
Multiple Viruses(zoomify), internet is disabled, will not boot in safe mode.


17 replies to this topic

#1 ravendark

Posted 21 December 2014 - 08:12 PM

I have a Dell XPS 8300

Processor: Intel® Core™ i7-2600 CPU @ 3.40GHz 3.40GHz

RAM: 8GB, 64-bit operating system

I was attempting to download something from download.cnet and did the custom install to NOT install the things they hide in the installer, and it installed them anyway. One of the things that it installed was Zoomify.

Upon checking Task Manager, I found the following things running that I have never seen before. Most of them restart themselves instantaneously upon termination. Here are the processes, descriptions, and where they are located when I click "open file location":

coz32host.exe*32 - description is the same as name - Location: ProgramData/zoomify_29/1.1.0.29 **The reason for the 29 is that every time I attempt to delete this folder, it replicates itself**

coz64host.exe - description is the same as name - Location: ProgramData/zoomify_29/1.1.0.29

cozahost.exe*32 - description is the same as name - Location: ProgramData/zoomify_29/1.1.0.29

csrss.exe - No description (will not open a file location)

winlogon.exe - No description (will not open a file location)

atieclxx.exe - No description (will not open a file location)

client.exe - No description (AppData/Local/GeniousBox) *I just deleted this, even though I already did earlier and it somehow came back*

Upon going to the zoomify folder, I also see "cozaghost.exe" and "cozwdhost.exe" as well as zoomifyL32.dll, zoomifyL64.dll, and zoomifyutil32.dll.

The "client.exe" process was blocking my computer from accessing the internet, and once I deleted it, I was able to access the internet again.

When I try to boot in safe mode, it will start the boot process, but my monitor will say "no signal". You can still hear the computer running, there is just no signal. I have tried Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt. Same thing every time. It boots fine in normal Windows mode.

What I can conclude is that this virus has blocked my computer from starting if it is not running. I can't delete it, because it is "running in another window/program", and I can't end it because it restarts faster than I can click the next one. I am at a loss here.

Update: I just spent about an hour messing around. I opened the zoomify folder and was able to change the permissions on these three files so that I could stop the process in Task Manager and delete them: coz32host.exe*32, coz64host.exe, cozahost.exe*32. Even though I deleted them, they still keep trying to open, triggering an error window that pops up saying "Windows cannot find 'C:\ProgramData\zoomify_29\1.1.0.29\coz64host.exe'. Make sure you typed the name correctly, and then try again". It does this for the three files that I was able to delete. If I close out of the error window, it pops back up again in a few seconds.

Under Processes, "cozaghost.exe" and "cozwdhost.exe" do not show up in the list. However, they are located in the "Services" tab of my Task Manager instead. I am unable to delete these because I am unable to stop the services from running.

I was also able to remove zoomifyL32.dll using my methods. If I try to delete zoomifyL64.dll, it says "This action can't be completed because the file is open in Print driver host for 32bit applications."

zoomifyutil32.dll cannot be deleted because it is open in cozaghost.exe.

Any help would be much appreciated. Malwarebytes finds NO malicious files. Spybot found some, but whatever I deleted was not this. And Avira says everything is free and clear.


Edited by ravendark, 21 December 2014 - 08:15 PM.



#2 ravendark (Topic Starter)

Posted 21 December 2014 - 08:15 PM

Sorry, I forgot to change the title once I got the internet running again. =( This has been like a three hour work in progress.



#3 Oh My! (Malware Response Instructor)

Posted 25 December 2014 - 11:22 AM

Greetings ravendark and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. While I review our situation please run the below for me.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
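As an added example (not from this thread, and not part of FRST itself), here is a small Python triage script for the FRST.txt layout requested above: it parses the Processes and Registry sections and flags entries with no publisher in their version info, autoruns whose file is gone ([X]), lines FRST itself marks ATTENTION!, and executables under ProgramData, AppData or Downloads, the kind of location where the zoomify files and client.exe from the first post lived. The sample log is constructed in the same layout, and the flagging rules are assumed triage heuristics (a hit such as a legitimate updater in AppData means "look again", not "malware").

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the FRST.txt layout used in this thread. A process line is
# "(Publisher) path"; an autorun line is "hive\...\Run: [Name] => path [size date] (Publisher)".
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atieclxx.exe
() C:\ProgramData\zoomify_29\1.1.0.29\cozahost.exe
(Vagex) C:\Users\Sasha\Downloads\Vagex.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-16] (Avira Operations GmbH & Co. KG)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-0\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-0\...\Run: [Facebook Update] => "C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-0\...\Run: [Vagex] => C:\Users\Sasha\Downloads\Vagex.exe [158720 2014-12-21] (Vagex)
"""

SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
PROCESS_RE = re.compile(r"^\((?P<pub>[^)]*)\) (?P<path>[A-Za-z]:\\.*)$")
AUTORUN_RE = re.compile(r"^(?P<key>HK\S+?): \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
TRAILER_RE = re.compile(r"\s*\[\d+ \d{4}-\d{2}-\d{2}\] \((?P<pub>[^)]*)\)$")
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?)"?(?:\s+/.*)?$')
# Locations a standard user can write to by default (assumed triage heuristic).
WRITABLE_RE = re.compile(
    r"\\(?:ProgramData|Users\\[^\\]+\\(?:AppData|Downloads|Desktop))\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: Optional[str]
    publisher: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_autorun_target(rest: str):
    """Split the right-hand side of an autorun line into (path, publisher)."""
    rest = rest[3:].strip() if rest.startswith("=> ") else rest.strip()
    if rest == "[X]":          # FRST's marker for an autorun whose file is gone
        return None, None
    publisher = None
    trailer = TRAILER_RE.search(rest)
    if trailer:                # "[size date] (Publisher)" suffix
        publisher = trailer.group("pub")
        rest = rest[:trailer.start()]
    path = PATH_RE.match(rest)
    return (path.group("path") if path else None), publisher


def assess(section, name, path, publisher, raw) -> Finding:
    """Apply the triage rules; an empty reasons list means nothing stood out."""
    reasons = []
    if "ATTENTION!" in raw:
        reasons.append("flagged by FRST itself")
    if path is None and raw.rstrip().endswith("[X]"):
        reasons.append("autorun entry points to a file that no longer exists")
    if publisher == "":        # "()" in FRST output: no company name in version info
        reasons.append("no publisher in file version info")
    if path and WRITABLE_RE.search(path):
        reasons.append("runs from a user-writable location")
    return Finding(section, name, path, publisher, reasons)


def triage(text: str) -> List[Finding]:
    """Walk an FRST.txt and return only the entries that tripped at least one rule."""
    section, findings = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        if section.startswith("Processes") and (m := PROCESS_RE.match(line)):
            path = m.group("path")
            finding = assess(section, path.rsplit("\\", 1)[-1], path, m.group("pub"), line)
        elif section.startswith("Registry") and (m := AUTORUN_RE.match(line)):
            path, publisher = parse_autorun_target(m.group("rest"))
            finding = assess(section, m.group("name"), path, publisher, line)
        else:
            continue
        if finding.reasons:
            findings.append(finding)
    return findings


def report(text: str) -> str:
    """One line per finding; a hit is a prompt for a second look, not a verdict."""
    return "\n".join(f"[{f.section}] {f.name}: {'; '.join(f.reasons)} ({f.path})"
                     for f in triage(text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample, atieclxx.exe (which the first post worried about) is not flagged because it carries the AMD publisher and lives in System32, while the unsigned cozahost.exe under ProgramData trips two rules at once.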

#4 Oh My! (Malware Response Instructor)

Posted 28 December 2014 - 04:54 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.


Gary

#5 ravendark (Topic Starter)

Posted 29 December 2014 - 12:31 PM

Hello Gary!

My name is Sasha =)

Thank you so much for taking your time to help people out with computer issues!

So a little backstory, because I was out of state the past four days for the holidays. Happy Holidays by the way.

While waiting for a reply, I walked away from my computer to give my brain a rest and came back several hours later and continued to try and delete those damned files. I eventually was successful in doing so. Apparently the .dll files were attached to a "printer spooler" process that was running, so I force stopped it, deleted the .dll and the other .dll and the other .exe file, so they were finally gone. I restarted the printer spooler and so far, everything is running smoothly (or appears to be). I still think I have gadgetbox on my computer somewhere, but I can't find it.

Anywho, I did the things that you have asked, and here are the results.

_____________________________________________________________


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014
Ran by Sasha (administrator) on DOOMSDAY on 29-12-2014 12:22:20
Running from C:\Users\Sasha\Downloads
Loaded Profiles: Sasha &  (Available profiles: Sasha & SEAN)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
() C:\Program Files (x86)\Paragon Software\HFS+ for Windows  8.0\apmwinsrv.exe
(Apple Computer, Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
() C:\Program Files (x86)\Canon\IJPLM\ijplmsvc.exe
(NTI Corporation) C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(CANON INC.) C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(LG Electronics) C:\LGMobileUpgrade\LGMOBILEAX\BYR_Client\VZWUAAgent.exe
(Flux Software LLC) C:\Users\Sasha\AppData\Local\FluxSoftware\Flux\flux.exe
(ArcSoft, Inc.) C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Alcor Micro Corp.) C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
() C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
(PowerISO Computing, Inc.) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\IntelAppStore\bin\AppUp.exe
(CANON INC.) C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(NTI Corporation) C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Wondershare) C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_235_ActiveX.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVH.EXE
() Q:\140066.enu\Office14\WINWORDC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
() Q:\140066.enu\Office14\OffSpon.EXE
(Vagex) C:\Users\Sasha\Downloads\Vagex.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_246.exe
(Microsoft Corporation) C:\Windows\System32\SndVol.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RunDLLEntry_THXCfg] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [RunDLLEntry_EptMon] => C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2055016 2011-04-29] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13307496 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2779024 2011-03-14] (CANON INC.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [ShwiconXP9106] => C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe [237568 2010-03-10] (Alcor Micro Corp.)
HKLM-x32\...\Run: [THX Audio Control Panel] => C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe [963584 2009-12-01] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [Dell Registration] => C:\Program Files (x86)\System Registration\prodreg.exe [4144448 2010-11-10] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AccuWeatherWidget] => C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [885760 2011-04-29] ()
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-12] (Logitech Inc.)
HKLM-x32\...\Run: [DivXUpdate] => C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-28] ()
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [180224 2009-07-26] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [152896 2012-04-04] (Intel Corporation)
HKLM-x32\...\Run: [Intel AppUp(SM) center Systray] => C:\Program Files (x86)\Intel\IntelAppStore\bin\AppUp.exe [932608 2012-04-04] (Intel Corporation)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1612920 2011-08-04] (CANON INC.)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [296096 2012-11-21] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AdobeCS4ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2014-03-13] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [702768 2014-12-16] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [BackupNowEZtray] => C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZtray.exe [581624 2013-02-05] (NTI Corporation)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [126200 2014-11-20] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2072928 2014-10-31] (Wondershare)
HKLM-x32\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Video Converter Ultimate\DelayPluginI.exe
HKLM\...\RunOnce: [EDocs] => C:\Program Files\Dell Inc\Dell Edoc Viewer\EDocs.exe [1499648 2010-04-28] (Dell Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [Google Update] => C:\Users\Sasha\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-17] (Google Inc.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [Facebook Update] => "C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [ooVoo.exe] => C:\Program Files (x86)\ooVoo\oovoo.exe [37904960 2013-04-04] (ooVoo LLC)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [Spotify Web Helper] => C:\Users\Sasha\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-12-21] (Spotify Ltd)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [BYRUA_AGENT] => C:\LGMobileUpgrade\LGMOBILEAX\BYR_Client\VZWUAAgent.exe [392312 2012-12-09] (LG Electronics)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [Vagex] => C:\Users\Sasha\Downloads\Vagex.exe [158720 2014-12-21] (Vagex)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [F.lux] => C:\Users\Sasha\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [Spotify] => C:\Users\Sasha\AppData\Roaming\Spotify\Spotify.exe [6553144 2014-12-21] (Spotify Ltd)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [GoogleChromeAutoLaunch_3B6A60E56BCE5F44532CD2A14A3F77CC] => C:\Users\Sasha\AppData\Local\Google\Chrome\Application\chrome.exe [856904 2014-12-05] (Google Inc.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\RunOnce: [Adobe Speed Launcher] => 1419203208
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_15_0_0_246_Plugin.exe [855216 2014-12-09] (Adobe Systems Incorporated)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\MountPoints2: {953d5428-ebb4-11e2-b04b-782bcba02785} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\MountPoints2: {b31af55f-e772-11e1-b163-782bcba02785} - G:\TL_Bootstrap.exe
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Google Update] => C:\Users\Sasha\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-17] (Google Inc.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Facebook Update] => "C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [ooVoo.exe] => C:\Program Files (x86)\ooVoo\oovoo.exe [37904960 2013-04-04] (ooVoo LLC)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Spotify Web Helper] => C:\Users\Sasha\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-12-21] (Spotify Ltd)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [BYRUA_AGENT] => C:\LGMobileUpgrade\LGMOBILEAX\BYR_Client\VZWUAAgent.exe [392312 2012-12-09] (LG Electronics)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Vagex] => C:\Users\Sasha\Downloads\Vagex.exe [158720 2014-12-21] (Vagex)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [F.lux] => C:\Users\Sasha\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Spotify] => C:\Users\Sasha\AppData\Roaming\Spotify\Spotify.exe [6553144 2014-12-21] (Spotify Ltd)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [GoogleChromeAutoLaunch_3B6A60E56BCE5F44532CD2A14A3F77CC] => C:\Users\Sasha\AppData\Local\Google\Chrome\Application\chrome.exe [856904 2014-12-05] (Google Inc.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\RunOnce: [Adobe Speed Launcher] => 1419203208
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {953d5428-ebb4-11e2-b04b-782bcba02785} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {b31af55f-e772-11e1-b163-782bcba02785} - G:\TL_Bootstrap.exe
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [Google Update] => C:\Users\Sasha\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-17] (Google Inc.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [Facebook Update] => "C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [ooVoo.exe] => C:\Program Files (x86)\ooVoo\oovoo.exe [37904960 2013-04-04] (ooVoo LLC)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [Spotify Web Helper] => C:\Users\Sasha\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-12-21] (Spotify Ltd)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [BYRUA_AGENT] => C:\LGMobileUpgrade\LGMOBILEAX\BYR_Client\VZWUAAgent.exe [392312 2012-12-09] (LG Electronics)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [Vagex] => C:\Users\Sasha\Downloads\Vagex.exe [158720 2014-12-21] (Vagex)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [F.lux] => C:\Users\Sasha\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [Spotify] => C:\Users\Sasha\AppData\Roaming\Spotify\Spotify.exe [6553144 2014-12-21] (Spotify Ltd)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [GoogleChromeAutoLaunch_3B6A60E56BCE5F44532CD2A14A3F77CC] => C:\Users\Sasha\AppData\Local\Google\Chrome\Application\chrome.exe [856904 2014-12-05] (Google Inc.)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\RunOnce: [Adobe Speed Launcher] => 1419203208
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\MountPoints2: {953d5428-ebb4-11e2-b04b-782bcba02785} - F:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\MountPoints2: {b31af55f-e772-11e1-b163-782bcba02785} - G:\TL_Bootstrap.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Button Manager v1.874.lnk
ShortcutTarget: Button Manager v1.874.lnk -> C:\Program Files (x86)\INITIO\Button Manager v1.874\inihid.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TotalMedia Backup Monitor.lnk
ShortcutTarget: TotalMedia Backup Monitor.lnk -> C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe (ArcSoft, Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Sasha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-175057651-2618150129-1025104438-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
URLSearchHook: HKLM-x32 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKLM -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO-x32: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\Program Files (x86)\YRefresher\YRefresher.dll ()
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: WSWSVCUchrome - No CLSID Value
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default
FF DefaultSearchEngine: Google
FF SearchEngineOrder.1: GadgetBox
FF SearchEngineOrder.1,S: GadgetBox
FF SelectedSearchEngine: GadgetBox
FF SelectedSearchEngine,S: GadgetBox
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_246.dll ()
FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1200112.dll (Adobe Systems, Inc.)
FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=15.0.6.14 -> c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprjplug;version=15.0.6.14 -> c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=12.0.1.669 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=15.0.6.14 -> c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\Sasha\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: @talk.google.com/O1DPlugin -> C:\Users\Sasha\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: intel.com/AppUp -> C:\Program Files (x86)\Intel\IntelAppStore\bin\npAppUp.dll (Intel)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @talk.google.com/GoogleTalkPlugin -> C:\Users\Sasha\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @talk.google.com/O1DPlugin -> C:\Users\Sasha\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @tools.google.com/Google Update;version=3 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @tools.google.com/Google Update;version=9 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: intel.com/AppUp -> C:\Program Files (x86)\Intel\IntelAppStore\bin\npAppUp.dll (Intel)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: @talk.google.com/GoogleTalkPlugin -> C:\Users\Sasha\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: @talk.google.com/O1DPlugin -> C:\Users\Sasha\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: @tools.google.com/Google Update;version=3 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: @tools.google.com/Google Update;version=9 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: intel.com/AppUp -> C:\Program Files (x86)\Intel\IntelAppStore\bin\npAppUp.dll (Intel)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprjplug.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nprpplugin.dll (RealPlayer)
FF Plugin ProgramFiles/Appdata: C:\Users\Sasha\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Sasha\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF Extension: Avira Browser Safety - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\abs@avira.com [2014-12-22]
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\artur.dubovoy@gmail.com [2014-12-10]
FF Extension: Vagex Firefox Add-On - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\ffaddon@vagex.com [2014-12-22]
FF Extension: NetVideoHunter - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\netvideohunter@netvideohunter.com [2014-07-28]
FF Extension: Auto Refresh - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\autorefresh@plugin.xpi [2012-11-21]
FF Extension: Firebug - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\firebug@software.joehewitt.com.xpi [2011-12-11]
FF Extension: Youtube MP3 Downloader using youtube-mp3.org - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\jid1-xKH0EoS44u1a2w@jetpack.xpi [2014-07-04]
FF Extension: Youtube and more - Easy Video Downloader - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\vdpure@link64.xpi [2014-12-10]
FF Extension: Best Video Downloader 2 - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\{170503FA-3349-4F17-BC86-001888A5C8E2}.xpi [2014-07-04]
FF Extension: ReloadEvery - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi [2012-11-21]
FF Extension: Download YouTube Videos as MP4 - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi [2014-12-10]
FF Extension: Easy YouTube Video Downloader - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi [2011-10-03]
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2012-02-11]
FF HKLM-x32\...\Firefox\Extensions: [{0153E448-190B-4987-BDE1-F256CADA672F}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012-11-21]
FF HKLM-x32\...\Firefox\Extensions: [{85E85FF9-E50C-42DE-8A3D-61485FD6C8DB}] - C:\Program Files\Nuclear Coffee\VideoGet\Plugins\VideoGet_FF.xpi
FF Extension: No Name - C:\Program Files\Nuclear Coffee\VideoGet\Plugins\VideoGet_FF.xpi [2014-12-15]

Chrome:
=======
CHR HomePage: Default ->
CHR StartupUrls: Default -> ""
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Popup Notifications for Craigslist) - C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default\Extensions\aenadocogjnkbmchfnkpipdinoleakbj [2014-07-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-11]
CHR Extension: (Adblock Plus) - C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-07-03]
CHR Extension: (Avira Browser Safety) - C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2014-12-21]
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2013-01-16]
CHR Extension: (Google Wallet) - C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (DivX Plus Web Player HTML5 <video>) - C:\Users\Sasha\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm [2013-01-16]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2012-11-21]
CHR HKLM-x32\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files (x86)\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2011-12-12]
CHR StartMenuInternet: Google Chrome - C:\Users\Sasha\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-12-16] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-12-16] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\avwebg7.exe [993584 2014-12-16] (Avira Operations GmbH & Co. KG)
R2 apmwinsrv; C:\Program Files (x86)\Paragon Software\HFS+ for Windows  8.0\apmwinsrv.exe [65616 2010-12-16] ()
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [166192 2014-11-20] (Avira Operations GmbH & Co. KG)
R2 Bonjour Service; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [229376 2006-02-28] (Apple Computer, Inc.) [File not signed]
R2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [138192 2011-02-07] ()
R2 NTI BackupNowEZSvr; C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [46072 2013-02-05] (NTI Corporation)
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S4 cozaghost; "C:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exe" /ts2=1 [X]
S4 cozwdhost; "C:\ProgramData\zoomify_29\1.1.0.29\cozwdhost.exe" -scm [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 apmwin; C:\Windows\System32\DRIVERS\apmwin.sys [49744 2010-11-18] (Paragon Software Group)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-07] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-07] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-05-28] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [43064 2014-10-07] (Avira Operations GmbH & Co. KG)
R0 gpt_loader; C:\Windows\System32\DRIVERS\gpt_loader.sys [55376 2010-11-18] (Paragon Software Group)
S3 Hfsplus; C:\Windows\System32\DRIVERS\hfsplus.sys [189520 2010-12-16] (Paragon Software Group)
R2 HfsplusRec; C:\Windows\System32\DRIVERS\hfsplusrec.sys [14416 2010-12-16] (Paragon Software Group)
R0 mounthlp; C:\Windows\System32\DRIVERS\mounthlp.sys [42064 2010-11-18] (Paragon Software Group)
R2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
S3 pfc; C:\Windows\SysWOW64\drivers\pfc.sys [14604 2003-08-11] (Padus, Inc.) [File not signed]
S3 WLRAWMp50x64; C:\Windows\System32\Drivers\WLRAWMp50x64.sys [35352 2013-01-22] (Logitech, Inc.)
S3 WLRAWMp50x64; C:\Windows\SysWOW64\Drivers\WLRAWMp50x64.sys [35352 2013-01-22] (Logitech, Inc.)
S3 WLRAWSp50x64; C:\Windows\System32\Drivers\WLRAWSp50x64.sys [34328 2013-01-22] (Logitech, Inc.)
S3 WLRAWSp50x64; C:\Windows\SysWOW64\Drivers\WLRAWSp50x64.sys [34328 2013-01-22] (Logitech, Inc.)
S0 aphmpr; System32\drivers\yead.sys [X]
S3 WISOVD; \??\C:\Program Files (x86)\WinISO Computing\WinISO\bin\driver\WISOVD_win7_x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-29 12:22 - 2014-12-29 12:22 - 00042786 _____ () C:\Users\Sasha\Downloads\FRST.txt
2014-12-29 12:22 - 2014-12-29 12:22 - 00000000 ____D () C:\FRST
2014-12-29 12:21 - 2014-12-29 12:21 - 02123264 _____ (Farbar) C:\Users\Sasha\Downloads\FRST64.exe
2014-12-29 12:21 - 2014-12-29 12:21 - 00001403 _____ () C:\Users\Sasha\Desktop\FRST64.exe - Shortcut.lnk
2014-12-21 17:47 - 2014-12-29 12:05 - 00000728 _____ () C:\Windows\setupact.log
2014-12-21 17:47 - 2014-12-21 17:47 - 00000000 _____ () C:\Windows\setuperr.log
2014-12-21 17:25 - 2013-03-01 22:29 - 00000794 _____ () C:\Windows\system32\Drivers\etc\hosts.20141221-172518.backup
2014-12-21 16:26 - 2014-12-21 16:26 - 00003118 _____ () C:\Windows\System32\Tasks\{4B296C36-5476-4F4B-8E5D-A7D9D324E031}
2014-12-21 16:18 - 2014-12-21 16:18 - 00000000 ____D () C:\Users\Sasha\Documents\4Videosoft Studio
2014-12-21 16:18 - 2014-12-21 16:18 - 00000000 ____D () C:\Users\Sasha\AppData\Local\4Videosoft Studio
2014-12-21 16:10 - 2014-12-21 16:10 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\ImTOO
2014-12-21 16:09 - 2014-12-21 16:09 - 00000064 _____ () C:\Users\Sasha\AppData\Local\12662fe45a6dd3765dd5c8e27163711a
2014-12-21 15:52 - 2014-12-21 15:52 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\AisoSoft
2014-12-21 15:42 - 2014-12-21 15:43 - 00000000 ____D () C:\Users\Sasha\Documents\Wondershare Video Converter Ultimate
2014-12-21 15:42 - 2014-12-21 15:42 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\Wondershare Video Converter Ultimate
2014-12-21 15:42 - 2014-12-21 15:42 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\{950EB46C-6AC7-4ACC-AB36-9A6A77C08B6A}
2014-12-21 15:41 - 2014-12-21 16:23 - 00000000 ____D () C:\ProgramData\Wondershare
2014-12-21 15:41 - 2014-12-21 16:23 - 00000000 ____D () C:\Program Files (x86)\Wondershare
2014-12-21 15:41 - 2014-12-21 15:43 - 00000000 ____D () C:\ProgramData\Wondershare Video Converter Ultimate
2014-12-21 15:41 - 2014-12-21 15:41 - 00000000 ____D () C:\Users\Sasha\Documents\Wondershare MediaServer
2014-12-21 15:41 - 2014-12-21 15:41 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Wondershare
2014-12-21 15:41 - 2014-10-24 14:16 - 00721263 _____ () C:\Windows\SysWOW64\WSCM64.dll
2014-12-21 15:40 - 2014-12-21 15:41 - 00000000 ____D () C:\Users\Public\Documents\Wondershare
2014-12-21 15:36 - 2014-12-21 15:36 - 00000000 ____D () C:\ProgramData\APN
2014-12-21 15:35 - 2014-12-21 15:35 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\iDealshare VideoGo 5
2014-12-21 15:34 - 2014-09-26 18:36 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-12-21 15:33 - 2014-12-21 15:33 - 00005682 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_71-b14.log
2014-12-21 15:33 - 2014-09-26 18:42 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-12-21 15:33 - 2014-09-26 18:36 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-12-21 15:33 - 2014-09-26 18:35 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-12-21 14:52 - 2014-12-21 14:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-12-21 14:52 - 2014-12-21 14:52 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-12-21 14:52 - 2014-12-21 14:52 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-12-21 14:50 - 2014-12-21 14:50 - 42096984 _____ (Apple Inc.) C:\Users\Sasha\Downloads\QuickTimeInstaller.exe
2014-12-21 14:47 - 2014-12-21 14:47 - 00102293 _____ () C:\Users\Sasha\Downloads\TaylorSweet2.MOV
2014-12-21 14:31 - 2014-12-21 14:46 - 00106165 _____ () C:\Users\Sasha\Downloads\TaylorSweet.MOV
2014-12-19 00:09 - 2014-12-19 00:09 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Vagex
2014-12-18 23:34 - 2014-12-19 00:05 - 00000006 _____ () C:\Users\Sasha\Downloads\userid.txt
2014-12-18 23:33 - 2014-12-22 20:37 - 00040960 _____ () C:\Users\Sasha\Downloads\vagex.log
2014-12-18 23:32 - 2014-12-21 22:24 - 00158720 _____ (Vagex) C:\Users\Sasha\Downloads\Vagex.exe
2014-12-18 23:32 - 2012-11-20 11:58 - 00151552 _____ ( ) C:\Users\Sasha\Downloads\Interop.SHDocVw.dll
2014-12-18 23:32 - 2012-11-20 11:58 - 00016384 _____ (Vagex) C:\Users\Sasha\Downloads\updater.exe
2014-12-18 16:10 - 2014-12-18 16:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YRefresher
2014-12-18 16:10 - 2014-12-18 16:10 - 00000000 ____D () C:\Program Files (x86)\YRefresher
2014-12-17 15:58 - 2014-12-17 15:58 - 11416298 _____ () C:\Users\Sasha\Downloads\Pendant.psd
2014-12-16 14:18 - 2014-12-16 14:19 - 00000000 ____D () C:\Users\Sasha\Downloads\Brush
2014-12-16 14:17 - 2014-12-16 14:17 - 10094509 _____ () C:\Users\Sasha\Downloads\Real_Smoke__675_pixels_.zip
2014-12-15 14:11 - 2014-12-15 14:11 - 09422760 _____ (Nuclear Coffee ) C:\Users\Sasha\Downloads\VideoGetInstaller-x64.exe
2014-12-15 14:11 - 2014-12-15 14:11 - 00000000 ____D () C:\Users\Sasha\Documents\My Downloaded Video
2014-12-15 14:11 - 2014-12-15 14:11 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\Nuclear Coffee
2014-12-15 14:11 - 2014-12-15 14:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoGet
2014-12-15 14:11 - 2014-12-15 14:11 - 00000000 ____D () C:\Program Files\Nuclear Coffee
2014-12-12 02:27 - 2014-12-12 02:27 - 00000000 ____D () C:\Users\Sasha\Downloads\pigjam
2014-12-09 15:43 - 2014-12-09 15:43 - 00105843 _____ () C:\Users\Sasha\Downloads\vtctattooscripttwo.zip
2014-12-09 15:43 - 2014-12-09 15:43 - 00097995 _____ () C:\Users\Sasha\Downloads\vtc-nuetattooscript.zip
2014-12-09 15:43 - 2014-12-09 15:43 - 00097695 _____ () C:\Users\Sasha\Downloads\vtc-badtattoohandone.zip
2014-12-09 15:42 - 2014-12-09 15:42 - 00069052 _____ () C:\Users\Sasha\Downloads\tangerine.zip
2014-12-09 15:39 - 2014-12-09 15:39 - 00032953 _____ () C:\Users\Sasha\Downloads\civitype-fg.zip
2014-12-09 15:38 - 2014-12-09 15:39 - 00031206 _____ () C:\Users\Sasha\Downloads\beachman-script.zip
2014-12-09 13:59 - 2014-12-09 14:00 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-12-06 00:53 - 2014-12-06 00:59 - 61462561 _____ () C:\Users\Sasha\Downloads\facebook-FireGypsyProductions.zip
2014-12-05 22:55 - 2014-12-28 23:18 - 00002956 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateXML_Sasha
2014-12-05 22:55 - 2014-12-28 23:18 - 00000366 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Sasha.job
2014-12-05 22:55 - 2014-12-28 12:06 - 00002960 _____ () C:\Windows\System32\Tasks\ReclaimerUpdateFiles_Sasha
2014-12-05 22:55 - 2014-12-28 12:06 - 00000370 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Sasha.job
2014-12-05 22:55 - 2014-12-21 18:05 - 00000376 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Sasha.job
2014-12-05 22:55 - 2014-12-05 22:55 - 00003612 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperResumePrompt_Sasha
2014-12-05 22:55 - 2014-12-05 22:55 - 00002664 _____ () C:\Windows\System32\Tasks\RNUpgradeHelperLogonPrompt_Sasha

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-29 12:05 - 2011-09-20 19:10 - 01935510 _____ () C:\Windows\WindowsUpdate.log
2014-12-29 11:55 - 2011-12-28 19:10 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000UA.job
2014-12-29 11:32 - 2014-03-31 16:58 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-29 11:31 - 2012-04-15 21:48 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-29 11:21 - 2012-02-07 21:18 - 00000928 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000UA.job
2014-12-29 02:21 - 2012-02-07 21:18 - 00000906 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000Core.job
2014-12-29 02:00 - 2011-09-20 17:57 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Adobe
2014-12-29 01:32 - 2014-03-31 16:58 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-28 15:01 - 2013-06-05 09:08 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2014-12-28 14:55 - 2011-12-28 19:10 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000Core.job
2014-12-24 08:34 - 2009-07-13 23:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-24 08:34 - 2009-07-13 23:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-22 16:33 - 2013-03-14 13:58 - 00000000 ____D () C:\Users\Sasha\Documents\contracts
2014-12-22 16:30 - 2012-08-07 18:03 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2014-12-22 16:27 - 2011-09-26 16:50 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\SoftGrid Client
2014-12-22 16:25 - 2011-09-20 17:47 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\Adobe
2014-12-22 16:24 - 2011-11-16 19:03 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Windows Live
2014-12-21 23:06 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-12-21 18:53 - 2011-11-17 18:44 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\Skype
2014-12-21 18:32 - 2014-08-04 09:18 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-21 18:12 - 2012-02-22 19:41 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\Spotify
2014-12-21 18:10 - 2009-07-14 00:13 - 00006498 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-21 18:04 - 2012-09-30 22:54 - 00000358 ____H () C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job
2014-12-21 18:04 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-21 17:52 - 2010-11-20 22:47 - 00415700 _____ () C:\Windows\PFRO.log
2014-12-21 17:39 - 2009-07-13 23:45 - 00000000 ____D () C:\Windows\Setup
2014-12-21 17:35 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-12-21 15:36 - 2013-11-16 22:03 - 00000000 ____D () C:\ProgramData\Oracle
2014-12-21 15:33 - 2011-09-20 19:17 - 00000000 ____D () C:\Program Files (x86)\Java
2014-12-21 15:32 - 2012-04-15 21:48 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-21 15:31 - 2012-04-15 21:48 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-21 15:31 - 2011-09-20 19:12 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-21 15:29 - 2013-04-15 20:49 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-12-21 15:27 - 2011-10-25 23:04 - 00000000 ____D () C:\Users\Sasha\AppData\Roaming\Apple Computer
2014-12-21 15:15 - 2011-09-20 19:17 - 00000000 ____D () C:\Program Files (x86)\Intel
2014-12-21 15:13 - 2014-08-04 09:18 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-21 15:13 - 2012-11-22 12:55 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-21 15:13 - 2009-07-13 23:45 - 04912568 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-20 16:49 - 2011-09-20 17:43 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Dell
2014-12-20 15:15 - 2014-08-04 09:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-20 15:15 - 2012-10-05 02:24 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-19 07:34 - 2014-11-06 05:42 - 00000000 ____D () C:\ProgramData\Package Cache
2014-12-19 07:34 - 2014-06-11 14:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2014-12-19 07:34 - 2014-06-11 14:30 - 00000000 ____D () C:\Program Files (x86)\Avira
2014-12-18 14:57 - 2011-11-16 19:44 - 00028160 _____ () C:\Users\Sasha\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-12-11 20:58 - 2011-12-28 19:11 - 00002368 _____ () C:\Users\Sasha\Desktop\Google Chrome.lnk
2014-12-09 15:59 - 2011-09-20 17:42 - 00086192 _____ () C:\Users\Sasha\AppData\Local\GDIPFONTCACHEV1.DAT

Some content of TEMP:
====================
C:\Users\Sasha\AppData\Local\Temp\avgnt.exe
C:\Users\Sasha\AppData\Local\Temp\bccbcabecbcab.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-25 00:45

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2014
Ran by Sasha at 2014-12-29 12:23:10
Running from C:\Users\Sasha\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKLM-x32\...\uTorrent) (Version: 3.0.0 - )
7-Zip 9.22beta (HKLM-x32\...\7-Zip) (Version:  - )
ACID Pro 7.0 (HKLM-x32\...\{BFA5441E-B7E6-46F5-A15D-1B74707AE93A}) (Version: 7.0.641 - Sony)
ActivePerl 5.16.3 Build 1603 (64-bit) (HKLM\...\{8C327061-E39D-4696-84A8-E84533ADDD7D}) (Version: 5.16.1603 - ActiveState)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Anchor Service x64 CS4 (Version: 2.0 - Adobe Systems Incorporated) Hidden
Adobe CMaps x64 CS4 (Version: 2.0 - Adobe Systems Incorporated) Hidden
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.4.980 - Adobe Systems Incorporated.)
Adobe CSI CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Download Assistant (HKLM-x32\...\com.adobe.downloadassistant.AdobeDownloadAssistant) (Version: 1.2.5 - Adobe Systems Incorporated)
Adobe Drive CS4 x64 (Version: 1 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Fonts All x64 (Version: 2.0 - Adobe Systems Incorporated) Hidden
Adobe Illustrator CS5 (HKLM-x32\...\{9B97EC91-B3FD-4BFF-88FC-5345A26AC2E7}) (Version: 15.0 - Adobe Systems Incorporated)
Adobe Linguistics CS4 x64 (Version: 4.0.0 - Adobe Systems Incorporated) Hidden
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe PDF Library Files x64 CS4 (Version: 9.0 - Adobe Systems Incorporated) Hidden
Adobe Photoshop CS4 (64 Bit) (Version: 11.0 - Adobe Systems Incorporated) Hidden
Adobe Photoshop CS4 (HKLM-x32\...\Adobe_faf656ef605427ee2f42989c3ad31b8) (Version: 11.0 - Adobe Systems Incorporated)
Adobe Premiere Pro (HKLM-x32\...\{084709F7-38C5-4609-B55F-2417939315EB}) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Premiere Pro CS3 (HKLM-x32\...\Adobe_32fdd767b4383606e8168e834af5d90) (Version: 3 - Adobe Systems Incorporated)
Adobe Premiere Pro CS5.5 (HKLM-x32\...\{0497EAED-70DA-4BBE-BEB3-AF77FD8788EA}) (Version: 5.5 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.0.112 - Adobe Systems, Inc.)
Adobe Story (HKLM-x32\...\com.adobe.AdobeStory.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.0.571 - Adobe Systems Incorporated)
Adobe Type Support x64 CS4 (Version: 9.0 - Adobe Systems Incorporated) Hidden
Adobe WinSoft Linguistics Plugin x64 (Version: 1.1 - Adobe Systems Incorporated) Hidden
AMD Catalyst Install Manager (HKLM\...\{5E03A267-415E-5383-FA8F-3CE4145663B9}) (Version: 8.0.903.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft TotalMedia Backup & Record (HKLM-x32\...\{EF6F70D0-C242-4047-946B-98EA8208481A}) (Version:  - ArcSoft)
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.10 - Michael Tippach)
ATI AVIVO64 Codecs (Version: 11.6.0.10419 - ATI Technologies Inc.) Hidden
Audacity 1.2.6 (HKLM-x32\...\Audacity_is1) (Version:  - )
Avira (HKLM-x32\...\{e7c7c227-b742-4878-9425-f09bbf9951db}) (Version: 1.1.27.25527 - Avira Operations & Co. KG)
Avira (x32 Version: 1.1.27.25527 - Avira Operations & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.468 - Avira)
Best Buy pc app (HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\48e4cff94f039634) (Version: 3.1.0.0 - Best Buy)
Best Buy pc app (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\48e4cff94f039634) (Version: 3.1.0.0 - Best Buy)
Best Buy pc app (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\48e4cff94f039634) (Version: 3.1.0.0 - Best Buy)
Best Buy pc app (Version: 3.1.0.0 - Best Buy) Hidden
Best Buy pc app (x32 Version: 3.1.0.0 - Best Buy) Hidden
Button Manager v1.874 (HKLM-x32\...\{703C4409-D597-433A-9B17-E411D9236451}) (Version: 1.8.7.004 - INITIO)
CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) Hidden
Canon Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version:  - )
Canon Inkjet Printer/Scanner/Fax Extended Survey Program (HKLM-x32\...\CANONIJPLM100) (Version:  - )
Canon MG2100 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2100_series) (Version:  - )
Canon MG2100 series User Registration (HKLM-x32\...\Canon MG2100 series User Registration) (Version:  - )
Canon MP Navigator EX 5.0 (HKLM-x32\...\MP Navigator EX 5.0) (Version:  - )
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version:  - )
Canon Solution Menu EX (HKLM-x32\...\CanonSolutionMenuEX) (Version:  - )
Connect (x32 Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Getting Started Guide (HKLM-x32\...\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}) (Version: 1.00.0000 - Dell Inc.)
Dell MusicStage (HKLM-x32\...\{91AF2672-F5BC-42CF-8037-A9D2F92BBCC0}) (Version: 1.5.201.0 - Fingertapps)
Dell PhotoStage (HKLM-x32\...\{E4335E82-17B3-460F-9E70-39D9BC269DB3}) (Version: 1.5.0.65 - ArcSoft)
Dell Product Registration (HKLM-x32\...\{2A0F2CC5-3065-492C-8380-B03AA7106B1A}) (Version: 1.0.6 - Dell Inc.)
Dell Stage (HKLM-x32\...\{E2EBA7C0-8072-447F-856D-FFEE8D15B23B}) (Version: 1.5.201.0 - Fingertapps)
Dell VideoStage  (HKLM-x32\...\InstallShield_{DCE0E79A-B9AC-41AC-98C1-7EF0538BCA7F}) (Version: 1.2.0.1712 - CyberLink Corp.)
Dell VideoStage  (x32 Version: 1.2.0.1712 - CyberLink Corp.) Hidden
DivX Setup (HKLM-x32\...\DivX Setup) (Version: 2.6.1.5 - DivX, LLC)
DW WLAN Card (HKLM\...\DW WLAN Card) (Version: 5.60.48.35 - Dell Inc.)
EPA 608 Certification 4.0.00 (HKLM-x32\...\8872-1522-2113-8155) (Version: 4.0.00 - Mainstream Engineering Corporation)
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
f.lux (HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Flux) (Version:  - )
f.lux (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Flux) (Version:  - )
f.lux (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Flux) (Version:  - )
Facebook Video Calling 3.1.0.521 (HKLM-x32\...\{2091F234-EB58-4B80-8C96-8EB78C808CF7}) (Version: 3.1.521 - Skype Limited)
Google Chrome (HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Chrome (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Chrome (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Talk Plugin (HKLM-x32\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Intel AppUp(SM) center (HKLM-x32\...\Intel AppUp(SM) center 37466) (Version: 03.05.314 - Intel)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.0.0.1046 - Intel Corporation)
Java 7 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.710 - Oracle)
Java™ 6 Update 22 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216022F0}) (Version: 6.0.220 - Oracle)
Java™ 6 Update 27 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416027FF}) (Version: 6.0.270 - Oracle)
Java™ 6 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216031FF}) (Version: 6.0.310 - Oracle)
join.me (HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\JoinMe) (Version: 1.7.0.138 - LogMeIn, Inc.)
join.me (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\JoinMe) (Version: 1.7.0.138 - LogMeIn, Inc.)
join.me (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\JoinMe) (Version: 1.7.0.138 - LogMeIn, Inc.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
jZip (HKLM-x32\...\jZip) (Version:  - Bandoo Media Inc.) <==== ATTENTION
K-Lite Codec Pack 5.4.0 (64-bit) (HKLM\...\KLiteCodecPack64_is1) (Version: 5.4.0 - )
kuler (x32 Version: 2.0 - Adobe Systems Incorporated) Hidden
LG Verizon United Drivers (HKLM-x32\...\{885DBC42-4BCC-4A7E-9F2B-64B25E02E926}) (Version: 2.6.0 - LG Electronics)
Logitech Alert Commander (HKLM-x32\...\{1E03F229-6AE9-4AA6-AE6D-20B618039DC0}) (Version: 3.3.142 - Logitech)
Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
Magic ISO Maker v5.5 (build 0265) (HKLM-x32\...\Magic ISO Maker v5.5 (build 0265)) (Version:  - )
Magic ISO Maker v5.5 (build 0281) (HKLM-x32\...\Magic ISO Maker v5.5 (build 0281)) (Version:  - )
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (español) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 3082) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Français) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1036) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Italiano) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1040) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Nederlands) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1043) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Miro Video Converter (HKLM-x32\...\Miro Video Converter) (Version: 0.8.0 - Participatory Culture Foundation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Multimedia Card Reader (HKLM-x32\...\InstallShield_{41068A8C-3F30-46B6-978A-EA692F28D1AF}) (Version: 1.7.915.93 - Fitipower)
Multimedia Card Reader (x32 Version: 1.7.915.93 - Fitipower) Hidden
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
Nimo Codecs Pack v5.0 (Remove Only) (HKLM-x32\...\NimoCorp) (Version:  - )
NTI Backup Now EZ (HKLM-x32\...\InstallShield_{B9ECA41B-55CC-4654-B6B5-6731D009EC69}) (Version: 3.0.2.32 - NTI Corporation)
NTI Backup Now EZ (x32 Version: 3.0.2.32 - NTI Corporation) Hidden
Nuclear Coffee - VideoGet (HKLM\...\VideoGet_is1) (Version: 2014 - Nuclear Coffee)
OJOsoft Total Video Converter (HKLM-x32\...\OJOsoft Total Video Converter_is1) (Version: 2.6.1.0106 - OJOsoft)
ooVoo (HKLM-x32\...\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}) (Version: 3.5.7047 - ooVoo LLC.)
OpenOffice.org 3.3 (HKLM-x32\...\{3E171899-0175-47CC-84C4-562ACDD4C021}) (Version: 3.3.9567 - OpenOffice.org)
Paragon HFS+ for Windows™ 8.0 (HKLM-x32\...\{456534C0-51E7-11DF-B336-005056C00008}) (Version: 1.00 - Paragon Software)
PDF Settings CS4 (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden
PDF Settings CS5 (x32 Version: 10.0 - Adobe Systems Incorporated) Hidden
Photoshop Camera Raw (x32 Version: 5.0 - Adobe Systems Incorporated) Hidden
Photoshop Camera Raw_x64 (Version: 5.0 - Adobe Systems Incorporated) Hidden
PowerISO (HKLM-x32\...\PowerISO) (Version: 5.0 - Power Software Ltd)
Project64 1.6 (HKLM-x32\...\{9559F7CA-5E34-4237-A2D9-D856464AD727}) (Version: 1.6 - Project64)
PxMergeModule (x32 Version: 1.00.0000 - Your Company Name) Hidden
Python 2.7 (64-bit) (HKLM\...\{20c31435-2a0a-4580-be8b-ac06fc243ca5}) (Version: 2.7.150 - Python Software Foundation)
Python 3.0.1 (64-bit) (HKLM\...\{de2f2d9c-53e2-40ee-8209-74da63cb060f}) (Version: 3.0.1150 - Python Software Foundation)
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
RealNetworks - Microsoft Visual C++ 2008 Runtime (x32 Version: 9.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM-x32\...\RealPlayer 15.0) (Version: 15.0.6 - RealNetworks)
Realtek AC'97 Audio (HKLM-x32\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version: 5.37 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6482 - Realtek Semiconductor Corp.)
RealUpgrade 1.1 (x32 Version: 1.1.0 - RealNetworks, Inc.) Hidden
Skype™ 6.14 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.14.104 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Spotify (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Spotify (HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
Suite Shared Configuration CS4 (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
THX TruStudio PC (HKLM-x32\...\{010A785B-F920-4350-821B-6309909C20BB}) (Version: 1.0 - Creative Technology Limited)
VC80CRTRedist - 8.0.50727.6195 (x32 Version: 1.2.0 - DivX, Inc) Hidden
Video Converter Studio V3.1.5 (HKLM-x32\...\{195E8D7F-292B-4B04-A6E7-E96CAF04C767}_is1) (Version: 3.1.5 - Apowersoft)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Movie Maker 2.6 (HKLM-x32\...\{B3DAF54F-DB25-4586-9EF1-96D24BB14088}) (Version: 2.6.4037.0 - Microsoft Corporation)
WinISO (HKLM-x32\...\WinISO) (Version: 6.1.0.4435 - WinISO Computing Inc.)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
XEDecrypt 1.00 (HKLM-x32\...\XEDecrypt 1.00) (Version:  - )
Yrefresher 1.00 (HKLM-x32\...\YRefresher_is1) (Version:  - Yoconsoft)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Sasha\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0}\InprocServer32 -> 42494E41525953545245414D0300000003000000591248CE8BE38A631FB24E0033D1BD35475DB327E7A9CAA293834BF04FC6 (the data entry has 8 more characters).
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\Windows\system32\shell32.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File

==================== Restore Points  =========================

21-12-2014 00:00:19 Scheduled Checkpoint
21-12-2014 14:51:21 Installed QuickTime 7
21-12-2014 15:30:52 Installed Java 7 Update 71
29-12-2014 00:00:10 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2011-10-04 18:58 - 2013-03-01 22:29 - 00000794 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
127.0.0.1                activate.adobe.com


==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0F1BC33F-FE3C-45B3-A49F-D7317D4B928C} - System32\Tasks\RNUpgradeHelperResumePrompt_Sasha => C:\Users\Sasha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.03\agent\rnupgagent.exe [2014-12-05] (RealNetworks, Inc.)
Task: {123CD9E5-A90A-44B5-85F8-A3FB940FA472} - System32\Tasks\{4B296C36-5476-4F4B-8E5D-A7D9D324E031} => pcalua.exe -a C:\ProgramData\zoomify_29\1.1.0.29\Uninstaller.exe -c /ga=1503
Task: {146E92B1-72E0-4E65-B8DA-8819EE13EC27} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {309CC394-4C3C-4661-8D15-540175C82259} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {3E4B831B-FB6F-4E0E-A943-D41DBA9AEF25} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-31] (PC-Doctor, Inc.)
Task: {42D8FE8D-F5BD-4D0A-B6D3-324D9959B6E4} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-175057651-2618150129-1025104438-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2012-07-27] (RealNetworks, Inc.)
Task: {4AA725C1-AB40-4D0B-91C4-E01585B726E4} - System32\Tasks\ReclaimerUpdateFiles_Sasha => C:\Users\Sasha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.03\agent\rnupgagent.exe [2014-12-05] (RealNetworks, Inc.)
Task: {4C4F611C-E9B8-40B8-912C-841387FF71AC} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000UA => C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: {4EB0E34F-6597-49EA-B96C-8FC2CC1DFC15} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-175057651-2618150129-1025104438-1003 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2012-07-27] (RealNetworks, Inc.)
Task: {4F5B5E50-3984-4479-B70E-9D2CF3ED338D} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000UA => C:\Users\Sasha\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-17] (Google Inc.)
Task: {596683D1-F5E8-4596-AA82-4C46986E08DF} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-31] (PC-Doctor, Inc.)
Task: {5A775E90-475E-4854-9E1C-A3FF3A293EF8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-03-31] (Google Inc.)
Task: {5CEAC0C1-BA87-4190-950C-40EF6CDB65F7} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-03-31] (Google Inc.)
Task: {89823D6E-EAAE-4AEA-B003-AB53BB00AC24} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000Core => C:\Users\Sasha\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-17] (Google Inc.)
Task: {90C6EC93-79A3-49AD-A05D-E6AF33E17FB7} - System32\Tasks\ReclaimerUpdateXML_Sasha => C:\Users\Sasha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.03\agent\rnupgagent.exe [2014-12-05] (RealNetworks, Inc.)
Task: {A10964D8-95AA-4998-BFE3-E6A6D3A7B913} - System32\Tasks\RNUpgradeHelperLogonPrompt_Sasha => C:\Users\Sasha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.03\agent\rnupgagent.exe [2014-12-05] (RealNetworks, Inc.)
Task: {A374C336-1680-49AB-B031-936F9FE625D8} - System32\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3} => C:\ProgramData\Premium\GBox\GBox.exe <==== ATTENTION
Task: {A92FFBCC-16A2-4171-9336-B388885A510E} - System32\Tasks\RealCreateProcessScheduledTask265498S-1-5-21-175057651-2618150129-1025104438-1000 => c:\program files (x86)\real\realplayer\update\realsched.exe [2012-11-21] (RealNetworks, Inc.)
Task: {A9CBDDFF-EEF1-498B-90F8-7DBC10F8C0E7} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-21] (Adobe Systems Incorporated)
Task: {BF0F1C65-5086-4C5F-8079-5E2E39D89242} - System32\Tasks\AdobeAAMUpdater-1.0-DOOMSDAY-Sasha => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2012-09-20] (Adobe Systems Incorporated)
Task: {C121256A-3B5E-45F6-9374-97DBCCF5923B} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-175057651-2618150129-1025104438-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2012-07-27] (RealNetworks, Inc.)
Task: {CF6EC33F-D513-4633-A019-7903B50DB21C} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000Core => C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: {D9E3C744-EFD6-48A5-A04A-9C57A595446D} - System32\Tasks\{04DBD90D-F98E-4230-8E40-DF53D6DEC7B4} => pcalua.exe -a "C:\Users\Sasha\Downloads\Rosetta Stone 3.4.7\Rosetta Stone 3.4.7.exe" -d "C:\Users\Sasha\Downloads\Rosetta Stone 3.4.7"
Task: {DCE7161A-70F3-4873-A9EF-2933BDEA9818} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F44B9334-C0CD-4648-A922-CDD2E7FB4EE4} - System32\Tasks\SidebarExecute => C:\Program Files (x86)\Windows Sidebar\sidebar.exe [2010-11-20] (Microsoft Corporation)
Task: {FBE1E42B-9241-452E-AFB7-4B21064580EA} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-175057651-2618150129-1025104438-1003 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2012-07-27] (RealNetworks, Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000Core.job => C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000UA.job => C:\Users\Sasha\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job => C:\ProgramData\Premium\GBox\GBox.exe <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000Core.job => C:\Users\Sasha\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-175057651-2618150129-1025104438-1000UA.job => C:\Users\Sasha\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ReclaimerUpdateFiles_Sasha.job => C:\Users\Sasha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.03\agent\rnupgagent.exe
Task: C:\Windows\Tasks\ReclaimerUpdateXML_Sasha.job => C:\Users\Sasha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.03\agent\rnupgagent.exe
Task: C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Sasha.job => C:\Users\Sasha\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.03\agent\rnupgagent.exe

==================== Loaded Modules (whitelisted) =============

2014-12-21 15:41 - 2014-10-24 14:16 - 00721263 _____ () C:\Windows\SysWOW64\WSCM64.dll
2010-12-16 13:11 - 2010-12-16 13:11 - 00065616 _____ () C:\Program Files (x86)\Paragon Software\HFS+ for Windows  8.0\apmwinsrv.exe
2012-08-07 18:03 - 2011-02-07 11:56 - 00138192 _____ () C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
2011-07-28 18:08 - 2011-07-28 18:08 - 01259376 _____ () C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
2012-09-12 23:38 - 2012-09-12 23:38 - 00264040 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
2013-02-05 09:11 - 2013-02-05 09:11 - 00465824 _____ () C:\Program Files (x86)\NTI\NTI Backup Now EZ\sqlite3.dll
2011-06-21 09:42 - 2011-06-21 09:42 - 01075200 _____ () C:\Program Files (x86)\NTI\NTI Backup Now EZ\ACE.dll
2013-02-05 09:10 - 2013-02-05 09:10 - 00045048 _____ () C:\Program Files (x86)\NTI\NTI Backup Now EZ\archive.dll
2011-01-17 15:19 - 2011-09-23 20:04 - 00985088 _____ () C:\Program Files (x86)\OpenOffice.org 3\program\libxml2.dll
2011-08-12 11:18 - 2011-08-12 11:18 - 02145304 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtCore4.dll
2011-08-12 11:18 - 2011-08-12 11:18 - 07956504 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtGui4.dll
2011-08-12 11:18 - 2011-08-12 11:18 - 00342552 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtXml4.dll
2011-08-12 11:18 - 2011-08-12 11:18 - 00029208 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QGif4.dll
2011-08-12 11:18 - 2011-08-12 11:18 - 00128536 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll
2011-07-28 18:09 - 2011-07-28 18:09 - 00096112 _____ () C:\Program Files (x86)\DivX\DivX Update\DivXUpdateCheck.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00891392 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtNetwork4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 02281984 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtCore4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00322048 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\log4cplus.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00339456 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtXml4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00400384 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\sqlite3.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00015872 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\featureController.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00062976 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\osEvents.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00195584 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\libgsoap.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00062464 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\zlib1.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00443904 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\deviceProfile.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00019456 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\eventsSender.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00060928 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\serviceManagerStarter.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 01283584 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtScript4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 10836992 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtWebKit4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00266752 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\phonon4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 08167936 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\QtGui4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00026624 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\imageformats\qgif4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00028672 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\imageformats\qico4.dll
2012-04-18 21:19 - 2012-04-04 15:36 - 00196608 _____ () C:\Program Files (x86)\Intel\IntelAppStore\bin\imageformats\qjpeg4.dll
2012-09-12 23:39 - 2012-09-12 23:39 - 00336232 _____ () C:\Program Files (x86)\Common Files\logishrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll
2014-12-21 15:41 - 2014-10-31 16:37 - 01498112 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\DAQExp.dll
2014-12-21 15:41 - 2014-05-19 17:19 - 00137728 _____ () C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
2014-02-13 03:41 - 2014-02-13 03:41 - 00169472 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\aa739380ca2b2fc7366d464d2f2301ac\IsdiInterop.ni.dll
2011-09-20 19:17 - 2010-09-13 18:28 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2001-08-03 17:58 - 2001-08-03 17:58 - 00045056 _____ () C:\Program Files (x86)\YRefresher\YRefresher.dll
2014-12-09 14:00 - 2014-12-09 14:00 - 03758192 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-12-09 23:33 - 2014-12-09 23:33 - 16841392 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\Microsoft:gtx5Gjmh9Tod5geC78fPN
AlternateDataStreams: C:\ProgramData\Microsoft:khl8uejdQ3xy0iRQG1LMVLTY
AlternateDataStreams: C:\ProgramData\Microsoft:TjcHdea7N6NpkHbDHbNak
AlternateDataStreams: C:\Users\Sasha\Local Settings:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local\Application Data:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local\Temporary Internet Files:EKTuaS3MjFT6JXQwgWaJ

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-175057651-2618150129-1025104438-500 - Administrator - Disabled)
Guest (S-1-5-21-175057651-2618150129-1025104438-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-175057651-2618150129-1025104438-1002 - Limited - Enabled)
Sasha (S-1-5-21-175057651-2618150129-1025104438-1000 - Administrator - Enabled) => C:\Users\Sasha
SEAN (S-1-5-21-175057651-2618150129-1025104438-1003 - Administrator - Enabled) => C:\Users\SEAN

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/24/2014 03:34:48 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine Error calling CreateFile on volume '\\?\Volume{6b510ec4-e4ec-11e0-a2cb-782bcba02785}\'.  hr = 0x80070005, Access is denied.
.


Operation:
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Execution Context: Coordinator
   Provider ID: {00000000-0000-0000-0000-000000000000}
   Volume Name: Q:\
   Execution Context: Coordinator

Error: (12/24/2014 03:34:48 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine Error calling CreateFile on volume '\\?\Volume{6b510ec4-e4ec-11e0-a2cb-782bcba02785}\'.  hr = 0x80070005, Access is denied.
.


Operation:
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Execution Context: Coordinator
   Provider ID: {00000000-0000-0000-0000-000000000000}
   Volume Name: Q:\
   Execution Context: Coordinator

Error: (12/24/2014 03:34:47 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine Error calling CreateFile on volume '\\?\Volume{6b510ec4-e4ec-11e0-a2cb-782bcba02785}\'.  hr = 0x80070005, Access is denied.
.


Operation:
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Execution Context: Coordinator
   Provider ID: {00000000-0000-0000-0000-000000000000}
   Volume Name: Q:\
   Execution Context: Coordinator

Error: (12/22/2014 00:47:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 34.0.5.5443, time stamp: 0x5475dd5d
Faulting module name: mozalloc.dll, version: 34.0.5.5443, time stamp: 0x5475d664
Exception code: 0x80000003
Fault offset: 0x00001425
Faulting process id: 0x2534
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (12/22/2014 03:22:28 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 34.0.5.5443, time stamp: 0x5475dd5d
Faulting module name: mozalloc.dll, version: 34.0.5.5443, time stamp: 0x5475d664
Exception code: 0x80000003
Fault offset: 0x00001425
Faulting process id: 0x1f90
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (12/21/2014 06:16:03 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Information only.
Error: The operation timed out
 ErrorCode: 14007(0x36b7).

Error: (12/21/2014 06:10:18 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/21/2014 06:10:18 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/21/2014 06:06:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: cozaghost.exe, version: 1.1.0.29, time stamp: 0x5492bce1
Faulting module name: cozaghost.exe, version: 1.1.0.29, time stamp: 0x5492bce1
Exception code: 0xc0000005
Fault offset: 0x00017400
Faulting process id: 0x1148
Faulting application start time: 0xcozaghost.exe0
Faulting application path: cozaghost.exe1
Faulting module path: cozaghost.exe2
Report Id: cozaghost.exe3

Error: (12/21/2014 06:05:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: cozaghost.exe, version: 1.1.0.29, time stamp: 0x5492bce1
Faulting module name: cozaghost.exe, version: 1.1.0.29, time stamp: 0x5492bce1
Exception code: 0xc0000005
Fault offset: 0x00017400
Faulting process id: 0xa24
Faulting application start time: 0xcozaghost.exe0
Faulting application path: cozaghost.exe1
Faulting module path: cozaghost.exe2
Report Id: cozaghost.exe3


System errors:
=============
Error: (12/21/2014 06:14:59 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 48.

Error: (12/21/2014 06:13:29 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 48.

Error: (12/21/2014 06:11:59 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 48.

Error: (12/21/2014 06:10:29 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 48.

Error: (12/21/2014 06:09:09 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 48.

Error: (12/21/2014 06:06:08 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The cozaghost service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (12/21/2014 06:05:55 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The cozaghost service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (12/21/2014 06:05:53 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
aphmpr

Error: (12/21/2014 06:04:33 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 5:53:28 PM on ‎12/‎21/‎2014 was unexpected.

Error: (12/21/2014 05:52:47 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 5:50:41 PM on ‎12/‎21/‎2014 was unexpected.


Microsoft Office Sessions:
=========================
Error: (12/24/2014 03:34:48 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Error calling CreateFile on volume '\\?\Volume{6b510ec4-e4ec-11e0-a2cb-782bcba02785}\'0x80070005, Access is denied.


Operation:
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Execution Context: Coordinator
   Provider ID: {00000000-0000-0000-0000-000000000000}
   Volume Name: Q:\
   Execution Context: Coordinator

Error: (12/24/2014 03:34:48 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Error calling CreateFile on volume '\\?\Volume{6b510ec4-e4ec-11e0-a2cb-782bcba02785}\'0x80070005, Access is denied.


Operation:
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Execution Context: Coordinator
   Provider ID: {00000000-0000-0000-0000-000000000000}
   Volume Name: Q:\
   Execution Context: Coordinator

Error: (12/24/2014 03:34:47 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Error calling CreateFile on volume '\\?\Volume{6b510ec4-e4ec-11e0-a2cb-782bcba02785}\'0x80070005, Access is denied.


Operation:
   Check If Volume Is Supported by Provider
   Add a Volume to a Shadow Copy Set

Context:
   Execution Context: Coordinator
   Provider ID: {00000000-0000-0000-0000-000000000000}
   Volume Name: Q:\
   Execution Context: Coordinator

Error: (12/22/2014 00:47:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe34.0.5.54435475dd5dmozalloc.dll34.0.5.54435475d6648000000300001425253401d01e0b429b481fC:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozalloc.dll978538ed-8a02-11e4-8cd0-782bcba02785

Error: (12/22/2014 03:22:28 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe34.0.5.54435475dd5dmozalloc.dll34.0.5.54435475d66480000003000014251f9001d01dac3dbbbcbeC:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozalloc.dllaa3f7e64-89b3-11e4-8cd0-782bcba02785

Error: (12/21/2014 06:16:03 PM) (Source: CVHSVC) (EventID: 100) (User: )
Description: Error: The operation timed out
 ErrorCode: 14007(0x36b7).

Error: (12/21/2014 06:10:18 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (12/21/2014 06:10:18 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (12/21/2014 06:06:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: cozaghost.exe1.1.0.295492bce1cozaghost.exe1.1.0.295492bce1c000000500017400114801d01d72af2ac057C:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exeC:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exef16cd19f-8965-11e4-8cd0-782bcba02785

Error: (12/21/2014 06:05:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: cozaghost.exe1.1.0.295492bce1cozaghost.exe1.1.0.295492bce1c000000500017400a2401d01d728b7fa1bcC:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exeC:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exee6e3da88-8965-11e4-8cd0-782bcba02785


==================== Memory info ===========================

Processor: Intel® Core™ i7-2600 CPU @ 3.40GHz
Percentage of memory in use: 76%
Total physical RAM: 8174.45 MB
Available physical RAM: 1915.12 MB
Total Pagefile: 33172.63 MB
Available Pagefile: 24204.75 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:1383.92 GB) (Free:1021.66 GB) NTFS
Drive d: (FIREWORMZ At Str) (CDROM) (Total:1.07 GB) (Free:0 GB) CDFS
Drive f: (TOSHIBA EXT) (Fixed) (Total:931.41 GB) (Free:0.5 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 10000000)
Partition 1: (Not Active) - (Size=102 MB) - (Type=DE)
Partition 2: (Active) - (Size=13.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1383.9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: C7F6B596)
Partition 1: (Active) - (Size=931.4 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Attached Files



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,565 posts
  • Gender:Male
  • Location:California
  • Local time:09:28 PM

Posted 29 December 2014 - 04:26 PM

Greetings Sasha,

It appears you have pirated Adobe software on your computer. Unfortunately I am going to ask you to remove the software prior to us continuing on. If you are willing to do that, please let me know when it has been accomplished and I will post our next step. Your computer is still a mess. :(

I don't know what files you deleted, but it appears your computer was infected with a Backdoor Trojan, as there is still evidence of that in the logs. Although I typically like to see additional evidence to see if it is recent or not, out of caution I am going to provide you with the information I normally post regarding that type of infection.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Please let me know if you have already noticed evidence of financial institution irregularities. Those accounts should be monitored from this point forward.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 

Here are some thoughts I have put together for people who ask what they should do in light of the infection. Ultimately each user must decide for themselves what to do and the below are things you might want to consider.

It is necessary for us to at least make you aware of the worst-case scenario. This is because of the potential Backdoor Trojans bring with them, but it is not a determination on our part that your situation currently falls within this worst-case scenario.

Ultimately it is a personal decision whether to reformat or not. What decision should you make to let you sleep well at night? It is different for different people. I will say whether rightly or wrongly most people decide to clean and not reformat, at least initially.

The only insight I can offer is how I evaluate the issue personally even though I have never had a Backdoor Trojan on my computer. One of the primary purposes for malicious software is to somehow separate you from your money. It seems reasonable to assume that a thief trying to take your money via a Backdoor Trojan will hit you hard, and quickly. Once your computer starts to act up and you become suspicious you have the opportunity to eliminate access to your computer and change the information taken, namely account and password information. The key to this, in my opinion, is whether or not you have noticed any irregularities in your banking or other financial institutions, or things like email and social network accounts (i.e. Facebook). If you have not seen any evidence of that then you may question whether your information has truly been stolen. If it seems it hasn't, and your critical information has been changed, it is reasonable to be more confident you are safe but you must stop short of claiming an absolute guarantee.

If, after careful consideration you decide not to reformat your computer it would be wise to continue monitoring your sensitive data and don't wait to address future symptoms on your computer which seem to be malware related.

The bottom line, the only way to be absolutely sure to be rid of a Backdoor Trojan is to reformat. The decision is yours.

Oh My!


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please let me know how you want to proceed.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 ravendark

ravendark
  • Topic Starter

  • Members
  • 13 posts
  • Local time:01:28 AM

Posted 29 December 2014 - 09:07 PM

Hey Gary!

 

I have uninstalled the Adobe Products.

 

I have never had anything strange happen during my sessions on the computer. And if they are after money, well, they probably won't get far seeing as I don't really have any to begin with. My email doesn't send out spam, and my social media accounts haven't sent out any unauthorized messages or anything. So, so far, so good on that end. I really don't want to reformat my computer. So we can just see if we can get rid of anything that is on here.



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,565 posts
  • Gender:Male
  • Location:California
  • Local time:09:28 PM

Posted 29 December 2014 - 09:39 PM

That sounds good, thanks. I was able to locate some of the Gadgetbox and other remnant entries and we will be taking care of those.

We need to copy and paste the FRST program from your Downloads folder to your Desktop.

Running from C:\Users\Sasha\Downloads


Following that, please consider and do this.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Vagex] => C:\Users\Sasha\Downloads\Vagex.exe [158720 2014-12-21] (Vagex)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [AdobeBridge] => [X]
URLSearchHook: HKLM-x32 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Handler: WSWSVCUchrome - No CLSID Value
FF SearchEngineOrder.1: GadgetBox
FF SearchEngineOrder.1,S: GadgetBox
FF SelectedSearchEngine: GadgetBox
FF SelectedSearchEngine,S: GadgetBox
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Extension: Vagex Firefox Add-On - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\ffaddon@vagex.com [2014-12-22]
S4 cozaghost; "C:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exe" /ts2=1 [X]
S4 cozwdhost; "C:\ProgramData\zoomify_29\1.1.0.29\cozwdhost.exe" -scm [X]
S0 aphmpr; System32\drivers\yead.sys [X]
S3 WISOVD; \??\C:\Program Files (x86)\WinISO Computing\WinISO\bin\driver\WISOVD_win7_x64.sys [X]
2014-12-21 16:26 - 2014-12-21 16:26 - 00003118 _____ () C:\Windows\System32\Tasks\{4B296C36-5476-4F4B-8E5D-A7D9D324E031}
2014-12-21 16:09 - 2014-12-21 16:09 - 00000064 _____ () C:\Users\Sasha\AppData\Local\12662fe45a6dd3765dd5c8e27163711a
2014-12-21 18:04 - 2012-09-30 22:54 - 00000358 ____H () C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job
C:\Users\Sasha\AppData\Local\Temp\avgnt.exe
C:\Users\Sasha\AppData\Local\Temp\bccbcabecbcab.exe
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Sasha\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0}\InprocServer32 -> 42494E41525953545245414D0300000003000000591248CE8BE38A631FB24E0033D1BD35475DB327E7A9CAA293834BF04FC6 (the data entry has 8 more characters).
Task: {A374C336-1680-49AB-B031-936F9FE625D8} - System32\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3} => C:\ProgramData\Premium\GBox\GBox.exe <==== ATTENTION
Task: C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job => C:\ProgramData\Premium\GBox\GBox.exe <==== ATTENTION
C:\Users\Sasha\Downloads\Vagex.exe
2014-12-19 00:09 - 2014-12-19 00:09 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Vagex
2014-12-18 23:33 - 2014-12-22 20:37 - 00040960 _____ () C:\Users\Sasha\Downloads\vagex.log
2014-12-18 23:32 - 2012-11-20 11:58 - 00151552 _____ ( ) C:\Users\Sasha\Downloads\Interop.SHDocVw.dll
2014-12-18 23:32 - 2012-11-20 11:58 - 00016384 _____ (Vagex) C:\Users\Sasha\Downloads\updater.exe
C:\ProgramData\Premium\GBox
AlternateDataStreams: C:\ProgramData\Microsoft:gtx5Gjmh9Tod5geC78fPN
AlternateDataStreams: C:\ProgramData\Microsoft:khl8uejdQ3xy0iRQG1LMVLTY
AlternateDataStreams: C:\ProgramData\Microsoft:TjcHdea7N6NpkHbDHbNak
AlternateDataStreams: C:\Users\Sasha\Local Settings:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local\Application Data:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local\Temporary Internet Files:EKTuaS3MjFT6JXQwgWaJ
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 ravendark (Topic Starter, Members, 13 posts)

Posted 29 December 2014 - 10:05 PM

Hey Gary,

I barely use uTorrent at all, if ever. I am aware of the dangers, that is why I never download anything without making sure there are positive reviews and scanning the files first.

I did as you asked. My computer didn't restart properly. It was a blank screen for 15 minutes, I hard restarted and it started normally the second time.

Another concern is that at this current moment, Chrome started automatically in my task manager, however, Chrome is not actually running. There are 5 Chrome processes running that started automatically, but Chrome is not running.

Here is the Fixlog:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2014
Ran by Sasha at 2014-12-29 21:46:22 Run:1
Running from C:\Users\Sasha\Desktop
Loaded Profiles: Sasha &  (Available profiles: Sasha & SEAN)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Vagex] => C:\Users\Sasha\Downloads\Vagex.exe [158720 2014-12-21] (Vagex)
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\...\Run: [AdobeBridge] => [X]
URLSearchHook: HKLM-x32 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
URLSearchHook: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1 -> No Name - {B24BA06E-FB7B-4757-95C2-DC01125F750E} -  No File
Handler: WSWSVCUchrome - No CLSID Value
FF SearchEngineOrder.1: GadgetBox
FF SearchEngineOrder.1,S: GadgetBox
FF SelectedSearchEngine: GadgetBox
FF SelectedSearchEngine,S: GadgetBox
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Extension: Vagex Firefox Add-On - C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\ffaddon@vagex.com [2014-12-22]
S4 cozaghost; "C:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exe" /ts2=1 [X]
S4 cozwdhost; "C:\ProgramData\zoomify_29\1.1.0.29\cozwdhost.exe" -scm [X]
S0 aphmpr; System32\drivers\yead.sys [X]
S3 WISOVD; \??\C:\Program Files (x86)\WinISO Computing\WinISO\bin\driver\WISOVD_win7_x64.sys [X]
2014-12-21 16:26 - 2014-12-21 16:26 - 00003118 _____ () C:\Windows\System32\Tasks\{4B296C36-5476-4F4B-8E5D-A7D9D324E031}
2014-12-21 16:09 - 2014-12-21 16:09 - 00000064 _____ () C:\Users\Sasha\AppData\Local\12662fe45a6dd3765dd5c8e27163711a
2014-12-21 18:04 - 2012-09-30 22:54 - 00000358 ____H () C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job
C:\Users\Sasha\AppData\Local\Temp\avgnt.exe
C:\Users\Sasha\AppData\Local\Temp\bccbcabecbcab.exe
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Sasha\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Sasha\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0}\InprocServer32 -> 42494E41525953545245414D0300000003000000591248CE8BE38A631FB24E0033D1BD35475DB327E7A9CAA293834BF04FC6 (the data entry has 8 more characters).
Task: {A374C336-1680-49AB-B031-936F9FE625D8} - System32\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3} => C:\ProgramData\Premium\GBox\GBox.exe <==== ATTENTION
Task: C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job => C:\ProgramData\Premium\GBox\GBox.exe <==== ATTENTION
C:\Users\Sasha\Downloads\Vagex.exe
2014-12-19 00:09 - 2014-12-19 00:09 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Vagex
2014-12-18 23:33 - 2014-12-22 20:37 - 00040960 _____ () C:\Users\Sasha\Downloads\vagex.log
2014-12-18 23:32 - 2012-11-20 11:58 - 00151552 _____ ( ) C:\Users\Sasha\Downloads\Interop.SHDocVw.dll
2014-12-18 23:32 - 2012-11-20 11:58 - 00016384 _____ (Vagex) C:\Users\Sasha\Downloads\updater.exe
C:\ProgramData\Premium\GBox
AlternateDataStreams: C:\ProgramData\Microsoft:gtx5Gjmh9Tod5geC78fPN
AlternateDataStreams: C:\ProgramData\Microsoft:khl8uejdQ3xy0iRQG1LMVLTY
AlternateDataStreams: C:\ProgramData\Microsoft:TjcHdea7N6NpkHbDHbNak
AlternateDataStreams: C:\Users\Sasha\Local Settings:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local\Application Data:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local\Temporary Internet Files:EKTuaS3MjFT6JXQwgWaJ
*****************

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run\\Vagex => value deleted successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\ => value deleted successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\ => value deleted successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\URLSearchHooks\\ => value deleted successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\URLSearchHooks\\ => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{B24BA06E-FB7B-4757-95C2-DC01125F750E} => value deleted successfully.
HKCR\CLSID\{B24BA06E-FB7B-4757-95C2-DC01125F750E} => Key not found.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Value not found.
HKCR\CLSID\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{B24BA06E-FB7B-4757-95C2-DC01125F750E} => Value not found.
HKCR\CLSID\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{B24BA06E-FB7B-4757-95C2-DC01125F750E} => Key not found.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Value not found.
HKCR\CLSID\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{B24BA06E-FB7B-4757-95C2-DC01125F750E} => Value not found.
HKCR\CLSID\Toolbar: HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{{B24BA06E-FB7B-4757-95C2-DC01125F750E} => Key not found.
HKCR\PROTOCOLS\Handler\Handler: WSWSVCUchrome - No CLSID Value => Key not found.
Firefox SearchEngineOrder.1 deleted successfully.
Firefox SearchEngineOrder.1,S deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox SelectedSearchEngine,S deleted successfully.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin" => Key deleted successfully.
C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll not found.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin" => Key deleted successfully.
C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll not found.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-1\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin" => Key deleted successfully.
C:\Users\Sasha\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll not found.
C:\Users\Sasha\AppData\Roaming\Mozilla\Firefox\Profiles\0utth5kf.default\Extensions\ffaddon@vagex.com => Moved successfully.
cozaghost => Service deleted successfully.
cozwdhost => Service deleted successfully.
aphmpr => Service deleted successfully.
WISOVD => Service deleted successfully.
C:\Windows\System32\Tasks\{4B296C36-5476-4F4B-8E5D-A7D9D324E031} => Moved successfully.
C:\Users\Sasha\AppData\Local\12662fe45a6dd3765dd5c8e27163711a => Moved successfully.
C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job => Moved successfully.
C:\Users\Sasha\AppData\Local\Temp\avgnt.exe => Moved successfully.
C:\Users\Sasha\AppData\Local\Temp\bccbcabecbcab.exe => Moved successfully.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}" => Key deleted successfully.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => Key deleted successfully.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.
"HKU\S-1-5-21-175057651-2618150129-1025104438-1000_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A374C336-1680-49AB-B031-936F9FE625D8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A374C336-1680-49AB-B031-936F9FE625D8}" => Key deleted successfully.
C:\Windows\System32\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}" => Key deleted successfully.
C:\Windows\Tasks\GBoxUpdaterTask{AB87E263-C16C-4F48-B38F-08C90EDB28E3}.job not found.
C:\Users\Sasha\Downloads\Vagex.exe => Moved successfully.
C:\Users\Sasha\AppData\Local\Vagex => Moved successfully.
Could not move "C:\Users\Sasha\Downloads\vagex.log" => Scheduled to move on reboot.
C:\Users\Sasha\Downloads\Interop.SHDocVw.dll => Moved successfully.
C:\Users\Sasha\Downloads\updater.exe => Moved successfully.
"C:\ProgramData\Premium\GBox" => File/Directory not found.
C:\ProgramData\Microsoft => ":gtx5Gjmh9Tod5geC78fPN" ADS removed successfully.
C:\ProgramData\Microsoft => ":khl8uejdQ3xy0iRQG1LMVLTY" ADS removed successfully.
C:\ProgramData\Microsoft => ":TjcHdea7N6NpkHbDHbNak" ADS removed successfully.
"C:\Users\Sasha\Local Settings" => ":bSO4EhIuWyyE9BDVtiCpnT" ADS not found.
C:\Users\Sasha\AppData\Local => ":bSO4EhIuWyyE9BDVtiCpnT" ADS removed successfully.
"C:\Users\Sasha\AppData\Local\Application Data" => ":bSO4EhIuWyyE9BDVtiCpnT" ADS not found.
"C:\Users\Sasha\AppData\Local\Temporary Internet Files" => ":EKTuaS3MjFT6JXQwgWaJ" ADS not found.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-29 21:58:05)<=

C:\Users\Sasha\Downloads\vagex.log => Is moved successfully.

==== End of Fixlog 21:58:05 ====
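The Fixlog above is FRST's record of what happened to each fixlist entry: registry values and keys deleted, services and scheduled tasks removed, files moved to quarantine, one file deferred to reboot, and several "not found" results. As an added example (not part of this thread and not code from Farbar Recovery Scan Tool), the Python script below classifies fixlist entries by the persistence mechanism they target (Run keys, services and drivers, scheduled tasks, COM CLSIDs, IE search hooks, alternate data streams, plain files) and sorts Fixlog result lines by outcome, so a reviewer can see at a glance what was removed, what was already gone, and what is still pending. The sample text is constructed to mirror the log above with the SIDs shortened; the category names and regular expressions are the example's own, not FRST's.

```python
"""Triage helper for FRST fixlist entries and Fixlog.txt result lines.

Added example for this thread; it is not part of Farbar Recovery Scan Tool.
Category names, regexes and the sample text below are the example's own.
"""
import re
from collections import Counter, defaultdict

# Constructed sample mirroring the shape of the fixlist above (SIDs shortened).
SAMPLE_FIXLIST = r"""
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-1000-0\...\Run: [Vagex] => C:\Users\Sasha\Downloads\Vagex.exe [158720 2014-12-21] (Vagex)
URLSearchHook: HKLM-x32 - Default Value = {3B81079D-2AC9-425f-A494-A1C7D93AFA3C}
S4 cozaghost; "C:\ProgramData\zoomify_29\1.1.0.29\cozaghost.exe" /ts2=1 [X]
S0 aphmpr; System32\drivers\yead.sys [X]
Task: {A374C336-1680-49AB-B031-936F9FE625D8} - System32\Tasks\GBoxUpdaterTask => C:\ProgramData\Premium\GBox\GBox.exe <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-1000_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0}\InprocServer32 -> 42494E41525953545245414D03
AlternateDataStreams: C:\Users\Sasha\Local Settings:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local:bSO4EhIuWyyE9BDVtiCpnT
AlternateDataStreams: C:\Users\Sasha\AppData\Local\Application Data:bSO4EhIuWyyE9BDVtiCpnT
2014-12-19 00:09 - 2014-12-19 00:09 - 00000000 ____D () C:\Users\Sasha\AppData\Local\Vagex
C:\Users\Sasha\Downloads\Vagex.exe
"""

# Constructed sample of Fixlog result lines in the wording FRST uses.
SAMPLE_FIXLOG = r"""
Content of fixlist:
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\S-1-5-21-1000-0\Software\Microsoft\Windows\CurrentVersion\Run\\Vagex => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\ => value deleted successfully.
cozaghost => Service deleted successfully.
aphmpr => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A374C336-1680-49AB-B031-936F9FE625D8}" => Key deleted successfully.
"HKU\S-1-5-21-1000_Classes\CLSID\{F0D5B8DF-FA50-4AC1-B644-6DD3DABA2DC0}" => Key deleted successfully.
"C:\Users\Sasha\Local Settings" => ":bSO4EhIuWyyE9BDVtiCpnT" ADS not found.
C:\Users\Sasha\AppData\Local => ":bSO4EhIuWyyE9BDVtiCpnT" ADS removed successfully.
"C:\Users\Sasha\AppData\Local\Application Data" => ":bSO4EhIuWyyE9BDVtiCpnT" ADS not found.
C:\Users\Sasha\AppData\Local\Vagex => Moved successfully.
C:\Users\Sasha\Downloads\Vagex.exe => Moved successfully.
Could not move "C:\Users\Sasha\Downloads\vagex.log" => Scheduled to move on reboot.
"C:\ProgramData\Premium\GBox" => File/Directory not found.
==== End of Fixlog ====
"""

# Fixlist line shapes -> persistence mechanism (first match wins, so order matters).
ENTRY_KINDS = [
    (re.compile(r"^AlternateDataStreams:"), "ads"),
    (re.compile(r"^Task:"), "scheduled_task"),
    (re.compile(r"^CustomCLSID:|^HKLM\\.*\\InprocServer32:"), "com_clsid"),
    (re.compile(r"^[RS][0-4] \w+;"), "service_or_driver"),
    (re.compile(r"^HK(LM|U)\\.*\\Run: "), "run_key"),
    (re.compile(r"^URLSearchHook:"), "ie_search_hook"),
    (re.compile(r"^Toolbar:"), "ie_toolbar"),
    (re.compile(r"^FF "), "firefox_setting"),
    (re.compile(r"^\d{4}-\d{2}-\d{2} |^[A-Za-z]:\\"), "file_or_dir"),
]

# Fixlog verdict wording -> outcome. "pending" is checked first because that
# line also contains a quoted path that looks like an ordinary file entry.
OUTCOME_RULES = [
    (re.compile(r"Scheduled to move on reboot\.$"), "pending_reboot"),
    (re.compile(r"(Moved|Is moved|deleted|removed) successfully\.$"), "removed"),
    (re.compile(r"Value was restored successfully\.$"), "restored"),
    (re.compile(r"not found\.$"), "not_found"),
]

ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+):(?P<stream>[^:\\]+)$")


def classify_entry(line: str) -> str:
    """Name the persistence mechanism a fixlist line targets."""
    for pattern, kind in ENTRY_KINDS:
        if pattern.search(line):
            return kind
    return "other"


def classify_outcome(line: str):
    """Name the outcome a Fixlog result line reports; None for non-result lines."""
    for pattern, outcome in OUTCOME_RULES:
        if pattern.search(line):
            return outcome
    return None


def summarize_fixlist(text: str) -> dict:
    """Count fixlist entries per persistence mechanism."""
    return dict(Counter(classify_entry(l.strip()) for l in text.splitlines() if l.strip()))


def summarize_fixlog(text: str) -> dict:
    """Group Fixlog result lines by outcome, skipping lines without a verdict."""
    grouped = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        outcome = classify_outcome(line)
        if outcome:
            grouped[outcome].append(line)
    return dict(grouped)


def ads_stream_groups(text: str) -> dict:
    """Map each ADS stream name that appears under more than one path to those paths.

    On Vista and later the legacy 'Local Settings' and 'Application Data' names
    are junctions into AppData\\Local, so one stream is listed three times, FRST
    removes it once, and the two remaining 'ADS not found' lines are expected.
    """
    groups = defaultdict(list)
    for raw in text.splitlines():
        m = ADS_RE.match(raw.strip())
        if m:
            groups[m.group("stream")].append(m.group("path"))
    return {stream: paths for stream, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    print("fixlist entries by mechanism:", summarize_fixlist(SAMPLE_FIXLIST))
    for outcome, lines in summarize_fixlog(SAMPLE_FIXLOG).items():
        print(f"{outcome}: {len(lines)}")
    for stream, paths in ads_stream_groups(SAMPLE_FIXLIST).items():
        print(f"stream {stream} listed under {len(paths)} paths (junction aliases?)")
```

Run it against a real Fixlog by reading the file into the two summarize functions. The point of the ADS grouping is the caveat visible in the log above: the same stream name bSO4EhIuWyyE9BDVtiCpnT was listed under "Local Settings", "AppData\Local" and "AppData\Local\Application Data", removed once and reported "not found" twice. Those three paths are the same directory, so that is a successful removal, not a stream that survived the fix.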



#10 Oh My! (Malware Response Instructor, 35,565 posts, California)

Posted 29 December 2014 - 10:21 PM

Hi Sasha,

Chrome is actually scheduled to start in the background on computer boot up. This is not malicious behavior.

HKU\S-1-5-21-175057651-2618150129-1025104438-1000\...\Run: [GoogleChromeAutoLaunch_3B6A60E56BCE5F44532CD2A14A3F77CC] => C:\Users\Sasha\AppData\Local\Google\Chrome\Application\chrome.exe [856904 2014-12-05] (Google Inc.)


How is the computer running?
Gary

#11 ravendark (Topic Starter, Members, 13 posts)

Posted 29 December 2014 - 10:26 PM

Hey Gary!


Thanks for the heads up about chrome! I didn't know that =) The computer is running the same as before, only with all the crap removed =) The computer was never really acting funny, besides when Gadgetbox and Zoomify were doing their own things. Besides those, the main concern now is why my computer will not boot properly 75% of the time. And I couldn't and still can't boot in safe mode. The computer boots, I select safe mode, and you can hear the computer fan running like crazy but it's just a black screen indefinitely. It does this for any booting mode other than normal mode and in normal mode it will happen about 75% of the time. I just have to keep hard restarting until it boots normally. Is this something to be concerned about?


Thank you so so SO much for your help! You are a wizard! How can I learn what you know about malware and computers?



#12 Oh My! (Malware Response Instructor, 35,565 posts, California)

Posted 29 December 2014 - 11:18 PM

Hi Sasha,

Thank you for your kind words. I am ending for the evening but would like to continue addressing your concerns tomorrow even though I don't believe they are malware related.

I am not sure what your intentions are regarding learning about malware but BleepingComputer has a Malware Training Program which is available to those who would like to enter an intense training program with the express desire to volunteer their services to others in the same way I and my colleagues are doing. For more information see here.
 
See you tomorrow!

Edited by Oh My!, 30 December 2014 - 09:02 AM.

Gary

#13 ravendark (Topic Starter, Members, 13 posts)

Posted 29 December 2014 - 11:27 PM

Thanks Gary!


I will check out the information. Have a good night!


-Sasha



#14 ravendark (Topic Starter, Members, 13 posts)

Posted 29 December 2014 - 11:29 PM

Argh! Link came up as "You do not have permission to view this forum" =(



#15 Oh My! (Malware Response Instructor, 35,565 posts, California)

Posted 30 December 2014 - 09:02 AM

Sorry Sasha, try the link again.
Gary



