Browser Hijack


This topic is locked
29 replies to this topic

#1 Piermontsteve

Piermontsteve

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 10 May 2015 - 12:48 PM

Hello,

This morning I realized I cannot search using any search engine. Typing in a URL directly will get me to any site but a search site (Yahoo, Bing, Google). All my "saved" sites connect, but again, not any of the search sites. Happens regardless of browser used. If someone could help me solve this I would appreciate it. Logs attached and thank you in advance for your help.

Attached Files




#2 olgun52

olgun52

  • Malware Response Team
  • 3,778 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 10 May 2015 - 04:20 PM

Hello Piermontsteve and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please log on to the computer as an administrator. How do I log on to the computer as an administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here

Thanks
  

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely

Best regards

If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 Piermontsteve

Piermontsteve
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 10 May 2015 - 08:37 PM

Thank you Yilmaz, I have disabled all antivirus (AVG) and Windows Firewall. I am logged in as administrator. I will wait for your instructions.



#4 olgun52

olgun52

  • Malware Response Team
  • 3,778 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 11 May 2015 - 11:13 AM

Hi Piermontsteve,

 

Okay, thank you.

Please go to Start, click Control Panel, click Programs and then click Programs and Features. Please uninstall the following applications if they still exist:
 
conduit
AVG April 2013 Campaign--AVG 0913a Campaign
Mobogenie
AVG Secure Search
AVG SafeGuard toolbar
Mozilla Maintenance Service
PassShow
C:\Program Files (x86)\PassShow
C:\Program Files (x86)\Mobogenie

 
Then restart the PC.
---------------------------------------------------------------------
Step 1:
FRST Script:
Please download the attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
 
Step 2:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click mbam-setup-2.1.4.1018.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export.
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.

Already installed:
Threat Scan

  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export.
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.

Have a nice day.

Attached Files



 


 


#5 Piermontsteve

Piermontsteve
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 11 May 2015 - 08:41 PM

Hello yilmaz...thanks for replying quickly

I followed your instructions... something weird happened. After the AdwCleaner run, a window popped up and kept flicking on and off while moving diagonally across the screen... tried to close it but it moves too fast... rebooted and the window moved around a little slower, but too fast again to close it; third reboot, window moves around very slowly, and I can close it and proceed with your instructions. Window has a similar look to a "DOS prompt" window and looks like it says combo on the top... hard to read as it moves around fast. Happens at every reboot.

 

Still can't access Yahoo or any other search engine except Bing, and even that won't let me go to Yahoo. Logs are attached, hope you can help.

 

# AdwCleaner v4.203 - Logfile created 11/05/2015 at 12:54:09
# Updated 30/04/2015 by Xplode
# Database : 2015-04-30.2 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Steve - STEVE-PC
# Running from : C:\Users\Steve\Downloads\adwcleaner_4.203.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v37.0.2 (x86 en-US)


-\\ Google Chrome v


*************************

AdwCleaner[R0].txt - [9493 bytes] - [10/05/2015 23:35:37]
AdwCleaner[R1].txt - [9552 bytes] - [10/05/2015 23:40:39]
AdwCleaner[R2].txt - [962 bytes] - [11/05/2015 12:52:58]
AdwCleaner[S0].txt - [9348 bytes] - [10/05/2015 23:43:52]
AdwCleaner[S1].txt - [888 bytes] - [11/05/2015 12:54:09]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [946  bytes] ##########
 

 

Junkware Removal Tool (JRT) by Thisisu
Version: 6.7.0 (05.09.2015:1)
OS: Windows 7 Home Premium x64
Ran by Steve on Mon 05/11/2015 at 13:41:56.29
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111991162}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110111991162}



~~~ Files

Successfully deleted: [File] C:\Windows\wininit.ini



~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{046786D0-1BFE-4FC7-B7A0-9096EF4116DA}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{05598E72-0F20-4740-9229-F1DCFA31758E}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{0601438F-9D5C-4990-93E0-F00E940C4FF7}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{067BDF17-5703-45CC-9B9A-D10E8EE973A3}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{0B395AFC-086A-46D6-A7B0-FC7DCC11C599}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{15415E1C-317D-492B-A428-2EF96E294813}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{15B28075-7440-4C47-BC78-E2F68A4E157A}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{174E5C9C-7F99-4E41-B850-AF3E6A7B537E}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{1BC9FEAF-130E-41BD-B2FA-DFAF0A60D9E3}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{2BF52167-5E90-4397-BD26-F5A9704ADE98}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{340DF9BA-132E-4D0F-A28C-4B286B931E38}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{343B1C6B-D29F-47F8-AE7D-B64C370B6AB1}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{34FB818D-9F4F-46E7-B6EC-B611CF948F19}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{3FBC0681-C3A6-494B-8E30-B5E4148A5F90}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{42966C2B-0AB8-4251-800D-7D6CFD275DA0}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{4967C552-C657-423D-994F-12E54256A619}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{50FFE7EF-A363-4A08-8A7E-4AE278CA49E7}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{53892EC0-309B-4742-8959-E585503775FF}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{5B3BD003-4530-4AC0-95B6-3FD4614CB4B9}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{65F25083-DC87-4B06-9C35-575620172ED9}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{69EE8E2B-0F37-45DA-9B3C-2CE89600F9C6}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{6CCC5432-C56E-460B-8232-979DD9179AF2}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{766E20CD-1091-4EEA-B8AB-ED78769E4001}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{76F53E2C-6CAF-4753-9C80-EC3A04A4DA8F}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{7980E24C-1E89-42EB-96AA-891E77177812}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{7E17E8FC-B470-4886-9A54-F8D546D19F49}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{8AD7F68B-159B-4E0F-BB78-6EB7183955D2}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{8BA6E8F8-6F38-4FEB-98DD-2EE9175E1F51}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{8C16C339-02AC-4E7D-AF59-094B851D9FC2}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{932F108B-20C7-48C4-898A-41372E5DD217}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{9DED4659-9D6A-4762-BC28-EBD7D4262CB0}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{B3B3CAF6-F5DF-4418-B637-E193B045CE91}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{B3EDA303-DB03-4C50-A41A-E3C517364F31}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{BB462A59-2B0B-4BC3-96EB-2A77DA218D3B}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{BC2C4218-AC31-4B98-9A04-70FB379F1211}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{BDCC5921-D450-4185-9FDA-9462355D5A76}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{BF5446FA-12E5-418F-A262-05001E000E11}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{C75A0429-9D4C-4514-ACC8-8F11F17DEE70}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{C7610F28-D32B-4DF4-B667-18B2DD5BB6B8}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{D2B86CC9-F747-40E2-8863-BFC7B06CA8CD}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{E177695F-F1AE-433F-B952-CE60A95EC731}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{E42B8BD2-0B15-4168-8464-4E1D0BF4313A}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{E4CA97BC-C511-46D7-87B9-60083B68C415}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{E5906E33-4207-48F1-AD24-F00A06155254}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{E8A83684-DBE6-4BCB-82EA-BCC925E9315D}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{F9047606-23B7-4092-9E47-C1BFF3B7EFBD}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{F96BAE7F-1804-4430-8F64-CCFEF073BAD6}
Successfully deleted: [Empty Folder] C:\Users\Steve\appdata\local\{FF3E6CFD-518A-46B6-BEC3-5687336F3703}



~~~ FireFox

Emptied folder: C:\Users\Steve\AppData\Roaming\mozilla\firefox\profiles\vtwnki1i.default\minidumps [475 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 05/11/2015 at 13:44:24.34
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

Attached Files



#6 Piermontsteve

Piermontsteve
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 11 May 2015 - 11:20 PM

Another note... the flashing window name is "combofix". Using Task Manager, I can reboot and quickly cancel, and that clears the blinking window. The blinking window does not appear when run in safe mode. I have made no adjustments to any settings and await to hear from you.



#7 olgun52

olgun52

  • Malware Response Team
  • 3,778 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:13 PM

Posted 12 May 2015 - 09:38 AM

I don't see the Fixlog report?

Have you done a scan with ComboFix?



 


 


#8 Piermontsteve

Piermontsteve
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:08:13 AM

Posted 12 May 2015 - 10:32 AM

Sorry, here is the fix log. I have not scanned with ComboFix; I think my son may have... I have stopped him from using the PC until this is solved. Again, thank you for your help.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-05-2015
Ran by Steve at 2015-05-11 12:29:03 Run:1
Running from C:\Users\Steve\Desktop\HTHIS\FRST
Loaded Profiles: Steve (Available profiles: Steve)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
CloseProcesses:
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\loggingserver.exe
C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2503704 2015-04-26] ()
HKLM-x32\...\Run: [mobilegeni daemon] => C:\Program Files (x86)\Mobogenie\DaemonProcess.exe
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\...\Run: [ROC_ROC_APR2013_AV] => C:\Users\Steve\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 3650943c6ec047d08209a90c82cf4da4-587831856733567de9cb5289d1bbf168eb80c415 --CMPID ROC_APR2013_AV --CMP (the data entry has 12 more characters).
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\...\Run: [AVG-Secure-Search-Update_0913a] => C:\Users\Steve\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 3650943c6ec047d08209a90c82cf4da4-587831856733567de9cb5289d1bbf168eb80c415 --CMPID 0913a
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\...\Policies\Explorer: []
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\...\MountPoints2: {d5234d2f-8ec8-11e2-bc43-7845c42ba457} - E:\TLBootstrap_WPP.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {E8E0DC22-9808-47A6-8003-29FC3F9D8280} URL =
SearchScopes: HKU\.DEFAULT -> {E8E0DC22-9808-47A6-8003-29FC3F9D8280} URL =
SearchScopes: HKU\S-1-5-21-2347710922-683995551-2583357650-1000 -> DefaultScope {07D7D235-175E-42D8-9A87-ED0210E49897} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287528&CUI=UN41762946662459219
SearchScopes: HKU\S-1-5-21-2347710922-683995551-2583357650-1000 -> {07D7D235-175E-42D8-9A87-ED0210E49897} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287528&CUI=UN41762946662459219
SearchScopes: HKU\S-1-5-21-2347710922-683995551-2583357650-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={474B6172-DA2D-4436-9365-23CC4AF80353}&mid=3650943c6ec047d08209a90c82cf4da4-587831856733567de9cb5289d1bbf168eb80c415&lang=en&ds=AVG&coid=avgtbavg&cmpid=1214tb&pr=fr&d=2014-02-05 21:46:48&v=18.2.0.829&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2347710922-683995551-2583357650-1000 -> {B5160112-BECD-4D3A-9689-3F01EE261B07} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=58021096-81B9-4487-A420-4B8E3C4F2C59&apn_sauid=E45C5E1B-B2C5-4410-89F5-4E39092228CA
BHO-x32: AVG SafeGuard toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG SafeGuard toolbar\18.3.0.885\AVG SafeGuard toolbar_toolbar.dll [2015-04-26] (AVG Secure Search)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.3.0.885\AVG SafeGuard toolbar_toolbar.dll [2015-04-26] (AVG Secure Search)
Toolbar: HKU\.DEFAULT -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-2347710922-683995551-2583357650-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.3.0\ViProtocol.dll [2015-04-26] (AVG Secure Search)
FF Homepage: hxxp://www.yahoo.com/
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.3.0\\npsitesafety.dll No File
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-09-12] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml [2015-04-26]
FF Extension: Garmin Communicator - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vtwnki1i.default\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [2014-07-07]
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.3.0.885
FF Extension: AVG SafeGuard toolbar - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.3.0.885 [2015-04-26]
FF HKU\S-1-5-21-2347710922-683995551-2583357650-1000\...\Firefox\Extensions: [{8492baab-62ca-4e2c-983b-dfef7cae8082}] - C:\Program Files (x86)\PassShow\154.xpi
CHR HomePage: Default -> hxxp://mysearch.avg.com?cid={474B6172-DA2D-4436-9365-23CC4AF80353}&mid=3650943c6ec047d08209a90c82cf4da4-587831856733567de9cb5289d1bbf168eb80c415&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-05 21:46:48&v=18.1.9.799&pid=safeguard&sg=0&sap=hp
CHR StartupUrls: Default -> "hxxp://mysearch.avg.com?cid={474B6172-DA2D-4436-9365-23CC4AF80353}&mid=3650943c6ec047d08209a90c82cf4da4-587831856733567de9cb5289d1bbf168eb80c415&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-02-05 21:46:48&v=18.1.9.799&pid=safeguard&sg=0&sap=hp"
CHR DefaultSearchKeyword: Default -> yahoo.com
CHR DefaultSearchURL: Default -> https://search.yahoo.com/search?ei={inputEncoding}&fr=crmas&p={searchTerms}
CHR DefaultSuggestURL: Default -> https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms}
CHR Plugin: (Native Client) - C:\Users\Steve\AppData\Local\Google\Chrome\Application\42.0.2311.135\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Steve\AppData\Local\Google\Chrome\Application\42.0.2311.135\pdf.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U17) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.170.2) - C:\Windows\SysWOW64\npDeployJava1.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Extension: (MixiDJ V2) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdipjefcbnbcjgpgbgmpmcmgbmpjpjae [2013-02-25]
CHR Extension: (AVG SafeGuard) - C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2013-12-10]
CHR HKU\S-1-5-21-2347710922-683995551-2583357650-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cdipjefcbnbcjgpgbgmpmcmgbmpjpjae] - C:\Users\Steve\AppData\Local\CRE\cdipjefcbnbcjgpgbgmpmcmgbmpjpjae.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [cdipjefcbnbcjgpgbgmpmcmgbmpjpjae] - C:\Users\Steve\AppData\Local\CRE\cdipjefcbnbcjgpgbgmpmcmgbmpjpjae.crx [Not Found]
StartMenuInternet: Google Chrome.B5EX722MLJWDZ3DJETR2GM6KOQ - C:\Users\Steve\AppData\Local\Google\Chrome\Application\chrome.exe
R2 vToolbarUpdater18.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe [1802776 2015-04-26] (AVG Secure Search)
2015-04-21 09:09 - 2015-04-21 09:09 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2015-04-21 09:02 - 2015-04-21 09:04 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2015-04-21 08:19 - 2015-04-21 08:21 - 152362800 _____ (Apple Inc.) C:\Users\Steve\Downloads\iTunes6464Setup(1).exe
2015-05-10 11:44 - 2013-11-09 13:02 - 00000420 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rmv.job
2015-05-10 11:44 - 2013-11-09 13:02 - 00000370 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rel.job
2015-05-10 11:44 - 2013-04-11 11:51 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-05-10 09:51 - 2012-11-27 14:40 - 00000000 ____D () C:\ProgramData\MFAData
2015-05-09 18:00 - 2014-05-08 16:53 - 00000466 _____ () C:\Windows\Tasks\ParetoLogic Registration.job
2015-04-28 03:22 - 2014-03-06 00:02 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-04-26 23:07 - 2013-09-05 09:10 - 00000000 ____D () C:\Program Files (x86)\AVG SafeGuard toolbar
C:\Windows\system32\Drivers\etc\hosts.umbrella
2014-01-21 15:18 - 2014-01-21 15:18 - 0000000 _____ () C:\ProgramData\3b3d36222a5f292b_c
C:\Users\Steve\AppData\Local\Temp\AAMHelper.exe
C:\Users\Steve\AppData\Local\Temp\AcDeltree.exe
C:\Users\Steve\AppData\Local\Temp\AdobeApplicationManager.exe
C:\Users\Steve\AppData\Local\Temp\Creative Cloud Helper.exe
C:\Users\Steve\AppData\Local\Temp\CreativeCloudSet-Up.exe
C:\Users\Steve\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpq9m2pq.dll
C:\Users\Steve\AppData\Local\Temp\FNP_ACT_InstallerCA.dll
C:\Users\Steve\AppData\Local\Temp\GURD756.exe
C:\Users\Steve\AppData\Local\Temp\ICReinstall_ZipOpenerSetup.exe
C:\Users\Steve\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Steve\AppData\Local\Temp\KUIU.EXE
C:\Users\Steve\AppData\Local\Temp\ose00000.exe
C:\Users\Steve\AppData\Local\Temp\vsdel.exe
CustomCLSID: HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Steve\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
Task: {00AC0204-E318-4522-8996-0456ECF6B668} - System32\Tasks\{EC592D23-0F3B-4E11-9680-BE87507D085C} => pcalua.exe -a "C:\Program Files (x86)\PassShow\Uninstall.exe"
Task: {40C06DD9-42B5-4682-A547-15F6E24CBB6E} - System32\Tasks\AVG-Secure-Search-Update_1013b_rel => C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_1013b.exe
Task: {44451C8B-0894-4BF1-9F85-7DBF3D9C967E} - System32\Tasks\ParetoLogic Registration => Rundll32.exe "C:\Program Files (x86)\Common Files\ParetoLogic\UUS2\UUS.dll" RunUns
Task: {5DD08349-C741-4AD2-AF30-D19139C5FE99} - System32\Tasks\{32D28DB7-3429-45F6-BCFE-348B2AA9AEB7} => pcalua.exe -a C:\Users\Steve\Downloads\HijackThis.exe -d C:\Users\Steve\Downloads
Task: {DBBA08F5-D635-4530-8F6F-51B512FEE7FB} - System32\Tasks\Test TimeTrigger => C:\Users\Steve\AppData\Local\Temp\Runner.exe <==== ATTENTION
Task: {DCB39C3C-FE9C-4DF9-8565-425B45A82F84} - System32\Tasks\AVG-Secure-Search-Update_1013b_rmv => C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_1013b.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rel.job => C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_1013b.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rmv.job => C:\Program Files (x86)\AVG SafeGuard toolbar\AVG-Secure-Search-Update_1013b.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2347710922-683995551-2583357650-1000Core.job => C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2347710922-683995551-2583357650-1000UA.job => C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ParetoLogic Registration.job => C:\Windows\system32\rundll32.exeFC:\Program Files (x86)\Common Files\ParetoLogic\UUS2\UUS.dll
2015-04-26 23:07 - 2015-04-26 23:06 - 00159768 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\loggingserver.exe
2013-09-05 09:10 - 2015-04-26 23:06 - 02503704 _____ () C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
2015-05-10 11:45 - 2015-05-10 11:45 - 00013824 _____ () C:\Windows\TEMP\nskE11C.tmp\UAC.dll
2015-05-10 11:45 - 2015-05-10 11:45 - 00011264 _____ () C:\Windows\TEMP\nskE11C.tmp\System.dll
2015-05-10 11:45 - 2015-05-10 11:45 - 00009728 _____ () C:\Windows\TEMP\nskE11C.tmp\nsDialogs.dll
2015-04-26 23:07 - 2015-04-26 23:06 - 00519704 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\log4cplusU.dll
2014-01-10 17:29 - 2014-12-10 12:53 - 01640984 _____ () C:\Program Files (x86)\AVG SafeGuard toolbar\TBAPI.dll
AlternateDataStreams: C:\ProgramData\TEMP:054203E4
AlternateDataStreams: C:\ProgramData\TEMP:9A870F8B
AlternateDataStreams: C:\ProgramData\TEMP:A1EDB939
AlternateDataStreams: C:\Users\Steve\Local Settings:4jr1TERS0V0dfAa66HDQ
AlternateDataStreams: C:\Users\Steve\AppData\Local:4jr1TERS0V0dfAa66HDQ
AlternateDataStreams: C:\Users\Steve\AppData\Local\Application Data:4jr1TERS0V0dfAa66HDQ
AlternateDataStreams: C:\Users\Steve\AppData\Local\NKuDIq1tB:Vlnbz1Wn2bEgly59WHSw1jtsX
AlternateDataStreams: C:\Users\Steve\Documents\Ref claim# HCX0323001H.eml:OECustomProperty
IE trusted site: HKU\S-1-5-21-2347710922-683995551-2583357650-1000\...\hola.org -> hxxp://hola.org
C:\Users\Steve\AppData\Roaming\newnext.me\nengine.dll,EntryPoint -m l
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NextLive
FirewallRules: [{B7B92A4E-6A7B-408F-9562-E62E769F2E84}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{70306116-6189-44F3-A3C5-258A8922A71C}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{28CDE20F-86D6-4182-8C43-B3EE19CCBEE8}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
FirewallRules: [{E291DAC1-C8B8-416D-AEC9-A50B34875BD0}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
FirewallRules: [{AE6578FC-4E67-44CA-94A7-96847FE9162D}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgdiagex.exe
FirewallRules: [{C23F4D2C-C45F-4EEB-BB1C-6E832515A85A}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgdiagex.exe
FirewallRules: [{DB8F4ECC-8288-483D-8B5B-E74075BB7FBD}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
FirewallRules: [{3B93D211-255E-4C08-9189-764B22C08F95}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
FirewallRules: [{777B963B-7B15-472A-8FDE-0A7D94613BBF}] => (Allow) C:\Users\Steve\AppData\Local\Temp\nsrBB35.tmp\CnetInstaller-10369269.exe
FirewallRules: [{3E23AB9B-32E8-4324-9540-CA6FEFF0A6B8}] => (Allow) C:\Users\Steve\AppData\Local\Temp\nsrBB35.tmp\CnetInstaller-10369269.exe
FirewallRules: [TCP Query User{F1C9F5C6-A5A9-452F-A554-810D4C00CAFD}C:\users\steve\appdata\local\temp\dm2\tinyumbrella_119\software\tinyumbrella.exe] => (Block) C:\users\steve\appdata\local\temp\dm2\tinyumbrella_119\software\tinyumbrella.exe
FirewallRules: [UDP Query User{C9116B5F-B768-4B54-A3E2-04C87DEFBFD5}C:\users\steve\appdata\local\temp\dm2\tinyumbrella_119\software\tinyumbrella.exe] => (Block) C:\users\steve\appdata\local\temp\dm2\tinyumbrella_119\software\tinyumbrella.exe
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:





*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe" => File/Directory not found.
"C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\loggingserver.exe" => File/Directory not found.
"C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\vProt => Value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\mobilegeni daemon => Value not found.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ROC_ROC_APR2013_AV => value deleted successfully.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AVG-Secure-Search-Update_0913a => value deleted successfully.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value deleted successfully.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5234d2f-8ec8-11e2-bc43-7845c42ba457} => Key not found.
HKCR\CLSID\{d5234d2f-8ec8-11e2-bc43-7845c42ba457} => Key not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E8E0DC22-9808-47A6-8003-29FC3F9D8280} => Key not found.
HKCR\CLSID\{E8E0DC22-9808-47A6-8003-29FC3F9D8280} => Key not found.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{07D7D235-175E-42D8-9A87-ED0210E49897} => Key not found.
HKCR\CLSID\{07D7D235-175E-42D8-9A87-ED0210E49897} => Key not found.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B5160112-BECD-4D3A-9689-3F01EE261B07} => Key not found.
HKCR\CLSID\{B5160112-BECD-4D3A-9689-3F01EE261B07} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{95B7759C-8C7F-4BF1-B163-73684A933233} => Value not found.
HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Key not found.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Value not found.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{0E5F0222-96B9-11D3-8997-00104BD12D94}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{0E5F0222-96B9-11D3-8997-00104BD12D94}" => Key deleted successfully.
HKCR\Wow6432Node\PROTOCOLS\Handler\viprotocol => Key not found.
HKCR\Wow6432Node\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9} => Key not found.
Firefox homepage deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect" => Key deleted successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin => Key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater" => Key deleted successfully.
C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll => Moved successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml" => not found.
C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vtwnki1i.default\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} => Moved successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\avg@toolbar => Value not found.
C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.3.0.885 not found.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Mozilla\Firefox\Extensions\\{8492baab-62ca-4e2c-983b-dfef7cae8082} => Value not found.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
Chrome DefaultSearchKeyword deleted successfully.
Chrome DefaultSearchURL deleted successfully.
Chrome DefaultSuggestURL deleted successfully.
C:\Users\Steve\AppData\Local\Google\Chrome\Application\42.0.2311.135\ppGoogleNaClPluginChrome.dll not found.
C:\Users\Steve\AppData\Local\Google\Chrome\Application\42.0.2311.135\pdf.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll not found.
C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll not found.
C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll not found.
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll not found.
C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_110.dll not found.
C:\Windows\SysWOW64\npDeployJava1.dll not found.
c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll not found.
C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdipjefcbnbcjgpgbgmpmcmgbmpjpjae directory not found.
C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof directory not found.
"HKU\S-1-5-21-2347710922-683995551-2583357650-1000\SOFTWARE\Google\Chrome\Extensions\cdipjefcbnbcjgpgbgmpmcmgbmpjpjae" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cdipjefcbnbcjgpgbgmpmcmgbmpjpjae" => Key deleted successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command\\Default => Value was restored successfully.
vToolbarUpdater18.3.0 => Service deleted successfully.
C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7 => Moved successfully.
C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 => Moved successfully.
C:\Users\Steve\Downloads\iTunes6464Setup(1).exe => Moved successfully.
C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rmv.job => Moved successfully.
C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rel.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\ProgramData\MFAData => Moved successfully.
C:\Windows\Tasks\ParetoLogic Registration.job => Moved successfully.
C:\Program Files (x86)\Mozilla Maintenance Service => Moved successfully.
"C:\Program Files (x86)\AVG SafeGuard toolbar" => File/Directory not found.
C:\Windows\system32\Drivers\etc\hosts.umbrella => Moved successfully.
"C:\ProgramData\3b3d36222a5f292b_c" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\AAMHelper.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\AcDeltree.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\AdobeApplicationManager.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\Creative Cloud Helper.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\CreativeCloudSet-Up.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpq9m2pq.dll" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\FNP_ACT_InstallerCA.dll" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\GURD756.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\ICReinstall_ZipOpenerSetup.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\KUIU.EXE" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\ose00000.exe" => File/Directory not found.
"C:\Users\Steve\AppData\Local\Temp\vsdel.exe" => File/Directory not found.
"HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => Key deleted successfully.
"HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => Key deleted successfully.
"HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
"HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => Key deleted successfully.
"HKU\S-1-5-21-2347710922-683995551-2583357650-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{00AC0204-E318-4522-8996-0456ECF6B668}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00AC0204-E318-4522-8996-0456ECF6B668}" => Key deleted successfully.
C:\Windows\System32\Tasks\{EC592D23-0F3B-4E11-9680-BE87507D085C} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{EC592D23-0F3B-4E11-9680-BE87507D085C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{40C06DD9-42B5-4682-A547-15F6E24CBB6E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{40C06DD9-42B5-4682-A547-15F6E24CBB6E}" => Key deleted successfully.
C:\Windows\System32\Tasks\AVG-Secure-Search-Update_1013b_rel => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVG-Secure-Search-Update_1013b_rel" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{44451C8B-0894-4BF1-9F85-7DBF3D9C967E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{44451C8B-0894-4BF1-9F85-7DBF3D9C967E}" => Key deleted successfully.
C:\Windows\System32\Tasks\ParetoLogic Registration => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ParetoLogic Registration" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5DD08349-C741-4AD2-AF30-D19139C5FE99}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DD08349-C741-4AD2-AF30-D19139C5FE99}" => Key deleted successfully.
C:\Windows\System32\Tasks\{32D28DB7-3429-45F6-BCFE-348B2AA9AEB7} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{32D28DB7-3429-45F6-BCFE-348B2AA9AEB7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DBBA08F5-D635-4530-8F6F-51B512FEE7FB}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DBBA08F5-D635-4530-8F6F-51B512FEE7FB}" => Key deleted successfully.
C:\Windows\System32\Tasks\Test TimeTrigger => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Test TimeTrigger" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DCB39C3C-FE9C-4DF9-8565-425B45A82F84}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DCB39C3C-FE9C-4DF9-8565-425B45A82F84}" => Key deleted successfully.
C:\Windows\System32\Tasks\AVG-Secure-Search-Update_1013b_rmv => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVG-Secure-Search-Update_1013b_rmv" => Key deleted successfully.
C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rel.job not found.
C:\Windows\Tasks\AVG-Secure-Search-Update_1013b_rmv.job not found.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job not found.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2347710922-683995551-2583357650-1000Core.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2347710922-683995551-2583357650-1000UA.job => Moved successfully.
C:\Windows\Tasks\ParetoLogic Registration.job not found.
"C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\loggingserver.exe" => File/Directory not found.
"C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe" => File/Directory not found.
"C:\Windows\TEMP\nskE11C.tmp\UAC.dll" => File/Directory not found.
"C:\Windows\TEMP\nskE11C.tmp\System.dll" => File/Directory not found.
"C:\Windows\TEMP\nskE11C.tmp\nsDialogs.dll" => File/Directory not found.
"C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\log4cplusU.dll" => File/Directory not found.
"C:\Program Files (x86)\AVG SafeGuard toolbar\TBAPI.dll" => File/Directory not found.
C:\ProgramData\TEMP => ":054203E4" ADS removed successfully.
C:\ProgramData\TEMP => ":9A870F8B" ADS removed successfully.
C:\ProgramData\TEMP => ":A1EDB939" ADS removed successfully.
"C:\Users\Steve\Local Settings" => ":4jr1TERS0V0dfAa66HDQ" ADS not found.
C:\Users\Steve\AppData\Local => ":4jr1TERS0V0dfAa66HDQ" ADS removed successfully.
"C:\Users\Steve\AppData\Local\Application Data" => ":4jr1TERS0V0dfAa66HDQ" ADS not found.
C:\Users\Steve\AppData\Local\NKuDIq1tB => ":Vlnbz1Wn2bEgly59WHSw1jtsX" ADS removed successfully.
C:\Users\Steve\Documents\Ref claim# HCX0323001H.eml => ":OECustomProperty" ADS removed successfully.
HKU\S-1-5-21-2347710922-683995551-2583357650-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org => Key not found.
"C:\Users\Steve\AppData\Roaming\newnext.me\nengine.dll,EntryPoint -m l" => File/Directory not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NextLive => Error: No automatic fix found for this entry.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B7B92A4E-6A7B-408F-9562-E62E769F2E84} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{70306116-6189-44F3-A3C5-258A8922A71C} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{28CDE20F-86D6-4182-8C43-B3EE19CCBEE8} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E291DAC1-C8B8-416D-AEC9-A50B34875BD0} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AE6578FC-4E67-44CA-94A7-96847FE9162D} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C23F4D2C-C45F-4EEB-BB1C-6E832515A85A} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DB8F4ECC-8288-483D-8B5B-E74075BB7FBD} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3B93D211-255E-4C08-9189-764B22C08F95} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{777B963B-7B15-472A-8FDE-0A7D94613BBF} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3E23AB9B-32E8-4324-9540-CA6FEFF0A6B8} => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{F1C9F5C6-A5A9-452F-A554-810D4C00CAFD}C:\users\steve\appdata\local\temp\dm2\tinyumbrella_119\software\tinyumbrella.exe => value deleted successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{C9116B5F-B768-4B54-A3E2-04C87DEFBFD5}C:\users\steve\appdata\local\temp\dm2\tinyumbrella_119\software\tinyumbrella.exe => value deleted successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


=========  netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Restart the computer to complete this action.


========= End of CMD: =========


=========  netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========

EmptyTemp: => Removed 667.7 MB temporary data.


The system needed a reboot.

==== End of Fixlog 12:30:56 ====



#9 olgun52

olgun52

  • Malware Response Team
  • 3,778 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:13 PM

Posted 12 May 2015 - 11:47 AM

Please be sure to run our tools with administrator rights.
 
ComboFix run:
 
* IMPORTANT: 1. Place ComboFix.exe on your Desktop
* IMPORTANT: 2. Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix. Save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running; it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.
 
Have a nice day.


Best regards
 
paypal.gif
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

#10 Piermontsteve

Piermontsteve
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:13 AM

Posted 12 May 2015 - 12:18 PM

Just ran ComboFix. I have a screen that says:

Preparing log report

Do not run any programs until combofix has finished

There is a blinking cursor below the above statement.

It has been 15 minutes since this screen appeared. Is that normal?



#11 olgun52

olgun52

  • Malware Response Team
  • 3,778 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:13 PM

Posted 12 May 2015 - 01:07 PM

It is normal.
You must not touch anything.



#12 Piermontsteve

Piermontsteve
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:13 AM

Posted 12 May 2015 - 06:31 PM

Agh, just my luck. Power went off. Restarted ComboFix at 2:30 pm. ComboFix ran, rebooted, and has been running with a window that says "please wait" with a cursor below it. It is now 7:30 pm. Should I still be waiting, or is something wrong?



#13 Piermontsteve

Piermontsteve
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:08:13 AM

Posted 12 May 2015 - 08:43 PM

OK, finally got ComboFix to run correctly. Only took 20 min and didn't get "hung" like the previous attempt. I appreciate you hanging in there with me.

 

ComboFix 15-05-09.01 - Steve 05/12/2015  20:23:47.5.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3998.2404 [GMT -4:00]
Running from: c:\users\Steve\Desktop\ComboFix.exe
AV: AVG AntiVirus 2015 *Disabled/Outdated* {4D41356F-32AD-7C42-C820-63775EE4F413}
SP: AVG AntiVirus 2015 *Disabled/Outdated* {F620D48B-1497-73CC-F290-58052563BEAE}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\nsq5948.tmp\nsDialogs.dll
c:\windows\TEMP\nsq5948.tmp\System.dll
c:\windows\TEMP\nsq5948.tmp\UAC.dll
.
---- Previous Run -------
.
c:\windows\TEMP\nsa7408.tmp\nsDialogs.dll
c:\windows\TEMP\nsa7408.tmp\System.dll
c:\windows\TEMP\nsa7408.tmp\UAC.dll
.
.
(((((((((((((((((((((((((   Files Created from 2015-04-13 to 2015-05-13  )))))))))))))))))))))))))))))))
.
.
2015-05-13 00:29 . 2015-05-13 00:29    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-05-11 20:04 . 2015-05-13 00:21    --------    d-----w-    c:\programdata\MFAData
2015-05-11 17:41 . 2015-05-11 17:41    --------    d-----w-    C:\RegBackup
2015-05-11 05:08 . 2015-05-11 18:31    136408    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-05-11 05:07 . 2015-05-11 05:07    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2015-05-11 05:07 . 2015-04-14 13:37    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-05-11 05:07 . 2015-04-14 13:37    107736    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-05-11 05:07 . 2015-04-14 13:37    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-05-11 03:35 . 2015-05-11 16:54    --------    d-----w-    C:\AdwCleaner
2015-05-10 18:20 . 2015-05-10 19:17    --------    d-----w-    c:\program files (x86)\Spybot - Search & Destroy 2
2015-05-10 18:12 . 2015-04-30 14:50    429392    ----a-w-    c:\windows\system32\LavasoftTcpService64.dll
2015-05-10 18:12 . 2015-04-30 14:50    347976    ----a-w-    c:\windows\SysWow64\LavasoftTcpService.dll
2015-05-10 17:35 . 2015-05-11 16:33    --------    d-----w-    C:\FRST
2015-05-10 15:33 . 2015-05-10 15:33    --------    d-sh--w-    c:\users\Steve\AppData\Local\EmieUserList
2015-05-10 15:33 . 2015-05-10 15:33    --------    d-sh--w-    c:\users\Steve\AppData\Local\EmieSiteList
2015-05-10 15:33 . 2015-05-10 15:33    --------    d-sh--w-    c:\users\Steve\AppData\Local\EmieBrowserModeList
2015-04-28 02:51 . 2015-04-28 02:51    --------    d-----w-    c:\program files (x86)\Lame For Audacity
2015-04-28 02:16 . 2015-05-06 14:45    --------    d-----w-    c:\users\Steve\AppData\Roaming\Audacity
2015-04-28 02:16 . 2015-04-28 02:16    --------    d-----w-    c:\program files (x86)\Audacity
2015-04-27 03:56 . 2015-04-27 04:06    --------    d-----w-    c:\users\Steve\AppData\Local\WinZip
2015-04-27 03:56 . 2015-04-27 03:57    --------    d-----w-    c:\programdata\WinZip
2015-04-27 03:56 . 2015-04-27 03:56    --------    d-----w-    c:\program files\WinZip
2015-04-27 01:52 . 2015-04-27 01:53    --------    d-----w-    c:\users\Steve\AppData\Local\Garmin_Ltd._or_its_subsid
2015-04-26 02:43 . 2015-04-26 02:43    --------    d-----w-    c:\program files (x86)\Common Files\Java
2015-04-26 02:42 . 2015-04-26 02:42    111016    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2015-04-26 02:16 . 2015-04-29 01:43    --------    d-----w-    c:\program files (x86)\PdaNet for iPhone
2015-04-26 02:16 . 2007-03-07 17:13    17920    ----a-w-    c:\windows\system32\drivers\pnetmdm64.sys
2015-04-21 13:09 . 2015-04-21 13:09    --------    d-----w-    c:\program files\iTunes
2015-04-21 13:09 . 2015-04-21 13:09    --------    d-----w-    c:\program files\iPod
2015-04-21 13:09 . 2015-04-21 13:09    --------    d-----w-    c:\program files (x86)\iTunes
2015-04-21 12:12 . 2012-08-21 17:01    33240    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2015-04-21 04:02 . 2015-04-21 04:02    --------    d-----w-    c:\users\Steve\AppData\Roaming\JGsoft
2015-04-21 04:02 . 2015-04-21 04:02    --------    d-----w-    c:\program files\Just Great Software
2015-04-17 06:25 . 2015-04-17 06:25    --------    d-----w-    c:\users\Steve\AppData\Local\Macroplant_LLC
2015-04-17 06:24 . 2015-05-11 02:42    --------    d-----w-    c:\program files (x86)\iExplorer
2015-04-17 01:34 . 2015-04-17 04:15    --------    d-----w-    c:\program files (x86)\iPhone Backup Unlocker Standard
2015-04-16 04:39 . 2015-04-21 03:26    --------    d-----w-    c:\users\Steve\AppData\Roaming\DiskAid
2015-04-16 02:53 . 2015-04-16 02:53    --------    d-----w-    c:\users\Steve\AppData\Local\iMobie_Inc
2015-04-16 02:52 . 2015-04-16 02:52    --------    d-----w-    c:\users\Steve\AppData\Roaming\iMobie
2015-04-16 02:52 . 2015-04-16 02:52    --------    d-----w-    c:\program files (x86)\iMobie
2015-04-15 17:06 . 2015-04-15 17:06    256992    ----a-w-    c:\windows\system32\drivers\avgldx64.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-26 02:48 . 2012-11-21 04:57    778416    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-04-26 02:48 . 2012-11-21 04:57    142512    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-04-26 02:48 . 2015-01-25 13:47    17593008    ----a-w-    c:\windows\SysWow64\FlashPlayerInstaller.exe
2015-04-09 18:11 . 2015-04-09 18:11    284128    ----a-w-    c:\windows\system32\drivers\avgidsdrivera.sys
2015-04-07 16:39 . 2015-04-07 16:39    291296    ----a-w-    c:\windows\system32\drivers\avgtdia.sys
2015-04-03 13:34 . 2015-04-03 13:34    137184    ----a-w-    c:\windows\system32\drivers\avgmfx64.sys
2015-03-20 16:18 . 2015-03-20 16:18    40928    ----a-w-    c:\windows\system32\drivers\avgrkx64.sys
2015-03-11 16:16 . 2015-03-11 16:16    162784    ----a-w-    c:\windows\system32\drivers\avgdiska.sys
2015-03-11 16:13 . 2015-03-11 16:13    344544    ----a-w-    c:\windows\system32\drivers\avgloga.sys
2015-03-11 16:13 . 2015-03-11 16:13    213984    ----a-w-    c:\windows\system32\drivers\avgidsha.sys
2013-01-25 21:14 . 2013-01-25 21:14    3579256    ----a-w-    c:\program files (x86)\iPCU.exe
2013-01-25 21:07 . 2013-01-25 21:07    260424    ----a-w-    c:\program files (x86)\Nlog.dll
2013-01-25 21:07 . 2013-01-25 21:07    94536    ----a-w-    c:\program files (x86)\ManagedMobileDevice.dll
2013-01-25 21:07 . 2013-01-25 21:07    42824    ----a-w-    c:\program files (x86)\CoreFoundation.NET.dll
2013-01-25 21:07 . 2013-01-25 21:07    36168    ----a-w-    c:\program files (x86)\iPCUScripting.dll
2013-01-25 21:07 . 2013-01-25 21:07    192328    ----a-w-    c:\program files (x86)\DTConfigKit.dll
2013-01-25 21:07 . 2013-01-25 21:07    179528    ----a-w-    c:\program files (x86)\Ionic.Zip.Reduced.dll
2013-01-25 21:07 . 2013-01-25 21:07    1263944    ----a-w-    c:\program files (x86)\BouncyCastle.Crypto.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    131480    ----a-w-    c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\Steve\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2014-11-21 43816]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2015-04-23 1403224]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2014-11-21 43816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-19 1022152]
"Adobe Creative Cloud"="c:\program files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" [2014-05-26 2688920]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
"ADSK DLMSession"="c:\program files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-05-15 1632216]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-03-20 60712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-10-02 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2015-04-10 335232]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AVG_UI"="c:\program files (x86)\AVG\AVG2015\avgui.exe" [2015-04-15 3745232]
.
c:\users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2015-4-2 43382072]
PdaNet Desktop.lnk - c:\program files (x86)\PdaNet for iPhone\PdaNetPC.exe [2015-4-28 227128]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
GoPro Importer.lnk - c:\program files (x86)\GoPro\Tools\Importer\GoPro Importer.exe [2014-12-16 3169792]
hueyTray.lnk - c:\program files (x86)\Pantone\huey\hueyTray.exe [2012-12-7 901120]
MCE Controller.lnk - c:\program files (x86)\Kindel Systems\MCE Controller\MCEControl.exe [2013-1-6 1708032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
.
R1 CSN5PDTS82;CSN5PDTS82 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82.sys;c:\windows\SYSNATIVE\Drivers\CSN5PDTS82.sys [x]
R1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82x64.sys;c:\windows\SYSNATIVE\Drivers\CSN5PDTS82x64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);c:\windows\system32\drivers\WPRO_41_2001.sys;c:\windows\SYSNATIVE\drivers\WPRO_41_2001.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2015\avgidsagent.exe;c:\program files (x86)\AVG\AVG2015\avgidsagent.exe [x]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2015\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2015\avgwdsvc.exe [x]
S2 Garmin Device Interaction Service;Garmin Device Interaction Service;c:\program files (x86)\Garmin\Device Interaction Service\GarminService.exe;c:\program files (x86)\Garmin\Device Interaction Service\GarminService.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 PasswordBox;PasswordBox;c:\program files (x86)\PasswordBox\pbbtnService.exe;c:\program files (x86)\PasswordBox\pbbtnService.exe [x]
S2 RegAss;RegAss;c:\windows\system32\RegAss.exe;c:\windows\SYSNATIVE\RegAss.exe [x]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\CyberLink\Shared files\RichVideo64.exe;c:\program files\CyberLink\Shared files\RichVideo64.exe [x]
S2 TeamViewer9;TeamViewer 9;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys;c:\windows\SYSNATIVE\DRIVERS\pnetmdm64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-05-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-21 02:48]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco1]
@="{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}"
[HKEY_CLASSES_ROOT\CLSID\{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}]
2014-05-23 06:10    671904    ----a-w-    c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco2]
@="{853B7E05-C47D-4985-909A-D0DC5C6D7303}"
[HKEY_CLASSES_ROOT\CLSID\{853B7E05-C47D-4985-909A-D0DC5C6D7303}]
2014-05-23 06:10    671904    ----a-w-    c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco3]
@="{42D38F2E-98E9-4382-B546-E24E4D6D04BB}"
[HKEY_CLASSES_ROOT\CLSID\{42D38F2E-98E9-4382-B546-E24E4D6D04BB}]
2014-05-23 06:10    671904    ----a-w-    c:\program files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    164760    ----a-w-    c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    164760    ----a-w-    c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    164760    ----a-w-    c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04    164760    ----a-w-    c:\users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2014-02-28 558496]
"Autodesk Sync"="c:\program files\Autodesk\Autodesk Sync\AdSync.exe" [2012-07-25 418280]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2011-12-15 564352]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-06-03 399856]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2013-07-15 36352]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-06-03 172016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-04-07 169768]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-06-03 442352]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.81.1
TCP: Interfaces\{5A2AE5C6-B9FD-4CAD-91BF-9D1A13174F45}: NameServer = 8.8.8.8 8.8.4.4
FF - ProfilePath - c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vtwnki1i.default\
FF - prefs.js: browser.search.selectedEngine - Bing
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKCU-Run-NextLive - c:\users\Steve\AppData\Roaming\newnext.me\nengine.dll
Wow6432Node-HKCU-Run-Web Companion - c:\program files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
Toolbar-Locked - (no file)
AddRemove-MozillaMaintenanceService - c:\program files (x86)\Mozilla Maintenance Service\uninstall.exe
.
.
"ImagePath"="\"c:\program files\CyberLink\Shared files\RichVideo64.exe\"\00Z
[\]^_¤\00\00¤\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~¤\00\00¤\00\00\00\00¤\00\00\00\00\00\00\00\00‘’“"
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{7F6AFBF1-E065-4627-A2FD-810366367D01}"=hex:51,66,7a,6c,4c,1d,38,12,9f,f8,79,
   7b,57,ae,49,03,dd,eb,c2,43,63,68,39,15
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:85,ce,18,59,1a,cd,ce,01
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.17"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Google\Update\GoogleUpdate.exe
c:\program files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
c:\program files (x86)\PasswordBox\application_update.exe
c:\windows\SysWOW64\RegAss.exe
c:\program files (x86)\TeamViewer\Version9\TeamViewer.exe
c:\program files (x86)\TeamViewer\Version9\tv_w32.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\AVG\AVG2015\avgmfapx.exe
.
**************************************************************************
.
Completion time: 2015-05-12  20:40:54 - machine was rebooted
ComboFix-quarantined-files.txt  2015-05-13 00:40
.
Pre-Run: 425,920,593,920 bytes free
Post-Run: 425,054,904,320 bytes free
.
- - End Of File - - ECD2BA6E3C49809F1DC0B072C3E90641
5C616939100B85E558DA92B899A0FC36
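The "Reg Loading Points" and "Supplementary Scan" sections of a ComboFix log like the one above are where a browser hijack usually shows itself: an autostart entry whose binary lives under a user profile, a per-interface DNS server that differs from the one DHCP handed out, or a changed default search engine. The following is an added example, not part of this thread and not ComboFix's own code: a small Python triage script that pulls exactly those three things out of log text. The sample log is constructed in the same format as the one above (names, paths and interface GUIDs are made up), and the user-writable-path test is a heuristic rather than a verdict: legitimate per-user software such as Dropbox also lives in AppData, so each hit still needs a look at the file itself.

```python
import re

# Constructed excerpt in the ComboFix log format shown above; the names,
# paths and interface GUIDs are made up, this is not the poster's log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CloudSync"="c:\program files (x86)\Vendor\CloudSync.exe" [2014-11-21 43816]
"Updater"="c:\users\user\AppData\Roaming\randomname\upd.exe" [2015-05-09 88064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}]
"LocalizedString"="@c:\\Windows\\system32\\example.exe,-101"
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Helper.lnk - c:\users\user\AppData\Local\Temp\helper.exe [2015-5-9 43382072]
.
TCP: DhcpNameServer = 192.168.81.1
TCP: Interfaces\{5A2AE5C6-0000-0000-0000-000000000000}: NameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{7B1C0000-0000-0000-0000-000000000000}: NameServer = 203.0.113.7
FF - prefs.js: browser.search.selectedEngine - Bing
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
LNK_RE = re.compile(r'^(?P<name>\S.*?\.lnk) - (?P<path>.+?)(?: \[|$)')
DNS_RE = re.compile(r'^TCP: (?:Interfaces\\\{(?P<iface>[^}]+)\}: )?'
                    r'(?P<key>DhcpNameServer|NameServer) = (?P<servers>.+)$')
FF_RE = re.compile(r'^FF - prefs\.js: browser\.search\.selectedEngine - (?P<engine>.+)$')

# Locations an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def autostart_entries(text):
    """(name, path) for every value under a ...\\Run or ...\\RunOnce key and
    every Startup-folder shortcut. Values under other keys (CLSID etc.) are
    ignored, which is why the current key is tracked."""
    entries, current_key = [], ""
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = RUN_RE.match(line)
        if m and current_key.endswith(("\\run", "\\runonce")):
            entries.append((m.group("name"), m.group("path")))
            continue
        m = LNK_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("path")))
    return entries


def suspicious_autostarts(text):
    """Autostart binaries living in a user-writable location. Heuristic
    only: legitimate per-user software also lives in AppData."""
    return [(name, path) for name, path in autostart_entries(text)
            if any(marker in path.lower() for marker in USER_WRITABLE)]


def dns_overrides(text):
    """Per-interface NameServer entries that differ from what DHCP handed out,
    as (interface_guid, [servers]). Two passes, so the order of the
    DhcpNameServer and Interfaces lines in the log does not matter."""
    matches = [m for m in map(DNS_RE.match, text.splitlines()) if m]
    dhcp = {s for m in matches if m.group("key") == "DhcpNameServer"
            for s in m.group("servers").split()}
    overrides = []
    for m in matches:
        if m.group("key") == "NameServer":
            extra = [s for s in m.group("servers").split() if s not in dhcp]
            if extra:
                overrides.append((m.group("iface"), extra))
    return overrides


def firefox_search_engine(text):
    """The default engine ComboFix read from prefs.js, or None if absent."""
    for line in text.splitlines():
        m = FF_RE.match(line)
        if m:
            return m.group("engine").strip()
    return None


if __name__ == "__main__":
    # For a real log: text = open("ComboFix.txt", errors="replace").read()
    for name, path in suspicious_autostarts(SAMPLE_LOG):
        print(f"autostart in user-writable path: {name} -> {path}")
    for iface, servers in dns_overrides(SAMPLE_LOG):
        print(f"interface {iface} uses non-DHCP DNS: {' '.join(servers)}")
    print(f"Firefox default search engine: {firefox_search_engine(SAMPLE_LOG)}")
```

To run it on a real log, read the saved file into a string and pass it in; decode with errors="replace", since a ComboFix log can carry non-ASCII bytes (the RichVideo64 ImagePath entry above is an example). A non-DHCP resolver is not proof of anything by itself: 8.8.8.8 and 8.8.4.4 are Google's public resolvers and are often set deliberately, so the point of the check is to surface settings the owner does not remember making.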
 



#14 olgun52

  • Malware Response Team
  • 3,778 posts
  • Gender:Male
  • Local time:03:13 PM

Posted 13 May 2015 - 05:09 PM

Uninstall:
c:\program files (x86)\Spybot - Search & Destroy 2
---------------------------------------------------------------------
Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the code box below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty Notepad file:

Copy all the text inside the code box: press Ctrl+C (or right-click the highlighted section and choose 'Copy').

File::
c:\windows\system32\LavasoftTcpService64.dll
c:\windows\SysWow64\LavasoftTcpService.dll

Folder::
c:\program files (x86)\Spybot - Search & Destroy 2

DDS::  
uStart Page = hxxp://www.yahoo.com/

FireFox::  
FF - ProfilePath - c:\users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vtwnki1i.default\
FF - prefs.js: browser.search.selectedEngine - Bing

Registry::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]

Hosts:

Now paste the copied text into the open Notepad window: press Ctrl+V (or right-click and choose 'Paste').

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save.

[screenshot: CFScriptB-4.gif]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
--------------------------------------------------------------------------------------------------------------------------
Browser Reset
 
Instructions on how to backup your Favourites/Bookmarks and other data can be found below. Proceed with the reset once done.
--------------------------------------------------------------------------------------------------------------------
 
Host File:
Replace your current HOSTS file with a tweaked one, such as the MVPS HOSTS file, which restricts access to known bad sites, improving your security.
It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer.

To do it:
  • Download hosts.zip and save it to your desktop
  • Right click the file you just downloaded on your desktop and select => Extract to "hosts\"
  • In the hosts folder on your desktop, double click on mvps.bat file to run the program
  • A prompt will appear, press any key to continue
A good source of information about safe computing is this topic by quietman7.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
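The HOSTS mechanism described in the post above works in both directions: a block list pins bad names to 127.0.0.1 (or 0.0.0.0), and a hijacker can use the same file to pin search engines to 127.0.0.1 or point them at an address it controls, which is precisely what produces "every site works except the search engines". The following is an added example, not part of the post and not part of the MVPS package: a Python checker a responder can run over a hosts file before replacing it. The sample content is constructed (the domains and the address 93.184.216.34 are stand-ins), the search-engine list is an assumption to extend as needed, and on Windows the real file is C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts file (not from the poster's machine): the two
# default localhost lines, two block-list entries of the kind the MVPS file
# adds, and two hijack-style lines that send search engines elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# block-list style: bad domains pinned to a sinkhole address
0.0.0.0         ad.doubleclick.net
127.0.0.1       www.badtracker.example
# hijack style: search engines pointed at an address the attacker controls
93.184.216.34   www.google.com
93.184.216.34   www.bing.com  search.yahoo.com
"""

# Assumed list of search-engine domains to watch; extend as needed.
SEARCH_DOMAINS = ("google.com", "bing.com", "yahoo.com", "duckduckgo.com")

# Addresses a block list legitimately uses; anything else is a redirect.
SINKHOLES = frozenset(ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1"))


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping, skipping comments,
    blank lines and lines whose first field is not an IP address."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, ignore
        for host in fields[1:]:                  # one IP may carry several names
            entries.append((ip, host.lower(), line_no))
    return entries


def is_search_domain(host):
    """True for a search-engine domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SEARCH_DOMAINS)


def find_hijacks(text):
    """Entries that override a search engine (at any address, since pinning
    one to 127.0.0.1 is itself the hijack), or that map a name to an address
    other than a sinkhole. Returns (line_no, host, ip, reason)."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue
        if is_search_domain(host):
            findings.append((line_no, host, str(ip), "search engine overridden"))
        elif ip not in SINKHOLES:
            findings.append((line_no, host, str(ip), "mapped to a non-sinkhole address"))
    return findings


def count_blocked(text):
    """How many names the file pins to a sinkhole (what a block list adds)."""
    return sum(1 for ip, host, _ in parse_hosts(text)
               if host != "localhost" and ip in SINKHOLES)


if __name__ == "__main__":
    # On the affected machine:
    # text = open(r"C:\Windows\System32\drivers\etc\hosts", errors="replace").read()
    for line_no, host, ip, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({reason})")
    print(f"{count_blocked(SAMPLE_HOSTS)} names sinkholed")
```

Run against the freshly installed MVPS file, find_hijacks should return nothing and count_blocked should be in the thousands; a non-zero finding after the replacement means something is rewriting the file again and the autostart entries, not the hosts file, are the place to look next.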

 


 


#15 Piermontsteve

  • Topic Starter
  • Members
  • 17 posts
  • Local time:08:13 AM

Posted 13 May 2015 - 09:57 PM

Ran ComboFix with the file inserted... hung for 1 hr... cancelled, rebooted, inserted the file again and it ran, deleted some files, and produced the log below.

Still having redirects away from any search engine but Bing.

Inserted the hosts file as you said... went smoothly, very quick. Hope you hang in and keep trying... Thanks

 

ComboFix 15-05-09.01 - Steve 05/13/2015  22:21:44.7.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3998.2203 [GMT -4:00]
Running from: C:\Users\Steve\Desktop\ComboFix.exe
Command switches used :: C:\Users\Steve\Desktop\CFScript.txt
AV: AVG AntiVirus 2015 *Disabled/Updated* {4D41356F-32AD-7C42-C820-63775EE4F413}
SP: AVG AntiVirus 2015 *Disabled/Updated* {F620D48B-1497-73CC-F290-58052563BEAE}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\LavasoftTcpService64.dll"
"c:\windows\SysWow64\LavasoftTcpService.dll"


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Windows\TEMP\nsvD7E9.tmp\nsDialogs.dll
C:\Windows\TEMP\nsvD7E9.tmp\System.dll
C:\Windows\TEMP\nsvD7E9.tmp\UAC.dll

---- Previous Run -------

C:\Windows\TEMP\nslBEED.tmp\nsDialogs.dll
C:\Windows\TEMP\nslBEED.tmp\System.dll
C:\Windows\TEMP\nslBEED.tmp\UAC.dll


(((((((((((((((((((((((((   Files Created from 2015-04-14 to 2015-05-14  )))))))))))))))))))))))))))))))


2015-05-14 02:27:12 . 2015-05-14 02:27:12    --------    d-----w-    C:\Users\Default\AppData\Local\temp
2015-05-11 20:04:04 . 2015-05-14 01:46:37    --------    d-----w-    C:\ProgramData\MFAData
2015-05-11 17:41:58 . 2015-05-11 17:41:58    --------    d-----w-    C:\RegBackup
2015-05-11 05:08:44 . 2015-05-11 18:31:11    136408    ----a-w-    C:\Windows\system32\drivers\MBAMSwissArmy.sys
2015-05-11 05:07:17 . 2015-05-11 05:07:18    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-05-11 05:07:17 . 2015-04-14 13:37:56    63704    ----a-w-    C:\Windows\system32\drivers\mwac.sys
2015-05-11 05:07:17 . 2015-04-14 13:37:46    107736    ----a-w-    C:\Windows\system32\drivers\mbamchameleon.sys
2015-05-11 05:07:17 . 2015-04-14 13:37:42    25816    ----a-w-    C:\Windows\system32\drivers\mbam.sys
2015-05-11 03:35:25 . 2015-05-11 16:54:12    --------    d-----w-    C:\AdwCleaner
2015-05-10 18:12:18 . 2015-04-30 14:50:58    429392    ----a-w-    C:\Windows\system32\LavasoftTcpService64.dll
2015-05-10 18:12:16 . 2015-04-30 14:50:56    347976    ----a-w-    C:\Windows\SysWow64\LavasoftTcpService.dll
2015-05-10 17:35:44 . 2015-05-11 16:33:50    --------    d-----w-    C:\FRST
2015-05-10 15:33:14 . 2015-05-10 15:33:14    --------    d-sh--w-    C:\Users\Steve\AppData\Local\EmieUserList
2015-05-10 15:33:14 . 2015-05-10 15:33:14    --------    d-sh--w-    C:\Users\Steve\AppData\Local\EmieSiteList
2015-05-10 15:33:14 . 2015-05-10 15:33:14    --------    d-sh--w-    C:\Users\Steve\AppData\Local\EmieBrowserModeList
2015-04-28 02:51:39 . 2015-04-28 02:51:39    --------    d-----w-    C:\Program Files (x86)\Lame For Audacity
2015-04-28 02:16:42 . 2015-05-06 14:45:40    --------    d-----w-    C:\Users\Steve\AppData\Roaming\Audacity
2015-04-28 02:16:09 . 2015-04-28 02:16:16    --------    d-----w-    C:\Program Files (x86)\Audacity
2015-04-27 03:56:36 . 2015-04-27 04:06:08    --------    d-----w-    C:\Users\Steve\AppData\Local\WinZip
2015-04-27 03:56:36 . 2015-04-27 03:57:09    --------    d-----w-    C:\ProgramData\WinZip
2015-04-27 03:56:25 . 2015-04-27 03:56:35    --------    d-----w-    C:\Program Files\WinZip
2015-04-27 01:52:53 . 2015-04-27 01:53:11    --------    d-----w-    C:\Users\Steve\AppData\Local\Garmin_Ltd._or_its_subsid
2015-04-26 02:43:55 . 2015-04-26 02:43:55    --------    d-----w-    C:\Program Files (x86)\Common Files\Java
2015-04-26 02:42:59 . 2015-04-26 02:42:37    111016    ----a-w-    C:\Windows\system32\WindowsAccessBridge-64.dll
2015-04-26 02:16:26 . 2015-04-29 01:43:59    --------    d-----w-    C:\Program Files (x86)\PdaNet for iPhone
2015-04-26 02:16:26 . 2007-03-07 17:13:20    17920    ----a-w-    C:\Windows\system32\drivers\pnetmdm64.sys
2015-04-21 13:09:31 . 2015-04-21 13:09:50    --------    d-----w-    C:\Program Files\iTunes
2015-04-21 13:09:31 . 2015-04-21 13:09:31    --------    d-----w-    C:\Program Files\iPod
2015-04-21 13:09:31 . 2015-04-21 13:09:31    --------    d-----w-    C:\Program Files (x86)\iTunes
2015-04-21 12:12:27 . 2012-08-21 17:01:20    33240    ----a-w-    C:\Windows\system32\drivers\GEARAspiWDM.sys
2015-04-21 04:02:55 . 2015-04-21 04:02:55    --------    d-----w-    C:\Users\Steve\AppData\Roaming\JGsoft
2015-04-21 04:02:48 . 2015-04-21 04:02:48    --------    d-----w-    C:\Program Files\Just Great Software
2015-04-17 06:25:34 . 2015-04-17 06:25:34    --------    d-----w-    C:\Users\Steve\AppData\Local\Macroplant_LLC
2015-04-17 06:24:22 . 2015-05-11 02:42:47    --------    d-----w-    C:\Program Files (x86)\iExplorer
2015-04-17 01:34:34 . 2015-04-17 04:15:11    --------    d-----w-    C:\Program Files (x86)\iPhone Backup Unlocker Standard
2015-04-16 04:39:13 . 2015-04-21 03:26:10    --------    d-----w-    C:\Users\Steve\AppData\Roaming\DiskAid
2015-04-16 02:53:01 . 2015-04-16 02:53:01    --------    d-----w-    C:\Users\Steve\AppData\Local\iMobie_Inc
2015-04-16 02:52:51 . 2015-04-16 02:52:51    --------    d-----w-    C:\Users\Steve\AppData\Roaming\iMobie
2015-04-16 02:52:41 . 2015-04-16 02:52:41    --------    d-----w-    C:\Program Files (x86)\iMobie
2015-04-15 17:06:02 . 2015-04-15 17:06:02    256992    ----a-w-    C:\Windows\system32\drivers\avgldx64.sys
.


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2015-04-26 02:48:17 . 2012-11-21 04:57:04    778416    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2015-04-26 02:48:17 . 2012-11-21 04:57:04    142512    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-04-26 02:48:03 . 2015-01-25 13:47:02    17593008    ----a-w-    C:\Windows\SysWow64\FlashPlayerInstaller.exe
2015-04-09 18:11:14 . 2015-04-09 18:11:14    284128    ----a-w-    C:\Windows\system32\drivers\avgidsdrivera.sys
2015-04-07 16:39:26 . 2015-04-07 16:39:26    291296    ----a-w-    C:\Windows\system32\drivers\avgtdia.sys
2015-04-03 13:34:12 . 2015-04-03 13:34:12    137184    ----a-w-    C:\Windows\system32\drivers\avgmfx64.sys
2015-03-20 16:18:18 . 2015-03-20 16:18:18    40928    ----a-w-    C:\Windows\system32\drivers\avgrkx64.sys
2015-03-11 16:16:06 . 2015-03-11 16:16:06    162784    ----a-w-    C:\Windows\system32\drivers\avgdiska.sys
2015-03-11 16:13:36 . 2015-03-11 16:13:36    344544    ----a-w-    C:\Windows\system32\drivers\avgloga.sys
2015-03-11 16:13:28 . 2015-03-11 16:13:28    213984    ----a-w-    C:\Windows\system32\drivers\avgidsha.sys
2013-01-25 21:14:30 . 2013-01-25 21:14:30    3579256    ----a-w-    C:\Program Files (x86)\iPCU.exe
2013-01-25 21:07:50 . 2013-01-25 21:07:50    260424    ----a-w-    C:\Program Files (x86)\Nlog.dll
2013-01-25 21:07:48 . 2013-01-25 21:07:48    94536    ----a-w-    C:\Program Files (x86)\ManagedMobileDevice.dll
2013-01-25 21:07:48 . 2013-01-25 21:07:48    42824    ----a-w-    C:\Program Files (x86)\CoreFoundation.NET.dll
2013-01-25 21:07:48 . 2013-01-25 21:07:48    36168    ----a-w-    C:\Program Files (x86)\iPCUScripting.dll
2013-01-25 21:07:48 . 2013-01-25 21:07:48    192328    ----a-w-    C:\Program Files (x86)\DTConfigKit.dll
2013-01-25 21:07:48 . 2013-01-25 21:07:48    179528    ----a-w-    C:\Program Files (x86)\Ionic.Zip.Reduced.dll
2013-01-25 21:07:48 . 2013-01-25 21:07:48    1263944    ----a-w-    C:\Program Files (x86)\BouncyCastle.Crypto.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04:54    131480    ----a-w-    C:\Users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04:54    131480    ----a-w-    C:\Users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04:54    131480    ----a-w-    C:\Users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="C:\Users\Steve\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 15:53:36 4441920]
"ApplePhotoStreams"="C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2014-11-21 18:20:38 43816]
"GarminExpressTrayApp"="C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe" [2015-04-23 18:00:06 1403224]
"iCloudServices"="C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2014-11-21 18:20:52 43816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-19 16:50:37 1022152]
"Adobe Creative Cloud"="C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" [2014-05-26 17:57:30 2688920]
"AdobeCS5ServiceManager"="C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 03:10:47 402432]
"ADSK DLMSession"="C:\Program Files (x86)\Common Files\Autodesk Shared\Autodesk Download Manager\DLMSession.exe" [2012-05-15 23:56:08 1632216]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-03-20 22:12:26 60712]
"QuickTime Task"="C:\Program Files (x86)\QuickTime\QTTask.exe" [2014-10-02 19:23:12 421888]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2015-04-10 15:47:38 335232]
"SwitchBoard"="C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 17:37:14 517096]
"AVG_UI"="C:\Program Files (x86)\AVG\AVG2015\avgui.exe" [2015-04-15 17:17:20 3745232]

C:\Users\Steve\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2015-4-2 43382072]
PdaNet Desktop.lnk - C:\Program Files (x86)\PdaNet for iPhone\PdaNetPC.exe [2015-4-28 227128]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
GoPro Importer.lnk - C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe [2014-12-16 3169792]
hueyTray.lnk - C:\Program Files (x86)\Pantone\huey\hueyTray.exe [2012-12-7 901120]
MCE Controller.lnk - C:\Program Files (x86)\Kindel Systems\MCE Controller\MCEControl.exe [2013-1-6 1708032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

R1 CSN5PDTS82;CSN5PDTS82 NDIS Protocol Driver;C:\Windows\system32\Drivers\CSN5PDTS82.sys;C:\Windows\SYSNATIVE\Drivers\CSN5PDTS82.sys [x]
R1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;C:\Windows\system32\Drivers\CSN5PDTS82x64.sys;C:\Windows\SYSNATIVE\Drivers\CSN5PDTS82x64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\system32\IEEtwCollector.exe;C:\Windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe;C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\system32\drivers\mwac.sys;C:\Windows\SYSNATIVE\drivers\mwac.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys;C:\Windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys;C:\Windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys;C:\Windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys;C:\Windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys;C:\Windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe;C:\Windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WPRO_41_2001;WinPcap Packet Driver (WPRO_41_2001);C:\Windows\system32\drivers\WPRO_41_2001.sys;C:\Windows\SYSNATIVE\drivers\WPRO_41_2001.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 AVGIDSHA;AVGIDSHA;C:\Windows\system32\DRIVERS\avgidsha.sys;C:\Windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]
S0 Avgloga;AVG Logging Driver;C:\Windows\system32\DRIVERS\avgloga.sys;C:\Windows\SYSNATIVE\DRIVERS\avgloga.sys [x]
S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys;C:\Windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys;C:\Windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]
S0 iaStorA;iaStorA;C:\Windows\system32\DRIVERS\iaStorA.sys;C:\Windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;C:\Windows\system32\DRIVERS\iaStorF.sys;C:\Windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S1 Avgdiska;AVG Disk Driver;C:\Windows\system32\DRIVERS\avgdiska.sys;C:\Windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]
S1 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\avgidsdrivera.sys;C:\Windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys;C:\Windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]
S1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys;C:\Windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 Autodesk Content Service;Autodesk Content Service;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe;C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe;C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [x]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe;C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [x]
S2 Garmin Device Interaction Service;Garmin Device Interaction Service;C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe;C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe;C:\Program Files\Intel\iCLS Client\HeciServer.exe [x]
S2 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys;C:\Windows\SYSNATIVE\drivers\npf.sys [x]
S2 PasswordBox;PasswordBox;C:\Program Files (x86)\PasswordBox\pbbtnService.exe;C:\Program Files (x86)\PasswordBox\pbbtnService.exe [x]
S2 RegAss;RegAss;C:\Windows\system32\RegAss.exe;C:\Windows\SYSNATIVE\RegAss.exe [x]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe;C:\Program Files\CyberLink\Shared files\RichVideo64.exe [x]
S2 TeamViewer9;TeamViewer 9;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [x]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys;C:\Windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 MBAMProtector;MBAMProtector;C:\Windows\system32\drivers\mbam.sys;C:\Windows\SYSNATIVE\drivers\mbam.sys [x]
S3 pnetmdm;PdaNet Modem;C:\Windows\system32\DRIVERS\pnetmdm64.sys;C:\Windows\SYSNATIVE\DRIVERS\pnetmdm64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys;C:\Windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]


Contents of the 'Scheduled Tasks' folder

2015-05-14 C:\Windows\Tasks\Adobe Flash Player Updater.job
- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-21 04:57:04 . 2015-04-26 02:48:19]


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco1]
@="{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}"
[HKEY_CLASSES_ROOT\CLSID\{AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47}]
2014-05-23 06:10:48    671904    ----a-w-    C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco2]
@="{853B7E05-C47D-4985-909A-D0DC5C6D7303}"
[HKEY_CLASSES_ROOT\CLSID\{853B7E05-C47D-4985-909A-D0DC5C6D7303}]
2014-05-23 06:10:48    671904    ----a-w-    C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ AccExtIco3]
@="{42D38F2E-98E9-4382-B546-E24E4D6D04BB}"
[HKEY_CLASSES_ROOT\CLSID\{42D38F2E-98E9-4382-B546-E24E4D6D04BB}]
2014-05-23 06:10:48    671904    ----a-w-    C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04:54    164760    ----a-w-    C:\Users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04:54    164760    ----a-w-    C:\Users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04:54    164760    ----a-w-    C:\Users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2014-06-24 22:04:54    164760    ----a-w-    C:\Users\Steve\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2014-02-28 00:38:18 558496]
"Autodesk Sync"="C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe" [2012-07-25 20:01:18 418280]
"cAudioFilterAgent"="C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2011-12-15 20:19:36 564352]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2014-06-03 20:55:38 399856]
"IAStorIcon"="C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2013-07-15 17:16:38 36352]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2014-06-03 20:55:40 172016]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2015-04-07 04:28:16 169768]
"Logitech Download Assistant"="C:\Windows\System32\LogiLDA.dll" [2012-09-20 21:02:06 1832760]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2014-06-03 20:55:40 442352]

------- Supplementary Scan -------

uLocal Page = C:\Windows\system32\blank.htm
mLocal Page = C:\Windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.81.1
FF - ProfilePath - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\vtwnki1i.default\

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-MozillaMaintenanceService - C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe


"ImagePath"="\"C:\Program Files\CyberLink\Shared files\RichVideo64.exe\"\00Z
[\]^_¤\00\00¤\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~¤\00\00¤\00\00\00\00¤\00\00\00\00\00\00\00\00‘’“"


--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{7F6AFBF1-E065-4627-A2FD-810366367D01}"=hex:51,66,7a,6c,4c,1d,38,12,9f,f8,79,
   7b,57,ae,49,03,dd,eb,c2,43,63,68,39,15
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:85,ce,18,59,1a,cd,ce,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_169_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_17_0_0_169_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_17_0_0_169_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.17"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_17_0_0_169.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

------------------------ Other Running Processes ------------------------

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
C:\Windows\SysWOW64\RegAss.exe
C:\Program Files (x86)\PasswordBox\application_update.exe
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

**************************************************************************

Completion time: 2015-05-13  22:32:05 - machine was rebooted
ComboFix-quarantined-files.txt  2015-05-14 02:32:04
ComboFix2.txt  2015-05-13 00:40:55

Pre-Run: 423,906,103,296 bytes free
Post-Run: 423,824,928,768 bytes free

- - End Of File - - AC499A5B7D532308E2A7456634019762
5C616939100B85E558DA92B899A0FC36