Stubborn Infections: Backdoor, Trojan, Pwd Stealer & Files Encrypter


This topic is locked
40 replies to this topic

#1 Sharekhan


Posted 24 January 2015 - 01:57 AM

Hello,

My computer was infected on 24 Dec 14 when I (very stupidly) downloaded a 'Total Codec' file.

My only AV is Microsoft Security Essentials. The computer is used for both work and home. I do not have any backups as of now.

The AV keeps reporting many infections, some of which I mention below:

Backdoor:Win32/Simda.AT
Trojan:Win32/Miuref.F
Trojan:Win32/Peaac.gen!A!plock (this one has the file name UpdateFlashPlayer_1f69e11e.exe)

Also Zbot and some other items. The two main paths where the infections are found are:

C:\ProgramData\Microsoft\Secure\Icons\temp
C:\Users\Accounts\AppData\Local\Temp

There was a file weimi.exe which used to keep coming up in the first scans but has stopped appearing in scans now. However, I did read this file name in one of the logs by Farbar (I think in Addition.txt).

Also there is a suspicious DLL, IconsCacheHelper.dll, at path C:\ProgramData\Microsoft\Secure\Icons\temp. I have tried to delete this but was unable to do it; I get an error when trying to unregister the DLL.

Next, on 12 Jan 2015, another virus struck (maybe by an attacker using the backdoor...) and I noticed last week that many of my .doc, .zip and .xls files and all my photos have been encrypted. I was doing research on how to solve all these problems and ended up on this site. I have noticed that restore points are not available before 13 Jan 2015, and ShadowExplorer was also not able to help.

I have run DSS and Farbar but I still don't have a backup. Hope someone can help me here.

FRST.txt text follows:
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by Accounts (administrator) on SJB-SAMSUNG on 24-01-2015 10:19:54
Running from C:\Users\Accounts\Downloads
Loaded Profiles: UpdatusUser & Accounts (Available profiles: UpdatusUser & Accounts & GoMad Inc. (Launch))
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Samsung) C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(ITknowledge24.com) C:\Program Files\ITknowledge24\uTray.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(SPIS Ltd, New Zealand) C:\Program Files (x86)\TurboNote\tbnote.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe
(Samsung Electronics) C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe
(Indus Data Systems) C:\Islamic\azaan.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(AnchorFree Inc.) C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe
() C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
(Pervasive Software Inc.) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(SAMSUNG Electronics) C:\Program Files (x86)\Samsung\Easy Support Center\SSCKbdHk.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-12-03] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: %LocalAppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [uTray] => C:\Program Files\ITknowledge24\uTray.exe [55296 2010-07-05] (ITknowledge24.com)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [URFmedia] => regsvr32.exe C:\Users\Accounts\AppData\Local\URFmedia\ep0lvr1s.dll <===== ATTENTION
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [IZNsoft] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Accounts\AppData\Local\Eption\CNHLX310.dll
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [Kauzgasyzoefwoi] => "C:\Users\Accounts\AppData\Roaming\Cykooxat\weimi.exe"
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [wincl] => C:\Users\Accounts\AppData\Roaming\WinCL\wincl.exe
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [Yfnoaktixuyx] => "C:\Users\Accounts\AppData\Roaming\Ysxeweun\viylwy.exe"
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\RunOnce: [Adobe Speed Launcher] => 1421930972
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {866a2824-578b-11e1-a696-dca971b87512} - "F:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {cfc16c37-1bb0-11e3-b93f-dca971b87512} - F:\AutoRun.exe
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {db1de089-f4f1-11e2-99d0-dca971b87512} - F:\MI.exe
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [226920 2011-06-05] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll => C:\windows\SysWOW64\nvinit.dll [193128 2011-06-05] (NVIDIA Corporation)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Azaan.lnk
ShortcutTarget: Azaan.lnk -> C:\Users\Accounts\AppData\Roaming\Microsoft\Installer\{AB8810C5-2B7E-4E5F-8B14-34476325BC79}\azaan.exe1_AB8810C52B7E4E5F8B1434476325BC79.exe (InstallShield Software Corp.)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IJ Network Scanner Selector EX.lnk
ShortcutTarget: IJ Network Scanner Selector EX.lnk -> C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe (CANON INC.)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TurboNote.lnk
ShortcutTarget: TurboNote.lnk -> C:\Program Files (x86)\TurboNote\tbnote.exe (SPIS Ltd, New Zealand)
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-4089285565-4052558029-1726783300-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.eazel.com/?id=AAAe62e49bb1bb40a3e6a642204676f4252&oid=1
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://samsung.msn.com/
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://samsung.msn.com
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
URLSearchHook: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 - (No Name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - No File
URLSearchHook: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 - (No Name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - No File
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=SMSTDF&pc=MASM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO: Hotspot Shield Class -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
BHO-x32: IEExtension.VDownloaderBHO -> {7b523e7c-f096-4e36-a0cb-7efeb5c675c1} -> C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {37483B40-C254-4A72-BDA4-22EE90182C1E} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4089285565-4052558029-1726783300-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Accounts\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-4089285565-4052558029-1726783300-1001: vitzo.com/VDownloader -> C:\Program Files (x86)\VDownloader\Addons\npVDownloader.dll No File
FF user.js: detected! => C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default\user.js
FF Extension: MP3 Byte Stream Handler - C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default\Extensions\{A81A2294-5A42-7956-6670-CF8A4ACFEC5B} [2014-12-24]
FF Extension: Hotspot Shield Extension - C:\Program Files (x86)\Mozilla Firefox\extensions\afext@anchorfree.com [2013-10-02]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: SmartPrintButton - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2012-02-14]
FF HKLM-x32\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files (x86)\VDownloader\Addons\FireFox
FF HKLM-x32\...\Firefox\Extensions: [OKitSpace@OKitSpace.es] - C:\Users\Accounts\AppData\Roaming\okitSpace\Firefox
FF Extension: No Name - C:\Users\Accounts\AppData\Roaming\okitSpace\Firefox [Not Found]
FF Extension: No Name - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [Not Found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/", "https://news.google.com/"
CHR Profile: C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-19]
CHR Extension: (Google Drive) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-19]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-23]
CHR Extension: (YouTube) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-03-31]
CHR Extension: (Google Search) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-03-31]
CHR Extension: (Google Wallet) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-03-31]
CHR HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\Accounts\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx [2012-06-07]
CHR HKLM-x32\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files (x86)\VDownloader\Addons\Chrome.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [lbidgdoiglndbjlcnnifemecdhnpeabo] - C:\Users\Accounts\AppData\Roaming\okitSpace\Chrome\OKitSpace.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\Accounts\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx [2012-06-07]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [136704 2009-06-24] (HP) [File not signed]
R2 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [958248 2014-08-19] (AnchorFree Inc.)
S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-08-15] ()
R2 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [573224 2014-08-15] ()
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 psqlWGE; C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435528 2011-04-07] (Pervasive Software Inc.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] () [File not signed]
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [44744 2014-08-15] (AnchorFree Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-10-08] (Marvell Semiconductor, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [47632 2010-01-27] (CACE Technologies, Inc.)
S3 rtport; C:\windows\SysWOW64\drivers\rtport.sys [15144 2011-12-15] (Windows ® 2003 DDK 3790 provider)
R2 SGDrv; C:\Windows\System32\DRIVERS\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.)
R3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2014-05-17] (Anchorfree Inc.)
S1 atkwzkfx; \??\C:\windows\system32\drivers\atkwzkfx.sys [X]
S1 bxnqjjug; \??\C:\windows\system32\drivers\bxnqjjug.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S1 ejwbuggl; \??\C:\windows\system32\drivers\ejwbuggl.sys [X]
S1 esxpsmqu; \??\C:\windows\system32\drivers\esxpsmqu.sys [X]
S1 qrncqaet; \??\C:\windows\system32\drivers\qrncqaet.sys [X]
S1 sygsazox; \??\C:\windows\system32\drivers\sygsazox.sys [X]
S1 wzrjrcdj; \??\C:\windows\system32\drivers\wzrjrcdj.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-24 10:19 - 2015-01-24 10:21 - 00024243 _____ () C:\Users\Accounts\Downloads\FRST.txt
2015-01-24 10:19 - 2015-01-24 10:20 - 00000000 ____D () C:\FRST
2015-01-24 10:19 - 2015-01-24 10:19 - 02186752 _____ () C:\Users\Accounts\Downloads\AdwCleaner.exe
2015-01-24 10:17 - 2015-01-24 10:18 - 02126848 _____ (Farbar) C:\Users\Accounts\Downloads\FRST64.exe
2015-01-22 16:12 - 2015-01-22 16:55 - 00024982 _____ () C:\Users\Accounts\Desktop\dds.txt
2015-01-22 16:12 - 2015-01-22 16:55 - 00013421 _____ () C:\Users\Accounts\Desktop\attach.txt
2015-01-22 16:09 - 2015-01-22 16:09 - 00688992 ____R (Swearware) C:\Users\Accounts\Downloads\dds.com
2015-01-22 12:17 - 2015-01-22 12:21 - 00009294 __RSH () C:\ProgramData\ntuser.pol
2015-01-21 21:31 - 2015-01-21 21:31 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-21 21:31 - 2015-01-21 21:31 - 00002019 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2015-01-21 21:30 - 2015-01-22 16:46 - 00000000 ____D () C:\ProgramData\Adobe
2015-01-21 21:30 - 2015-01-21 21:30 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-01-21 21:29 - 2015-01-21 21:29 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\www.shadowexplorer.com
2015-01-21 21:28 - 2015-01-21 21:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2015-01-21 21:28 - 2015-01-21 21:28 - 00000000 ____D () C:\Program Files (x86)\ShadowExplorer
2015-01-21 21:25 - 2015-01-21 21:25 - 00969845 _____ (ShadowExplorer.com ) C:\Users\Accounts\Downloads\ShadowExplorer-0.9-setup.exe
2015-01-21 10:02 - 2015-01-21 10:43 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Tutous
2015-01-19 15:30 - 2015-01-21 09:29 - 00111016 _____ (Oracle Corporation) C:\windows\system32\WindowsAccessBridge-64.dll
2015-01-19 15:29 - 2015-01-19 15:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-19 15:28 - 2015-01-21 09:33 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-19 15:28 - 2015-01-21 09:31 - 00000000 ____D () C:\Program Files\Java
2015-01-15 08:19 - 2015-01-15 08:29 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Ysxeweun
2015-01-14 09:00 - 2014-12-19 07:06 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-01-14 09:00 - 2014-12-19 05:46 - 00141312 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2015-01-14 09:00 - 2014-12-06 08:17 - 00303616 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2015-01-14 09:00 - 2014-12-06 07:50 - 00156672 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncsi.dll
2015-01-14 09:00 - 2014-12-06 07:50 - 00052224 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2015-01-14 08:59 - 2014-12-12 09:35 - 05553592 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-01-14 08:59 - 2014-12-12 09:31 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-01-14 08:59 - 2014-12-12 09:31 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-01-14 08:59 - 2014-12-12 09:31 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-01-14 08:59 - 2014-12-12 09:11 - 03971512 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-01-14 08:59 - 2014-12-12 09:11 - 03916728 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-01-14 08:59 - 2014-12-12 09:07 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-01-14 08:59 - 2014-12-11 21:47 - 00087040 _____ (Microsoft Corporation) C:\windows\system32\TSWbPrxy.exe
2015-01-13 09:00 - 2015-01-17 18:20 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-13 08:55 - 2015-01-13 13:41 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Soqyot
2015-01-12 14:22 - 2015-01-19 15:02 - 00120992 _____ () C:\Users\Accounts\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-12 13:33 - 2015-01-12 13:34 - 02277402 _____ () C:\Users\Accounts\enc_files.txt
2015-01-08 15:05 - 2015-01-08 16:25 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Sakegy
2014-12-28 16:58 - 2015-01-19 14:59 - 00025884 _____ () C:\Users\Accounts\Desktop\Payment Request Summary.xlsx
2014-12-27 08:34 - 2014-12-27 14:36 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Cykooxat
2014-12-25 11:55 - 2014-12-25 11:55 - 00000000 ____D () C:\Users\Accounts\Documents\My Received Files
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-24 10:17 - 2012-05-07 15:51 - 00000000 ____D () C:\Users\Accounts\Documents\Outlook Files
2015-01-24 10:00 - 2014-12-24 20:55 - 00000822 _____ () C:\windows\Tasks\Security Center Update - 203003518.job
2015-01-24 09:51 - 2011-10-14 03:49 - 01089779 _____ () C:\windows\WindowsUpdate.log
2015-01-24 09:42 - 2012-03-25 14:28 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-24 09:21 - 2009-07-14 08:45 - 00032720 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-24 09:21 - 2009-07-14 08:45 - 00032720 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-24 09:14 - 2012-03-25 14:28 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-24 09:06 - 2012-12-12 16:31 - 00000000 ____D () C:\Users\Accounts\AppData\Local\132D14A1-FC17-4B7C-B4E2-7C895708B797.aplzod
2015-01-23 11:16 - 2013-10-23 18:48 - 00000000 ____D () C:\Users\Accounts\Downloads\havra school worksheets
2015-01-22 16:54 - 2009-07-14 09:13 - 00790176 _____ () C:\windows\system32\PerfStringBackup.INI
2015-01-22 16:46 - 2014-06-21 15:16 - 00015975 _____ () C:\windows\setupact.log
2015-01-22 16:46 - 2009-07-14 09:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-01-22 16:45 - 2010-11-21 07:47 - 00744376 _____ () C:\windows\PFRO.log
2015-01-21 21:32 - 2012-02-02 15:55 - 00000000 ____D () C:\Users\Accounts\AppData\Local\Adobe
2015-01-21 13:52 - 2012-04-05 13:14 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\vlc
2015-01-21 13:42 - 2012-01-26 13:42 - 00000000 ____D () C:\windows\System32\Tasks\NCH Software
2015-01-21 11:50 - 2012-02-26 18:44 - 00000000 ____D () C:\TallyTB
2015-01-21 10:42 - 2012-01-26 13:32 - 00000000 ____D () C:\Users\Accounts\AppData\Local\CrashDumps
2015-01-21 10:38 - 2012-01-25 15:38 - 00000519 _____ () C:\windows\ODBCINST.INI
2015-01-21 10:38 - 2012-01-25 15:38 - 00000028 _____ () C:\windows\ODBC.INI
2015-01-21 10:38 - 2012-01-25 15:38 - 00000000 ____D () C:\Program Files (x86)\Tally.ERP9
2015-01-21 10:05 - 2009-07-14 07:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2015-01-21 09:27 - 2012-01-25 15:38 - 00000061 _____ () C:\Users\Accounts\Documents\TallyODBC_9000.dsn
2015-01-19 16:30 - 2009-07-14 08:45 - 00438520 _____ () C:\windows\system32\FNTCACHE.DAT
2015-01-19 16:17 - 2012-01-22 19:23 - 00774486 _____ () C:\windows\SysWOW64\PerfStringBackup.INI
2015-01-19 16:09 - 2013-07-24 09:43 - 00000000 ____D () C:\windows\system32\MRT
2015-01-19 15:48 - 2012-02-08 18:45 - 113365784 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-01-19 15:32 - 2012-04-05 15:57 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-19 11:49 - 2009-07-14 09:32 - 00000000 ____D () C:\windows\system32\FxsTmp
2015-01-17 10:30 - 2013-07-01 14:50 - 00000000 ____D () C:\Users\Accounts\Documents\24by7
2015-01-17 10:27 - 2012-02-23 13:06 - 00000000 ____D () C:\Users\Accounts\Documents\Personal
2015-01-12 14:50 - 2014-09-08 15:17 - 00113995 _____ () C:\Users\Accounts\Downloads\linkedin_connections_export_microsoft_outlook 8Sept14.xlsx
2015-01-12 14:49 - 2014-11-12 09:22 - 09435719 _____ () C:\Users\Accounts\Downloads\2008.zip
2015-01-12 13:40 - 2014-12-22 09:36 - 00115317 _____ () C:\Users\Accounts\Desktop\24x717-12-14.xlsx
2015-01-12 13:40 - 2014-12-10 10:19 - 00074500 _____ () C:\Users\Accounts\Desktop\24x7 #ing System letter list.xlsx
2015-01-12 13:40 - 2014-09-30 13:07 - 00010914 _____ () C:\Users\Accounts\Documents\Surooh Aug14.xlsx
2015-01-12 13:40 - 2014-09-07 09:15 - 00036081 _____ () C:\Users\Accounts\Desktop\PowerPoint Attendance Aug14.xlsx
2015-01-12 13:40 - 2014-08-03 16:18 - 00032652 _____ () C:\Users\Accounts\Desktop\PowerPoint Attendance JUNE.xlsx
2015-01-12 13:40 - 2014-07-02 16:00 - 00010668 _____ () C:\Users\Accounts\Desktop\Recruitment List.xlsx
2015-01-12 13:40 - 2014-05-12 09:49 - 00024967 _____ () C:\Users\Accounts\Documents\SPDDS 24by7 2013 May14.xlsx
2015-01-12 13:40 - 2014-01-13 09:11 - 00011566 _____ () C:\Users\Accounts\Documents\Enquiry-Diving suit and materials.xlsx
2015-01-12 13:40 - 2013-03-19 17:44 - 00008282 _____ () C:\Users\Accounts\Documents\guests for Openthinking Day.xlsx
2015-01-12 13:33 - 2012-01-22 18:57 - 00000000 ____D () C:\Users\Accounts
2015-01-11 09:40 - 2009-07-14 07:20 - 00000000 ____D () C:\windows\system32\NDF
2015-01-08 15:12 - 2012-02-18 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
2015-01-08 12:31 - 2012-06-23 17:38 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\uTorrent
2015-01-07 09:40 - 2014-12-22 10:58 - 00000019 _____ () C:\Users\Accounts\Desktop\userconfig.txt
2014-12-31 15:14 - 2010-11-21 07:27 - 00298120 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-12-31 09:37 - 2011-10-13 12:53 - 00000000 ____D () C:\Program Files (x86)\CyberLink
2014-12-31 09:30 - 2012-01-25 16:25 - 00000000 ____D () C:\Program Files (x86)\Business Objects
2014-12-31 09:27 - 2012-01-26 13:42 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\NCH Software
2014-12-31 09:27 - 2012-01-26 13:42 - 00000000 ____D () C:\Program Files (x86)\NCH Software
2014-12-31 09:06 - 2014-12-24 16:36 - 00000000 ____D () C:\Users\Accounts\AppData\Local\Eption
2014-12-25 15:50 - 2013-12-12 14:34 - 00009265 _____ () C:\windows\IE11_main.log
2014-12-25 12:14 - 2012-01-25 16:28 - 00000000 ____D () C:\windows\Crystal
2014-12-25 12:14 - 2012-01-25 16:19 - 00154798 _____ () C:\windows\PeachWLog.XML
2014-12-25 12:14 - 2011-10-13 11:51 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-12-25 12:09 - 2012-01-25 16:19 - 00000548 _____ () C:\windows\SysWOW64\Microsoft.VC90.MFC.manifest
2014-12-25 12:09 - 2012-01-25 16:19 - 00000524 _____ () C:\windows\SysWOW64\Microsoft.VC90.CRT.manifest
2014-12-25 12:00 - 2013-04-21 13:30 - 00000000 ___RD () C:\Users\Accounts\Dropbox
2014-12-25 11:58 - 2012-02-20 19:17 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Skype
2014-12-25 11:44 - 2012-04-05 13:03 - 00000000 ____D () C:\Program Files (x86)\SmartDraw 2012
2014-12-25 11:38 - 2014-01-19 09:46 - 00000000 ____D () C:\windows\system32\appmgmt
2014-12-25 11:38 - 2009-07-14 07:20 - 00000000 __RHD () C:\Users\Public\Libraries
2014-12-25 06:05 - 2013-04-21 10:36 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Dropbox
 
==================== Files in the root of some directories =======
2013-01-22 09:22 - 2013-01-22 09:22 - 0001474 _____ () C:\Users\Accounts\AppData\Roaming\CompatAdmin.log
2014-02-15 10:51 - 2014-07-16 13:27 - 0007644 _____ () C:\Users\Accounts\AppData\Local\resmon.resmoncfg
2012-02-20 19:18 - 2012-02-20 19:18 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2011-10-13 13:00 - 2011-10-13 13:01 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2011-10-13 12:53 - 2011-10-13 12:53 - 0000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log
2011-10-13 12:58 - 2011-10-13 12:59 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2011-10-13 12:54 - 2011-10-13 12:58 - 0000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log
2011-10-13 12:59 - 2011-10-13 13:00 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
 
Some content of TEMP:
====================
C:\Users\Accounts\AppData\Local\Temp\jre-8u31-windows-au.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-14 13:15
 
==================== End Of Log ============================
 
 
 
 
 

Edited by Sharekhan, 24 January 2015 - 03:05 AM.



 


#2 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts

Posted 24 January 2015 - 02:09 AM

Oh, I thought I should also mention that I have used Local Policy to stop exe files from running from the path %Appdata% - I have set 4 path policies based on a topic I read on a forum here...

 

addition.txt from Farbar attached with First post

 

I also have dds.txt from DDS if that is required.


Edited by Sharekhan, 24 January 2015 - 03:07 AM.


#3 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts

Posted 25 January 2015 - 06:58 AM

Update: The password stealer Zbot is being detected too many times - it is running from C:\ProgramData\Microsoft\Secure\Icons\temp

 

I set up a disallow rule for Path C:\ProgramData\Microsoft\Secure\Icons\temp\*.exe to avoid any problems.

 

Also I will start taking a backup of the important files today.



#4 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,133 posts
  • Gender:Male
  • Location:Germany

Posted 25 January 2015 - 02:22 PM

Hey, :)
What's with the Addition Log?

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#5 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts

Posted 25 January 2015 - 11:46 PM

Hello Agent 007,

 

I am sorry I could not understand your question. The Addition Log has been attached with my first post. 



#6 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,133 posts
  • Gender:Male
  • Location:Germany

Posted 26 January 2015 - 10:46 AM

Sorry, overlooked it. :S

Can you please post it directly into the thread, because I cannot open attachments on my system. :)

~Machiavelli

 
 


#7 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts

Posted 26 January 2015 - 11:47 PM

Hello Machiavelli,

 

Thank you for the help you will provide to clean my PC.

 

On the first day, after running the Farbar tool, I think I ran ADWCleaner as well. I also removed a lot of my data files (pics, Word, Excel, etc.). From now on I will not be making any changes or running any tools unless you ask me to...

 

What I did today is run Farbar again, and I am posting both the FRST and Addition logs here....

 

FRST Log follows:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01

Ran by Accounts (administrator) on SJB-SAMSUNG on 27-01-2015 08:26:50
Running from C:\Users\Accounts\Desktop
Loaded Profiles: UpdatusUser & Accounts (Available profiles: UpdatusUser & Accounts & GoMad Inc. (Launch))
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(AnchorFree Inc.) C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe
() C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
(Pervasive Software Inc.) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(ITknowledge24.com) C:\Program Files\ITknowledge24\uTray.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(SPIS Ltd, New Zealand) C:\Program Files (x86)\TurboNote\tbnote.exe
(Indus Data Systems) C:\Islamic\azaan.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Samsung) C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe
(Samsung Electronics) C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(SAMSUNG Electronics) C:\Program Files (x86)\Samsung\Easy Support Center\SSCKbdHk.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreamsDownloader.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-12-03] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: %LocalAppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\ProgramData\Microsoft\Secure\Icons\temp\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [uTray] => C:\Program Files\ITknowledge24\uTray.exe [55296 2010-07-05] (ITknowledge24.com)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [URFmedia] => regsvr32.exe C:\Users\Accounts\AppData\Local\URFmedia\ep0lvr1s.dll <===== ATTENTION
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [IZNsoft] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Accounts\AppData\Local\Eption\CNHLX310.dll
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [Kauzgasyzoefwoi] => "C:\Users\Accounts\AppData\Roaming\Cykooxat\weimi.exe"
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [wincl] => C:\Users\Accounts\AppData\Roaming\WinCL\wincl.exe
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [Yfnoaktixuyx] => "C:\Users\Accounts\AppData\Roaming\Ysxeweun\viylwy.exe"
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\RunOnce: [Adobe Speed Launcher] => 1422186032
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {866a2824-578b-11e1-a696-dca971b87512} - "F:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {cfc16c37-1bb0-11e3-b93f-dca971b87512} - F:\AutoRun.exe
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {db1de089-f4f1-11e2-99d0-dca971b87512} - F:\MI.exe
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [226920 2011-06-05] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll => C:\windows\SysWOW64\nvinit.dll [193128 2011-06-05] (NVIDIA Corporation)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Azaan.lnk
ShortcutTarget: Azaan.lnk -> C:\Users\Accounts\AppData\Roaming\Microsoft\Installer\{AB8810C5-2B7E-4E5F-8B14-34476325BC79}\azaan.exe1_AB8810C52B7E4E5F8B1434476325BC79.exe (InstallShield Software Corp.)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IJ Network Scanner Selector EX.lnk
ShortcutTarget: IJ Network Scanner Selector EX.lnk -> C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe (CANON INC.)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TurboNote.lnk
ShortcutTarget: TurboNote.lnk -> C:\Program Files (x86)\TurboNote\tbnote.exe (SPIS Ltd, New Zealand)
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-4089285565-4052558029-1726783300-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.eazel.com/?id=AAAe62e49bb1bb40a3e6a642204676f4252&oid=1
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://samsung.msn.com/
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://samsung.msn.com
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
URLSearchHook: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 - (No Name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - No File
URLSearchHook: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 - (No Name) - {687578b9-7132-4a7a-80e4-30ee31099e03} - No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4089285565-4052558029-1726783300-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO: Hotspot Shield Class -> {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} -> C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll No File
BHO-x32: IEExtension.VDownloaderBHO -> {7b523e7c-f096-4e36-a0cb-7efeb5c675c1} -> C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {37483B40-C254-4A72-BDA4-22EE90182C1E} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {687578B9-7132-4A7A-80E4-30EE31099E03} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4089285565-4052558029-1726783300-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Accounts\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-4089285565-4052558029-1726783300-1001: vitzo.com/VDownloader -> C:\Program Files (x86)\VDownloader\Addons\npVDownloader.dll No File
FF user.js: detected! => C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default\user.js
FF Extension: MP3 Byte Stream Handler - C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default\Extensions\{A81A2294-5A42-7956-6670-CF8A4ACFEC5B} [2014-12-24]
FF Extension: Hotspot Shield Extension - C:\Program Files (x86)\Mozilla Firefox\extensions\afext@anchorfree.com [2013-10-02]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: SmartPrintButton - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2012-02-14]
FF HKLM-x32\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files (x86)\VDownloader\Addons\FireFox
FF HKLM-x32\...\Firefox\Extensions: [OKitSpace@OKitSpace.es] - C:\Users\Accounts\AppData\Roaming\okitSpace\Firefox
FF Extension: No Name - C:\Users\Accounts\AppData\Roaming\okitSpace\Firefox [Not Found]
FF Extension: No Name - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [Not Found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/", "https://news.google.com/"
CHR Profile: C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-19]
CHR Extension: (Google Drive) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-19]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-23]
CHR Extension: (YouTube) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-03-31]
CHR Extension: (Google Search) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-03-31]
CHR Extension: (Google Wallet) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-03-31]
CHR HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\Accounts\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx [2012-06-07]
CHR HKLM-x32\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files (x86)\VDownloader\Addons\Chrome.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [lbidgdoiglndbjlcnnifemecdhnpeabo] - C:\Users\Accounts\AppData\Roaming\okitSpace\Chrome\OKitSpace.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\Accounts\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx [2012-06-07]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [136704 2009-06-24] (HP) [File not signed]
R2 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [958248 2014-08-19] (AnchorFree Inc.)
S3 HssTrayService; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [78512 2014-08-15] ()
R2 HssWd; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [573224 2014-08-15] ()
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 psqlWGE; C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435528 2011-04-07] (Pervasive Software Inc.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] () [File not signed]
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [44744 2014-08-15] (AnchorFree Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-10-08] (Marvell Semiconductor, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [47632 2010-01-27] (CACE Technologies, Inc.)
S3 rtport; C:\windows\SysWOW64\drivers\rtport.sys [15144 2011-12-15] (Windows ® 2003 DDK 3790 provider)
R2 SGDrv; C:\Windows\System32\DRIVERS\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.)
R3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [42184 2014-05-17] (Anchorfree Inc.)
S1 atkwzkfx; \??\C:\windows\system32\drivers\atkwzkfx.sys [X]
S1 bxnqjjug; \??\C:\windows\system32\drivers\bxnqjjug.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S1 ejwbuggl; \??\C:\windows\system32\drivers\ejwbuggl.sys [X]
S1 esxpsmqu; \??\C:\windows\system32\drivers\esxpsmqu.sys [X]
S1 qrncqaet; \??\C:\windows\system32\drivers\qrncqaet.sys [X]
S1 sygsazox; \??\C:\windows\system32\drivers\sygsazox.sys [X]
S1 wzrjrcdj; \??\C:\windows\system32\drivers\wzrjrcdj.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-27 08:26 - 2015-01-27 08:27 - 00024231 _____ () C:\Users\Accounts\Desktop\FRST.txt
2015-01-27 08:25 - 2015-01-27 08:25 - 00000000 ____D () C:\Users\Accounts\Desktop\FRST-OlderVersion
2015-01-25 16:03 - 2015-01-25 16:05 - 05633533 _____ () C:\Users\Accounts\Downloads\Kenya, Nairobi.zip
2015-01-24 11:11 - 2015-01-24 11:29 - 00000000 ____D () C:\AdwCleaner
2015-01-24 10:33 - 2015-01-24 10:34 - 01707939 _____ (Thisisu) C:\Users\Accounts\Downloads\JRT.exe
2015-01-24 10:22 - 2015-01-24 10:24 - 00036117 _____ () C:\Users\Accounts\Downloads\Addition.txt
2015-01-24 10:19 - 2015-01-27 08:26 - 00000000 ____D () C:\FRST
2015-01-24 10:19 - 2015-01-24 10:24 - 00037555 _____ () C:\Users\Accounts\Downloads\FRST.txt
2015-01-24 10:19 - 2015-01-24 10:19 - 02186752 _____ () C:\Users\Accounts\Desktop\AdwCleaner.exe
2015-01-24 10:17 - 2015-01-27 08:25 - 02129920 _____ (Farbar) C:\Users\Accounts\Desktop\FRST64.exe
2015-01-22 16:12 - 2015-01-22 16:55 - 00024982 _____ () C:\Users\Accounts\Desktop\dds.txt
2015-01-22 16:12 - 2015-01-22 16:55 - 00013421 _____ () C:\Users\Accounts\Desktop\attach.txt
2015-01-22 16:09 - 2015-01-22 16:09 - 00688992 ____R (Swearware) C:\Users\Accounts\Downloads\dds.com
2015-01-22 12:17 - 2015-01-25 15:47 - 00010550 __RSH () C:\ProgramData\ntuser.pol
2015-01-21 21:31 - 2015-01-21 21:31 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-21 21:31 - 2015-01-21 21:31 - 00002019 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2015-01-21 21:30 - 2015-01-22 16:46 - 00000000 ____D () C:\ProgramData\Adobe
2015-01-21 21:30 - 2015-01-21 21:30 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-01-21 21:29 - 2015-01-21 21:29 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\www.shadowexplorer.com
2015-01-21 21:28 - 2015-01-21 21:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2015-01-21 21:28 - 2015-01-21 21:28 - 00000000 ____D () C:\Program Files (x86)\ShadowExplorer
2015-01-21 21:25 - 2015-01-21 21:25 - 00969845 _____ (ShadowExplorer.com ) C:\Users\Accounts\Downloads\ShadowExplorer-0.9-setup.exe
2015-01-21 10:02 - 2015-01-21 10:43 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Tutous
2015-01-19 15:30 - 2015-01-21 09:29 - 00111016 _____ (Oracle Corporation) C:\windows\system32\WindowsAccessBridge-64.dll
2015-01-19 15:29 - 2015-01-19 15:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-19 15:28 - 2015-01-21 09:33 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-19 15:28 - 2015-01-21 09:31 - 00000000 ____D () C:\Program Files\Java
2015-01-15 08:19 - 2015-01-15 08:29 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Ysxeweun
2015-01-14 09:00 - 2014-12-19 07:06 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-01-14 09:00 - 2014-12-19 05:46 - 00141312 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2015-01-14 09:00 - 2014-12-06 08:17 - 00303616 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2015-01-14 09:00 - 2014-12-06 07:50 - 00156672 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncsi.dll
2015-01-14 09:00 - 2014-12-06 07:50 - 00052224 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2015-01-14 08:59 - 2014-12-12 09:35 - 05553592 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-01-14 08:59 - 2014-12-12 09:31 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-01-14 08:59 - 2014-12-12 09:31 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-01-14 08:59 - 2014-12-12 09:31 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-01-14 08:59 - 2014-12-12 09:11 - 03971512 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-01-14 08:59 - 2014-12-12 09:11 - 03916728 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-01-14 08:59 - 2014-12-12 09:07 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-01-14 08:59 - 2014-12-11 21:47 - 00087040 _____ (Microsoft Corporation) C:\windows\system32\TSWbPrxy.exe
2015-01-13 09:00 - 2015-01-25 08:41 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-13 08:55 - 2015-01-13 13:41 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Soqyot
2015-01-12 14:22 - 2015-01-19 15:02 - 00120992 _____ () C:\Users\Accounts\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-12 13:33 - 2015-01-12 13:34 - 02277402 _____ () C:\Users\Accounts\enc_files.txt
2015-01-08 15:05 - 2015-01-08 16:25 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Sakegy
2014-12-28 16:58 - 2015-01-19 14:59 - 00025884 _____ () C:\Users\Accounts\Desktop\Payment Request Summary.xlsx
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-27 08:26 - 2012-05-07 15:51 - 00000000 ____D () C:\Users\Accounts\Documents\Outlook Files
2015-01-27 08:24 - 2009-07-14 09:13 - 00790176 _____ () C:\windows\system32\PerfStringBackup.INI
2015-01-27 08:22 - 2014-12-24 20:55 - 00000822 _____ () C:\windows\Tasks\Security Center Update - 203003518.job
2015-01-27 08:22 - 2012-12-12 16:31 - 00000000 ____D () C:\Users\Accounts\AppData\Local\132D14A1-FC17-4B7C-B4E2-7C895708B797.aplzod
2015-01-27 08:22 - 2012-03-25 14:28 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-27 08:22 - 2011-10-14 03:49 - 01174237 _____ () C:\windows\WindowsUpdate.log
2015-01-26 15:38 - 2012-02-04 22:50 - 00000000 ____D () C:\Users\Accounts\Documents\GoMad ideas
2015-01-26 14:52 - 2012-06-23 17:38 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\uTorrent
2015-01-26 14:33 - 2012-04-05 13:14 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\vlc
2015-01-26 10:04 - 2012-02-23 13:06 - 00000000 ____D () C:\Users\Accounts\Documents\Personal
2015-01-26 08:42 - 2012-03-25 14:28 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-25 23:14 - 2012-07-31 17:03 - 00000000 ____D () C:\Users\GoMad Inc. (Launch)\Desktop\GoMad
2015-01-25 15:48 - 2009-07-14 08:45 - 00032720 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-25 15:48 - 2009-07-14 08:45 - 00032720 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-25 15:39 - 2014-06-21 15:16 - 00016087 _____ () C:\windows\setupact.log
2015-01-25 15:39 - 2009-07-14 09:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-01-24 14:05 - 2012-01-25 15:38 - 00000061 _____ () C:\Users\Accounts\Documents\TallyODBC_9000.dsn
2015-01-24 12:20 - 2013-10-23 18:48 - 00000000 ____D () C:\Users\Accounts\Downloads\havra school worksheets
2015-01-24 11:30 - 2010-11-21 07:47 - 00744690 _____ () C:\windows\PFRO.log
2015-01-24 11:22 - 2011-10-13 12:53 - 00000000 ____D () C:\ProgramData\Temp
2015-01-21 21:32 - 2012-02-02 15:55 - 00000000 ____D () C:\Users\Accounts\AppData\Local\Adobe
2015-01-21 13:42 - 2012-01-26 13:42 - 00000000 ____D () C:\windows\System32\Tasks\NCH Software
2015-01-21 11:50 - 2012-02-26 18:44 - 00000000 ____D () C:\TallyTB
2015-01-21 10:42 - 2012-01-26 13:32 - 00000000 ____D () C:\Users\Accounts\AppData\Local\CrashDumps
2015-01-21 10:38 - 2012-01-25 15:38 - 00000519 _____ () C:\windows\ODBCINST.INI
2015-01-21 10:38 - 2012-01-25 15:38 - 00000028 _____ () C:\windows\ODBC.INI
2015-01-21 10:38 - 2012-01-25 15:38 - 00000000 ____D () C:\Program Files (x86)\Tally.ERP9
2015-01-21 10:05 - 2009-07-14 07:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2015-01-19 16:30 - 2009-07-14 08:45 - 00438520 _____ () C:\windows\system32\FNTCACHE.DAT
2015-01-19 16:17 - 2012-01-22 19:23 - 00774486 _____ () C:\windows\SysWOW64\PerfStringBackup.INI
2015-01-19 16:09 - 2013-07-24 09:43 - 00000000 ____D () C:\windows\system32\MRT
2015-01-19 15:48 - 2012-02-08 18:45 - 113365784 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-01-19 15:32 - 2012-04-05 15:57 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-19 11:49 - 2009-07-14 09:32 - 00000000 ____D () C:\windows\system32\FxsTmp
2015-01-17 10:30 - 2013-07-01 14:50 - 00000000 ____D () C:\Users\Accounts\Documents\24by7
2015-01-12 14:50 - 2014-09-08 15:17 - 00113995 _____ () C:\Users\Accounts\Downloads\linkedin_connections_export_microsoft_outlook 8Sept14.xlsx
2015-01-12 14:49 - 2014-11-12 09:22 - 09435719 _____ () C:\Users\Accounts\Downloads\2008.zip
2015-01-12 13:40 - 2014-12-10 10:19 - 00074500 _____ () C:\Users\Accounts\Desktop\24x7 #ing System letter list.xlsx
2015-01-12 13:40 - 2014-07-02 16:00 - 00010668 _____ () C:\Users\Accounts\Desktop\Recruitment List.xlsx
2015-01-12 13:33 - 2012-01-22 18:57 - 00000000 ____D () C:\Users\Accounts
2015-01-11 09:40 - 2009-07-14 07:20 - 00000000 ____D () C:\windows\system32\NDF
2015-01-08 15:12 - 2012-02-18 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
2015-01-07 09:40 - 2014-12-22 10:58 - 00000019 _____ () C:\Users\Accounts\Desktop\userconfig.txt
2014-12-31 15:14 - 2010-11-21 07:27 - 00298120 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-12-31 09:37 - 2011-10-13 12:53 - 00000000 ____D () C:\Program Files (x86)\CyberLink
2014-12-31 09:30 - 2012-01-25 16:25 - 00000000 ____D () C:\Program Files (x86)\Business Objects
2014-12-31 09:27 - 2012-01-26 13:42 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\NCH Software
2014-12-31 09:27 - 2012-01-26 13:42 - 00000000 ____D () C:\Program Files (x86)\NCH Software
2014-12-31 09:06 - 2014-12-24 16:36 - 00000000 ____D () C:\Users\Accounts\AppData\Local\Eption
 
==================== Files in the root of some directories =======
 
2013-01-22 09:22 - 2013-01-22 09:22 - 0001474 _____ () C:\Users\Accounts\AppData\Roaming\CompatAdmin.log
2014-02-15 10:51 - 2014-07-16 13:27 - 0007644 _____ () C:\Users\Accounts\AppData\Local\resmon.resmoncfg
2012-02-20 19:18 - 2012-02-20 19:18 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2011-10-13 13:00 - 2011-10-13 13:01 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2011-10-13 12:53 - 2011-10-13 12:53 - 0000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log
2011-10-13 12:58 - 2011-10-13 12:59 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2011-10-13 12:54 - 2011-10-13 12:58 - 0000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log
2011-10-13 12:59 - 2011-10-13 13:00 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
 
Some content of TEMP:
====================
C:\Users\Accounts\AppData\Local\Temp\BunndleOfferManager.dll
C:\Users\Accounts\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Accounts\AppData\Local\Temp\Quarantine.exe
C:\Users\Accounts\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-24 12:46
 
==================== End Of Log ============================
 
Additions Log follows:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-01-2015 01
Ran by Accounts at 2015-01-27 08:28:40
Running from C:\Users\Accounts\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
„Windows Live Essentials“ (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
„Windows Live Mail“ (x32 Version: 15.4.3502.0922 - „Microsoft Corporation“) Hidden
„Windows Live Messenger“ (x32 Version: 15.4.3502.0922 - „Microsoft Corporation“) Hidden
„Windows Live“ fotogalerija (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
µTorrent (HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\uTorrent) (Version: 3.3.2.30488 - BitTorrent Inc.)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Agatha Christie - Death on the Nile (x32 Version: 2.2.0.82 - WildTangent) Hidden
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bing Bar (HKLM-x32\...\{1E03DB52-D5CB-4338-A338-E526DD4D4DB1}) (Version: 7.0.610.0 - Microsoft Corporation)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build-a-lot (x32 Version: 2.2.0.82 - WildTangent) Hidden
Canon IJ Network Scanner Selector EX (HKLM-x32\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - )
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version:  - )
Canon MP Navigator EX 4.1 (HKLM-x32\...\MP Navigator EX 4.1) (Version:  - )
Canon MX410 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX410_series) (Version:  - )
Chuzzle Deluxe (x32 Version: 2.2.0.82 - WildTangent) Hidden
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
CyberLink Media Suite (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 8.0.2227 - CyberLink Corp.)
CyberLink Media+ Player10 (HKLM-x32\...\InstallShield_{34FBC7C4-CD31-4D93-A428-0E524EAC4586}) (Version: 10.0.1110.00 - CyberLink Corp.)
CyberLink MediaShow (HKLM-x32\...\InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}) (Version: 5.0.1130a - CyberLink Corp.)
CyberLink Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.3802 - CyberLink Corp.)
CyberLink PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.3306 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Diner Dash 2 Restaurant Rescue (x32 Version: 2.2.0.82 - WildTangent) Hidden
Dropbox (HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Easy File Share (HKLM-x32\...\{95BB7324-77D3-4BF3-8CF6-29F0857AC175}) (Version: 1.1.1699 - Samsung Electronics Co., Ltd.)
Easy Migration (HKLM-x32\...\{AD86049C-3D9C-43E1-BE73-643F57D83D50}) (Version: 1.0 - Samsung Electronics Co., Ltd.)
Easy Settings (HKLM-x32\...\{17283B95-21A8-4996-97DA-547A48DB266F}) (Version: 1.1 - Samsung Electronics Co., Ltd.)
Easy Software Manager (HKLM-x32\...\{DE256D8B-D971-456D-BC02-CB64DA24F115}) (Version: 1.1.16.14 - Samsung Electronics Co., Ltd.)
Easy Support Center 1.0 (HKLM-x32\...\{F687E657-F636-44DF-8125-9FEEA2C362F5}) (Version: 1.1.36 - Samsung)
ETDWare PS/2-X64 10.0.7.2_WHQL (HKLM\...\Elantech) (Version: 10.0.7.2 - ELAN Microelectronic Corp.)
Express Zip (HKLM-x32\...\ExpressZip) (Version:  - NCH Software)
Farm Frenzy (x32 Version: 2.2.0.82 - WildTangent) Hidden
Fotogalerija Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Foxit PDF Editor (HKLM-x32\...\Foxit PDF Editor) (Version:  - )
Galeria de Fotografias do Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galería fotográfica de Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galeria fotografii usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie de photos Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Galerie foto Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.91 - Google Inc.)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Hotspot Shield 3.50 (HKLM-x32\...\HotspotShield) (Version: 3.50 - AnchorFree)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
hppLaserJetService (x32 Version: 001.001.0.0 - Hewlett-Packard) Hidden
hppP1100P1560P1600SeriesLaserJetService (x32 Version: 001.001.0.0 - Hewlett-Packard) Hidden
hppusgP1100P1560P1600Series (x32 Version: 1.0.0.1 - Hewlett-Packard) Hidden
HPSSupply (HKLM-x32\...\{7902E313-FF0F-4493-ACB1-A8147B78DCD0}) (Version: 2.1.1.0000 - Hewlett Packard Development Company L.P.)
iCloud (HKLM\...\{2AAF09D5-4B3F-4975-B6A9-ECE2631FC942}) (Version: 4.0.5.20 - Apple Inc.)
Insaniquarium Deluxe (x32 Version: 2.2.0.82 - WildTangent) Hidden
Intel PROSet Wireless (x32 Version:  - ) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2266 - Intel Corporation)
Intel® PROSet/Wireless for Bluetooth® 3.0 + High Speed (HKLM\...\{A0E106D2-4815-4B7A-BAA7-7E21B530CFB4}) (Version: 1.1.0.0157 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology (HKLM\...\{006B5C65-3938-4246-B182-994A7E415EDE}) (Version: 1.1.0.0537 - Intel Corporation)
Intel® PROSet/Wireless WiFi Software (HKLM\...\{3C41721F-AF0F-4086-AA1C-4C7F29076228}) (Version: 14.01.1000 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.5.1001 - Intel Corporation)
Islamic Diary (HKLM-x32\...\{AB8810C5-2B7E-4E5F-8B14-34476325BC79}) (Version: 4.4.0000 - Synametrics Technologies)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Java 8 Update 31 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418031F0}) (Version: 8.0.310 - Oracle Corporation)
John Deere Drive Green (x32 Version: 2.2.0.82 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
MarketResearch (x32 Version: 130.0.374.000 - Hewlett-Packard) Hidden
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Application Compatibility Toolkit 5.6 (HKLM-x32\...\{0F5AEBB0-43F3-4571-ACE7-A7942E8AA179}) (Version: 5.6.7324.0 - Microsoft Corporation)
Microsoft Office Home and Business 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIOR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Multimedia POP (HKLM-x32\...\{331ECF61-69AF-4F57-AC35-AFED610231C3}) (Version: 1.0 - )
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.1.17869 - Symantec Corporation)
NVIDIA Graphics Driver 268.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 268.83 - NVIDIA Corporation)
Peachtree Signature Ready Forms (x32 Version: 6.14.24 - Sage Software SB, Inc.) Hidden
Peggle (x32 Version: 2.2.0.82 - WildTangent) Hidden
Penguins! (x32 Version: 2.2.0.82 - WildTangent) Hidden
Pervasive PSQL v10 SP2 Workgroup (32-bit) (HKLM-x32\...\Pervasive PSQL v10 SP2 Workgroup (32-bit)) (Version: 10.10.126 - Pervasive Software)
Pervasive PSQL v10 SP2 Workgroup (32-bit) (x32 Version: 10.20.034 - Pervasive Software) Hidden
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Pixillion Image Converter (HKLM-x32\...\Pixillion) (Version:  - NCH Software)
Plants vs. Zombies (x32 Version: 2.2.0.82 - WildTangent) Hidden
Poczta usługi Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Podstawowe programy Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Polar Golfer (x32 Version: 2.2.0.82 - WildTangent) Hidden
Pošta Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Raccolta foto di Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.44.421.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6413 - Realtek Semiconductor Corp.)
Safari (HKLM-x32\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
Samsung Recovery Solution 5 (HKLM-x32\...\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}) (Version: 5.0.1.5 - Samsung)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{91140000-0057-0000-0000-0000000FF1CE}_Office14.VISIOR_{359ADBEC-068A-4CC9-9174-77AB8EDB867A}) (Version:  - Microsoft)
ShadowExplorer 0.9 (HKLM-x32\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
Skype™ 6.16 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.16.105 - Skype Technologies S.A.)
Software Launcher (HKLM-x32\...\{B750B5C2-CC17-4967-905B-29F4EB986131}) (Version: 1.0.2 - Samsung)
Tally.ERP 9 (HKLM-x32\...\{7D96C914-518F-4B1B-98A6-D1ADBBEFFF98}) (Version:  - ©Tally Solutions Pvt. Ltd., 1988-2011.)
TallyERP9 (HKLM\...\{bd5cd9f2-bb45-4ae1-950d-fd5da8757f57}.sdb) (Version:  - )
TurboNote (HKLM-x32\...\TurboNote) (Version:  - )
UAC Trust Shortcut 1.0 (HKLM\...\{4C4A1499-1381-4174-9DB5-F6DE9249D23E}) (Version: 1.0.1 - ITknowledge24.com)
Unity Web Player (HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\UnityWebPlayer) (Version: 2.6.1f3_31223 - Unity Technologies ApS)
User Guide (HKLM-x32\...\{BAE68339-B0F6-4D33-9554-5A3DB2DFF5DA}) (Version: 1.3 - )
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.1.5 - WildTangent)
WildTangent ORB Game Console (x32 Version:  - WildTangent) Hidden
Windows Live 程式集 (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
WinPcap 4.1.1 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.1753 - CACE Technologies)
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Συλλογή φωτογραφιών του Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Основные компоненты Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Почта Windows Live (x32 Version: 15.4.3502.0922 - Корпорация Майкрософт) Hidden
Фотоальбом Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Фотогалерия на Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
גלריית התמונות של Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
بريد Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
معرض صور Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Accounts\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
 
==================== Restore Points  =========================
 
13-01-2015 08:49:32 Windows Update
17-01-2015 09:44:15 Windows Update
18-01-2015 08:58:53 Windows Modules Installer
19-01-2015 14:57:49 Removed Adobe Acrobat XI Pro.
19-01-2015 15:12:14 Removed Adobe Download Assistant
19-01-2015 15:48:04 Windows Update
21-01-2015 12:27:39 Removed Adobe Reader X (10.1.13).
23-01-2015 11:06:49 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 06:34 - 2009-06-11 01:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {0363FF14-E91B-4E7E-932C-DB1A34759CD4} - System32\Tasks\EasyPartitionManager => C:\Windows\MSetup\BA46-12225A02\EPM.exe
Task: {1F4FA8C9-683F-402D-823D-3AE32C8A6C37} - System32\Tasks\EasySpeedUpManager => C:\Program Files (x86)\Samsung\Easy Settings\EasySpeedUpManager.exe [2011-09-28] (Samsung Electronics)
Task: {30A2E9E0-F554-4B14-9259-5C052B5AD03A} - \Security Center Update - 3412238628 No Task File <==== ATTENTION
Task: {30B1318F-C09B-4532-86E9-61D86FC8E7DB} - \Security Center Update - 4204121893 No Task File <==== ATTENTION
Task: {3CBA3CB4-DD48-4C7B-99D8-B8C0CFD46BD9} - System32\Tasks\EasyBatteryManager => C:\Program Files (x86)\Samsung\Easy Settings\EBM\EasyBatteryMgr4.exe [2011-08-19] (SAMSUNG Electronics co., LTD.)
Task: {7202ABB3-1FCE-4A27-98C0-8D8598F639C8} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {761F1B56-78BF-42F3-AC7B-A32BEDD494A7} - System32\Tasks\{045176FC-3BD3-4215-BA22-ED41B2B6FFE9} => pcalua.exe -a "F:\MS Office 2007\setup.exe" -d "F:\MS Office 2007"
Task: {780D5EDC-7216-4FC8-98BF-3F0F4D6DA5EF} - System32\Tasks\{00D430BB-38DF-49B3-BDA2-9FB24A21340F} => pcalua.exe -a "F:\My Documents\Shabbir Docs\Personal\Religious\Noble Quran.exe" -d "F:\My Documents\Shabbir Docs\Personal\Religious"
Task: {863120D5-A033-4AD9-BFD1-DBDED5C6E3F9} - System32\Tasks\{F0BAAFDB-FF3F-4035-AE4F-9EE63BD8A4F8} => pcalua.exe -a "C:\Users\Accounts\Downloads\Annie 2014\Total Codec Pack.exe" -d "C:\Users\Accounts\Downloads\Annie 2014"
Task: {89A03DBC-02BD-46CD-8897-93A3EB85F4E1} - System32\Tasks\Easy Software Manager Agent => C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe [2011-09-15] (Samsung)
Task: {8A1D0F2C-1336-4CA7-B171-64FDE49EE82F} - System32\Tasks\NCH Software\ExpressZipReminder => C:\Program Files (x86)\NCH Software\ExpressZip\ExpressZip.exe [2012-09-05] (NCH Software)
Task: {90121EBA-0582-4AED-9A13-84137BF74332} - System32\Tasks\{AC9C75CB-F6D6-4DB9-AF6D-F5D7D03D7A47} => pcalua.exe -a "F:\SYSTEM FORMATING SOFTWARE\tally\setup\install.exe" -d "F:\SYSTEM FORMATING SOFTWARE\tally\setup"
Task: {9F5F8BD6-85C4-48E6-B23C-B720EB5767BE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {A3D19646-A4B5-4AD0-BE78-FAF67D1E095C} - System32\Tasks\SamsungSupportCenter => C:\Program Files (x86)\Samsung\Easy Support Center\SSCKbdHk.exe [2011-07-30] (SAMSUNG Electronics)
Task: {A592B2A4-E624-4272-9DDE-4AA459F224F8} - \Security Center Update - 2292958709 No Task File <==== ATTENTION
Task: {A854811B-4F3A-48AC-B31D-F9E01D683A40} - System32\Tasks\Security Center Update - 203003518 => C:\Users\Accounts\AppData\Roaming\Anquymse\itryf.exe <==== ATTENTION
Task: {A9E972E6-6D10-4755-B6DC-57DD9F56FC88} - System32\Tasks\SmartSetting => C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe [2011-09-06] (Samsung Electronics Co., Ltd.)
Task: {B28B4AF2-5B55-45F6-95DE-431B4CF32074} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {C3FC1E41-E347-4484-B6E2-D0C34C091DAD} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {C92FA0D2-2DFA-4C52-BAAA-B61062E7E78E} - System32\Tasks\MovieColorEnhancer => C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe [2011-08-19] (Samsung Electronics Co., Ltd.)
Task: {EC6F556E-1934-4824-8313-0F7AA6DB48E3} - System32\Tasks\SCCSpeedBoot => C:\Program Files (x86)\Samsung\Easy Settings\SCCSpeedBoot.exe [2011-08-22] (Samsung Electronics Co., Ltd.)
Task: {ED069E12-8321-4E8E-825F-0B48C080FBD2} - System32\Tasks\advSRS5 => C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe [2011-06-24] (SEC)
Task: {F8D89A77-18B9-46A4-A773-BF89C604A07A} - System32\Tasks\EasyDisplayMgr => C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe [2011-09-06] (Samsung Electronics Co., Ltd.)
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\Security Center Update - 203003518.job => C:\Users\Accounts\AppData\Roaming\Anquymse\itryf.exe <==== ATTENTION
 
==================== Loaded Modules (whitelisted) =============
 
2012-02-15 16:30 - 2007-07-12 22:37 - 00085504 _____ () C:\windows\System32\cpwmon64.dll
2012-02-14 16:25 - 2011-04-02 16:05 - 00290304 _____ () C:\windows\System32\HP1100LM.DLL
2012-02-14 16:25 - 2011-04-02 16:04 - 00074240 _____ () C:\windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2012-02-14 16:25 - 2011-04-02 16:04 - 01038336 _____ () C:\windows\system32\spool\DRIVERS\x64\3\HP1100GC.dll
2012-02-14 16:25 - 2011-04-02 16:05 - 03039744 _____ () C:\windows\system32\spool\DRIVERS\x64\3\hp1100su.dll
2014-08-15 23:19 - 2014-08-15 23:19 - 00573224 _____ () C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
2011-10-13 12:58 - 2009-12-01 11:21 - 00244904 _____ () C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
2014-12-24 16:34 - 2014-12-24 16:34 - 02578944 _____ () C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll
2014-12-24 16:35 - 2014-12-24 16:35 - 02164736 _____ () C:\ProgramData\Microsoft\Secure\Icons\IconsCacheHelper.dll
2012-09-05 17:55 - 2012-09-05 17:55 - 00088064 _____ () C:\Program Files (x86)\NCH Software\ExpressZip\ezcm64.dll
2011-07-21 09:51 - 2010-12-16 13:37 - 00094208 _____ () C:\windows\system32\IccLibDll_x64.dll
2015-01-25 08:41 - 2015-01-21 07:41 - 01450312 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\libglesv2.dll
2015-01-25 08:41 - 2015-01-21 07:41 - 00205128 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\libegl.dll
2015-01-25 08:41 - 2015-01-21 07:41 - 10864456 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\pdf.dll
2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-08-19 22:35 - 2014-08-19 22:35 - 00912168 _____ () C:\Program Files (x86)\Hotspot Shield\bin\af_proxy.dll
2014-08-19 23:51 - 2014-08-19 23:51 - 00521000 _____ () C:\Program Files (x86)\Hotspot Shield\bin\HssRep.3.50.dll
2014-12-24 16:37 - 2014-12-24 16:37 - 01265152 _____ () C:\Users\Accounts\AppData\Local\URFmedia\ep0lvr1s.dll
2011-10-13 11:57 - 2011-02-16 20:03 - 00203776 _____ () C:\Program Files (x86)\Samsung\Easy Settings\WinCRT.dll
2014-12-29 08:28 - 2014-12-29 08:28 - 01286144 _____ () C:\Users\Accounts\AppData\Local\Eption\CNHLX310.dll
2011-10-13 12:12 - 2011-07-29 04:53 - 00746064 _____ () C:\Program Files (x86)\Samsung\Easy Software Manager\SWMFuncDLL.dll
2011-10-13 11:57 - 2006-08-12 07:48 - 00049152 _____ () C:\Program Files (x86)\Samsung\Easy Settings\HookDllPS2.dll
2011-10-13 12:10 - 2010-05-07 18:22 - 01636864 _____ () C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\Resdll.dll
2009-11-02 09:20 - 2009-11-02 09:20 - 00619816 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll
2009-11-02 09:23 - 2009-11-02 09:23 - 00013096 _____ () C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^Users^Accounts^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk => C:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Accounts^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^VDownloader.lnk => C:\windows\pss\VDownloader.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: BTMTrayAgent => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
MSCONFIG\startupreg: ETDCtrl => %ProgramFiles%\Elantech\ETDCtrl.exe
MSCONFIG\startupreg: HPUsageTrackingLEDM => "C:\Program Files (x86)\HP\HP UT LEDM\bin\hppusg.exe" "C:\Program Files (x86)\HP\HP UT LEDM\"
MSCONFIG\startupreg: IJNetworkScannerSelectorEX => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: MobileDocuments => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
MSCONFIG\startupreg: MSC => "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: VDownloader => C:\Program Files (x86)\VDownloader\VDownloader.exe /silent
 
========================= Accounts: ==========================
 
Accounts (S-1-5-21-4089285565-4052558029-1726783300-1001 - Administrator - Enabled) => C:\Users\Accounts
Administrator (S-1-5-21-4089285565-4052558029-1726783300-500 - Administrator - Disabled)
GoMad Inc. (Launch) (S-1-5-21-4089285565-4052558029-1726783300-1002 - Administrator - Disabled) => C:\Users\GoMad Inc. (Launch)
Guest (S-1-5-21-4089285565-4052558029-1726783300-501 - Limited - Enabled)
UpdatusUser (S-1-5-21-4089285565-4052558029-1726783300-1000 - Limited - Enabled) => C:\Users\UpdatusUser
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/27/2015 08:22:12 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 55753354
 
Error: (01/27/2015 08:22:12 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 55753354
 
Error: (01/27/2015 08:22:12 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (01/26/2015 04:53:08 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9204
 
Error: (01/26/2015 04:53:08 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9204
 
Error: (01/26/2015 04:53:08 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (01/26/2015 04:53:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8065
 
Error: (01/26/2015 04:53:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8065
 
Error: (01/26/2015 04:53:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (01/26/2015 04:53:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7067
 
 
System errors:
=============
Error: (01/25/2015 03:40:49 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (01/25/2015 03:40:02 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HP LaserJet Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (01/24/2015 11:32:02 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (01/24/2015 11:31:18 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The HP LaserJet Service service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (01/22/2015 04:47:23 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (01/22/2015 04:46:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The HP LaserJet Service service failed to start due to the following error: 
%%1053
 
Error: (01/22/2015 04:46:57 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the HP LaserJet Service service to connect.
 
Error: (01/22/2015 02:31:06 PM) (Source: Tcpip) (EventID: 4199) (User: )
Description: The system detected an address conflict for IP address 192.168.1.7 with the system
having network hardware address 88-87-17-5F-D7-49. Network operations on this system may
be disrupted as a result.
 
Error: (01/21/2015 09:17:14 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.191.2937.0).
 
Error: (01/21/2015 09:16:48 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.191.2930.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.6.0305.00
 
Source Path: 4.6.0305.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
 
Microsoft Office Sessions:
=========================
Error: (01/27/2015 08:22:12 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 55753354
 
Error: (01/27/2015 08:22:12 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 55753354
 
Error: (01/27/2015 08:22:12 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (01/26/2015 04:53:08 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 9204
 
Error: (01/26/2015 04:53:08 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 9204
 
Error: (01/26/2015 04:53:08 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (01/26/2015 04:53:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8065
 
Error: (01/26/2015 04:53:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8065
 
Error: (01/26/2015 04:53:07 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (01/26/2015 04:53:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 7067
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-2350M CPU @ 2.30GHz
Percentage of memory in use: 36%
Total physical RAM: 4009.55 MB
Available physical RAM: 2535.8 MB
Total Pagefile: 8017.28 MB
Available Pagefile: 4972.75 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:178 GB) (Free:72 GB) NTFS
Drive d: () (Fixed) (Total:266.6 GB) (Free:266.46 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: F1D2CC8B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=178 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=266.6 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=21.1 GB) - (Type=27)
 
==================== End Of Log ============================
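The "Scheduled Tasks" section of the Addition.txt above is where FRST flags the persistence used here: tasks registered in the registry with no task file left on disk, and a task whose target lives under the user's AppData\Roaming folder. The script below is an added triage example for responders reading such logs; it is not part of the thread and not code from FRST or BleepingComputer. It parses constructed "Task:" lines in FRST's format (the GUIDs, task names and paths are made up for the example, not taken from the log above) and reports the entries a responder should look at first, applying the same two heuristics FRST's ATTENTION markers reflect.

```python
import re

# Constructed sample lines in the shape FRST uses for its "Scheduled Tasks" section.
# GUIDs, task names and paths are invented for this example, not copied from the thread's log.
SAMPLE_TASKS = """\
Task: {11111111-0000-0000-0000-000000000001} - System32\\Tasks\\GoogleUpdateTaskMachineUA => C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {11111111-0000-0000-0000-000000000002} - \\Security Center Update - 12345 No Task File <==== ATTENTION
Task: {11111111-0000-0000-0000-000000000003} - System32\\Tasks\\Security Center Update - 67890 => C:\\Users\\Example\\AppData\\Roaming\\Randomdir\\payload.exe <==== ATTENTION
Task: C:\\windows\\Tasks\\Security Center Update - 67890.job => C:\\Users\\Example\\AppData\\Roaming\\Randomdir\\payload.exe <==== ATTENTION
Task: {11111111-0000-0000-0000-000000000004} - System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask => Sc.exe start osppsvc
"""

ATTENTION = "<==== ATTENTION"

# User-writable locations from which a persistent scheduled task should rarely be launched.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Roaming|Local)|Temp)\\", re.IGNORECASE)


def parse_task_line(line):
    """Split one FRST 'Task:' line into (task name, launch target, flagged_by_frst).

    Handles both forms FRST emits: '{GUID} - <name> => <target>' and
    'C:\\...\\<name>.job => <target>'. Target is '' when the line has no ' => '.
    """
    body = line[len("Task: "):].strip()
    flagged = body.endswith(ATTENTION)
    if flagged:
        body = body[: -len(ATTENTION)].strip()
    # Drop the leading "{GUID} - " so the .job and GUID forms look alike.
    body = re.sub(r"^\{[0-9A-Fa-f-]+\} - ", "", body)
    name, sep, target = body.partition(" => ")
    return name, (target if sep else ""), flagged


def triage_tasks(text):
    """Return [(task name, reason), ...] for entries a responder should examine."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Task: "):
            continue
        name, target, flagged = parse_task_line(line)
        reasons = []
        if "No Task File" in name:
            # Registry still references the task but the XML under System32\Tasks is gone:
            # typical leftover of malware that registered itself and was partially removed.
            reasons.append("registered task with no task file on disk")
        if USER_WRITABLE.search(target):
            # Legitimate vendors install under Program Files; a task launching from
            # AppData or Temp is the classic user-level persistence pattern.
            reasons.append("launches a binary from a user-writable directory")
        if flagged and not reasons:
            # Keep anything FRST itself marked, even if our heuristics did not fire.
            reasons.append("marked ATTENTION by FRST")
        for reason in reasons:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in triage_tasks(SAMPLE_TASKS):
        print(f"{name}\n    -> {reason}")
```

Run it on a real Addition.txt by passing the file's contents to `triage_tasks`; both the GUID-keyed entries and the matching `.job` entries are reported, so a single malicious binary will usually show up twice, once per registration, as it does in the log above.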


#8 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,133 posts
  • Gender:Male
  • Location:Germany
  • Local time:07:23 PM

Posted 27 January 2015 - 11:41 AM

Hey, :)
Let us see if AdwCleaner finds some new stuff.

Step 1: Adwarecleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, then just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

Go back to the Dashboard and select Scan Now

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#9 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts
  • Local time:04:23 AM

Posted 27 January 2015 - 11:40 PM

Step 1: AdwCleaner log attached:

 

# AdwCleaner v4.109 - Report created 28/01/2015 at 08:24:01
# Updated 24/01/2015 by Xplode
# Database : 2015-01-26.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Accounts - SJB-SAMSUNG
# Running from : C:\Users\Accounts\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
Service Deleted : hshld
[#] Service Deleted : hsstrayservice
Service Deleted : hsswd
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\hotspot shield
Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\ProgramData\Uniblue
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\hotspot shield
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\hotspot shield
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\windows\SysWOW64\hotspot shield
Folder Deleted : C:\windows\SysWOW64\config\systemprofile\AppData\Roaming\hotspot shield
Folder Deleted : C:\Users\Accounts\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Accounts\AppData\Roaming\NCH Software
Folder Deleted : C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\uTorrentControl2
File Deleted : C:\windows\System32\drivers\taphss6.sys
File Deleted : C:\windows\System32\drivers\hssdrv6.sys
File Deleted : C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default\user.js
File Deleted : C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage
File Deleted : C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal
File Deleted : C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage
File Deleted : C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.lyricsfreak.com_0.localstorage-journal
File Deleted : C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Deleted : C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal
File Deleted : C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [OKitSpace@OKitSpace.es]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lbidgdoiglndbjlcnnifemecdhnpeabo
Key Deleted : HKCU\Software\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc
Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2801948
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3072253
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{90A52F08-64AC-4DC6-9D7D-4516670275D3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E69D4A59-73DE-4E38-9FB3-740EC4D9060D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8DCB7100-DF86-4384-8842-8FA844297B3F}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{687578B9-7132-4A7A-80E4-30EE31099E03}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{687578B9-7132-4A7A-80E4-30EE31099E03}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EBD839AE-B08C-4FB7-859B-F54AF16C159F}
Key Deleted : HKCU\Software\anchorfree
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PassWidget
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Driver-Soft
Key Deleted : HKLM\SOFTWARE\hotspotshield
Key Deleted : HKLM\SOFTWARE\SoftwareUpdater
Key Deleted : HKLM\SOFTWARE\Uniblue
Key Deleted : HKLM\SOFTWARE\Vittalia
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\hotspotshield
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v0.0.0.0
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v40.0.2214.93
 
 
*************************
 
AdwCleaner[R1].txt - [5934 octets] - [28/01/2015 08:18:21]
AdwCleaner[S1].txt - [5837 octets] - [28/01/2015 08:24:01]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5897 octets] ##########


#10 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts
  • Local time:04:23 AM

Posted 28 January 2015 - 12:49 AM

Step 2: MBAM - After the reboot, the option for "View Detailed Logs" was not available. In the "History" tab I found a Protection Log, which is posted below:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Protection, 28 Jan 15 08:46:44, SYSTEM, SJB-SAMSUNG, Protection, Malware Protection, Starting, 
Protection, 28 Jan 15 08:46:44, SYSTEM, SJB-SAMSUNG, Protection, Malware Protection, Started, 
Protection, 28 Jan 15 08:46:44, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Starting, 
Protection, 28 Jan 15 08:47:26, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Started, 
Update, 28 Jan 15 08:47:26, SYSTEM, SJB-SAMSUNG, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1, 
Update, 28 Jan 15 08:47:27, SYSTEM, SJB-SAMSUNG, Manual, Rootkit Database, 2014.11.18.1, 2015.1.14.1, 
Detection, 28 Jan 15 08:49:16, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 77.78.252.196, 6881, Outbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 08:49:17, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 77.78.252.196, 6881, Outbound, C:\Windows\explorer.exe, 
Update, 28 Jan 15 08:50:55, SYSTEM, SJB-SAMSUNG, Manual, Malware Database, 2014.11.20.6, 2015.1.28.2, 
Protection, 28 Jan 15 08:50:55, SYSTEM, SJB-SAMSUNG, Protection, Refresh, Starting, 
Protection, 28 Jan 15 08:50:55, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Stopping, 
Protection, 28 Jan 15 08:50:55, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Stopped, 
Protection, 28 Jan 15 08:51:04, SYSTEM, SJB-SAMSUNG, Protection, Refresh, Success, 
Protection, 28 Jan 15 08:51:04, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Starting, 
Protection, 28 Jan 15 08:51:05, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Started, 
Detection, 28 Jan 15 08:54:02, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 93.115.83.244, 6881, Outbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 08:54:02, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 93.115.83.244, 6881, Outbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 09:03:25, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 41.35.79.67, 6881, Inbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 09:03:25, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 41.35.79.67, 6881, Inbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 09:27:00, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 213.55.114.39, 6881, Outbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 09:27:00, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 213.55.114.39, 6881, Outbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 09:27:01, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 213.55.114.119, 6881, Outbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 09:27:01, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, IP, 213.55.114.119, 6881, Outbound, C:\Windows\explorer.exe, 
Detection, 28 Jan 15 09:28:07, SYSTEM, SJB-SAMSUNG, Protection, Malware Protection, File, Trojan.Agent.DED, C:\ProgramData\Microsoft\Secure\Icons\temp\tmpC081.exe, Quarantine Failed, 5, Access is denied.  , [5c66906ca9e055e1c7ae816e48b911ef]
Scan, 28 Jan 15 09:28:40, SYSTEM, SJB-SAMSUNG, Manual, Start:28 Jan 15 08:51:41, Duration:34 min 34 sec, Threat Scan, Completed, 1 Malware Detection, 107 Non-Malware Detections, 
Protection, 28 Jan 15 09:30:53, SYSTEM, SJB-SAMSUNG, Protection, Malware Protection, Starting, 
Protection, 28 Jan 15 09:30:54, SYSTEM, SJB-SAMSUNG, Protection, Malware Protection, Started, 
Protection, 28 Jan 15 09:30:54, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Starting, 
Detection, 28 Jan 15 09:31:06, Accounts, SJB-SAMSUNG, Protection, Malware Protection, File, Trojan.Agent, C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll, Quarantine, [2b97b14bc4c5f83e9775b1561fe3bb45]
Protection, 28 Jan 15 09:33:05, SYSTEM, SJB-SAMSUNG, Protection, Malicious Website Protection, Started, 
 
(end)


#11 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts
  • Local time:04:23 AM

Posted 28 January 2015 - 01:13 AM

Step 3: Junkware Removal Tool - Log below:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x64
Ran by Accounts on 28 Jan 15 at  9:59:00.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\hotspot shield"
Successfully deleted: [Folder] "C:\Users\Accounts\appdata\local\cre"
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{1D972E71-68C3-4739-A9D0-CE6C951738BE}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{24FF1A83-0DB4-49AA-A497-F99590301D2B}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{2F70D83B-B04C-4E55-ABF9-3B5C159D10B1}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{3BCD115F-5014-4345-8E3B-B2C30689D1D3}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{51AE87D5-72C1-4BB5-A4A4-C77A0094EF8D}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{65E48078-BCF6-4086-BC7E-E50A278F739F}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{7D98A656-FED3-41B3-B9AF-55881F37F9E1}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{A3AD355F-6885-493D-80BC-95F57EA01086}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{B1BB0179-6805-44B2-8B52-D56A0E54D0E1}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{B7ABB7BC-8223-4E7C-9C8B-FA2D041526A6}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{DAF6AF33-7918-4EB2-A44E-15F8FBF3CEDD}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{DC0FA7A2-07B3-40DA-97CC-1297B61FD300}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{FA125D34-7906-42E7-A259-BCB674EF749C}
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{FB920C17-CF6B-4ACF-96D4-CBD8CD33A3BB}
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 28 Jan 15 at 10:09:13.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
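The JRT log above is easier to use as evidence once it is turned into structured records. The Python below is an added example, not part of the post and not code from JRT or its author (Thisisu): it parses lines in the shape shown above into records that keep their "~~~" section, picks out the {GUID}-named folders JRT removed in bulk from AppData\Local, and flags the "Event Viewer Logs were cleared" line. The sample text inside the block is a constructed excerpt in the same format, not the full log. That last line is the caveat a responder wants: JRT wipes the Windows event logs as part of its run, so if a timeline of the infection matters, export the event logs before running it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in JRT log format (same shape as the log above, embedded
# so the example runs offline; it is not the full log from the post).
SAMPLE_LOG = r"""
~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\hotspot shield"
Successfully deleted: [Empty Folder] C:\Users\Accounts\appdata\local\{1D972E71-68C3-4739-A9D0-CE6C951738BE}

~~~ Event Viewer Logs were cleared
"""

# "~~~ Folders" style headings that group the entries.
SECTION_RE = re.compile(r"^~~~ (?P<name>.+?)\s*$")
# 'Successfully deleted: [Folder] "C:\path"' with optional surrounding quotes.
ENTRY_RE = re.compile(
    r'^Successfully (?P<action>\w+): \[(?P<kind>[^\]]+)\] "?(?P<target>.+?)"?\s*$'
)
# Last path component is a bare {GUID}, the pattern JRT removed from AppData\Local.
GUID_DIR_RE = re.compile(
    r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE
)


@dataclass(frozen=True)
class JrtEntry:
    section: str  # the "~~~" heading the line appeared under
    action: str   # "repaired" or "deleted"
    kind: str     # bracketed object type, e.g. "Folder", "Registry Value"
    target: str   # registry value or filesystem path, quotes stripped


def parse_jrt_log(text: str) -> list[JrtEntry]:
    """Turn JRT log text into records, remembering the section each line came from."""
    entries: list[JrtEntry] = []
    section = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(
                JrtEntry(section, m.group("action"), m.group("kind"), m.group("target"))
            )
    return entries


def guid_named_folders(entries: list[JrtEntry]) -> list[str]:
    """Folder targets whose final component is a {GUID}, worth listing separately in a report."""
    return [e.target for e in entries if "Folder" in e.kind and GUID_DIR_RE.search(e.target)]


def event_logs_cleared(text: str) -> bool:
    """True when the log records that JRT wiped the Windows event logs."""
    return any(
        line.startswith("~~~ Event Viewer Logs were cleared") for line in text.splitlines()
    )


if __name__ == "__main__":
    parsed = parse_jrt_log(SAMPLE_LOG)
    for entry in parsed:
        print(f"{entry.section:20} {entry.action:9} {entry.kind:15} {entry.target}")
    print("GUID-named folders:", guid_named_folders(parsed))
    print("Event logs cleared by JRT:", event_logs_cleared(SAMPLE_LOG))
```

Feed the real log text to parse_jrt_log() instead of SAMPLE_LOG to get the same records for the run above; the banner lines of tildes do not match the section pattern because their fourth character is another tilde rather than a space.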


#12 Sharekhan (Topic Starter)

Posted 28 January 2015 - 01:21 AM

Step 4: FRST scan log below:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
Ran by Accounts (administrator) on SJB-SAMSUNG on 28-01-2015 10:15:37
Running from C:\Users\Accounts\Desktop
Loaded Profiles: UpdatusUser & Accounts (Available profiles: UpdatusUser & Accounts & GoMad Inc. (Launch))
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Pervasive Software Inc.) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\SmartSetting.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\MovieColorEnhancer.exe
(Samsung Electronics Co., Ltd.) C:\Program Files (x86)\Samsung\Easy Settings\dmhkcore.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(ITknowledge24.com) C:\Program Files\ITknowledge24\uTray.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(SPIS Ltd, New Zealand) C:\Program Files (x86)\TurboNote\tbnote.exe
(Indus Data Systems) C:\Islamic\azaan.exe
(CANON INC.) C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(SEC) C:\Program Files (x86)\Samsung\Samsung Recovery Solution 5\WCScheduler.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Samsung) C:\Program Files (x86)\Samsung\Easy Software Manager\SWMAgent.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(SAMSUNG Electronics) C:\Program Files (x86)\Samsung\Easy Support Center\SSCKbdHk.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM Group Policy restriction on software: %LocalAppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %AppData%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %LocalAppData%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\ProgramData\Microsoft\Secure\Icons\temp\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [uTray] => C:\Program Files\ITknowledge24\uTray.exe [55296 2010-07-05] (ITknowledge24.com)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [URFmedia] => regsvr32.exe C:\Users\Accounts\AppData\Local\URFmedia\ep0lvr1s.dll <===== ATTENTION
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [IZNsoft] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Accounts\AppData\Local\Eption\CNHLX310.dll
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [Kauzgasyzoefwoi] => "C:\Users\Accounts\AppData\Roaming\Cykooxat\weimi.exe"
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [wincl] => C:\Users\Accounts\AppData\Roaming\WinCL\wincl.exe
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\Run: [Yfnoaktixuyx] => "C:\Users\Accounts\AppData\Roaming\Ysxeweun\viylwy.exe"
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {866a2824-578b-11e1-a696-dca971b87512} - "F:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {cfc16c37-1bb0-11e3-b93f-dca971b87512} - F:\AutoRun.exe
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\...\MountPoints2: {db1de089-f4f1-11e2-99d0-dca971b87512} - F:\MI.exe
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [226920 2011-06-05] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll => C:\windows\SysWOW64\nvinit.dll [193128 2011-06-05] (NVIDIA Corporation)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Azaan.lnk
ShortcutTarget: Azaan.lnk -> C:\Users\Accounts\AppData\Roaming\Microsoft\Installer\{AB8810C5-2B7E-4E5F-8B14-34476325BC79}\azaan.exe1_AB8810C52B7E4E5F8B1434476325BC79.exe (InstallShield Software Corp.)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IJ Network Scanner Selector EX.lnk
ShortcutTarget: IJ Network Scanner Selector EX.lnk -> C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe (CANON INC.)
Startup: C:\Users\Accounts\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TurboNote.lnk
ShortcutTarget: TurboNote.lnk -> C:\Program Files (x86)\TurboNote\tbnote.exe (SPIS Ltd, New Zealand)
ShellIconOverlayIdentifiers: [1SecureIconsProvider] -> {FC9D8189-520A-4417-AED7-9EAC810C6FBA} => C:\ProgramData\Microsoft\Secure\Icons\SecureIconsProvider.dll No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://samsung.msn.com/
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://samsung.msn.com
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-4089285565-4052558029-1726783300-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
URLSearchHook: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 - (No Name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4089285565-4052558029-1726783300-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: IEExtension.VDownloaderBHO -> {7b523e7c-f096-4e36-a0cb-7efeb5c675c1} -> C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {37483B40-C254-4A72-BDA4-22EE90182C1E} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-4089285565-4052558029-1726783300-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4089285565-4052558029-1726783300-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Accounts\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-4089285565-4052558029-1726783300-1001: vitzo.com/VDownloader -> C:\Program Files (x86)\VDownloader\Addons\npVDownloader.dll No File
FF Extension: MP3 Byte Stream Handler - C:\Users\Accounts\AppData\Roaming\Mozilla\Firefox\Profiles\7413xrv6.default\Extensions\{A81A2294-5A42-7956-6670-CF8A4ACFEC5B} [2014-12-24]
FF Extension: Hotspot Shield Extension - C:\Program Files (x86)\Mozilla Firefox\extensions\afext@anchorfree.com [2013-10-02]
FF HKLM-x32\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: SmartPrintButton - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\QPExtension [2012-02-14]
FF HKLM-x32\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files (x86)\VDownloader\Addons\FireFox
FF Extension: No Name - C:\Users\Accounts\AppData\Roaming\okitSpace\Firefox [Not Found]
FF Extension: No Name - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [Not Found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/", "https://news.google.com/"
CHR Profile: C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-19]
CHR Extension: (Google Drive) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-19]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-23]
CHR Extension: (YouTube) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-03-31]
CHR Extension: (Google Search) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-03-31]
CHR Extension: (Google Wallet) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Gmail) - C:\Users\Accounts\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-03-31]
CHR HKLM-x32\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files (x86)\VDownloader\Addons\Chrome.crx [Not Found]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [136704 2009-06-24] (HP) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 psqlWGE; C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435528 2011-04-07] (Pervasive Software Inc.)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [244904 2009-12-01] () [File not signed]
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-28] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2011-10-08] (Marvell Semiconductor, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R2 npf; C:\Windows\System32\drivers\npf.sys [47632 2010-01-27] (CACE Technologies, Inc.)
S3 rtport; C:\windows\SysWOW64\drivers\rtport.sys [15144 2011-12-15] (Windows ® 2003 DDK 3790 provider)
R2 SGDrv; C:\Windows\System32\DRIVERS\SGdrv64.sys [7680 2011-04-11] (Phoenix Technologies Ltd.)
S1 atkwzkfx; \??\C:\windows\system32\drivers\atkwzkfx.sys [X]
S1 bxnqjjug; \??\C:\windows\system32\drivers\bxnqjjug.sys [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S1 ejwbuggl; \??\C:\windows\system32\drivers\ejwbuggl.sys [X]
S1 esxpsmqu; \??\C:\windows\system32\drivers\esxpsmqu.sys [X]
S1 HssDRV6; system32\DRIVERS\hssdrv6.sys [X]
S1 qrncqaet; \??\C:\windows\system32\drivers\qrncqaet.sys [X]
S1 sygsazox; \??\C:\windows\system32\drivers\sygsazox.sys [X]
S3 taphss6; system32\DRIVERS\taphss6.sys [X]
S1 wzrjrcdj; \??\C:\windows\system32\drivers\wzrjrcdj.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 10:15 - 2015-01-28 10:16 - 00022271 _____ () C:\Users\Accounts\Desktop\FRST.txt
2015-01-28 10:09 - 2015-01-28 10:09 - 00002422 _____ () C:\Users\Accounts\Desktop\JRT.txt
2015-01-28 09:58 - 2015-01-28 09:58 - 00000000 ____D () C:\windows\ERUNT
2015-01-28 09:57 - 2015-01-28 09:58 - 01707939 _____ (Thisisu) C:\Users\Accounts\Desktop\JRT.exe
2015-01-28 09:51 - 2015-01-28 09:51 - 00000049 _____ () C:\Users\Accounts\Desktop\Scan MBAM.txt
2015-01-28 09:40 - 2015-01-28 09:40 - 00003981 _____ () C:\Users\Accounts\Desktop\MBAM.txt
2015-01-28 08:46 - 2015-01-28 09:33 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-28 08:46 - 2015-01-28 08:46 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-28 08:45 - 2015-01-28 08:45 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-28 08:45 - 2015-01-28 08:45 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-28 08:45 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-01-28 08:45 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys
2015-01-28 08:45 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys
2015-01-28 08:31 - 2015-01-28 08:40 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Accounts\Desktop\mbam-setup-2.0.4.1028.exe
2015-01-28 08:30 - 2015-01-28 08:30 - 00003886 _____ () C:\windows\System32\Tasks\Adobe Acrobat Update Task
2015-01-28 08:18 - 2015-01-28 08:24 - 00000000 ____D () C:\AdwCleaner
2015-01-28 08:14 - 2015-01-28 08:14 - 02194432 _____ () C:\Users\Accounts\Desktop\AdwCleaner.exe
2015-01-27 08:25 - 2015-01-28 10:15 - 00000000 ____D () C:\Users\Accounts\Desktop\FRST-OlderVersion
2015-01-25 16:03 - 2015-01-25 16:05 - 05633533 _____ () C:\Users\Accounts\Downloads\Kenya, Nairobi.zip
2015-01-24 10:22 - 2015-01-24 10:24 - 00036117 _____ () C:\Users\Accounts\Downloads\Addition.txt
2015-01-24 10:19 - 2015-01-28 10:15 - 00000000 ____D () C:\FRST
2015-01-24 10:19 - 2015-01-24 10:24 - 00037555 _____ () C:\Users\Accounts\Downloads\FRST.txt
2015-01-24 10:17 - 2015-01-27 08:25 - 02129920 _____ (Farbar) C:\Users\Accounts\Desktop\FRST64.exe
2015-01-22 16:12 - 2015-01-22 16:55 - 00024982 _____ () C:\Users\Accounts\Desktop\dds.txt
2015-01-22 16:12 - 2015-01-22 16:55 - 00013421 _____ () C:\Users\Accounts\Desktop\attach.txt
2015-01-22 16:09 - 2015-01-22 16:09 - 00688992 ____R (Swearware) C:\Users\Accounts\Downloads\dds.com
2015-01-22 12:17 - 2015-01-25 15:47 - 00010550 __RSH () C:\ProgramData\ntuser.pol
2015-01-21 21:31 - 2015-01-21 21:31 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-21 21:31 - 2015-01-21 21:31 - 00002019 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2015-01-21 21:30 - 2015-01-22 16:46 - 00000000 ____D () C:\ProgramData\Adobe
2015-01-21 21:30 - 2015-01-21 21:30 - 00000000 ____D () C:\Program Files (x86)\Adobe
2015-01-21 21:29 - 2015-01-21 21:29 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\www.shadowexplorer.com
2015-01-21 21:28 - 2015-01-21 21:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShadowExplorer
2015-01-21 21:28 - 2015-01-21 21:28 - 00000000 ____D () C:\Program Files (x86)\ShadowExplorer
2015-01-21 21:25 - 2015-01-21 21:25 - 00969845 _____ (ShadowExplorer.com ) C:\Users\Accounts\Downloads\ShadowExplorer-0.9-setup.exe
2015-01-21 10:02 - 2015-01-21 10:43 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Tutous
2015-01-19 15:30 - 2015-01-21 09:29 - 00111016 _____ (Oracle Corporation) C:\windows\system32\WindowsAccessBridge-64.dll
2015-01-19 15:29 - 2015-01-19 15:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-19 15:28 - 2015-01-21 09:33 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-19 15:28 - 2015-01-21 09:31 - 00000000 ____D () C:\Program Files\Java
2015-01-15 08:19 - 2015-01-15 08:29 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Ysxeweun
2015-01-14 09:00 - 2014-12-19 07:06 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-01-14 09:00 - 2014-12-19 05:46 - 00141312 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2015-01-14 09:00 - 2014-12-06 08:17 - 00303616 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2015-01-14 09:00 - 2014-12-06 07:50 - 00156672 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncsi.dll
2015-01-14 09:00 - 2014-12-06 07:50 - 00052224 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2015-01-14 08:59 - 2014-12-12 09:35 - 05553592 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-01-14 08:59 - 2014-12-12 09:31 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-01-14 08:59 - 2014-12-12 09:31 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-01-14 08:59 - 2014-12-12 09:31 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-01-14 08:59 - 2014-12-12 09:11 - 03971512 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-01-14 08:59 - 2014-12-12 09:11 - 03916728 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-01-14 08:59 - 2014-12-12 09:07 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-01-14 08:59 - 2014-12-11 21:47 - 00087040 _____ (Microsoft Corporation) C:\windows\system32\TSWbPrxy.exe
2015-01-13 09:00 - 2015-01-27 08:32 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-13 08:55 - 2015-01-13 13:41 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Soqyot
2015-01-12 14:22 - 2015-01-19 15:02 - 00120992 _____ () C:\Users\Accounts\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-12 13:33 - 2015-01-12 13:34 - 02277402 _____ () C:\Users\Accounts\enc_files.txt
2015-01-08 15:05 - 2015-01-08 16:25 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\Sakegy
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 09:43 - 2011-10-14 03:49 - 01291575 _____ () C:\windows\WindowsUpdate.log
2015-01-28 09:42 - 2012-03-25 14:28 - 00000898 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-28 09:39 - 2009-07-14 08:45 - 00032720 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 09:39 - 2009-07-14 08:45 - 00032720 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 09:36 - 2009-07-14 09:13 - 00790176 _____ () C:\windows\system32\PerfStringBackup.INI
2015-01-28 09:34 - 2012-01-26 13:32 - 00000000 ____D () C:\Users\Accounts\AppData\Local\CrashDumps
2015-01-28 09:31 - 2012-03-25 14:28 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 09:30 - 2014-06-21 15:16 - 00016199 _____ () C:\windows\setupact.log
2015-01-28 09:30 - 2009-07-14 09:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-01-28 09:29 - 2010-11-21 07:47 - 00778556 _____ () C:\windows\PFRO.log
2015-01-28 09:28 - 2009-07-14 07:20 - 00000000 ____D () C:\windows\Branding
2015-01-28 08:17 - 2012-05-07 15:51 - 00000000 ____D () C:\Users\Accounts\Documents\Outlook Files
2015-01-28 08:13 - 2012-12-12 16:31 - 00000000 ____D () C:\Users\Accounts\AppData\Local\132D14A1-FC17-4B7C-B4E2-7C895708B797.aplzod
2015-01-26 15:38 - 2012-02-04 22:50 - 00000000 ____D () C:\Users\Accounts\Documents\GoMad ideas
2015-01-26 14:52 - 2012-06-23 17:38 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\uTorrent
2015-01-26 14:33 - 2012-04-05 13:14 - 00000000 ____D () C:\Users\Accounts\AppData\Roaming\vlc
2015-01-26 10:04 - 2012-02-23 13:06 - 00000000 ____D () C:\Users\Accounts\Documents\Personal
2015-01-25 23:14 - 2012-07-31 17:03 - 00000000 ____D () C:\Users\GoMad Inc. (Launch)\Desktop\GoMad
2015-01-24 14:05 - 2012-01-25 15:38 - 00000061 _____ () C:\Users\Accounts\Documents\TallyODBC_9000.dsn
2015-01-24 12:20 - 2013-10-23 18:48 - 00000000 ____D () C:\Users\Accounts\Downloads\havra school worksheets
2015-01-24 11:22 - 2011-10-13 12:53 - 00000000 ____D () C:\ProgramData\Temp
2015-01-21 21:32 - 2012-02-02 15:55 - 00000000 ____D () C:\Users\Accounts\AppData\Local\Adobe
2015-01-21 13:42 - 2012-01-26 13:42 - 00000000 ____D () C:\windows\System32\Tasks\NCH Software
2015-01-21 11:50 - 2012-02-26 18:44 - 00000000 ____D () C:\TallyTB
2015-01-21 10:38 - 2012-01-25 15:38 - 00000519 _____ () C:\windows\ODBCINST.INI
2015-01-21 10:38 - 2012-01-25 15:38 - 00000028 _____ () C:\windows\ODBC.INI
2015-01-21 10:38 - 2012-01-25 15:38 - 00000000 ____D () C:\Program Files (x86)\Tally.ERP9
2015-01-21 10:05 - 2009-07-14 07:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2015-01-19 16:30 - 2009-07-14 08:45 - 00438520 _____ () C:\windows\system32\FNTCACHE.DAT
2015-01-19 16:17 - 2012-01-22 19:23 - 00774486 _____ () C:\windows\SysWOW64\PerfStringBackup.INI
2015-01-19 16:09 - 2013-07-24 09:43 - 00000000 ____D () C:\windows\system32\MRT
2015-01-19 15:48 - 2012-02-08 18:45 - 113365784 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-01-19 15:32 - 2012-04-05 15:57 - 00000000 ____D () C:\Program Files (x86)\Java
2015-01-19 14:59 - 2014-12-28 16:58 - 00025884 _____ () C:\Users\Accounts\Desktop\Payment Request Summary.xlsx
2015-01-19 11:49 - 2009-07-14 09:32 - 00000000 ____D () C:\windows\system32\FxsTmp
2015-01-17 10:30 - 2013-07-01 14:50 - 00000000 ____D () C:\Users\Accounts\Documents\24by7
2015-01-12 14:50 - 2014-09-08 15:17 - 00113995 _____ () C:\Users\Accounts\Downloads\linkedin_connections_export_microsoft_outlook 8Sept14.xlsx
2015-01-12 14:49 - 2014-11-12 09:22 - 09435719 _____ () C:\Users\Accounts\Downloads\2008.zip
2015-01-12 13:40 - 2014-12-10 10:19 - 00074500 _____ () C:\Users\Accounts\Desktop\24x7 #ing System letter list.xlsx
2015-01-12 13:40 - 2014-07-02 16:00 - 00010668 _____ () C:\Users\Accounts\Desktop\Recruitment List.xlsx
2015-01-12 13:33 - 2012-01-22 18:57 - 00000000 ____D () C:\Users\Accounts
2015-01-11 09:40 - 2009-07-14 07:20 - 00000000 ____D () C:\windows\system32\NDF
2015-01-08 15:12 - 2012-02-18 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
2015-01-07 09:40 - 2014-12-22 10:58 - 00000019 _____ () C:\Users\Accounts\Desktop\userconfig.txt
2014-12-31 15:14 - 2010-11-21 07:27 - 00298120 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-12-31 09:37 - 2011-10-13 12:53 - 00000000 ____D () C:\Program Files (x86)\CyberLink
2014-12-31 09:30 - 2012-01-25 16:25 - 00000000 ____D () C:\Program Files (x86)\Business Objects
2014-12-31 09:06 - 2014-12-24 16:36 - 00000000 ____D () C:\Users\Accounts\AppData\Local\Eption
 
==================== Files in the root of some directories =======
 
2013-01-22 09:22 - 2013-01-22 09:22 - 0001474 _____ () C:\Users\Accounts\AppData\Roaming\CompatAdmin.log
2014-02-15 10:51 - 2014-07-16 13:27 - 0007644 _____ () C:\Users\Accounts\AppData\Local\resmon.resmoncfg
2012-02-20 19:18 - 2012-02-20 19:18 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2011-10-13 13:00 - 2011-10-13 13:01 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2011-10-13 12:53 - 2011-10-13 12:53 - 0000113 _____ () C:\ProgramData\{34FBC7C4-CD31-4D93-A428-0E524EAC4586}.log
2011-10-13 12:58 - 2011-10-13 12:59 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2011-10-13 12:54 - 2011-10-13 12:58 - 0000106 _____ () C:\ProgramData\{80E158EA-7181-40FE-A701-301CE6BE64AB}.log
2011-10-13 12:59 - 2011-10-13 13:00 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
 
Some content of TEMP:
====================
C:\Users\Accounts\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Accounts\AppData\Local\Temp\Quarantine.exe
C:\Users\Accounts\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-24 12:46
 
==================== End Of Log ============================
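The listing above is FRST output, one entry per line in the form "modified - created - size attrs (company) path", where the parenthesised field is the CompanyName from the file's version resource rather than a signature check. What follows is an added example written for this page (it is not part of the thread and not FRST's own code): it parses such lines and flags entries created within a couple of days of the infection date the poster gave (24 Dec 2014) under locations droppers commonly land in, and it also pulls out any file in the "Bamital & volsnap Check" section that did not pass verification. The sample lines are copied from the log above; the date window, the location list and the heuristic itself are assumptions, and a flagged entry is a candidate for review, not a verdict.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# One FRST listing line: "<modified> - <created> - <size> <attrs> (<company>) <path>".
# <company> is the CompanyName from the file's version resource (not a signature
# check); <attrs> is a run of one-letter flags, with D marking a directory.
FRST_LINE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# One line of the "Bamital & volsnap Check" section.
VERIFY_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

Entry = namedtuple("Entry", "modified created size attrs company path")

# Where a dropper is most likely to land (assumption; extend as needed).
DROP_LOCATIONS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def parse_frst_lines(text):
    """Return an Entry for every listing line; headers and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FRST_LINE.match(line.strip())
        if m:
            entries.append(Entry(
                datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                int(m["size"]), m["attrs"], m["company"], m["path"]))
    return entries


def flag_candidates(entries, infection_date, window_days=2):
    """Entries created within +/- window_days of infection_date ("YYYY-MM-DD")
    inside a drop location. The creation time is used rather than the modified
    time because updates and signature refreshes touch the latter constantly."""
    centre = datetime.strptime(infection_date, "%Y-%m-%d")
    lo = centre - timedelta(days=window_days)
    hi = centre + timedelta(days=window_days + 1)  # end of the last day
    return [e for e in entries
            if lo <= e.created < hi
            and any(loc in e.path.lower() for loc in DROP_LOCATIONS)]


def failed_verification(text):
    """Paths in the Bamital & volsnap section whose verdict is not 'digitally signed'."""
    bad = {}
    for line in text.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if m and m["verdict"] != "File is digitally signed":
            bad[m["path"]] = m["verdict"]
    return bad


# Constructed sample: lines copied from the log above, plus one section header.
SAMPLE_FRST = r"""
2015-01-21 10:05 - 2009-07-14 07:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2015-01-19 15:48 - 2012-02-08 18:45 - 113365784 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-01-24 11:22 - 2011-10-13 12:53 - 00000000 ____D () C:\ProgramData\Temp
2015-01-07 09:40 - 2014-12-22 10:58 - 00000019 _____ () C:\Users\Accounts\Desktop\userconfig.txt
2014-12-31 15:14 - 2010-11-21 07:27 - 00298120 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-12-31 09:06 - 2014-12-24 16:36 - 00000000 ____D () C:\Users\Accounts\AppData\Local\Eption

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
"""

if __name__ == "__main__":
    for e in flag_candidates(parse_frst_lines(SAMPLE_FRST), "2014-12-24"):
        print("review:", e.created, e.attrs, e.path)
    print("failed verification:", failed_verification(SAMPLE_FRST))
```

Run against the sample, the only entry flagged is the AppData\Local\Eption folder, created on the reported infection day; MpSigStub.exe and MRT.exe were modified in the same period but were created years earlier, which is why the filter keys on creation time.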


#13 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:23 AM

Posted 28 January 2015 - 01:33 AM

Additional Information: After I finished running MBAM, Microsoft Security Essentials detected Backdoor:Win32/Simda 

 

The default action in Security Essentials is set to "Remove", so the file was removed.

 

Also, while MBAM was running with Protection set to ON, it detected inbound and outbound intrusions - I guess this is already shown in the log posted at Step 2.

 

There were 2 suspicious DLL files in location - C:\ProgramData\Microsoft\Secure\Icons

IconsCacheHelper.dll & SecureIconProvider.dll

 

I noticed that SecureIconProvider.dll has been removed after MBAM Scan. However, IconsCacheHelper.dll is still there.

 

Also, Thanks a lot for your time and your help - It is truly appreciated. :) 



#14 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,133 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:07:23 PM

Posted 28 January 2015 - 10:35 AM

Hey, :)
  • Start Malwarebytes
  • Go to the tab called History
  • Then click on Application Logs
  • Then select the one log where it has found anything and double-click it
  • Then click on the Export button and select Text File (.txt) in the menu
  • Save it on your Desktop and post the content of this text file into your next reply.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#15 Sharekhan

Sharekhan
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:04:23 AM

Posted 29 January 2015 - 12:48 AM

Hi,

 

I had done those steps earlier too. The Scan log was empty although when the MBAM ran the first time it detected 107 threats (1 Malware; 106 PUP) All of those were quarantined by MBAM.

 

But the Scan logs in History -> Application Logs is blank. Screenshot attached.

 

Attached file: MBAM.png

 

Protection log was available and I had uploaded that yesterday.

 

When I opened MBAM today, it performed a scan again and reported Zero detections. However, Protection log is still reporting activity.

 

OK, I checked the XML log file for yesterday, and when I open it in Safari it gives an error: "error on line 53 at column 321: PCDATA invalid Char value 3"

 

 

I was able to open it in Notepad, but it comes out as code - I don't know if it helps much, but I am posting it below:

 

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2015/01/28 08:51:41 +0400</date>
<logfile>mbam-log-2015-01-28 (08-51-31).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.00.4.1028</version>
<malware-database>v2015.01.28.02</malware-database>
<rootkit-database>v2015.01.14.01</rootkit-database>
<license>trial</license>
<file-protection>enabled</file-protection>
<web-protection>enabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<osversion>Windows 7 Service Pack 1</osversion>
<arch>x64</arch>
<username>Accounts</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>443200</objects>
<time>2074</time>
<processes>0</processes>
<modules>0</modules>
<keys>4</keys>
<values>2</values>
<datas>1</datas>
<folders>28</folders>
<files>73</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{687578B9-7132-4A7A-80E4-30EE31099E03}</path><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><hash>0b46b344b1d8d462d650df18669c4db3</hash></key>
<key><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{687578B9-7132-4A7A-80E4-30EE31099E03}</path><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><hash>0b46b344b1d8d462d650df18669c4db3</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\SrvBrowserProtect</path><vendor>PUP.Optional.SoftwareUpdater.A</vendor><action>success</action><hash>6ae72fc8e2a70432c8327b087e8514ec</hash></key>
<key><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ConduitSearchScopes</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>3f12ec0b52374ee87c774e368c77ca36</hash></key>
<value><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER</path><valuename>{687578B9-7132-4A7A-80E4-30EE31099E03}</valuename><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><valuedata>¹xuh2qzJ€ä0î1 ž</valuedata><hash>0b46b344b1d8d462d650df18669c4db3</hash></value>
<value><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{687578B9-7132-4A7A-80E4-30EE31099E03}</path><valuename></valuename><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><valuedata></valuedata><hash>b39e21d6a8e10c2a20062ec9a65cbd43</hash></value>
<data><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN</path><valuename>Start Page</valuename><vendor>PUP.Optional.Eazel.A</vendor><action>replaced</action><valuedata>http://en.eazel.com/?id=AAAe62e49bb1bb40a3e6a642204676f4252&amp;oid=1</valuedata><baddata>http://en.eazel.com/?id=AAAe62e49bb1bb40a3e6a642204676f4252&amp;oid=1</baddata><gooddata>http://www.google.com</gooddata><hash>aea3d522345575c19ae1326ab74e15eb</hash></data>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\AddedAppDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\DefualtImages</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\DetectedAppDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\EngineFirstTimeDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog\images</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\images</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog\Images</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\Images</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarUntrustedAppsApprovalDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UninstallDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAddedAppDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAppApprovalDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAppPendingDialog</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Logs</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\MyStuffApps</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948\AppsMetaData</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948\DynamicDialogs</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948\ToolbarSettings</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<file><path>C:\Users\Accounts\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx</path><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><hash>72df32c5e2a77abc1577f5878e75659b</hash></file>
<file><path>C:\Windows\Tasks\Security Center Update - 203003518.job</path><vendor>Trojan.Agent.RvGen</vendor><action>success</action><hash>e968c0372f5abb7b5129b90b8d77956b</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\ldrtbNCH_.dll</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\tbNCH_.dll</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\toolbar.cfg</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\RoundedCornersIE9.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\DialogsAPI.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\excanvas.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\generalDialogStyle.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\PIE.htc</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\RoundedCorners.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\settings.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\version.txt</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\AddedAppDialog\app-added.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\AddedAppDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\DefualtImages\icon.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\DetectedAppDialog\app-2go.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\DetectedAppDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\EngineFirstTimeDialog\EngineFirstTimeDialog.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\EngineFirstTimeDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\EngineFirstTimeDialog\right-click.gif</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog\SearchProtector.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog\SearchProtector.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog\images\ok-button.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog\images\separation-line.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\NewSearchProtectorDialog\images\warning.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\bubble.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\bubble.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\images\information.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\images\x-default-LTR.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\images\x-default-RTL.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\images\x-mouseover-LTR.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorBubbleDialog\images\x-mouseover-RTL.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog\SearchProtector.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog\SearchProtector.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog\Images\info.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog\Images\ok-on.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorDialog\Images\ok.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\SearchProtectorRetakeover.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\SearchProtectorRetakeover.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\Images\Icon.jpg</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\Images\Icon.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\Images\info.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\Images\ok-on.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\SearchProtectorRetakeoverDialog\Images\ok.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\ToolbarFirstTimeDialog.css</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\ToolbarFirstTimeDialog.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\app-store-icon.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\arrow.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\divider.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\emailNotifier.gif</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\facebook.png</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\radio.GIF</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\Thumbs.db</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\truste_welcome.GIF</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarFirstTimeDialog\images\weather.GIF</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarUntrustedAppsApprovalDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\ToolbarUntrustedAppsApprovalDialog\ToolbarUntrustedAppsApprovalDialog.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAddedAppDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAddedAppDialog\UT-app-dialog-added.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAppApprovalDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAppApprovalDialog\UT-app-dialog-needs-your-approval.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAppPendingDialog\main.html</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Dialogs\UntrustedAppPendingDialog\UT-app-dialog-is-waiting.js</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948\AppsMetaData\data.bck.txt</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948\AppsMetaData\data.txt</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948\DynamicDialogs\data.txt</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
<file><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN\Repository\conduit_CT2801948_CT2801948\ToolbarSettings\data.txt</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></file>
</items>
</mbam-log>
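The XML pasted above is a Malwarebytes 2.x scan log, and the Safari error is a property of the file itself: the <valuedata> of the binary toolbar registry value contains a raw control character (0x03) that XML 1.0 forbids in character data, so any strict parser rejects the whole document. Below is an added example, written for this page rather than taken from the thread or from Malwarebytes, of how a responder would still parse such a log: strip the forbidden code points, then pull out what matters (detections that are not PUP/PUM, scheduled-task files, hijacked settings, and whether the <summary> counters match the items actually listed, which catches a truncated paste). The sample log is constructed from an abridged subset of the entries above with the control character put back; treating anything not named PUP.* or PUM.* as real malware is an assumption, not a Malwarebytes rule.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Code points XML 1.0 does not allow in character data. The pasted log had a raw
# 0x03 inside a binary <valuedata>, which is exactly what Safari choked on.
_ILLEGAL_XML = re.compile("[^\t\n\r\x20-\ud7ff\ue000-\ufffd\U00010000-\U0010ffff]")
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def sanitize_xml(text):
    """Make an already-decoded MBAM log parseable. The file on disk is UTF-16
    (read it with encoding="utf-16"); once decoded to str the declaration no
    longer describes the data, so drop it along with forbidden characters."""
    return _ILLEGAL_XML.sub("", _XML_DECL.sub("", text, count=1))


def parse_mbam_log(text):
    """Parse one Malwarebytes 2.x XML scan log into plain dicts."""
    root = ET.fromstring(sanitize_xml(text))
    engine = {c.tag: c.text for c in root.find("engine")}
    summary = {c.tag: int(c.text) if (c.text or "").isdigit() else c.text
               for c in root.find("summary")}
    fields = ("path", "valuename", "vendor", "action", "baddata", "gooddata", "hash")
    items = [dict({"kind": el.tag}, **{f: el.findtext(f, "") for f in fields})
             for el in root.find("items")]
    return {"engine": engine, "summary": summary, "items": items}


def summary_mismatch(report):
    """Compare <summary> counters with the items listed; a non-empty result
    means the log was truncated or edited (common with hand-pasted logs)."""
    counted = Counter(i["kind"] for i in report["items"])
    names = {"key": "keys", "value": "values", "data": "datas",
             "folder": "folders", "file": "files"}
    return {kind: (report["summary"].get(name, 0), counted[kind])
            for kind, name in names.items()
            if report["summary"].get(name, 0) != counted[kind]}


def triage(report):
    """Order the detections the way a responder reads them."""
    items = report["items"]
    return {
        "by_vendor": Counter(i["vendor"] for i in items),
        # MBAM names adware/toolbar hits PUP.* / PUM.*; anything else (Trojan.*,
        # Backdoor.*, ...) is treated as real malware here (assumption).
        "malware": [i for i in items if not i["vendor"].startswith(("PUP.", "PUM."))],
        # Not a confirmed removal or repair: needs follow-up (reboot, manual step).
        "unresolved": [i for i in items if i["action"] not in ("success", "replaced")],
        # Legacy scheduled-task files under \Windows\Tasks are a persistence mechanism.
        "scheduled_tasks": [i["path"] for i in items
                            if i["kind"] == "file" and i["path"].lower().endswith(".job")],
        # <data> items record a hijacked setting and the value it was reset to.
        "hijacks": [(i["valuename"], i["baddata"], i["gooddata"])
                    for i in items if i["kind"] == "data"],
    }


# Constructed sample: an abridged subset of the log posted above, with the
# control character that broke Safari put back into the binary <valuedata>.
SAMPLE_LOG = r"""<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header><date>2015/01/28 08:51:41 +0400</date><logfile>mbam-log-2015-01-28 (08-51-31).xml</logfile><isadmin>yes</isadmin></header>
<engine><version>2.00.4.1028</version><malware-database>v2015.01.28.02</malware-database><license>trial</license></engine>
<summary><type>threat</type><result>completed</result><keys>2</keys><values>1</values><datas>1</datas><folders>1</folders><files>2</files></summary>
<items>
<key><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{687578B9-7132-4A7A-80E4-30EE31099E03}</path><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><hash>0b46b344b1d8d462d650df18669c4db3</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\SrvBrowserProtect</path><vendor>PUP.Optional.SoftwareUpdater.A</vendor><action>success</action><hash>6ae72fc8e2a70432c8327b087e8514ec</hash></key>
<value><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER</path><valuename>{687578B9-7132-4A7A-80E4-30EE31099E03}</valuename><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><valuedata>{CTRL}¹xuh2qzJ€ä0î1 ž</valuedata><hash>0b46b344b1d8d462d650df18669c4db3</hash></value>
<data><path>HKU\S-1-5-21-4089285565-4052558029-1726783300-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN</path><valuename>Start Page</valuename><vendor>PUP.Optional.Eazel.A</vendor><action>replaced</action><valuedata>http://en.eazel.com/?id=AAAe62e49bb1bb40a3e6a642204676f4252&amp;oid=1</valuedata><baddata>http://en.eazel.com/?id=AAAe62e49bb1bb40a3e6a642204676f4252&amp;oid=1</baddata><gooddata>http://www.google.com</gooddata><hash>aea3d522345575c19ae1326ab74e15eb</hash></data>
<folder><path>C:\Users\GoMad Inc. (Launch)\AppData\LocalLow\NCH_EN</path><vendor>PUP.Optional.Conduit.A</vendor><action>success</action><hash>cf825a9d31581422e5ed67f7ad560cf4</hash></folder>
<file><path>C:\Users\Accounts\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx</path><vendor>PUP.Optional.uTorrentTB.A</vendor><action>success</action><hash>72df32c5e2a77abc1577f5878e75659b</hash></file>
<file><path>C:\Windows\Tasks\Security Center Update - 203003518.job</path><vendor>Trojan.Agent.RvGen</vendor><action>success</action><hash>e968c0372f5abb7b5129b90b8d77956b</hash></file>
</items>
</mbam-log>
""".replace("{CTRL}", "\x03")

if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatch:", summary_mismatch(report))
    for name, value in triage(report).items():
        print(name, "->", value)
```

On the full log as posted, the one detection that is not a PUP is the Trojan.Agent.RvGen hit on a scheduled-task file in C:\Windows\Tasks, which is the line a responder would read first; the <data> item records that the Internet Explorer start page had been pointed at an eazel.com URL and was reset to google.com.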
 

 

 





