
hicosmea


This topic is locked
19 replies to this topic

#1 careful

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 PM

Posted 26 November 2015 - 05:10 AM

windows 7, intel core i7, 16 GB RAM, 64 bit OS

 

I had posted before, but I didn't see the response until too late, and the email was sent to spam. I uninstalled the coupon.com program from Add & Remove in Control Panel before posting this, and Malwarebytes removed the hicosmea (that is what it said, anyway). This seems to come back, though? I will be more diligent in watching for a response, thanks.

Below is the FRST.txt, and attached is the Addition.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:18-11-2015
Ran by Petit (administrator) on PETIT-PC (26-11-2015 05:01:37)
Running from C:\Users\Petit\Desktop\malware
Loaded Profiles: Petit (Available Profiles: Petit)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Ulrich Krebs) C:\Program Files (x86)\Kalender\Kalender.exe
(GFI Software Ltd.) C:\Program Files (x86)\GFI\GFI BackUp Freeware\GFIAgent.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
(GFI Software Ltd.) C:\Program Files (x86)\GFI\GFI BackUp Freeware\GFIFInst.exe
(GFI Software Ltd.) C:\Program Files (x86)\GFI\GFI BackUp Freeware\GFIFSched.exe
() C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
(Ruiware) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Siber Systems) C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
(Dropbox, Inc.) C:\Users\Petit\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
() C:\Program Files\Macrium\Reflect\ReflectService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Windows Mail\WinMail.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\SysWOW64\cmd.exe
(Siber Systems Inc.) C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome-nm-host.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11613288 2010-11-19] (Realtek Semiconductor)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [617120 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe [379552 2011-03-13] (Atheros Commnucations)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2417032 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-10-16] (Apple Inc.)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60688 2015-10-13] (Apple Inc.)
HKLM-x32\...\Run: [DBAgent] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1454216 2012-06-07] (Seagate Technology LLC)
HKLM-x32\...\Run: [CanonQuickMenu] => C:\Program Files (x86)\Canon\Quick Menu\CNQMMAIN.EXE [1282632 2013-07-23] (CANON INC.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [6133520 2015-11-09] (AVAST Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2015-08-06] (Apple Inc.)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [Kalender] => C:\Program Files (x86)\Kalender\Kalender.exe [933888 2010-08-22] (Ulrich Krebs)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [GFI BackUp Freeware] => C:\Program Files (x86)\GFI\GFI BackUp Freeware\GFIAgent.exe [2318704 2012-02-16] (GFI Software Ltd.)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [Uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [119984 2012-06-07] (Seagate Technology LLC)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [Google Update] => C:\Users\Petit\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-08-30] (Google Inc.)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1238152 2015-05-17] (Ruiware)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [Dropbox Update] => C:\Users\Petit\AppData\Local\Dropbox\Update\DropboxUpdate.exe [134512 2015-06-19] (Dropbox, Inc.)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [60688 2015-10-21] (Apple Inc.)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [61200 2015-10-21] (Apple Inc.)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Run: [RoboForm] => C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [110160 2015-09-21] (Siber Systems)
HKU\S-1-5-21-1307173437-486162635-2919381003-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [241664 2010-11-20] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-09-22] (AVAST Software)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll [2015-11-04] (Dropbox, Inc.)
Startup: C:\Users\Petit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2015-11-14]
ShortcutTarget: Dropbox.lnk -> C:\Users\Petit\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{B9B1F45C-399E-4AA1-93AE-B99067BF3371}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2015-09-21] (Siber Systems Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-08-18] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll [2010-11-08] (CANON INC.)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2015-09-21] (Siber Systems Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-07-31] (Oracle Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2011-03-13] (Atheros Commnucations)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-08-18] (AVAST Software)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-07-31] (Oracle Corporation)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2015-09-21] (Siber Systems Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll [2015-09-21] (Siber Systems Inc.)
Toolbar: HKLM-x32 - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll [2010-11-08] (CANON INC.)
Toolbar: HKU\S-1-5-21-1307173437-486162635-2919381003-1000 -> &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll [2015-09-21] (Siber Systems Inc.)
Toolbar: HKU\S-1-5-21-1307173437-486162635-2919381003-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T28L10NSP9-15980/webex/ieatgpc1.cab
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2015-08-14] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2015-08-14] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2015-08-14] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2015-08-14] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default
FF DefaultSearchEngine.US: Google
FF SearchEngineOrder.3: Bing
FF Homepage: google.com
FF Session Restore: -> is enabled.
FF Keyword.URL: hxxp://www.bing.com/search?FORM=U079DF&PC=U079&q=
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-14] ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll [2013-08-10] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-14] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1216156.dll [2015-01-09] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-08] ()
FF Plugin-x32: @dynamsoft.com/DynamicWebTwainPlugin -> C:\Windows\SysWOW64\dynamsoft\dynamicwebtwain\NPDynamicWebTwain.dll [2013-12-17] (Dynamsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-07-31] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-07-31] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-16] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2011-02-28] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2011-02-28] (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1307173437-486162635-2919381003-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Petit\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2013-07-15] (Citrix Online)
FF Plugin HKU\S-1-5-21-1307173437-486162635-2919381003-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Petit\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin HKU\S-1-5-21-1307173437-486162635-2919381003-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Petit\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-15] (Google Inc.)
FF Plugin HKU\S-1-5-21-1307173437-486162635-2919381003-1000: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101799.dll [2013-03-07] (Amazon.com, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll [2012-10-19] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2015-11-14] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2015-11-14] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2015-11-14] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2015-11-14] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2015-11-14] (Apple Inc.)
FF Extension: NoSquint - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\extensions\nosquint@urandom.ca.xpi [2015-05-29]
FF Extension: Print Without Ads - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\extensions\printwithoutads@oleg.vaskevich.xpi [2015-05-29]
FF Extension: Garmin Communicator - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [2015-05-29]
FF Extension: IE View Lite - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\extensions\{FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3}.xpi [2015-05-29]
FF Extension: No Color - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\extensions\{ae443e4d-02db-4eef-bcc2-0f1b17edb941}.xpi [2015-05-29]
FF Extension: Page Zoom Button - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org.xpi [2015-05-29]
FF Extension: Print Edit - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\extensions\printedit@DW-dev.xpi [2015-10-02]
FF Extension: Amazon Price Tracker - Keepa.com - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\amptra@keepa.com.xpi [2015-11-09]
FF Extension: HTTPS-Everywhere - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\https-everywhere@eff.org [2015-05-16] [not signed]
FF Extension: No Name - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\jid0-5R3LLpyrG0a1kPDXAA8ZKmM0bgM@jetpack.xpi [2015-05-29] [not signed]
FF Extension: No Name - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\jid1-qj0w91o64N7Eeg@jetpack.xpi [2015-10-31] [not signed]
FF Extension: KeeFox - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\keefox@chris.tomlinson [2015-09-13]
FF Extension: Open in IE - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\openinie@wittersworld.com.xpi [2015-09-09]
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2015-05-29]
FF Extension: BugMeNot Plugin - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi [2015-05-29]
FF Extension: Adblock Plus - C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-11-26]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-09-22] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi
FF Extension: No Name - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi [2015-09-21] [not signed]
FF HKU\S-1-5-21-1307173437-486162635-2919381003-1000\...\Firefox\Extensions: [{22119944-ED35-4ab1-910B-E619EA06A115}] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi
FF Extension: No Name - C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi [2015-09-21] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "chrome://syncpromo/?is_launch_page=true&source=&next_page=chrome%3A%2F%2Fnewtab%2F","hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Adblock Plus) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-11-25]
CHR Extension: (Google Search) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (HTML5 video for YouTube™) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\dolajcekhnohkpncmhgledbmndjpblei [2014-08-07]
CHR Extension: (Avast SafePrice) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2015-10-30]
CHR Extension: (Avast Online Security) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-11-03]
CHR Extension: (IE Tab) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd [2015-11-15]
CHR Extension: (Zoom Text Only) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\jamhfhbppcmkgghlkeieococonlbppjg [2015-06-26]
CHR Extension: (Zoomy) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgfonhdeiaaflpgphemdgfkjimojblie [2015-06-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-25]
CHR Extension: (Gmail) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-03]
CHR Extension: (RoboForm Password Manager) - C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob [2015-11-09]
CHR HKLM\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2014-03-17]
CHR HKU\S-1-5-21-1307173437-486162635-2919381003-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-05-20]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-05-20]
CHR HKLM-x32\...\Chrome\Extension: [pnlccmojcmeohlpggmfnbbiapkmbliob] - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx [2014-03-17]
StartMenuInternet: Google Chrome.FTBPBSSRZHNZT4PNMXNBJVL5J4 - C:\Users\Petit\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [74912 2011-03-13] (Atheros Commnucations) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [146600 2015-09-22] (AVAST Software)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2012-05-09] (Macrovision Europe Ltd.) [File not signed]
R2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [186200 2013-03-20] (Garmin Ltd or its subsidiaries)
R2 GFIBckFAtt; C:\Program Files (x86)\GFI\GFI BackUp Freeware\GFIFInst.exe [1011056 2012-02-16] (GFI Software Ltd.)
R2 GFIBckFSched; C:\Program Files (x86)\GFI\GFI BackUp Freeware\GFIFSched.exe [2664816 2012-02-16] (GFI Software Ltd.)
R2 GsServer; C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe [5345968 2012-05-08] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 PMBDeviceInfoProvider; C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [474168 2012-04-22] (Sony Corporation)
R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [301760 2012-09-25] ()
R2 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [14528 2012-06-07] (Seagate Technology LLC)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-09-22] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [90968 2015-09-22] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-09-22] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-09-22] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1059656 2015-11-09] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449992 2015-11-09] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [153744 2015-09-22] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [274808 2015-09-22] (AVAST Software)
S3 cricut; C:\Windows\System32\DRIVERS\cricut_x64.sys [72248 2012-09-27] ()
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 LVPr2M64; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-07] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-11-26] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 MODEMCSA; C:\Windows\System32\drivers\MODEMCSA.sys [24064 2009-07-13] (Microsoft Corporation)
S3 PSMounter; C:\Windows\system32\drivers\psmounter.sys [57496 2012-04-26] (Macrium Software)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-25 12:35 - 2015-11-25 12:35 - 00000000 ___RD C:\Users\Petit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2015-11-24 13:19 - 2015-11-24 13:19 - 00536576 _____ C:\Users\Petit\Downloads\DynamicWebTWAINPlugIn (1).msi
2015-11-22 05:00 - 2015-11-25 12:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-11-21 08:06 - 2015-11-21 08:06 - 00417074 _____ C:\Users\Petit\Downloads\Christmas-Lanterns.zip
2015-11-18 07:36 - 2015-11-18 07:55 - 00000000 ____D C:\Users\Petit\Desktop\malware
2015-11-18 07:33 - 2015-11-18 07:33 - 05198336 _____ (AVAST Software) C:\Users\Petit\Downloads\aswMBR.exe
2015-11-18 07:31 - 2015-11-18 07:32 - 00000000 ____D C:\Users\Petit\Documents\hijackthis
2015-11-18 06:31 - 2015-11-18 06:32 - 00048751 _____ C:\Users\Petit\Downloads\Addition.txt
2015-11-18 06:30 - 2015-11-26 05:01 - 00000000 ____D C:\FRST
2015-11-14 15:56 - 2015-11-14 15:56 - 00000000 ____D C:\Users\Petit\AppData\Local\Apple Inc
2015-11-14 15:56 - 2015-11-14 15:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
2015-11-14 15:55 - 2015-11-14 15:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-11-14 15:54 - 2015-11-14 15:55 - 00000000 ____D C:\Program Files\iTunes
2015-11-14 15:54 - 2015-11-14 15:54 - 00000000 ____D C:\Program Files\iPod
2015-11-14 15:54 - 2015-11-14 15:54 - 00000000 ____D C:\Program Files (x86)\iTunes
2015-11-14 15:53 - 2015-11-14 15:53 - 00000000 ____D C:\Program Files\Bonjour
2015-11-14 15:53 - 2015-11-14 15:53 - 00000000 ____D C:\Program Files (x86)\Bonjour
2015-11-14 15:51 - 2015-11-14 15:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-11-14 15:51 - 2015-11-14 15:51 - 00000000 ____D C:\Program Files (x86)\QuickTime
2015-11-14 15:50 - 2015-11-14 15:50 - 00000000 ____D C:\Windows\System32\Tasks\Apple
2015-11-14 15:50 - 2015-11-14 15:50 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2015-11-14 06:24 - 2015-11-14 06:24 - 00000000 ____D C:\Users\Petit\Documents\Router
2015-11-11 03:50 - 2015-11-11 03:50 - 00000000 ____D C:\Users\Petit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-26 04:56 - 2012-05-07 15:23 - 02001981 _____ C:\Windows\WindowsUpdate.log
2015-11-26 04:42 - 2012-05-09 01:44 - 00000000 ____D C:\Users\Petit\AppData\Roaming\UK's Kalender
2015-11-26 04:40 - 2015-06-19 04:22 - 00000918 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000UA.job
2015-11-26 04:40 - 2012-05-08 16:54 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000UA.job
2015-11-26 04:39 - 2015-06-16 06:10 - 00000658 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-1307173437-486162635-2919381003-1000.job
2015-11-26 04:39 - 2014-06-24 11:54 - 00000562 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-1307173437-486162635-2919381003-1000.job
2015-11-26 04:39 - 2014-06-18 13:56 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-26 04:39 - 2013-03-26 05:21 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-11-26 04:39 - 2012-05-11 01:06 - 00000000 _____ C:\Windows\system32\Drivers\lvuvc.hs
2015-11-25 12:44 - 2009-07-13 23:45 - 00027360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-25 12:44 - 2009-07-13 23:45 - 00027360 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-25 12:41 - 2009-07-14 00:13 - 00789504 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-25 12:36 - 2013-01-01 07:43 - 00000000 ___RD C:\Users\Petit\Dropbox
2015-11-25 12:36 - 2013-01-01 07:36 - 00000000 ____D C:\Users\Petit\AppData\Roaming\Dropbox
2015-11-25 12:35 - 2012-05-08 16:08 - 00062433 _____ C:\Windows\setupact.log
2015-11-25 12:35 - 2012-05-07 12:56 - 00000000 ____D C:\ProgramData\NVIDIA
2015-11-25 12:35 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-25 12:34 - 2012-05-11 04:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-11-25 12:34 - 2012-05-08 22:42 - 00234822 _____ C:\Windows\PFRO.log
2015-11-25 12:27 - 2015-06-19 04:22 - 00000866 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000Core.job
2015-11-25 12:25 - 2012-05-08 16:54 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000Core.job
2015-11-25 06:54 - 2012-12-22 06:30 - 00000000 ____D C:\Users\Petit\Documents\Christlst
2015-11-25 06:25 - 2012-05-08 23:39 - 00000000 ____D C:\Users\Petit\Documents\surveys
2015-11-24 11:09 - 2015-08-27 14:31 - 00000000 ____D C:\Users\Petit\Documents\patterns
2015-11-24 10:51 - 2012-05-12 20:54 - 00000000 ____D C:\Users\Petit\Desktop\studyhints
2015-11-23 11:54 - 2012-05-26 12:41 - 00000000 ____D C:\Users\Petit\AppData\Local\CrashDumps
2015-11-18 11:59 - 2015-05-20 12:26 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-11-18 06:14 - 2013-11-28 06:35 - 00000000 ____D C:\Users\Petit\AppData\LocalLow\Unity
2015-11-14 15:54 - 2012-05-10 17:03 - 00000000 ____D C:\Program Files\Common Files\Apple
2015-11-14 15:50 - 2012-05-08 19:55 - 00002519 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2015-11-14 07:35 - 2013-03-26 05:21 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-11-14 07:35 - 2012-05-11 13:19 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-11-14 07:35 - 2012-05-11 13:19 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-11-09 17:06 - 2015-05-20 12:25 - 01059656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2015-11-09 17:06 - 2015-05-20 12:25 - 00449992 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2015-11-08 14:19 - 2012-12-04 06:20 - 00000000 ____D C:\Users\Petit\Documents\recipe
2015-11-06 18:52 - 2012-05-08 23:43 - 00000000 ____D C:\Users\Petit\Desktop\comunities
2015-11-06 14:18 - 2014-11-15 05:21 - 00000000 ____D C:\Users\Petit\Documents\healthcare
2015-11-03 17:00 - 2014-11-15 14:08 - 00000000 ____D C:\Users\Petit\Documents\classaction
2015-11-03 05:48 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-30 14:33 - 2015-07-07 13:47 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-10-30 14:32 - 2014-12-24 08:21 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-10-30 07:22 - 2012-05-09 02:37 - 00000000 ____D C:\Users\Petit\Documents\Quicken
2015-10-30 07:22 - 2012-05-09 00:02 - 00000000 ____D C:\Users\Petit\Desktop\bookmrk
2015-10-28 06:31 - 2015-06-16 06:10 - 00003684 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-1307173437-486162635-2919381003-1000
2015-10-28 06:31 - 2014-06-24 11:54 - 00003588 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-1307173437-486162635-2919381003-1000

==================== Files in the root of some directories =======

2012-11-13 14:06 - 2012-12-14 14:19 - 16672456 _____ (Gathr) C:\Program Files (x86)\Common Files\lpuninstall.exe
2015-08-01 07:22 - 2015-08-04 06:16 - 0007620 _____ () C:\Users\Petit\AppData\Local\Resmon.ResmonCfg

Some files in TEMP:
====================
C:\Users\Petit\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpxp2yfu.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-11-10 08:26

==================== End of FRST.txt ============================


Edited by careful, 26 November 2015 - 05:13 AM.




#2 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 26 November 2015 - 08:38 PM

Hello careful and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.

Thanks
---------------------------------------------------------------------------------------------------------
Step 1:
Scan with ZOEK:

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
emptyclsid;
iedefaults;
FFdefaults;
CHRdefaults;
emptyfolderscheck;delete
ipconfig /flushdns;b

  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive).

Post its content into your next reply.

 

Step 2:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete or Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4:

Please download ZHPcleaner to your desktop.

  • Double click on ZHPCleaner to run the tool.
  • If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
  • Please click the button shown in the screenshot.
  • Then press the ''Repair'' button.
  • Browsers will automatically shut down.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

Edited by olgun52, 26 November 2015 - 08:42 PM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 careful

careful
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 PM

Posted 27 November 2015 - 10:46 AM

OK, I did step 1.

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Petit on Fri 11/27/2015 at 10:23:58.82.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Petit\Desktop\malware\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

11/27/2015 10:25:50 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\NStorm deleted successfully
C:\PROGRA~2\Windows Home Server deleted successfully
C:\PROGRA~3\CanonEPP deleted successfully
C:\PROGRA~3\CanonIJEPPEX2 deleted successfully
C:\Users\Petit\AppData\Roaming\10586 deleted successfully
C:\Users\Petit\AppData\Roaming\Malwarebytes deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1307173437-486162635-2919381003-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C255C8A-E604-49b4-9D64-90988571CECB} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\prefs.js:
user_pref("browser.startup.homepage", "google.com");
user_pref("browser.search.defaultenginename.US", "Google");
user_pref("services.sync.prefs.sync.browser.search.selectedEngine", true);
user_pref("keyword.URL", "http://www.bing.com/search?FORM=U079DF&PC=U079&q=");
user_pref("browser.search.useDBForOrder", true);

Added to C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\prefs.js:

Deleted from C:\Users\Petit\AppData\Roaming\Mozilla\SeaMonkey\Profiles\r3g924je.default\prefs.js:

Added to C:\Users\Petit\AppData\Roaming\Mozilla\SeaMonkey\Profiles\r3g924je.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20151127_1034_.backup

ProfilePath: C:\Users\Petit\AppData\Roaming\Mozilla\SeaMonkey\Profiles\r3g924je.default

user.js not found
---- Lines Downloader.com removed from prefs.js ----
user_pref("browser.history.last_page_visited", "http://www.cys-audiovideodownloader.com/updated/version5632.html");
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 3);
---- FireFox user.js and prefs.js backups ----

prefs_20151127_1034_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\NStorm not found
C:\PROGRA~2\Windows Home Server not found
C:\PROGRA~2\Windows Live SkyDrive deleted
C:\Users\Petit\AppData\Roaming\calibre deleted
C:\Users\Petit\AppData\Roaming\Catalina Marketing Corp deleted
C:\PROGRA~3\InstallMate deleted
C:\PROGRA~3\{93E26451-CD9A-43A5-A2FA-C42392EA4001} deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Petit\AppData\Local\APN deleted
C:\Users\Petit\AppData\Local\{9786DD96-CA07-450D-A03E-6FA033ACF77F} deleted
C:\Users\Petit\AppData\Local\Unity deleted
C:\Users\Petit\Downloads\avast_free_antivirus_setup_online_cnet.exe deleted
C:\Users\Petit\Downloads\CouponActivator.exe deleted
C:\Users\Petit\Downloads\couponprinter (1).exe deleted
C:\Users\Petit\Downloads\CouponPrinter (2).exe deleted
C:\Users\Petit\Downloads\CouponPrinter(1).exe deleted
C:\Users\Petit\Downloads\CouponPrinter(2).exe deleted
C:\Users\Petit\Downloads\CouponPrinter.exe deleted
C:\Users\Petit\Downloads\CouponPrinterCPS (1).exe deleted
C:\Users\Petit\Downloads\CouponPrinterCPS (2).exe deleted
C:\Users\Petit\Downloads\CouponPrinterCPS.exe deleted
C:\Users\Petit\AppData\LocalLow\Unity deleted
C:\Windows\WININIT.INI deleted
C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\jetpack deleted
C:\Users\Petit\Downloads\wpsetup(1).exe deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Petit\AppData\Roaming\Mozilla\SeaMonkey\Profiles\r3g924je.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{22119944-ED35-4ab1-910B-E619EA06A115}"="C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi" [09/21/2015 05:51 AM]
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{22119944-ED35-4ab1-910B-E619EA06A115}"="C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox\roboform.xpi" [09/21/2015 05:51 AM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default
- HTTPS-Everywhere - %ProfilePath%\extensions\https-everywhere@eff.org
- KeeFox - %ProfilePath%\extensions\keefox@chris.tomlinson
- Garmin Communicator - %ProfilePath%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
- Page Zoom Button - %ProfilePath%\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org.xpi
- Amazon Price Tracker - Keepa.com - %ProfilePath%\extensions\amptra@keepa.com.xpi
- Coupons at Checkout - %ProfilePath%\extensions\jid0-5R3LLpyrG0a1kPDXAA8ZKmM0bgM@jetpack.xpi
- YouTube ALL HTML5 - %ProfilePath%\extensions\jid1-qj0w91o64N7Eeg@jetpack.xpi
- NoSquint - %ProfilePath%\extensions\nosquint@urandom.ca.xpi
- Open in IE - %ProfilePath%\extensions\openinie@wittersworld.com.xpi
- Print Edit - %ProfilePath%\extensions\printedit@DW-dev.xpi
- Print Without Ads - %ProfilePath%\extensions\printwithoutads@oleg.vaskevich.xpi
- Microsoft .NET Framework Assistant - %ProfilePath%\extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi
- BugMeNot Plugin - %ProfilePath%\extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi
- No Color - %ProfilePath%\extensions\{ae443e4d-02db-4eef-bcc2-0f1b17edb941}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- IE View Lite - %ProfilePath%\extensions\{FDD8ECF0-451A-414D-8C8F-7B7F78B0ECD3}.xpi

ProfilePath: C:\Users\Petit\AppData\Roaming\Mozilla\SeaMonkey\Profiles\r3g924je.default
- DOM - %ProfilePath%\extensions\inspector@mozilla.org
- FireShot - %ProfilePath%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
- IE Tab 2 SM 2.0 - %ProfilePath%\extensions\{486CD626-5781-11E2-906E-409F6188709B}
- ChatZilla - %ProfilePath%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
- Complete YouTube Saver - %ProfilePath%\extensions\{AF445D67-154C-4c69-A17B-7F392BCC36A3}
- Autofill Forms - %ProfilePath%\extensions\autofillForms@blueimp.net.xpi
- fireform - %ProfilePath%\extensions\fireform@mozilla.org.xpi
- Private Tab - %ProfilePath%\extensions\privateTab@infocatcher.xpi
- Download YouTube Videos as MP4 - %ProfilePath%\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- JavaScript Debugger - %ProfilePath%\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default
96BD4C7ED87690021739940042B2A909    - C:\Windows\SysWOW64\dynamsoft\dynamicwebtwain\NPDynamicWebTwain.dll -    Dynamic Web TWAIN Plugin
AD76B0F3348914E133455E52743C839D    - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1216156.dll -    Shockwave for Director / Shockwave for Director
F114FBA6246530B89DD1E04351E0EAC5    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll -    Shockwave Flash
7D127425BBE91DF37448A7F44C1DDA52    - C:\Users\Petit\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll -    Google Update
E3B4EA121F7BDEB0F6366E2BA9608CB5    - C:\Users\Petit\AppData\Local\Citrix\Plugins\104\npappdetector.dll -    Citrix Online Web Deployment Plugin 1.0.0.104


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[05/20/2015 12:25 PM]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[05/20/2015 12:25 PM]
pnlccmojcmeohlpggmfnbbiapkmbliob - C:\Program Files (x86)\Siber Systems\AI RoboForm\Chrome\rf-chrome.crx[09/21/2015 05:51 AM]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bmkckgpgekmanipelfidlhmkfcjicion - No path found[]

Avast SafePrice - Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Avast Online Security - Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
IE Tab - Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd
Zoom Text Only - Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\jamhfhbppcmkgghlkeieococonlbppjg
Zoomy - Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgfonhdeiaaflpgphemdgfkjimojblie
RoboForm - Petit\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://google.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://google.com/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Reset Google Chrome ======================

C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Preferences.bad was reset successfully
C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Preferences.bak was reset successfully
C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2} deleted successfully
HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Policies\Chromium deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Petit\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Petit\AppData\Local\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Petit\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Petit\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache is not empty, a reboot is needed

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=59 folders=32 70177188 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Petit\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Petit\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Petit\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Users\Petit\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PEM2BYYC\admin.brightcove.com"  not found
"C:\Users\Petit\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PEM2BYYC\f.vimeocdn.com"  not found
"C:\Users\Petit\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\PEM2BYYC\sadmin.brightcove.com"  not found

==== EOF on Fri 11/27/2015 at 10:40:53.84 ======================
 



#4 careful

careful
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 PM

Posted 27 November 2015 - 10:53 AM

Step 2

# AdwCleaner v5.022 - Logfile created 27/11/2015 at 10:57:33
# Updated 22/11/2015 by Xplode
# Database : 2015-11-22.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Petit - PETIT-PC
# Running from : C:\Users\Petit\Desktop\malware\adwcleaner_5.022.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[x] Folder Not Deleted : C:\Program Files (x86)\SmartSound Software

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70099F10-F25C-11d6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70099F70-F25C-11d6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70099FA8-F25C-11D6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70099FAF-F25C-11D6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70099FB0-F25C-11D6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70099FB8-F25C-11D6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70099FF0-F25C-11D6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{7009A000-F25C-11D6-8552-00065B31EEC6}
[-] Key Deleted : HKLM\SOFTWARE\SmartSound Software

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1737 bytes] ##########
 

 

Step 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Ultimate x64
Ran by Petit (Administrator) on Fri 11/27/2015 at 10:48:36.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\ProgramData\esellerate (Folder)
Successfully deleted: C:\Program Files\alawar (Folder)

Registry: 0


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 11/27/2015 at 10:51:03.16
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


Edited by careful, 27 November 2015 - 11:01 AM.


#5 careful

careful
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 PM

Posted 27 November 2015 - 11:12 AM

This is the final step.

~ ZHPCleaner v2015.11.25.385 by Nicolas Coolman (2015/11/25)
~ Run by Petit (Administrator)  (27/11/2015 11:10:34)
~ Site : http://www.nicolascoolman.fr
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\Petit\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Petit\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 7 Ultimate, 64-bit Service Pack 1 (Build 7601)


---\\  Services (0)
~ No malicious or unnecessary items found.


---\\  Browser internet (0)
~ No malicious or unnecessary items found.


---\\  Hosts file (1)
~ The hosts file is legitimate (21)


---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.


---\\  Explorer ( File, Folder) (3)
MOVED folder: C:\Windows\Installer\MSI1C82.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI2401.tmp-  =>Empty
MOVED folder: C:\Windows\Installer\MSI7D79.tmp-  =>Empty


---\\  Registry ( Key, Value, Data) (9)
DELETED data: [X64] HKLM\SOFTWARE\Classes\Opera.HTML\Shell\Open\Command\\Default [Bad : [html] "C:\Program Files (x86)\Opera\Opera.exe" "%1"]  =>Broken.OpenCommand
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Download.SwInstaller [SwInstaller Class]  =>PUP.Optional.CrossRider
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Download.SwInstaller.1 [SwInstaller Class]  =>PUP.Optional.CrossRider
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Download.SwInstallerAttributes [SwInstallerAttributes Class]  =>PUP.Optional.CrossRider
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Download.SwInstallerAttributes.1 [SwInstallerAttributes Class]  =>PUP.Optional.CrossRider
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Swdir.SwInstallerCtl [SwInstallerCtl Class]  =>PUP.Optional.CrossRider
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Swdir.SwInstallerCtl.1 [SwInstallerCtl Class]  =>PUP.Optional.CrossRider
DELETED key*: [X64] HKLM\SOFTWARE\Classes\CLSID\{320AF880-6646-11D3-ABEE-C5DBF3571F49} [SavePass]  =>PUP.Optional.CrossRider
DELETED key: [X64] HKLM\SOFTWARE\Classes\CLSID\{320AF880-6646-11D3-ABEE-C5DBF3571F49}\InprocServer32 [C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll]  =>PUP.Optional.CrossRider


---\\  Summary of the elements found (2)




---\\  Other deletions. (0)
~ Registry Keys Tracing deleted (0)
~ Remove the old reports ZHPCleaner. (0)


---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Google Chrome)


---\\ Statistics
~ Items scanned : 1411
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 12


~ End of clean in 0 minutes
===================
ZHPCleaner-[R]-27112015-11_10_59.txt
ZHPCleaner-[S]-27112015-11_07_01.txt
 



#6 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 27 November 2015 - 02:43 PM

Good job. :thumbup2:

How is the PC running now ?

---------------------------------------------------

Firefox Extensions ==>> Coupons at Checkout

Please check and If you see, delete it.

-------------------------------------------------------------------------

C:\Users\Petit\Downloads\CouponActivator.exe deleted
C:\Users\Petit\Downloads\CouponPrinter.exe deleted

----------------------------------------------------------------------------

Firefox proxy reset:

How to reset the proxy in Firefox

 

To check your Firefox proxy settings:

  1. Click the menu button and choose Options.
  2. Select the Advanced panel.
  3. Select the Network tab.
  4. In the Connection section, click Settings...
  5. Change your proxy settings:
    • If you don't connect to the Internet through a proxy (or don't know whether you connect through a proxy), select No Proxy.
  6. Click OK to close the Connection Settings window.
  7. Click OK to close the Options window.

================================================================================

Step 1:
 Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 2:

ComboFix run:

Please be sure to run our tools with administrator rights.

* IMPORTANT 1: Place ComboFix.exe on your Desktop

* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Have a nice day.
:hello:


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
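For the proxy check above, here is an added example (not code from the thread or from olgun52) that reads the same setting ComboFix later reports as `FF - prefs.js: network.proxy.type` straight from a Firefox profile's prefs.js, so the state can be verified without clicking through the Options dialog. It assumes the standard `user_pref("name", value);` line format and the documented `network.proxy.type` values (0 = no proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = system proxy); the two sample profiles are constructed, and the `192.0.2.10` proxy address is a placeholder from the documentation address range.

```python
"""Report Firefox proxy settings from a profile's prefs.js.

Added example (not from the thread). Assumes the standard prefs.js format:
    user_pref("name", value);
network.proxy.type values as documented by Mozilla:
    0 = no proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = use system proxy.
"""
import re
from pathlib import Path

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC URL", 4: "auto-detect", 5: "system"}

# Keys that name a manual proxy host; the matching port key carries a "_port" suffix.
MANUAL_HOST_KEYS = ("network.proxy.http", "network.proxy.ssl", "network.proxy.socks")


def parse_prefs(text: str) -> dict:
    """Parse user_pref lines into a dict; strings, booleans and integers are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and anything that is not a user_pref
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def proxy_report(prefs: dict) -> dict:
    """Summarise the proxy mode and list any configured proxy endpoints or PAC URL."""
    ptype = prefs.get("network.proxy.type", 5)  # absent key = Firefox default (system proxy)
    report = {"type": ptype, "label": PROXY_TYPES.get(ptype, "unknown"), "endpoints": []}
    if ptype == 1:
        # Manual proxy: every configured host is something to account for.
        for key in MANUAL_HOST_KEYS:
            host = prefs.get(key)
            if host:
                report["endpoints"].append(f"{key}={host}:{prefs.get(key + '_port', '')}")
    elif ptype == 2 and prefs.get("network.proxy.autoconfig_url"):
        # PAC URL: the script at this URL decides where traffic goes.
        report["endpoints"].append(f"autoconfig_url={prefs['network.proxy.autoconfig_url']}")
    return report


def check_profile(prefs_path) -> dict:
    """Convenience wrapper: read prefs.js from disk and report on it."""
    return proxy_report(parse_prefs(Path(prefs_path).read_text(encoding="utf-8")))


# Constructed samples (not taken from the machine in the thread).
SAMPLE_CLEAN = 'user_pref("network.proxy.type", 0);\n'
SAMPLE_MANUAL = '''\
user_pref("browser.startup.homepage", "google.com");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "192.0.2.10");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.share_proxy_settings", true);
'''

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("manual", SAMPLE_MANUAL)):
        r = proxy_report(parse_prefs(sample))
        print(f"{label}: network.proxy.type={r['type']} ({r['label']}) {r['endpoints']}")
```

Run it against the profile's own prefs.js with `check_profile(r"C:\Users\<name>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\prefs.js")` (Firefox should be closed so the file is current). A result of type 0 is what "No Proxy" in the dialog writes; type 1 or 2 with an endpoint you did not configure is the condition the step above is meant to catch.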

 


 


#7 careful

careful
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 PM

Posted 27 November 2015 - 06:36 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/27/2015
Scan Time: 6:10 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.27.04
Rootkit Database: v2015.11.26.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Petit

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 387977
Time Elapsed: 17 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Trojan.Poweliks.B, HKU\S-1-5-21-1307173437-486162635-2919381003-1000_Classes\WOW6432NODE\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, Quarantined, [4bb53c4765260630cdd3a75b916f26da],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
PUP.Optional.InstallCore, C:\Users\Petit\Desktop\download\clipboard\cnet2_freeclip_exe.exe, Quarantined, [966acfb40a813105ffeb81c8e0219070],
PUP.Optional.InstallCore, C:\Users\Petit\Desktop\download\duplicatefile\cnet2_FastDuplicateFileFinder_exe.exe, Quarantined, [f90793f06922999d6b7fc1883dc4f709],
PUP.Optional.InstallCore, C:\Users\Petit\Desktop\download\treesize\cnet2_TreeSizeFreeSetup_exe.exe, Quarantined, [7b85146ffa911b1bc32759f0ca37ec14],

Physical Sectors: 0
(No malicious items detected)


(end)


Edited by careful, 27 November 2015 - 06:56 PM.


#8 careful

careful
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:47 PM

Posted 27 November 2015 - 06:50 PM

ComboFix 15-11-27.01 - Petit 11/27/2015  18:41:38.1.8 - x64
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.16351.12920 [GMT -5:00]
Running from: c:\users\Petit\Desktop\malware\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Petit\AppData\Roaming\Microsoft\Windows\Recent\Amazon.com George Griffin Wish List(1).URL
c:\users\Petit\AppData\Roaming\Microsoft\Windows\Recent\Amazon.com George Griffin Wish List.URL
c:\users\Petit\g2mdlhlpx.exe
.
.
(((((((((((((((((((((((((   Files Created from 2015-10-27 to 2015-11-27  )))))))))))))))))))))))))))))))
.
.
2015-11-27 23:47 . 2015-11-27 23:47    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-11-27 23:45 . 2015-11-27 23:45    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{8FBB847E-D394-4365-9F57-184E476DC63C}\offreg.6592.dll
2015-11-27 16:03 . 2015-11-27 16:10    --------    d-----w-    c:\users\Petit\AppData\Roaming\ZHP
2015-11-27 15:55 . 2015-11-27 15:57    --------    d-----w-    C:\AdwCleaner
2015-11-27 15:37 . 2015-11-27 15:23    24064    ----a-w-    c:\windows\zoek-delete.exe
2015-11-27 15:37 . 2015-11-27 23:47    --------    d-----w-    c:\users\Petit\AppData\Local\Temp
2015-11-27 15:23 . 2015-11-27 15:34    --------    d-----w-    C:\zoek_backup
2015-11-24 12:05 . 2015-10-29 09:28    11138400    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{8FBB847E-D394-4365-9F57-184E476DC63C}\mpengine.dll
2015-11-18 11:30 . 2015-11-26 10:02    --------    d-----w-    C:\FRST
2015-11-14 20:56 . 2015-11-14 20:56    --------    d-----w-    c:\users\Petit\AppData\Local\Apple Inc
2015-11-14 20:54 . 2015-11-14 20:54    --------    d-----w-    c:\program files (x86)\iTunes
2015-11-14 20:54 . 2015-11-14 20:55    --------    d-----w-    c:\program files\iTunes
2015-11-14 20:54 . 2015-11-14 20:54    --------    d-----w-    c:\program files\iPod
2015-11-14 20:53 . 2015-11-14 20:53    --------    d-----w-    c:\program files\Bonjour
2015-11-14 20:53 . 2015-11-14 20:53    --------    d-----w-    c:\program files (x86)\Bonjour
2015-11-14 20:51 . 2015-11-14 20:51    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2015-11-14 20:51 . 2015-11-14 20:51    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2015-11-14 20:51 . 2015-11-14 20:51    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2015-11-14 20:51 . 2015-11-14 20:51    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2015-11-14 20:51 . 2015-11-14 20:51    159744    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2015-11-14 20:51 . 2015-11-14 20:51    --------    d-----w-    c:\program files (x86)\QuickTime
2015-11-14 20:50 . 2015-11-14 20:50    --------    d-----w-    c:\program files (x86)\Apple Software Update
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-11-27 23:34 . 2014-06-18 18:56    192216    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-11-14 12:35 . 2012-05-11 18:19    780488    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-11-14 12:35 . 2012-05-11 18:19    142536    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-11-09 22:06 . 2015-05-20 17:25    449992    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2015-11-09 22:06 . 2015-05-20 17:25    1059656    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2015-10-05 13:50 . 2014-06-18 18:56    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2015-10-05 13:50 . 2014-06-18 18:56    109272    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2015-10-05 13:50 . 2012-05-07 19:03    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2015-09-22 22:05 . 2015-09-22 22:05    378880    ----a-w-    c:\windows\system32\aswBoot.exe
2015-09-22 22:05 . 2015-05-20 17:25    153744    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2015-09-22 22:05 . 2015-05-20 17:25    274808    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2015-09-22 22:05 . 2015-05-20 17:25    65224    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2015-09-22 22:05 . 2015-05-20 17:25    90968    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2015-09-22 22:05 . 2015-05-20 17:25    28656    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2015-09-22 22:05 . 2015-05-20 17:25    93528    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2015-09-22 22:05 . 2015-09-22 22:05    43112    ----a-w-    c:\windows\avastSS.scr
2015-09-02 03:04 . 2015-10-03 13:03    41984    ----a-w-    c:\windows\system32\lpk.dll
2015-09-02 03:04 . 2015-10-03 13:03    100864    ----a-w-    c:\windows\system32\fontsub.dll
2015-09-02 03:04 . 2015-10-03 13:03    14336    ----a-w-    c:\windows\system32\dciman32.dll
2015-09-02 03:04 . 2015-10-03 13:03    46080    ----a-w-    c:\windows\system32\atmlib.dll
2015-09-02 02:48 . 2015-10-03 13:03    70656    ----a-w-    c:\windows\SysWow64\fontsub.dll
2015-09-02 02:48 . 2015-10-03 13:03    10240    ----a-w-    c:\windows\SysWow64\dciman32.dll
2015-09-02 02:48 . 2015-10-03 13:03    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2015-09-02 02:47 . 2015-10-03 13:03    25600    ----a-w-    c:\windows\SysWow64\lpk.dll
2015-09-02 01:51 . 2015-10-03 13:03    3209216    ----a-w-    c:\windows\system32\win32k.sys
2015-09-02 01:47 . 2015-10-03 13:03    372736    ----a-w-    c:\windows\system32\atmfd.dll
2015-09-02 01:33 . 2015-10-03 13:03    299520    ----a-w-    c:\windows\SysWow64\atmfd.dll
2012-12-14 19:19 . 2012-11-13 19:06    16672456    ----a-w-    c:\program files (x86)\Common Files\lpuninstall.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2015-11-04 23:46    198464    ----a-w-    c:\users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2015-11-04 23:46    198464    ----a-w-    c:\users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2015-11-04 23:46    198464    ----a-w-    c:\users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt.28.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kalender"="c:\program files (x86)\Kalender\Kalender.exe" [2010-08-22 933888]
"GFI BackUp Freeware"="c:\program files (x86)\GFI\GFI BackUp Freeware\GFIAgent.exe" [2012-02-16 2318704]
"Uploader"="c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [2012-06-07 119984]
"WinPatrol"="c:\program files (x86)\Ruiware\WinPatrol\winpatrol.exe" [2015-05-17 1238152]
"Dropbox Update"="c:\users\Petit\AppData\Local\Dropbox\Update\DropboxUpdate.exe" [2015-06-19 134512]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2015-10-21 60688]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2015-10-21 61200]
"RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2015-09-21 110160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-10-13 60688]
"DBAgent"="c:\program files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe" [2012-06-07 1454216]
"CanonQuickMenu"="c:\program files (x86)\Canon\Quick Menu\CNQMMAIN.EXE" [2013-07-23 1282632]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-11-09 6133520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2015-06-08 334896]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2015-08-06 421888]
.
c:\users\Petit\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Petit\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2015-5-4 36713096]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
"SoftwareSASGeneration"= 1 (0x1)
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [x]
R3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys;c:\windows\SYSNATIVE\Drivers\AthDfu.sys [x]
R3 cricut;cricut;c:\windows\system32\DRIVERS\cricut_x64.sys;c:\windows\SYSNATIVE\DRIVERS\cricut_x64.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
R3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys;c:\windows\SYSNATIVE\drivers\psmounter.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SrvHsfPCI;SrvHsfPCI;c:\windows\system32\DRIVERS\VSTBS26.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTBS26.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys;c:\windows\SYSNATIVE\DRIVERS\mv91xx.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 GFIBckFAtt;GFI BackUp Freeware Attendant Service;c:\progra~2\GFI\GFIBAC~1\GFIFInst.exe;c:\progra~2\GFI\GFIBAC~1\GFIFInst.exe [x]
S2 GFIBckFSched;GFI BackUp Freeware Scheduler Service;c:\progra~2\GFI\GFIBAC~1\GFIFSC~1.EXE;c:\progra~2\GFI\GFIBAC~1\GFIFSC~1.EXE [x]
S2 GsServer;GoodSync Server;c:\program files\Siber Systems\GoodSync\Gs-Server.exe;c:\program files\Siber Systems\GoodSync\Gs-Server.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe;c:\program files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [x]
S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe;c:\program files\Macrium\Reflect\ReflectService.exe [x]
S2 Seagate Dashboard Services;Seagate Dashboard Services;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe;c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]
S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
S3 CAXHWBS2;CAXHWBS2;c:\windows\system32\DRIVERS\CAXHWBS2.sys;c:\windows\SYSNATIVE\DRIVERS\CAXHWBS2.sys [x]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys;c:\windows\SYSNATIVE\DRIVERS\LVPr2M64.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech QuickCam S5500(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder
.
2015-11-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-11 12:35]
.
2015-11-27 c:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000Core.job
- c:\users\Petit\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2015-06-19 09:22]
.
2015-11-27 c:\windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000UA.job
- c:\users\Petit\AppData\Local\Dropbox\Update\DropboxUpdate.exe [2015-06-19 09:22]
.
2015-11-27 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-1307173437-486162635-2919381003-1000.job
- c:\users\Petit\AppData\Local\Citrix\GoToMeeting\3770\g2mupdate.exe [2015-10-28 11:31]
.
2015-11-27 c:\windows\Tasks\G2MUploadTask-S-1-5-21-1307173437-486162635-2919381003-1000.job
- c:\users\Petit\AppData\Local\Citrix\GoToMeeting\3770\g2mupload.exe [2015-10-28 11:31]
.
2012-05-11 c:\windows\Tasks\GoodSync - Cbackup.job
- c:\program files\Siber Systems\GoodSync\gsync.exe [2012-05-08 21:49]
.
2015-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000Core.job
- c:\users\Petit\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-08 10:01]
.
2015-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1307173437-486162635-2919381003-1000UA.job
- c:\users\Petit\AppData\Local\Google\Update\GoogleUpdate.exe [2012-05-08 10:01]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-09-22 22:05    780616    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2015-11-04 23:46    236352    ----a-w-    c:\users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2015-11-04 23:46    236352    ----a-w-    c:\users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2015-11-04 23:46    236352    ----a-w-    c:\users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2015-11-04 23:46    236352    ----a-w-    c:\users\Petit\AppData\Roaming\Dropbox\bin\DropboxExt64.28.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-19 11613288]
"AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2011-03-13 617120]
"AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2011-03-13 379552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2010-11-04 1580368]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-10-16 170256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Customize Menu - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Fill Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComFillForms.html
IE: Save Forms - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComSavePass.html
IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: Show RoboForm Toolbar - file://C:/Program Files (x86)/Siber Systems/AI RoboForm/RoboFormComShowToolbar.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Petit\AppData\Roaming\Mozilla\Firefox\Profiles\h1tzmmfl.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Magic Ball - c:\program files\Alawar\Magic Ball\uninstal.exe
AddRemove-{6c14a7ec-7ed6-47f1-bb64-afc001a60a24} - c:\programdata\Package Cache\{6c14a7ec-7ed6-47f1-bb64-afc001a60a24}\GarminExpressInstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-11-27  18:48:50
ComboFix-quarantined-files.txt  2015-11-27 23:48
.
Pre-Run: 835,225,886,720 bytes free
Post-Run: 834,858,741,760 bytes free
.
- - End Of File - - 9329CD560C44BA9A70ACA1EF2E513C5C
A36C5E4F47E84449FF07ED3517B43A31
 



#9 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 27 November 2015 - 06:50 PM

This is not an Application Log; that is a Protection log.

Send Application Logs

Best regards
 

 


 


#10 olgun52

olgun52

  • Malware Response Team
  • 3,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:47 AM

Posted 27 November 2015 - 07:01 PM

Thank you careful. :thumbup2:

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

===================================================
Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under Scan Settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

=========================================================================
How is the machine running now and any issues ? Please let me know.
----------------------------------------------------------------
Things I would like to see in your next reply:

  • ESET report
  • Emsisoft report

Best regards

 


 


#11 careful
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Not Telling

Posted 28 November 2015 - 06:19 AM

This is not the Application Logs; this is the Protection log.

Send the Application Logs.

I am not sure what you are referring to. Thanks.



#12 careful
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Not Telling

Posted 28 November 2015 - 08:46 AM

Emsisoft Emergency Kit - Version 10.0
Last update: 11/28/2015 8:35:08 AM
User account: Petit-PC\Petit

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    11/28/2015 8:35:50 AM
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)

Scanned    82080
Found    1

Scan end:    11/28/2015 8:37:42 AM
Scan time:    0:01:52

Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    Quarantined Setting.DisableRegistryTools (A)

Quarantined    1

 



#13 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male

Posted 28 November 2015 - 11:05 AM

Please run Malwarebytes again and send the ESET log.

Best regards

 


 


#14 careful
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Not Telling

Posted 28 November 2015 - 04:27 PM

ESET scan. I didn't select to delete or to quarantine since I don't know if all of these are real threats. I haven't had time to test out the computer yet since it took a really long time for the ESET scan to complete.

 

C:\Users\Petit\Desktop\desk\download\defrag\cnet_disk-defrag-setup_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
C:\Users\Petit\Desktop\desk\download\games\MahjongTheEndlessJourney-dm(1).exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    cleaned by deleting - quarantined
C:\Users\Petit\Desktop\download\FotoSketcher.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    deleted - quarantined
C:\Users\Petit\Downloads\Avery Wizard 4.01 - US 20111209.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\Petit\Downloads\ccsetup326.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\Petit\Downloads\disk-defrag-setup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
C:\Users\Petit\Downloads\spsetup118.exe    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\2\A0\8B1B0d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\3\22\C1E39d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\5\59\5E04Fd01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\6\9B\BE221d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\7\35\50E89d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\7\3A\DDDA5d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\8\0F\FBB98d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\8\1F\45797d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\9\6B\AF210d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\9\8A\9DEC9d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\B\03\6A201d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\B\B5\F6461d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\C\53\25D3Ed01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\D\36\917E1d01    JS/TrojanDownloader.Iframe.NKE trojan    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\D\3C\EC0E4d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\D\52\132B2d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\D\BB\56AE6d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\D\D1\2BF64d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\E\7E\31642d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\F\00\9DEEBd01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\F\E4\6FCCCd01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\cache2\entries\55A5649851E6970875538CE5D19B1786549C733A    HTML/Refresh.BC trojan    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\ACD9.tmp    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\ApnStub.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\AskSLib.dll    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\ICReinstall\cnet2_FastDuplicateFileFinder_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\ICReinstall\cnet2_TreeSizeFreeSetup_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\ICReinstall\cnet_disk-defrag-setup_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\is1598539481\306270692_Setup.DAT    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\is1598539481\blekkoTb_1.0.0.12.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\is1598539481\searchcom_001.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\NeroInstallFiles\NERO20101021110139892\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Desktop\desk\download\defrag\cnet_disk-defrag-setup_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Desktop\desk\download\games\MahjongTheEndlessJourney-dm(1).exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Desktop\download\avast_antivirus_free_setup.exe    a variant of Win32/Soft32Downloader.A potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Desktop\download\FotoSketcher.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Desktop\download\clipboard\cnet2_freeclip_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Desktop\download\duplicatefile\cnet2_FastDuplicateFileFinder_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Desktop\download\treesize\cnet2_TreeSizeFreeSetup_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Downloads\Avery Wizard 4.01 - US 20111209.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Downloads\ccsetup326.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Downloads\cnet2_atlantis16en_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Downloads\disk-defrag-setup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Downloads\OffercastInstaller_AVR_U-0087-01-P_.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    cleaned by deleting - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\Downloads\spsetup118.exe    Win32/Bundled.Toolbar.Google.E potentially unsafe application    deleted - quarantined
G:\goodsyncb\Petit\AppData\Local\Temp\ICReinstall\cnet2_FastDuplicateFileFinder_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\AppData\Local\Temp\is1598539481\blekkoTb_1.0.0.12.exe    a variant of Win32/Toolbar.Visicom.A potentially unwanted application    deleted - quarantined
G:\goodsyncb\Petit\AppData\Local\Temp\NeroInstallFiles\NERO20101021110139892\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\Desktop\desk\download\defrag\cnet_disk-defrag-setup_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\Desktop\desk\download\games\MahjongTheEndlessJourney-dm(1).exe    a variant of Win32/Adware.Trymedia.A potentially unwanted application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\Desktop\download\avast_antivirus_free_setup.exe    a variant of Win32/Soft32Downloader.A potentially unwanted application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\Desktop\download\clipboard\cnet2_freeclip_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\Desktop\download\duplicatefile\cnet2_FastDuplicateFileFinder_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\Desktop\download\treesize\cnet2_TreeSizeFreeSetup_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
 


Edited by careful, 28 November 2015 - 04:30 PM.
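The ESET export above has a regular three-column layout (path, ESET's detection and verdict, action taken), so its sixty-odd lines can be triaged mechanically. The following Python is an added example, not part of the thread or of any ESET tool: it separates hits on the live C: drive from those in the G: backup copies and browser cache, and bundled-installer PUAs from real malware signatures, using five lines copied from the posted report as constructed sample input.

```python
import re
from collections import Counter

# Constructed sample: five lines copied verbatim from the ESET report posted above.
SAMPLE_LOG = r"""
C:\Users\Petit\Downloads\ccsetup326.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\Petit\Desktop\download\FotoSketcher.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Mozilla\Firefox\Profiles\h1tzmmfl.default\Cache\2\A0\8B1B0d01    HTML/Iframe.B.Gen virus    deleted - quarantined
G:\gfi\PETIT-PC\MyBackup 1\C\Users\Petit\AppData\Local\Temp\ApnStub.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    cleaned by deleting - quarantined
G:\goodsyncb\Petit\Desktop\download\clipboard\cnet2_freeclip_exe.exe    a variant of Win32/InstallCore.D potentially unwanted application    cleaned by deleting - quarantined
"""

# Columns are separated by runs of whitespace (tabs in the export, spaces once
# pasted into a forum post), so split on two or more.
COLUMN_SEP = re.compile(r"\s{2,}")
DETECTION_RE = re.compile(r"^(?:a variant of )?(?P<sig>\S+) (?P<verdict>.+)$")
PUA_VERDICTS = {"potentially unwanted application", "potentially unsafe application"}


def classify_location(path):
    """Live system vs. backup copy; browser-cache hits are called out separately."""
    upper = path.upper()
    live = upper.startswith("C:\\")
    if "\\FIREFOX\\PROFILES\\" in upper and "\\CACHE" in upper:
        return "browser cache" if live else "browser cache (backup)"
    return "live system" if live else "backup copy"


def parse_eset_export(text):
    """Return one dict per finding: path, signature, verdict, action, location, class."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, detection, action = COLUMN_SEP.split(line.strip(), maxsplit=2)
        m = DETECTION_RE.match(detection)
        if m is None:
            raise ValueError(f"unrecognised detection column: {detection!r}")
        findings.append({
            "path": path, "signature": m["sig"], "verdict": m["verdict"],
            "action": action, "location": classify_location(path),
            "class": "PUA" if m["verdict"] in PUA_VERDICTS else "malware",
        })
    return findings


def triage(findings):
    """Counts that show what actually needs follow-up on the running machine."""
    return {
        "by_location": Counter(f["location"] for f in findings),
        "by_class": Counter(f["class"] for f in findings),
        "by_signature": Counter(f["signature"] for f in findings),
        # Live-system hits ESET classed as real malware rather than a bundled PUA.
        "live_malware": [f["path"] for f in findings
                         if f["location"] == "live system" and f["class"] == "malware"],
    }
```

Run against the full export, the same split shows that every "virus"/"trojan" hit sits in the backup copies of the Firefox cache, while the live C: hits are all bundled-toolbar or InstallCore installers in Downloads.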


#15 careful
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Not Telling

Posted 28 November 2015 - 05:04 PM

My computer does seem to be faster. Can I use some or all of these scanners on a regular basis? Thank you so much for your help.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/28/2015
Scan Time: 4:41 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.28.05
Rootkit Database: v2015.11.26.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Petit

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 411650
Time Elapsed: 20 min, 53 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Edited by careful, 28 November 2015 - 05:05 PM.




