
Can't Remove Super-Resume.com Pop-up Malware


  • This topic is locked
6 replies to this topic

#1 datasci

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 09 November 2015 - 01:24 PM

My computer has persistent pop-ups from "Super-Resume.com" which has evaded a number of security precautions and attempts to find and remove it.

It's gone on for at least 6 months.

The pesky pop-up always advertises "super-resume.com" with a https://href.li/ link.

Here's the security that was in place during the original infection and every time the malware has popped up, without ever setting off any warning or alert:

  1. Symantec Endpoint Protection (Virus, Spyware, Proactive Threat and Network Threat Protection modules all enabled and updated)
  2. Daily anti-virus and anti-malware scan
  3. Corporate firewall

Here are the things that have been done off the top of my head to try to find/remove it:

  1. Uninstalled and reinstalled Mozilla Firefox
  2. Tried using different builds of Firefox, including Beta and Alpha releases (now back to the production release)
  3. Many Malwarebytes scans
  4. Removing all browser addons
  5. Using Adblock Plus with pop-ups disabled
  6. Many Spybot Search and Destroy scans
  7. Audited the registry
  8. Many CCleaner runs

All failed miserably. Nothing ever detected a threat and nothing has prevented the pop-up from recurring. User has not visited an infected site since the original infection.

Finally, just today I was getting the pop-up again and I found a semi-related thread on the Malwarebytes forum that suggested using ComboFix (a la this website, bleepingcomputer.com). So I tried that and it went through the whole long process, but the pop-ups are still occurring. I have appended the log.

Any thoughts?

ComboFix 15-11-09.01 - kchen 11/09/2015  11:28:44.1.4 - x64
Microsoft Windows 7 Enterprise N   6.1.7601.1.1252.1.1033.18.16334.11638 [GMT -5:00]
Running from: c:\users\kchen\Downloads\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
FW: Symantec Endpoint Protection *Enabled* {6BFC5632-188D-B806-D13E-C607121B42A0}
SP: Symantec Endpoint Protection *Enabled/Updated* {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\JonDoFox.paf.exe
c:\users\kchen\AppData\Local\assembly\tmp
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome.manifest
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\asyncDB.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\background.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\browserAction.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\contextMenu.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\dbManager.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\dom_bg.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\fileManager.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\firefox.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\firefoxNotifications.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\firefoxOmnibox.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\message.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\pageAction.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\request.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\tabs.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\webRequest.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\api\windowsMessagingHandler.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\background.html
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\baseObject.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\browser.xul
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\addressBarChangeObserver.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\console.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\consts.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\delegate.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\extensionDataStore.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\folderIOWrapper.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\httpObserver.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\IDBWrapper.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\installer.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\logFile.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\prefs.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\progressListenerObserver.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\registry.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\reloadObserver.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\reports.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\requestObject.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\searchSettings.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\uninstallObserver.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\updateManager.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\utils.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\core\xhr.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\dialog.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\ffCoreFilesIndex.txt
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\main.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\migration.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\options.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\options.xul
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\platformVersion.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\search_dialog.xul
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\chrome\content\setup.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\defaults\preferences\prefs.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\manifest.xml
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins.json
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\1.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\13.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\14.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\16.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\17.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\177.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\182.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\183.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\207.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\21.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\22.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\28.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\4.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\47.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\64.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\7.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\72.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\78.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\9.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\plugins\98.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\userCode\background.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\extensionData\userCode\extension.js
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\install.rdf
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\locale\en-US\translations.dtd
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\button1.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\button2.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\button3.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\button4.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\button5.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\crossrider_statusbar.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\icon128.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\icon16.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\icon24.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\icon48.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\panelarrow-up.png
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\popup.html
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\skin.css
c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\extensions\crossriderapp13872@crossrider.com\skin\update.css
c:\users\kchen\CURL.EXE
c:\windows\apppatch\AppLoc.exe
c:\windows\cyggcc_s-1.dll
c:\windows\msdownld.tmp
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2015-10-09 to 2015-11-09  )))))))))))))))))))))))))))))))
.
.
2015-11-09 16:40 . 2015-11-09 16:40    --------    d-----w-    c:\users\ppeng\AppData\Local\temp
2015-11-09 16:40 . 2015-11-09 16:40    --------    d-----w-    c:\users\postgres\AppData\Local\temp
2015-11-09 16:40 . 2015-11-09 16:40    --------    d-----w-    c:\users\kaseya_install\AppData\Local\temp
2015-11-09 16:40 . 2015-11-09 16:40    --------    d-----w-    c:\users\kchen.MD-LT05255\AppData\Local\temp
2015-11-09 16:40 . 2015-11-09 16:40    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-11-09 16:40 . 2015-11-09 16:40    --------    d-----w-    c:\users\Administrator\AppData\Local\temp
2015-11-07 21:02 . 2015-11-07 21:02    --------    d-----w-    C:\Snort
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-10-16 19:50 . 2012-08-22 19:40    780488    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-10-16 19:50 . 2011-05-25 19:20    142536    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-10-08 15:12 . 2014-05-19 10:58    110688    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2015-08-19 12:50 . 2013-10-16 14:53    581176    ----a-w-    c:\windows\system32\SymVPN.dll
2015-08-19 12:50 . 2013-10-16 14:53    52792    ----a-w-    c:\windows\SysWow64\snacnp.dll
2015-08-19 12:50 . 2013-10-16 14:53    425528    ----a-w-    c:\windows\SysWow64\SymVPN.dll
2015-08-19 12:50 . 2013-10-16 14:53    39384    ----a-w-    c:\windows\system32\drivers\WGX64.SYS
2015-08-19 12:50 . 2013-10-16 14:53    140344    ----a-w-    c:\windows\SysWow64\FwsVpn.dll
2015-08-19 12:50 . 2013-10-10 14:51    59960    ----a-w-    c:\windows\system32\snacnp.dll
2015-08-19 12:50 . 2013-10-16 14:53    467512    ----a-w-    c:\windows\system32\sysfer.dll
2015-08-19 12:50 . 2013-10-16 14:53    369208    ----a-w-    c:\windows\SysWow64\sysfer.dll
2015-08-19 12:50 . 2013-10-16 14:53    168304    ----a-w-    c:\windows\system32\drivers\SysPlant.sys
2015-08-19 12:50 . 2013-10-16 14:53    160312    ----a-w-    c:\windows\system32\FwsVpn.dll
2015-08-13 02:44 . 2015-03-10 13:27    631504    ----a-w-    c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-09-11 13:57 . 2014-09-11 13:57    536256    ----a-w-    c:\program files (x86)\Handle.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2013-04-22 720064]
"Lync"="c:\program files\Microsoft Office 15\root\office15\lync.exe" [2015-08-12 24059464]
"Office Timeline Performance Helper"="c:\program files (x86)\Office Timeline\Current\OfficeTimelineStartup.exe" [2015-03-02 13056]
"Epic Privacy Browser Installer"="c:\users\kchen\AppData\Local\Epic Privacy Browser\Installer\EpicUpdate.exe" [2015-08-04 509096]
"join.me.launcher"="c:\users\kchen\AppData\Local\join.me.launcher\join.me.launcher.exe" [2015-07-20 168720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"OMClient"="c:\program files (x86)\iPass\Open Mobile\bin\iMobility.exe" [2014-08-06 1349632]
"Communicator"="c:\program files (x86)\Microsoft Lync\communicator.exe" [2010-10-22 11937552]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2015-06-17 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2015-08-04 597552]
.
c:\users\kchen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
EvernoteClipper.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteClipper.exe [2015-9-3 1195016]
EvernoteTray.lnk - c:\program files (x86)\Evernote\Evernote\EvernoteTray.exe [2015-9-3 402952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
xServer - (xChanger View Increasing Server).lnk - c:\program files\xChanger\xServer.exe [2014-10-6 330240]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableSecureUIAPaths"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"UseDefaultTile"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceRunOnStartMenu"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"AlwaysShowClassicMenu"= 1 (0x1)
"ClearRecentProgForNewUserInStartMenu"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages    REG_MULTI_SZ       kerberos msv1_0 schannel wdigest tspkg pku2u livessp msoidssp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4116589685-853428776-1685442481-74104\Scripts\Logon\0\0]
"Script"=\\loe.corp\netlogon\InstKasSEP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4116589685-853428776-1685442481-74104\Scripts\Logon\1\0]
"Script"=mdlogon.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KALRTDCT49214969531673]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 KALRTDCT49214969531673;Kaseya Agent;c:\program files (x86)\Kaseya\LRTDCT49214969531673\AgentMon.exe;c:\program files (x86)\Kaseya\LRTDCT49214969531673\AgentMon.exe [x]
R2 ManageEngine AssetExplorer Agent;ManageEngine AssetExplorer Agent;c:\program files (x86)\ManageEngine\AssetExplorer\bin\agentmonitor.exe;c:\program files (x86)\ManageEngine\AssetExplorer\bin\agentmonitor.exe [x]
R2 Publication Service;Publication Service for xDB Replication Server.;c:\program files (x86)\PostgreSQL\EnterpriseDB-xDBReplicationServer\scripts\ServiceWrapper.exe;c:\program files (x86)\PostgreSQL\EnterpriseDB-xDBReplicationServer\scripts\ServiceWrapper.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 Subscription Service;Subscription Service for xDB Replication Server.;c:\program files (x86)\PostgreSQL\EnterpriseDB-xDBReplicationServer\scripts\ServiceWrapper.exe;c:\program files (x86)\PostgreSQL\EnterpriseDB-xDBReplicationServer\scripts\ServiceWrapper.exe [x]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x]
R3 andnetadb;ADB Interface DriverNet;c:\windows\system32\Drivers\lgandnetadb.sys;c:\windows\SYSNATIVE\Drivers\lgandnetadb.sys [x]
R3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetdiag64.sys [x]
R3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetmodem64.sys [x]
R3 asvpndrv;Astrill SSL VPN Adapter;c:\windows\system32\DRIVERS\asvpndrv.sys;c:\windows\SYSNATIVE\DRIVERS\asvpndrv.sys [x]
R3 bcbtums;Bluetooth RAM Firmware Download USB Filter;c:\windows\system32\drivers\bcbtums.sys;c:\windows\SYSNATIVE\drivers\bcbtums.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys;c:\windows\SYSNATIVE\DRIVERS\e1k62x64.sys [x]
R3 FlexNet Licensing Service 64;FlexNet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService64.exe [x]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys;c:\windows\SYSNATIVE\drivers\HECIx64.sys [x]
R3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM60x64.sys;c:\windows\SYSNATIVE\drivers\ifM60x64.sys [x]
R3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52X64.sys;c:\windows\SYSNATIVE\drivers\ifP52X64.sys [x]
R3 iMobilityService;iMobilityService;c:\program files (x86)\iPass\Open Mobile\bin\iMobilityService.exe;c:\program files (x86)\iPass\Open Mobile\bin\iMobilityService.exe [x]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys;c:\windows\SYSNATIVE\drivers\iusb3hub.sys [x]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys;c:\windows\SYSNATIVE\drivers\iusb3xhc.sys [x]
R3 ManageEngine AssetExplorer RemoteControl;ManageEngine AssetExplorer RemoteControl;c:\program files (x86)\ManageEngine\AssetExplorer\RemoteControl\Service.exe;c:\program files (x86)\ManageEngine\AssetExplorer\RemoteControl\Service.exe [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 NvStUSB;NVIDIA Stereoscopic 3D USB driver;c:\windows\system32\drivers\nvstusb.sys;c:\windows\SYSNATIVE\drivers\nvstusb.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 rimspci;rimspci;c:\windows\system32\drivers\rimspe64.sys;c:\windows\SYSNATIVE\drivers\rimspe64.sys [x]
R3 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe64.sys;c:\windows\SYSNATIVE\drivers\risdpe64.sys [x]
R3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe64.sys;c:\windows\SYSNATIVE\drivers\rixdpe64.sys [x]
R3 SmbDrv;SmbDrv;c:\windows\system32\drivers\Smb_driver_AMDASF.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_AMDASF.sys [x]
R3 SmbDrvI;SmbDrvI;c:\windows\system32\drivers\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\drivers\Smb_driver_Intel.sys [x]
R3 SyDvCtrl;SyDvCtrl;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin64\SyDvCtrl64.sys;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin64\SyDvCtrl64.sys [x]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]
R3 Te.Service;Te.Service;c:\program files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe;c:\program files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys;c:\windows\SYSNATIVE\Drivers\VBoxUSB.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 VsEtwService120;Visual Studio ETW Event Collection Service;c:\program files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe;c:\program files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0153;RsFx0153 Driver;c:\windows\system32\DRIVERS\RsFx0153.sys;c:\windows\SYSNATIVE\DRIVERS\RsFx0153.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE;c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys;c:\windows\SYSNATIVE\drivers\iusb3hcs.sys [x]
S0 SymEFASI;Symantec Extended File Attributes (SI);c:\windows\system32\drivers\symefasi\0501010.002\symefasi.sys;c:\windows\SYSNATIVE\drivers\symefasi\0501010.002\symefasi.sys [x]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys;c:\windows\SYSNATIVE\DRIVERS\vmci.sys [x]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys;c:\windows\SYSNATIVE\drivers\vsock.sys [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\BASHDefs\20151023.011\BHDrvx64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\BASHDefs\20151023.011\BHDrvx64.sys [x]
S1 ccSettings_{074772AE-B3BA-4F23-8E12-773353CB6A63};Symantec Endpoint Protection 12.1.6168.6000.105 Settings Manager;c:\windows\system32\Drivers\SEP\0C011818\1770.105\x64\ccSetx64.sys;c:\windows\SYSNATIVE\Drivers\SEP\0C011818\1770.105\x64\ccSetx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\IPSDefs\20151106.011\IDSvia64.sys;c:\programdata\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Definitions\IPSDefs\20151106.011\IDSvia64.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\Drivers\SEP\0C011818\1770.105\x64\Ironx64.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C011818\1770.105\x64\Ironx64.SYS [x]
S1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\Drivers\SEP\0C011818\1770.105\x64\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\SEP\0C011818\1770.105\x64\SYMNETS.SYS [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxUSBMon.sys [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [x]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 EnterpriseDBApachePHP;EnterpriseDB ApachePHP;c:\program files (x86)\PostgreSQL\EnterpriseDB-ApachePHP\apache\bin\httpd.exe;c:\program files (x86)\PostgreSQL\EnterpriseDB-ApachePHP\apache\bin\httpd.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;c:\program files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe;c:\program files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [x]
S2 IntelHaxm;Intel HAXM Service;c:\windows\system32\DRIVERS\IntelHaxm.sys;c:\windows\SYSNATIVE\DRIVERS\IntelHaxm.sys [x]
S2 iPlatformService;iPlatformService;c:\program files (x86)\iPass\Open Mobile\omsi\iPlatformService.exe;c:\program files (x86)\iPass\Open Mobile\omsi\iPlatformService.exe [x]
S2 IpOverUsbSvc;Windows Phone IP over USB Transport (IpOverUsbSvc);c:\program files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe;c:\program files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe [x]
S2 msoidsvc;Microsoft Online Services Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE;c:\program files\Common Files\Microsoft Shared\Microsoft Online Services\MSOIDSVC.EXE [x]
S2 pcapsvc;ProxyCap Service;c:\program files\Proxy Labs\ProxyCap\pcapsvc.exe;c:\program files\Proxy Labs\ProxyCap\pcapsvc.exe [x]
S2 postgresql-x64-9.1;postgresql-x64-9.1 - PostgreSQL Server 9.1;c:\program files\PostgreSQL\9.1\bin\pg_ctl.exe runservice -N postgresql-x64-9.1 -D C:/Program Files/PostgreSQL/9.1/data -w;c:\program files\PostgreSQL\9.1\bin\pg_ctl.exe runservice -N postgresql-x64-9.1 -D C:/Program Files/PostgreSQL/9.1/data -w [x]
S2 postgresql-x64-9.3;postgresql-x64-9.3 - PostgreSQL Server 9.3;c:\program files\PostgreSQL\9.3\bin\pg_ctl.exe runservice -N postgresql-x64-9.3 -D C:/Program Files/PostgreSQL/9.3/data -w;c:\program files\PostgreSQL\9.3\bin\pg_ctl.exe runservice -N postgresql-x64-9.3 -D C:/Program Files/PostgreSQL/9.3/data -w [x]
S2 postgresql-x64-9.4;postgresql-x64-9.4 - PostgreSQL Server 9.4;c:\program files\PostgreSQL\9.4\bin\pg_ctl.exe;c:\program files\PostgreSQL\9.4\bin\pg_ctl.exe [x]
S2 Process Blocker;Process Blocker;c:\program files\Softros Systems\Process Blocker\Process Blocker.exe;c:\program files\Softros Systems\Process Blocker\Process Blocker.exe [x]
S2 SepMasterService;Symantec Endpoint Protection;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S3 AESTAud;IDT AE Audio Service;c:\windows\system32\drivers\AESTAu64.sys;c:\windows\SYSNATIVE\drivers\AESTAu64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]
S3 KAPFA;KAPFA;c:\windows\system32\drivers\KAPFA.SYS;c:\windows\SYSNATIVE\drivers\KAPFA.SYS [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SPUVCbv;SPUVCb Driver Service;c:\windows\system32\Drivers\SPUVCbv_x64.sys;c:\windows\SYSNATIVE\Drivers\SPUVCbv_x64.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys;c:\windows\SYSNATIVE\DRIVERS\VBoxNetFlt.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-11-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-22 19:50]
.
2015-11-09 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-4116589685-853428776-1685442481-74104.job
- c:\program files (x86)\Citrix\GoToMeeting\3770\g2mupdate.exe [2015-10-30 14:53]
.
2015-11-09 c:\windows\Tasks\G2MUploadTask-S-1-5-21-4116589685-853428776-1685442481-74104.job
- c:\program files (x86)\Citrix\GoToMeeting\3770\g2mupload.exe [2015-10-30 14:53]
.
2015-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-02-02 14:56]
.
2015-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2015-02-02 14:56]
.
2015-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4116589685-853428776-1685442481-74104Core.job
- c:\users\kchen\AppData\Local\Google\Update\GoogleUpdate.exe [2015-07-20 16:39]
.
2015-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4116589685-853428776-1685442481-74104UA.job
- c:\users\kchen\AppData\Local\Google\Update\GoogleUpdate.exe [2015-07-20 16:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2015-08-12 03:15    2340472    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2015-08-12 03:15    2340472    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2015-08-12 03:15    2340472    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\grooveex.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 14:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-02-01 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-02-01 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-02-01 416024]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-01-31 2041192]
"ProxyCap"="c:\progra~1\PROXYL~1\ProxyCap\pcapui.exe" [2014-07-06 2599936]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://stackoverflow.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: Clip bookmark - c:\program files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=0
IE: Clip image - c:\program files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - c:\program files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - c:\program files (x86)\Evernote\Evernote\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - c:\program files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: New note - c:\program files (x86)\Evernote\Evernote\EvernoteIERes\NewNote.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: adp.com
Trusted Zone: campuscruiser.com\my
Trusted Zone: canternet.corp\onyx
Trusted Zone: knowlagentondemand.com\laureate
Trusted Zone: mdbpsonyx1
Trusted Zone: mdiisonyx5
Trusted Zone: mdiisonyx6
Trusted Zone: mdiisonyx7
Trusted Zone: ohecampus.com
Trusted Zone: onyx
Trusted Zone: waldenu.edu
TCP: DhcpNameServer = 172.18.81.51 172.16.25.51 172.16.25.52 172.16.25.55
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL
DPF: {538793D5-659C-4639-A56C-A179AD87ED44} - hxxps://balt.remote.laureate.net/CACHE/stc/1/binaries/vpnweb.cab
DPF: {98A52828-A5D6-11D3-82B8-00104B39A31D} - hxxp://onyx.canternet.corp/onyxemployeeportal_onyx/OnyxMaskEdit2Dual.cab
DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} - hxxp://mdappbanner3.loe.corp:9090/forms/jinitiator/jinit.exe
FF - ProfilePath - c:\users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Astrill - c:\program files (x86)\Astrill\astrill.exe
HKLM_Wow6432Node-ActiveSetup-{8A69D345-D564-463c-AFF1-A69D9E530F96} - c:\program files (x86)\Google\Chrome\Application\46.0.2490.71\Installer\chrmstp.exe
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-AESTFltr - c:\windows\system32\AESTFltr.exe
AddRemove-MultiBit 0.5.18 - c:\program files (x86)\Java\jre7\bin\javaw.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\postgresql-x64-9.1]
"ImagePath"="\"c:\program files\PostgreSQL\9.1\bin\pg_ctl.exe\" runservice -N \"postgresql-x64-9.1\" -D \"C:/Program Files/PostgreSQL/9.1/data\" -w"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\postgresql-x64-9.3]
"ImagePath"="\"c:\program files\PostgreSQL\9.3\bin\pg_ctl.exe\" runservice -N \"postgresql-x64-9.3\" -D \"C:/Program Files/PostgreSQL/9.3/data\" -w"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SepMasterService]
"ImagePath"="\"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Bin\sms.dll\" /prefetch:1"
"ImagePath"="system32\Drivers\SEP\0C011818\1770.105\x64\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\bin;c:\program files (x86)\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\bin64"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_19_0_0_226_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.19"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_19_0_0_226.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\iPass\Open Mobile\omsi\iPlatformHost.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\TeamViewer\TeamViewer_Service.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\RealVNC\VNC4\WinVNC4.exe
c:\program files (x86)\RealVNC\VNC4\winvnc4.exe
c:\windows\SysWOW64\CCM\CcmExec.exe
c:\program files (x86)\VMware\VMware Player\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\iPass\Open Mobile\omsi\iPlatformHost.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Evernote\Evernote\Evernote.exe
c:\program files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
c:\program files (x86)\Microsoft Office\Office15\UcMapi.exe
c:\program files (x86)\Common Files\Java\Java Update\jucheck.exe
c:\program files (x86)\Microsoft Office\Office15\lynchtmlconv.exe
c:\program files (x86)\Mozilla Firefox\firefox.exe
c:\program files (x86)\Mozilla Firefox\plugin-container.exe
c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_226.exe
c:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_226.exe
.
**************************************************************************
.
Completion time: 2015-11-09  11:55:32 - machine was rebooted
ComboFix-quarantined-files.txt  2015-11-09 16:55
.
Pre-Run: 295,444,639,744 bytes free
Post-Run: 294,907,281,408 bytes free
.
- - End Of File - - 4FA1FC3176F3586AE0D71E20B1D6C722
A36C5E4F47E84449FF07ED3517B43A31
 




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,246 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:40 AM

Posted 12 November 2015 - 09:56 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===


How is the computer running now?
Wait for further instructions.

#3 datasci

datasci
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 13 November 2015 - 10:13 AM

Thanks for your help, nasdaq!

I followed your directions and I did not need to uncheck any items. I think it must be the "Crossrider" thing, because I've seen this come up in prior malware scans and regenerate itself after being removed. Here's the log:

 

# AdwCleaner v5.020 - Logfile created 13/11/2015 at 10:02:39
# Updated 13/11/2015 by Xplode
# Database : 2015-11-13.3 [Server]
# Operating system : Windows 7 Enterprise N Service Pack 1 (x64)
# Username : kchen - MD-LT05255
# Running from : C:\Users\kchen\Downloads\adwcleaner_5.020.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
[-] Key Deleted : HKCU\Software\distromatic
[-] Key Deleted : [x64] HKLM\SOFTWARE\Description
[!] Key Not Deleted : HKU\S-1-5-21-4116589685-853428776-1685442481-74104\Software\distromatic

***** [ Web browsers ] *****

[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossrider.bic", "148655df94f4fa1e96fbce48c7a85271");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.InstallationTime", 1410449931);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.active", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.addressbar", "NA");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.addressbarenhanced", "");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.asyncdb.was_copied", "true");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.asyncinternaldb.was_copied", "true");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.backgroundver", 8);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.certdomaininstaller", "");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.changeprevious", false);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.cookie.InstallationTime.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.cookie.InstallationTime.value", "1410449931");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.cookie.pluginOn.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.cookie.pluginOn.value", "true");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.cookie.searchOn.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.cookie.searchOn.value", "true");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.crossriderapp13872@crossrider.comasyncdb_dbWasSet", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.crossriderapp13872@crossrider.comasyncdb_dbWasSet_FF25_FIX", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.crossriderapp13872@crossrider.comasyncinternaldb_dbWasSet", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.crossriderapp13872@crossrider.comasyncinternaldb_dbWasSet_FF25_FIX", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.crossriderapp13872@crossrider.comcrossriderapp13872_dbWasSet", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.crossriderapp13872@crossrider.comcrossriderapp13872_dbWasSet_FF25_FIX", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.description", "See articles on Google Scholar, PubMed, and Google search which are available on DeepDyve. This Official DeepDyve plug-in makes it easy by[...]
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.domain", "");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.enablesearch", false);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.homepage", "");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.iframe", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.InstallerParamsCache.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.InstallerParamsCache.value", "%7B%22source_id%22%3A%220%22%2C%22sub_id%22%3A%220%22%2C%22uzid%22%3A%220%22%7D");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_appVer.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_appVer.value", "86");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_lastVersion.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_lastVersion.value", "21");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_meta.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_meta.value", "%7B%22html/output.xml%22%3A%7B%22id%22%3A806800%2C%22ver%22%3A21%2C%22status%22%3A1%2C%22name%22%3A%22html/output.xml%[...]
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_nextCheck.expiration", "Mon May 18 2015 14:55:30 GMT-0400 (Eastern Standard Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_nextCheck.value", "true");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_queue.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_queue.value", "%7B%7D");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_remote_resources.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Eastern Daylight Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_remote_resources.value", "%7B%22remoteId%22%3A0%7D");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_resource_806802.expiration", "Tue Aug 11 2015 10:26:24 GMT-0400 (Eastern Standard Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_resource_806802.value", "%22%3Chtml%3E%5Cr%5Cn%5Ct%3Chead%3E%5Cr%5Cn%5Ct%5Ct%3Clink%20rel%3D%5C%22stylesheet%5C%22%20type%3D%5C%22te[...]
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_resource_806805.expiration", "Tue Aug 11 2015 10:26:24 GMT-0400 (Eastern Standard Time)");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.internaldb.Resources_resource_806805.value", "%22data%3Aimage/png%3Bbase64%2CAAABAAEAEBAAAAAAAABoBQAAFgAAACgAAAAQAAAAIAAAAAEACAAAAAAAAAEAAAAAAAAAAAAAAAEA[...]
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.lastDailyReport", "1431953602020");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.lastUpdate", "1431953730478");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.manifesturl", "");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.name", "DeepDyve Plugin");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.newtab", "");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.opensearch", "");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.pluginsurl", "hxxps://w9u6a2p6.ssl.hwcdn.net/plugin/apps/13872/plugins/na/ff/plugins.json");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.pluginsversion", 28);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.publisher", "DeepDyve");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.searchstatus", 0);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.setnewtab", false);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.thankyou", "hxxp://crossrider.com/thank_you/13872");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.updateinterval", 360);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.13872.ver", 86);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.apps", "13872");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.bic", "148655df94f4fa1e96fbce48c7a85271");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.cid", 13872);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.firstrun", false);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.hadappinstalled", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.installationdate", 1410449931);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.modetype", "production");
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.reportInstall", true);
[-] [C:\Users\kchen\AppData\Roaming\Mozilla\Firefox\Profiles\7sn4bphk.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossriderapp13872.statsDailyCounter", 557);
[-] [C:\Users\kchen\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\kchen\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\kchen\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : privatelee.com
[-] [C:\Users\kchen\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\kchen\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\kchen\AppData\Local\Chromium\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\kchen\AppData\Local\Chromium\User Data\Default\Web Data] [Search Provider] Deleted : aol.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [32995 bytes] ##########
 



#4 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 November 2015 - 10:48 AM

Is your problem solved?

If not, run the other tools.

#5 datasci

  • Topic Starter
  • Members
  • 3 posts

Posted 13 November 2015 - 11:23 AM

@nasdaq I think my problem is solved... as long as it doesn't regenerate. Like with a human virus, the only way I'll know for sure is if some time goes by and it doesn't come back.


If it does, I'll try Farbar, as you suggested.

Thanks much!



#6 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 November 2015 - 08:56 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 nasdaq

  • Malware Response Team
  • 40,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 November 2015 - 08:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



