
svchost using lots of memory


  • This topic is locked
23 replies to this topic

#1 Henrykill

Henrykill

  • Members
  • 14 posts

Posted 06 February 2015 - 09:23 PM

I have been having this problem for a while and posted before but the thread was locked before I could follow up. I am more dedicated to get this fixed so please help.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 February 2015 - 09:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Is this the topic you are talking about?
http://www.bleepingcomputer.com/forums/t/553317/svchost-hogging-memory/#entry3516351

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

If you still have this tool, just post a fresh FRST.txt log for my review.
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 Henrykill

Henrykill
  • Topic Starter

  • Members
  • 14 posts

Posted 13 February 2015 - 01:08 AM

I'll get this done tomorrow evening. As for how the computer runs, it is a partition on my Mac running Boot Camp; it runs fine if I can keep the offending process killed. When it is running it uses up to 1 gig of memory and makes the computer useless.

#4 Henrykill

Henrykill
  • Topic Starter

  • Members
  • 14 posts

Posted 14 February 2015 - 03:10 PM

Nasdaq,

Yes, that link to the forum topic was my original post.

Here are the reports you asked for, starting with AdwCleaner.

# AdwCleaner v4.110 - Logfile created 14/02/2015 at 11:58:48
# Updated 05/02/2015 by Xplode
# Database : 2015-02-14.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Endo Box - ENDOBOX-PC
# Running from : C:\Users\Endo Box\Desktop\adwcleaner_4.110.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v34.0.1847.116
 
 
-\\ Chromium v
 
 
-\\ Comodo Dragon v
 
 
-\\ Chrome Canary v
 
 
*************************
 
AdwCleaner[R0].txt - [11901 bytes] - [25/10/2014 11:49:23]
AdwCleaner[R1].txt - [899 bytes] - [29/11/2014 17:18:14]
AdwCleaner[R2].txt - [2602 bytes] - [04/02/2015 18:38:04]
AdwCleaner[R3].txt - [1206 bytes] - [14/02/2015 11:55:53]
AdwCleaner[S0].txt - [11863 bytes] - [25/10/2014 11:52:19]
AdwCleaner[S1].txt - [952 bytes] - [29/11/2014 17:21:04]
AdwCleaner[S2].txt - [5249 bytes] - [04/02/2015 18:40:58]
AdwCleaner[S3].txt - [1134 bytes] - [14/02/2015 11:58:48]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1193  bytes] ##########

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-02-2015
Ran by Endo Box (administrator) on ENDOBOX-PC on 14-02-2015 12:05:51
Running from C:\Users\Endo Box\Desktop
Loaded Profiles: Endo Box (Available profiles: Endo Box)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(AMD) C:\Windows\System32\atiesrxx.exe
() C:\Program Files (x86)\Input Remapper\InputRemapper.x64.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\Input Remapper\InputRemapper.x64.exe
() C:\Windows\System32\AppleOSSMgr.exe
(Apple Inc.) C:\Windows\System32\AppleTimeSrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Sanford, L.P.) C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Apple Inc.) C:\Program Files\Boot Camp\Bootcamp.exe
(Saitek) C:\Program Files\SmartTechnology\Software\ProfilerU.exe
(Saitek) C:\Program Files\SmartTechnology\Software\SaiMfd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files (x86)\AirPort\APAgent.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8114720 2009-09-11] (Realtek Semiconductor)
HKLM\...\Run: [Apple_KbdMgr] => C:\Program Files\Boot Camp\Bootcamp.exe [638776 2010-03-09] (Apple Inc.)
HKLM\...\Run: [ProfilerU] => C:\Program Files\SmartTechnology\Software\ProfilerU.exe [310784 2011-08-10] (Saitek)
HKLM\...\Run: [SaiMfd] => C:\Program Files\SmartTechnology\Software\SaiMfd.exe [158208 2011-08-10] (Saitek)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [InputRemapperTray] => C:\Program Files (x86)\Input Remapper\InputRemapper.exe [159160 2007-03-24] ()
HKLM-x32\...\Run: [DLSService] => "C:\Program Files (x86)\DYMO\DYMO Label Software\DLSService.exe"
HKLM-x32\...\Run: [AirPort Base Station Agent] => C:\Program Files (x86)\AirPort\APAgent.exe [771360 2009-11-11] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [641704 2012-11-16] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKU\S-1-5-21-4240230936-1819473028-1083907883-1000\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [1942720 2015-01-23] (Valve Corporation)
HKU\S-1-5-21-4240230936-1819473028-1083907883-1000\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4272640 2012-09-12] (Microsoft Corporation)
HKU\S-1-5-21-4240230936-1819473028-1083907883-1000\...\MountPoints2: {f4273d2c-0c87-11e1-b9d8-806e6f6e6963} - D:\SETUP.EXE
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks Background Downloader.lnk
ShortcutTarget: SolidWorks Background Downloader.lnk -> C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe (Dassault Systèmes SolidWorks Corp.)
Startup: C:\Users\Endo Box\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey - Shortcut.lnk
ShortcutTarget: AutoHotkey - Shortcut.lnk -> C:\Program Files\AutoHotkey\AutoHotkey.exe ()
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-4240230936-1819473028-1083907883-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-4240230936-1819473028-1083907883-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
HKU\S-1-5-21-4240230936-1819473028-1083907883-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = www.bing.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-4240230936-1819473028-1083907883-1000 -> {CDFC86D8-6E58-4CF8-9FD6-245B0888DB28} URL = http://www.bing.com/search?q={searchTerms}&form=MS8TDF&pc=MS8TDF&src=IE-SearchBox
BHO: YoiuTuAdBlocukueorr -> {1DF980D2-1905-84E9-9A4B-B91EA4783B3F} -> C:\ProgramData\YoiuTuAdBlocukueorr\mSG.x64.dll No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: YoutubeAdblocker -> {C21B4746-9D5A-E199-D8F0-A140548976F4} -> C:\Program Files (x86)\YoutubeAdblocker\qUBHtzn34.x64.dll No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
DPF: HKLM-x32 {24B8CB65-C0D2-11D0-A523-444553540000} http://ww2.acehardware-acenet.com/ACENET/Controls/AceExpl/AceExpl.cab
DPF: HKLM-x32 {41F841C0-AE16-11D5-8817-0050DA6EF5E5} http://ww2.acehardware-acenet.com/ACENET/controls/FarPoint60/fpspr60.cab
DPF: HKLM-x32 {8BF1A503-001F-11D0-A296-00A0246497B9} http://ww2.acehardware-acenet.com/ACENET/Controls/ACENET/ACECTL.CAB
DPF: HKLM-x32 {C903C000-9C6E-419D-A0AC-2E760BBA3764} http://ww2.acehardware-acenet.com/ACENET/Controls/MCSi/McsiMenu.cab
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 10.0.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.7.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @dymo.com/DymoLabelFramework -> C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll ( Sanford L.P.)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @stamps.com/Web client plug-in,version=1.0 -> C:\Program Files (x86)\Stamps.com Web Postage Plug-in\npsdcwc.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKU\S-1-5-21-4240230936-1819473028-1083907883-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Endo Box\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Extension: DownloadTerms - C:\Users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\Extensions\cxfnl@nxazbwxrbgsgfqqp.net [2013-09-06]
FF Extension: DownloadTerms - C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net [2013-09-06]
FF HKU\S-1-5-21-4240230936-1819473028-1083907883-1000\...\Firefox\Extensions: [wcapturex@deskperience.com] - C:\Program Files (x86)\WhiteSmokeTranslator\WCaptureMoz
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
 
Chrome: 
=======
CHR Profile: C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-21]
CHR Extension: (Google Drive) - C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-21]
CHR Extension: (YouTube) - C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-21]
CHR Extension: (Google Search) - C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-21]
CHR Extension: (IE Tab) - C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd [2014-06-07]
CHR Extension: (Google Wallet) - C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-21]
CHR Extension: (Gmail) - C:\Users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-21]
CHR HKLM-x32\...\Chrome\Extension: [bakaaanikglogbgdnnkhieaaadpnkggc] - C:\Users\ENDOBO~1\AppData\Local\Temp\ccex.crx [2012-01-11]
CHR HKLM-x32\...\Chrome\Extension: [mjdepfkicdcciagbigfcmdhknnoaaegf] - C:\Program Files (x86)\WhiteSmokeTranslator [Not Found]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AppleOSSMgr; C:\Windows\system32\AppleOSSMgr.exe [171832 2010-03-09] ()
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [814976 2015-02-06] ()
R2 DymoPnpService; C:\Program Files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [32336 2011-08-10] (Sanford, L.P.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2013-03-28] ()
S3 Remote Solver for Flow Simulation 2011; C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [110344 2010-09-07] (Mentor Graphics Corporation)
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2011-11-13] (SolidWorks) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 InputRemapper; "C:/Program Files (x86)/Input Remapper/InputRemapper.x64.exe" -Service InputRemapper [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BthKicker; C:\Windows\System32\DRIVERS\BthKicker.sys [8704 2010-01-10] (Apple Inc.)
R2 inpoutx64; C:\Windows\System32\Drivers\inpoutx64.sys [15008 2011-11-20] (Highresolution Enterprises [www.highrez.co.uk])
R3 InputRemapperFilter; C:\Windows\System32\Drivers\InputRemapperFilter.x64.sys [22968 2007-03-24] (Erik Olofsson)
S3 KProcessHacker2; C:\Program Files\Process Hacker 2\kprocesshacker.sys [39576 2013-11-13] (wj32)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
S3 nvrd64; C:\Windows\system32\DRIVERS\nvrd64.sys [175648 2009-06-30] (NVIDIA Corporation)
R3 SaiK0CCB; C:\Windows\System32\DRIVERS\SaiK0CCB.sys [176136 2011-03-23] (Saitek)
R3 SaiMini; C:\Windows\System32\DRIVERS\SaiMini.sys [24640 2011-08-11] (Saitek)
R3 SaiNtBus; C:\Windows\System32\drivers\SaiBus.sys [52160 2011-08-11] (Saitek)
R3 SaiU0CCB; C:\Windows\System32\DRIVERS\SaiU0CCB.sys [41352 2011-03-23] (Saitek)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2015-02-04] ()
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 X6va013; \??\C:\Windows\SysWOW64\Drivers\X6va013 [X]
S3 X6va016; \??\C:\Windows\SysWOW64\Drivers\X6va016 [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-14 12:05 - 2015-02-14 12:05 - 02134528 _____ (Farbar) C:\Users\Endo Box\Desktop\FRST64.exe
2015-02-14 12:05 - 2015-02-14 12:05 - 00001267 _____ () C:\Users\Endo Box\Desktop\adwreport.txt
2015-02-14 12:05 - 2015-02-14 12:05 - 00000000 ____D () C:\Users\Endo Box\Desktop\FRST-OlderVersion
2015-02-14 11:55 - 2015-02-14 11:55 - 02112512 _____ () C:\Users\Endo Box\Desktop\adwcleaner_4.110.exe
2015-02-14 11:54 - 2015-02-14 11:55 - 02112512 _____ () C:\Users\Endo Box\Downloads\adwcleaner_4.110.exe
2015-02-06 18:20 - 2015-02-06 18:21 - 00042722 _____ () C:\Users\Endo Box\Desktop\Addition.txt
2015-02-06 18:19 - 2015-02-06 18:20 - 18570328 _____ () C:\Users\Endo Box\Desktop\RogueKillerX64 (2).exe
2015-02-06 18:17 - 2015-02-14 12:05 - 00015072 _____ () C:\Users\Endo Box\Desktop\FRST.txt
2015-02-04 19:04 - 2015-02-04 19:04 - 00003424 ____N () C:\bootsqm.dat
2015-02-04 18:40 - 2015-02-04 18:40 - 18570328 _____ () C:\Users\Endo Box\Downloads\RogueKillerX64 (1).exe
2015-01-27 18:31 - 2015-01-27 18:31 - 00000000 ____D () C:\Users\Endo Box\AppData\Roaming\Process Hacker 2
2015-01-27 18:21 - 2015-01-27 18:21 - 01932448 _____ (wj32 ) C:\Users\Endo Box\Downloads\processhacker-2.33-setup.exe
2015-01-27 18:21 - 2015-01-27 18:21 - 00001809 _____ () C:\Users\Endo Box\Desktop\Process Hacker 2.lnk
2015-01-27 18:21 - 2015-01-27 18:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2
2015-01-27 18:21 - 2015-01-27 18:21 - 00000000 ____D () C:\Program Files\Process Hacker 2
2015-01-24 20:49 - 2015-01-24 20:49 - 97286942 _____ () C:\Users\Endo Box\Downloads\DX50Firmware_V1.6.0, Nov 21st 2014.zip
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-14 12:06 - 2014-10-25 11:57 - 00000000 ____D () C:\FRST
2015-02-14 12:06 - 2011-11-11 17:17 - 01511234 _____ () C:\Windows\WindowsUpdate.log
2015-02-14 12:05 - 2013-09-09 16:29 - 00200330 _____ () C:\Users\Endo Box\.pia_manager_crash.log
2015-02-14 12:05 - 2011-11-11 10:05 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-02-14 12:02 - 2012-09-17 18:05 - 00000000 ____D () C:\Users\Endo Box\Tracing
2015-02-14 12:02 - 2009-07-13 20:51 - 00480266 _____ () C:\Windows\setupact.log
2015-02-14 12:01 - 2014-04-21 17:35 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-14 12:01 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-14 11:58 - 2014-10-25 11:45 - 00000000 ____D () C:\AdwCleaner
2015-02-14 11:58 - 2012-04-08 19:28 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-14 11:52 - 2012-05-21 16:57 - 00176017 _____ () C:\Users\Endo Box\Documents\98.238.178.1
2015-02-14 11:44 - 2009-07-13 20:45 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-14 11:44 - 2009-07-13 20:45 - 00010208 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-14 11:40 - 2014-04-21 17:35 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-14 11:36 - 2014-10-25 12:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-09 19:30 - 2012-07-13 13:00 - 00000000 ____D () C:\Users\Endo Box\AppData\Local\ArmA 2 OA
2015-02-09 19:29 - 2009-07-13 21:08 - 00032608 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-02-08 04:56 - 2011-11-11 10:03 - 00889392 _____ () C:\Windows\PFRO.log
2015-02-06 19:58 - 2012-04-08 19:28 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-06 19:58 - 2012-04-08 19:28 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-06 19:58 - 2011-11-11 12:20 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-06 18:50 - 2011-11-11 17:08 - 00000000 ____D () C:\Windows\Panther
2015-02-06 18:28 - 2014-10-25 12:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-06 18:28 - 2014-10-25 12:13 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-06 18:28 - 2012-02-10 19:18 - 00001074 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-04 18:40 - 2014-10-25 11:38 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-01-27 19:23 - 2014-10-25 12:49 - 00001412 _____ () C:\Users\Endo Box\Desktop\Rkill.txt
2015-01-20 17:16 - 2013-11-08 20:52 - 00000000 ____D () C:\Program Files (x86)\Diablo II
 
==================== Files in the root of some directories =======
 
2011-12-30 11:43 - 2011-12-30 11:43 - 0028394 __RSH () C:\Program Files (x86)\DLS8Uninstall.log
2014-02-02 18:48 - 2014-01-12 21:51 - 0146768 _____ () C:\Program Files (x86)\trz3448.tmp
2013-09-06 18:07 - 2013-09-06 18:08 - 0000624 _____ () C:\Users\Endo Box\AppData\Roaming\All CPU MeterV3_Settings.ini
2011-11-14 19:16 - 2013-09-06 18:05 - 0000412 _____ () C:\Users\Endo Box\AppData\Roaming\All CPU Meter_Settings.ini
2013-09-06 18:02 - 2013-09-06 18:03 - 0000282 _____ () C:\Users\Endo Box\AppData\Roaming\GPU MeterV2_Settings.ini
2013-01-10 15:36 - 2013-01-10 15:36 - 0582227 _____ () C:\Users\Endo Box\AppData\Roaming\technic-launcher.jar
2013-02-27 16:46 - 2013-03-14 14:53 - 0000496 _____ () C:\Users\Endo Box\AppData\Roaming\UserMetrics.osl
2011-11-11 17:24 - 2009-08-29 18:40 - 0000990 _____ () C:\Users\Endo Box\AppData\Local\7F68A003.il
2011-11-18 14:37 - 2013-03-24 20:55 - 0005632 _____ () C:\Users\Endo Box\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-11-11 17:24 - 2009-08-29 18:40 - 0000832 _____ () C:\Users\Endo Box\AppData\Local\IndexIE_7F68A003.il
2013-09-06 17:40 - 2013-09-06 17:40 - 0007605 _____ () C:\Users\Endo Box\AppData\Local\Resmon.ResmonCfg
2011-11-18 16:06 - 2014-03-09 21:05 - 0000000 _____ () C:\Users\Endo Box\AppData\Local\Temptable.xml
 
Files to move or delete:
====================
C:\Users\Endo Box\en_res.dll
C:\Users\Endo Box\es_res.dll
C:\Users\Endo Box\fr_res.dll
C:\Users\Endo Box\grm_res.dll
C:\Users\Endo Box\inpout32.dll
C:\Users\Endo Box\inpoutx64.dll
C:\Users\Endo Box\it_res.dll
C:\Users\Endo Box\jp_res.dll
C:\Users\Endo Box\MacFan.exe
C:\Users\Endo Box\MacFanx64.exe
C:\Users\Endo Box\mfc80u.dll
C:\Users\Endo Box\msvcr80.dll
C:\Users\Endo Box\PCPE Setup.exe
C:\Users\Endo Box\pt_res.dll
C:\Users\Endo Box\ResourceReader.dll
C:\Users\Endo Box\ru_res.dll
C:\Users\Endo Box\zh_res.dll
 
 
Some content of TEMP:
====================
C:\Users\Endo Box\AppData\Local\Temp\7za.exe
C:\Users\Endo Box\AppData\Local\Temp\BingBarSetup-Partner.exe
C:\Users\Endo Box\AppData\Local\Temp\binkw32.dll
C:\Users\Endo Box\AppData\Local\Temp\contentDATs.exe
C:\Users\Endo Box\AppData\Local\Temp\d2l_Install.exe
C:\Users\Endo Box\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Endo Box\AppData\Local\Temp\oi_{6A4A1F6E-0911-4302-8035-3E92AB0AE07C}.exe
C:\Users\Endo Box\AppData\Local\Temp\Quarantine.exe
C:\Users\Endo Box\AppData\Local\Temp\SecurityScan_Release.exe
C:\Users\Endo Box\AppData\Local\Temp\sqlite3.dll
C:\Users\Endo Box\AppData\Local\Temp\su-setup.exe
C:\Users\Endo Box\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Endo Box\AppData\Local\Temp\swt-win32-3740.dll
C:\Users\Endo Box\AppData\Local\Temp\tbuTor.dll
C:\Users\Endo Box\AppData\Local\Temp\TSCC.exe
C:\Users\Endo Box\AppData\Local\Temp\TsuA2ACFB53.dll
C:\Users\Endo Box\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Endo Box\AppData\Local\Temp\YontooIEClient.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-08 18:50
 
==================== End Of Log ============================


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 February 2015 - 09:59 AM

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Do you have any need for, or any difficulties with, this process?
C:\Program Files (x86)\Input Remapper\InputRemapper.x64.exe
I notice that one file is missing in this service.
R2 InputRemapper; "C:/Program Files (x86)/Input Remapper/InputRemapper.x64.exe" -Service InputRemapper [X]
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: YoiuTuAdBlocukueorr -> {1DF980D2-1905-84E9-9A4B-B91EA4783B3F} -> C:\ProgramData\YoiuTuAdBlocukueorr\mSG.x64.dll No File
BHO: YoutubeAdblocker -> {C21B4746-9D5A-E199-D8F0-A140548976F4} -> C:\Program Files (x86)\YoutubeAdblocker\qUBHtzn34.x64.dll No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @stamps.com/Web client plug-in,version=1.0 -> C:\Program Files (x86)\Stamps.com Web Postage Plug-in\npsdcwc.dll No File
FF Extension: DownloadTerms - C:\Users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\Extensions\cxfnl@nxazbwxrbgsgfqqp.net [2013-09-06]
FF Extension: DownloadTerms - C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net [2013-09-06]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [bakaaanikglogbgdnnkhieaaadpnkggc] - C:\Users\ENDOBO~1\AppData\Local\Temp\ccex.crx [2012-01-11]
CHR HKLM-x32\...\Chrome\Extension: [mjdepfkicdcciagbigfcmdhknnoaaegf] - C:\Program Files (x86)\WhiteSmokeTranslator [Not Found]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 X6va013; \??\C:\Windows\SysWOW64\Drivers\X6va013 [X]
S3 X6va016; \??\C:\Windows\SysWOW64\Drivers\X6va016 [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#6 Henrykill (Topic Starter, Members)

Posted 15 February 2015 - 12:56 PM

As far as Input remapper, I can't remember exactly what I was using it for. I don't use it anymore though.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-02-2015
Ran by Endo Box at 2015-02-15 09:43:56 Run:1
Running from C:\Users\Endo Box\Desktop
Loaded Profiles: Endo Box (Available profiles: Endo Box)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
CloseProcesses:
 
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: YoiuTuAdBlocukueorr -> {1DF980D2-1905-84E9-9A4B-B91EA4783B3F} -> C:\ProgramData\YoiuTuAdBlocukueorr\mSG.x64.dll No File
BHO: YoutubeAdblocker -> {C21B4746-9D5A-E199-D8F0-A140548976F4} -> C:\Program Files (x86)\YoutubeAdblocker\qUBHtzn34.x64.dll No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @stamps.com/Web client plug-in,version=1.0 -> C:\Program Files (x86)\Stamps.com Web Postage Plug-in\npsdcwc.dll No File
FF Extension: DownloadTerms - C:\Users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\Extensions\cxfnl@nxazbwxrbgsgfqqp.net [2013-09-06]
FF Extension: DownloadTerms - C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net [2013-09-06]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [bakaaanikglogbgdnnkhieaaadpnkggc] - C:\Users\ENDOBO~1\AppData\Local\Temp\ccex.crx [2012-01-11]
CHR HKLM-x32\...\Chrome\Extension: [mjdepfkicdcciagbigfcmdhknnoaaegf] - C:\Program Files (x86)\WhiteSmokeTranslator [Not Found]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 X6va013; \??\C:\Windows\SysWOW64\Drivers\X6va013 [X]
S3 X6va016; \??\C:\Windows\SysWOW64\Drivers\X6va016 [X]
 
End
*****************
 
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => Key deleted successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => Key not found. 
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1DF980D2-1905-84E9-9A4B-B91EA4783B3F}" => Key deleted successfully.
"HKCR\CLSID\{1DF980D2-1905-84E9-9A4B-B91EA4783B3F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C21B4746-9D5A-E199-D8F0-A140548976F4}" => Key deleted successfully.
"HKCR\CLSID\{C21B4746-9D5A-E199-D8F0-A140548976F4}" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value deleted successfully.
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Key not found. 
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@stamps.com/Web client plug-in,version=1.0" => Key deleted successfully.
C:\Users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\Extensions\cxfnl@nxazbwxrbgsgfqqp.net => Moved successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net => Moved successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bakaaanikglogbgdnnkhieaaadpnkggc" => Key deleted successfully.
"C:\Users\ENDOBO~1\AppData\Local\Temp\ccex.crx" => File/Directory not found.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mjdepfkicdcciagbigfcmdhknnoaaegf" => Key deleted successfully.
Synth3dVsc => Service deleted successfully.
tsusbhub => Service deleted successfully.
VGPU => Service deleted successfully.
X6va013 => Service deleted successfully.
X6va016 => Service deleted successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 09:43:59 ====

 Results of screen317's Security Check version 0.99.96  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 JavaFX 2.1.1    
 Java™ 6 Update 30  
 Java™ 7 Update 5  
 Java version 32-bit out of Date! 
  Java 64-bit 8 Update 31  
 Adobe Flash Player 16.0.0.305  
 Adobe Reader 9 Adobe Reader out of Date! 
 Google Chrome 34.0.1847.116 Google Chrome out of date!  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Google Update Install {1EF5D828-DACE-46A9-9B69-7D8086902198}\GoogleUpdateSetup.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 10% 
````````````````````End of Log`````````````````````` 
 
 
 
 
 
How the computer runs: as of right now it seems better. I am attempting to install Windows updates, since I was unable to with this svchost issue. I will update if I am able to get the updates downloaded and installed.
 
Thank you and so far so good.


#7 nasdaq (Malware Response Team)

Posted 15 February 2015 - 02:18 PM

Using the Add/Remove Programs applet, remove these old versions of Java.

JavaFX 2.1.1
Java™ 6 Update 30
Java™ 7 Update 5

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

Keep me posted on the updates.
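The checkup.txt posted in #6 and nasdaq's reading of it in #7 (remove the older Java runtimes and the standalone JavaFX, update Reader) follow a fixed pattern, so here is an added Python triage script that applies it. It is not part of the thread and not part of Security Check itself. It parses the report text, separates the warnings (UAC disabled, Security Center not running) from the items flagged out of date, and lists every Java runtime older than the newest one installed, plus any standalone JavaFX, as candidates for Add/Remove Programs. The sample is the report above with the backtick banners dropped; the assumption that Security Check lists 32-bit runtimes without a bitness tag is mine, not something the thread states.

```python
"""Triage helper for screen317's Security Check report (checkup.txt).

Added example, not part of the BleepingComputer thread or of Security Check.
It reads the report text and separates warnings, software flagged out of
date, and Java runtimes to remove, mirroring the advice given in the thread.
"""
import re

# Sample input, copied from the checkup.txt posted in the thread
# (backtick section banners removed).
SAMPLE_REPORT = """\
 Results of screen317's Security Check version 0.99.96
 Windows 7 Service Pack 1 x64 (UAC is disabled!)
 Internet Explorer 11
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!
Microsoft Security Essentials
 Antivirus up to date!
 JavaFX 2.1.1
 Java\u2122 6 Update 30
 Java\u2122 7 Update 5
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31
 Adobe Flash Player 16.0.0.305
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 34.0.1847.116 Google Chrome out of date!
 Total Fragmentation on Drive C: 10%
"""

# One JRE entry: "Java(TM) 6 Update 30" or "Java 64-bit 8 Update 31".
# Assumption: Security Check lists 32-bit runtimes without a bitness tag.
JAVA_RE = re.compile(
    r"^Java(?:\u2122|\(TM\))?(?:\s+(32-bit|64-bit))?\s+(\d+)\s+Update\s+(\d+)$")
JAVAFX_RE = re.compile(r"^JavaFX\s+([\d.]+)$")
OUT_OF_DATE_RE = re.compile(r"out of date!", re.IGNORECASE)
WARNING_RE = re.compile(r"(is disabled!|not running!)", re.IGNORECASE)


def parse_report(text):
    """Split the report into warnings, out-of-date lines, JavaFX and Java entries."""
    warnings, out_of_date, javafx, java = [], [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = JAVAFX_RE.match(line)
        if m:
            javafx.append(f"JavaFX {m.group(1)}")
            continue
        m = JAVA_RE.match(line)
        if m:
            bitness = m.group(1) or "32-bit"
            java.append((int(m.group(2)), int(m.group(3)), bitness))
            continue
        if OUT_OF_DATE_RE.search(line):
            out_of_date.append(line)
        elif WARNING_RE.search(line):
            warnings.append(line)
    return {"warnings": warnings, "out_of_date": out_of_date,
            "javafx": javafx, "java": java}


def _label(entry):
    return f"Java {entry[0]} Update {entry[1]} ({entry[2]})"


def triage(text):
    """Decide what to keep and what to remove.

    Rule taken from the thread: keep only the newest Java runtime found;
    every older (major, update) pair and any standalone JavaFX runtime goes
    to the remove list for Add/Remove Programs.
    """
    parsed = parse_report(text)
    versions = [(v[0], v[1]) for v in parsed["java"]]
    newest = max(versions) if versions else None
    keep = [_label(v) for v in parsed["java"] if (v[0], v[1]) == newest]
    remove = parsed["javafx"] + [
        _label(v) for v in parsed["java"] if (v[0], v[1]) != newest]
    return {"warnings": parsed["warnings"], "out_of_date": parsed["out_of_date"],
            "keep": keep, "remove": remove}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key in ("warnings", "out_of_date", "remove", "keep"):
        print(f"{key}:")
        for item in result[key]:
            print(f"  - {item}")
```

Run it as-is to print the four lists for the sample, or pass a real report with triage(open(path, encoding="utf-8").read()). The Java rule is deliberately aggressive, matching the advice in #7; whether an application genuinely needs an older 32-bit runtime is a case-by-case decision the script cannot make.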

#8 Henrykill (Topic Starter, Members)

Posted 15 February 2015 - 02:31 PM

I took care of the old versions of Java and Adobe Reader. I let Windows Update sit for an hour with no progress, so I am assuming it still won't update.

The major offender svchost has failed to show up. There is only one, using 160 MB of memory instead of 850 MB.



#9 nasdaq (Malware Response Team)

Posted 16 February 2015 - 08:36 AM

--RogueKiller--
  • Download & SAVE to your Desktop: For 32-bit system or For 64-bit system.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
=======

#10 Henrykill (Topic Starter, Members)

Posted 16 February 2015 - 09:07 PM

RogueKiller report.

 

RogueKiller V10.3.0.0 (x64) [Feb 16 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Endo Box [Administrator]
Mode : Delete -- Date : 02/16/2015  18:06:16
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{59870AA8-4B52-42C0-9565-97FFAC205A7C} | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{59870AA8-4B52-42C0-9565-97FFAC205A7C} | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{59870AA8-4B52-42C0-9565-97FFAC205A7C} | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1001FALS-00J7B0 ATA Device +++++
--- User ---
[MBR] 7f61e0c3cf3edeb404ab1bbe0985641a
[BSP] b29902d74ebdfe3117a980929bc33ed2 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 200 MB
1 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 409640 | Size: 667081 MB
2 - [XXXXXX] MACOSX-BT (0xab) [VISIBLE] Offset (sectors): 1366591704 | Size: 619 MB
3 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 1367861248 | Size: 285968 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_DEL_01272015_192529.log - RKreport_DEL_10252014_124849.log - RKreport_DEL_10252014_140444.log - RKreport_DEL_11292014_171219.log
RKreport_DEL_11292014_171230.log - RKreport_SCN_01272015_192513.log - RKreport_SCN_10252014_124328.log - RKreport_SCN_10252014_124818.log
RKreport_SCN_10252014_140200.log - RKreport_SCN_11292014_171040.log - RKreport_SCN_02162015_180601.log


#11 nasdaq (Malware Response Team)

Posted 17 February 2015 - 09:29 AM

Nothing suspicious there.

Please Download and run the ComboFix tool.

How to use ComboFix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions on the page.

Post the content of the C:\ComboFix.txt file for my review.

p.s.
When all is well you can remove the tool by following the Uninstall instructions on the same page.

====
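nasdaq's verdict on the RogueKiller report in #10, "Nothing suspicious there", rests on one observation: every PUM.Dns entry names 10.0.1.1, a private address, so the machine's DNS settings still point at the LAN router rather than at an attacker-run resolver. As an added example (not from the thread and not from RogueKiller), the following Python script makes that check mechanical: it parses the [PUM.Dns] lines and classifies each nameserver as LAN (RFC 1918, loopback, link-local) or external. The first two sample lines are copied from the report above; the third is constructed, with the TEST-NET-3 documentation address 203.0.113.53 standing in for an external resolver.

```python
"""Classify RogueKiller [PUM.Dns] entries by where the nameserver points.

Added example, not part of this thread or of RogueKiller. RogueKiller reports
the DNS-server values under the Tcpip Parameters key as PUM.Dns (potentially
unwanted modification) because DNS hijackers rewrite them; nasdaq cleared the
entries in the thread because they point at a private address (the LAN
router). This script makes that judgement mechanical.
"""
import ipaddress
import re

# Address ranges a home or office resolver is expected to live in.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
)]

# [PUM.Dns] (X64) <registry key> | <value name> : <ip> [<ip> ...] [tags] -> <action>
PUM_DNS_RE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?:X64|X86)\)\s+(?P<key>\S+)\s+\|\s+(?P<name>\w+)\s+:\s+"
    r"(?P<servers>[\d.]+(?:\s+[\d.]+)*)\s+\[.*\]\s+->\s+(?P<action>.+)$"
)

# Sample input. The first two lines are copied from the report posted above.
# The third is constructed: it uses the TEST-NET-3 documentation address
# 203.0.113.53 in place of an external resolver to show a value worth review.
SAMPLE_REPORT = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{59870AA8-4B52-42C0-9565-97FFAC205A7C} | DhcpNameServer : 10.0.1.1 [(Private Address) (XX)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | NameServer : 203.0.113.53 10.0.1.1 [(XX)]  -> Not selected
"""


def classify(ip_text):
    """'lan' for RFC 1918, loopback and link-local; 'external' otherwise;
    'invalid' if the text is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    return "lan" if any(ip in net for net in LAN_NETWORKS) else "external"


def parse_pum_dns(text):
    """One dict per [PUM.Dns] line, with every listed nameserver classified."""
    entries = []
    for line in text.splitlines():
        m = PUM_DNS_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "key": m.group("key"),
            "value": m.group("name"),
            "servers": {s: classify(s) for s in m.group("servers").split()},
            "action": m.group("action"),
        })
    return entries


def needs_review(entries):
    """Entries in which at least one nameserver lies outside the LAN ranges."""
    return [e for e in entries if "external" in e["servers"].values()]


if __name__ == "__main__":
    parsed = parse_pum_dns(SAMPLE_REPORT)
    for e in parsed:
        print(e["value"], e["servers"])
    print("needs review:", [e["value"] for e in needs_review(parsed)])
```

Python's ipaddress.is_private counts the documentation ranges as private, which is why the script keeps its own LAN list instead of using that flag. An external nameserver is not proof of a hijack (ISPs and corporate networks hand out public resolvers over DHCP), and a LAN address is not proof of safety if the router itself has been reconfigured; the check only separates the entries that need a human look from the ones that do not.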

#12 Henrykill (Topic Starter, Members)

Posted 18 February 2015 - 09:03 PM

ComboFix 15-02-16.01 - Endo Box 02/18/2015  17:43:10.1.2 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.4077.1697 [GMT -8:00]
Running from: c:\users\Endo Box\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\cflog\EPLog.txt
C:\install.exe
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\Administrator\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\Endo Box\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\Endo Box\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\Endo Box\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Endo Box\AppData\LocalLow\.2.7.dat
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\2qpt56mvz@yaoowwo.com\bootstrap.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\2qpt56mvz@yaoowwo.com\chrome.manifest
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\2qpt56mvz@yaoowwo.com\content\bg.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\2qpt56mvz@yaoowwo.com\install.rdf
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\3aee@yeyarwj.org\bootstrap.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\3aee@yeyarwj.org\chrome.manifest
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\3aee@yeyarwj.org\content\bg.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\3aee@yeyarwj.org\install.rdf
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\ug9qpdm@o-rb.co.uk\bootstrap.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\ug9qpdm@o-rb.co.uk\chrome.manifest
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\ug9qpdm@o-rb.co.uk\content\bg.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\ug9qpdm@o-rb.co.uk\install.rdf
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\uyeagj@iueyejin.com\bootstrap.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\uyeagj@iueyejin.com\chrome.manifest
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\uyeagj@iueyejin.com\content\bg.js
c:\users\Endo Box\AppData\Roaming\Mozilla\Firefox\Profiles\2xupfx5t.default\extensions\staged\uyeagj@iueyejin.com\install.rdf
c:\users\Endo Box\MacFan.exe
c:\users\Endo Box\MacFanx64.exe
c:\users\Endo Box\ResourceReader.dll
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\dobdhkihkamjckbombnjdcljimnbgpip\1.0\tGFnKDnnbYd.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\foilkihfjbmbnepdmepakfgkocpollda\2.7\MS6G_k9Xdfh.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\BxD.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\icon48.png
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\lldjbpgipagkhmpiebjjmdaahdkilino\1.1\manifest.json
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\background.html
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\content.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\GX66e6C.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\lsdb.js
c:\users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\floipahigmmkfhkoapmnijnlnboniglg\115\manifest.json
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_conhost.exe        pid: 2124     24: c:\windows\System32\en-US\conhost.exe.mui
-------\Service_Copyright © 1997-2008 Mark Russinovich
-------\Service_Handle v3.42
-------\Service_lsm.exe            pid: 568     268: c:\windows\System32\en-US\lsm.exe.mui
-------\Service_MsMpEng.exe        pid: 800     350: c:\program files\Microsoft Security Client\NisSrv.exe
-------\Service_MsMpEng.exe        pid: 800     368: c:\program files\Microsoft Security Client\MpCmdRun.exe
-------\Service_Sysinternals - www.sysinternals.com
-------\Service_wmpnetwk.exe       pid: 4412     3C: c:\program files\Windows Media Player\en-US\wmpnetwk.exe.mui
.
.
(((((((((((((((((((((((((   Files Created from 2015-01-19 to 2015-02-19  )))))))))))))))))))))))))))))))
.
.
2015-02-17 02:09 . 2015-01-29 09:07 11910896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82B51424-FFBB-4B2D-A6D9-52BCAC6A5198}\mpengine.dll
2015-02-16 01:42 . 2015-02-16 01:42 -------- d-----w- c:\program files\TeamSpeak 3 Client
2015-02-15 19:28 . 2015-02-15 19:29 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2015-02-15 02:16 . 2015-02-15 02:16 -------- d-----w- c:\users\Endo Box\AppData\Local\Maca134
2015-02-15 02:07 . 2015-02-17 02:14 -------- d-----w- c:\program files (x86)\DayZLauncher
2015-02-14 19:59 . 2014-09-20 23:39 1188440 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{56B9715A-DF09-4250-A645-C1BB98B1C215}\gapaengine.dll
2015-02-14 19:57 . 2014-12-02 10:26 11870360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-28 02:31 . 2015-01-28 02:31 -------- d-----w- c:\users\Endo Box\AppData\Roaming\Process Hacker 2
2015-01-28 02:21 . 2015-01-28 02:21 -------- d-----w- c:\program files\Process Hacker 2
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-02-19 01:26 . 2014-10-25 20:14 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-02-17 02:01 . 2014-10-25 19:38 37624 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-02-07 03:58 . 2012-04-09 03:28 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-02-07 03:58 . 2011-11-11 20:20 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-31 11:14 . 2011-11-12 05:41 298120 ------w- c:\windows\system32\MpSigStub.exe
2014-12-17 02:09 . 2014-11-01 18:30 895088 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2014-12-17 02:09 . 2014-11-01 18:30 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2014-12-14 02:12 . 2012-01-12 20:09 895088 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2014-12-14 02:11 . 2012-01-12 20:08 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2014-12-14 02:11 . 2014-11-01 18:30 710992 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2014-12-01 00:02 . 2012-01-12 20:08 710992 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2014-11-21 14:14 . 2014-10-25 20:13 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 14:14 . 2014-10-25 20:13 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 14:14 . 2012-02-11 03:18 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-01-13 05:51 . 2014-02-03 02:48 146768 ----a-w- c:\program files (x86)\trz3448.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-12-10 05:44 220632 ----a-w- c:\users\Endo Box\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-12-10 05:44 220632 ----a-w- c:\users\Endo Box\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-12-10 05:44 220632 ----a-w- c:\users\Endo Box\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2015-01-23 1942720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"InputRemapperTray"="c:\program files (x86)\Input Remapper\InputRemapper.exe" [2007-03-24 159160]
"AirPort Base Station Agent"="c:\program files (x86)\AirPort\APAgent.exe" [2009-11-11 771360]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]
.
c:\users\Endo Box\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AutoHotkey - Shortcut.lnk - c:\program files\AutoHotkey\AutoHotkey.exe [2011-10-15 1278976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe /launch_from 0 [2012-9-18 1855560]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 DymoPnpService;DYMO PnP Service;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe;c:\program files (x86)\DYMO\DYMO Label Software\DymoPnpService.exe [x]
R3 BEService;BattlEye Service;c:\program files (x86)\Common Files\BattlEye\BEService.exe;c:\program files (x86)\Common Files\BattlEye\BEService.exe [x]
R3 BthKicker;Apple Bluetooth Device Driver;c:\windows\system32\DRIVERS\BthKicker.sys;c:\windows\SYSNATIVE\DRIVERS\BthKicker.sys [x]
R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Remote Solver for Flow Simulation 2011;Remote Solver for Flow Simulation 2011;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe;c:\program files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe;c:\windows\SYSNATIVE\AppleOSSMgr.exe [x]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe;c:\windows\SYSNATIVE\AppleTimeSrv.exe [x]
S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 inpoutx64;inpoutx64;c:\windows\system32\Drivers\inpoutx64.sys;c:\windows\SYSNATIVE\Drivers\inpoutx64.sys [x]
S2 InputRemapper;Input Remapper;C:/Program Files (x86)/Input Remapper/InputRemapper.x64.exe -Service InputRemapper;C:/Program Files (x86)/Input Remapper/InputRemapper.x64.exe -Service InputRemapper [x]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys;c:\windows\SYSNATIVE\drivers\KeyAgent.sys [x]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys;c:\windows\SYSNATIVE\drivers\MacHALDriver.sys [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys;c:\windows\SYSNATIVE\DRIVERS\BthAudioHF.sys [x]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys;c:\windows\SYSNATIVE\drivers\bthav.sys [x]
S3 InputRemapperFilter;Input Remapper Filter;c:\windows\system32\Drivers\InputRemapperFilter.x64.sys;c:\windows\SYSNATIVE\Drivers\InputRemapperFilter.x64.sys [x]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys;c:\windows\SYSNATIVE\DRIVERS\IRFilter.sys [x]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys;c:\windows\SYSNATIVE\DRIVERS\KeyMagic.sys [x]
S3 SaiK0CCB;SaiK0CCB;c:\windows\system32\DRIVERS\SaiK0CCB.sys;c:\windows\SYSNATIVE\DRIVERS\SaiK0CCB.sys [x]
S3 SaiU0CCB;SaiU0CCB;c:\windows\system32\DRIVERS\SaiU0CCB.sys;c:\windows\SYSNATIVE\DRIVERS\SaiU0CCB.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-02-15 17:57 1086280 ----a-w- c:\program files (x86)\Google\Chrome\Application\40.0.2214.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-02-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 03:58]
.
2015-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22 01:34]
.
2015-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22 01:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-12-10 05:44 244696 ----a-w- c:\users\Endo Box\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-12-10 05:44 244696 ----a-w- c:\users\Endo Box\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-12-10 05:44 244696 ----a-w- c:\users\Endo Box\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-09-11 8114720]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2010-03-10 638776]
"ProfilerU"="c:\program files\SmartTechnology\Software\ProfilerU.exe" [2011-08-11 310784]
"SaiMfd"="c:\program files\SmartTechnology\Software\SaiMfd.exe" [2011-08-11 158208]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-24 1266912]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: acehardware-acenet.com
Trusted Zone: acehardware-aceonline.com
Trusted Zone: acehardware-eaglevision.com
Trusted Zone: acehardware-vendors.com
Trusted Zone: aceservices.com
Trusted Zone: acehardware-acenet.com
Trusted Zone: acehardware-aceonline.com
Trusted Zone: acehardware-eaglevision.com
Trusted Zone: acehardware-vendors.com
Trusted Zone: aceservices.com
TCP: DhcpNameServer = 10.0.1.1
DPF: AceIESecuritySettings - hxxp://ww2.acehardware-acenet.com/Controls/AceIESecuritySettings.CAB
DPF: {24B8CB65-C0D2-11D0-A523-444553540000} - hxxp://ww2.acehardware-acenet.com/ACENET/Controls/AceExpl/AceExpl.cab
DPF: {41F841C0-AE16-11D5-8817-0050DA6EF5E5} - hxxp://ww2.acehardware-acenet.com/ACENET/controls/FarPoint60/fpspr60.cab
DPF: {8BF1A503-001F-11D0-A296-00A0246497B9} - hxxp://ww2.acehardware-acenet.com/ACENET/Controls/ACENET/ACECTL.CAB
DPF: {C903C000-9C6E-419D-A0AC-2E760BBA3764} - hxxp://ww2.acehardware-acenet.com/ACENET/Controls/MCSi/McsiMenu.cab
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-DLSService - c:\program files (x86)\DYMO\DYMO Label Software\DLSService.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-BattlEye for A2 - c:\program files (x86)\steam\steamapps\common\arma 2BattlEye\UnInstallBE.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc_blr.exe
AddRemove-{E31045B4-9DB5-9EBD-44DF-BD4E6CFD40DF}_is1 - c:\program files (x86)\DayZLauncher\unins000.exe
AddRemove-DownloadTerms - c:\users\Endo Box\AppData\Local\DownloadTerms\uninst.exe
.
.
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\conhost.exe        pid: 2124     24: C:]
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\InputRemapper]
"ImagePath"="\"C:/Program Files (x86)/Input Remapper/InputRemapper.x64.exe\" -Service InputRemapper"
--
"ImagePath"="\SystemRoot\system32\DRIVERS\lsi_scsi.sys"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lsm.exe            pid: 568     268: C:]
--
"ImagePath"="system32\drivers\MSKSSRV.sys"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MsMpEng.exe        pid: 800     350: C:]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MsMpEng.exe        pid: 800     368: C:]
--
"ImagePath"="%systemroot%\system32\wbem\WmiApSrv.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wmpnetwk.exe       pid: 4412     3C: C:]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\InputRemapper]
"ImagePath"="\"C:/Program Files (x86)/Input Remapper/InputRemapper.x64.exe\" -Service InputRemapper"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4240230936-1819473028-1083907883-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-4240230936-1819473028-1083907883-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_305_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_305.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2015-02-18  18:01:23 - machine was rebooted
ComboFix-quarantined-files.txt  2015-02-19 02:01
.
Pre-Run: 16,500,854,784 bytes free
Post-Run: 15,961,538,560 bytes free
.
- - End Of File - - F136397DA8E42717B9F7B6A64DF676D3
A36C5E4F47E84449FF07ED3517B43A31


#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:51 AM

Posted 19 February 2015 - 08:57 AM

How is the computer running now?

#14 Henrykill

Henrykill
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 19 February 2015 - 09:06 PM

It's running fine... doing about 10 miles a day... lol. I am still unable to download Windows Update items.



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:51 AM

Posted 20 February 2015 - 08:39 AM

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
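For readers who want to see what a service check of this kind looks like under the hood, here is an added PowerShell example. It is not part of the thread and is not Farbar's code; it is a read-only query of the Service Control Manager registry keys and WMI for the same six groups the FSS checkboxes cover. Which service names belong to each group is an assumption on my part (for example that "Windows Update" means wuauserv, BITS and EventSystem); the registry paths and the Win32_Service class are standard. It assumes PowerShell 3.0 or later and an elevated prompt so the ServiceDll values are readable.

```powershell
# Added example (not from the thread, not Farbar's tool): report presence, start mode,
# running state and ServiceDll location for the services behind the FSS checkboxes.
# The group-to-service mapping below is an assumption; adjust it to taste.

$groups = [ordered]@{
    'Internet Services'             = @('Dhcp', 'Dnscache', 'nsi')
    'Windows Firewall'              = @('MpsSvc', 'BFE')
    'System Restore'                = @('VSS', 'swprv')
    'Security Center/Action Center' = @('wscsvc')
    'Windows Update'                = @('wuauserv', 'BITS', 'EventSystem')
    'Windows Defender'              = @('WinDefend')
}

function Get-ServiceHealth {
    param([string]$Group, [string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $result = [pscustomobject]@{
        Group      = $Group
        Service    = $Name
        Present    = $false
        StartMode  = $null
        State      = $null
        ServiceDll = $null
        DllOnDisk  = $null
        Note       = ''
    }

    # No registry key at all means the service has been removed (or never existed).
    if (-not (Test-Path -LiteralPath $key)) {
        $result.Note = 'service key missing'
        return $result
    }
    $result.Present = $true

    # Win32_Service exposes StartMode on older PowerShell builds where
    # Get-Service has no StartType property.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($svc) {
        $result.StartMode = $svc.StartMode
        $result.State     = $svc.State
    }

    # svchost-hosted services load their code from Parameters\ServiceDll.
    # A missing or replaced DLL here is a common reason such a service will not start.
    $dll = (Get-ItemProperty -LiteralPath "$key\Parameters" -Name ServiceDll `
            -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $result.ServiceDll = $expanded
        $result.DllOnDisk  = Test-Path -LiteralPath $expanded
        if (-not $result.DllOnDisk) { $result.Note = 'ServiceDll not found on disk' }
    }

    if ($result.StartMode -eq 'Disabled') {
        $result.Note = ($result.Note + ' start type Disabled').Trim()
    }
    return $result
}

$report = foreach ($g in $groups.Keys) {
    foreach ($n in $groups[$g]) { Get-ServiceHealth -Group $g -Name $n }
}

# Show the table on screen and keep a copy to paste into a reply next to FSS.txt.
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\service-health.csv" -NoTypeInformation
```

Anything with a non-empty Note column (missing key, ServiceDll absent from disk, or a start type of Disabled) is the kind of finding FSS would flag, and for a Windows Update problem the wuauserv and BITS rows are the ones to read first. The script changes nothing; it only reads the registry and WMI.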



