
Various trojans found including Saturbot, Agent.FSA112, LVBP.ed

This topic is locked
13 replies to this topic

#1 Dudleydog73 (Members, 6 posts)

Posted 20 March 2015 - 04:52 PM

I have a PC that has been finding and fixing various Trojans for a couple of weeks via Malwarebytes, but it seems not to be getting everything. I find at times numerous instances of regsvr32.exe and various random files with names such as tmp7177.exe running, and it hijacks my internet connection so that I cannot connect to anything.

In normal Windows mode for the last couple of days Malwarebytes and Windows Security Essentials find no threats during a scan, but I just rebooted into safe mode and Malwarebytes found 6 threats, which it either quarantined or deleted. They were the following:

Trojan.Sathurbot, C:\ProgramData\Microsoft\Security\Client\SecurityProvider.dll, Delete-on-Reboot, [ab1c044388020d2923efbaa9946f817f],
Trojan.Sathurbot, C:\Users\todd\AppData\Local\Temp\tmp61DD.tmp, Quarantined, [c205f65167232b0b8feaa7c96e922cd4],
Trojan.Agent.FSA112, C:\Users\todd\AppData\Local\Temp\950D.tmp, Quarantined, [a4234700d5b57eb8c3662f04b44efc04],
Trojan.LVBP.ED, C:\Users\todd\AppData\Local\Insoft\tmp7177.exe, Quarantined, [e2e57bcca3e7fc3a55ea49ee4db55ea2],
Trojan.Sathurbot, C:\ProgramData\Microsoft\Security\Client\SecurityHelper.dll, Delete-on-Reboot, [8c3bfa4dc3c7c37336b286bf808536ca],

After those detections, a subsequent Malwarebytes scan found no threats.

Since I cannot seem to trust that I am getting everything, I am asking for help. My FRST log is below:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by todd (administrator) on DUDLEYGW on 20-03-2015 17:20:44
Running from C:\Users\todd\Downloads
Loaded Profiles: todd (Available profiles: todd)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7940128 2009-07-06] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] => C:\Program Files\Realtek\Audio\HDA\Skytel.exe [1833504 2009-07-06] (Realtek Semiconductor Corp.)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2782096 2010-07-25] (CANON INC.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332296 2015-01-30] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Gateway Photo Frame] => C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe [123904 2009-05-05] (IOI)
HKLM-x32\...\Run: [LchDrvKey] => C:\Windows\LchDrvKey.exe [36864 2007-03-28] ()
HKLM-x32\...\Run: [LedKey] => C:\Windows\CNYHKey.exe [339968 2008-04-23] (Creative)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2008-08-29] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe [103720 2009-06-03] (CyberLink)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1213848 2010-09-14] (CANON INC.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [Codec Settings UAC Manager] => C:\Windows\SysWOW64\C2MP\CodecUACManager.exe [60344 2014-12-21] ()
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-11-21] (Malwarebytes Corporation)
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2010-01-18] (Google Inc.)
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [Google Update] => C:\Users\todd\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-24] (Google Inc.)
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [CmTray] => C:\Program Files (x86)\Content Manager\launchCM.exe [94208 2011-12-28] ()
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [NETGEARGenie] => C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe [596480 2014-04-22] (NETGEAR Inc.)
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [Insoft] => regsvr32.exe C:\Users\todd\AppData\Local\Insoft\CatDBtraceVdm64.dll <===== ATTENTION
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackTrayMenu.lnk
ShortcutTarget: CodecPackTrayMenu.lnk -> C:\Windows\SysWOW64\C2MP\TrayMenu.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GoPro Importer.lnk
ShortcutTarget: GoPro Importer.lnk -> C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe (GoPro)
ShellIconOverlayIdentifiers: [0WinSecurityProvider] -> {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0110&m=dx4300
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0110&m=dx4300
URLSearchHook: HKLM-x32 - ZoneAlarm Extreme Security Toolbar - {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -  No File
URLSearchHook: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 - ZoneAlarm Extreme Security Toolbar - {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -  No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418
SearchScopes: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS363US363
SearchScopes: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW_enUS363US363
SearchScopes: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-02-28] (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2012-04-07] (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-12] (Adobe Systems Incorporated)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2010-11-08] (CANON INC.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre6\bin\ssv.dll [2012-12-11] (Sun Microsystems, Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO-x32: ZoneAlarm Extreme Security Toolbar -> {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} ->  No File
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-02-28] (Google Inc.)
BHO-x32: Google Dictionary Compression sdch -> {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} -> C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll No File
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2012-12-11] (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-02-28] (Google Inc.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2010-11-08] (CANON INC.)
Toolbar: HKLM-x32 - ZoneAlarm Extreme Security Toolbar - {a94e8dc9-07aa-45a7-8af2-a0375473a5cd} -  No File
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-02-28] (Google Inc.)
Toolbar: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-02-28] (Google Inc.)
Toolbar: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: HKLM-x32 {3528A58B-595D-4AFD-A5F6-B914BD306DC3} http://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
DPF: HKLM-x32 {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: HKLM-x32 {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} http://plugin.slingbox.com/downloads/pc/1.4.0.102/WebSlingPlayer.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.15.1
Tcpip\..\Interfaces\{4F142F6B-3AA0-4CBC-AE08-ACE5CEEB8FDC}: [NameServer] 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\todd\AppData\Roaming\Mozilla\Firefox\Profiles\g7gd6bqi.default
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll [2012-04-07] (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL [2010-04-14] (CANON INC.)
FF Plugin-x32: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll No File
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_37 -> C:\Windows\SysWOW64\npdeployJava1.dll [2012-12-11] (Sun Microsystems, Inc.)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll [2012-12-11] (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin HKU\S-1-5-21-3219075701-2862780633-3647178661-1000: @tools.google.com/Google Update;version=3 -> C:\Users\todd\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin HKU\S-1-5-21-3219075701-2862780633-3647178661-1000: @tools.google.com/Google Update;version=9 -> C:\Users\todd\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-07] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll [2012-10-28] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npnul32.dll [2010-05-20] (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2015-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2015-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2015-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2015-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2015-03-07] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np_gp.dll [2010-03-29] (NOS Microsystems Ltd.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml [2010-05-20]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml [2010-05-20]
FF Extension: FUT Class - C:\Users\todd\AppData\Roaming\Mozilla\Firefox\Profiles\g7gd6bqi.default\Extensions\{D4671B2A-22BD-32C3-7BB5-30C312BFD15B} [2015-03-15]
FF Extension: Adobe DLM (powered by getPlus®) - C:\Users\todd\AppData\Roaming\Mozilla\Firefox\Profiles\g7gd6bqi.default\Extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7} [2010-06-07]
FF Extension: Skype extension for Firefox - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2010-03-31]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-06-07]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [2010-07-31]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2010-12-24]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-12-11]
FF HKLM-x32\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [Not Found]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com"
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\todd\AppData\Local\Google\Chrome\Application\41.0.2272.89\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\todd\AppData\Local\Google\Chrome\Application\41.0.2272.89\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\todd\AppData\Local\Google\Chrome\Application\41.0.2272.89\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U26) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (2007 Microsoft Office system) - C:\Program Files (x86)\Mozilla Firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll No File
CHR Plugin: (getPlusPlus for Adobe 16263) - C:\Program Files (x86)\Mozilla Firefox\plugins\np_gp.dll (NOS Microsystems Ltd.)
CHR Plugin: (CANON iMAGE GATEWAY Album Plugin Utility) - C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (npFFApi) - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll No File
CHR Profile: C:\Users\todd\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Brushed) - C:\Users\todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfjgbcjfpbbfepcccpaffkjofcmglifg [2010-08-05]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Google Wallet) - C:\Users\todd\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-17]
StartMenuInternet: Google Chrome - C:\Users\todd\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AcfXAudioService; C:\Windows\SysWOW64\ACFXAU64.dll [436736 2009-04-29] (Conexant Systems, Inc.)
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-20] (Apple Inc.)
S3 getPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll [68000 2010-03-29] (NOS Microsystems Ltd.)
S2 IJPLMSVC; C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE [137680 2010-07-27] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2015-01-30] (Microsoft Corporation)
S2 NETGEARGenieDaemon; C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [225792 2014-03-23] (NETGEAR) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366512 2015-01-30] (Microsoft Corporation)
S2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [1793976 2009-12-07] (UltraVNC)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 Norton Internet Security; "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 acfva; C:\Windows\System32\DRIVERS\ACFVA64.sys [123008 2009-09-02] (Conexant Systems Inc.)
S3 dgcfltr; C:\Windows\System32\DRIVERS\ACFDCP64.sys [34944 2009-04-29] (Conexant Systems, Inc.)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-03-20] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
S2 mdmxsdk; C:\Windows\System32\DRIVERS\ACFSDK64.sys [17024 2007-03-15] (Conexant)
S3 MODEMCSA; C:\Windows\system32\drivers\MODEMCSA.sys [24064 2009-07-13] (Microsoft Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2014-11-15] (Microsoft Corporation)
S3 mv2; C:\Windows\System32\DRIVERS\mv2.sys [12096 2011-01-24] (UVNC BVBA)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124560 2014-11-15] (Microsoft Corporation)
S2 NPF; C:\Windows\system32\drivers\npf.sys [35344 2014-05-18] (CACE Technologies, Inc.)
S2 XAudio; C:\Windows\System32\DRIVERS\ACFXAU64.sys [10240 2009-04-29] (Conexant Systems, Inc.)
R3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
S3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\ENG64.SYS [X]
S3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\EX64.SYS [X]
S1 SRTSP; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSP64.SYS [X]
S1 SRTSPX; \??\C:\Windows\system32\drivers\NISx64\1000000.07D\SRTSPX64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-20 17:20 - 2015-03-20 17:21 - 00024520 _____ () C:\Users\todd\Downloads\FRST.txt
2015-03-20 17:20 - 2015-03-20 17:20 - 02095616 _____ (Farbar) C:\Users\todd\Downloads\FRST64.exe
2015-03-20 17:20 - 2015-03-20 17:20 - 00000000 ____D () C:\FRST
2015-03-20 16:38 - 2015-03-20 16:38 - 00287812 _____ () C:\Users\todd\Desktop\ESETPoweliksCleaner.exe_20150320.163802.1756.log
2015-03-20 16:38 - 2015-03-20 16:38 - 00000022 _____ () C:\Users\todd\Desktop\ESETPoweliksCleaner.exe_20150320.163802.1756.zip
2015-03-20 16:37 - 2015-03-20 16:38 - 00220872 _____ (ESET) C:\Users\todd\Desktop\ESETPoweliksCleaner.exe
2015-03-18 21:15 - 2015-03-20 16:10 - 00000073 _____ () C:\Users\todd\Desktop\New Text Document (2).txt
2015-03-17 12:58 - 2015-03-20 16:15 - 00000000 ____D () C:\Users\todd\AppData\Local\Insoft
2015-03-15 13:47 - 2015-03-20 16:57 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-15 13:46 - 2015-03-15 13:46 - 00001108 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-15 13:46 - 2015-03-15 13:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-15 13:46 - 2015-03-15 13:46 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-15 13:46 - 2015-03-15 13:46 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-03-15 13:46 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-15 13:46 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-15 13:46 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-15 13:45 - 2015-03-15 13:46 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\todd\Downloads\mbam-setup-2.0.4.1028.exe
2015-03-15 13:19 - 2015-03-15 13:42 - 00000000 ____D () C:\Program Files (x86)\PCPitstop
2015-03-15 13:19 - 2015-03-15 13:32 - 00000000 ____D () C:\ProgramData\PCPitstop
2015-03-15 13:19 - 2015-03-15 13:19 - 01399992 _____ (PC Pitstop LLC ) C:\Users\todd\Downloads\pcmatic-setup-1067.exe
2015-03-11 10:16 - 2015-03-12 10:02 - 00000664 ____H () C:\ProgramData\@system.temp
2015-03-11 10:16 - 2015-03-12 10:02 - 00000400 ____H () C:\ProgramData\@system3.att
2015-03-11 10:16 - 2015-03-11 10:16 - 00000480 ____H () C:\Users\todd\AppData\Roaming\麽鎒駓覜
2015-03-11 10:15 - 2015-03-12 10:10 - 00000000 ____D () C:\Users\todd\AppData\Roaming\FrameworkUpdate
2015-03-10 21:27 - 2015-02-20 00:41 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-03-10 21:27 - 2015-02-20 00:40 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-03-10 21:27 - 2015-02-20 00:40 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-03-10 21:27 - 2015-02-20 00:40 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-03-10 21:27 - 2015-02-20 00:13 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2015-03-10 21:27 - 2015-02-20 00:13 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-03-10 21:27 - 2015-02-20 00:13 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2015-03-10 21:27 - 2015-02-20 00:12 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2015-03-10 21:27 - 2015-02-19 23:29 - 00372224 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-03-10 21:27 - 2015-02-19 23:09 - 00299008 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-03-10 21:27 - 2015-02-02 23:34 - 05554104 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-03-10 21:27 - 2015-02-02 23:12 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2015-03-10 21:26 - 2015-02-02 23:34 - 00693176 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2015-03-10 21:26 - 2015-02-02 23:34 - 00094656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2015-03-10 21:26 - 2015-02-02 23:33 - 00616360 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2015-03-10 21:26 - 2015-02-02 23:31 - 14632960 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 01574400 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00782848 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00641024 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00432128 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00229376 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00188416 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00063488 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-03-10 21:26 - 2015-02-02 23:31 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-03-10 21:26 - 2015-02-02 23:31 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-03-10 21:26 - 2015-02-02 23:30 - 01480192 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 01202176 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00842240 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00631808 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00187904 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00140288 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00126464 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00058880 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-03-10 21:26 - 2015-02-02 23:30 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00011264 _____ (Microsoft Corporation) C:\Windows\system32\pcawrk.exe
2015-03-10 21:26 - 2015-02-02 23:30 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2015-03-10 21:26 - 2015-02-02 23:29 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\pcaevts.dll
2015-03-10 21:26 - 2015-02-02 23:28 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-03-10 21:26 - 2015-02-02 23:28 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2015-03-10 21:26 - 2015-02-02 23:19 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys
2015-03-10 21:26 - 2015-02-02 23:16 - 03973048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-03-10 21:26 - 2015-02-02 23:16 - 03917760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-03-10 21:26 - 2015-02-02 23:12 - 11411968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 01329664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 01174528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 01005056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptui.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00988160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmv2clt.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00744960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\blackbox.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00617984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmdrmsdk.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00504320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msscp.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00489984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\evr.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00406016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\drmmgrtn.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00354816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfplat.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00265216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msnetobj.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00179200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00143872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00103936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00081408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cryptsp.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00050688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\appidapi.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-03-10 21:26 - 2015-02-02 23:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-03-10 21:26 - 2015-02-02 23:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-03-10 21:26 - 2015-02-02 23:11 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-03-10 21:26 - 2015-02-02 23:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2015-03-10 21:26 - 2015-02-02 23:11 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2015-03-10 21:26 - 2015-02-02 23:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2015-03-10 21:26 - 2015-02-02 23:08 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-03-10 21:26 - 2015-02-02 22:32 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-03-10 21:26 - 2014-10-31 18:24 - 00619056 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-03-10 21:25 - 2015-03-06 01:56 - 00155576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-03-10 21:25 - 2015-03-06 01:56 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-03-10 21:25 - 2015-03-06 01:42 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-03-10 21:25 - 2015-03-06 01:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-03-10 21:25 - 2015-03-06 01:41 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-03-10 21:25 - 2015-03-06 01:41 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-03-10 21:25 - 2015-03-06 01:10 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-03-10 21:25 - 2015-03-06 01:10 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-03-10 21:25 - 2015-03-06 01:10 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-03-10 21:25 - 2015-03-06 01:10 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-03-10 21:25 - 2015-03-06 01:10 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-03-10 21:25 - 2015-03-06 01:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-03-10 21:25 - 2015-03-06 01:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-03-10 21:25 - 2015-03-06 01:10 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-03-10 21:25 - 2015-03-06 01:09 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-03-10 21:25 - 2015-03-06 01:09 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-03-10 21:25 - 2015-02-13 01:26 - 12875264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2015-03-10 21:25 - 2015-02-13 01:22 - 14177280 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-03-10 21:25 - 2015-02-02 23:31 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\ubpm.dll
2015-03-10 21:25 - 2015-02-02 23:12 - 00171520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ubpm.dll
2015-03-10 21:25 - 2015-01-30 23:48 - 03179520 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2015-03-10 21:25 - 2015-01-30 23:48 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2015-03-10 21:25 - 2015-01-30 19:56 - 00459336 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-03-10 21:25 - 2015-01-30 19:56 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2015-03-10 21:24 - 2015-03-06 01:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-03-10 21:24 - 2015-03-06 01:38 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-03-10 21:24 - 2015-03-06 01:36 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-03-10 21:24 - 2015-03-06 01:07 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-03-10 21:24 - 2015-03-06 01:07 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-03-10 21:24 - 2015-03-06 01:06 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-03-10 21:24 - 2015-02-25 23:25 - 03204096 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-03-10 21:24 - 2015-02-23 23:15 - 00389800 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-03-10 21:24 - 2015-02-23 22:32 - 00342696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-03-10 21:24 - 2015-02-20 21:16 - 25021440 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-03-10 21:24 - 2015-02-20 20:41 - 12827648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-03-10 21:24 - 2015-02-20 20:27 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-03-10 21:24 - 2015-02-20 20:27 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-03-10 21:24 - 2015-02-20 20:25 - 19720192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-03-10 21:24 - 2015-02-20 19:58 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-03-10 21:24 - 2015-02-20 19:32 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-03-10 21:24 - 2015-02-19 23:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-03-10 21:24 - 2015-02-19 23:05 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-03-10 21:24 - 2015-02-19 22:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-03-10 21:24 - 2015-02-19 22:49 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-03-10 21:24 - 2015-02-19 22:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-03-10 21:24 - 2015-02-19 22:48 - 02886144 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-03-10 21:24 - 2015-02-19 22:47 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-03-10 21:24 - 2015-02-19 22:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-03-10 21:24 - 2015-02-19 22:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-03-10 21:24 - 2015-02-19 22:36 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-03-10 21:24 - 2015-02-19 22:35 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-03-10 21:24 - 2015-02-19 22:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-03-10 21:24 - 2015-02-19 22:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-03-10 21:24 - 2015-02-19 22:32 - 06035456 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-03-10 21:24 - 2015-02-19 22:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-03-10 21:24 - 2015-02-19 22:22 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-03-10 21:24 - 2015-02-19 22:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-03-10 21:24 - 2015-02-19 22:13 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-03-10 21:24 - 2015-02-19 22:09 - 00503296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-03-10 21:24 - 2015-02-19 22:08 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-03-10 21:24 - 2015-02-19 22:08 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-03-10 21:24 - 2015-02-19 22:08 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-03-10 21:24 - 2015-02-19 22:06 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-03-10 21:24 - 2015-02-19 22:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-03-10 21:24 - 2015-02-19 22:03 - 02278400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-03-10 21:24 - 2015-02-19 22:01 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-03-10 21:24 - 2015-02-19 22:00 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-03-10 21:24 - 2015-02-19 21:58 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-03-10 21:24 - 2015-02-19 21:56 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-03-10 21:24 - 2015-02-19 21:56 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-03-10 21:24 - 2015-02-19 21:49 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-03-10 21:24 - 2015-02-19 21:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-03-10 21:24 - 2015-02-19 21:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-03-10 21:24 - 2015-02-19 21:46 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-03-10 21:24 - 2015-02-19 21:43 - 14398976 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-03-10 21:24 - 2015-02-19 21:41 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-03-10 21:24 - 2015-02-19 21:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-03-10 21:24 - 2015-02-19 21:30 - 04300288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-03-10 21:24 - 2015-02-19 21:28 - 02358784 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-03-10 21:24 - 2015-02-19 21:24 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-03-10 21:24 - 2015-02-19 21:24 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-03-10 21:24 - 2015-02-19 21:23 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-03-10 21:24 - 2015-02-19 21:16 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-03-10 21:24 - 2015-02-19 21:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-03-10 21:24 - 2015-02-19 21:01 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-03-10 21:24 - 2015-02-19 20:57 - 01311232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-03-10 21:24 - 2015-02-19 20:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-03-10 21:24 - 2015-02-02 23:31 - 01424896 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-03-10 21:24 - 2015-02-02 23:12 - 01230848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2015-03-10 21:24 - 2015-01-16 22:48 - 01067520 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-03-10 21:24 - 2015-01-16 22:30 - 00828928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2015-03-10 21:22 - 2015-02-03 23:16 - 00465920 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2015-03-10 21:22 - 2015-02-03 22:54 - 00417792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMPhoto.dll
2015-03-07 23:14 - 2015-03-07 23:14 - 00001755 _____ () C:\Users\Public\Desktop\iTunes.lnk
2015-03-07 23:14 - 2015-03-07 23:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-03-07 23:12 - 2015-03-07 23:14 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2015-03-07 23:12 - 2015-03-07 23:14 - 00000000 ____D () C:\Program Files\iTunes
2015-03-07 23:12 - 2015-03-07 23:12 - 00000000 ____D () C:\Program Files\iPod
2015-03-07 23:12 - 2015-03-07 23:12 - 00000000 ____D () C:\Program Files (x86)\iTunes
2015-03-07 18:22 - 2015-03-07 18:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Player - Codec Pack
2015-03-07 18:19 - 2015-03-07 18:23 - 00000000 ____D () C:\Windows\SysWOW64\C2MP
2015-03-07 18:18 - 2015-03-07 18:19 - 34446616 _____ (Media Player - Codec Pack) C:\Users\todd\Downloads\media.player.codec.pack.v4.3.5.setup.exe
2015-03-07 18:07 - 2015-03-07 18:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
2015-03-07 18:04 - 2015-03-07 18:04 - 00001847 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2015-03-07 18:04 - 2015-03-07 18:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-03-07 17:43 - 2015-03-07 17:43 - 00000000 ____D () C:\ProgramData\Movavi Video Converter 15
2015-03-07 17:30 - 2015-03-07 17:30 - 00000000 ____D () C:\Users\todd\AppData\Local\videoconverter
2015-03-07 17:30 - 2015-03-07 17:30 - 00000000 ____D () C:\Users\todd\AppData\Local\Movavi
2015-03-07 17:29 - 2015-03-07 17:29 - 00001162 _____ () C:\Users\Public\Desktop\Movavi Video Converter 15.lnk
2015-03-07 17:29 - 2015-03-07 17:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movavi Video Converter 15
2015-03-07 17:28 - 2015-03-07 17:29 - 00000000 ____D () C:\Program Files (x86)\Movavi Video Converter 15
2015-03-07 17:28 - 2015-03-07 17:28 - 00000000 ____D () C:\ProgramData\Movavi
2015-03-07 17:22 - 2015-03-07 17:27 - 36855944 _____ (Movavi) C:\Users\todd\Downloads\MovaviVideoConverterSetupC_1.exe
2015-03-07 16:30 - 2015-03-07 16:34 - 00000000 ____D () C:\Users\todd\AppData\Roaming\GoPro
2015-03-07 16:30 - 2015-03-07 16:31 - 00000000 ____D () C:\Users\todd\AppData\Local\GoPro
2015-03-07 16:29 - 2015-03-07 16:31 - 00000000 ____D () C:\Users\Public\CineForm
2015-03-07 16:29 - 2015-03-07 16:29 - 00001114 _____ () C:\Users\todd\Desktop\GoPro Studio.lnk
2015-03-07 16:29 - 2015-03-07 16:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GoPro
2015-03-07 16:29 - 2015-03-07 16:29 - 00000000 ____D () C:\Program Files\DIFX
2015-03-07 16:29 - 2015-03-07 16:29 - 00000000 ____D () C:\Program Files (x86)\CineForm
2015-03-07 16:28 - 2015-03-07 16:29 - 00004470 _____ () C:\Windows\DPINST.LOG
2015-03-07 16:27 - 2015-03-07 16:29 - 00000000 ____D () C:\Program Files (x86)\GoPro
2015-03-07 16:26 - 2015-03-07 16:27 - 00000000 ____D () C:\ProgramData\Package Cache
2015-03-07 16:16 - 2015-03-07 16:21 - 163904608 _____ () C:\Users\todd\Downloads\GoProStudioPC-2.5.4.404.exe
2015-03-07 15:50 - 2015-03-20 16:15 - 00000761 _____ () C:\Windows\system32\Drivers\etc\hosts.txt
2015-03-07 15:49 - 2015-03-07 15:50 - 15588536 _____ (EffectMatrix Inc. ) C:\Users\todd\Downloads\tvc371.exe
2015-03-07 15:32 - 2015-03-07 15:37 - 00000000 ____D () C:\Users\todd\Downloads\Total Video Converter
2015-03-07 15:32 - 2015-03-07 15:32 - 00015879 _____ () C:\Users\todd\Downloads\Total Video Converter.torrent
2015-03-06 11:43 - 2015-03-06 11:43 - 00000000 ____D () C:\Users\todd\AppData\Roaming\Digiarty
2015-03-06 11:37 - 2015-03-06 11:38 - 31224784 _____ (Digiarty Software, Inc. ) C:\Users\todd\Downloads\winx-mov-to-mpeg.exe
2015-03-05 09:27 - 2015-03-05 09:27 - 00000000 __SHD () C:\Users\todd\AppData\Local\EmieUserList
2015-03-05 09:27 - 2015-03-05 09:27 - 00000000 __SHD () C:\Users\todd\AppData\Local\EmieSiteList
2015-03-05 09:27 - 2015-03-05 09:27 - 00000000 __SHD () C:\Users\todd\AppData\Local\EmieBrowserModeList
2015-02-27 11:52 - 2015-02-27 11:52 - 00000000 ____D () C:\Users\todd\AppData\Local\Intuit
2015-02-26 18:17 - 2015-02-26 18:17 - 00000000 ____D () C:\Users\todd\Desktop\Adobe CS5
2015-02-26 17:46 - 2015-02-26 18:10 - 00000000 ____D () C:\Users\todd\Downloads\Adobe Photoshop CS5 Extended
2015-02-26 17:45 - 2015-02-26 17:45 - 00020588 _____ () C:\Users\todd\Downloads\[kickass.to]adobe.photoshop.cs5.extended.crack.torrent
2015-02-26 11:00 - 2015-02-26 11:14 - 00000000 ____D () C:\Users\todd\Downloads\Microsoft Office Proffesional Plus 2010 Corporate Final Full Activated -NoGRp
2015-02-26 10:59 - 2015-02-26 10:59 - 00061061 _____ () C:\Users\todd\Downloads\[kickass.to]microsoft.office.proffesional.plus.2010.corporate.final.full.activated.nogrp.torrent
2015-02-26 10:55 - 2015-02-26 10:55 - 00000854 _____ () C:\Users\todd\Desktop\µTorrent.lnk
2015-02-26 10:55 - 2015-02-26 10:55 - 00000834 _____ () C:\Users\todd\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2015-02-26 04:00 - 2015-01-08 19:44 - 00419936 _____ () C:\Windows\SysWOW64\locale.nls
2015-02-26 04:00 - 2015-01-08 19:43 - 00419936 _____ () C:\Windows\system32\locale.nls

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-20 17:06 - 2010-01-18 19:01 - 01181366 _____ () C:\Windows\WindowsUpdate.log
2015-03-20 17:02 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-20 16:55 - 2010-01-18 18:57 - 00483148 _____ () C:\Windows\PFRO.log
2015-03-20 16:55 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2015-03-20 15:41 - 2010-08-05 11:58 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219075701-2862780633-3647178661-1000UA.job
2015-03-20 15:20 - 2010-01-29 21:49 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-20 14:41 - 2010-08-05 11:58 - 00000852 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219075701-2862780633-3647178661-1000Core.job
2015-03-19 17:29 - 2010-01-29 21:49 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-17 22:15 - 2010-01-18 18:46 - 00019344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-17 22:15 - 2010-01-18 18:46 - 00019344 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-17 22:08 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-17 22:08 - 2009-07-14 00:51 - 10960786 _____ () C:\Windows\setupact.log
2015-03-17 22:08 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SchCache
2015-03-17 18:39 - 2010-01-18 19:42 - 00003922 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{D81ED89A-A0BC-45B4-A67A-7AAD2007C971}
2015-03-15 23:32 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\TAPI
2015-03-12 10:18 - 2010-07-03 20:19 - 00000000 ____D () C:\Users\todd\AppData\Roaming\uTorrent
2015-03-12 03:02 - 2009-04-10 01:34 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-11 15:59 - 2010-08-05 11:59 - 00002367 _____ () C:\Users\todd\Desktop\Google Chrome.lnk
2015-03-11 10:16 - 2013-09-24 20:29 - 00000000 ____D () C:\Users\todd\AppData\Local\8842DCFB-A68F-4077-9D50-DE7892B29C62.aplzod
2015-03-11 04:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2015-03-11 03:43 - 2009-07-14 00:45 - 00426760 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-11 03:40 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2015-03-11 03:40 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\Dism
2015-03-11 03:39 - 2011-07-24 14:30 - 00000000 ____D () C:\ProgramData\CanonIJPLM
2015-03-11 03:15 - 2013-08-14 03:02 - 00000000 ____D () C:\Windows\system32\MRT
2015-03-11 03:06 - 2010-01-18 19:29 - 122905848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-03-09 03:01 - 2009-07-13 23:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-03-07 23:12 - 2010-01-25 21:47 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-07 18:04 - 2014-03-22 17:51 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2015-03-07 18:03 - 2010-01-25 21:49 - 00000000 ____D () C:\Users\todd\AppData\Local\Apple Computer
2015-03-07 17:31 - 2010-01-18 18:47 - 00000000 ____D () C:\Users\todd
2015-03-06 13:58 - 2014-07-28 17:25 - 00000000 ____D () C:\Users\todd\Downloads\P90X.Xtreme.Workout.Series.COMPLETE PACK.DVDrip.Xvid-SCP
2015-03-06 11:27 - 2010-07-03 16:08 - 00010240 _____ () C:\Users\todd\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-05 09:27 - 2010-01-18 18:01 - 00000000 ____D () C:\Users\todd\AppData\Local\Google
2015-03-03 09:17 - 2010-01-18 19:23 - 00295552 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-27 11:52 - 2010-01-31 17:25 - 00000000 ____D () C:\Users\todd\Documents\TurboTax
2015-02-26 18:22 - 2010-03-31 21:26 - 00000000 ____D () C:\Users\todd\AppData\Local\Adobe

==================== Files in the root of some directories =======

2015-03-11 10:16 - 2015-03-11 10:16 - 0000480 ____H () C:\Users\todd\AppData\Roaming\麽鎒駓覜
2010-07-03 16:08 - 2015-03-06 11:27 - 0010240 _____ () C:\Users\todd\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-03-11 10:16 - 2015-03-12 10:02 - 0000664 ____H () C:\ProgramData\@system.temp
2015-03-11 10:16 - 2015-03-12 10:02 - 0000400 ____H () C:\ProgramData\@system3.att
2010-02-02 00:09 - 2010-02-02 00:09 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
2010-03-31 20:48 - 2011-06-23 21:59 - 0000370 _____ () C:\ProgramData\lxdxDiagnostics.log
2012-01-08 14:27 - 2015-02-07 15:39 - 0001095 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2011-01-01 23:08 - 2011-01-03 21:46 - 0030396 _____ () C:\ProgramData\SlingSetup.log
2010-11-25 19:33 - 2010-11-25 19:33 - 0787951 _____ () C:\ProgramData\SPL4F09.tmp
2011-07-16 19:23 - 2011-07-16 19:23 - 0290105 _____ () C:\ProgramData\SPL6807.tmp
2010-05-05 09:34 - 2010-05-05 09:34 - 0075850 _____ () C:\ProgramData\SPL7F8E.tmp
2011-04-02 09:59 - 2011-04-02 09:59 - 0676306 _____ () C:\ProgramData\SPL813E.tmp
2011-06-23 21:45 - 2011-06-23 21:45 - 18661161 _____ () C:\ProgramData\SPL8A93.tmp
2010-12-24 15:30 - 2010-12-24 15:30 - 9754985 _____ () C:\ProgramData\SPL9128.tmp
2011-06-24 03:25 - 2011-06-24 03:25 - 18661161 _____ () C:\ProgramData\SPL9FE6.tmp
2011-06-30 03:17 - 2011-06-30 03:18 - 18661161 _____ () C:\ProgramData\SPLA275.tmp
2010-12-18 12:03 - 2010-12-18 12:03 - 0093152 _____ () C:\ProgramData\SPLF6BB.tmp
2010-03-31 20:48 - 2010-03-31 20:48 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt

Some content of TEMP:
====================
C:\Users\todd\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\todd\AppData\Local\Temp\gtalkwmp1.dll
C:\Users\todd\AppData\Local\Temp\jna5110121732798985358.dll
C:\Users\todd\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\todd\AppData\Local\Temp\MSETUP4.EXE
C:\Users\todd\AppData\Local\Temp\MSNF883.exe
C:\Users\todd\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\todd\AppData\Local\Temp\SkypeSetup.exe
C:\Users\todd\AppData\Local\Temp\Uninstall.exe
C:\Users\todd\AppData\Local\Temp\utt2736.tmp.exe
C:\Users\todd\AppData\Local\Temp\zauninst.exe
C:\Users\todd\AppData\Local\Temp\ZoneAlarm_Extreme_Security.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-03-16 10:12

==================== End Of Log ============================


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 March 2015 - 10:59 PM

I'm not here to pass judgement, but pirated programs are a certain way to get infected.

() C:\Users\todd\Downloads\[kickass.to]adobe.photoshop.cs5.extended.crack.torrent
C:\Users\todd\Downloads\Microsoft Office Proffesional Plus 2010 Corporate Final Full Activated -NoGRp
C:\Users\todd\Downloads\[kickass.to]microsoft.office.proffesional.plus.2010.corporate.final.full.activated.nogrp.torrent

You have likely compromised your system and/or your personal and financial information; it is really not worth it.
I recommend removing this software and refraining from this practice; your personal security is more important.


Please do the following:

Download the attached fixlist.txt file and save it to the Downloads folder.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

Attached File: FixList.txt (2.89KB)


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Dudleydog73

Dudleydog73
  • Topic Starter

  • Members
  • 6 posts

Posted 23 March 2015 - 03:57 PM

Fair enough. This is a secondary PC and I am not even sure those were installed. They have been removed at any rate and your warning is indeed heeded.

The fixlog.txt is below after running it:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by todd at 2015-03-23 16:52:50 Run:1
Running from C:\Users\todd\Desktop
Loaded Profiles: todd (Available profiles: todd)
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [Insoft] => regsvr32.exe C:\Users\todd\AppData\Local\Insoft\CatDBtraceVdm64.dll <===== ATTENTION
C:\Users\todd\AppData\Local\Insoft\CatDBtraceVdm64.dll
ShellIconOverlayIdentifiers: [0WinSecurityProvider] -> {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} =>  No File
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418
SearchScopes: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418
Toolbar: HKU\S-1-5-21-3219075701-2862780633-3647178661-1000 -> No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} -  No File
Hosts:
2015-03-17 12:58 - 2015-03-20 16:15 - 00000000 ____D () C:\Users\todd\AppData\Local\Insoft
2015-03-11 10:16 - 2015-03-12 10:02 - 00000664 ____H () C:\ProgramData\@system.temp
2015-03-11 10:16 - 2015-03-12 10:02 - 00000400 ____H () C:\ProgramData\@system3.att
2015-03-11 10:16 - 2015-03-11 10:16 - 00000480 ____H () C:\Users\todd\AppData\Roaming\麽鎒駓覜
2015-03-11 10:15 - 2015-03-12 10:10 - 00000000 ____D () C:\Users\todd\AppData\Roaming\FrameworkUpdate
2010-11-25 19:33 - 2010-11-25 19:33 - 0787951 _____ () C:\ProgramData\SPL4F09.tmp
2011-07-16 19:23 - 2011-07-16 19:23 - 0290105 _____ () C:\ProgramData\SPL6807.tmp
2010-05-05 09:34 - 2010-05-05 09:34 - 0075850 _____ () C:\ProgramData\SPL7F8E.tmp
2011-04-02 09:59 - 2011-04-02 09:59 - 0676306 _____ () C:\ProgramData\SPL813E.tmp
2011-06-23 21:45 - 2011-06-23 21:45 - 18661161 _____ () C:\ProgramData\SPL8A93.tmp
2010-12-24 15:30 - 2010-12-24 15:30 - 9754985 _____ () C:\ProgramData\SPL9128.tmp
2011-06-24 03:25 - 2011-06-24 03:25 - 18661161 _____ () C:\ProgramData\SPL9FE6.tmp
2011-06-30 03:17 - 2011-06-30 03:18 - 18661161 _____ () C:\ProgramData\SPLA275.tmp
2010-12-18 12:03 - 2010-12-18 12:03 - 0093152 _____ () C:\ProgramData\SPLF6BB.tmp
C:\Users\todd\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\todd\AppData\Local\Temp\gtalkwmp1.dll
C:\Users\todd\AppData\Local\Temp\jna5110121732798985358.dll
C:\Users\todd\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\todd\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\todd\AppData\Local\Temp\MSETUP4.EXE
C:\Users\todd\AppData\Local\Temp\MSNF883.exe
C:\Users\todd\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\todd\AppData\Local\Temp\SkypeSetup.exe
C:\Users\todd\AppData\Local\Temp\Uninstall.exe
C:\Users\todd\AppData\Local\Temp\utt2736.tmp.exe
C:\Users\todd\AppData\Local\Temp\zauninst.exe
C:\Users\todd\AppData\Local\Temp\ZoneAlarm_Extreme_Security.exe

*****************

HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Insoft => value deleted successfully.
C:\Users\todd\AppData\Local\Insoft\CatDBtraceVdm64.dll => Moved successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0WinSecurityProvider" => Key deleted successfully.
HKCR\CLSID\{F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
"HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}" => Key deleted successfully.
HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => value deleted successfully.
HKCR\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => Key not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
C:\Users\todd\AppData\Local\Insoft => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.
C:\ProgramData\@system3.att => Moved successfully.
C:\Users\todd\AppData\Roaming\麽鎒駓覜 => Moved successfully.
C:\Users\todd\AppData\Roaming\FrameworkUpdate => Moved successfully.
C:\ProgramData\SPL4F09.tmp => Moved successfully.
C:\ProgramData\SPL6807.tmp => Moved successfully.
C:\ProgramData\SPL7F8E.tmp => Moved successfully.
C:\ProgramData\SPL813E.tmp => Moved successfully.
C:\ProgramData\SPL8A93.tmp => Moved successfully.
C:\ProgramData\SPL9128.tmp => Moved successfully.
C:\ProgramData\SPL9FE6.tmp => Moved successfully.
C:\ProgramData\SPLA275.tmp => Moved successfully.
C:\ProgramData\SPLF6BB.tmp => Moved successfully.
C:\Users\todd\AppData\Local\Temp\FlashPlayerUpdate.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\gtalkwmp1.dll => Moved successfully.
C:\Users\todd\AppData\Local\Temp\jna5110121732798985358.dll => Moved successfully.
C:\Users\todd\AppData\Local\Temp\jre-6u21-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\MSETUP4.EXE => Moved successfully.
C:\Users\todd\AppData\Local\Temp\MSNF883.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\SearchWithGoogleUpdate.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\SkypeSetup.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\Uninstall.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\utt2736.tmp.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\zauninst.exe => Moved successfully.
C:\Users\todd\AppData\Local\Temp\ZoneAlarm_Extreme_Security.exe => Moved successfully.

==== End of Fixlog 16:52:51 ====
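
As an added example (not code from this thread, and not part of FRST), the following Python triage script applies the patterns visible in the fixlist above: a Run key that has regsvr32.exe load a DLL from under AppData, an icon-overlay CLSID with no backing file, and a search scope pointing at an unexpected host. The sample lines are constructed to mirror those entries, and the trusted-host list, proxy-binary list and severity labels are the script's own assumptions.

```python
"""Heuristic triage of FRST-style autostart and browser-setting lines.

Added example; not part of the BleepingComputer thread and not code from
the FRST tool. Runs over constructed sample lines shaped like the fixlist.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Signed Windows binaries that execute a caller-supplied DLL or script.
# Assumption: this short list is the script's own, not an FRST setting.
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe"}

# Directories a standard user can write to; legitimate autostarts
# rarely live there, so a payload here deserves a closer look.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|LocalLow|Roaming)|Temp|ProgramData)\\", re.IGNORECASE)

# FRST Run-key entry:  HKU\<SID>\...\Run: [Name] => <command> [<===== ATTENTION]
RUN_ENTRY = re.compile(
    r"^(?P<hive>HK\S*?)\\\.\.\.\\Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*=>\s*"
    r"(?P<cmd>.*?)\s*(?:<=====\s*ATTENTION)?\s*$")

# FRST search scope entry:  SearchScopes: <hive> -> {CLSID} URL = <url>
SEARCH_SCOPE = re.compile(
    r"^SearchScopes:\s*(?P<hive>\S+)\s*->\s*(?P<clsid>\{[0-9A-Fa-f-]+\})"
    r"\s*URL\s*=\s*(?P<url>\S+)")

# Assumption: hosts a search scope is normally expected to point at.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com",
                        "search.yahoo.com", "duckduckgo.com"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = likely persistence/hijack, "review" = look at it
    reason: str
    line: str


def _program_name(command: str) -> str:
    """Return the lower-cased basename of the program starting a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split(" ", 1)[0]
    return program.rsplit("\\", 1)[-1].lower()


def triage_line(line: str):
    """Classify one FRST line; return a Finding or None when it looks benign."""
    line = line.rstrip()
    m = RUN_ENTRY.match(line)
    if m:
        cmd = m.group("cmd")
        program = _program_name(cmd)
        # A proxy binary pointed at a payload in a user-writable path is the
        # exact shape of the Insoft entry in the fixlist above.
        if program in PROXY_BINARIES and USER_WRITABLE.search(cmd):
            return Finding("high", f"{program} loads payload from user-writable path", line)
        if USER_WRITABLE.search(cmd):
            return Finding("review", "autostart runs from user-writable path", line)
        return None
    if line.endswith("No File"):
        # Registered CLSID/toolbar whose file is gone: orphan left by removal.
        return Finding("review", "orphaned entry (registered but file missing)", line)
    m = SEARCH_SCOPE.match(line)
    if m:
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host not in TRUSTED_SEARCH_HOSTS:
            return Finding("review", f"search scope points at unexpected host {host}", line)
    return None


def triage(lines):
    """Run triage_line over every line and keep only the hits."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Constructed sample lines mirroring the shapes seen in the fixlist above.
SAMPLE_LINES = [
    r"HKU\S-1-5-21-3219075701-2862780633-3647178661-1000\...\Run: [Insoft] => regsvr32.exe C:\Users\todd\AppData\Local\Insoft\CatDBtraceVdm64.dll <===== ATTENTION",
    r"HKLM\...\Run: [MSC] => c:\program files\Microsoft Security Client\msseces.exe [2015-01-30] (Microsoft Corporation)",
    r"ShellIconOverlayIdentifiers: [0WinSecurityProvider] -> {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} =>  No File",
    r"SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2925418",
    r"SearchScopes: HKLM -> {00000000-0000-0000-0000-000000000000} URL = http://www.bing.com/search?q={searchTerms}",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```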



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 March 2015 - 04:27 PM

Ok, looks better, please run the following:

Download ComboFix from the following location:
http://goo.gl/De5j

* IMPORTANT !!! Place ComboFix.exe on your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here:
http://goo.gl/9rtkbu

Double click on ComboFix.exe & follow the prompts.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you.

Please attach that log in your next reply

Note: Do not mouse click ComboFix's window whilst it's running. That may cause it to stall.

Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Dudleydog73

Dudleydog73
  • Topic Starter

  • Members
  • 6 posts

Posted 23 March 2015 - 05:12 PM

I know MS Security Essentials was running, but I didn't see that until after I had clicked on ComboFix to run it. I was in safe mode so it wasn't in my system tray. It did state that real-time protection was disabled in safe mode, so I allowed ComboFix to keep running and it looks like it ran successfully.

ComboFix 15-03-23.01 - todd 03/23/2015  17:51:13.1.2 - x64 NETWORK
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5887.4641 [GMT -4:00]
Running from: c:\users\todd\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\wpcap.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_mv2
-------\Service_NPF
-------\Service_uvnc_service
.
.
(((((((((((((((((((((((((   Files Created from 2015-02-23 to 2015-03-23  )))))))))))))))))))))))))))))))
.
.
2015-03-23 22:00 . 2015-03-23 22:00 75888 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C8114037-C0C9-4DE5-A99C-AA21EE839134}\offreg.dll
2015-03-23 21:17 . 2015-03-14 10:02 12002392 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C8114037-C0C9-4DE5-A99C-AA21EE839134}\mpengine.dll
2015-03-20 21:20 . 2015-03-23 20:52 -------- d-----w- C:\FRST
2015-03-17 13:10 . 2015-01-29 09:07 11910896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-03-15 17:47 . 2015-03-23 21:59 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-03-15 17:46 . 2015-03-15 17:46 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-03-15 17:46 . 2015-03-15 17:46 -------- d-----w- c:\programdata\Malwarebytes
2015-03-15 17:46 . 2014-11-21 10:14 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-03-15 17:46 . 2014-11-21 10:14 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-03-15 17:46 . 2014-11-21 10:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-03-15 17:19 . 2015-03-15 17:32 -------- d-----w- c:\programdata\PCPitstop
2015-03-15 17:19 . 2015-03-15 17:42 -------- d-----w- c:\program files (x86)\PCPitstop
2015-03-11 01:27 . 2015-02-20 04:41 41984 ----a-w- c:\windows\system32\lpk.dll
2015-03-11 01:27 . 2015-02-20 03:29 372224 ----a-w- c:\windows\system32\atmfd.dll
2015-03-11 01:27 . 2015-02-20 03:09 299008 ----a-w- c:\windows\SysWow64\atmfd.dll
2015-03-11 01:27 . 2015-02-20 04:40 100864 ----a-w- c:\windows\system32\fontsub.dll
2015-03-11 01:27 . 2015-02-20 04:40 14336 ----a-w- c:\windows\system32\dciman32.dll
2015-03-11 01:27 . 2015-02-20 04:40 46080 ----a-w- c:\windows\system32\atmlib.dll
2015-03-11 01:27 . 2015-02-20 04:13 70656 ----a-w- c:\windows\SysWow64\fontsub.dll
2015-03-11 01:27 . 2015-02-20 04:13 10240 ----a-w- c:\windows\SysWow64\dciman32.dll
2015-03-11 01:27 . 2015-02-20 04:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2015-03-11 01:27 . 2015-02-20 04:12 25600 ----a-w- c:\windows\SysWow64\lpk.dll
2015-03-11 01:27 . 2015-02-03 03:34 5554104 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-03-11 01:27 . 2015-02-03 03:12 3209728 ----a-w- c:\windows\SysWow64\mf.dll
2015-03-11 01:25 . 2015-01-31 03:48 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2015-03-11 01:24 . 2015-03-06 05:38 146432 ----a-w- c:\windows\system32\msaudite.dll
2015-03-11 01:22 . 2015-02-04 03:16 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2015-03-11 01:22 . 2015-02-04 02:54 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2015-03-08 03:12 . 2015-03-08 03:12 -------- d-----w- c:\program files (x86)\iTunes
2015-03-08 03:12 . 2015-03-08 03:12 -------- d-----w- c:\program files\iPod
2015-03-08 03:12 . 2015-03-08 03:14 -------- d-----w- c:\programdata\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2015-03-08 03:12 . 2015-03-08 03:14 -------- d-----w- c:\program files\iTunes
2015-03-07 22:19 . 2015-03-07 22:23 -------- d-----w- c:\windows\SysWow64\C2MP
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2015-03-07 22:04 . 2015-03-07 22:04 159744 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
2015-03-07 21:43 . 2015-03-07 21:43 -------- d-----w- c:\programdata\Movavi Video Converter 15
2015-03-07 21:31 . 2015-03-07 21:31 -------- d-----w- c:\users\todd\.fontconfig
2015-03-07 21:30 . 2015-03-07 21:30 -------- d-----w- c:\users\todd\AppData\Local\Movavi
2015-03-07 21:30 . 2015-03-07 21:30 -------- d-----w- c:\users\todd\AppData\Local\videoconverter
2015-03-07 21:28 . 2015-03-07 21:28 -------- d-----w- c:\programdata\Movavi
2015-03-07 21:28 . 2015-03-07 21:29 -------- d-----w- c:\program files (x86)\Movavi Video Converter 15
2015-03-07 20:30 . 2015-03-07 20:34 -------- d-----w- c:\users\todd\AppData\Roaming\GoPro
2015-03-07 20:30 . 2015-03-07 20:31 -------- d-----w- c:\users\todd\AppData\Local\GoPro
2015-03-07 20:29 . 2015-03-07 20:29 -------- d-----w- c:\program files (x86)\CineForm
2015-03-07 20:29 . 2015-03-07 20:31 -------- d-----w- c:\users\Public\CineForm
2015-03-07 20:29 . 2015-03-07 20:29 -------- d-----w- c:\program files\DIFX
2015-03-07 20:27 . 2015-03-07 20:29 -------- d-----w- c:\program files (x86)\GoPro
2015-03-07 20:26 . 2015-03-07 20:27 -------- d-----w- c:\programdata\Package Cache
2015-03-06 15:43 . 2015-03-06 15:43 -------- d-----w- c:\users\todd\AppData\Roaming\Digiarty
2015-03-06 15:38 . 2015-03-06 15:38 -------- d-----w- c:\users\todd\AppData\Local\Programs
2015-03-05 13:27 . 2015-03-05 13:27 -------- d-sh--w- c:\users\todd\AppData\Local\EmieBrowserModeList
2015-03-05 13:27 . 2015-03-05 13:27 -------- d-sh--w- c:\users\todd\AppData\Local\EmieUserList
2015-03-05 13:27 . 2015-03-05 13:27 -------- d-sh--w- c:\users\todd\AppData\Local\EmieSiteList
2015-02-27 15:52 . 2015-02-27 15:52 -------- d-----w- c:\users\todd\AppData\Local\Intuit
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-03-11 07:06 . 2010-01-18 23:29 122905848 ----a-w- c:\windows\system32\MRT.exe
2015-03-03 13:17 . 2010-01-18 23:23 295552 ------w- c:\windows\system32\MpSigStub.exe
2015-02-17 20:04 . 2015-02-17 20:04 1202848 ----a-w- c:\windows\SysWow64\FM20.DLL
2015-02-04 03:16 . 2015-02-11 10:12 609280 ----a-w- c:\windows\system32\generaltel.dll
2015-02-04 03:16 . 2015-02-11 10:12 762368 ----a-w- c:\windows\system32\invagent.dll
2015-02-04 03:16 . 2015-02-11 10:12 414720 ----a-w- c:\windows\system32\devinv.dll
2015-02-04 03:16 . 2015-02-11 10:12 894976 ----a-w- c:\windows\system32\appraiser.dll
2015-02-04 03:16 . 2015-02-11 10:12 227328 ----a-w- c:\windows\system32\aepdu.dll
2015-02-04 03:16 . 2015-02-11 10:12 192000 ----a-w- c:\windows\system32\aepic.dll
2015-02-04 03:13 . 2015-02-11 10:12 1098752 ----a-w- c:\windows\system32\aeinv.dll
2015-01-27 23:36 . 2015-02-11 10:12 1239720 ----a-w- c:\windows\system32\aitstatic.exe
2015-01-09 03:14 . 2015-02-11 10:13 91136 ----a-w- c:\windows\system32\wdi.dll
2015-01-09 03:14 . 2015-02-11 10:13 950272 ----a-w- c:\windows\system32\perftrack.dll
2015-01-09 03:14 . 2015-02-11 10:13 29696 ----a-w- c:\windows\system32\powertracker.dll
2015-01-09 02:48 . 2015-02-11 10:13 76800 ----a-w- c:\windows\SysWow64\wdi.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-18 68856]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"CmTray"="c:\program files (x86)\Content Manager\launchCM.exe" [2011-12-28 94208]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2014-11-21 43816]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2014-11-21 43816]
"NETGEARGenie"="c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" [2014-04-22 596480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-05-05 123904]
"LchDrvKey"="LchDrvKey.exe" [2007-03-28 36864]
"LedKey"="CNYHKey.exe" [2008-04-23 339968]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-02-13 60712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-10-02 421888]
"Codec Settings UAC Manager"="c:\windows\system32\C2MP\CodecUACManager.exe" [2014-12-21 60344]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
CodecPackTrayMenu.lnk - c:\windows\SysWOW64\C2MP\TrayMenu.exe [2014-12-20 208415]
GoPro Importer.lnk - c:\program files (x86)\GoPro\Tools\Importer\GoPro Importer.exe [2014-12-16 3169792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Norton Internet Security;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 acfva;acfva;c:\windows\system32\DRIVERS\ACFVA64.sys;c:\windows\SYSNATIVE\DRIVERS\ACFVA64.sys [x]
R3 dgcfltr;DGC Filter Driver;c:\windows\system32\DRIVERS\ACFDCP64.sys;c:\windows\SYSNATIVE\DRIVERS\ACFDCP64.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 ahcix64s;ahcix64s;c:\windows\system32\drivers\ahcix64s.sys;c:\windows\SYSNATIVE\drivers\ahcix64s.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S2 AcfXAudioService;AcfXAudioService;c:\windows\system32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 NETGEARGenieDaemon;NETGEARGenieDaemon;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe;c:\program files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [x]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - NPF
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2015-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:04]
.
2015-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:04]
.
2015-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219075701-2862780633-3647178661-1000Core.job
- c:\users\todd\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-05 05:40]
.
2015-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3219075701-2862780633-3647178661-1000UA.job
- c:\users\todd\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-05 05:40]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-06 7940128]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-07-06 1833504]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-26 2782096]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-01-30 1332296]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-02-13 169768]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0110&m=dx4300
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{4F142F6B-3AA0-4CBC-AE08-ACE5CEEB8FDC}: NameServer = 8.8.8.8,8.8.8.8,8.8.8.8,8.8.8.8
DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab
FF - ProfilePath - c:\users\todd\AppData\Roaming\Mozilla\Firefox\Profiles\g7gd6bqi.default\
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - (no file)
BHO-{a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - (no file)
Toolbar-{a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - (no file)
Wow6432Node-HKCU-Run-MobileDocuments - c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
c:\program files (x86)\Malwarebytes Anti-Malware\mbam.exe
c:\windows\MHotKey.exe
c:\program files (x86)\TeamViewer\Version8\TeamViewer.exe
c:\program files (x86)\TeamViewer\Version8\tv_w32.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2015-03-23  18:06:55 - machine was rebooted
ComboFix-quarantined-files.txt  2015-03-23 22:06
.
Pre-Run: 394,057,494,528 bytes free
Post-Run: 410,796,871,680 bytes free
.
- - End Of File - - 536758911CC2C8C742813CA85A815286
A36C5E4F47E84449FF07ED3517B43A31
 



#6 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 23 March 2015 - 06:24 PM

Looks better,

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • If items are found, please select the Cleaning button
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply
Please let me know if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Dudleydog73

Dudleydog73
  • Topic Starter

  • Members
  • 6 posts

Posted 23 March 2015 - 07:01 PM

# AdwCleaner v4.113 - Logfile created 23/03/2015 at 19:54:48
# Updated 22/03/2015 by Xplode
# Database : 2015-03-23.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : todd - DUDLEYGW
# Running from : C:\Users\todd\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\ConduitEngine
Folder Deleted : C:\Program Files (x86)\Common Files\DVDVideoSoft\TB
Folder Deleted : C:\Users\todd\AppData\Local\Conduit
Folder Deleted : C:\Users\todd\AppData\Local\VideoConverter
Folder Deleted : C:\Users\todd\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\todd\AppData\LocalLow\ConduitEngine
File Deleted : C:\Windows\SysWOW64\conduitEngine.tmp

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}]
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2925418
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A94E8DC9-07AA-45A7-8AF2-A0375473A5CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A94E8DC9-07AA-45A7-8AF2-A0375473A5CD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A94E8DC9-07AA-45A7-8AF2-A0375473A5CD}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{A94E8DC9-07AA-45A7-8AF2-A0375473A5CD}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{A94E8DC9-07AA-45A7-8AF2-A0375473A5CD}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689

-\\ Mozilla Firefox v3.6.3 (en-US)

[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.InstallationType", "ConduitIntegration");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usage.ashx?ctid=EB_TOOLBAR_ID");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2925418");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.conduit.com;apps.conduit.com;services.apps.conduit.com\",\"AppsDetectionUrlPattern\":\"hxxp://appdown[...]
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CT2925418.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT2925418/CT2925418", "\"b73a3795568b91c415b52281de90d2be2\"");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1317307/1312978/US", "\"0\"");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2925418", "\"1295868936\"");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en", "C5ZJe6gL80JBW5CuLy+wkg==");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en", "2E1/v7EfCEDbv3VaBQMELg==");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en", "UgzXjW7BIkfdx+x39Ruv3w==");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en", "FqddrIU7eyJgaaLyHDeVMQ==");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\"8076e3ce381dcd1:0\"");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.5.1.1", "\"0d648794549cd1:0\"");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2925418", "\"84df7a85bec3b2a3dd055a4bedea5adc\"");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"21ba1682b5b6825cbfd420592a540476\"");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\todd\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\g7gd6bqi.default\\conduitCommon\\modules\\3.5.1.1");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.5.1.1");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.properties");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2925418");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2925418");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2925418");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.globalUserId", "a8c1de88-de9c-49d5-9e94-e2b68127c84f");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2925418");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Sat Jul 07 2012 15:15:14 GMT-0400 (Eastern Daylight Time)");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 60);
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Sat Jul 07 2012 15:15:22 GMT-0400 (Eastern Daylight Time)");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Sat Jul 07 2012 15:15:13 GMT-0400 (Eastern Daylight Time)");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
[g7gd6bqi.default\prefs.js] - Line Deleted : user_pref("CommunityToolbar.notifications.userId", "6a6b8fbd-f067-4d29-abe0-73096ee1f57b");

-\\ Google Chrome v

[C:\Users\todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\todd\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [10730 bytes] - [23/03/2015 19:51:43]
AdwCleaner[S0].txt - [11184 bytes] - [23/03/2015 19:54:48]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [11244  bytes] ##########



#8 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 March 2015 - 10:54 AM

That looks a lot better

Please update your Malwarebytes Anti-Malware database and run a scan > remove anything found and reboot.

Attach the new log:

History > application logs > newest scan log > export to .txt file > save > attach.


NEXT


Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" ActiveX control by clicking the Install button
  • Once the ActiveX control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Dudleydog73

Dudleydog73
  • Topic Starter

  • Members
  • 6 posts

Posted 25 March 2015 - 02:31 PM

Argh. I forgot yesterday was Microsoft Update Tuesday, so my scans that ran overnight got obliterated when the automatic reboot kicked in. I am running the ESET scan now, but my MalwareBytes scan results are below:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/25/2015
Scan Time: 3:03:20 PM
Logfile:
Administrator: Yes

Version: 2.01.4.1018
Malware Database: v2015.03.25.06
Rootkit Database: v2015.02.25.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: todd

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 391467
Time Elapsed: 14 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)



#10 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 March 2015 - 06:33 PM

ok good, let me know what ESET finds


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Dudleydog73

Dudleydog73
  • Topic Starter

  • Members
  • 6 posts

Posted 26 March 2015 - 01:05 PM

ESET tool results are below:

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Common Files\DVDVideoSoft\TB\DVDVideoSoftTB.exe.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ConduitEngine\ConduitEngin.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ConduitEngine\ConduitEngineHelper.exe.vir Win32/Toolbar.Conduit.Q potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ConduitEngine\ldrConduitEngin.dll.vir a variant of Win32/Toolbar.Conduit.P potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\todd\AppData\Local\Conduit\CT2925418\ZoneAlarm_Extreme_SecurityAutoUpdateHelper.exe.vir Win32/Toolbar.Conduit.Q potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\todd\AppData\LocalLow\ConduitEngine\ConduitEngin.dll.vir a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\todd\AppData\LocalLow\ConduitEngine\ldrConduitEngin.dll.vir a variant of Win32/Toolbar.Conduit.P potentially unwanted application
C:\FRST\Quarantine\C\Users\todd\AppData\Local\Temp\ZoneAlarm_Extreme_Security.exe.xBAD Win32/Toolbar.Conduit.Y potentially unwanted application
C:\Program Files (x86)\GlobalSCAPE\CuteFTP 7 Professional\patch.exe a variant of Win32/HackTool.Patcher.X potentially unsafe application
C:\Program Files (x86)\ZoneAlarm_Extreme_Security\ldrtbZone.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application
C:\Program Files (x86)\ZoneAlarm_Extreme_Security\tbZone.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\Program Files (x86)\ZoneAlarm_Extreme_Security\ZoneAlarm_Extreme_SecurityToolbarHelper.exe Win32/Toolbar.Conduit.Q potentially unwanted application
C:\Users\todd\AppData\LocalLow\ZoneAlarm_Extreme_Security\ldrtbZone.dll a variant of Win32/Toolbar.Conduit.P potentially unwanted application
C:\Users\todd\AppData\LocalLow\ZoneAlarm_Extreme_Security\tbZone.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\Users\todd\Documents\External Harddrive contents\Temp\TextPad_v4[1].7.1.zip a variant of Win32/Keygen.CY potentially unsafe application
C:\Users\todd\Documents\External Harddrive contents\Temp\new\cuteftp_pro_home_v7.0_reg_patch.rar a variant of Win32/HackTool.Patcher.X potentially unsafe application
C:\Users\todd\Documents\External Harddrive contents\Temp\new\Cute FTP 7\patch.exe a variant of Win32/HackTool.Patcher.X potentially unsafe application
C:\Users\todd\Downloads\ZASPSetup_100_250_000_en.exe Win32/Toolbar.Conduit.Y potentially unwanted application
C:\Users\todd\Downloads\Nero Ultra Edition 8\nue8.0.3.0r.iso Win32/Toolbar.AskSBar potentially unwanted application
C:\Users\todd\Downloads\Windows 7\WINDOWS_7_X64_OEM_EN\WINDOWS_7_X64_OEM.iso multiple threats
K:\downloads\Microsoft Office 2010 Pro Plus x64 and x86\Microsoft Office 2010 Pro Plus x64 and x86 Full - Windows 7 Compat.rar a variant of MSIL/Agent.NCF trojan
K:\downloads\Microsoft Office 2010 Pro Plus x64 and x86\Microsoft Office 2010 Pro Plus x64 and x86 Full - Windows 7 Compat\Microsoft Office 2010 Beta.exe a variant of MSIL/Agent.NCF trojan
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 14.zip a variant of Win32/Toolbar.Conduit.P potentially unwanted application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 20.zip Win32/Toolbar.Conduit.Q potentially unwanted application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 21.zip a variant of Win32/Toolbar.Conduit.B potentially unwanted application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 253.zip a variant of Win32/Keygen.CY potentially unsafe application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 27.zip a variant of Win32/HackTool.Patcher.X potentially unsafe application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 316.zip Win32/Toolbar.AskSBar potentially unwanted application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 4.zip Win32/Toolbar.Conduit.Y potentially unwanted application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 6.zip a variant of Win32/Toolbar.Conduit.B potentially unwanted application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 7.zip Win32/Toolbar.Conduit.Y potentially unwanted application
K:\DUDLEYGW\Backup Set 2012-07-01 190002\Backup Files 2012-07-01 190002\Backup files 9.zip a variant of Win32/HackTool.Patcher.X potentially unsafe application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 10.zip a variant of Win32/HackTool.Patcher.X potentially unsafe application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 15.zip a variant of Win32/Toolbar.Conduit.P potentially unwanted application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 20.zip Win32/Toolbar.Conduit.Q potentially unwanted application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 21.zip a variant of Win32/Toolbar.Conduit.B potentially unwanted application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 30.zip a variant of Win32/HackTool.Patcher.X potentially unsafe application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 305.zip a variant of Win32/Keygen.CY potentially unsafe application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 368.zip Win32/Toolbar.AskSBar potentially unwanted application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 5.zip a variant of Win32/Toolbar.Conduit.B potentially unwanted application
K:\DUDLEYGW\Backup Set 2013-07-14 190002\Backup Files 2013-07-14 190002\Backup files 8.zip Win32/Toolbar.Conduit.Y potentially unwanted application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 10.zip a variant of Win32/HackTool.Patcher.X potentially unsafe application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 16.zip a variant of Win32/Toolbar.Conduit.P potentially unwanted application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 21.zip Win32/Toolbar.Conduit.Q potentially unwanted application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 23.zip a variant of Win32/Toolbar.Conduit.B potentially unwanted application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 323.zip a variant of Win32/Keygen.CY potentially unsafe application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 34.zip a variant of Win32/HackTool.Patcher.X potentially unsafe application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 386.zip Win32/Toolbar.AskSBar potentially unwanted application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 5.zip a variant of Win32/Toolbar.Conduit.B potentially unwanted application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2014-03-23 190002\Backup files 8.zip Win32/Toolbar.Conduit.Y potentially unwanted application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2015-03-01 190003\Backup files 22.zip a variant of MSIL/HackKMS.A potentially unsafe application
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2015-03-08 190002\Backup files 2.zip a variant of Win64/Sathurbot.A trojan
 



#12 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 26 March 2015 - 04:28 PM

A lot of what is there is either in quarantine already (AdwCleaner), or old back-up sets (delete them after creating a new set when we are done), or installation files that are bundled with adware. So work through the detections and manually delete the files that aren't in quarantine or backup; then, once AdwCleaner is removed, you can delete the quarantine.

If there are no outstanding issues, then we can clean up the tools:

You can delete the FRST logs and program from your desktop.

NEXT

Follow these steps to uninstall Combofix
Make sure your security programs are totally disabled.
Press WinKey+R to open a run box.
Now copy/paste the following command into the run box and click OK.
Combofix /uninstall

(Note the space between the ..x and the u; it needs to be there.)

NEXT

Double click on adwcleaner.exe to run the tool.
Click on the Uninstall button
Confirm with yes

If there are any logs/tools remaining on your desktop > right click and delete them

NEXT

Below I have included a couple of recommendations for how to protect your computer against malware infections.
It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection.
Refer to this Microsoft article - Strong passwords: How to create and use them
http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com

This will ensure your computer always has the latest available security updates installed.

http://www.mywot.com
Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an addon available for Chrome, Firefox and IE

AdblockPlus, Surf the web without annoying ads!
Blocks banners, pop-ups and video ads - even on Facebook and YouTube
Protects your online privacy
Two-click installation. It's free!
https://adblockplus.org/en/internet-explorer
https://adblockplus.org/en/firefox
https://adblockplus.org/en/chrome
click the link(s) for your browser(s) and download.


Thank you for your patience, and performing all of the procedures requested.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
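CatByte's reply above sorts the ESET hits by where they live: quarantine copies, old backup sets, bundled installers, and live files. The following is an added example, not code from this thread or from ESET: it parses the ESET Online Scanner export format shown in post #11 (path, optional "a variant of" detection name, trailing classification) and applies that same triage. The path heuristics, bucket names and the `.7z` extension are assumptions; the sample lines are copied from the ESET output above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Classification phrases ESET appends to each exported line. Longer phrases come
# first so "potentially unwanted application" is matched before any shorter suffix.
CATEGORIES = (
    "potentially unwanted application",
    "potentially unsafe application",
    "multiple threats",
    "trojan",
)

# Detection name: optional "a variant of " prefix, then a platform/family token such
# as Win32/Toolbar.Conduit.B or MSIL/Agent.NCF. Paths contain spaces, so the name is
# located from the right-hand end of the line once the category has been removed.
_DETECTION_RE = re.compile(r"\s((?:a variant of )?[A-Za-z0-9]+/\S+)$")

# Assumed: hits inside these containers are packed copies or bundled installers.
_ARCHIVE_EXTS = (".zip", ".rar", ".iso", ".7z")


@dataclass
class Detection:
    path: str
    name: str       # "" when ESET reports only "multiple threats"
    category: str
    bucket: str


def triage(path: str) -> str:
    """Bucket a detection path the way the reply above does (assumed heuristics)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "already quarantined"      # AdwCleaner / FRST quarantine copies
    if "\\backup set " in p:
        return "old backup set"           # delete the set after taking a fresh backup
    if "\\downloads\\" in p or p.endswith(_ARCHIVE_EXTS):
        return "installer/archive"        # bundled adware or packed copy; review first
    return "live file: delete manually"


def parse_line(line: str) -> Detection:
    line = line.strip()
    for cat in CATEGORIES:
        if line.endswith(" " + cat):
            rest = line[: -len(cat) - 1]
            break
    else:
        raise ValueError(f"unrecognised ESET line: {line!r}")
    m = _DETECTION_RE.search(rest)
    if m:
        name = m.group(1).removeprefix("a variant of ")
        path = rest[: m.start()]
    else:                                 # e.g. "... .iso multiple threats"
        name, path = "", rest
    return Detection(path, name, cat, triage(path))


def parse_log(text: str) -> list[Detection]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(dets: list[Detection]) -> dict[str, int]:
    """Count detections per triage bucket."""
    return dict(Counter(d.bucket for d in dets))


def needs_attention(dets: list[Detection]) -> list[Detection]:
    """Trojan / multiple-threat hits not already quarantined, whatever their bucket."""
    return [d for d in dets
            if d.category in ("trojan", "multiple threats")
            and d.bucket != "already quarantined"]


# Sample lines copied from the ESET output in post #11 above.
SAMPLE = r"""
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\Program Files (x86)\GlobalSCAPE\CuteFTP 7 Professional\patch.exe a variant of Win32/HackTool.Patcher.X potentially unsafe application
C:\Users\todd\Downloads\ZASPSetup_100_250_000_en.exe Win32/Toolbar.Conduit.Y potentially unwanted application
C:\Users\todd\Downloads\Windows 7\WINDOWS_7_X64_OEM_EN\WINDOWS_7_X64_OEM.iso multiple threats
K:\DUDLEYGW\Backup Set 2014-03-23 190002\Backup Files 2015-03-08 190002\Backup files 2.zip a variant of Win64/Sathurbot.A trojan
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE)
    for d in found:
        print(f"[{d.bucket:<27}] {d.category:<32} {d.name or '-':<28} {d.path}")
    print(summarize(found))
    print("needs attention:", [d.path for d in needs_attention(found)])
```

The trojan inside the backup set is still flagged by `needs_attention`, so an old backup set is not silently written off just because of its bucket.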


#13 CatByte

CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 29 March 2015 - 11:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

