726[...]
Line Deleted : user_pref("CT2786678.backendstorage.url_history_time", "31333238303831363031383137");
Line Deleted : user_pref("CT2786678.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.conduit.com;apps.conduit.com;services.apps.conduit.com\",\"AppsDetectionUrlPattern\":\"hxxp://appdown[...]
Line Deleted : user_pref("CT2786678.globalFirstTimeInfoLastCheckTime", "Wed Feb 08 2012 21:42:16 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.homepageProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2786678.initDone", true);
Line Deleted : user_pref("CT2786678.isAppTrackingManagerOn", true);
Line Deleted : user_pref("CT2786678.myStuffEnabled", true);
Line Deleted : user_pref("CT2786678.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT2786678.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
Line Deleted : user_pref("CT2786678.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT2786678.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
Line Deleted : user_pref("CT2786678.oldAppsList", "129295695672325902,129295695672325903,111,1000234,129295698017012804,1000034,129526967958500204,129309489763975460,5690698542593514850,129309485163350924,1293154114[...]
Line Deleted : user_pref("CT2786678.searchProtectorDialogDelayInSec", 10);
Line Deleted : user_pref("CT2786678.searchProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2786678.testingCtid", "");
Line Deleted : user_pref("CT2786678.toolbarAppMetaDataLastCheckTime", "Wed Feb 08 2012 21:42:16 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.toolbarContextMenuLastCheckTime", "Wed Feb 08 2012 21:42:16 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT2786678.usagesFlag", 2);
Line Deleted : user_pref("CT3072253..clientLogIsEnabled", false);
Line Deleted : user_pref("CT3072253..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
Line Deleted : user_pref("CT3072253..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
Line Deleted : user_pref("CT3072253.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Line Deleted : user_pref("CT3072253.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Line Deleted : user_pref("CT3072253.BrowserCompStateIsOpen_129573915102477663", true);
Line Deleted : user_pref("CT3072253.BrowserCompStateIsOpen_129749445881800338", true);
Line Deleted : user_pref("CT3072253.BrowserCompStateIsOpen_129805375651312503", true);
Line Deleted : user_pref("CT3072253.BrowserCompStateIsOpen_130067979083742856", true);
Line Deleted : user_pref("CT3072253.BrowserCompStateIsOpen_1359634299000", true);
Line Deleted : user_pref("CT3072253.CTID", "CT3072253");
Line Deleted : user_pref("CT3072253.ConfigurationLastCheckTime", "Wed Nov 27 2013 21:57:32 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.CurrentServerDate", "28-11-2013");
Line Deleted : user_pref("CT3072253.DSInstall", false);
Line Deleted : user_pref("CT3072253.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT3072253.DialogsGetterLastCheckTime", "Wed Nov 27 2013 21:57:33 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.DownloadReferralCookieData", "");
Line Deleted : user_pref("CT3072253.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3072253.FirstServerDate", "22-5-2012");
Line Deleted : user_pref("CT3072253.FirstTime", true);
Line Deleted : user_pref("CT3072253.FirstTimeFF3", true);
Line Deleted : user_pref("CT3072253.FixPageNotFoundErrors", true);
Line Deleted : user_pref("CT3072253.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT3072253.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Line Deleted : user_pref("CT3072253.HPInstall", false);
Line Deleted : user_pref("CT3072253.HasUserGlobalKeys", true);
Line Deleted : user_pref("CT3072253.HomePageProtectorEnabled", false);
Line Deleted : user_pref("CT3072253.HomepageBeforeUnload", "chrome://branding/locale/browserconfig.properties");
Line Deleted : user_pref("CT3072253.Initialize", true);
Line Deleted : user_pref("CT3072253.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT3072253.InstallationAndCookieDataSentCount", 3);
Line Deleted : user_pref("CT3072253.InstallationId", "fft9A48.tmp.exe");
Line Deleted : user_pref("CT3072253.InstallationType", "XPE");
Line Deleted : user_pref("CT3072253.InstalledDate", "Mon May 21 2012 22:21:12 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.IsAlertDBUpdated", true);
Line Deleted : user_pref("CT3072253.IsGrouping", false);
Line Deleted : user_pref("CT3072253.IsInitSetupIni", true);
Line Deleted : user_pref("CT3072253.IsMulticommunity", false);
Line Deleted : user_pref("CT3072253.IsOpenThankYouPage", true);
Line Deleted : user_pref("CT3072253.IsOpenUninstallPage", false);
Line Deleted : user_pref("CT3072253.LanguagePackLastCheckTime", "Wed Nov 27 2013 21:57:31 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT3072253.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
Line Deleted : user_pref("CT3072253.LastLogin_3.12.0.8", "Fri Jun 22 2012 17:13:00 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.LastLogin_3.13.0.6", "Thu Aug 16 2012 03:39:36 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.LastLogin_3.14.1.0", "Tue Sep 04 2012 20:08:17 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.LastLogin_3.15.1.0", "Tue Mar 26 2013 12:20:26 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.LastLogin_3.18.0.7", "Sat Sep 28 2013 21:55:04 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.LastLogin_3.20.0.4", "Wed Nov 27 2013 21:57:31 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.LatestVersion", "3.20.0.4");
Line Deleted : user_pref("CT3072253.Locale", "en");
Line Deleted : user_pref("CT3072253.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT3072253.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Line Deleted : user_pref("CT3072253.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT3072253.MyStuffEnabledAtInstallation", false);
Line Deleted : user_pref("CT3072253.OriginalFirstVersion", "3.12.0.8");
Line Deleted : user_pref("CT3072253.SearchAPILastCheckTime", "Wed Nov 27 2013 21:57:31 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.SearchCaption", "uTorrentControl2 Customized Web Search");
Line Deleted : user_pref("CT3072253.SearchEngineBeforeUnload", "chrome://browser-region/locale/region.properties");
Line Deleted : user_pref("CT3072253.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT3072253.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT3072253.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT3072253.SearchInNewTabLastCheckTime", "Sat Sep 28 2013 21:55:03 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID&UM=UM_ID");
Line Deleted : user_pref("CT3072253.SearchInNewTabURLFromSearchAPI", "hxxp://search.conduit.com/?ctid=CT3072253&octid=CT3072253&SearchSource=15&CUI=SB_CUI&SSPV=EB_SSPV&Lay=1&UM=UM_ID");
Line Deleted : user_pref("CT3072253.SearchProtectorEnabled", false);
Line Deleted : user_pref("CT3072253.SearchProtectorToolbarDisabled", false);
Line Deleted : user_pref("CT3072253.SendProtectorDataViaLogin", true);
Line Deleted : user_pref("CT3072253.ServiceMapLastCheckTime", "Wed Nov 27 2013 21:57:31 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.SettingsLastCheckTime", "Wed Nov 27 2013 21:57:28 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.SettingsLastUpdate", "1385283463");
Line Deleted : user_pref("CT3072253.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT3072253&SearchSource=13");
Line Deleted : user_pref("CT3072253.ThirdPartyComponentsInterval", 504);
Line Deleted : user_pref("CT3072253.ThirdPartyComponentsLastCheck", "Mon May 21 2012 22:21:10 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.ThirdPartyComponentsLastUpdate", "1331805997");
Line Deleted : user_pref("CT3072253.ToolbarShrinkedFromSetup", false);
Line Deleted : user_pref("CT3072253.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
Line Deleted : user_pref("CT3072253.UserID", "UN62129032057498060");
Line Deleted : user_pref("CT3072253.addressBarTakeOverEnabledInHidden", "true");
Line Deleted : user_pref("CT3072253.alertChannelId", "1463702");
Line Deleted : user_pref("CT3072253.autoDisableScopes", 0);
Line Deleted : user_pref("CT3072253.backendstorage.cbcountry_000", "5553");
Line Deleted : user_pref("CT3072253.backendstorage.cbfirsttime", "4D6F6E204D617920323120323031322032323A32313A313420474D542D3034303020284561737465726E204461796C696768742054696D6529");
Line Deleted : user_pref("CT3072253.backendstorage.url_history0001", "687474703A2F2F7777772E676F6F676C652E636F6D2F75726C3F73613D74267263743D6A26713D66616D696C79253230646F6C6C617226736F757263653D7765622663643D3526737[...]
Line Deleted : user_pref("CT3072253.cbcountry_000.from_oldbar.enc", "VVM=");
Line Deleted : user_pref("CT3072253.cbfirsttime.from_oldbar.enc", "TW9uIE1heSAyMSAyMDEyIDIyOjIxOjE0IEdNVC0wNDAwIChFYXN0ZXJuIERheWxpZ2h0IFRpbWUp");
Line Deleted : user_pref("CT3072253.countryCode", "US");
Line Deleted : user_pref("CT3072253.enableAlerts", "never");
Line Deleted : user_pref("CT3072253.firstTimeDialogOpened", true);
Line Deleted : user_pref("CT3072253.fixPageNotFoundErrorByUser", "TRUE");
Line Deleted : user_pref("CT3072253.fixPageNotFoundErrorInHidden", "true");
Line Deleted : user_pref("CT3072253.fullUserID", "UN62129032057498060.UP.20140115174827");
Line Deleted : user_pref("CT3072253.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.conduit.com;apps.conduit.com;services.apps.conduit.com\",\"AppsDetectionUrlPattern\":\"hxxp://appdown[...]
Line Deleted : user_pref("CT3072253.globalFirstTimeInfoLastCheckTime", "Mon May 21 2012 22:21:11 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.homepageProtectorEnableByLogin", true);
Line Deleted : user_pref("CT3072253.initDone", true);
Line Deleted : user_pref("CT3072253.installId", "fft9A48.tmp.exe");
Line Deleted : user_pref("CT3072253.installType", "XPE");
Line Deleted : user_pref("CT3072253.isAppTrackingManagerOn", true);
Line Deleted : user_pref("CT3072253.isCheckedStartAsHidden", true);
Line Deleted : user_pref("CT3072253.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3072253.isFirstTimeToolbarLoading", "false");
Line Deleted : user_pref("CT3072253.isPerformedSmartBarTransition", "true");
Line Deleted : user_pref("CT3072253.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT3072253.keyword", true);
Line Deleted : user_pref("CT3072253.lastVersion", "10.20.101.5");
Line Deleted : user_pref("CT3072253.myStuffEnabled", true);
Line Deleted : user_pref("CT3072253.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT3072253.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
Line Deleted : user_pref("CT3072253.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT3072253.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
Line Deleted : user_pref("CT3072253.navigateToUrlOnSearch", false);
Line Deleted : user_pref("CT3072253.navigationAliasesJson", "{\"EB_MAIN_FRAME_URL\":\"about%3Ablank\",\"EB_MAIN_FRAME_TITLE\":\"\",\"EB_SEARCH_TERM\":\"\",\"EB_TOOLBAR_SUB_DOMAIN\":\"hxxp://uTorrentControl2.OurToolb[...]
Line Deleted : user_pref("CT3072253.originalHomepage", "chrome://branding/locale/browserconfig.properties");
Line Deleted : user_pref("CT3072253.originalSearchAddressUrl", "chrome://browser-region/locale/region.properties");
Line Deleted : user_pref("CT3072253.originalSearchEngine", "chrome://browser-region/locale/region.properties");
Line Deleted : user_pref("CT3072253.revertSettingsEnabled", true);
Line Deleted : user_pref("CT3072253.searchFromAddressBarEnabledByUser", "true");
Line Deleted : user_pref("CT3072253.searchInNewTabEnabledByUser", "true");
Line Deleted : user_pref("CT3072253.searchInNewTabEnabledInHidden", "true");
Line Deleted : user_pref("CT3072253.searchProtector.notifyChanges", "{\"dataType\":\"string\",\"data\":\"false\"}");
Line Deleted : user_pref("CT3072253.searchProtectorDialogDelayInSec", 10);
Line Deleted : user_pref("CT3072253.searchProtectorEnableByLogin", true);
Line Deleted : user_pref("CT3072253.searchSuggestEnabledByUser", "true");
Line Deleted : user_pref("CT3072253.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3072253.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3072253.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\"}");
Line Deleted : user_pref("CT3072253.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"data\":\"CT3072253\"}");
Line Deleted : user_pref("CT3072253.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"string\",\"data\":\"hxxp://uTorrentControl2.OurToolbar.com//xpi\"}");
Line Deleted : user_pref("CT3072253.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"string\",\"data\":\"uTorrentControl2 \"}");
Line Deleted : user_pref("CT3072253.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data\":\"true\"}");
Line Deleted : user_pref("CT3072253.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data\":\"2\"}");
Line Deleted : user_pref("CT3072253.serviceLayer_services_Configuration_lastUpdate", "1391580258505");
Line Deleted : user_pref("CT3072253.serviceLayer_services_login_10.20.101.5_lastUpdate", "1391580264434");
Line Deleted : user_pref("CT3072253.serviceLayer_services_searchAPI_lastUpdate", "1391580258408");
Line Deleted : user_pref("CT3072253.serviceLayer_services_serviceMap_lastUpdate", "1391580258193");
Line Deleted : user_pref("CT3072253.serviceLayer_services_toolbarSettings_lastUpdate", "1391580258693");
Line Deleted : user_pref("CT3072253.serviceLayer_services_translation_lastUpdate", "1391580263359");
Line Deleted : user_pref("CT3072253.settingsINI", true);
Line Deleted : user_pref("CT3072253.showToolbarPermission", "false");
Line Deleted : user_pref("CT3072253.smartbar.CTID", "CT3072253");
Line Deleted : user_pref("CT3072253.smartbar.Uninstall", "0");
Line Deleted : user_pref("CT3072253.smartbar.toolbarName", "uTorrentControl2 ");
Line Deleted : user_pref("CT3072253.testingCtid", "");
Line Deleted : user_pref("CT3072253.toolbarAppMetaDataLastCheckTime", "Wed Nov 27 2013 21:57:33 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.toolbarBornServerTime", "22-5-2012");
Line Deleted : user_pref("CT3072253.toolbarContextMenuLastCheckTime", "Mon May 21 2012 22:21:13 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CT3072253.toolbarCurrentServerTime", "5-2-2014");
Line Deleted : user_pref("CT3072253.toolbarDisabled", "true");
Line Deleted : user_pref("CT3072253.toolbarLoginClientTime", "Wed Feb 05 2014 01:04:24 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CT3072253.upgradeFromOBVersion", true);
Line Deleted : user_pref("CT3072253.url_history0001.from_oldbar.enc", "aHR0cDovL3d3dy5nb29nbGUuY29tL3VybD9zYT10JnJjdD1qJnE9ZmFtaWx5JTIwZG9sbGFyJnNvdXJjZT13ZWImY2Q9NSZzcWk9MiZ2ZWQ9MENKb0JFSXdRTUFRJnVybD1odHRwJTNBJTJG[...]
Line Deleted : user_pref("CT3072253.usagesFlag", 2);
Line Deleted : user_pref("CT3072253_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1391580335258,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT2786678/CT2786678", "\"b00a1ff66f98c26c86a5eba79b4ca9ec1\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT3072253/CT3072253", "\"8ce24be9483cacc1344dba16098a45cd3\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1178763/1174448/US", "\"0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1463702/1459356/US", "\"0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2786678", "\"1313448428\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT3072253", "\"1362324308\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en", "C5ZJe6gL80JBW5CuLy+wkg==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en", "mfQ70fvlD2zuBxSBj8rQqA==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en", "k9un27OkAvkwB2ZmvXxTnA==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en", "FqddrIU7eyJgaaLyHDeVMQ==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\"8076e3ce381dcd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.12.0.8", "\"0d648794549cd1:14d1\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13.0.6", "\"0e0a4327275cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.14.1.0", "\"0e0a4327275cd1:151d\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.15.1.0", "\"0343677cfb1cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.18.0.7", "\"23c5489aa686ce1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.20.0.4", "\"f414eeaa6bece1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.5.0.12", "\"801a319dd78ccc1:12da\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://newtab.conduit-hosting.com/newtab/?ctid=CT3072253&UM=UM_ID", "\"1212221107\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2786678", "\"13a760730d9291f1df061003ecf304ce\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT3072253", "\"52c3f1538cb4af4ada257fcbc6b15d49\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=CT2786678&octid=CT2786678", "\"1321973053\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"e31ffd53af3e4b8047b10f1b213aab62\"");
Line Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\Ray\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\263yxguy.default\\conduitCommon\\modules\\3.12.0.8");
Line Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.12.0.8");
Line Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.properties");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2786678,CT3072253");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2786678,CT3072253");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2786678,CT3072253");
Line Deleted : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Wed Feb 08 2012 21:42:16 GMT-0500 (Eastern Standard Time)");
Line Deleted : user_pref("CommunityToolbar.globalUserId", "18efefc7-db1f-41cf-87bc-4dd33fb64ec6");
Line Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT3072253");
Line Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Mon May 21 2012 22:21:13 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.alertEnabled", false);
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 60);
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Mon May 21 2012 22:21:22 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
Line Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Fri May 25 2012 12:28:33 GMT-0400 (Eastern Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Line Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Line Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Line Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Line Deleted : user_pref("CommunityToolbar.notifications.userId", "d3ee73fd-899c-4196-acbf-d3f41e30dab7");
Line Deleted : user_pref("CommunityToolbar.originalHomepage", "chrome://branding/locale/browserconfig.properties");
Line Deleted : user_pref("CommunityToolbar.originalSearchEngine", "chrome://browser-region/locale/region.properties");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.properties");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3072253");
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3072253");
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q=,hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&CU[...]
Line Deleted : user_pref("smartbar.machineId", "XIILZXP2P3RJMPEGIAZNC/DFVGZEHS2L/PSPAGYDJT1L+BWDCIEYDFJFXWZXSC0K+QB9+OXMWTFBLU0EYGMOPW");
 
-\\ Google Chrome v
 
[ File : C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Search Provider] : hxxp://www.thingamajob.com/Job-Search-Results.aspx?CRITERIA={searchTerms}
Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
Deleted [Search Provider] : hxxp://movies.netflix.com/WiSearch?raw_query=dream+high&ac_category_type=none&ac_rel_posn=-1&ac_abs_posn=-1&v1={searchTerms}&search_submit=
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [38806 octets] - [07/11/2014 00:11:46]
AdwCleaner[S0].txt - [38991 octets] - [07/11/2014 00:18:24]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [39052 octets] ##########

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-11-2014
Ran by Ray (administrator) on RAY-PC on 07-11-2014 00:29:46
Running from C:\Users\Ray\Desktop\FRST64
Loaded Profile: Ray (Available profiles: Ray & Guest)
Platform: Windows 7 Home Premium (X64) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
( ) C:\Windows\System32\lxdqcoms.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
(Acer Incorporated) C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Acer Incorporated) C:\Program Files\Acer\Optical Drive Power Management\ODDPWR.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Program Files (x86)\Lexmark Z2400 Series\lxdqmon.exe
(Microsoft Corporation) C:\Users\Ray\Forefront UAG Remote Access Agent\myfilesunccedu\filer1\uagqecsvc.exe
(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Alcor Micro Corp.) C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Acer Incorporated) C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
(Akamai Technologies, Inc.) C:\Users\Ray\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\Ray\AppData\Local\Akamai\netsession_win.exe
(Flux Software LLC) C:\Users\Ray\AppData\Local\FluxSoftware\Flux\flux.exe
(Spotify Ltd) C:\Users\Ray\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LManager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe
(CyberLink Corp.) C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe
(Dritek System Inc.) C:\Program Files (x86)\Launch Manager\LMworker.exe
(Google Inc.) C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Acer ePower Management] => C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe [860704 2010-03-17] (Acer Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10038304 2010-02-02] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [877600 2010-02-02] (Realtek Semiconductor)
HKLM\...\Run: [ODDPwr] => C:\Program Files\Acer\Optical Drive Power Management\ODDPwr.exe [223264 2010-04-22] (Acer Incorporated)
HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-04-17] (Egis Technology Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [lxdqmon.exe] => C:\Program Files (x86)\Lexmark Z2400 Series\lxdqmon.exe [656040 2008-03-27] ()
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324608 2010-02-05] (Alcor Micro Corp.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2773232 2013-10-17] (Synaptics Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [MDS_Menu] => C:\Program Files (x86)\Acer Arcade Deluxe\MediaShow Espresso\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [LManager] => C:\Program Files (x86)\Launch Manager\LManager.exe [1300560 2010-03-03] (Dritek System Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2009-12-23] (Intel Corporation)
HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\BackupManagerTray.exe [260608 2010-03-08] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [ArcadeMovieService] => C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\ArcadeMovieService.exe [124136 2010-03-17] (CyberLink Corp.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\Run: [Akamai NetSession Interface] => C:\Users\Ray\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\Run: [Google Update] => C:\Users\Ray\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-21] (Google Inc.)
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\Run: [F.lux] => C:\Users\Ray\AppData\Local\FluxSoftware\Flux\flux.exe [1016712 2013-10-15] (Flux Software LLC)
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\Run: [Spotify] => C:\Users\Ray\AppData\Roaming\Spotify\Spotify.exe [6553144 2014-11-06] (Spotify Ltd)
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\Run: [Spotify Web Helper] => C:\Users\Ray\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-11-06] (Spotify Ltd)
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\MountPoints2: {01ce153b-c825-11df-802b-c80aa96b6329} - E:\LaunchU3.exe -a
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\MountPoints2: {3a09bd38-6c18-11e3-9ce8-c80aa96b6329} - D:\LGAutoRun.exe
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\MountPoints2: {d0516e75-7353-11e0-a9aa-c80aa96b6329} - E:\LaunchU3.exe -a
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...\MountPoints2: {dd623a49-f42c-11df-8334-c80aa96b6329} - D:\LaunchU3.exe -a
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 0
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll (Egis Technology Inc.)
ShellIconOverlayIdentifiers-x32: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x86\psdprotect.dll (Egis Technology Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5745&r=27360810c906l0473z1l5t4511k596
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6ECB8329-43A4-4616-8BAD-7CA5496B0A63} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=282369&p={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: HKLM-x32 {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: HKLM-x32 {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default
FF DefaultSearchEngine: Yahoo!
FF SelectedSearchEngine: Yahoo!
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 -> C:\Users\Ray\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 -> C:\Users\Ray\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPCentraUpdater.dll (Saba Software, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF SearchPlugin: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\searchplugins\yahoo_ff.xml
FF Extension: YouTube to MP3 - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\Extensions\youtube2mp3@mondayx.de [2012-01-07]
FF Extension: EPUBReader - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2014-10-15]
FF Extension: No Name - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [Not Found]
 
Chrome: 
=======
CHR Profile: C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-11-19]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-21]
CHR Extension: (AdBlock) - C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2012-07-17]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2011-09-03]
CHR Extension: (Google Wallet) - C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (ScriptSafe) - C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiigbmnaadbkfbmpbfijlflahbdbdgdf [2012-08-02]
CHR StartMenuInternet: Google Chrome - C:\Users\Ray\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 LMS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe [262144 2009-09-30] (Intel Corporation) [File not signed]
S2 lxdqCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxdqserv.exe [29184 2009-04-28] (Lexmark International, Inc.) [File not signed]
R2 lxdq_device; C:\Windows\system32\lxdqcoms.exe [1044648 2008-02-27] ( )
R2 lxdq_device; C:\Windows\SysWOW64\lxdqcoms.exe [594600 2008-02-27] ( )
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R2 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-04-17] (Egis Technology Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2009-05-14] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NTI IScheduleSvc; C:\Program Files (x86)\NewTech Infosystems\Acer Backup Manager\IScheduleSvc.exe [250368 2010-03-08] (NewTech Infosystems, Inc.) [File not signed]
R2 ODDPwrSvc; C:\Program Files\Acer\Optical Drive Power Management\ODDPWRSvc.exe [171040 2010-04-22] (Acer Incorporated)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2009-05-14] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [75136 2011-03-17] ()
R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [244904 2010-02-03] () [File not signed]
R2 uagqecsvc; C:\Users\Ray\Forefront UAG Remote Access Agent\myfilesunccedu\filer1\uagqecsvc.exe [144896 2013-10-18] (Microsoft Corporation) [File not signed]
R2 UNS; C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2314240 2009-09-30] (Intel Corporation) [File not signed]
S2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [X]
S2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Gun; C:\Windows\system32\Gun64.sys [30840 2011-01-30] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R2 {6E090BD5-4EF5-4bf0-A968-74049E88E935}; C:\Program Files (x86)\Acer Arcade Deluxe\Arcade Movie\000.fcl [146928 2010-02-25] (CyberLink Corp.)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 X6va001; \??\C:\Users\Ray\AppData\Local\Temp\001B491.tmp [X]
S3 X6va005; \??\C:\Users\Ray\AppData\Local\Temp\0056632.tmp [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-07 00:26 - 2014-11-07 00:29 - 00000000 ____D () C:\Users\Ray\Desktop\FRST64
2014-11-07 00:26 - 2014-11-07 00:29 - 00000000 ____D () C:\FRST
2014-11-07 00:12 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-11-07 00:11 - 2014-11-07 00:18 - 00000000 ____D () C:\AdwCleaner
2014-11-07 00:11 - 2014-11-07 00:11 - 00001517 _____ () C:\Users\Ray\Desktop\adwcleaner_3.311 - Shortcut.lnk
2014-11-07 00:10 - 2014-11-07 00:10 - 01375089 _____ () C:\Users\Ray\Downloads\adwcleaner_3.311.exe
2014-11-06 20:27 - 2014-11-06 20:29 - 00000000 ____D () C:\Users\Ray\AppData\Local\Spotify
2014-11-06 20:27 - 2014-11-06 20:27 - 00001797 _____ () C:\Users\Ray\Desktop\Spotify.lnk
2014-11-06 20:27 - 2014-11-06 20:27 - 00001783 _____ () C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2014-11-06 20:25 - 2014-11-06 21:15 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Spotify
2014-11-06 20:25 - 2014-11-06 20:25 - 00137888 _____ (Spotify Ltd) C:\Users\Ray\Downloads\SpotifySetup.exe
2014-11-06 03:55 - 2014-11-06 03:55 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Synaptics
2014-11-06 03:21 - 2014-11-06 03:21 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_SynTP_01011.Wdf
2014-11-06 03:18 - 2013-10-17 23:46 - 00726768 _____ (Synaptics Incorporated) C:\Windows\system32\SynCOM.dll
2014-11-06 03:18 - 2013-10-17 23:46 - 00550640 _____ (Synaptics Incorporated) C:\Windows\system32\Drivers\SynTP.sys
2014-11-06 03:18 - 2013-10-17 23:46 - 00422640 _____ (Synaptics Incorporated) C:\Windows\system32\SynTPCo19.dll
2014-11-06 03:18 - 2013-10-17 23:46 - 00403696 _____ (Synaptics Incorporated) C:\Windows\SysWOW64\SynCom.dll
2014-11-06 03:18 - 2013-10-17 23:46 - 00252144 _____ (Synaptics Incorporated) C:\Windows\system32\SynTPAPI.dll
2014-11-06 03:18 - 2013-10-17 23:46 - 00172272 _____ (Synaptics Incorporated) C:\Windows\SysWOW64\SynTPCom.dll
2014-11-06 03:18 - 2013-04-16 18:33 - 01795952 _____ (Microsoft Corporation) C:\Windows\system32\WdfCoInstaller01011.dll
2014-11-06 03:17 - 2014-11-07 00:09 - 00001324 _____ () C:\Windows\Synaptics.log
2014-11-06 03:17 - 2013-10-17 23:46 - 00482032 ____N (Synaptics Incorporated) C:\Users\Ray\Documents\Setup.exe
2014-11-06 02:41 - 2013-10-17 23:44 - 00038224 ____N () C:\Users\Ray\Documents\ReleaseNotes.html
2014-11-06 02:40 - 2014-11-06 02:41 - 00000000 ____D () C:\Users\Ray\Documents\WinWDF
2014-11-06 02:40 - 2013-06-27 17:33 - 00000043 ____N () C:\Users\Ray\Documents\Release.txt
2014-11-06 02:39 - 2014-11-06 02:40 - 123787854 _____ () C:\Users\Ray\Documents\Synaptics_v17_0_19_C_XP32_Vista32_Win7-32_XP64_Vista64_Win7-64_Acme_Inc.zip
2014-11-03 21:52 - 2014-11-03 21:52 - 00000350 _____ () C:\Users\Ray\Desktop\Spring 2015 classes.txt
2014-11-01 21:31 - 2014-11-07 00:04 - 00000798 _____ () C:\Windows\SynInst.log
2014-11-01 17:59 - 2014-11-01 17:59 - 00022434 _____ () C:\Users\Ray\Desktop\dds.txt
2014-11-01 17:59 - 2014-11-01 17:59 - 00021724 _____ () C:\Users\Ray\Desktop\attach.txt
2014-10-31 23:04 - 2014-10-31 23:04 - 00688992 ____R (Swearware) C:\Users\Ray\Desktop\dds.com
2014-10-31 13:18 - 2014-10-31 13:18 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-10-31 13:17 - 2014-10-31 13:17 - 02347384 _____ (ESET) C:\Users\Ray\Desktop\esetsmartinstaller_enu.exe
2014-10-31 00:25 - 2014-11-01 18:20 - 00002202 _____ () C:\Users\Ray\Desktop\Rkill.txt
2014-10-31 00:24 - 2014-10-31 00:25 - 00001414 _____ () C:\Users\Ray\Desktop\rkill.exe - Shortcut.lnk
2014-10-31 00:23 - 2014-10-31 00:24 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\Ray\Downloads\rkill.exe
2014-10-30 22:16 - 2014-10-30 22:17 - 00061034 _____ () C:\Users\Ray\Downloads\Result.txt
2014-10-30 22:16 - 2014-10-30 22:16 - 00401920 _____ (Farbar) C:\Users\Ray\Downloads\MiniToolBox.exe
2014-10-30 22:14 - 2014-10-30 22:14 - 00003394 _____ () C:\Users\Ray\Downloads\FSS.txt
2014-10-30 22:13 - 2014-10-30 22:13 - 00415232 _____ (Farbar) C:\Users\Ray\Downloads\FSS.exe
2014-10-30 22:11 - 2014-10-30 22:11 - 00001079 _____ () C:\Users\Ray\Desktop\SecurityCheck.exe - Shortcut.lnk
2014-10-30 22:10 - 2014-10-30 22:10 - 00854448 _____ () C:\Users\Ray\Downloads\SecurityCheck.exe
2014-10-30 15:23 - 2014-10-30 15:23 - 00078153 _____ () C:\Users\Ray\Documents\bookmarks_10_30_14.html
2014-10-30 14:27 - 2014-10-31 23:21 - 00000000 ____D () C:\Windows\pss
2014-10-30 12:54 - 2014-10-30 12:54 - 00002029 _____ () C:\Users\Ray\Downloads\software_removal_tool.log
2014-10-29 23:15 - 2014-11-01 06:50 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-10-29 23:12 - 2014-10-30 23:59 - 00000000 ____D () C:\Users\Ray\Desktop\mbar
2014-10-29 23:02 - 2014-10-29 23:04 - 14349744 _____ (Malwarebytes Corp.) C:\Users\Ray\Downloads\mbar-1.07.0.1012.exe
2014-10-29 22:52 - 2014-10-29 22:52 - 00000000 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_71-b14.log
2014-10-29 22:29 - 2014-10-29 22:29 - 00001070 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-29 21:56 - 2014-10-29 21:56 - 00000000 _____ () C:\Windows\system32\pvvicv.dll
2014-10-26 16:14 - 2014-10-26 16:14 - 00973248 _____ () C:\Users\Ray\Downloads\Ch56-NetworkDesign.pptx
2014-10-26 15:18 - 2014-10-26 15:18 - 00625184 _____ () C:\Users\Ray\Downloads\QuickResponse (1).pptx
2014-10-26 14:48 - 2014-10-26 14:48 - 01410784 _____ () C:\Users\Ray\Downloads\Ch4-DesignDistribution.pptx
2014-10-15 19:27 - 2014-11-01 18:29 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-15 19:26 - 2014-10-30 23:10 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-15 19:26 - 2014-10-29 22:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-15 19:26 - 2014-10-29 22:29 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-15 19:26 - 2014-10-01 10:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-15 17:43 - 2014-10-15 17:43 - 00000000 _____ () C:\Users\Ray\AppData\Roaming\pvvicv.dll
2014-10-15 16:54 - 2014-10-31 18:42 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-15 16:53 - 2014-10-31 19:15 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-15 16:53 - 2014-10-15 16:53 - 00004024 _____ () C:\Windows\System32\Tasks\{5AA47DDC-CECE-D189-5D3B-4F1DC3F1D7CE}
2014-10-15 16:52 - 2014-10-31 18:42 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-15 16:52 - 2014-10-15 16:52 - 00000448 ____H () C:\Users\Ray\AppData\Roaming\麽鎒駓覜
2014-10-15 16:38 - 2014-10-29 16:27 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-15 00:27 - 2014-10-09 20:53 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-10-15 00:27 - 2014-10-09 20:53 - 00276480 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-10-15 00:27 - 2014-10-09 20:47 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-10-15 00:27 - 2014-09-14 19:44 - 03195392 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-11 18:56 - 2014-10-11 18:56 - 00029120 _____ () C:\Users\Ray\Downloads\QuickResponse_Unlimited.xlsx
2014-10-11 18:30 - 2014-10-11 18:31 - 00625184 _____ () C:\Users\Ray\Downloads\QuickResponse.pptx
2014-10-10 02:58 - 2014-10-10 02:58 - 01199408 _____ () C:\Users\Ray\Downloads\sharda_bi3_ppt_04.pptx
2014-10-10 00:31 - 2014-10-10 00:31 - 04113184 _____ () C:\Users\Ray\Downloads\sharda_bi3_ppt_02.pptx
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-07 00:25 - 2010-04-28 15:08 - 02001530 _____ () C:\Windows\WindowsUpdate.log
2014-11-07 00:25 - 2009-07-14 00:13 - 00726444 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-07 00:20 - 2010-08-07 04:06 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-07 00:20 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-07 00:20 - 2009-07-13 23:51 - 00173520 _____ () C:\Windows\setupact.log
2014-11-07 00:19 - 2010-04-28 15:04 - 00883778 _____ () C:\Windows\PFRO.log
2014-11-07 00:09 - 2010-04-28 15:17 - 00015080 _____ () C:\Windows\DPINST.LOG
2014-11-07 00:02 - 2010-08-07 04:04 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3373049887-3995142470-4015399281-1001UA.job
2014-11-07 00:02 - 2010-08-07 04:04 - 00000848 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3373049887-3995142470-4015399281-1001Core.job
2014-11-06 23:58 - 2012-04-27 22:51 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-06 23:54 - 2010-08-07 04:06 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-06 23:24 - 2012-03-05 22:35 - 00000920 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3373049887-3995142470-4015399281-1001UA.job
2014-11-06 23:24 - 2012-03-05 22:35 - 00000898 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3373049887-3995142470-4015399281-1001Core.job
2014-11-06 17:14 - 2012-08-02 22:12 - 00003910 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{142A3C9A-3FD1-47B4-A9CF-000D437B1591}
2014-11-06 04:02 - 2009-07-13 23:45 - 00015792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-06 04:02 - 2009-07-13 23:45 - 00015792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-06 03:11 - 2011-08-07 10:29 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\uTorrent
2014-11-06 03:09 - 2010-08-07 03:52 - 00000000 ____D () C:\Users\Ray
2014-11-06 03:08 - 2011-11-09 21:31 - 00000000 ____D () C:\Users\Ray\AppData\Local\Akamai
2014-11-06 03:08 - 2011-08-07 10:59 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\vlc
2014-11-06 03:08 - 2010-12-24 17:49 - 00000000 ____D () C:\Users\Guest
2014-11-06 03:07 - 2010-04-28 15:18 - 00000000 ____D () C:\Program Files\Synaptics
2014-11-06 03:07 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\registration
2014-11-02 11:32 - 2013-01-17 14:36 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\YGOPro
2014-10-31 23:21 - 2014-05-09 23:27 - 00000000 ____D () C:\Users\Ray\AppData\Local\Skype
2014-10-31 23:21 - 2014-01-16 01:51 - 00000000 ____D () C:\ProgramData\InstallMate
2014-10-31 23:21 - 2013-09-26 09:30 - 00000000 ____D () C:\Users\Ray\Forefront UAG Remote Access Agent
2014-10-31 23:21 - 2013-09-10 20:31 - 00000000 ____D () C:\Users\Ray\Desktop\Centra
2014-10-31 23:21 - 2013-09-09 23:30 - 00000000 ____D () C:\Users\Ray\Centra
2014-10-31 23:21 - 2013-04-08 00:40 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-10-31 23:21 - 2012-12-12 02:28 - 00000000 ____D () C:\Users\Ray\Downloads\metro 2033
2014-10-31 23:21 - 2012-08-25 14:03 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Centra
2014-10-31 23:21 - 2012-05-22 21:35 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\QuickScan
2014-10-31 23:21 - 2012-05-21 00:23 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Yahoo!
2014-10-31 23:21 - 2012-04-23 01:31 - 00000000 ___RD () C:\Users\Ray\Dropbox
2014-10-31 23:21 - 2012-04-23 01:29 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Dropbox
2014-10-31 23:21 - 2012-03-05 22:35 - 00000000 ____D () C:\Users\Ray\AppData\Local\Facebook
2014-10-31 23:21 - 2011-09-25 00:55 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\WSOP-USA.com
2014-10-31 23:21 - 2011-05-27 17:39 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\OpenOffice.org
2014-10-31 23:21 - 2011-04-22 15:25 - 00000000 ____D () C:\Users\Ray\Pokemon Online
2014-10-31 23:21 - 2011-03-02 20:49 - 00000000 ____D () C:\Users\Ray\AppData\Local\PunkBuster
2014-10-31 23:21 - 2011-01-30 01:32 - 00000000 ____D () C:\Game
2014-10-31 23:21 - 2011-01-11 21:13 - 00000000 ____D () C:\Users\Ray\AppData\Local\PowerCinema
2014-10-31 23:21 - 2010-12-24 17:50 - 00000000 ____D () C:\Users\Guest\AppData\Roaming\Mozilla
2014-10-31 23:21 - 2010-12-24 17:49 - 00000000 ____D () C:\Users\Guest\AppData\Roaming\Skype
2014-10-31 23:21 - 2010-10-24 11:33 - 00000000 ____D () C:\Users\Ray\AppData\Local\Mozilla
2014-10-31 23:21 - 2010-10-20 20:49 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\TomTom
2014-10-31 23:21 - 2010-10-20 20:49 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Mozilla
2014-10-31 23:21 - 2010-10-19 21:42 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Malwarebytes
2014-10-31 23:21 - 2010-10-06 21:54 - 00000000 ____D () C:\ProgramData\Alwil Software
2014-10-31 23:21 - 2010-09-09 11:23 - 00000000 ____D () C:\Users\Ray\AppData\Local\PokerStars.NET
2014-10-31 23:21 - 2010-08-30 19:01 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Skype
2014-10-31 23:21 - 2010-08-26 11:39 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\HP
2014-10-31 23:21 - 2010-08-09 20:53 - 00000000 ____D () C:\Users\Ray\AppData\Local\Microsoft Games
2014-10-31 23:21 - 2010-08-08 18:44 - 00000000 ____D () C:\Users\Ray\AppData\Local\Adobe
2014-10-31 23:21 - 2010-08-07 18:10 - 00000000 ____D () C:\Nexon
2014-10-31 23:21 - 2010-08-07 04:12 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Apple Computer
2014-10-31 23:21 - 2010-08-07 04:12 - 00000000 ____D () C:\Users\Ray\AppData\Local\Apple Computer
2014-10-31 23:21 - 2010-08-07 04:11 - 00000000 ____D () C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2014-10-31 23:21 - 2010-08-07 04:04 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Adobe
2014-10-31 23:21 - 2010-08-07 04:03 - 00000000 ____D () C:\Users\Ray\AppData\Local\Google
2014-10-31 23:21 - 2010-04-28 15:30 - 00000000 ____D () C:\ProgramData\CyberLink
2014-10-31 23:21 - 2010-04-28 15:12 - 00000000 ____D () C:\book
2014-10-31 23:21 - 2010-04-25 00:52 - 00000000 ___HD () C:\OEM
2014-10-31 23:21 - 2010-04-25 00:52 - 00000000 ____D () C:\ProgramData\OEM
2014-10-31 23:21 - 2010-04-25 00:47 - 00000000 ____D () C:\ProgramData\EgisTec IPS
2014-10-31 23:21 - 2010-04-25 00:32 - 00000000 ____D () C:\ProgramData\Acer
2014-10-31 23:14 - 2014-05-13 19:30 - 00000000 ____D () C:\Users\Ray\Documents\Comics
2014-10-31 23:14 - 2014-03-28 13:24 - 00000000 ____D () C:\Users\Ray\Documents\PS3
2014-10-31 23:14 - 2012-05-18 22:00 - 00000000 ____D () C:\Users\Ray\Documents\Win7LogonBackgroundChanger
2014-10-31 23:14 - 2012-04-12 12:33 - 00000000 ____D () C:\Users\Ray\Documents\Economics
2014-10-31 23:14 - 2010-11-05 17:25 - 00000000 ____D () C:\Users\Ray\Documents\CyberLink
2014-10-31 23:14 - 2010-10-20 20:50 - 00000000 ____D () C:\Users\Ray\Documents\TomTom
2014-10-31 23:13 - 2012-08-21 19:08 - 00000000 ____D () C:\Users\Ray\Documents\eTextbook
2014-10-31 23:13 - 2010-08-08 20:58 - 00000000 ____D () C:\Users\Ray\Documents\My Received Files
2014-10-31 00:08 - 2009-07-14 02:45 - 00000000 ____D () C:\Windows\ShellNew
2014-10-30 06:34 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Web
2014-10-30 02:25 - 2010-08-07 07:02 - 00000000 ____D () C:\Users\Ray\Tracing
2014-10-29 22:52 - 2010-09-09 09:51 - 00000000 ____D () C:\Program Files (x86)\Java
2014-10-29 22:13 - 2014-08-31 13:20 - 00000000 ____D () C:\Users\Ray\Airstream
2014-10-29 21:55 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\TAPI
2014-10-28 05:34 - 2010-08-07 04:17 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-27 19:05 - 2010-08-07 04:05 - 00002360 _____ () C:\Users\Ray\Desktop\Google Chrome.lnk
2014-10-22 08:49 - 2010-08-07 04:06 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-22 08:49 - 2010-08-07 04:06 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-21 22:57 - 2010-08-07 04:04 - 00003866 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3373049887-3995142470-4015399281-1001UA
2014-10-21 22:57 - 2010-08-07 04:04 - 00003470 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3373049887-3995142470-4015399281-1001Core
2014-10-16 20:45 - 2009-07-13 23:45 - 00444872 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-16 20:44 - 2014-07-17 05:15 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-10-16 20:43 - 2010-04-25 00:33 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-16 20:41 - 2013-08-15 02:02 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-16 20:30 - 2010-08-13 11:21 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-15 19:26 - 2012-05-22 08:05 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-10-15 19:26 - 2010-10-19 21:42 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-15 17:33 - 2014-08-31 13:19 - 00000000 ____D () C:\Program Files (x86)\AirStream-Suite
2014-10-15 17:33 - 2014-02-17 01:20 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-15 17:33 - 2013-02-01 10:35 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
 
Some content of TEMP:
====================
C:\Users\Ray\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmprxikne.dll
C:\Users\Ray\AppData\Local\Temp\ICSharpCode.SharpZipLib.dll
C:\Users\Ray\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Ray\AppData\Local\Temp\msc.dll
C:\Users\Ray\AppData\Local\Temp\Quarantine.exe
C:\Users\Ray\AppData\Local\Temp\SearchProtectionSetup.exe
C:\Users\Ray\AppData\Local\Temp\YgoUpdater.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-05 00:29
 
==================== End Of Log ============================
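The "One Month Created Files" section of the log above is where the dropped components show up: the GUID-named scheduled-task file, the `@system*.att` and `wrnhoah.tmp` files in ProgramData and the hidden file with a non-ASCII name in AppData\Roaming were all created within a few minutes of each other on 2014-10-15. The Python below is an added example (it is not part of the original post, nor FRST's own code) that parses lines in that format, clusters everything created within a window around a seed entry, and applies simple triage heuristics (hidden attribute, file in a user-writable location, non-ASCII or vowel-poor name, task file named by a bare GUID). The sample lines are copied from the log above; the 60-minute window, the vowel threshold and the choice of the task file as seed are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Lines copied from the "One Month Created Files" section above.
# Column order in that section: created - modified - size attrs (company) path.
SAMPLE = r"""
2014-10-29 21:56 - 2014-10-29 21:56 - 00000000 _____ () C:\Windows\system32\pvvicv.dll
2014-10-15 19:27 - 2014-11-01 18:29 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-15 17:43 - 2014-10-15 17:43 - 00000000 _____ () C:\Users\Ray\AppData\Roaming\pvvicv.dll
2014-10-15 16:54 - 2014-10-31 18:42 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-15 16:53 - 2014-10-31 19:15 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-15 16:53 - 2014-10-15 16:53 - 00004024 _____ () C:\Windows\System32\Tasks\{5AA47DDC-CECE-D189-5D3B-4F1DC3F1D7CE}
2014-10-15 16:52 - 2014-10-31 18:42 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-15 16:52 - 2014-10-15 16:52 - 00000448 ____H () C:\Users\Ray\AppData\Roaming\麽鎒駓覜
2014-10-15 16:38 - 2014-10-29 16:27 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-15 00:27 - 2014-10-09 20:53 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
"""

LINE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - '
    r'(?P<size>\d+) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.IGNORECASE)
# Locations a standard user can write to; assumption: these matter most for droppers.
USER_WRITABLE = ('\\programdata\\', '\\appdata\\', '\\users\\public\\')


class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: int
    attrs: str      # FRST attribute column, e.g. "____H" (hidden), "____D" (directory)
    company: str    # version-info company name, empty when the file has none
    path: str


def parse(lines) -> List[Entry]:
    """Parse FRST 'Created Files' lines; silently skips headers and blank lines."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(
                datetime.strptime(m['created'], '%Y-%m-%d %H:%M'),
                datetime.strptime(m['modified'], '%Y-%m-%d %H:%M'),
                int(m['size']), m['attrs'], m['company'], m['path']))
    return entries


def reasons(e: Entry) -> List[str]:
    """Heuristic reasons an entry deserves a look (thresholds are assumptions)."""
    name = e.path.rsplit('\\', 1)[-1]
    stem = name.rsplit('.', 1)[0]
    out = []
    if 'H' in e.attrs:
        out.append('hidden')
    if 'D' not in e.attrs and any(p in e.path.lower() for p in USER_WRITABLE):
        out.append('file in user-writable location')
    if any(ord(c) > 127 for c in name):
        out.append('non-ASCII name')
    if stem.isascii() and stem.isalpha() and len(stem) >= 5 \
            and sum(c in 'aeiou' for c in stem.lower()) / len(stem) < 0.3:
        out.append('vowel-poor (likely random) name')
    if GUID_RE.match(name) and '\\system32\\tasks\\' in e.path.lower():
        out.append('scheduled task named by bare GUID')
    return out


def find_seed(entries: List[Entry], needle: str) -> Entry:
    """First entry whose path contains needle (case-insensitive)."""
    return next(e for e in entries if needle.lower() in e.path.lower())


def cluster_around(entries: List[Entry], seed: Entry,
                   window: timedelta = timedelta(minutes=60)) -> List[Entry]:
    """Everything created within +/- window of the seed, oldest first."""
    return sorted((e for e in entries if abs(e.created - seed.created) <= window),
                  key=lambda e: e.created)


def triage(lines, seed_needle: str,
           window: timedelta = timedelta(minutes=60)) -> List[Tuple[Entry, List[str]]]:
    """Cluster around the seed and keep only the members that trip a heuristic."""
    entries = parse(lines)
    seed = find_seed(entries, seed_needle)
    return [(e, reasons(e)) for e in cluster_around(entries, seed, window) if reasons(e)]


if __name__ == '__main__':
    for e, why in triage(SAMPLE.splitlines(), 'System32\\Tasks\\{5AA47DDC'):
        print(e.created.strftime('%Y-%m-%d %H:%M'), e.path, '<-', '; '.join(why))
```

Run against the sample, the cluster around the task file holds seven entries and six of them trip a heuristic; the MBAM driver installed two and a half hours later and the Windows Update DLLs from the early morning fall outside the window, which is the point of clustering rather than scanning the whole month.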
 
 
 
 
 

#4 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 07 November 2014 - 09:14 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF SearchPlugin: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\searchplugins\yahoo_ff.xml
FF Extension: No Name - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [Not Found]
CHR HomePage: Default -> https://search.yahoo.com/?type=282369&fr=spigot-yhp-ch
S2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [X]
S2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 X6va001; \??\C:\Users\Ray\AppData\Local\Temp\001B491.tmp [X]
S3 X6va005; \??\C:\Users\Ray\AppData\Local\Temp\0056632.tmp [X]
C:\Users\Ray\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmprxikne.dll
C:\Users\Ray\AppData\Local\Temp\ICSharpCode.SharpZipLib.dll
C:\Users\Ray\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Ray\AppData\Local\Temp\msc.dll
C:\Users\Ray\AppData\Local\Temp\Quarantine.exe
C:\Users\Ray\AppData\Local\Temp\SearchProtectionSetup.exe
C:\Users\Ray\AppData\Local\Temp\YgoUpdater.exe
Task: {5C6F0EB6-C9AF-4B17-9D94-D568178AD0ED} - System32\Tasks\{5AA47DDC-CECE-D189-5D3B-4F1DC3F1D7CE} => C:\Users\Ray\AppData\Roaming\vxrpsd.dll/s "C:\Users\Ray\AppData\Roaming\vxrpsd.dll" <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

How is the computer running now?
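The first fixlist entry is the one that matters: a per-user CLSID key whose LocalServer32 value begins `rundll32.exe javascript:`, so the loader lives in the registry rather than on disk, and the JScript passed to `eval(...)` is hidden by shifting every character up by one (`epdvnfou/xsjuf` is `document.write`; FRST truncates the value, which is why the decoded text stops at `jscr`). The Python below is an added example, not part of the original post and not FRST's own code, that scans FRST-style report lines for that pattern, decodes the shifted payload, and also flags scheduled tasks that load a DLL from AppData and services whose binary FRST marks `[X]` (file not found). The sample lines are copied from the fixlist above plus one benign Run entry constructed for contrast; the finding names and severities are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample FRST-style report lines. The LocalServer32, Task and two service lines
# are copied from the fixlist above; the Run entry is constructed for contrast.
SAMPLE = r"""
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
Task: {5C6F0EB6-C9AF-4B17-9D94-D568178AD0ED} - System32\Tasks\{5AA47DDC-CECE-D189-5D3B-4F1DC3F1D7CE} => C:\Users\Ray\AppData\Roaming\vxrpsd.dll/s "C:\Users\Ray\AppData\Roaming\vxrpsd.dll" <==== ATTENTION
S3 X6va001; \??\C:\Users\Ray\AppData\Local\Temp\001B491.tmp [X]
S2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [X]
"""

LOCALSERVER_RE = re.compile(r'\\localserver32:\s*(?P<value>.+)$', re.IGNORECASE)
# The eval() argument either closes with a quote or is cut off by FRST's
# "(the data entry has N more characters)" note.
EVAL_RE = re.compile(r'eval\("(?P<payload>[^"]*?)(?:"|\s*\(the data entry)')
TASK_RE = re.compile(r'^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>\S+) => '
                     r'(?P<target>.+?)(?: <====.*)?$', re.IGNORECASE)
SERVICE_RE = re.compile(r'^S[0-4] (?P<name>[^;]+); (?P<path>.+) \[X\]$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def decode_shift(text: str, shift: int = 1) -> str:
    """Undo the per-character code-point shift used to hide the JScript."""
    return ''.join(chr(ord(c) - shift) for c in text)


def analyse(lines) -> List[Finding]:
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        # 1. COM hijack: a CLSID LocalServer32 that starts rundll32 on a javascript: URL.
        m = LOCALSERVER_RE.search(line)
        if m:
            value = m['value']
            if 'rundll32' in value.lower() and 'javascript:' in value.lower():
                detail = 'CLSID LocalServer32 starts rundll32 with a javascript: URL (fileless loader)'
                e = EVAL_RE.search(value)
                if e:
                    detail += '; eval() argument decodes to ' + repr(decode_shift(e['payload']))
                findings.append(Finding('com-hijack', detail, line))
            continue

        # 2. Scheduled tasks: DLL under AppData, or a task named only by a GUID.
        m = TASK_RE.match(line)
        if m:
            target = m['target']
            if '\\appdata\\' in target.lower() and '.dll' in target.lower():
                findings.append(Finding('task-appdata-dll',
                                        f"task {m['name']} runs {target}", line))
            elif GUID_RE.match(m['name']):
                findings.append(Finding('task-guid-name',
                                        f"task {m['name']} has a bare GUID name", line))
            continue

        # 3. Services/drivers whose binary FRST could not find ([X]).
        m = SERVICE_RE.match(line)
        if m:
            kind = 'service-temp-binary' if '\\temp\\' in m['path'].lower() else 'service-orphan'
            findings.append(Finding(kind, f"{m['name']} points at missing file {m['path']}", line))
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE.splitlines()):
        print(f'[{f.kind}] {f.detail}')
```

A driver registered from `%TEMP%` with its file already gone (`X6va001`) is a different class of finding from an uninstalled product that left its service entry behind (`Apple Mobile Device`), which is why the two get separate labels; both still belong in the fixlist, since FRST deletes the orphaned registration either way.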

#5 rchi (Topic Starter)

Posted 09 November 2014 - 06:41 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-11-2014 01
Ran by Ray at 2014-11-09 18:29:43 Run:1
Running from C:\Users\Ray\Desktop\FRST64
Loaded Profile: Ray (Available profiles: Ray & Guest)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF SearchPlugin: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\searchplugins\yahoo_ff.xml
FF Extension: No Name - C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [Not Found]
S2 Apple Mobile Device; "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" [X]
S2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 X6va001; \??\C:\Users\Ray\AppData\Local\Temp\001B491.tmp [X]
S3 X6va005; \??\C:\Users\Ray\AppData\Local\Temp\0056632.tmp [X]
C:\Users\Ray\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmprxikne.dll
C:\Users\Ray\AppData\Local\Temp\ICSharpCode.SharpZipLib.dll
C:\Users\Ray\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Ray\AppData\Local\Temp\msc.dll
C:\Users\Ray\AppData\Local\Temp\Quarantine.exe
C:\Users\Ray\AppData\Local\Temp\SearchProtectionSetup.exe
C:\Users\Ray\AppData\Local\Temp\YgoUpdater.exe
Task: {5C6F0EB6-C9AF-4B17-9D94-D568178AD0ED} - System32\Tasks\{5AA47DDC-CECE-D189-5D3B-4F1DC3F1D7CE} => C:\Users\Ray\AppData\Roaming\vxrpsd.dll/s "C:\Users\Ray\AppData\Roaming\vxrpsd.dll" <==== ATTENTION
 
End
*****************
 
"HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-3373049887-3995142470-4015399281-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.
C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\searchplugins\yahoo_ff.xml => Moved successfully.
C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\263yxguy.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} not found.
Chrome HomePage deleted successfully.
Apple Mobile Device => Service deleted successfully.
McNASvc => Service deleted successfully.
McProxy => Service deleted successfully.
EagleX64 => Service deleted successfully.
X6va001 => Service deleted successfully.
X6va005 => Service deleted successfully.
C:\Users\Ray\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmprxikne.dll => Moved successfully.
C:\Users\Ray\AppData\Local\Temp\ICSharpCode.SharpZipLib.dll => Moved successfully.
C:\Users\Ray\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe => Moved successfully.
C:\Users\Ray\AppData\Local\Temp\msc.dll => Moved successfully.
C:\Users\Ray\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Ray\AppData\Local\Temp\SearchProtectionSetup.exe => Moved successfully.
C:\Users\Ray\AppData\Local\Temp\YgoUpdater.exe => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5C6F0EB6-C9AF-4B17-9D94-D568178AD0ED}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C6F0EB6-C9AF-4B17-9D94-D568178AD0ED}" => Key deleted successfully.
C:\Windows\System32\Tasks\{5AA47DDC-CECE-D189-5D3B-4F1DC3F1D7CE} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{5AA47DDC-CECE-D189-5D3B-4F1DC3F1D7CE}" => Key deleted successfully.
 
==== End of Fixlog ====
 
 
The computer is running smoothly now. The dllhost.exes have stopped. 


#6 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 10 November 2014 - 08:30 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 rchi (Topic Starter)

Posted 11 November 2014 - 02:55 PM

Well I'm still concerned about some of the stuff I mentioned in the opening post. I just want to make sure my computer is completely clean. 



#8 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 12 November 2014 - 09:06 AM

We cannot confirm that your computer is 100% clean from anything.

You have executed many cleaning programs and all that was identified was cleaned.

If the computer is not giving you any problems, well, that is good.

You may decide for your security to change all your passwords. Your call.

#9 rchi (Topic Starter)

Posted 16 November 2014 - 07:35 PM

I see. Well my computer has been running fine for the past week so I guess everything is okay. Thank you very much for your help!



#10 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 17 November 2014 - 09:09 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



