Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pups Apparently Associated With Unknown Temp Users


  • Please log in to reply
36 replies to this topic

#1 WouldBePolymath

WouldBePolymath

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 26 January 2016 - 03:51 AM

This is a question I posted a few days ago at another forum, but I unfortunately I didn't get an answer there.

 

I inherited my Lenovo ThinkCentre M75e 5042A7U. Let's call the person I inherited from "ORIGINAL OWNER".

Now, whenever I run MalwareBytes, I invariably find a PUP that is registry data for the Dogpile search engine, plus 68 other PUPs that are all identical:

PUP.Optional.CrossRider
C:\Users\ ( ORIGINAL OWNER ) \AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd.default-1359751077217\prefs.js9oq

And in C:\Users, I have found 56 users that don't show up in User Accounts:

TEMP
TEMP.(ORIGINAL OWNER)-THINK
TEMP.(ORIGINAL OWNER)-THINK.000

(etcetera)

TEMP.(ORIGINAL OWNER)-THINK.053

Any ideas on what this is all about? Should I just delete all these users?


Edited by hamluis, 26 January 2016 - 11:35 AM.
Moved from Win 7 to Am I Infected - Hamluis.


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 26 January 2016 - 12:27 PM

Hi WouldBePolymath :)

You can delete these accounts easily via the System Properties window. Right-click on Computer and select Properties. In the left-pane, click on Advanced System Settings, and in the new window, click on the second Settings button (under User Profiles). There, every userprofiles under C:\Users will be listed. Just delete the ones you don't need. If some fails to delete, you can delete them manually under C:\Users.

Let me know how it goes :)

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 WouldBePolymath

WouldBePolymath
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 26 January 2016 - 07:06 PM

Hi WouldBePolymath :)

You can delete these accounts easily via the System Properties window. Right-click on Computer and select Properties. In the left-pane, click on Advanced System Settings, and in the new window, click on the second Settings button (under User Profiles). There, every userprofiles under C:\Users will be listed. Just delete the ones you don't need. If some fails to delete, you can delete them manually under C:\Users.

Let me know how it goes :)

Unfortunately, just like all those TEMP users don't appear in User Accounts, they don't appear in User Profiles either, although they DO appears in C:\Users.

 

Are you sure it's safe to delete them from C:\Users in Windows Explorer?  I don't see why it wouldn't be, but it just seems so strange that they're there at all, and since their names indicate that these users were somehow spawned by the "ORIGINAL OWNER" (who was not all that tech-savvy), I don't know WHAT he might have done to create them, and consequently what potential problems may result from deleting them.



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 26 January 2016 - 07:13 PM

What edition of Windows do you have? We could check under Computer Management, Users and Groups if they show up there. If not, it's safe to delete the folders under C:\Users normally, yes.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 WouldBePolymath

WouldBePolymath
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 26 January 2016 - 07:20 PM

I have Windows 7.



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 26 January 2016 - 07:44 PM

I mean, do you have Windows 7 Home Premium, Professional, Entreprise, Ultimate?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 26 January 2016 - 07:45 PM

A Recovery Media allows you to do a Factory Reset of your system, so yes it is.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 WouldBePolymath

WouldBePolymath
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 26 January 2016 - 08:07 PM

OK, I checked out both Users and Groups in Computer Management, and they're not there either.

 

I was actually thinking of doing a Reset anyway, due to some quirky behavior I've been seeing, but I'm pretty sure that wouldn't actually delete these TEMP user folders, would it?



#9 WouldBePolymath

WouldBePolymath
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 26 January 2016 - 08:20 PM

Sorry, I hadn't seen your last 2 posts before posting myself.  Anyway, I've got Windows 7 Professional.

 

And I didn't mean a Reset, I meant a Refresh.  But still, it's possible that could still cause some apps to be lost, from what I hear.

 

I've just created a Rescue Media on a flash drive, and I have user data backups on a flash drive and 2 places in the cloud, but I have no system backup or disk image because there's not enough room on my hard drive.  I went out and bought an external hard drive for that purpose, but then discovered that a 1TB drive wasn't big enough, so I'll have to return it and buy a bigger one.  So I don't want to d a Refresh until I get that done.



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 26 January 2016 - 09:13 PM

Sorry, the second comment about the Factory Reset was meant to be posted in another thread. I just noticed that I posted it in yours by mistake.

Personally, I would always reset Windows if I got it on a computer that wasn't mine originally. To avoid future issues and current issues hidden in the system.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 WouldBePolymath

WouldBePolymath
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 27 January 2016 - 02:01 PM

>Personally, I would always reset Windows if I got it on a computer that wasn't mine originally.

 

Knowing what I now know, that sounds like great advice. I'll do that in the future if I ever inherit a computer again or buy a used one. Too late now to do it in this case.

 

Anyway, I checked the contents of all those TEMP user folders, and they all had had the same set of folders with no files:

 

C:\Users\TEMP.(ORIGINAL OWNER)-THINK.###\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ( no files )

 

so I deleted all them all.

 

And then I ran MalwareBytes again, and it detected ALMOST, but not quite, the same set of PUPs:

 

PUP.Optional.CrossRider
C:\Users\ ( ORIGINAL OWNER ) \AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js

 

Notice that the "9oq" has moved from the end of the path/filename to just before ".default".  Plus, now there were only 43 of them, instead of the 68 that were there before.

 

Not that I would expect you or anyone else to know what this all means.  But if you have ANY thoughts on this, I'd be very curious to hear them.
 



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 27 January 2016 - 03:27 PM

You are using the original owner's account, aren't you? Why don't you create a new user, make it Admin, transfer all your data to that userprofile, and delete the old user which belongs to the original owner?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 WouldBePolymath

WouldBePolymath
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 27 January 2016 - 04:05 PM

No, I'm using my own admin-level account, and all my data is associated with that account.  I'm a little hesitant to delete the original owner's account because he was my brother, and unfortunately he passed away, and I need to comb through his stuff for photos and other memorabilia, and his data is not well organized and there's a lot of it.  But when I get that all sorted out, I will delete his account.



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,607 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:19 AM

Posted 27 January 2016 - 05:20 PM

In that case, let's do a sweep adding JRT and AdwCleaner to the mix.

lv0mVRW.pngJunkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
    tLsXbWy.png
    Credits : BleepingComputer.com
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
zcMPezJ.pngAdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
    CfdTLN1.png
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
aOpBoaQ.pngMalwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends of your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
    L9PN4j1.png
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 WouldBePolymath

WouldBePolymath
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:19 AM

Posted 27 January 2016 - 07:34 PM

********************

****  JRT log  ****

********************

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 7 Professional x64
Ran by Bill (Administrator) on Wed 01/27/2016 at 17:50:46.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 14

Successfully deleted: C:\ProgramData\free youtube downloader (Folder)
Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\anon\AppData\Local\crashrpt (Folder)
Successfully deleted: C:\Users\anon\AppData\Local\free youtube downloader (Folder)
Successfully deleted: C:\Users\anon\AppData\Roaming\productdata (Folder)
Successfully deleted: C:\Windows\system32\Tasks\Uninstaller_SkipUac_Bill (Task)
Successfully deleted: C:\Windows\system32\Tasks\Uninstaller_SkipUac_Chris (Task)
Successfully deleted: C:\Windows\system32\Tasks\Wise Care 365 (Task)
Successfully deleted: C:\Windows\system32\Tasks\Wise Turbo Checker (Task)
Successfully deleted: C:\Windows\Tasks\Wise Care 365.job (Task)
Successfully deleted: C:\Windows\Tasks\Wise Turbo Checker.job (Task)
Successfully deleted: C:\Program Files (x86)\free youtube downloader (Folder)
Successfully deleted: C:\Users\anon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\38RBKIQ1 (Folder)
Successfully deleted: C:\Users\anon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0ECCOWP (Folder)

 

Registry: 4

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 01/27/2016 at 17:54:19.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

*****************************

****  AdwCleaner log  ****

*****************************

 

# AdwCleaner v5.031 - Logfile created 27/01/2016 at 18:00:17
# Updated 25/01/2016 by Xplode
# Database : 2016-01-25.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Bill - CHRIS-THINK
# Running from : C:\Users\anon\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage
[-] File Deleted : C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.euask.com_0.localstorage

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList\browser.exe
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B33BD6CF-BF4C-4CF0-AC84-B2974BC14ABD}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved [{2097A1B6-E86A-4072-A32D-2249A3ECBC5A}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{B33BD6CF-BF4C-4CF0-AC84-B2974BC14ABD}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\myway.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\news.myway.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\myway.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\news.myway.com

***** [ Web browsers ] *****

[-] [C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\anon\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [4680 bytes] ##########

 

 

*******************************

****  Malwarebytes log  ****

*******************************

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/27/2016
Scan Time: 6:15 PM
Logfile: 01-27-2016 MB log.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.01.27.07
Rootkit Database: v2016.01.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Bill

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 531604
Time Elapsed: 36 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 37
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerParams.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.Ins9com74253.74253.internaldb.InstallerParamsCache.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.InstallerParamsCache.value", "%7B%22source_id%22%3A%22003042%22Replaced,[e6bd56e80b8e2511bf8fb738c143ec14]C%22sub_id%22%3A%220%22Replaced,[e6bd56e80b8e2511bf8fb738c143ec14]C%22uzid%22%3A%220%22Replaced,[e6bd56e80b8e2511bf8fb738c143ec14]C%22__exposedProps__%22%3A%7B%22source_id%22%3A%22wr%22Replaced,[e6bd56e80b8e2511bf8fb738c143ec14]C%22sub_id%22%3A%22wr%22Replaced,[e6bd56e80b8e2511bf8fb738c143ec14]C%22uzid%22%3A%22wr%22%7D%7D");), %5
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (0 00:00:00 GMT-0500 (Easte53.internaldb.InstallerIdentifiers.value", "%7B%22installer_bic%22%3A%222afbf885c0c35bd140122ba2b72ba7c7IE%22Replaced,[287b82bc2f6a41f52826905f40c43bc5]C%22installer_verifier%22%3A%22576fc140cfd959d17aacb0ad1e4437f4%22%7D");
user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerParams.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.Ins9com74253.74253.internaldb.InstallerParamsCache.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.InstallerPara), %5
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (2030 00:00:00 GMT-0500 (Easte53.internaldb.InstallerIdentifiers.value", "%7B%22installer_bic%22%3A%222afbf885c0c35bd140122ba2b72ba7c7IE%22Replaced,[00a3e559e3b662d49eb08d627c882ed2]C%22installer_verifier%22%3A%22576fc140cfd959d17aacb0ad1e4437f4%22%7D");
user_pr), %5
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (piration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8c), Replaced,[445f0a34c2d78fa7e06e9b543ec6768a]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8), Replaced,[c7dc7ec04059cc6af658628d679d817f]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (xpiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519b), Replaced,[dbc882bc8c0d56e0e9654aa544c005fb]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (iration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8cae38), Replaced,[d2d14bf3dbbeea4c4fff0de2d133cd33]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: ("Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerIdentifiers.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.InstallerIdentifiers.value", "%7B%22installer_bic%22%3A%222afbf885c0c35bd140122ba2b72ba7c7IE%22Replaced,[0f9449f54e4b80b6b7974da2aa5a5ea2]C%22installer_verifier%22%3A%22576fc140cfd959d17aacb0ad1e4437f4%22%7D");
user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerParams.expiration", "F), %5
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (40122ba2b72ba7c7IE%22Replaced,[bae9dd61c7d20531da7476797f8526da]C%22installer_verifier%22%3A%22576fc140cfd959d17aacb0ad1e4437f4%22%7D");
user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerParams.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.Ins9com74253.74253.internaldb.InstallerParamsCache.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.Instal), %5
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerIdentifiers.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.InstallerIdentifiers.value", "%7B%22installer_bic%22%3A%222afbf885c0c35bd140122ba2b72ba7c7IE%22Replaced,[fba8cd713a5fcc6a6ae4727d41c312ee]C%22installer_verifier%22%3A%22576fc140cfd959d17aacb0ad1e4437f4%22%7D");
user_pref("extensions.a6a), %5
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (nsions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerIdentifiers.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.internaldb.InstallerIdentifiers.value", "%7B%22installer_), Replaced,[b8eb78c65c3dde58ba948a65fb09966a]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (T-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerIdentifiers.expiration", "Fri Feb 01 2030 ), Replaced,[e3c063db04955ed893bb836cc93b3dc3]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.inter), Replaced,[2e7583bb07921b1bf05ebc337193ae52]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (.cookie.user_id.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

us), Replaced,[049f1628c2d7a98d83cbe70837cdf10f]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (ge.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (East), Replaced,[099ae35be9b0072ff856c02fbc48ed13]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (teionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "Fri Feb 01 2030 00), Replaced,[ecb783bb079239fdf757d718f60e9a66]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (f("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "F), Replaced,[d5ce102e4059989e8ec006e9966e659b]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "Fri ), Replaced,[eeb5c47a8811b77fe16db33c1de7c937]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", ), Replaced,[574cfb43bfda0a2c0d417e71ca3abc44]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (nc

 

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_), Replaced,[ced51f1f3960ff374a04707f46be9e62]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id), Replaced,[683b5ae450494de995b93fb037cd27d9]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.val), Replaced,[51522a1465346fc75cf2e906679d52ae]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (
user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "Fri ), Replaced,[445f4af40b8e70c6024caf40a26220e0]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expi), Replaced,[b8eb3e00cccde84e0747eb04b054946c]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.e), Replaced,[5a49dd61b8e1191d5af46f8029dbf010]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

 

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expi), Replaced,[c4dfdd616b2e4ee8c78741aef90bb34d]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.), Replaced,[6c37330b3861d363fd51d916f60e7987]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (renc

 

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.coo), Replaced,[485b1826d1c8eb4be06e30bf37cdc739]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (erenc

 

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", ), Replaced,[287bd9654b4e0c2ab698fcf3d33116ea]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (eionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration), Replaced,[198ac37b13861d194806569933d1649c]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (referenc

 

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.c), Replaced,[a8fb68d6a2f7fc3ab29c9956ce36dd23]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (enc

 

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_), Replaced,[1a8962dc6336fe38f15d608fa85cbc44]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration), Replaced,[881b0d3190096ec88cc215dadd2747b9]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (r_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.value", "%22150792cd8fc1ecc68544c187f3fa94eb%22");

user_pref("extensions.a6a1a03975fde4c8690f6b883c36bc17d88519bfe73975fde4c8690f6b883c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerIdentifiers.expiration", "Fri Feb 01 2030 00:00:00 G), Replaced,[8221c6780a8fa78f2529a04ff50f06fa]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (c36bc17d88519bfe704d8cae3851239com74253.74253.internaldb.InstallerIdentifiers.expiration", "Fri Feb 01 2030 00:0), Replaced,[792a44fa0693d561c688707f5da711ef]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.ex), Replaced,[3073f5497f1ad561db737a75897b11ef]
PUP.Optional.CrossRider, C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\i6wqd9oq.default-1359751077217\prefs.js, Good: (), Bad: (

user_pref("exteionprevious_page.expiration", "Fri Feb 01 2030 00:00:00 GMT-0500 (Easte53.cookie.user_id.), Replaced,[495a42fcff9a40f64707905fca3af40c]

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

 

Hey, JRT blew away my YouTube Downloader!

 






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users