Malware Removal Instructions

Infected with IDP.Program.D1B0A5C0

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Infected with IDP.Program.D1B0A5C0

Post by shalom123 » December 21st, 2014, 10:36 am

I am not able to open up any program on the username I ran the programs on (I was also mainly using this username for most of the time when the malware was wreaking havoc). Using a different username I was able to run programs, and that is from where I ran the next scans that you asked me to do. When I ran FRST this last time it said it was creating a fixlog. I will post this also.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-12-2014
Ran by Daddy (administrator) on THEMOSTAWESOME on 21-12-2014 09:23:51
Running from C:\Users\Daddy\Desktop
Loaded Profiles: Daddy & Yael & Shalom & Atara & Michal & Sara (Available profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Brother Industries, Ltd.) C:\Windows\System32\BrmfRsmg.exe
(Brother Industries, Ltd.) C:\Windows\System32\BrmfRsmg.exe
(Verizon) C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
() C:\Windows\jmesoft\Service.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
() C:\Users\Daddy\AppData\Local\ospd_us_375\upospd_us_375.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Google Inc.) C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
() C:\FRST\Quarantine\C\Program Files (x86)\ospd_us_375\ospd_us_375.exe.xBAD
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\ConfigurationWizard.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395656 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153992 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-12] (Logitech Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ospd_us_375] => "C:\Program Files (x86)\ospd_us_375\ospd_us_375.exe"
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3653136 2014-11-09] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\RunOnce: [upospd_us_375.exe] => C:\Users\Daddy\AppData\Local\ospd_us_375\upospd_us_375.exe [3306440 2014-11-06] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\Run: [Google Update] => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-22] (Google Inc.)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [Google Update] => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-05] (Google Inc.)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [Spotify Web Helper] => C:\Users\Yael\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1171000 2014-06-20] (Spotify Ltd)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [Spotify] => C:\Users\Yael\AppData\Roaming\Spotify\spotify.exe [6087224 2014-06-20] (Spotify Ltd)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - F:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - F:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Run: [Google Update] => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-06] (Google Inc.)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Startup: C:\Users\Yael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-4229975068-1931466670-3666739151-1002\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-4229975068-1931466670-3666739151-1001] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-4229975068-1931466670-3666739151-1001] => http=127.0.0.1:62855;https=127.0.0.1:62855
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKLM-x32 -> Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> Backup.Old.DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
BHO: No Name -> {72351B45-9636-4F99-820B-7C552D27897D}} -> No File
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121225094235.dll No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {72351B45-9636-4F99-820B-7C552D27897D}} -> No File
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121225094235.dll No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> No Name - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.adobe.com/pub/shockwa ... wflash.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\npmvtplugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1006: @tools.google.com/Google Update;version=3 -> C:\Users\Michal\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1006: @tools.google.com/Google Update;version=9 -> C:\Users\Michal\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: No Name - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2013-01-11]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK

Chrome:
=======
CHR HomePage: Default -> hxxp://Vosteran.com/?f=1&a=vst_cmi_14_4 ... 361997&ir=
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_cmi_14_47_ch&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAzz0B0A0DtB0E0AtG0ByByByDtGyE0FyByBtG0FtB0C0FtGtAyDyDyEtBtB0DtDtD0EtAzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0Azy0FyB0EyD0FtGyCzztAtAtGyEtDyDyEtGzztB0FtDtG0AyC0B0AtDzy0EtCyB0E0DyE2Q&cr=960361997&ir="
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.5.671\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Daddy\AppData\Local\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Daddy\AppData\Local\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Daddy\AppData\Local\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Citrix ICA Client) - C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Google Update) - C:\Users\Daddy\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
CHR Profile: C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-11]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (YouTube) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-06-14]
CHR Extension: (Google Search) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-14]
CHR Extension: (snipsmart) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaccgfkbmhkegoljkoefhpifoaehnhjp [2014-11-23]
CHR Extension: (BucksBee RewardsBar) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajcmjjdlglpcfblcnjilhodiondejlm [2014-01-26]
CHR Extension: (Google Wallet) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR Extension: (Gmail) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-06-14]
CHR HKLM-x32\...\Chrome\Extension: [lajcmjjdlglpcfblcnjilhodiondejlm] - C:\Users\Daddy\AppData\Roaming\Bucksbee Loyalty Plugin 100815.b for Chrome\Toolbar_production_100815_12.crx [2012-05-21]
CHR StartMenuInternet: Google Chrome - C:\Users\Yael\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 0134851357934090mcinstcleanup; C:\Users\Daddy\AppData\Local\Temp\013485~1.EXE [832664 2012-09-28] () [File not signed]
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3488784 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 brmfrsmg; C:\Windows\system32\BrmfRsmg.exe [52736 2009-07-13] (Brother Industries, Ltd.)
S4 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-10-07] (McAfee, Inc.)
R2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [290832 2011-12-12] (Verizon) [File not signed]
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-15] () [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-11-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-11-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S4 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-10-07] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218320 2012-11-09] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [177680 2012-11-09] (McAfee, Inc.)
S2 cozhost; C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe /ts2=1 [X]
S2 cozwhost; C:\PROGRA~3\zoomify2\110~1.27\cozwhost.exe -scm [X]
S3 GoToAssist; "C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe" Start=service [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [263960 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R3 brfilt; C:\Windows\System32\Drivers\Brfilt.sys [6144 2009-06-10] (Brother Industries Ltd.)
R3 BrUsbScn; C:\Windows\System32\Drivers\BrUsbScn.sys [14336 2009-06-10] (Brother Industries Ltd.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [69672 2012-11-09] (McAfee, Inc.)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-29] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [178840 2012-11-09] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309400 2012-11-09] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515528 2012-11-09] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771096 2012-11-09] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [339776 2012-11-09] (McAfee, Inc.)
R0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
R0 WinI2C-DDC; C:\Windows\SysWOW64\drivers\DDCDrv.sys [15712 2010-03-22] (Nicomsoft Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-21 09:23 - 2014-12-21 09:24 - 00033550 _____ () C:\Users\Daddy\Desktop\FRST.txt
2014-12-21 09:21 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Daddy\Desktop\FRST64.exe
2014-12-19 09:52 - 2014-12-19 09:52 - 00015719 _____ () C:\Users\Mommy\Desktop\Search.txt
2014-12-19 09:46 - 2014-12-19 09:46 - 00046661 _____ () C:\Users\Mommy\Desktop\Addition.txt
2014-12-19 09:44 - 2014-12-21 09:23 - 00000000 ____D () C:\FRST
2014-12-19 09:44 - 2014-12-19 09:46 - 00060762 _____ () C:\Users\Mommy\Desktop\FRST.txt
2014-12-19 09:35 - 2014-12-19 13:34 - 00000000 ____D () C:\AdwCleaner
2014-12-19 09:35 - 2014-12-19 09:34 - 00000111 _____ () C:\Users\Mommy\Desktop\virus.txt
2014-12-19 09:35 - 2014-12-19 09:30 - 02166272 _____ () C:\Users\Mommy\Desktop\adwcleaner_4.105.exe
2014-12-19 09:35 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Mommy\Desktop\FRST64.exe
2014-12-19 09:18 - 2014-12-19 09:18 - 00000207 _____ () C:\windows\tweaking.com-regbackup-THEMOSTAWESOME-Microsoft-Windows-7-Home-Premium-(64-bit).dat
2014-12-19 09:16 - 2014-12-19 09:16 - 00002239 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\RegBackup
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-12-19 09:14 - 2014-12-19 09:14 - 04215584 _____ () C:\Users\Mommy\Desktop\tweaking.com_registry_backup_setup.exe
2014-12-19 09:13 - 2014-10-17 21:05 - 04121600 _____ (Microsoft Corporation) C:\windows\system32\mf.dll
2014-12-19 09:13 - 2014-10-17 20:33 - 03209728 _____ (Microsoft Corporation) C:\windows\SysWOW64\mf.dll
2014-12-18 23:33 - 2014-12-18 23:48 - 00000308 _____ () C:\windows\Tasks\Tempo Runner coz32host.job
2014-12-18 23:31 - 2014-12-18 23:48 - 00000306 _____ () C:\windows\Tasks\Tempo Runner cozahost.job
2014-12-18 23:30 - 2014-11-10 20:46 - 00119296 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tdx.sys
2014-12-18 23:29 - 2014-11-26 20:43 - 00389296 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-12-18 23:29 - 2014-11-26 20:10 - 00342200 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-12-18 23:29 - 2014-11-21 22:13 - 25059840 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-12-18 23:29 - 2014-11-21 22:06 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-12-18 23:29 - 2014-11-21 22:06 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-12-18 23:29 - 2014-11-21 21:50 - 00580096 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-12-18 23:29 - 2014-11-21 21:50 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-12-18 23:29 - 2014-11-21 21:49 - 02885120 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-12-18 23:29 - 2014-11-21 21:49 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-12-18 23:29 - 2014-11-21 21:48 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-12-18 23:29 - 2014-11-21 21:41 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-12-18 23:29 - 2014-11-21 21:40 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-12-18 23:29 - 2014-11-21 21:37 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-12-18 23:29 - 2014-11-21 21:35 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-12-18 23:29 - 2014-11-21 21:35 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-12-18 23:29 - 2014-11-21 21:34 - 06039552 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-12-18 23:29 - 2014-11-21 21:34 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-12-18 23:29 - 2014-11-21 21:26 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-12-18 23:29 - 2014-11-21 21:22 - 19749376 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-12-18 23:29 - 2014-11-21 21:22 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-12-18 23:29 - 2014-11-21 21:20 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-12-18 23:29 - 2014-11-21 21:14 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-12-18 23:29 - 2014-11-21 21:09 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-12-18 23:29 - 2014-11-21 21:08 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-12-18 23:29 - 2014-11-21 21:07 - 00501248 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-12-18 23:29 - 2014-11-21 21:07 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-12-18 23:29 - 2014-11-21 21:06 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-12-18 23:29 - 2014-11-21 21:05 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-12-18 23:29 - 2014-11-21 21:05 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-12-18 23:29 - 2014-11-21 21:01 - 02277888 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-12-18 23:29 - 2014-11-21 20:59 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-12-18 23:29 - 2014-11-21 20:58 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-12-18 23:29 - 2014-11-21 20:56 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-12-18 23:29 - 2014-11-21 20:55 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-12-18 23:29 - 2014-11-21 20:54 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-12-18 23:29 - 2014-11-21 20:49 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-12-18 23:29 - 2014-11-21 20:49 - 00718848 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-12-18 23:29 - 2014-11-21 20:47 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-12-18 23:29 - 2014-11-21 20:46 - 02125312 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-12-18 23:29 - 2014-11-21 20:45 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-12-18 23:29 - 2014-11-21 20:43 - 14412800 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-12-18 23:29 - 2014-11-21 20:40 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-18 23:29 - 2014-11-21 20:36 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-12-18 23:29 - 2014-11-21 20:35 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-12-18 23:29 - 2014-11-21 20:33 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-12-18 23:29 - 2014-11-21 20:29 - 04299264 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-12-18 23:29 - 2014-11-21 20:28 - 02358272 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-12-18 23:29 - 2014-11-21 20:23 - 00688640 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-12-18 23:29 - 2014-11-21 20:22 - 02052096 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-12-18 23:29 - 2014-11-21 20:21 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-12-18 23:29 - 2014-11-21 20:15 - 01548288 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-12-18 23:29 - 2014-11-21 20:13 - 12836864 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-12-18 23:29 - 2014-11-21 20:03 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-12-18 23:29 - 2014-11-21 20:00 - 01888256 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-12-18 23:29 - 2014-11-21 19:56 - 01307136 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-12-18 23:29 - 2014-11-21 19:54 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-12-18 23:29 - 2014-11-10 22:09 - 01424384 _____ (Microsoft Corporation) C:\windows\system32\WindowsCodecs.dll
2014-12-18 23:29 - 2014-11-10 21:44 - 01230336 _____ (Microsoft Corporation) C:\windows\SysWOW64\WindowsCodecs.dll
2014-12-18 23:28 - 2014-10-29 21:03 - 00165888 _____ (Microsoft Corporation) C:\windows\system32\charmap.exe
2014-12-18 23:28 - 2014-10-29 20:45 - 00155136 _____ (Microsoft Corporation) C:\windows\SysWOW64\charmap.exe
2014-12-18 23:21 - 2014-10-02 21:12 - 02020352 _____ (Microsoft Corporation) C:\windows\system32\WsmSvc.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00346624 _____ (Microsoft Corporation) C:\windows\system32\WSManMigrationPlugin.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00310272 _____ (Microsoft Corporation) C:\windows\system32\WsmWmiPl.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00181248 _____ (Microsoft Corporation) C:\windows\system32\WsmAuto.dll
2014-12-18 23:21 - 2014-10-02 21:11 - 00266240 _____ (Microsoft Corporation) C:\windows\system32\WSManHTTPConfig.exe
2014-12-18 23:21 - 2014-10-02 20:45 - 01177088 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmSvc.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00214016 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmWmiPl.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00145920 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmAuto.dll
2014-12-18 23:21 - 2014-10-02 20:44 - 00198656 _____ (Microsoft Corporation) C:\windows\SysWOW64\WSManHTTPConfig.exe
2014-12-18 23:20 - 2014-11-07 22:16 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2014-12-18 23:20 - 2014-11-07 21:45 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2014-12-18 23:14 - 2014-12-18 23:14 - 00026445 _____ () C:\Users\Daddy\Desktop\dds.txt
2014-12-18 23:14 - 2014-12-18 23:14 - 00009128 _____ () C:\Users\Daddy\Desktop\attach.txt
2014-12-18 23:07 - 2014-12-18 23:07 - 00688992 ____R (Swearware) C:\Users\Mommy\Downloads\dds.scr
2014-12-18 23:07 - 2014-12-18 23:07 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\HpUpdate
2014-11-24 20:41 - 2014-11-24 20:42 - 00000000 ____D () C:\Users\Mommy\AppData\Local\Avg2015
2014-11-24 20:41 - 2014-11-24 20:41 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\AVG2015
2014-11-24 20:39 - 2014-11-24 20:39 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-11-24 20:39 - 2014-11-24 20:39 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\AVG2015
2014-11-24 20:39 - 2014-11-24 20:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-11-24 20:38 - 2014-12-19 09:04 - 00000000 ____D () C:\ProgramData\AVG2015
2014-11-24 20:38 - 2014-11-24 20:38 - 00000000 ___HD () C:\$AVG
2014-11-24 20:38 - 2014-11-24 20:38 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-11-24 20:36 - 2014-12-21 08:34 - 00000000 ____D () C:\ProgramData\MFAData
2014-11-24 20:36 - 2014-11-24 20:39 - 00000000 ____D () C:\Users\Daddy\AppData\Local\Avg2015
2014-11-24 20:36 - 2014-11-24 20:36 - 04637504 _____ (AVG Technologies) C:\Users\Mommy\Downloads\avg_free_stb_all_2015_5557_cnet.exe
2014-11-24 20:36 - 2014-11-24 20:36 - 00000000 ____D () C:\Users\Daddy\AppData\Local\MFAData
2014-11-24 20:17 - 2014-11-24 20:17 - 00000000 ____D () C:\Users\Mommy\AppData\Local\ospd_us_375
2014-11-24 17:26 - 2014-11-24 17:26 - 01944256 _____ () C:\windows\shost.bin
2014-11-24 07:33 - 2014-12-19 13:16 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-11-23 18:54 - 2014-11-23 18:54 - 00000000 __SHD () C:\Users\Mommy\AppData\Local\EmieBrowserModeList
2014-11-23 18:53 - 2014-11-23 18:53 - 00000000 ____D () C:\Users\Mommy\AppData\Local\HP
2014-11-23 18:40 - 2014-11-23 18:40 - 00000047 _____ () C:\Users\Daddy\AppData\Roaming\WB.CFG
2014-11-23 18:39 - 2014-11-23 18:39 - 00628496 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsh3FDD.tmp
2014-11-23 18:08 - 2014-11-23 18:09 - 00000000 ____D () C:\Users\Mommy\AppData\Local\{8F85811F-A8AD-4ABD-82A8-29D28DC27661}
2014-11-23 18:01 - 2014-11-23 18:01 - 00613057 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsi226C.tmp
2014-11-23 18:00 - 2014-11-23 18:00 - 00000000 ____D () C:\Users\Daddy\AppData\Local\WorldofTanks
2014-11-23 17:59 - 2014-11-23 17:59 - 00000000 ____D () C:\Users\Daddy\AppData\Local\StormFall
2014-11-23 17:52 - 2014-11-23 17:53 - 106859936 _____ () C:\Users\Daddy\Downloads\DJ2540_188 (1).exe
2014-11-23 17:41 - 2014-11-23 17:41 - 00613057 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsa441E.tmp
2014-11-23 17:40 - 2014-12-21 08:56 - 00000000 ____D () C:\Users\Daddy\AppData\Local\ospd_us_375
2014-11-23 17:35 - 2014-11-23 17:35 - 106859936 _____ () C:\Users\Daddy\Downloads\Unconfirmed 828580.crdownload
2014-11-23 17:33 - 2014-11-23 17:33 - 00834488 _____ (SlimWare Utilities, Inc.) C:\Users\Daddy\Downloads\DriverUpdate-setup.exe
2014-11-23 17:27 - 2014-11-23 17:27 - 00003626 _____ () C:\windows\System32\Tasks\HPCustParticipation HP Deskjet 2540 series
2014-11-23 17:27 - 2014-11-23 17:27 - 00001995 _____ () C:\Users\Public\Desktop\HP Photo Creations.lnk
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\HpUpdate
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\Visan
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\HP Photo Creations
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Program Files (x86)\HP Photo Creations
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Program Files (x86)\Hewlett-Packard
2014-11-23 17:26 - 2014-11-23 17:51 - 00000000 ____D () C:\Program Files (x86)\HP
2014-11-23 17:26 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2014-11-23 17:26 - 2014-11-23 17:26 - 00002212 _____ () C:\Users\Public\Desktop\HP Deskjet 2540 series.lnk
2014-11-23 17:26 - 2014-11-23 17:26 - 00001159 _____ () C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 2540 series.lnk
2014-11-23 17:26 - 2014-11-23 17:26 - 00000000 ____D () C:\ProgramData\HP
2014-11-23 17:26 - 2014-11-23 17:26 - 00000000 ____D () C:\Program Files\HP
2014-11-23 17:26 - 2014-03-06 12:51 - 00763912 ____N (Hewlett-Packard Co.) C:\windows\system32\HPDiscoPMC211.dll
2014-11-23 17:25 - 2014-11-23 17:25 - 00000057 _____ () C:\ProgramData\Ament.ini
2014-11-23 17:23 - 2014-11-23 17:24 - 106859936 _____ () C:\Users\Daddy\Downloads\DJ2540_188.exe
2014-11-23 17:22 - 2014-11-23 17:27 - 00000000 ____D () C:\Users\Daddy\AppData\Local\HP
2014-11-23 12:41 - 2014-11-23 12:41 - 00584504 _____ () C:\Users\Daddy\Downloads\Installation.exe
2014-11-23 09:01 - 2014-11-23 09:01 - 00012678 _____ () C:\Users\Daddy\Downloads\contemp- cash flow.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-21 09:23 - 2012-07-11 18:57 - 00000008 __RSH () C:\Users\Mommy\ntuser.pol
2014-12-21 09:23 - 2012-04-30 09:58 - 00000000 ____D () C:\Users\Mommy
2014-12-21 09:21 - 2009-07-13 22:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2014-12-21 09:17 - 2012-08-19 20:06 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-12-21 09:16 - 2012-07-22 14:14 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA.job
2014-12-21 09:07 - 2012-07-05 14:19 - 00000904 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA.job
2014-12-21 08:53 - 2011-12-21 19:15 - 01075242 _____ () C:\windows\WindowsUpdate.log
2014-12-21 08:48 - 2012-07-20 16:53 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA.job
2014-12-21 08:41 - 2012-07-06 17:21 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA.job
2014-12-21 08:23 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\rescache
2014-12-21 07:57 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-21 07:57 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-21 07:49 - 2014-01-23 04:28 - 00000923 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2014-12-21 07:49 - 2014-01-23 04:28 - 00000907 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-12-21 07:49 - 2012-05-01 21:49 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-12-21 07:49 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-12-21 07:49 - 2009-07-13 23:51 - 00073897 _____ () C:\windows\setupact.log
2014-12-20 18:21 - 2009-07-14 00:13 - 00006206 _____ () C:\windows\system32\PerfStringBackup.INI
2014-12-19 14:21 - 2014-10-07 11:58 - 00002515 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-12-19 14:21 - 2014-10-07 11:58 - 00000000 ____D () C:\ProgramData\Skype
2014-12-19 14:21 - 2014-10-07 11:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-12-19 13:37 - 2013-03-24 12:18 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\Spotify
2014-12-19 13:35 - 2010-11-20 22:47 - 00840900 _____ () C:\windows\PFRO.log
2014-12-19 13:25 - 2012-06-09 21:37 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2014-12-19 13:19 - 2012-09-15 19:11 - 00020786 _____ () C:\INSTALLHELPER.LOG
2014-12-19 10:04 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\PolicyDefinitions
2014-12-19 09:22 - 2013-06-20 07:02 - 00002374 _____ () C:\Users\Mommy\Desktop\Google Chrome.lnk
2014-12-19 09:18 - 2012-04-29 21:37 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-19 09:06 - 2009-07-13 21:34 - 00000537 _____ () C:\windows\win.ini
2014-12-18 23:47 - 2013-08-14 02:02 - 00000000 ____D () C:\windows\system32\MRT
2014-12-18 23:30 - 2012-06-01 09:10 - 112710672 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-11-24 20:42 - 2014-07-17 22:05 - 00000177 _____ () C:\Users\Mommy\Desktop\avgrep.txt
2014-11-24 19:41 - 2012-07-06 17:21 - 00000860 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core.job
2014-11-24 19:07 - 2012-07-05 14:19 - 00000852 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core.job
2014-11-24 13:15 - 2012-07-22 14:14 - 00000856 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core.job
2014-11-23 20:33 - 2013-03-24 12:18 - 00000000 ____D () C:\Users\Mommy\AppData\Local\Spotify
2014-11-23 17:35 - 2012-05-20 07:21 - 00000000 ____D () C:\Users\Daddy\AppData\Local\Adobe
2014-11-23 17:30 - 2011-12-21 19:47 - 00002398 _____ () C:\Users\Public\Desktop\Internet Browser.lnk
2014-11-23 17:30 - 2011-12-21 19:47 - 00000000 ____D () C:\Program Files (x86)\Google
2014-11-23 06:48 - 2012-07-20 16:53 - 00000856 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core.job

Some content of TEMP:
====================
C:\Users\Daddy\AppData\Local\Temp\0134851357934090mcinst.exe
C:\Users\Daddy\AppData\Local\Temp\2F658057-A565-F64A-D98A-1AE05C625B6D.dll
C:\Users\Daddy\AppData\Local\Temp\2F658057-A565-F64A-D98A-1AE05C625B6D.exe
C:\Users\Daddy\AppData\Local\Temp\321D0B64-DA79-1F48-57D5-F28ACE24334D.exe
C:\Users\Daddy\AppData\Local\Temp\avg-dfc21d4c-ec33-4d5f-838b-bf2ecb78a763.exe
C:\Users\Daddy\AppData\Local\Temp\bq4u_otq.dll
C:\Users\Daddy\AppData\Local\Temp\ICReinstall_DownloadManagerSetup.exe
C:\Users\Daddy\AppData\Local\Temp\mcinsint.exe
C:\Users\Daddy\AppData\Local\Temp\n1hex_8y.dll
C:\Users\Daddy\AppData\Local\Temp\oi_{7E984432-BFC1-4E2B-BAD6-05CC4B3F7F45}.exe
C:\Users\Daddy\AppData\Local\Temp\ose00000.exe
C:\Users\Daddy\AppData\Local\Temp\Package_en_ww.exe
C:\Users\Daddy\AppData\Local\Temp\Quarantine.exe
C:\Users\Daddy\AppData\Local\Temp\Setup.exe
C:\Users\Daddy\AppData\Local\Temp\sqlite3.dll
C:\Users\Daddy\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\Daddy\AppData\Local\Temp\System.Data.SQLite31822.dll
C:\Users\Daddy\AppData\Local\Temp\System.Data.SQLite38049.dll
C:\Users\Daddy\AppData\Local\Temp\System.Data.SQLite66487.dll
C:\Users\Daddy\AppData\Local\Temp\The_Weather_Channel_Application.exe
C:\Users\Daddy\AppData\Local\Temp\VASInstallerWizard.exe
C:\Users\Daddy\AppData\Local\Temp\winziprosetup.exe
C:\Users\Yael\AppData\Local\Temp\mcinsint.exe
C:\Users\Yael\AppData\Local\Temp\VASInstallerWizard.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-21 08:16

==================== End Of Log ============================
Last edited by shalom123 on December 21st, 2014, 10:41 am, edited 1 time in total.

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 21st, 2014, 10:36 am

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-21 09:24:55
Running from C:\Users\Daddy\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version: - )
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.7) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5577 - AVG Technologies)
AVG 2015 (Version: 15.0.4223 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5577 - AVG Technologies) Hidden
AVS Audio Converter 7 (HKLM-x32\...\AVS Audio Converter_is1) (Version: - Online Media Technologies Ltd.)
AVS Update Manager 1.0 (HKLM-x32\...\AVS Update Manager_is1) (Version: - Online Media Technologies Ltd.)
AVS4YOU Software Navigator 1.4 (HKLM-x32\...\AVS4YOU Software Navigator_is1) (Version: - Online Media Technologies Ltd.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bucksbee Loyalty Plugin 100815.b for Chrome (HKLM-x32\...\Bucksbee Loyalty Plugin 100815.b for Chrome) (Version: - )
CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) Hidden
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.1.0.0 - Citrix Systems, Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
ffdshow v1.1.4369 [2012-03-03] (HKLM-x32\...\ffdshow_is1) (Version: 1.1.4369.0 - )
Google Chrome (HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\Google Chrome) (Version: 39.0.2171.65 - Google Inc.)
Google Chrome (HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Google Chrome) (Version: 34.0.1847.131 - Google Inc.)
Google Chrome (HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Google Chrome) (Version: 37.0.2062.120 - Google Inc.)
Google Talk Plugin (HKLM-x32\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
HP Deskjet 2540 series Basic Device Software (HKLM\...\{6A79CD11-0C1C-4E24-A8C6-46A02F680346}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
HP Deskjet 2540 series Help (HKLM-x32\...\{4539575D-C09D-4E71-B207-0F2D6BD74DA2}) (Version: 30.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticCoreDll (HKLM-x32\...\{9262B08F-E183-4FED-A2BD-23FF1A84EB79}) (Version: 1.0.15.0 - Hewlett Packard)
IHA_MessageCenter (HKLM-x32\...\{53C49C8D-DFB2-42B9-A7EF-0F9CA386CC13}) (Version: 1.8.17 - Verizon)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1118 - Intel Corporation)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2246 - Intel Corporation)
iTunes (HKLM\...\{76FF0F03-B707-4332-B5D1-A56C8303514E}) (Version: 11.0.4.4 - Apple Inc.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
K-Lite Codec Pack 7.0.0 (Standard) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 7.0.0 - )
Lenovo Blacksilk USB Keyboard Driver (HKLM-x32\...\{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.4.11.0608 - Lenovo)
Lenovo Driver and Application Installation (HKLM-x32\...\{45970CD1-D599-47D4-938F-3E9800D54ED1}) (Version: 5.10.1809 - Lenovo)
Lenovo Dynamic Brightness System (HKLM-x32\...\{D9ED6D06-6002-495E-A7BC-46E6AE386996}) (Version: 4.0.00.22080 - Lenovo)
Lenovo Eye Distance System (HKLM-x32\...\{5183D7AB-D09B-411F-A74E-BBAEA61C6505}) (Version: 4.0.00.21090 - Lenovo)
Lenovo Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.4827a - CyberLink Corp.)
Lenovo Power2Go (x32 Version: 6.0.4827a - CyberLink Corp.) Hidden
Lenovo Rescue System (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 3.0.1409 - CyberLink Corp.)
Lenovo Rescue System (Version: 3.0.1409 - CyberLink Corp.) Hidden
Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
LogMeIn (HKLM-x32\...\{2BFDA78F-39F7-4537-9995-71424CFA88BB}) (Version: 4.1.2138 - LogMeIn, Inc.)
LVT (HKLM-x32\...\{D3063097-EC84-4D21-84A4-9D852E974355}) (Version: 4.1.2.0919 - Lenovo)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyTomTom 3.1.0.530 (HKLM-x32\...\MyTomTom) (Version: 3.1.0.530 - TomTom)
OneSoftPerDay 025.375 (HKLM-x32\...\ospd_us_375_is1) (Version: - ONESOFTPERDAY)
Online Plug-in (x32 Version: 13.1.201.3 - Citrix Systems, Inc.) Hidden
Online Plug-in (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Open Freely (HKLM\...\{1BF14E04-85DE-480C-9A04-EB36744C66C3}_is1) (Version: 1.0 - Download Freely, LLC)
Opera Stable 24.0.1558.64 (HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\Opera 24.0.1558.64) (Version: 24.0.1558.64 - Opera Software ASA)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.2.0 - Frank Heindörfer, Philip Chinery)
Product Improvement Study for HP Deskjet 2540 series (HKLM\...\{DF34643B-A745-430C-B27B-A48F853C81E4}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6230 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30123 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 2.5.5 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.5 - VS Revo Group, Ltd.)
Self-service Plug-in (x32 Version: 3.2.0.24226 - Citrix Systems, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 6.21 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Spotify) (Version: 0.9.8.296.g91f68827 - Spotify AB)
The Weather Channel App (HKLM-x32\...\The Weather Channel App) (Version: - )
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.1 - Tweaking.com)
Uninstall Helper (HKLM-x32\...\Uninstall Helper 2.0.0.0) (Version: 2.0.0.0 - W3i, LLC)
Uninstall Helper (x32 Version: 2.0.0.0 - W3i, LLC) Hidden
Version Checker for Funmoods (HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Funmoods) (Version: - ) <==== ATTENTION
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
Vz In Home Agent (HKLM-x32\...\{07FF08D2-C0CD-4B02-B9A6-E2E7E5762AA9}) (Version: 8.03.53 - Verizon)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Media Player Firefox Plugin (HKLM-x32\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Wondershare Music Converter(Build 1.3.4.0) (HKLM-x32\...\Wondershare Music Converter_is1) (Version: - Wondershare Software)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version: - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File

==================== Restore Points =========================

19-11-2014 03:00:12 Windows Update
20-11-2014 03:00:11 Windows Update
21-11-2014 03:00:13 Windows Update
21-11-2014 15:35:11 Windows Update
23-11-2014 03:00:16 Windows Update
23-11-2014 17:48:56 Installed HPDiagnosticCoreDll
23-11-2014 20:50:22 Windows Update
24-11-2014 21:07:22 Windows Update
28-11-2014 10:27:25 Windows Update
18-12-2014 23:21:48 Windows Update
19-12-2014 09:07:25 Windows Update
19-12-2014 10:02:38 Windows Update
19-12-2014 13:21:42 Removed BabylonObjectInstaller

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2014-12-19 13:28 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {00795989-470E-4684-8A9D-906937F4C470} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-22] (Google Inc.)
Task: {1000D3AB-9434-44CF-8D6B-734A5DD37CAE} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-22] (Google Inc.)
Task: {146528BB-FFA9-456E-8A09-36384BD798E8} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-06] (Google Inc.)
Task: {2020BA66-8A14-4BCE-A037-E3FF2948531A} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA => C:\Users\Mommy\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20] (Google Inc.)
Task: {38DF6085-0128-4DED-B910-6A93E0C2E96F} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-06] (Adobe Systems Incorporated)
Task: {3AB368A3-87A1-4CE2-8646-5E1F38BA9066} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {6368AB21-97F4-4BDC-AA96-602A90C7FF08} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {9816FAC7-E576-4F38-9A87-5A611323D59D} - \Tempo Runner coz64host No Task File <==== ATTENTION
Task: {99CF03C7-333A-4179-A452-227579C02576} - System32\Tasks\HPCustParticipation HP Deskjet 2540 series => C:\Program Files\HP\HP Deskjet 2540 series\Bin\HPCustPartic.exe [2014-03-06] (Hewlett-Packard Co.)
Task: {AD7861D0-9A5A-474E-ABDB-F780D0583FDC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core => C:\Users\Mommy\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-20] (Google Inc.)
Task: {B2617A12-4249-4966-AD0A-BAD11FB25D56} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-05] (Google Inc.)
Task: {BD60DC31-998E-4C8E-B3ED-D301DBB8FDC2} - System32\Tasks\Opera scheduled Autoupdate 1412647504 => C:\Users\Shalom\AppData\Local\Programs\Opera\launcher.exe [2014-09-25] (Opera Software)
Task: {FB1B7925-2108-442C-9449-7926650ECBA3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-06] (Google Inc.)
Task: {FDCA8E1E-79C4-42C0-9FF5-7911D11BE7E4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-05] (Google Inc.)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core.job => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA.job => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core.job => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA.job => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core.job => C:\Users\Mommy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA.job => C:\Users\Mommy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core.job => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA.job => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\Tempo Runner coz32host.job => C:\ProgramData\zoomify2\1.1.0.27\coz32host.exe
Task: C:\windows\Tasks\Tempo Runner cozahost.job => C:\ProgramData\zoomify2\1.1.0.27\cozahost.exe

==================== Loaded Modules (whitelisted) =============

2012-08-20 21:44 - 2005-03-11 23:07 - 00087040 _____ () C:\windows\System32\pdfcmnnt.dll
2011-12-21 19:18 - 2011-03-15 23:47 - 00032768 _____ () C:\Windows\jmesoft\Service.exe
2014-11-23 17:40 - 2014-11-06 13:16 - 03306440 _____ () C:\Users\Daddy\AppData\Local\ospd_us_375\upospd_us_375.exe
2012-05-30 19:06 - 2012-05-30 19:06 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2012-05-30 19:06 - 2012-05-30 19:06 - 01242512 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 02144104 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtCore4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 07955304 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtGui4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 00341352 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtXml4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 00028008 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QGif4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 00127336 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-4229975068-1931466670-3666739151-500 - Administrator - Disabled)
Atara (S-1-5-21-4229975068-1931466670-3666739151-1005 - Limited - Enabled) => C:\Users\Atara
Daddy (S-1-5-21-4229975068-1931466670-3666739151-1001 - Administrator - Enabled) => C:\Users\Daddy
Guest (S-1-5-21-4229975068-1931466670-3666739151-501 - Limited - Disabled)
Michal (S-1-5-21-4229975068-1931466670-3666739151-1006 - Limited - Enabled) => C:\Users\Michal
Mommy (S-1-5-21-4229975068-1931466670-3666739151-1003 - Limited - Enabled) => C:\Users\Mommy
Sara (S-1-5-21-4229975068-1931466670-3666739151-1007 - Limited - Enabled) => C:\Users\Sara
Shalom (S-1-5-21-4229975068-1931466670-3666739151-1004 - Limited - Enabled) => C:\Users\Shalom
Yael (S-1-5-21-4229975068-1931466670-3666739151-1002 - Limited - Enabled) => C:\Users\Yael

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/21/2014 07:50:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/20/2014 06:08:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/19/2014 02:23:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/19/2014 02:23:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/19/2014 02:07:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/19/2014 01:51:46 PM) (Source: Self-service Plug-in) (EventID: 0) (User: )
Description: Self-service Plug-in exited unexpectedly. Exception was Unknown error (0xfffffffe) at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start()
at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start(String fileName, String arguments)
at DazzlePlugin.ARForm.TimerPoll()
at DazzlePlugin.ARForm.RefreshTimerTick(Object sender, EventArgs e)
at System.Windows.Forms.Timer.OnTick(EventArgs e)
at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam).


System errors:
=============
Error: (12/21/2014 09:23:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/21/2014 08:31:44 AM) (Source: Microsoft-Windows-Kernel-General) (EventID: 5) (User: NT AUTHORITY)
Description: 0x8000002a171\??\Volume{601787c5-2c31-11e1-b772-806e6f6e6963}\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{B312E00D-AB5A-4D05-9E0B-EB06A35F2F57}

Error: (12/21/2014 07:49:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/21/2014 07:49:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/20/2014 06:07:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/20/2014 06:07:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/19/2014 02:05:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/19/2014 02:05:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/19/2014 01:35:37 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/19/2014 01:35:37 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (12/21/2014 07:50:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (12/20/2014 06:08:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/19/2014 02:23:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (12/19/2014 02:23:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (12/19/2014 02:07:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/19/2014 01:51:46 PM) (Source: Self-service Plug-in) (EventID: 0) (User: )
Description: Self-service Plug-in exited unexpectedly. Exception was Unknown error (0xfffffffe) at System.Diagnostics.Process.StartWithShellExecuteEx(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start()
at System.Diagnostics.Process.Start(ProcessStartInfo startInfo)
at System.Diagnostics.Process.Start(String fileName, String arguments)
at DazzlePlugin.ARForm.TimerPoll()
at DazzlePlugin.ARForm.RefreshTimerTick(Object sender, EventArgs e)
at System.Windows.Forms.Timer.OnTick(EventArgs e)
at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam).


CodeIntegrity Errors:
===================================
Date: 2013-06-30 13:42:13.733
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-30 13:42:13.729
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-30 13:42:13.726
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.896
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.894
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.892
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.023
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.020
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.018
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz
Percentage of memory in use: 29%
Total physical RAM: 5992.37 MB
Available physical RAM: 4207.77 MB
Total Pagefile: 11982.92 MB
Available Pagefile: 10173.31 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:906.34 GB) (Free:579.44 GB) NTFS
Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive f: (FreeAgent GoFlex Drive) (Fixed) (Total:1397.26 GB) (Free:1330.2 GB) NTFS
Drive h: () (Removable) (Total:1.9 GB) (Free:0.93 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 4079EF22)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=906.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=25.1 GB) - (Type=12)

========================================================
Disk: 1 (Size: 1397.3 GB) (Disk ID: E6A01404)
Partition 1: (Not Active) - (Size=1397.3 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 1.9 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================
shalom123
Regular Member
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 21st, 2014, 10:37 am

Farbar Recovery Scan Tool (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-21 09:29:06
Running from C:\Users\Daddy\Desktop
Boot Mode: Normal

================== Search Registry: "ALOT;AnyProtect;Babylon;BetterBrain;BlockAndSurf;ConvertAd;DealCabby;EasyDriver;RemoteDesktopAccess;RocketTab;Savepass;SearchProtect;snipsmart;StormWatch;Vosteran;WSE_Vosteran;Zoomify" ===========


===================== Search result for "ALOT" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}]
"DllName"="alotBHO.dll;alotBHO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}]
"DllName"="alot.dll;alot.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}]
"DllName"="alotBHO.dll;alotBHO.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}]
"DllName"="alot.dll;alot.dll"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_SETCAPTURE_XDOMAIN]
"ALOTWidgets.exe"="0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION]
"ALOTWidgets.exe"="0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\Users\Daddy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EUWTFVC2\alot-appbar-installer.exe"="1"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar]


===================== Search result for "AnyProtect" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\46f233a4_0]
""="{0.0.0.00000000}.{ac8da424-b853-4e50-b219-96acac38218b}|\Device\HarddiskVolume2\Program Files (x86)\AnyProtectEx\AnyProtect.exe%b{00000000-0000-0000-0000-000000000000}"


===================== Search result for "Babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}]
"DllName"="BabylonToolbar.dll"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\Users\Daddy\AppData\Local\Temp\MybabylonTB.exe"="1"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\Users\Sara\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_BabylonToolbarsr_41b7b4d549671c222de32cd9874d4346715478_cab_01623ee4"


===================== Search result for "BlockAndSurf" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf]


===================== Search result for "DealCabby" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\DealCabby]


===================== Search result for "EasyDriver" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\Probit Software\Easy Driver Pro\EasyDriverPro.exe"="RUNASADMIN ELEVATECREATEPROCESS"


===================== Search result for "Savepass" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622612261}\InprocServer32]
""="C:\Program Files (x86)\Savepass 3.0\Savepass 3.0-bho64.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}\1.0\0\win64]
""="C:\Program Files (x86)\Savepass 3.0\Savepass 3.0-bho64.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{44444444-4444-4444-4444-440644614461}\1.0\0\win64]
""="C:\Program Files (x86)\Savepass 3.0\Savepass 3.0-bho64.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}\1.0\0\win64]
""="C:\Program Files (x86)\Savepass 3.0\Savepass 3.0-bho64.dll"

[HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c83a006-90c0-43da-832c-548bfd0297a4}]
"AppName"="Savepass 3.0-bg.exe"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16985C8-3D0C-4A34-8939-8C89E46B4622}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{966d045c-60f6-4103-80a6-0b47f658a874}]
"AppName"="Savepass 3.0-codedownloader.exe"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4E5D7E7-37ED-4592-9BDE-E1AEB758C25E}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CF10CD7C-22C3-439C-9713-D3FD5C11469D}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E3B0F446-995B-47B3-B5B8-0E5FA6ABAD2}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Savepass 3.0]


===================== Search result for "snipsmart" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}]
""="IsnipsmartBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}\1.0\0\win32]
""="C:\Program Files (x86)\snipsmart\snipsmartbho.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}]
""="snipsmart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}]
""="IsnipsmartBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}\1.0\0\win32]
""="C:\Program Files (x86)\snipsmart\snipsmartbho.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION]
"snipsmart.BOAS.exe"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"snipsmart.BOAS.exe"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING]
"snipsmart.BOAS.exe"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
"snipsmart.BOAS.exe"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION]
"snipsmart.BOAS.exe"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}]
""="snipsmart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}]
""="IsnipsmartBHO"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}\1.0\0\win32]
""="C:\Program Files (x86)\snipsmart\snipsmartbho.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{C61E1BB8-C039-4913-90C2-1EDA84237B4A}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\snipsmart\bin\snipsmart.BRT.Helper.exe|Name=snipsmart.BRT.Helper.exe|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet\ManualProxies]
""="0file://C:\Program Files (x86)\snipsmart\bin\Pac9064.js"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{C61E1BB8-C039-4913-90C2-1EDA84237B4A}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\snipsmart\bin\snipsmart.BRT.Helper.exe|Name=snipsmart.BRT.Helper.exe|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{C61E1BB8-C039-4913-90C2-1EDA84237B4A}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\snipsmart\bin\snipsmart.BRT.Helper.exe|Name=snipsmart.BRT.Helper.exe|"


===================== Search result for "StormWatch" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"StormWatchApp.exe"="65535"


===================== Search result for "Vosteran" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I\DefaultIcon]
""="C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities]
"ApplicationDescription"="Vosteran is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Vosteran."

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities]
"ApplicationName"="Vosteran"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\FileAssociations]
".html"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\FileAssociations]
".xht"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\FileAssociations]
".webp"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"ftp"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"https"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"mailto"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"news"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"sms"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"tel"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"webcal"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\InstallInfo]
"ReinstallCommand"=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" --make-default-browser"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\InstallInfo]
"ShowIconsCommand"=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" --show-icons"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe]
"Path"="C:\Users\Daddy\AppData\Local\Vosteran\Application"

[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I"="Software\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
"AppPath"="C:\Program Files (x86)\WSE_Vosteran\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\ShimInclusionList\vosteran.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe]
""="C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities]
"ApplicationDescription"="Vosteran is a web browser that runs webpages and applications with lightning speed. It's fast, stable, and easy to use. Browse the web more safely with malware and phishing protection built into Vosteran."

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities]
"ApplicationName"="Vosteran"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\FileAssociations]
".html"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\FileAssociations]
".xht"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\FileAssociations]
".webp"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"ftp"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"https"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"mailto"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"news"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"sms"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"tel"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities\URLAssociations]
"webcal"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\InstallInfo]
"ReinstallCommand"=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" --make-default-browser"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\InstallInfo]
"ShowIconsCommand"=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" --show-icons"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RegisteredApplications]
"Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I"="Software\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I\Capabilities"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Clients\StartMenuInternet]
""="Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.htm]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.shtml]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.xhtml]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\ftp\shell\open\command]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" -- "%1""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\http\shell\open\command]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" -- "%1""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\https\shell\open\command]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" -- "%1""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\31.0.1650.23\delegate_execute.exe""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.htm]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.shtml]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.xhtml]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\ftp\shell\open\command]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" -- "%1""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\http\shell\open\command]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" -- "%1""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\https\shell\open\command]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" -- "%1""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\31.0.1650.23\delegate_execute.exe""


===================== Search result for "WSE_Vosteran" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
"AppPath"="C:\Program Files (x86)\WSE_Vosteran\\"


===================== Search result for "Zoomify" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}]
""="Zoomify"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\0\win32]
""="C:\ProgramData\zoomify2\1.1.0.27\zoomify64.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}]
""="Zoomify"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\0\win32]
""="C:\ProgramData\zoomify2\1.1.0.27\zoomify64.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}]
""="Zoomify"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}\1.0\0\win32]
""="C:\ProgramData\zoomify2\1.1.0.27\zoomify64.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cozhost]
"ImagePath"="C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe /ts2=1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0303AE19-BCF3-42B1-A8DB-A300A8184C15}"="v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{875112DC-5DB7-458D-962D-30C553B79C4D}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{E6BD37CC-7116-4B9E-A591-60D35140769E}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cozhost]
"ImagePath"="C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe /ts2=1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0303AE19-BCF3-42B1-A8DB-A300A8184C15}"="v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{875112DC-5DB7-458D-962D-30C553B79C4D}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{E6BD37CC-7116-4B9E-A591-60D35140769E}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cozhost]
"ImagePath"="C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe /ts2=1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0303AE19-BCF3-42B1-A8DB-A300A8184C15}"="v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{875112DC-5DB7-458D-962D-30C553B79C4D}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{E6BD37CC-7116-4B9E-A591-60D35140769E}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify]

====== End Of Search ======
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm
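
The search log above is long because FRST prints every hive and every control set it finds a match in, so the same firewall rule or service appears three times (ControlSet001, ControlSet002, CurrentControlSet), and the entries that actually matter for cleanup (inbound firewall allow rules, service image paths, a PAC proxy file under ManualProxies, hijacked http/https/ftp handlers, IE Low Rights elevation-policy entries) are scattered across several search terms. The script below is an added example; it is not part of the original post and not a feature of FRST. It parses the [KEY] / "name"="value" layout FRST uses, classifies the entries a responder would want to see first, and collapses the control-set duplicates. The sample input is constructed from entries quoted in the log; the category names and the triage/summarize functions are this example's own.

```python
"""Triage an FRST registry "Search result" log for persistence and hijack indicators.

Added example: not part of the original forum post and not a feature of FRST.
Category names and the sample below are this example's own; the sample is
constructed from entries quoted in the log above.
"""
import re
from collections import defaultdict

# Constructed sample, assembled from entries visible in the FRST search log above.
SAMPLE_LOG = r'''
===================== Search result for "snipsmart" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{C61E1BB8-C039-4913-90C2-1EDA84237B4A}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\snipsmart\bin\snipsmart.BRT.Helper.exe|Name=snipsmart.BRT.Helper.exe|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\NlaSvc\Parameters\Internet\ManualProxies]
""="0file://C:\Program Files (x86)\snipsmart\bin\Pac9064.js"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{C61E1BB8-C039-4913-90C2-1EDA84237B4A}"="v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\snipsmart\bin\snipsmart.BRT.Helper.exe|Name=snipsmart.BRT.Helper.exe|"

===================== Search result for "Vosteran" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\https\shell\open\command]
""=""C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe" -- "%1""

===================== Search result for "Zoomify" ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cozhost]
"ImagePath"="C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe /ts2=1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0303AE19-BCF3-42B1-A8DB-A300A8184C15}"="v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\zoomify2\1.1.0.27\cozhost.exe|Name=zoomify|"
'''

HEADER_RE = re.compile(r'^=+ Search result for "(?P<term>[^"]+)" =+$')
KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
CTRLSET_RE = re.compile(r'\\(?:ControlSet\d{3}|CurrentControlSet)\\', re.I)
URL_HANDLER_RE = re.compile(r'\\classes\\(https?|ftp)\\shell\\open\\command$')


def parse_entries(text):
    """Yield (search_term, key, value_name, value) for every "name"="value" line.

    FRST prints the key in brackets on its own line, then one value per line.
    A value may itself contain quotes (a quoted command line), so the split is
    on the first '"="' and only the single trailing quote is stripped.
    """
    term = key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            term = m.group('term')
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key and line.startswith('"') and '"="' in line:
            i = line.index('"="')
            name, value = line[1:i], line[i + 3:]
            if value.endswith('"'):
                value = value[:-1]
            yield term, key, name, value


def classify(key, name, value):
    """Map one entry to (category, detail), or None if it is not a persistence/hijack location."""
    k = key.lower()
    if k.endswith('\\firewallpolicy\\firewallrules'):
        # Rule string is v2.10|Action=..|Active=..|Dir=..|Protocol=..|Profile=..|App=..|Name=..|
        fields = dict(p.split('=', 1) for p in value.split('|') if '=' in p)
        if fields.get('Action') == 'Allow' and fields.get('Active') == 'TRUE':
            return 'firewall-allow', '%s %s proto=%s app=%s' % (
                fields.get('Dir', '?'), fields.get('Profile', 'Any'),
                fields.get('Protocol', 'Any'), fields.get('App', '?'))
    elif name.lower() == 'imagepath' and '\\services\\' in k:
        return 'service', value
    elif k.endswith('\\manualproxies'):
        return 'proxy-pac', value
    elif URL_HANDLER_RE.search(k):
        return 'url-handler', value
    elif '\\low rights\\elevationpolicy\\' in k:
        return 'ie-elevation-policy', '%s=%s' % (name, value)
    return None


def triage(text):
    """Return unique findings; one entry under ControlSet001/002/CurrentControlSet counts once."""
    seen, findings = set(), []
    for term, key, name, value in parse_entries(text):
        hit = classify(key, name, value)
        if hit is None:
            continue
        category, detail = hit
        ident = (category, CTRLSET_RE.sub(lambda m: '\\ControlSet*\\', key).lower(), name, detail)
        if ident in seen:
            continue
        seen.add(ident)
        findings.append({'term': term, 'category': category, 'key': key, 'detail': detail})
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = defaultdict(int)
    for f in findings:
        counts[f['category']] += 1
    return dict(counts)


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%-20s [%s] %s' % (f['category'], f['term'], f['detail']))
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample this yields five findings from six matching entries: the snipsmart firewall rule is reported once although it sits in two control sets, and the zoomify rule shows up with no Protocol or Profile field, which means it allows inbound traffic on any protocol and any profile. The script only reads the pasted log text; it does not touch the live registry, and a category hit is a lead for the responder, not a verdict.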

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 21st, 2014, 10:41 am

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-21 09:21:55)<=

==> ATTENTION: System is not rebooted.
C:\windows\system32\GroupPolicy\Machine\Registry.pol => Moved successfully.
C:\windows\system32\GroupPolicy\Machine => Moved successfully.
C:\windows\system32\GroupPolicy\GPT.ini => Moved successfully.
C:\windows\system32\GroupPolicy\GPT.ini => Is moved successfully.
C:\windows\patsearch.bin => Moved successfully.
C:\windows\system32\Drivers\Msft_Kernel_webinstrT_01009.Wdf => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ONESOFTPERDAY\Onesoftperday.lnk => Moved successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ONESOFTPERDAY => Moved successfully.
C:\Program Files (x86)\ospd_us_375\onesoftperday_widget.exe => Moved successfully.
C:\Program Files (x86)\ospd_us_375\ospd_us_375.exe => Moved successfully.
C:\Program Files (x86)\ospd_us_375\predm.exe => Moved successfully.
C:\Program Files (x86)\ospd_us_375\qwert.txt => Moved successfully.
C:\Program Files (x86)\ospd_us_375\qwert10.txt => Moved successfully.
C:\Program Files (x86)\ospd_us_375\qwert4.txt => Moved successfully.
C:\Program Files (x86)\ospd_us_375\qwert5.txt => Moved successfully.
C:\Program Files (x86)\ospd_us_375\qwert6.txt => Moved successfully.
C:\Program Files (x86)\ospd_us_375\qwert9.txt => Moved successfully.
C:\Program Files (x86)\ospd_us_375\unins000.dat => Moved successfully.
C:\Program Files (x86)\ospd_us_375\unins000.exe => Moved successfully.
C:\Program Files (x86)\ospd_us_375\unins000.msg => Moved successfully.
C:\Program Files (x86)\ospd_us_375 => Moved successfully.
C:\ProgramData\flashax10.exe => Moved successfully.
C:\Windows\System32\Tasks\Tempo Runner coz64host => Moved successfully.

==== End of Fixlog ====

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » December 21st, 2014, 1:30 pm

I didn't really want to start running a cleanup from the other accounts yet, but since you've sent me the logs, I guess we can start, and see if it relieves any of the problems in the first account.

So, with your computer booted into the 2nd account (the one you've just run the scan in) ....

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad. (don't include Code: Select all)
Code: Select all
HKLM-x32\...\Run: [ospd_us_375] => "C:\Program Files (x86)\ospd_us_375\ospd_us_375.exe"
HKLM-x32\...\RunOnce: [upospd_us_375.exe] => C:\Users\Daddy\AppData\Local\ospd_us_375\upospd_us_375.exe [3306440 2014-11-06] ()
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - F:\LaunchU3.exe -a
GroupPolicyUsers\S-1-5-21-4229975068-1931466670-3666739151-1002\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKLM-x32 -> Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q= {searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> Backup.Old.DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q= {searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
BHO: No Name -> {72351B45-9636-4F99-820B-7C552D27897D}} -> No File
BHO-x32: No Name -> {72351B45-9636-4F99-820B-7C552D27897D}} -> No File
Toolbar: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> No Name - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
CHR HomePage: Default -> hxxp://Vosteran.com/?f=1&a=vst_cmi_14_4 ... 361997&ir=
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_cmi_14_47_ch&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAzz0B0A0DtB0E0AtG0ByByByDtGyE0FyByBtG0FtB0C0FtGtAyDyDyEtBtB0DtDtD0EtAzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0Azy0FyB0EyD0FtGyCzztAtAtGyEtDyDyEtGzztB0FtDtG0AyC0B0AtDzy0EtCyB0E0DyE2Q&cr=960361997&ir="
CHR Extension: (snipsmart) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaccgfkbmhkegoljkoefhpifoaehnhjp [2014-11-23]
CHR Extension: (BucksBee RewardsBar) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajcmjjdlglpcfblcnjilhodiondejlm [2014-01-26]
CHR HKLM-x32\...\Chrome\Extension: [lajcmjjdlglpcfblcnjilhodiondejlm] - C:\Users\Daddy\AppData\Roaming\Bucksbee Loyalty Plugin 100815.b for Chrome\Toolbar_production_100815_12.crx [2012-05-21]
S2 cozhost; C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe /ts2=1 [X]
S2 cozwhost; C:\PROGRA~3\zoomify2\110~1.27\cozwhost.exe -scm [X]
C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe
C:\PROGRA~3\zoomify2\110~1.27\cozwhost.exe
2014-12-18 23:33 - 2014-12-18 23:48 - 00000308 _____ () C:\windows\Tasks\Tempo Runner coz32host.job
2014-12-18 23:31 - 2014-12-18 23:48 - 00000306 _____ () C:\windows\Tasks\Tempo Runner cozahost.job
2014-11-24 20:17 - 2014-11-24 20:17 - 00000000 ____D () C:\Users\Mommy\AppData\Local\ospd_us_375
2014-11-23 18:39 - 2014-11-23 18:39 - 00628496 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsh3FDD.tmp
2014-11-23 18:01 - 2014-11-23 18:01 - 00613057 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsi226C.tmp
2014-11-23 17:41 - 2014-11-23 17:41 - 00613057 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsa441E.tmp
2014-11-23 17:40 - 2014-12-21 08:56 - 00000000 ____D () C:\Users\Daddy\AppData\Local\ospd_us_375
Task: {9816FAC7-E576-4F38-9A87-5A611323D59D} - \Tempo Runner coz64host No Task File <==== ATTENTION
Task: C:\windows\Tasks\Tempo Runner coz32host.job => C:\ProgramData\zoomify2\1.1.0.27\coz32host.exe
Task: C:\windows\Tasks\Tempo Runner cozahost.job => C:\ProgramData\zoomify2\1.1.0.27\cozahost.exe
C:\Program Files (x86)\Savepass 3.0
C:\Program Files (x86)\WSE_Vosteran
C:\ProgramData\zoomify2
Hosts:
EmptyTemp:
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_SETCAPTURE_XDOMAIN" /v "ALOTWidgets.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION" /v "ALOTWidgets.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Daddy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EUWTFVC2\alot-appbar-installer.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\46f233a4_0" /v "" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Daddy\AppData\Local\Temp\MybabylonTB.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\DealCabby" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files (x86)\Probit Software\Easy Driver Pro\EasyDriverPro.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622612261}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{44444444-4444-4444-4444-440644614461}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}" /f
Reg: Reg.exe delete "HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c83a006-90c0-43da-832c-548bfd0297a4}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16985C8-3D0C-4A34-8939-8C89E46B4622}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{966d045c-60f6-4103-80a6-0b47f658a874}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4E5D7E7-37ED-4592-9BDE-E1AEB758C25E}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CF10CD7C-22C3-439C-9713-D3FD5C11469D}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E3B0F446-995B-47B3-B5B8-0E5FA6ABAD2}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{C61E1BB8-C039-4913-90C2-1EDA84237B4A}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION" /v "StormWatchApp.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications" /v "Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy" /v "AppPath" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\ShimInclusionList\vosteran.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Clients\StartMenuInternet" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.htm" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.shtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.xhtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\ftp\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\http\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\https\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.htm" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.shtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.xhtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\ftp\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\http\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\https\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32" /v "" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy" /v "AppPath" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cozhost" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cozhost" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{0303AE19-BCF3-42B1-A8DB-A300A8184C15}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{875112DC-5DB7-458D-962D-30C553B79C4D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{E6BD37CC-7116-4B9E-A591-60D35140769E}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify" /f

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ...
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Please let me know if you are now able to run any programs in the first account you ran FRST in.
Gary R
Administrator
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
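The Reg: lines in a fixlist are passed to Reg.exe more or less verbatim, so a stray or missing quote changes which key or value gets deleted, and a delete without /v under a key that many programs share (FirewallRules, Installer\Folders, the FeatureControl keys) removes every entry beneath it rather than the one the log pointed at. The small lint below is an added example, not part of FRST or of the script posted above; it assumes only the syntax visible in that script, `Reg: Reg.exe delete "<key>" [/v "<value>"] /f`, and runs over constructed sample lines (placeholder SID, not the user's) that reproduce the kinds of defects a reviewer looks for before a fix is run.

```python
import re
from dataclasses import dataclass

# One well-formed Reg: directive as used in FRST fixlists:
#   Reg: Reg.exe delete "<key>" [/v "<value>"] /f
REG_LINE = re.compile(r'^Reg: Reg\.exe delete "(?P<key>[^"]+)"(?: /v "(?P<value>[^"]*)")? /f$')

VALID_ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKEY_CURRENT_USER",
               "HKEY_CLASSES_ROOT", "HKLM", "HKU", "HKCU", "HKCR")

# Keys that hold entries for many unrelated programs. A fixlist should remove a
# single value (/v) under them, never the whole key.
SHARED_CONTAINERS = (
    r"FirewallPolicy\FirewallRules",
    r"Installer\Folders",
    r"OpenWithProgids",
    r"RegisteredApplications",
    r"AppCompatFlags\Layers",
    r"Compatibility Assistant\Persisted",
)

# Registry GUIDs are {8-4-4-4-12} hex digits; a typo makes Reg.exe fail silently (/f).
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    lineno: int
    severity: str  # "error" (line will not do what was intended) or "warning" (over-broad or doubtful)
    message: str


def targets_shared_container(key: str) -> bool:
    k = key.lower()
    return any(k.endswith(c.lower()) for c in SHARED_CONTAINERS) or "\\featurecontrol\\feature_" in k


def lint_fixlist(text: str) -> list[Finding]:
    """Check every Reg: line of a fixlist; other FRST directives are passed through untouched."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("Reg:"):
            continue
        m = REG_LINE.match(line)
        if not m:
            if line.count('"') % 2:
                findings.append(Finding(lineno, "error",
                                        "unbalanced quotes; Reg.exe would mis-parse the key or value name"))
            else:
                findings.append(Finding(lineno, "error",
                                        'does not match: Reg: Reg.exe delete "<key>" [/v "<value>"] /f'))
            continue
        key, value = m.group("key"), m.group("value")
        root = key.split("\\", 1)[0]
        if root not in VALID_ROOTS:
            findings.append(Finding(lineno, "error", f"unknown registry root {root!r}"))
        if value is None and targets_shared_container(key):
            findings.append(Finding(lineno, "warning",
                                    "deletes a whole shared key; add /v to remove only the offending value"))
        for token in re.findall(r"\{[^{}]*\}", key + (value or "")):
            if not GUID_RE.fullmatch(token):
                findings.append(Finding(lineno, "warning",
                                        f"{token} is not a well-formed GUID; re-check it against the FRST log"))
    return findings


def format_report(findings: list[Finding]) -> str:
    return "\n".join(f"line {f.lineno}: {f.severity}: {f.message}" for f in findings) or "no findings"


# Constructed sample fixlist (placeholder SID S-1-5-21-1-2-3-1001). Lines 2, 3, 4 and 6
# each carry one defect of the kind discussed above; lines 1 and 5 are correct.
SAMPLE_LINES = [
    r'Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622612261}" /f',
    r'Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION" /v ALOTWidgets.exe" /f',
    r'Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Classes\https\shell\open\command" /v " /f',
    r'Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f',
    r'Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{0303AE19-BCF3-42B1-A8DB-A300A8184C15}" /f',
    r'Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-1-2-3-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16985C8-3D0C-4A34-8939-8C89E46B4622}" /f',
]
SAMPLE_FIXLIST = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    print(format_report(lint_fixlist(SAMPLE_FIXLIST)))
```

Running it on a real fixlist.txt (`lint_fixlist(open("fixlist.txt").read())`) before pressing Fix catches exactly the three problems shown: the line that lost an opening quote, the line that lost its closing quote, and the whole-key delete where a `/v "{GUID}"` was intended. It does not judge whether a key should be removed at all; that decision still rests with the person reading the FRST log.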

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 21st, 2014, 2:03 pm

I am still not able to run any programs in the first account, even after running FRST in the second. Below is the fixlog from the second account.
Thank you very much.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-21 12:50:29 Run:2
Running from C:\Users\Daddy\Desktop
Loaded Profile: Daddy (Available profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [ospd_us_375] => "C:\Program Files (x86)\ospd_us_375\ospd_us_375.exe"
HKLM-x32\...\RunOnce: [upospd_us_375.exe] => C:\Users\Daddy\AppData\Local\ospd_us_375\upospd_us_375.exe [3306440 2014-11-06] ()
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - F:\LaunchU3.exe -a
GroupPolicyUsers\S-1-5-21-4229975068-1931466670-3666739151-1002\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKLM-x32 -> Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q= {searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> Backup.Old.DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q= {searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
BHO: No Name -> {72351B45-9636-4F99-820B-7C552D27897D}} -> No File
BHO-x32: No Name -> {72351B45-9636-4F99-820B-7C552D27897D}} -> No File
Toolbar: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> No Name - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
CHR HomePage: Default -> hxxp://Vosteran.com/?f=1&a=vst_cmi_14_4 ... 361997&ir=
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_cmi_14_47_ch&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAzz0B0A0DtB0E0AtG0ByByByDtGyE0FyByBtG0FtB0C0FtGtAyDyDyEtBtB0DtDtD0EtAzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0Azy0FyB0EyD0FtGyCzztAtAtGyEtDyDyEtGzztB0FtDtG0AyC0B0AtDzy0EtCyB0E0DyE2Q&cr=960361997&ir="
CHR Extension: (snipsmart) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaccgfkbmhkegoljkoefhpifoaehnhjp [2014-11-23]
CHR Extension: (BucksBee RewardsBar) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajcmjjdlglpcfblcnjilhodiondejlm [2014-01-26]
CHR HKLM-x32\...\Chrome\Extension: [lajcmjjdlglpcfblcnjilhodiondejlm] - C:\Users\Daddy\AppData\Roaming\Bucksbee Loyalty Plugin 100815.b for Chrome\Toolbar_production_100815_12.crx [2012-05-21]
S2 cozhost; C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe /ts2=1 [X]
S2 cozwhost; C:\PROGRA~3\zoomify2\110~1.27\cozwhost.exe -scm [X]
C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe
C:\PROGRA~3\zoomify2\110~1.27\cozwhost.exe
2014-12-18 23:33 - 2014-12-18 23:48 - 00000308 _____ () C:\windows\Tasks\Tempo Runner coz32host.job
2014-12-18 23:31 - 2014-12-18 23:48 - 00000306 _____ () C:\windows\Tasks\Tempo Runner cozahost.job
2014-11-24 20:17 - 2014-11-24 20:17 - 00000000 ____D () C:\Users\Mommy\AppData\Local\ospd_us_375
2014-11-23 18:39 - 2014-11-23 18:39 - 00628496 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsh3FDD.tmp
2014-11-23 18:01 - 2014-11-23 18:01 - 00613057 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsi226C.tmp
2014-11-23 17:41 - 2014-11-23 17:41 - 00613057 _____ (CMI Limited) C:\Users\Daddy\AppData\Local\nsa441E.tmp
2014-11-23 17:40 - 2014-12-21 08:56 - 00000000 ____D () C:\Users\Daddy\AppData\Local\ospd_us_375
Task: {9816FAC7-E576-4F38-9A87-5A611323D59D} - \Tempo Runner coz64host No Task File <==== ATTENTION
Task: C:\windows\Tasks\Tempo Runner coz32host.job => C:\ProgramData\zoomify2\1.1.0.27\coz32host.exe
Task: C:\windows\Tasks\Tempo Runner cozahost.job => C:\ProgramData\zoomify2\1.1.0.27\cozahost.exe
C:\Program Files (x86)\Savepass 3.0
C:\Program Files (x86)\WSE_Vosteran
C:\ProgramData\zoomify2
Hosts:
EmptyTemp:
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_SETCAPTURE_XDOMAIN" /v "ALOTWidgets.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION" /v ALOTWidgets.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Daddy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EUWTFVC2\alot-appbar-installer.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\46f233a4_0" /v "" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Daddy\AppData\Local\Temp\MybabylonTB.exe" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\DealCabby" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files (x86)\Probit Software\Easy Driver Pro\EasyDriverPro.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622612261}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{44444444-4444-4444-4444-440644614461}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}" /f
Reg: Reg.exe delete "HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c83a006-90c0-43da-832c-548bfd0297a4}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16985C8-3D0C-4A34-8939-8C89E46B4622}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{966d045c-60f6-4103-80a6-0b47f658a874}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4E5D7E7-37ED-4592-9BDE-E1AEB758C25E}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CF10CD7C-22C3-439C-9713-D3FD5C11469D}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E3B0F446-995B-47B3-B5B8-0E5FA6ABAD2}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f
"{C61E1BB8-C039-4913-90C2-1EDA84237B4A}"=
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION" /v "StormWatchApp.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications" /v "Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy" /v "AppPath" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\ShimInclusionList\vosteran.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Clients\StartMenuInternet" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.htm" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.shtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.xhtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\ftp\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\http\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\https\shell\open\command" /v " /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.htm" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.shtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.xhtml" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\ftp\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\http\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\https\shell\open\command" /v "" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32" /v "" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy" /v "AppPath" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cozhost" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cozhost" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{0303AE19-BCF3-42B1-A8DB-A300A8184C15}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{875112DC-5DB7-458D-962D-30C553B79C4D}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{E6BD37CC-7116-4B9E-A591-60D35140769E}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\zoomify" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify" /f
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ospd_us_375 => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\upospd_us_375.exe => value deleted successfully.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key deleted successfully.
"HKCR\CLSID\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key not found.
"HKCR\CLSID\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key not found.
C:\windows\system32\GroupPolicyUsers\S-1-5-21-4229975068-1931466670-3666739151-1002\User => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Value not found.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Value not found.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Value not found.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => Value not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key deleted successfully.
"HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\Backup.Old.DefaultScope => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value not found.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\Backup.Old.DefaultScope => Value not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key not found.
"HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72DE6055-3568-696D-18F3-25733E4372F6}" => Key not found.
"HKCR\CLSID\{72DE6055-3568-696D-18F3-25733E4372F6}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72DE6055-3568-696D-18F3-25733E4372F6}" => Key not found.
"HKCR\CLSID\{72DE6055-3568-696D-18F3-25733E4372F6}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}}" => Key deleted successfully.
"HKCR\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72351B45-9636-4F99-820B-7C552D27897D}}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}}" => Key not found.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0123B506-0AD9-43AA-B0CF-916C122AD4C5} => Value not found.
"HKCR\CLSID\{0123B506-0AD9-43AA-B0CF-916C122AD4C5}" => Key not found.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gaccgfkbmhkegoljkoefhpifoaehnhjp => Moved successfully.
C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lajcmjjdlglpcfblcnjilhodiondejlm => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lajcmjjdlglpcfblcnjilhodiondejlm" => Key deleted successfully.
C:\Users\Daddy\AppData\Roaming\Bucksbee Loyalty Plugin 100815.b for Chrome\Toolbar_production_100815_12.crx => Moved successfully.
cozhost => Service deleted successfully.
cozwhost => Service deleted successfully.
"C:\PROGRA~3\zoomify2\110~1.27\cozhost.exe" => File/Directory not found.
"C:\PROGRA~3\zoomify2\110~1.27\cozwhost.exe" => File/Directory not found.
C:\windows\Tasks\Tempo Runner coz32host.job => Moved successfully.
C:\windows\Tasks\Tempo Runner cozahost.job => Moved successfully.
C:\Users\Mommy\AppData\Local\ospd_us_375 => Moved successfully.
C:\Users\Daddy\AppData\Local\nsh3FDD.tmp => Moved successfully.
C:\Users\Daddy\AppData\Local\nsi226C.tmp => Moved successfully.
C:\Users\Daddy\AppData\Local\nsa441E.tmp => Moved successfully.
C:\Users\Daddy\AppData\Local\ospd_us_375 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9816FAC7-E576-4F38-9A87-5A611323D59D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9816FAC7-E576-4F38-9A87-5A611323D59D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Tempo Runner coz64host" => Key deleted successfully.
C:\windows\Tasks\Tempo Runner coz32host.job not found.
C:\windows\Tasks\Tempo Runner cozahost.job not found.
"C:\Program Files (x86)\Savepass 3.0" => File/Directory not found.
"C:\Program Files (x86)\WSE_Vosteran" => File/Directory not found.
"C:\ProgramData\zoomify2" => File/Directory not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.

========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_SETCAPTURE_XDOMAIN" /v "ALOTWidgets.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOMAIN_REDIRECT_MITIGATION" /v ALOTWidgets.exe" /f =========



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Daddy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EUWTFVC2\alot-appbar-installer.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\alotappbar" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\alotappbar" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\alotappbar" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\alotappbar" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\46f233a4_0" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Daddy\AppData\Local\Temp\MybabylonTB.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\BlockAndSurf" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\BlockAndSurf" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\BlockAndSurf" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\BlockAndSurf" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\DealCabby" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Program Files (x86)\Probit Software\Easy Driver Pro\EasyDriverPro.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220622612261}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{44444444-4444-4444-4444-440644614461}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{44444444-4444-4444-4444-440644614461}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Savepass 3.0" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0c83a006-90c0-43da-832c-548bfd0297a4}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16985C8-3D0C-4A34-8939-8C89E46B4622}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{966d045c-60f6-4103-80a6-0b47f658a874}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4E5D7E7-37ED-4592-9BDE-E1AEB758C25E}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CF10CD7C-22C3-439C-9713-D3FD5C11469D}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E3B0F446-995B-47B3-B5B8-0E5FA6ABAD2}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-18\Software\AppDataLow\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{68261aaa-dc9f-4c2b-a168-c323e304c3a2}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{4086DF47-C0E9-4EA0-A7E4-FDD954B182A1}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{0C8E7DE5-D3F4-4FF0-BE7D-2547FF22A3BB}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /f =========

The operation completed successfully.



========= End of Reg: =========

"{C61E1BB8-C039-4913-90C2-1EDA84237B4A}"= => Error: No automatic fix found for this entry.

========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION" /v "StormWatchApp.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications" /v "Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy" /v "AppPath" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\ShimInclusionList\vosteran.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\vosteran.exe" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\Vosteran.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Clients\StartMenuInternet" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v "Progid" /f =========

ERROR: Access is denied.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice" /v "Progid" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" /v "Progid" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.htm" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.shtml" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.xhtml" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\ftp\shell\open\command" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\http\shell\open\command" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\https\shell\open\command" /v " /f =========



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.htm" /v "" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.shtml" /v "" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.xhtml" /v "" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\ftp\shell\open\command" /v "" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\http\shell\open\command" /v "" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\https\shell\open\command" /v "" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\Wow6432Node\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\LocalServer32" /v "" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy" /v "AppPath" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{72351B45-9636-4F99-820B-7C552D27897D}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{99C1EDDE-1A80-48EA-BD58-CEA4B2DFAC81}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cozhost" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cozhost" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{0303AE19-BCF3-42B1-A8DB-A300A8184C15}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{875112DC-5DB7-458D-962D-30C553B79C4D}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules" /v "{E6BD37CC-7116-4B9E-A591-60D35140769E}" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\zoomify" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\zoomify" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\zoomify" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\zoomify" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

EmptyTemp: => Removed 19.5 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread post by Gary R » December 21st, 2014, 2:34 pm

Have you rebooted your computer yet? If you haven't, then please reboot it now, then see if you can launch any programs.

If you've already rebooted, then it seems like we're going to have to go through each account on the computer, one at a time, until we've scanned every account and removed any signs of infection that we find in each account.

Please let me know if you're having any problems in the 2nd account since you ran the last FRST fix.

If not, then please log into the next account we haven't looked at, and run a FRST scan, and a FRST search, as detailed in the earlier post ... viewtopic.php?p=639363#p639363

PS. I'm going to be out for the rest of this evening, so it will be tomorrow morning my time (GMT) before I get to look at your latest logs.
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Infected with IDP.Program.D1B0A5C0

Unread post by shalom123 » December 21st, 2014, 3:07 pm

I already have rebooted my computer. The first account still has the same problems. The second account seems to be working fine. Below are the logs requested.
Thank you very much.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-12-2014
Ran by Sara (ATTENTION: The logged in user is not administrator) on THEMOSTAWESOME on 21-12-2014 13:58:58
Running from C:\Users\Sara\Desktop
Loaded Profile: Sara (Available profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395656 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153992 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-12] (Logitech Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3653136 2014-11-09] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121225094235.dll No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121225094235.dll No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.adobe.com/pub/shockwa ... wflash.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\npmvtplugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: No Name - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2013-01-11]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK

Chrome:
=======
CHR StartMenuInternet: Google Chrome - C:\Users\Yael\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3488784 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 brmfrsmg; C:\Windows\system32\BrmfRsmg.exe [52736 2009-07-13] (Brother Industries, Ltd.)
S4 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-10-07] (McAfee, Inc.)
R2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [290832 2011-12-12] (Verizon) [File not signed]
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-15] () [File not signed]
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-11-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-11-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S4 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-10-07] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218320 2012-11-09] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [177680 2012-11-09] (McAfee, Inc.)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S4 0134851357934090mcinstcleanup; C:\Users\Daddy\AppData\Local\Temp\013485~1.EXE -cleanup -nolog [X]
S3 GoToAssist; "C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe" Start=service [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [263960 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R3 brfilt; C:\Windows\System32\Drivers\Brfilt.sys [6144 2009-06-10] (Brother Industries Ltd.)
R3 BrUsbScn; C:\Windows\System32\Drivers\BrUsbScn.sys [14336 2009-06-10] (Brother Industries Ltd.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [69672 2012-11-09] (McAfee, Inc.)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-29] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [178840 2012-11-09] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309400 2012-11-09] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515528 2012-11-09] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771096 2012-11-09] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [339776 2012-11-09] (McAfee, Inc.)
R0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
R0 WinI2C-DDC; C:\Windows\SysWOW64\drivers\DDCDrv.sys [15712 2010-03-22] (Nicomsoft Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-21 13:58 - 2014-12-21 13:59 - 00016204 _____ () C:\Users\Sara\Desktop\FRST.txt
2014-12-21 13:57 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Sara\Desktop\FRST64.exe
2014-12-21 13:54 - 2014-12-21 13:54 - 00000000 ____D () C:\Users\Sara\AppData\Local\Logitech® Webcam Software
2014-12-21 13:52 - 2014-12-21 13:52 - 00000000 ____D () C:\Users\Sara\AppData\Roaming\AVG2015
2014-12-21 13:52 - 2014-12-21 13:52 - 00000000 ____D () C:\Users\Sara\AppData\Local\Avg2015
2014-12-19 09:44 - 2014-12-21 13:58 - 00000000 ____D () C:\FRST
2014-12-19 09:35 - 2014-12-19 13:34 - 00000000 ____D () C:\AdwCleaner
2014-12-19 09:18 - 2014-12-19 09:18 - 00000207 _____ () C:\windows\tweaking.com-regbackup-THEMOSTAWESOME-Microsoft-Windows-7-Home-Premium-(64-bit).dat
2014-12-19 09:16 - 2014-12-19 09:16 - 00002239 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\RegBackup
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-12-19 09:13 - 2014-10-17 21:05 - 04121600 _____ (Microsoft Corporation) C:\windows\system32\mf.dll
2014-12-19 09:13 - 2014-10-17 20:33 - 03209728 _____ (Microsoft Corporation) C:\windows\SysWOW64\mf.dll
2014-12-18 23:30 - 2014-11-10 20:46 - 00119296 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tdx.sys
2014-12-18 23:29 - 2014-11-26 20:43 - 00389296 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-12-18 23:29 - 2014-11-26 20:10 - 00342200 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-12-18 23:29 - 2014-11-21 22:13 - 25059840 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-12-18 23:29 - 2014-11-21 22:06 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-12-18 23:29 - 2014-11-21 22:06 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-12-18 23:29 - 2014-11-21 21:50 - 00580096 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-12-18 23:29 - 2014-11-21 21:50 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-12-18 23:29 - 2014-11-21 21:49 - 02885120 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-12-18 23:29 - 2014-11-21 21:49 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-12-18 23:29 - 2014-11-21 21:48 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-12-18 23:29 - 2014-11-21 21:41 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-12-18 23:29 - 2014-11-21 21:40 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-12-18 23:29 - 2014-11-21 21:37 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-12-18 23:29 - 2014-11-21 21:35 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-12-18 23:29 - 2014-11-21 21:35 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-12-18 23:29 - 2014-11-21 21:34 - 06039552 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-12-18 23:29 - 2014-11-21 21:34 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-12-18 23:29 - 2014-11-21 21:26 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-12-18 23:29 - 2014-11-21 21:22 - 19749376 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-12-18 23:29 - 2014-11-21 21:22 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-12-18 23:29 - 2014-11-21 21:20 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-12-18 23:29 - 2014-11-21 21:14 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-12-18 23:29 - 2014-11-21 21:09 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-12-18 23:29 - 2014-11-21 21:08 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-12-18 23:29 - 2014-11-21 21:07 - 00501248 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-12-18 23:29 - 2014-11-21 21:07 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-12-18 23:29 - 2014-11-21 21:06 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-12-18 23:29 - 2014-11-21 21:05 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-12-18 23:29 - 2014-11-21 21:05 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-12-18 23:29 - 2014-11-21 21:01 - 02277888 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-12-18 23:29 - 2014-11-21 20:59 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-12-18 23:29 - 2014-11-21 20:58 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-12-18 23:29 - 2014-11-21 20:56 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-12-18 23:29 - 2014-11-21 20:55 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-12-18 23:29 - 2014-11-21 20:54 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-12-18 23:29 - 2014-11-21 20:49 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-12-18 23:29 - 2014-11-21 20:49 - 00718848 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-12-18 23:29 - 2014-11-21 20:47 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-12-18 23:29 - 2014-11-21 20:46 - 02125312 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-12-18 23:29 - 2014-11-21 20:45 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-12-18 23:29 - 2014-11-21 20:43 - 14412800 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-12-18 23:29 - 2014-11-21 20:40 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-18 23:29 - 2014-11-21 20:36 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-12-18 23:29 - 2014-11-21 20:35 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-12-18 23:29 - 2014-11-21 20:33 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-12-18 23:29 - 2014-11-21 20:29 - 04299264 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-12-18 23:29 - 2014-11-21 20:28 - 02358272 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-12-18 23:29 - 2014-11-21 20:23 - 00688640 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-12-18 23:29 - 2014-11-21 20:22 - 02052096 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-12-18 23:29 - 2014-11-21 20:21 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-12-18 23:29 - 2014-11-21 20:15 - 01548288 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-12-18 23:29 - 2014-11-21 20:13 - 12836864 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-12-18 23:29 - 2014-11-21 20:03 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-12-18 23:29 - 2014-11-21 20:00 - 01888256 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-12-18 23:29 - 2014-11-21 19:56 - 01307136 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-12-18 23:29 - 2014-11-21 19:54 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-12-18 23:29 - 2014-11-10 22:09 - 01424384 _____ (Microsoft Corporation) C:\windows\system32\WindowsCodecs.dll
2014-12-18 23:29 - 2014-11-10 21:44 - 01230336 _____ (Microsoft Corporation) C:\windows\SysWOW64\WindowsCodecs.dll
2014-12-18 23:28 - 2014-10-29 21:03 - 00165888 _____ (Microsoft Corporation) C:\windows\system32\charmap.exe
2014-12-18 23:28 - 2014-10-29 20:45 - 00155136 _____ (Microsoft Corporation) C:\windows\SysWOW64\charmap.exe
2014-12-18 23:21 - 2014-10-02 21:12 - 02020352 _____ (Microsoft Corporation) C:\windows\system32\WsmSvc.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00346624 _____ (Microsoft Corporation) C:\windows\system32\WSManMigrationPlugin.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00310272 _____ (Microsoft Corporation) C:\windows\system32\WsmWmiPl.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00181248 _____ (Microsoft Corporation) C:\windows\system32\WsmAuto.dll
2014-12-18 23:21 - 2014-10-02 21:11 - 00266240 _____ (Microsoft Corporation) C:\windows\system32\WSManHTTPConfig.exe
2014-12-18 23:21 - 2014-10-02 20:45 - 01177088 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmSvc.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00214016 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmWmiPl.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00145920 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmAuto.dll
2014-12-18 23:21 - 2014-10-02 20:44 - 00198656 _____ (Microsoft Corporation) C:\windows\SysWOW64\WSManHTTPConfig.exe
2014-12-18 23:20 - 2014-11-07 22:16 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2014-12-18 23:20 - 2014-11-07 21:45 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2014-12-18 23:07 - 2014-12-18 23:07 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\HpUpdate
2014-11-24 20:41 - 2014-11-24 20:41 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\AVG2015
2014-11-24 20:39 - 2014-11-24 20:39 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-11-24 20:39 - 2014-11-24 20:39 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\AVG2015
2014-11-24 20:39 - 2014-11-24 20:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-11-24 20:38 - 2014-12-19 09:04 - 00000000 ____D () C:\ProgramData\AVG2015
2014-11-24 20:38 - 2014-11-24 20:38 - 00000000 ___HD () C:\$AVG
2014-11-24 20:38 - 2014-11-24 20:38 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-11-24 20:36 - 2014-12-21 08:34 - 00000000 ____D () C:\ProgramData\MFAData
2014-11-24 17:26 - 2014-11-24 17:26 - 01944256 _____ () C:\windows\shost.bin
2014-11-24 07:33 - 2014-12-19 13:16 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-11-23 18:40 - 2014-11-23 18:40 - 00000047 _____ () C:\Users\Daddy\AppData\Roaming\WB.CFG
2014-11-23 17:27 - 2014-11-23 17:27 - 00001995 _____ () C:\Users\Public\Desktop\HP Photo Creations.lnk
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\HpUpdate
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\Visan
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\HP Photo Creations
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Program Files (x86)\HP Photo Creations
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Program Files (x86)\Hewlett-Packard
2014-11-23 17:26 - 2014-11-23 17:51 - 00000000 ____D () C:\Program Files (x86)\HP
2014-11-23 17:26 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2014-11-23 17:26 - 2014-11-23 17:26 - 00002212 _____ () C:\Users\Public\Desktop\HP Deskjet 2540 series.lnk
2014-11-23 17:26 - 2014-11-23 17:26 - 00001159 _____ () C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 2540 series.lnk
2014-11-23 17:26 - 2014-11-23 17:26 - 00000000 ____D () C:\ProgramData\HP
2014-11-23 17:26 - 2014-11-23 17:26 - 00000000 ____D () C:\Program Files\HP
2014-11-23 17:26 - 2014-03-06 12:51 - 00763912 ____N (Hewlett-Packard Co.) C:\windows\system32\HPDiscoPMC211.dll
2014-11-23 17:25 - 2014-11-23 17:25 - 00000057 _____ () C:\ProgramData\Ament.ini

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-21 13:56 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-21 13:56 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-21 13:52 - 2012-12-15 17:56 - 00091584 _____ () C:\Users\Sara\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-21 13:52 - 2011-12-21 19:15 - 01093904 _____ () C:\windows\WindowsUpdate.log
2014-12-21 13:51 - 2012-08-25 19:40 - 00000008 __RSH () C:\Users\Sara\ntuser.pol
2014-12-21 13:51 - 2012-08-25 19:40 - 00000000 ____D () C:\Users\Sara
2014-12-21 13:49 - 2014-01-23 04:28 - 00000923 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2014-12-21 13:49 - 2014-01-23 04:28 - 00000907 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-12-21 13:49 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-12-21 13:49 - 2009-07-13 23:51 - 00074065 _____ () C:\windows\setupact.log
2014-12-21 13:48 - 2012-07-20 16:53 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA.job
2014-12-21 13:41 - 2012-07-06 17:21 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA.job
2014-12-21 13:17 - 2012-08-19 20:06 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-12-21 13:15 - 2012-07-22 14:14 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA.job
2014-12-21 13:15 - 2012-07-22 14:14 - 00000856 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core.job
2014-12-21 13:07 - 2012-07-05 14:19 - 00000904 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA.job
2014-12-21 12:51 - 2012-08-20 21:43 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\Bucksbee Loyalty Plugin 100815.b for Chrome
2014-12-21 12:48 - 2012-07-14 20:40 - 00000008 __RSH () C:\Users\Daddy\ntuser.pol
2014-12-21 12:48 - 2012-04-29 18:44 - 00000000 ____D () C:\Users\Daddy
2014-12-21 09:24 - 2009-07-14 00:13 - 00006206 _____ () C:\windows\system32\PerfStringBackup.INI
2014-12-21 09:23 - 2012-07-11 18:57 - 00000008 __RSH () C:\Users\Mommy\ntuser.pol
2014-12-21 09:23 - 2012-04-30 09:58 - 00000000 ____D () C:\Users\Mommy
2014-12-21 09:21 - 2009-07-13 22:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2014-12-21 08:23 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\rescache
2014-12-21 07:49 - 2012-05-01 21:49 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-12-19 14:21 - 2014-10-07 11:58 - 00002515 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-12-19 14:21 - 2014-10-07 11:58 - 00000000 ____D () C:\ProgramData\Skype
2014-12-19 14:21 - 2014-10-07 11:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-12-19 13:37 - 2013-03-24 12:18 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\Spotify
2014-12-19 13:35 - 2010-11-20 22:47 - 00840900 _____ () C:\windows\PFRO.log
2014-12-19 13:25 - 2012-06-09 21:37 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2014-12-19 13:19 - 2012-09-15 19:11 - 00020786 _____ () C:\INSTALLHELPER.LOG
2014-12-19 10:04 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\PolicyDefinitions
2014-12-19 09:18 - 2012-04-29 21:37 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-19 09:06 - 2009-07-13 21:34 - 00000537 _____ () C:\windows\win.ini
2014-12-18 23:47 - 2013-08-14 02:02 - 00000000 ____D () C:\windows\system32\MRT
2014-12-18 23:30 - 2012-06-01 09:10 - 112710672 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-11-24 19:41 - 2012-07-06 17:21 - 00000860 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core.job
2014-11-24 19:07 - 2012-07-05 14:19 - 00000852 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core.job
2014-11-23 17:30 - 2011-12-21 19:47 - 00002398 _____ () C:\Users\Public\Desktop\Internet Browser.lnk
2014-11-23 17:30 - 2011-12-21 19:47 - 00000000 ____D () C:\Program Files (x86)\Google
2014-11-23 06:48 - 2012-07-20 16:53 - 00000856 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core.job

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD, see Addition.txt for additional information.

==================== End Of Log ============================
shalom123
Regular Member
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Post by shalom123 » December 21st, 2014, 3:07 pm

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-12-2014
Ran by Sara at 2014-12-21 13:59:42
Running from C:\Users\Sara\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version: - )
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.7) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5577 - AVG Technologies)
AVG 2015 (Version: 15.0.4223 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5577 - AVG Technologies) Hidden
AVS Audio Converter 7 (HKLM-x32\...\AVS Audio Converter_is1) (Version: - Online Media Technologies Ltd.)
AVS Update Manager 1.0 (HKLM-x32\...\AVS Update Manager_is1) (Version: - Online Media Technologies Ltd.)
AVS4YOU Software Navigator 1.4 (HKLM-x32\...\AVS4YOU Software Navigator_is1) (Version: - Online Media Technologies Ltd.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bucksbee Loyalty Plugin 100815.b for Chrome (HKLM-x32\...\Bucksbee Loyalty Plugin 100815.b for Chrome) (Version: - )
CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) Hidden
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.1.0.0 - Citrix Systems, Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
ffdshow v1.1.4369 [2012-03-03] (HKLM-x32\...\ffdshow_is1) (Version: 1.1.4369.0 - )
Google Talk Plugin (HKLM-x32\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
HP Deskjet 2540 series Basic Device Software (HKLM\...\{6A79CD11-0C1C-4E24-A8C6-46A02F680346}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
HP Deskjet 2540 series Help (HKLM-x32\...\{4539575D-C09D-4E71-B207-0F2D6BD74DA2}) (Version: 30.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticCoreDll (HKLM-x32\...\{9262B08F-E183-4FED-A2BD-23FF1A84EB79}) (Version: 1.0.15.0 - Hewlett Packard)
IHA_MessageCenter (HKLM-x32\...\{53C49C8D-DFB2-42B9-A7EF-0F9CA386CC13}) (Version: 1.8.17 - Verizon)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1118 - Intel Corporation)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2246 - Intel Corporation)
iTunes (HKLM\...\{76FF0F03-B707-4332-B5D1-A56C8303514E}) (Version: 11.0.4.4 - Apple Inc.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
K-Lite Codec Pack 7.0.0 (Standard) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 7.0.0 - )
Lenovo Blacksilk USB Keyboard Driver (HKLM-x32\...\{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.4.11.0608 - Lenovo)
Lenovo Driver and Application Installation (HKLM-x32\...\{45970CD1-D599-47D4-938F-3E9800D54ED1}) (Version: 5.10.1809 - Lenovo)
Lenovo Dynamic Brightness System (HKLM-x32\...\{D9ED6D06-6002-495E-A7BC-46E6AE386996}) (Version: 4.0.00.22080 - Lenovo)
Lenovo Eye Distance System (HKLM-x32\...\{5183D7AB-D09B-411F-A74E-BBAEA61C6505}) (Version: 4.0.00.21090 - Lenovo)
Lenovo Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.4827a - CyberLink Corp.)
Lenovo Power2Go (x32 Version: 6.0.4827a - CyberLink Corp.) Hidden
Lenovo Rescue System (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 3.0.1409 - CyberLink Corp.)
Lenovo Rescue System (Version: 3.0.1409 - CyberLink Corp.) Hidden
Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
LogMeIn (HKLM-x32\...\{2BFDA78F-39F7-4537-9995-71424CFA88BB}) (Version: 4.1.2138 - LogMeIn, Inc.)
LVT (HKLM-x32\...\{D3063097-EC84-4D21-84A4-9D852E974355}) (Version: 4.1.2.0919 - Lenovo)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyTomTom 3.1.0.530 (HKLM-x32\...\MyTomTom) (Version: 3.1.0.530 - TomTom)
OneSoftPerDay 025.375 (HKLM-x32\...\ospd_us_375_is1) (Version: - ONESOFTPERDAY)
Online Plug-in (x32 Version: 13.1.201.3 - Citrix Systems, Inc.) Hidden
Online Plug-in (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Open Freely (HKLM\...\{1BF14E04-85DE-480C-9A04-EB36744C66C3}_is1) (Version: 1.0 - Download Freely, LLC)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.2.0 - Frank Heindörfer, Philip Chinery)
Product Improvement Study for HP Deskjet 2540 series (HKLM\...\{DF34643B-A745-430C-B27B-A48F853C81E4}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6230 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30123 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 2.5.5 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.5 - VS Revo Group, Ltd.)
Self-service Plug-in (x32 Version: 3.2.0.24226 - Citrix Systems, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 6.21 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
The Weather Channel App (HKLM-x32\...\The Weather Channel App) (Version: - )
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.1 - Tweaking.com)
Uninstall Helper (HKLM-x32\...\Uninstall Helper 2.0.0.0) (Version: 2.0.0.0 - W3i, LLC)
Uninstall Helper (x32 Version: 2.0.0.0 - W3i, LLC) Hidden
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
Vz In Home Agent (HKLM-x32\...\{07FF08D2-C0CD-4B02-B9A6-E2E7E5762AA9}) (Version: 8.03.53 - Verizon)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Media Player Firefox Plugin (HKLM-x32\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Wondershare Music Converter(Build 1.3.4.0) (HKLM-x32\...\Wondershare Music Converter_is1) (Version: - Wondershare Software)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version: - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2014-12-21 12:51 - 00000035 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {00795989-470E-4684-8A9D-906937F4C470} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core No Task File <==== ATTENTION
Task: {1000D3AB-9434-44CF-8D6B-734A5DD37CAE} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA No Task File <==== ATTENTION
Task: {146528BB-FFA9-456E-8A09-36384BD798E8} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core No Task File <==== ATTENTION
Task: {2020BA66-8A14-4BCE-A037-E3FF2948531A} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA No Task File <==== ATTENTION
Task: {38DF6085-0128-4DED-B910-6A93E0C2E96F} - \Adobe Flash Player Updater No Task File <==== ATTENTION
Task: {3AB368A3-87A1-4CE2-8646-5E1F38BA9066} - \OfficeSoftwareProtectionPlatform\SvcRestartTask No Task File <==== ATTENTION
Task: {5A40E926-9E86-4B89-9CFD-B12311724371} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig
Task: {6368AB21-97F4-4BDC-AA96-602A90C7FF08} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {72DB7465-BC54-491B-A92A-4637A28C9BBF} - System32\Tasks\Microsoft\Windows\AppID\VerifiedPublisherCertStoreCheck
Task: {99CF03C7-333A-4179-A452-227579C02576} - \HPCustParticipation HP Deskjet 2540 series No Task File <==== ATTENTION
Task: {A48CABBF-24C8-4B87-B00F-9261807C3B43} - System32\Tasks\Microsoft\Windows\AppID\PolicyConverter
Task: {A8F6D489-9667-4836-B08F-4EAB88396ABA} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - System32\Tasks\Microsoft\Windows\Application Experience\AitAgent
Task: {AD7861D0-9A5A-474E-ABDB-F780D0583FDC} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core No Task File <==== ATTENTION
Task: {AF53B4F9-58BC-4942-90E8-668431AF62A0} - \WPD\SqmUpload_S-1-5-21-4229975068-1931466670-3666739151-1001 No Task File <==== ATTENTION
Task: {B2617A12-4249-4966-AD0A-BAD11FB25D56} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core No Task File <==== ATTENTION
Task: {BD60DC31-998E-4C8E-B3ED-D301DBB8FDC2} - \Opera scheduled Autoupdate 1412647504 No Task File <==== ATTENTION
Task: {C4F75A0F-8C90-4C8B-A765-C35E9F38D830} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\ValidationTask
Task: {CB3D64BF-C0C9-45FF-BFB0-FF1A8F680186} - System32\Tasks\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask
Task: {E3163C33-301D-4730-A266-5518C5ED3967} - System32\Tasks\Microsoft\Windows\Bluetooth\UninstallDeviceTask
Task: {FB1B7925-2108-442C-9449-7926650ECBA3} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA No Task File <==== ATTENTION
Task: {FDCA8E1E-79C4-42C0-9FF5-7911D11BE7E4} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA No Task File <==== ATTENTION
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core.job => ?
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA.job => ?

==================== Loaded Modules (whitelisted) =============

2012-09-12 23:38 - 2012-09-12 23:38 - 00264040 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-4229975068-1931466670-3666739151-500 - Administrator - Disabled)
Atara (S-1-5-21-4229975068-1931466670-3666739151-1005 - Limited - Enabled) => C:\Users\Atara
Daddy (S-1-5-21-4229975068-1931466670-3666739151-1001 - Administrator - Enabled) => C:\Users\Daddy
Guest (S-1-5-21-4229975068-1931466670-3666739151-501 - Limited - Disabled)
Michal (S-1-5-21-4229975068-1931466670-3666739151-1006 - Limited - Enabled) => C:\Users\Michal
Mommy (S-1-5-21-4229975068-1931466670-3666739151-1003 - Limited - Enabled) => C:\Users\Mommy
Sara (S-1-5-21-4229975068-1931466670-3666739151-1007 - Limited - Enabled) => C:\Users\Sara
Shalom (S-1-5-21-4229975068-1931466670-3666739151-1004 - Limited - Enabled) => C:\Users\Shalom
Yael (S-1-5-21-4229975068-1931466670-3666739151-1002 - Limited - Enabled) => C:\Users\Yael

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/21/2014 01:50:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:57:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:49:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/21/2014 07:50:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/20/2014 06:08:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/19/2014 02:23:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.


System errors:
=============
Error: (12/21/2014 00:47:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/21/2014 00:47:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/21/2014 09:23:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/21/2014 08:31:44 AM) (Source: Microsoft-Windows-Kernel-General) (EventID: 5) (User: NT AUTHORITY)
Description: 0x8000002a171\??\Volume{601787c5-2c31-11e1-b772-806e6f6e6963}\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{B312E00D-AB5A-4D05-9E0B-EB06A35F2F57}

Error: (12/21/2014 07:49:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/21/2014 07:49:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/20/2014 06:07:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/20/2014 06:07:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/19/2014 02:05:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/19/2014 02:05:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (12/21/2014 01:50:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:57:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:49:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (12/21/2014 07:50:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (12/20/2014 06:21:14 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (12/20/2014 06:08:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/19/2014 02:23:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000


CodeIntegrity Errors:
===================================
Date: 2013-06-30 13:42:13.733
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-30 13:42:13.729
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-30 13:42:13.726
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.896
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.894
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.892
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.023
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.020
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.018
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz
Percentage of memory in use: 26%
Total physical RAM: 5992.37 MB
Available physical RAM: 4414.49 MB
Total Pagefile: 11982.92 MB
Available Pagefile: 10352.37 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:906.34 GB) (Free:608.07 GB) NTFS
Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
Drive f: (FreeAgent GoFlex Drive) (Fixed) (Total:1397.26 GB) (Free:1330.2 GB) NTFS
Drive h: () (Removable) (Total:1.9 GB) (Free:0.93 GB) FAT

==================== MBR & Partition Table ==================

==================== End Of Log ============================
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 21st, 2014, 3:08 pm

Farbar Recovery Scan Tool (x64) Version: 17-12-2014
Ran by Sara at 2014-12-21 14:01:36
Running from C:\Users\Sara\Desktop
Boot Mode: Normal

================== Search Registry: "ALOT;AnyProtect;Babylon;BetterBrain;BlockAndSurf;ConvertAd;DealCabby;EasyDriver;RemoteDesktopAccess;RocketTab;Savepass;SearchProtect;snipsmart;StormWatch;Vosteran;WSE_Vosteran;Zoomify" ===========


===================== Search result for "ALOT" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar]


===================== Search result for "Babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\FF\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\Users\Sara\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_BabylonToolbarsr_41b7b4d549671c222de32cd9874d4346715478_cab_01623ee4"


===================== Search result for "BlockAndSurf" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf]


===================== Search result for "Savepass" ==========

[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0]

===================== Search result for "snipsmart" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"snipsmart.BOAS.exe"="8888"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING]
"snipsmart.BOAS.exe"="1"


===================== Search result for "Vosteran" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""


===================== Search result for "Zoomify" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify]

====== End Of Search ======
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » December 22nd, 2014, 5:14 am

Not quite so much to do with this one. :)

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad. (Don't include Code: Select all)
Code: Select all
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
Task: {00795989-470E-4684-8A9D-906937F4C470} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core No Task File <==== ATTENTION
Task: {1000D3AB-9434-44CF-8D6B-734A5DD37CAE} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA No Task File <==== ATTENTION
Task: {146528BB-FFA9-456E-8A09-36384BD798E8} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core No Task File <==== ATTENTION
Task: {2020BA66-8A14-4BCE-A037-E3FF2948531A} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA No Task File <==== ATTENTION
Task: {38DF6085-0128-4DED-B910-6A93E0C2E96F} - \Adobe Flash Player Updater No Task File <==== ATTENTION
Task: {3AB368A3-87A1-4CE2-8646-5E1F38BA9066} - \OfficeSoftwareProtectionPlatform\SvcRestartTask No Task File <==== ATTENTION
Task: {99CF03C7-333A-4179-A452-227579C02576} - \HPCustParticipation HP Deskjet 2540 series No Task File <==== ATTENTION
Task: {AD7861D0-9A5A-474E-ABDB-F780D0583FDC} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core No Task File <==== ATTENTION
Task: {AF53B4F9-58BC-4942-90E8-668431AF62A0} - \WPD\SqmUpload_S-1-5-21-4229975068-1931466670-3666739151-1001 No Task File <==== ATTENTION
Task: {B2617A12-4249-4966-AD0A-BAD11FB25D56} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core No Task File <==== ATTENTION
Task: {BD60DC31-998E-4C8E-B3ED-D301DBB8FDC2} - \Opera scheduled Autoupdate 1412647504 No Task File <==== ATTENTION
Task: {FB1B7925-2108-442C-9449-7926650ECBA3} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA No Task File <==== ATTENTION
Task: {FDCA8E1E-79C4-42C0-9FF5-7911D11BE7E4} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA No Task File <==== ATTENTION
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\FF\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug" /v "StoreLocation" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify" /f
Hosts:
EmptyTemp:

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Right-click on FRST and select Run as Administrator. You will be prompted to type in an Administrator password; use the password for either the Mommy or Daddy account. When FRST opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Check to make sure the computer is running OK in this account afterwards, let me know of any problems.

Next ....

Run a scan and search with FRST on the next account, like you did on this one, and post me the logs from that please.

Summary of the logs I need from you in your next post:
  • Fixlog.txt (from this account)
  • FRST.txt (from next account)
  • Addition.txt (from next account)
  • Search.txt (from next account)


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 21863
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
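The "Task: {GUID} - \Name No Task File <==== ATTENTION" lines in the fix above are FRST's way of flagging scheduled-task registrations that survive in the registry after their task file has gone: the Task Scheduler keeps one subkey per task under TaskCache\Tree (holding an Id GUID) plus a Tasks\{Id} key and a trigger-bucket key (Plain, Logon, ...), and the task body itself is an XML file under %SystemRoot%\System32\Tasks with the same path. The fixlog later in this thread shows FRST deleting exactly those three keys for each flagged task. The script below, an added example that is not part of the thread and is not FRST's code, reproduces that check in PowerShell so you can see which registrations are orphaned before anything is deleted. Function and parameter names are this example's own choices; run it from an elevated prompt.

```powershell
# Added example (not from the forum thread, not FRST code): list scheduled
# tasks whose TaskCache registration points at a task file that no longer
# exists, the condition FRST reports as "No Task File <==== ATTENTION".
# Read-only by default; -Remove deletes the same three keys the fixlog shows
# FRST removing (trigger bucket, Tasks\{Id}, Tree\<path>).
param([switch]$Remove)

$cacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$treeRoot  = Join-Path $cacheRoot 'Tree'
$tasksDir  = Join-Path $env:SystemRoot 'System32\Tasks'
# Trigger buckets: Plain and Logon appear in the fixlog; Boot and Maintenance
# are the other two the scheduler uses.
$buckets   = 'Plain', 'Logon', 'Boot', 'Maintenance'

function Get-OrphanedTask {
    Get-ChildItem -Path $treeRoot -Recurse | ForEach-Object {
        # Folder nodes (e.g. \Microsoft\Windows) carry no Id value; skip them.
        $id = (Get-ItemProperty -LiteralPath $_.PSPath -Name Id -ErrorAction SilentlyContinue).Id
        if (-not $id) { return }
        # Key name is HKEY_LOCAL_MACHINE\...\Tree\<task path>; keep the task path,
        # which mirrors the on-disk path under System32\Tasks.
        $taskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
        $taskFile = Join-Path $tasksDir $taskPath
        if (-not (Test-Path -LiteralPath $taskFile)) {
            [pscustomobject]@{
                TaskPath = "\$taskPath"
                Id       = $id
                TreeKey  = $_.PSPath
                Missing  = $taskFile
            }
        }
    }
}

function Remove-OrphanedTask {
    param([Parameter(ValueFromPipeline)] $Orphan)
    process {
        foreach ($b in $buckets) {
            $k = Join-Path $cacheRoot "$b\$($Orphan.Id)"
            if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
        }
        $k = Join-Path $cacheRoot "Tasks\$($Orphan.Id)"
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
        Remove-Item -LiteralPath $Orphan.TreeKey -Recurse -Force
        Write-Output "removed $($Orphan.TaskPath) ($($Orphan.Id))"
    }
}

$orphans = @(Get-OrphanedTask)
$orphans | Format-Table TaskPath, Id, Missing -AutoSize
if ($Remove) { $orphans | Remove-OrphanedTask }
```

An orphaned registration is not by itself a sign of infection; the ones in this thread belong to Google Update, Flash Player, Office and an HP printer, and reinstalling or updating those products recreates them. The registry cleanup is needed because the Task Scheduler refuses to open or delete a task whose XML is missing, so schtasks /Delete cannot do it.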

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 22nd, 2014, 10:43 pm

Thank you

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-22 19:30:04 Run:3
Running from C:\Users\Sara\Desktop
Loaded Profiles: Daddy & Sara (Available profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1007 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
Task: {00795989-470E-4684-8A9D-906937F4C470} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core No Task File <==== ATTENTION
Task: {1000D3AB-9434-44CF-8D6B-734A5DD37CAE} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA No Task File <==== ATTENTION
Task: {146528BB-FFA9-456E-8A09-36384BD798E8} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core No Task File <==== ATTENTION
Task: {2020BA66-8A14-4BCE-A037-E3FF2948531A} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA No Task File <==== ATTENTION
Task: {38DF6085-0128-4DED-B910-6A93E0C2E96F} - \Adobe Flash Player Updater No Task File <==== ATTENTION
Task: {3AB368A3-87A1-4CE2-8646-5E1F38BA9066} - \OfficeSoftwareProtectionPlatform\SvcRestartTask No Task File <==== ATTENTION
Task: {99CF03C7-333A-4179-A452-227579C02576} - \HPCustParticipation HP Deskjet 2540 series No Task File <==== ATTENTION
Task: {AD7861D0-9A5A-474E-ABDB-F780D0583FDC} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core No Task File <==== ATTENTION
Task: {AF53B4F9-58BC-4942-90E8-668431AF62A0} - \WPD\SqmUpload_S-1-5-21-4229975068-1931466670-3666739151-1001 No Task File <==== ATTENTION
Task: {B2617A12-4249-4966-AD0A-BAD11FB25D56} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core No Task File <==== ATTENTION
Task: {BD60DC31-998E-4C8E-B3ED-D301DBB8FDC2} - \Opera scheduled Autoupdate 1412647504 No Task File <==== ATTENTION
Task: {FB1B7925-2108-442C-9449-7926650ECBA3} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA No Task File <==== ATTENTION
Task: {FDCA8E1E-79C4-42C0-9FF5-7911D11BE7E4} - \GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA No Task File <==== ATTENTION
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\FF\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug" /v "StoreLocation" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf" /f
Reg: Reg.exe delete "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING" /v "snipsmart.BOAS.exe" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify" /f
Hosts:
EmptyTemp:
*****************

"HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key deleted successfully.
"HKCR\CLSID\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1007\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{72DE6055-3568-696D-18F3-25733E4372F6}" => Key deleted successfully.
"HKCR\CLSID\{72DE6055-3568-696D-18F3-25733E4372F6}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{00795989-470E-4684-8A9D-906937F4C470}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00795989-470E-4684-8A9D-906937F4C470}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1000D3AB-9434-44CF-8D6B-734A5DD37CAE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1000D3AB-9434-44CF-8D6B-734A5DD37CAE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{146528BB-FFA9-456E-8A09-36384BD798E8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{146528BB-FFA9-456E-8A09-36384BD798E8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2020BA66-8A14-4BCE-A037-E3FF2948531A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2020BA66-8A14-4BCE-A037-E3FF2948531A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{38DF6085-0128-4DED-B910-6A93E0C2E96F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{38DF6085-0128-4DED-B910-6A93E0C2E96F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Adobe Flash Player Updater" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3AB368A3-87A1-4CE2-8646-5E1F38BA9066}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3AB368A3-87A1-4CE2-8646-5E1F38BA9066}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OfficeSoftwareProtectionPlatform\SvcRestartTask" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{99CF03C7-333A-4179-A452-227579C02576}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{99CF03C7-333A-4179-A452-227579C02576}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\HPCustParticipation HP Deskjet 2540 series" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD7861D0-9A5A-474E-ABDB-F780D0583FDC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD7861D0-9A5A-474E-ABDB-F780D0583FDC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AF53B4F9-58BC-4942-90E8-668431AF62A0}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AF53B4F9-58BC-4942-90E8-668431AF62A0}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-4229975068-1931466670-3666739151-1001" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B2617A12-4249-4966-AD0A-BAD11FB25D56}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B2617A12-4249-4966-AD0A-BAD11FB25D56}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BD60DC31-998E-4C8E-B3ED-D301DBB8FDC2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BD60DC31-998E-4C8E-B3ED-D301DBB8FDC2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Opera scheduled Autoupdate 1412647504" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FB1B7925-2108-442C-9449-7926650ECBA3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FB1B7925-2108-442C-9449-7926650ECBA3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FDCA8E1E-79C4-42C0-9FF5-7911D11BE7E4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDCA8E1E-79C4-42C0-9FF5-7911D11BE7E4}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA" => Key deleted successfully.

========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\alotappbar" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\FF\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\FF" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\BabylonToolbar" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\Microsoft\Windows\Windows Error Reporting\Debug" /v "StoreLocation" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\Savepass 3.0" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgids" /v "VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\zoomify" /f =========

The operation completed successfully.



========= End of Reg: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 2.3 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm
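
As an added example, not part of shalom123's post and not FRST's own code: a short Python parser that walks a Fixlog like the one above, pairs each "Reg.exe delete" block with the reg.exe message printed under it, and labels the outcome so the entries that still need attention can be picked out of a long log. The sample text inside the block is an excerpt of the Fixlog posted above (three of its entries, with the extra blank lines trimmed); the block-delimiter rules are inferred from that output, and the status vocabulary (ok / absent / denied / error / unknown) is the example's own, based on reg.exe's standard messages.

```python
"""Parse an FRST Fixlog and label the outcome of each Reg.exe action.

Added example: not part of the original post and not FRST's own code.
Delimiter rules are inferred from the posted Fixlog; status labels are
this example's own vocabulary.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A command header is a line of '=' signs on both sides of the command FRST
# ran; "End of Reg:" (and "End of Fixlog") close the open block.
_HEADER = re.compile(r"^=+\s*(?P<cmd>.+?)\s*=+$")
_KEY = re.compile(r'"(HKEY_[^"]+)"')
_VALUE = re.compile(r'/v\s+"([^"]+)"')


@dataclass
class RegAction:
    command: str
    key: Optional[str]
    value: Optional[str]          # value name when "/v" was given, else None
    status: str = "unknown"
    output: List[str] = field(default_factory=list)


def classify(output_lines: List[str]) -> str:
    """Map reg.exe's printed result to a status label."""
    text = " ".join(output_lines)
    if "completed successfully" in text:
        return "ok"
    if "unable to find the specified registry key or value" in text:
        return "absent"   # target was already gone; nothing left to remove
    if "Access is denied" in text:
        return "denied"   # target still present; reg.exe was blocked by its ACL
    if "ERROR" in text:
        return "error"
    return "unknown"


def parse_fixlog(text: str) -> List[RegAction]:
    actions: List[RegAction] = []
    current: Optional[RegAction] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            cmd = m.group("cmd").strip("= ")
            if not cmd:
                continue
            if current is not None:           # close whatever block was open
                current.status = classify(current.output)
                actions.append(current)
                current = None
            if not cmd.startswith("End of"):  # a new Reg.exe block starts here
                key = _KEY.search(cmd)
                val = _VALUE.search(cmd)
                current = RegAction(cmd,
                                    key.group(1) if key else None,
                                    val.group(1) if val else None)
            continue
        if current is not None and line:
            current.output.append(line)
    return actions


def unresolved(actions: List[RegAction]) -> List[RegAction]:
    """Actions whose target may still be on the machine."""
    return [a for a in actions if a.status in ("denied", "error", "unknown")]


# Excerpt of the Fixlog posted above (three of its entries, blank lines trimmed).
SAMPLE_FIXLOG = r"""
========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1007\Software\AppDataLow\Software\BlockAndSurf" /f =========

The operation completed successfully.

========= End of Reg: =========

========= Reg.exe delete "HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Savepass 3.0" /f =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========

========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION" /v "snipsmart.BOAS.exe" /f =========

The operation completed successfully.

========= End of Reg: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 2.3 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====
"""

if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    for a in parsed:
        print(f"{a.status:8} {a.key}" + (f"  /v {a.value}" if a.value else ""))
    print("unresolved:", len(unresolved(parsed)))
```

Reading the result: "absent" (the one entry above that reg.exe could not find) means the target was already gone, which is not a failed cleanup. "denied" is the outcome worth acting on, because it means the key is still present and reg.exe was stopped by the key's permissions; "error" and "unknown" are anything else and should be read by hand.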

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 22nd, 2014, 10:44 pm

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-12-2014
Ran by Daddy (administrator) on THEMOSTAWESOME on 22-12-2014 21:12:15
Running from C:\Users\Atara\Desktop
Loaded Profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal (Available profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Brother Industries, Ltd.) C:\Windows\System32\BrmfRsmg.exe
(Brother Industries, Ltd.) C:\Windows\System32\BrmfRsmg.exe
(Verizon) C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
() C:\Windows\jmesoft\Service.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2011-09-16] (LogMeIn, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395656 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153992 2013-10-01] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-12] (Logitech Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3653136 2014-11-09] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\615\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\Run: [Google Update] => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-22] (Google Inc.)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [Google Update] => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-05] (Google Inc.)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [Spotify Web Helper] => C:\Users\Yael\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1171000 2014-06-20] (Spotify Ltd)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Run: [Spotify] => C:\Users\Yael\AppData\Roaming\Spotify\spotify.exe [6087224 2014-06-20] (Spotify Ltd)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - F:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\Run: [Google Update] => C:\Users\Mommy\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-20] (Google Inc.)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\Run: [Spotify Web Helper] => C:\Users\Mommy\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-10-04] (Spotify Ltd)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\Run: [Spotify] => C:\Users\Mommy\AppData\Roaming\Spotify\spotify.exe [6553144 2014-10-04] (Spotify Ltd)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\Run: [Driver Support] => C:\Program Files (x86)\Driver Support\Driver Support\DriverSupport.exe /applicationMode:systemTray /showWelcome:false
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\MountPoints2: F - F:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - E:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - F:\LaunchU3.exe -a
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Run: [Google Update] => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-06] (Google Inc.)
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Startup: C:\Users\Yael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-4229975068-1931466670-3666739151-1001] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-4229975068-1931466670-3666739151-1001] => http=127.0.0.1:62855;https=127.0.0.1:62855
HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.com/ig/redirectdomain ... &bmod=LEND
http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.lenovo.com
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain ... &bmod=LEND
HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain ... &bmod=LEND
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
URLSearchHook: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - No File
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> Backup.Old.DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64}
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1005 -> {72DE6055-3568-696D-18F3-25733E4372F6} URL =
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7LEND
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20121225094235.dll No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20121225094235.dll No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-4229975068-1931466670-3666739151-1006 -> No Name - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.adobe.com/pub/shockwa ... wflash.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\npmvtplugin.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1003: @talk.google.com/GoogleTalkPlugin -> C:\Users\Mommy\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1003: @talk.google.com/O1DPlugin -> C:\Users\Mommy\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1003: @tools.google.com/Google Update;version=3 -> C:\Users\Mommy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1003: @tools.google.com/Google Update;version=9 -> C:\Users\Mommy\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1006: @tools.google.com/Google Update;version=3 -> C:\Users\Michal\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-4229975068-1931466670-3666739151-1006: @tools.google.com/Google Update;version=9 -> C:\Users\Michal\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: No Name - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2013-01-11]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_cmi_14_47_ch&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAzz0B0A0DtB0E0AtG0ByByByDtGyE0FyByBtG0FtB0C0FtGtAyDyDyEtBtB0DtDtD0EtAzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0Azy0FyB0EyD0FtGyCzztAtAtGyEtDyDyEtGzztB0FtDtG0AyC0B0AtDzy0EtCyB0E0DyE2Q&cr=960361997&ir="
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.5.671\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Daddy\AppData\Local\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Daddy\AppData\Local\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Daddy\AppData\Local\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Citrix ICA Client) - C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Google Update) - C:\Users\Daddy\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
CHR Profile: C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-11]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (YouTube) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-06-14]
CHR Extension: (Google Search) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-14]
CHR Extension: (Google Wallet) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR Extension: (Gmail) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-06-14]
CHR StartMenuInternet: Google Chrome - C:\Users\Yael\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3488784 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-11-09] (AVG Technologies CZ, s.r.o.)
R2 brmfrsmg; C:\Windows\system32\BrmfRsmg.exe [52736 2009-07-13] (Brother Industries, Ltd.)
S4 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-10-07] (McAfee, Inc.)
R2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [290832 2011-12-12] (Verizon) [File not signed]
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-15] () [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-11-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-11-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2011-09-16] (LogMeIn, Inc.)
S4 McProxy; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [220856 2012-10-07] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218320 2012-11-09] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [177680 2012-11-09] (McAfee, Inc.)
S4 0134851357934090mcinstcleanup; C:\Users\Daddy\AppData\Local\Temp\013485~1.EXE -cleanup -nolog [X]
S3 GoToAssist; "C:\Program Files (x86)\Citrix\GoToAssist\615\g2aservice.exe" Start=service [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [263960 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R3 brfilt; C:\Windows\System32\Drivers\Brfilt.sys [6144 2009-06-10] (Brother Industries Ltd.)
R3 BrUsbScn; C:\Windows\System32\Drivers\BrUsbScn.sys [14336 2009-06-10] (Brother Industries Ltd.)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [69672 2012-11-09] (McAfee, Inc.)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-29] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [178840 2012-11-09] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309400 2012-11-09] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [515528 2012-11-09] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [771096 2012-11-09] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [339776 2012-11-09] (McAfee, Inc.)
R0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
R0 WinI2C-DDC; C:\Windows\SysWOW64\drivers\DDCDrv.sys [15712 2010-03-22] (Nicomsoft Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-22 21:12 - 2014-12-22 21:12 - 00031451 _____ () C:\Users\Atara\Desktop\FRST.txt
2014-12-22 21:11 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Atara\Desktop\FRST64.exe
2014-12-22 21:09 - 2014-12-22 21:09 - 00000000 ____D () C:\Users\Atara\AppData\Roaming\AVG2015
2014-12-22 21:09 - 2014-12-22 21:09 - 00000000 ____D () C:\Users\Atara\AppData\Local\Avg2015
2014-12-21 14:01 - 2014-12-21 14:01 - 00003361 _____ () C:\Users\Sara\Desktop\Search.txt
2014-12-21 14:01 - 2014-12-21 14:01 - 00000000 ____D () C:\Users\Sara\AppData\Local\Microsoft Games
2014-12-21 13:59 - 2014-12-21 13:59 - 00028589 _____ () C:\Users\Sara\Desktop\Addition.txt
2014-12-21 13:58 - 2014-12-21 13:59 - 00034033 _____ () C:\Users\Sara\Desktop\FRST.txt
2014-12-21 13:57 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Sara\Desktop\FRST64.exe
2014-12-21 13:54 - 2014-12-21 13:54 - 00000000 ____D () C:\Users\Sara\AppData\Local\Logitech® Webcam Software
2014-12-21 13:52 - 2014-12-21 13:52 - 00000000 ____D () C:\Users\Sara\AppData\Roaming\AVG2015
2014-12-21 13:52 - 2014-12-21 13:52 - 00000000 ____D () C:\Users\Sara\AppData\Local\Avg2015
2014-12-21 12:49 - 2014-12-21 12:49 - 00000000 ____D () C:\Users\Daddy\Desktop\New folder
2014-12-21 09:29 - 2014-12-21 09:29 - 00027979 _____ () C:\Users\Daddy\Desktop\Search.txt
2014-12-21 09:24 - 2014-12-21 09:25 - 00034752 _____ () C:\Users\Daddy\Desktop\Addition.txt
2014-12-21 09:23 - 2014-12-21 09:25 - 00055826 _____ () C:\Users\Daddy\Desktop\FRST.txt
2014-12-21 09:21 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Daddy\Desktop\FRST64.exe
2014-12-19 09:52 - 2014-12-19 09:52 - 00015719 _____ () C:\Users\Mommy\Desktop\Search.txt
2014-12-19 09:46 - 2014-12-19 09:46 - 00046661 _____ () C:\Users\Mommy\Desktop\Addition.txt
2014-12-19 09:44 - 2014-12-22 21:12 - 00000000 ____D () C:\FRST
2014-12-19 09:44 - 2014-12-19 09:46 - 00060762 _____ () C:\Users\Mommy\Desktop\FRST.txt
2014-12-19 09:35 - 2014-12-19 13:34 - 00000000 ____D () C:\AdwCleaner
2014-12-19 09:35 - 2014-12-19 09:34 - 00000111 _____ () C:\Users\Mommy\Desktop\virus.txt
2014-12-19 09:35 - 2014-12-19 09:30 - 02166272 _____ () C:\Users\Mommy\Desktop\adwcleaner_4.105.exe
2014-12-19 09:35 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Mommy\Desktop\FRST64.exe
2014-12-19 09:18 - 2014-12-19 09:18 - 00000207 _____ () C:\windows\tweaking.com-regbackup-THEMOSTAWESOME-Microsoft-Windows-7-Home-Premium-(64-bit).dat
2014-12-19 09:16 - 2014-12-19 09:16 - 00002239 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\RegBackup
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-12-19 09:16 - 2014-12-19 09:16 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com
2014-12-19 09:14 - 2014-12-19 09:14 - 04215584 _____ () C:\Users\Mommy\Desktop\tweaking.com_registry_backup_setup.exe
2014-12-19 09:13 - 2014-10-17 21:05 - 04121600 _____ (Microsoft Corporation) C:\windows\system32\mf.dll
2014-12-19 09:13 - 2014-10-17 20:33 - 03209728 _____ (Microsoft Corporation) C:\windows\SysWOW64\mf.dll
2014-12-18 23:30 - 2014-11-10 20:46 - 00119296 _____ (Microsoft Corporation) C:\windows\system32\Drivers\tdx.sys
2014-12-18 23:29 - 2014-11-26 20:43 - 00389296 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-12-18 23:29 - 2014-11-26 20:10 - 00342200 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-12-18 23:29 - 2014-11-21 22:13 - 25059840 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-12-18 23:29 - 2014-11-21 22:06 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-12-18 23:29 - 2014-11-21 22:06 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-12-18 23:29 - 2014-11-21 21:50 - 00580096 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-12-18 23:29 - 2014-11-21 21:50 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-12-18 23:29 - 2014-11-21 21:49 - 02885120 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-12-18 23:29 - 2014-11-21 21:49 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-12-18 23:29 - 2014-11-21 21:48 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-12-18 23:29 - 2014-11-21 21:41 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-12-18 23:29 - 2014-11-21 21:40 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-12-18 23:29 - 2014-11-21 21:37 - 00633856 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-12-18 23:29 - 2014-11-21 21:35 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-12-18 23:29 - 2014-11-21 21:35 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-12-18 23:29 - 2014-11-21 21:34 - 06039552 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-12-18 23:29 - 2014-11-21 21:34 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-12-18 23:29 - 2014-11-21 21:26 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-12-18 23:29 - 2014-11-21 21:22 - 19749376 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-12-18 23:29 - 2014-11-21 21:22 - 00490496 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-12-18 23:29 - 2014-11-21 21:20 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-12-18 23:29 - 2014-11-21 21:14 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-12-18 23:29 - 2014-11-21 21:09 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-12-18 23:29 - 2014-11-21 21:08 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-12-18 23:29 - 2014-11-21 21:07 - 00501248 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-12-18 23:29 - 2014-11-21 21:07 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-12-18 23:29 - 2014-11-21 21:06 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-12-18 23:29 - 2014-11-21 21:05 - 00316928 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-12-18 23:29 - 2014-11-21 21:05 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-12-18 23:29 - 2014-11-21 21:01 - 02277888 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-12-18 23:29 - 2014-11-21 20:59 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-12-18 23:29 - 2014-11-21 20:58 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-12-18 23:29 - 2014-11-21 20:56 - 00478208 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-12-18 23:29 - 2014-11-21 20:55 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-12-18 23:29 - 2014-11-21 20:54 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-12-18 23:29 - 2014-11-21 20:49 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-12-18 23:29 - 2014-11-21 20:49 - 00718848 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-12-18 23:29 - 2014-11-21 20:47 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-12-18 23:29 - 2014-11-21 20:46 - 02125312 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-12-18 23:29 - 2014-11-21 20:45 - 00418304 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-12-18 23:29 - 2014-11-21 20:43 - 14412800 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-12-18 23:29 - 2014-11-21 20:40 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-18 23:29 - 2014-11-21 20:36 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-12-18 23:29 - 2014-11-21 20:35 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-12-18 23:29 - 2014-11-21 20:33 - 00285696 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-12-18 23:29 - 2014-11-21 20:29 - 04299264 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-12-18 23:29 - 2014-11-21 20:28 - 02358272 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-12-18 23:29 - 2014-11-21 20:23 - 00688640 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-12-18 23:29 - 2014-11-21 20:22 - 02052096 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-12-18 23:29 - 2014-11-21 20:21 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-12-18 23:29 - 2014-11-21 20:15 - 01548288 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-12-18 23:29 - 2014-11-21 20:13 - 12836864 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-12-18 23:29 - 2014-11-21 20:03 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-12-18 23:29 - 2014-11-21 20:00 - 01888256 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-12-18 23:29 - 2014-11-21 19:56 - 01307136 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-12-18 23:29 - 2014-11-21 19:54 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-12-18 23:29 - 2014-11-10 22:09 - 01424384 _____ (Microsoft Corporation) C:\windows\system32\WindowsCodecs.dll
2014-12-18 23:29 - 2014-11-10 21:44 - 01230336 _____ (Microsoft Corporation) C:\windows\SysWOW64\WindowsCodecs.dll
2014-12-18 23:28 - 2014-10-29 21:03 - 00165888 _____ (Microsoft Corporation) C:\windows\system32\charmap.exe
2014-12-18 23:28 - 2014-10-29 20:45 - 00155136 _____ (Microsoft Corporation) C:\windows\SysWOW64\charmap.exe
2014-12-18 23:21 - 2014-10-02 21:12 - 02020352 _____ (Microsoft Corporation) C:\windows\system32\WsmSvc.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00346624 _____ (Microsoft Corporation) C:\windows\system32\WSManMigrationPlugin.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00310272 _____ (Microsoft Corporation) C:\windows\system32\WsmWmiPl.dll
2014-12-18 23:21 - 2014-10-02 21:12 - 00181248 _____ (Microsoft Corporation) C:\windows\system32\WsmAuto.dll
2014-12-18 23:21 - 2014-10-02 21:11 - 00266240 _____ (Microsoft Corporation) C:\windows\system32\WSManHTTPConfig.exe
2014-12-18 23:21 - 2014-10-02 20:45 - 01177088 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmSvc.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00248832 _____ (Microsoft Corporation) C:\windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00214016 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmWmiPl.dll
2014-12-18 23:21 - 2014-10-02 20:45 - 00145920 _____ (Microsoft Corporation) C:\windows\SysWOW64\WsmAuto.dll
2014-12-18 23:21 - 2014-10-02 20:44 - 00198656 _____ (Microsoft Corporation) C:\windows\SysWOW64\WSManHTTPConfig.exe
2014-12-18 23:20 - 2014-11-07 22:16 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2014-12-18 23:20 - 2014-11-07 21:45 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2014-12-18 23:14 - 2014-12-18 23:14 - 00026445 _____ () C:\Users\Daddy\Desktop\dds.txt
2014-12-18 23:14 - 2014-12-18 23:14 - 00009128 _____ () C:\Users\Daddy\Desktop\attach.txt
2014-12-18 23:07 - 2014-12-18 23:07 - 00688992 ____R (Swearware) C:\Users\Mommy\Downloads\dds.scr
2014-12-18 23:07 - 2014-12-18 23:07 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\HpUpdate
2014-11-24 20:41 - 2014-11-24 20:42 - 00000000 ____D () C:\Users\Mommy\AppData\Local\Avg2015
2014-11-24 20:41 - 2014-11-24 20:41 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\AVG2015
2014-11-24 20:39 - 2014-11-24 20:39 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-11-24 20:39 - 2014-11-24 20:39 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\AVG2015
2014-11-24 20:39 - 2014-11-24 20:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-11-24 20:38 - 2014-12-19 09:04 - 00000000 ____D () C:\ProgramData\AVG2015
2014-11-24 20:38 - 2014-11-24 20:38 - 00000000 ___HD () C:\$AVG
2014-11-24 20:38 - 2014-11-24 20:38 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-11-24 20:36 - 2014-12-22 21:02 - 00000000 ____D () C:\ProgramData\MFAData
2014-11-24 20:36 - 2014-11-24 20:39 - 00000000 ____D () C:\Users\Daddy\AppData\Local\Avg2015
2014-11-24 20:36 - 2014-11-24 20:36 - 04637504 _____ (AVG Technologies) C:\Users\Mommy\Downloads\avg_free_stb_all_2015_5557_cnet.exe
2014-11-24 20:36 - 2014-11-24 20:36 - 00000000 ____D () C:\Users\Daddy\AppData\Local\MFAData
2014-11-24 17:26 - 2014-11-24 17:26 - 01944256 _____ () C:\windows\shost.bin
2014-11-24 07:33 - 2014-12-19 13:16 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-11-23 18:54 - 2014-11-23 18:54 - 00000000 __SHD () C:\Users\Mommy\AppData\Local\EmieBrowserModeList
2014-11-23 18:53 - 2014-11-23 18:53 - 00000000 ____D () C:\Users\Mommy\AppData\Local\HP
2014-11-23 18:40 - 2014-11-23 18:40 - 00000047 _____ () C:\Users\Daddy\AppData\Roaming\WB.CFG
2014-11-23 18:08 - 2014-11-23 18:09 - 00000000 ____D () C:\Users\Mommy\AppData\Local\{8F85811F-A8AD-4ABD-82A8-29D28DC27661}
2014-11-23 18:00 - 2014-11-23 18:00 - 00000000 ____D () C:\Users\Daddy\AppData\Local\WorldofTanks
2014-11-23 17:59 - 2014-11-23 17:59 - 00000000 ____D () C:\Users\Daddy\AppData\Local\StormFall
2014-11-23 17:52 - 2014-11-23 17:53 - 106859936 _____ () C:\Users\Daddy\Downloads\DJ2540_188 (1).exe
2014-11-23 17:35 - 2014-11-23 17:35 - 106859936 _____ () C:\Users\Daddy\Downloads\Unconfirmed 828580.crdownload
2014-11-23 17:33 - 2014-11-23 17:33 - 00834488 _____ (SlimWare Utilities, Inc.) C:\Users\Daddy\Downloads\DriverUpdate-setup.exe
2014-11-23 17:27 - 2014-11-23 17:27 - 00003626 _____ () C:\windows\System32\Tasks\HPCustParticipation HP Deskjet 2540 series
2014-11-23 17:27 - 2014-11-23 17:27 - 00001995 _____ () C:\Users\Public\Desktop\HP Photo Creations.lnk
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\HpUpdate
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\Visan
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\HP Photo Creations
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Program Files (x86)\HP Photo Creations
2014-11-23 17:27 - 2014-11-23 17:27 - 00000000 ____D () C:\Program Files (x86)\Hewlett-Packard
2014-11-23 17:26 - 2014-11-23 17:51 - 00000000 ____D () C:\Program Files (x86)\HP
2014-11-23 17:26 - 2014-11-23 17:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2014-11-23 17:26 - 2014-11-23 17:26 - 00002212 _____ () C:\Users\Public\Desktop\HP Deskjet 2540 series.lnk
2014-11-23 17:26 - 2014-11-23 17:26 - 00001159 _____ () C:\Users\Public\Desktop\Shop for Supplies - HP Deskjet 2540 series.lnk
2014-11-23 17:26 - 2014-11-23 17:26 - 00000000 ____D () C:\ProgramData\HP
2014-11-23 17:26 - 2014-11-23 17:26 - 00000000 ____D () C:\Program Files\HP
2014-11-23 17:26 - 2014-03-06 12:51 - 00763912 ____N (Hewlett-Packard Co.) C:\windows\system32\HPDiscoPMC211.dll
2014-11-23 17:25 - 2014-11-23 17:25 - 00000057 _____ () C:\ProgramData\Ament.ini
2014-11-23 17:23 - 2014-11-23 17:24 - 106859936 _____ () C:\Users\Daddy\Downloads\DJ2540_188.exe
2014-11-23 17:22 - 2014-11-23 17:27 - 00000000 ____D () C:\Users\Daddy\AppData\Local\HP
2014-11-23 12:41 - 2014-11-23 12:41 - 00584504 _____ () C:\Users\Daddy\Downloads\Installation.exe
2014-11-23 09:01 - 2014-11-23 09:01 - 00012678 _____ () C:\Users\Daddy\Downloads\contemp- cash flow.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-22 21:09 - 2014-05-27 14:12 - 00091584 _____ () C:\Users\Atara\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-22 21:09 - 2012-07-22 09:21 - 00000008 __RSH () C:\Users\Atara\ntuser.pol
2014-12-22 21:09 - 2012-05-03 09:01 - 00000000 ____D () C:\Users\Atara
2014-12-22 21:05 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-22 21:05 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-22 21:01 - 2011-12-21 19:15 - 01113087 _____ () C:\windows\WindowsUpdate.log
2014-12-22 20:57 - 2014-01-23 04:28 - 00000923 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2014-12-22 20:57 - 2014-01-23 04:28 - 00000907 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-12-22 20:57 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-12-22 20:57 - 2009-07-13 23:51 - 00075085 _____ () C:\windows\setupact.log
2014-12-22 19:29 - 2009-07-14 00:13 - 00006206 _____ () C:\windows\system32\PerfStringBackup.INI
2014-12-22 19:26 - 2012-05-01 21:49 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-12-21 13:52 - 2012-12-15 17:56 - 00091584 _____ () C:\Users\Sara\AppData\Local\GDIPFONTCACHEV1.DAT
2014-12-21 13:51 - 2012-08-25 19:40 - 00000008 __RSH () C:\Users\Sara\ntuser.pol
2014-12-21 13:51 - 2012-08-25 19:40 - 00000000 ____D () C:\Users\Sara
2014-12-21 13:48 - 2012-07-20 16:53 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA.job
2014-12-21 13:41 - 2012-07-06 17:21 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA.job
2014-12-21 13:17 - 2012-08-19 20:06 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2014-12-21 13:15 - 2012-07-22 14:14 - 00000908 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA.job
2014-12-21 13:15 - 2012-07-22 14:14 - 00000856 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core.job
2014-12-21 13:07 - 2012-07-05 14:19 - 00000904 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA.job
2014-12-21 12:51 - 2012-08-20 21:43 - 00000000 ____D () C:\Users\Daddy\AppData\Roaming\Bucksbee Loyalty Plugin 100815.b for Chrome
2014-12-21 12:48 - 2012-07-14 20:40 - 00000008 __RSH () C:\Users\Daddy\ntuser.pol
2014-12-21 12:48 - 2012-04-29 18:44 - 00000000 ____D () C:\Users\Daddy
2014-12-21 09:23 - 2012-07-11 18:57 - 00000008 __RSH () C:\Users\Mommy\ntuser.pol
2014-12-21 09:23 - 2012-04-30 09:58 - 00000000 ____D () C:\Users\Mommy
2014-12-21 09:21 - 2009-07-13 22:20 - 00000000 ___HD () C:\windows\system32\GroupPolicy
2014-12-21 08:23 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\rescache
2014-12-19 14:21 - 2014-10-07 11:58 - 00002515 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-12-19 14:21 - 2014-10-07 11:58 - 00000000 ____D () C:\ProgramData\Skype
2014-12-19 14:21 - 2014-10-07 11:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-12-19 13:37 - 2013-03-24 12:18 - 00000000 ____D () C:\Users\Mommy\AppData\Roaming\Spotify
2014-12-19 13:35 - 2010-11-20 22:47 - 00840900 _____ () C:\windows\PFRO.log
2014-12-19 13:25 - 2012-06-09 21:37 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2014-12-19 13:19 - 2012-09-15 19:11 - 00020786 _____ () C:\INSTALLHELPER.LOG
2014-12-19 10:04 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\PolicyDefinitions
2014-12-19 09:22 - 2013-06-20 07:02 - 00002374 _____ () C:\Users\Mommy\Desktop\Google Chrome.lnk
2014-12-19 09:18 - 2012-04-29 21:37 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-19 09:06 - 2009-07-13 21:34 - 00000537 _____ () C:\windows\win.ini
2014-12-18 23:47 - 2013-08-14 02:02 - 00000000 ____D () C:\windows\system32\MRT
2014-12-18 23:30 - 2012-06-01 09:10 - 112710672 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-11-24 20:42 - 2014-07-17 22:05 - 00000177 _____ () C:\Users\Mommy\Desktop\avgrep.txt
2014-11-24 19:41 - 2012-07-06 17:21 - 00000860 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core.job
2014-11-24 19:07 - 2012-07-05 14:19 - 00000852 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core.job
2014-11-23 20:33 - 2013-03-24 12:18 - 00000000 ____D () C:\Users\Mommy\AppData\Local\Spotify
2014-11-23 17:35 - 2012-05-20 07:21 - 00000000 ____D () C:\Users\Daddy\AppData\Local\Adobe
2014-11-23 17:30 - 2011-12-21 19:47 - 00002398 _____ () C:\Users\Public\Desktop\Internet Browser.lnk
2014-11-23 17:30 - 2011-12-21 19:47 - 00000000 ____D () C:\Program Files (x86)\Google
2014-11-23 06:48 - 2012-07-20 16:53 - 00000856 _____ () C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core.job

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-12-21 08:16

==================== End Of Log ============================
shalom123
Regular Member
Posts: 43
Joined: December 18th, 2014, 9:26 pm
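
The FRST sections above list each recently created or modified item as `created - modified - size attrs (publisher) path`. The Python helper below is an added example, not part of shalom123's post and not FRST's own code: it parses those lines and emits review prompts for a human to check, based on structure alone (executable with an empty publisher field, unattributed file under C:\windows, executable sitting in a Downloads or Temp folder, hidden/system attribute flags). The sample lines are copied verbatim from the log above; the extension list, directory patterns and the flag wording are my own assumptions, and the prompts are not verdicts (the same rules also flag benign entries such as the Tweaking.com registry-backup file in C:\windows).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of FRST's "One Month Created/Modified Files and Folders" sections:
#   <created> - <modified> - <8-digit size> <5-char attrs> (<publisher>) <path>
# The publisher is captured non-greedily and the path is anchored to a drive
# letter so a ")" inside a file name (e.g. "DJ2540_188 (1).exe") does not confuse it.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<publisher>.*?)\) (?P<path>[A-Za-z]:\\.*)$"
)

# Assumed heuristics (not FRST's): extensions treated as executable code,
# system directory prefix, and user-writable drop locations.
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}
SYSTEM_DIRS = ("c:\\windows\\",)
DROP_DIRS = ("\\downloads\\", "\\temp\\")


@dataclass
class FrstEntry:
    created: str
    modified: str
    size: int
    attrs: str
    publisher: str
    path: str

    @property
    def is_dir(self) -> bool:
        # FRST marks directories with a "D" in the attribute column.
        return "D" in self.attrs

    @property
    def ext(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


def parse_line(line: str) -> Optional[FrstEntry]:
    """Parse one FRST file/folder line; return None for headers and other text."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return FrstEntry(m["created"], m["modified"], int(m["size"]),
                     m["attrs"], m["publisher"], m["path"])


def triage(entry: FrstEntry) -> List[str]:
    """Return review prompts for one entry. Heuristics for a human, not verdicts."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    p = entry.path.lower()
    if entry.ext in EXEC_EXT and not entry.publisher:
        reasons.append("executable with empty publisher field")
    if p.startswith(SYSTEM_DIRS) and not entry.publisher and entry.size > 0:
        reasons.append("unattributed file inside the Windows directory")
    if entry.ext in EXEC_EXT and any(d in p for d in DROP_DIRS):
        reasons.append("executable in a download/temp location")
    if any(flag in entry.attrs for flag in "HS"):
        reasons.append(f"hidden/system attributes ({entry.attrs})")
    return reasons


def triage_log(lines) -> List[Tuple[str, List[str]]]:
    """Parse every line, skip non-entries, and return (path, reasons) for flagged files."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


# Sample input copied from the FRST log above (plus one section header to show it is skipped).
SAMPLE_LINES = [
    r"2014-12-21 09:21 - 2014-12-19 09:30 - 02121216 _____ (Farbar) C:\Users\Daddy\Desktop\FRST64.exe",
    r"2014-12-21 12:49 - 2014-12-21 12:49 - 00000000 ____D () C:\Users\Daddy\Desktop\New folder",
    r"2014-12-18 23:07 - 2014-12-18 23:07 - 00688992 ____R (Swearware) C:\Users\Mommy\Downloads\dds.scr",
    r"2014-11-24 17:26 - 2014-11-24 17:26 - 01944256 _____ () C:\windows\shost.bin",
    r"2014-11-24 07:33 - 2014-12-19 13:16 - 00000008 __RSH () C:\ProgramData\ntuser.pol",
    r"2014-11-23 12:41 - 2014-11-23 12:41 - 00584504 _____ () C:\Users\Daddy\Downloads\Installation.exe",
    r"2014-12-19 09:13 - 2014-10-17 21:05 - 04121600 _____ (Microsoft Corporation) C:\windows\system32\mf.dll",
    "==================== One Month Modified Files and Folders =======",
]

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LINES):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against a saved FRST.txt by reading the file and passing its lines to `triage_log`. Each prompt still needs a human decision: a real check of any flagged binary means inspecting its Authenticode signature and hash, the way FRST's own "Bamital & volsnap Check" does for the core Windows binaries.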

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 22nd, 2014, 10:45 pm

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-22 21:13:10
Running from C:\Users\Atara\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version: - )
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.7) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5577 - AVG Technologies)
AVG 2015 (Version: 15.0.4223 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5577 - AVG Technologies) Hidden
AVS Audio Converter 7 (HKLM-x32\...\AVS Audio Converter_is1) (Version: - Online Media Technologies Ltd.)
AVS Update Manager 1.0 (HKLM-x32\...\AVS Update Manager_is1) (Version: - Online Media Technologies Ltd.)
AVS4YOU Software Navigator 1.4 (HKLM-x32\...\AVS4YOU Software Navigator_is1) (Version: - Online Media Technologies Ltd.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bucksbee Loyalty Plugin 100815.b for Chrome (HKLM-x32\...\Bucksbee Loyalty Plugin 100815.b for Chrome) (Version: - )
CameraHelperMsi (x32 Version: 13.51.815.0 - Logitech) Hidden
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.1.0.0 - Citrix Systems, Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
ffdshow v1.1.4369 [2012-03-03] (HKLM-x32\...\ffdshow_is1) (Version: 1.1.4369.0 - )
Google Chrome (HKU\S-1-5-21-4229975068-1931466670-3666739151-1001\...\Google Chrome) (Version: 39.0.2171.65 - Google Inc.)
Google Chrome (HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Google Chrome) (Version: 34.0.1847.131 - Google Inc.)
Google Chrome (HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Chrome (HKU\S-1-5-21-4229975068-1931466670-3666739151-1006\...\Google Chrome) (Version: 37.0.2062.120 - Google Inc.)
Google Talk Plugin (HKLM-x32\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
HP Deskjet 2540 series Basic Device Software (HKLM\...\{6A79CD11-0C1C-4E24-A8C6-46A02F680346}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
HP Deskjet 2540 series Help (HKLM-x32\...\{4539575D-C09D-4E71-B207-0F2D6BD74DA2}) (Version: 30.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticCoreDll (HKLM-x32\...\{9262B08F-E183-4FED-A2BD-23FF1A84EB79}) (Version: 1.0.15.0 - Hewlett Packard)
IHA_MessageCenter (HKLM-x32\...\{53C49C8D-DFB2-42B9-A7EF-0F9CA386CC13}) (Version: 1.8.17 - Verizon)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1118 - Intel Corporation)
Intel(R) Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2246 - Intel Corporation)
iTunes (HKLM\...\{76FF0F03-B707-4332-B5D1-A56C8303514E}) (Version: 11.0.4.4 - Apple Inc.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
K-Lite Codec Pack 7.0.0 (Standard) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 7.0.0 - )
Lenovo Blacksilk USB Keyboard Driver (HKLM-x32\...\{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.4.11.0608 - Lenovo)
Lenovo Driver and Application Installation (HKLM-x32\...\{45970CD1-D599-47D4-938F-3E9800D54ED1}) (Version: 5.10.1809 - Lenovo)
Lenovo Dynamic Brightness System (HKLM-x32\...\{D9ED6D06-6002-495E-A7BC-46E6AE386996}) (Version: 4.0.00.22080 - Lenovo)
Lenovo Eye Distance System (HKLM-x32\...\{5183D7AB-D09B-411F-A74E-BBAEA61C6505}) (Version: 4.0.00.21090 - Lenovo)
Lenovo Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.4827a - CyberLink Corp.)
Lenovo Power2Go (x32 Version: 6.0.4827a - CyberLink Corp.) Hidden
Lenovo Rescue System (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 3.0.1409 - CyberLink Corp.)
Lenovo Rescue System (Version: 3.0.1409 - CyberLink Corp.) Hidden
Logitech Webcam Software (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
LogMeIn (HKLM-x32\...\{2BFDA78F-39F7-4537-9995-71424CFA88BB}) (Version: 4.1.2138 - LogMeIn, Inc.)
LVT (HKLM-x32\...\{D3063097-EC84-4D21-84A4-9D852E974355}) (Version: 4.1.2.0919 - Lenovo)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyTomTom 3.1.0.530 (HKLM-x32\...\MyTomTom) (Version: 3.1.0.530 - TomTom)
OneSoftPerDay 025.375 (HKLM-x32\...\ospd_us_375_is1) (Version: - ONESOFTPERDAY)
Online Plug-in (x32 Version: 13.1.201.3 - Citrix Systems, Inc.) Hidden
Online Plug-in (x32 Version: 14.1.0.0 - Citrix Systems, Inc.) Hidden
Open Freely (HKLM\...\{1BF14E04-85DE-480C-9A04-EB36744C66C3}_is1) (Version: 1.0 - Download Freely, LLC)
Opera Stable 24.0.1558.64 (HKU\S-1-5-21-4229975068-1931466670-3666739151-1004\...\Opera 24.0.1558.64) (Version: 24.0.1558.64 - Opera Software ASA)
PDFCreator (HKLM-x32\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.2.0 - Frank Heindörfer, Philip Chinery)
Product Improvement Study for HP Deskjet 2540 series (HKLM\...\{DF34643B-A745-430C-B27B-A48F853C81E4}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6230 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30123 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 2.5.5 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.5 - VS Revo Group, Ltd.)
Self-service Plug-in (x32 Version: 3.2.0.24226 - Citrix Systems, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype Click to Call (HKLM-x32\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 6.21 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Spotify) (Version: 0.9.8.296.g91f68827 - Spotify AB)
Spotify (HKU\S-1-5-21-4229975068-1931466670-3666739151-1003\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
The Weather Channel App (HKLM-x32\...\The Weather Channel App) (Version: - )
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.1 - Tweaking.com)
Uninstall Helper (HKLM-x32\...\Uninstall Helper 2.0.0.0) (Version: 2.0.0.0 - W3i, LLC)
Uninstall Helper (x32 Version: 2.0.0.0 - W3i, LLC) Hidden
Version Checker for Funmoods (HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\Funmoods) (Version: - ) <==== ATTENTION
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
Vz In Home Agent (HKLM-x32\...\{07FF08D2-C0CD-4B02-B9A6-E2E7E5762AA9}) (Version: 8.03.53 - Verizon)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Media Player Firefox Plugin (HKLM-x32\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Wondershare Music Converter(Build 1.3.4.0) (HKLM-x32\...\Wondershare Music Converter_is1) (Version: - Wondershare Software)
Yahoo! Software Update (HKLM-x32\...\Yahoo! Software Update) (Version: - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File

==================== Restore Points =========================

19-11-2014 03:00:12 Windows Update
20-11-2014 03:00:11 Windows Update
21-11-2014 03:00:13 Windows Update
21-11-2014 15:35:11 Windows Update
23-11-2014 03:00:16 Windows Update
23-11-2014 17:48:56 Installed HPDiagnosticCoreDll
23-11-2014 20:50:22 Windows Update
24-11-2014 21:07:22 Windows Update
28-11-2014 10:27:25 Windows Update
18-12-2014 23:21:48 Windows Update
19-12-2014 09:07:25 Windows Update
19-12-2014 10:02:38 Windows Update
19-12-2014 13:21:42 Removed BabylonObjectInstaller

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2014-12-22 19:30 - 00000035 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {6368AB21-97F4-4BDC-AA96-602A90C7FF08} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001Core.job => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1001UA.job => C:\Users\Daddy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002Core.job => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1002UA.job => C:\Users\Yael\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003Core.job => C:\Users\Mommy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1003UA.job => C:\Users\Mommy\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006Core.job => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229975068-1931466670-3666739151-1006UA.job => C:\Users\Michal\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2012-08-20 21:44 - 2005-03-11 23:07 - 00087040 _____ () C:\windows\System32\pdfcmnnt.dll
2011-12-21 19:18 - 2011-03-15 23:47 - 00032768 _____ () C:\Windows\jmesoft\Service.exe
2012-09-12 23:38 - 2012-09-12 23:38 - 00264040 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
2012-05-30 19:06 - 2012-05-30 19:06 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2012-05-30 19:06 - 2012-05-30 19:06 - 01242512 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 02144104 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtCore4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 07955304 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtGui4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 00341352 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\QtXml4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 00028008 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QGif4.dll
2012-09-12 23:38 - 2012-09-12 23:38 - 00127336 _____ () C:\Program Files (x86)\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll
2012-09-12 23:39 - 2012-09-12 23:39 - 00336232 _____ () C:\Program Files (x86)\Common Files\logishrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-4229975068-1931466670-3666739151-500 - Administrator - Disabled)
Atara (S-1-5-21-4229975068-1931466670-3666739151-1005 - Limited - Enabled) => C:\Users\Atara
Daddy (S-1-5-21-4229975068-1931466670-3666739151-1001 - Administrator - Enabled) => C:\Users\Daddy
Guest (S-1-5-21-4229975068-1931466670-3666739151-501 - Limited - Disabled)
Michal (S-1-5-21-4229975068-1931466670-3666739151-1006 - Limited - Enabled) => C:\Users\Michal
Mommy (S-1-5-21-4229975068-1931466670-3666739151-1003 - Limited - Enabled) => C:\Users\Mommy
Sara (S-1-5-21-4229975068-1931466670-3666739151-1007 - Limited - Enabled) => C:\Users\Sara
Shalom (S-1-5-21-4229975068-1931466670-3666739151-1004 - Limited - Enabled) => C:\Users\Shalom
Yael (S-1-5-21-4229975068-1931466670-3666739151-1002 - Limited - Enabled) => C:\Users\Yael

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/22/2014 08:59:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/22/2014 07:38:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/22/2014 07:29:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (12/22/2014 07:29:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (12/22/2014 07:28:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 05:38:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 01:50:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:57:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:49:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.


System errors:
=============
Error: (12/21/2014 00:47:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/21/2014 00:47:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/21/2014 09:23:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (12/21/2014 08:31:44 AM) (Source: Microsoft-Windows-Kernel-General) (EventID: 5) (User: NT AUTHORITY)
Description: 0x8000002a171\??\Volume{601787c5-2c31-11e1-b772-806e6f6e6963}\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{B312E00D-AB5A-4D05-9E0B-EB06A35F2F57}

Error: (12/21/2014 07:49:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/21/2014 07:49:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/20/2014 06:07:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/20/2014 06:07:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2

Error: (12/19/2014 02:05:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozwhost service failed to start due to the following error:
%%2

Error: (12/19/2014 02:05:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozhost service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (12/22/2014 08:59:19 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/22/2014 07:38:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/22/2014 07:29:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (12/22/2014 07:29:55 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (12/22/2014 07:28:18 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 05:38:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 01:50:47 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:57:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 00:49:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/21/2014 09:24:50 AM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000


CodeIntegrity Errors:
===================================
Date: 2013-06-30 13:42:13.733
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-30 13:42:13.729
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-30 13:42:13.726
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.896
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.894
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2013-06-18 00:35:21.892
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.023
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.020
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

Date: 2012-12-31 20:48:51.018
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-2320 CPU @ 3.00GHz
Percentage of memory in use: 26%
Total physical RAM: 5992.37 MB
Available physical RAM: 4406.48 MB
Total Pagefile: 11982.92 MB
Available Pagefile: 10328.75 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:906.34 GB) (Free:608.07 GB) NTFS
Drive e: () (Removable) (Total:1.92 GB) (Free:0.26 GB) FAT
Drive f: (FreeAgent GoFlex Drive) (Fixed) (Total:1397.26 GB) (Free:1330.2 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 4079EF22)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=906.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=25.1 GB) - (Type=12)

========================================================
Disk: 1 (Size: 1397.3 GB) (Disk ID: E6A01404)
Partition 1: (Not Active) - (Size=1397.3 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 1.9 GB) (Disk ID: 221E5780)
Partition 1: (Active) - (Size=1.9 GB) - (Type=06)

==================== End Of Log ============================
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 22nd, 2014, 10:45 pm

Farbar Recovery Scan Tool (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-22 21:28:44
Running from C:\Users\Atara\Desktop
Boot Mode: Normal

================== Search Registry: "ALOT;AnyProtect;Babylon;BetterBrain;BlockAndSurf;ConvertAd;DealCabby;EasyDriver;RemoteDesktopAccess;RocketTab;Savepass;SearchProtect;snipsmart;StormWatch;Vosteran;WSE_Vosteran;Zoomify" ===========


===================== Search result for "ALOT" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"ALOTWidgets.exe"="9999"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION]
"ALOTWidgets.exe"="0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\alotappbar]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\alotappbar]


===================== Search result for "Babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\"=""


===================== Search result for "BlockAndSurf" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\BlockAndSurf]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\BlockAndSurf]


===================== Search result for "DealCabby" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\DealCabby]


===================== Search result for "EasyDriver" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\Users\Mommy\Downloads\EasyDriverPro.exe"="1"


===================== Search result for "Savepass" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E540A74-25E-4C6A-91C5-AEFB8C9E7258}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E197BA28-6497-4D92-8BC-7BA8888B5B5}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\AppDataLow\Software\Savepass 3.0\Background]
"__onDocumentStart_script_store__"="

(function (){try {window.__blackListUrls__ =
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\AppDataLow\Software\Savepass 3.0\Manifest]
"Name"="Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16985C8-3D0C-4A34-8939-8C89E46B4622}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{291C2B3E-BC10-47B9-82F7-476F237FD90}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AEC82FB-F75E-4086-B041-7F34AAD0E3F6}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4772716C-A71E-48BB-859C-873545C762F0}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{645608CD-FC18-474E-924F-68573FD6DCB3}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6E0133CF-F549-4DC4-B7CE-947660F01EBA}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7C87B9BB-842C-4424-8096-B832D41FD6CC}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E540A74-25E-4C6A-91C5-AEFB8C9E7258}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4E5D7E7-37ED-4592-9BDE-E1AEB758C25E}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C19BF089-7D4D-420C-B470-C482F42960BD}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D3A14A00-B866-4D44-9D68-28F0F527B2E6}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0E45F32-C550-41DC-A81B-B0915D64E8E3}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=
[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\Savepass 3.0]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\Savepass 3.0\Plugins\91]
"JavaScript"="
(function(K){var y=

===================== Search result for "snipsmart" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING]
"snipsmart.BOAS.exe"="1"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\AppDataLow\Software\snipsmart]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\snipsmart]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\1382c0bf_0]
""="{0.0.0.00000000}.{ac8da424-b853-4e50-b219-96acac38218b}|\Device\HarddiskVolume2\Program Files (x86)\snipsmart\bin\snipsmart.BOAS.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\apisnipsmartinfo-a.akamaihd.net]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\snipsmart]


===================== Search result for "Vosteran" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids]
"VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"=""

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Direct3D\MostRecentApplication]
"Name"="vosteran.exe"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\.xht]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Classes\http\DefaultIcon]
""="C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe,0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\.html]
""="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\ftp\DefaultIcon]
""="C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe,0"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001_Classes\https\DefaultIcon]
""="C:\Users\Daddy\AppData\Local\Vosteran\Application\vosteran.exe,0"


===================== Search result for "Zoomify" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1002\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1003\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1004\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1005\Software\AppDataLow\Software\zoomify]

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1006\Software\AppDataLow\Software\zoomify]
====== End Of Search ======
shalom123
Regular Member
 