I need help removing TrojanClicker and maybe other related malware

starmusic

New Member
Thread author
Nov 9, 2014
12
I need help removing TrojanClicker and maybe other related malware
 

Attachments

  • AdwCleaner[R5].txt
    1.2 KB · Views: 57
  • FRST.txt
    47 KB · Views: 92
  • Addition.txt
    30.7 KB · Views: 116

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Hello,

Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"

Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.
 

starmusic

New Member
Thread author
Nov 9, 2014
12
MBAR insists that MalwareBytes itself be fully unloaded, but that is my current AV background program, and TaskManager Processes won't let me end its tasks.
How do I get "The MB app fully unloaded" so MBAR will run?
Thanks!
 

starmusic

New Member
Thread author
Nov 9, 2014
12
Here are the logs.
There is currently one instance of dllhost.exe running; I don't yet know if it is legitimate or if the malware will start up again.
Usually MB's runtime protection will start saying something like "disallowed malicious website" every 15 seconds.
Thanks!
 

Attachments

  • Addition.txt
    33.7 KB · Views: 43
  • FRST.txt
    46.8 KB · Views: 91
  • system-log.txt
    37.3 KB · Views: 46
  • mbar-log-2014-11-10 (15-41-43).txt
    2.7 KB · Views: 51

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    1.3 KB · Views: 66

starmusic

New Member
Thread author
Nov 9, 2014
12
IE history shows two hits to twitter sites, which I don't use. Syndication.twitter.com and platform.twitter.com.
I don't know for sure if those occurred before or after that last action.
TaskMgr shows one instance of dllhost.exe... actually a second just popped up and down as I was watching it.
Nothing logged to History, and no AV runtime notice of stopping a malicious website, but I noticed yesterday after a scan and threat removal that it seemed to take up to a half hour for things to get rolling.
I don't know what legitimate uses dllhost.exe might have, but I don't imagine it's a good sign that it's running new instances repeatedly as I type this.
I'll be brave and leave my network connection enabled overnight; I'm running an MB scan now and will follow up in the morning.
Any chance you can tell me how dangerous this Trojan might be in terms of identity theft or uploading of sensitive stuff from my computer? Or is it just a "Link clicker" to defraud website pay-per-click stuff?
Thanks for all your help.
 

starmusic

New Member
Thread author
Nov 9, 2014
12
OK, the list had been removed so I ran Scan again. Files attached.
 

Attachments

  • FRST.txt
    45.3 KB · Views: 54
  • Addition.txt
    34.4 KB · Views: 36

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    69 bytes · Views: 45

starmusic

New Member
Thread author
Nov 9, 2014
12
Here is the new log file.
Situation seems the same; it already touched the same twitter sites, and dllhost.exe has one instance running and a second that comes and goes.
Is it possible to remove that file altogether? Is it a needed file? And is the idea that it got replaced by the Trojan, or that some other process is using dllhost.exe to do its stuff?
Thanks,
 

Attachments

  • Fixlog.txt
    908 bytes · Views: 35

starmusic

New Member
Thread author
Nov 9, 2014
12
I noticed this MB announcement:
https://blog.malwarebytes.org/security-threat/2014/11/no-more-poweliks/
which says there’s a new MBAR that can remove this Trojan.
But the version number they specify (1.08) matches the one you had me download (it doesn’t mention the Micro version number).
I ran MBAR again and it did update its db, and I had it do a Scan, but it did NOT find anything, and I did not tell it to clean anything,
anticipating that you may have another process for me to run.

My history DID show the unknown visits to the twitter URLs that I believe are from the malware.
I've never used twitter. And dllhost still shows in the TaskMgr as I described earlier.
But I am NOT seeing any runtime warnings that a malicious website was stopped -- is there a chance the malware is gone, and these other issues are something else (twitter history and dllhost)?

What’s next?
Thanks,
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    Autoclean;
    Quickscan;
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.
 

starmusic

New Member
Thread author
Nov 9, 2014
12
Here is the zoek-results. Thanks:

Zoek.exe v5.0.0.0 Updated 11-November-2014
Tool run by Brian Hays on Tue 11/11/2014 at 23:14:30.71.
Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Brian Hays\Downloads\zoek.exe [Scan all users] [Script inserted]
==== System Restore Info ======================
11/11/2014 11:15:17 PM Zoek.exe System Restore Point Created Succesfully.
==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Deleting Files \ Folders ======================
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted
C:\abacuslaw2013.exe deleted
C:\PROGRA~3\Package Cache deleted
C:\windows\SysNative\tasks\WinZip Job-WorkBackup deleted
C:\Windows\tasks\WinZip Job-WorkBackup.job deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
"C:\Users\Brian Hays\AppData\Roaming\????" not deleted
"C:\Users\Brian Hays\AppData\Roaming\Help" deleted
"C:\Users\Brian Hays\AppData\Roaming\webex" deleted
==== Files Recently Created / Modified ======================
====== C:\Windows ====
====== C:\Users\BRIANH~1\AppData\Local\Temp ====
====== Java Cache =====
====== C:\Windows\SysWOW64 =====
====== C:\Windows\SysWOW64\drivers =====
====== C:\Windows\Sysnative =====
====== C:\Windows\Sysnative\drivers =====
2014-11-09 07:20:14 26C43960C99EE861A5D0EDC4DCF3B1C3 129752 ----a-w- C:\Windows\Sysnative\drivers\MBAMSwissArmy.sys
2014-11-09 07:19:45 95EF63A7827D4E3A229CBBCB42619E93 63704 ----a-w- C:\Windows\Sysnative\drivers\mwac.sys
2014-11-09 07:19:45 5C3669B71657F22E67A1D4BD49D2CBE7 25816 ----a-w- C:\Windows\Sysnative\drivers\mbam.sys
2014-11-09 07:19:45 3540DDFAC8A076B983F86EB2A79D8FBD 96472 ----a-w- C:\Windows\Sysnative\drivers\mbamchameleon.sys
2014-10-15 03:57:38 FE571E088C2D83619D2D48D4E961BF41 212480 ----a-w- C:\Windows\Sysnative\drivers\rdpwd.sys
2014-10-15 03:57:38 E232A3B43A894BB327FC161529BD9ED1 39936 ----a-w- C:\Windows\Sysnative\drivers\tssecsrv.sys
====== C:\Windows\Tasks ======
2014-11-06 19:55:27 8F94877C4EF34E2232E455D4B4CC9B6C 3858 ----a-w- C:\Windows\Sysnative\Tasks\{F4AD976A-66F4-D4E7-AEBF-3A4AF39440D5}
====== C:\Windows\Temp ======
======= C:\Program Files =====
======= C:\PROGRA~2 =====
2014-10-18 17:38:36 -------- d-----w- C:\PROGRA~2\Hewlett-Packard
======= C: =====
2014-11-09 09:23:31 F669A9BF8C17C190FAB2E034D9BCF4A8 2580945 ----a-w- C:\My RoboForm Data.zip
2014-10-16 18:26:00 627B0245E004197E03F71F5C93543E3D 42 ----a-w- C:\bh.ini
2014-10-16 18:26:00 00914039B2C4F0D5411BB2B88E783F3C 42 ----a-w- C:\bh.BAK
====== C:\Users\Brian Hays\AppData\Roaming ======
2014-11-11 19:12:54 -------- d-----w- C:\Users\Brian Hays\AppData\Roaming\Mozilla
2014-10-18 17:38:40 -------- d-----w- C:\Users\Brian Hays\AppData\Local\Hewlett-Packard
====== C:\Users\Brian Hays ======
2014-11-10 16:36:28 405E11DD1024625E4ABB8925F3C3CBDA 14439144 ----a-w- C:\Users\Brian Hays\Downloads\mbar-1.08.0.1001.exe
2014-11-10 08:28:54 78BDCC72BEE314FA1715E2D7617757B3 2116096 ----a-w- C:\Users\Brian Hays\Desktop\FRST64.exe
2014-11-10 00:26:57 -------- d-----w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AI RoboForm
2014-11-09 20:23:00 6504113C2218667814D4F54847BA046A 2140160 ----a-w- C:\Users\Brian Hays\Downloads\adwcleaner_4.101.exe
2014-11-09 07:18:38 33398D340008A0577507FCA7FD443622 19828376 ----a-w- C:\Users\Brian Hays\Downloads\mbam-setup-2.0.3.1025.exe
2014-11-09 03:39:58 EA11B5C84321B89C4CE7C5EED3602C2A 1706808 ----a-w- C:\Users\Brian Hays\Desktop\JRT_NEW.exe
====== C: exe-files ==
2014-11-11 09:05:07 821E577AB0B119278BD1940FEF224DDA 51080 ----atw- C:\Users\Brian Hays\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateBroker.exe
2014-11-11 09:05:07 4067DC9EA0640485F1CF395427FD5E9B 51080 ----atw- C:\Users\Brian Hays\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe
2014-11-11 09:05:07 27DC334376EE08A0962E6367E23D3CBA 880272 ----a-w- C:\Users\Brian Hays\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateSetup.exe
2014-11-11 09:04:59 976D5F35A058340DA2C160CEC4063C4B 230792 ----atw- C:\Users\Brian Hays\AppData\Local\Google\Update\1.3.25.5\GoogleCrashHandler.exe
2014-11-11 09:04:59 26E37D5EAC3F1CF66587183AB348168C 114568 ----atw- C:\Users\Brian Hays\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateComRegisterShell64.exe
2014-11-11 09:04:59 047556104954A72A2222FFF169166EEE 285064 ----atw- C:\Users\Brian Hays\AppData\Local\Google\Update\1.3.25.5\GoogleCrashHandler64.exe
2014-11-11 09:04:55 51508F0C2476177E50C31B0BBFBF1BDB 107912 ----atw- C:\Users\Brian Hays\AppData\Local\Google\Update\1.3.25.5\GoogleUpdate.exe
2014-11-11 09:04:53 27DC334376EE08A0962E6367E23D3CBA 880272 ----a-w- C:\Users\Brian Hays\AppData\Local\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.25.5\GoogleUpdateSetup.exe
2014-11-10 16:38:06 3CADE61FCDF50CC17ECB7664220E31DC 54072 ----a-w- C:\Users\Brian Hays\Desktop\mbar\mbamdor.exe
2014-11-10 16:38:06 0A4EC663BF58FB4290674679FD075F58 1211192 ----a-w- C:\Users\Brian Hays\Desktop\mbar\mbar.exe
2014-11-10 16:38:03 C68AA07C443FB26A44E17A6649EE1D3C 821560 ----a-w- C:\Users\Brian Hays\Desktop\mbar\Plugins\fixdamage.exe
2014-11-10 16:36:28 405E11DD1024625E4ABB8925F3C3CBDA 14439144 ----a-w- C:\Users\Brian Hays\Downloads\mbar-1.08.0.1001.exe
2014-11-10 08:28:54 78BDCC72BEE314FA1715E2D7617757B3 2116096 ----a-w- C:\Users\Brian Hays\Desktop\FRST64.exe
2014-11-09 20:23:00 6504113C2218667814D4F54847BA046A 2140160 ----a-w- C:\Users\Brian Hays\Downloads\adwcleaner_4.101.exe
2014-11-09 07:18:38 33398D340008A0577507FCA7FD443622 19828376 ----a-w- C:\Users\Brian Hays\Downloads\mbam-setup-2.0.3.1025.exe
2014-11-09 03:39:58 EA11B5C84321B89C4CE7C5EED3602C2A 1706808 ----a-w- C:\Users\Brian Hays\Desktop\JRT_NEW.exe
2014-11-08 16:01:03 037B1E7798960E0420003D05BB577EE6 33280 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\rundll32.exe
2014-11-08 16:01:02 0BDAE865738D27A4D84D50591C8C9D2D 860488 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\Lymduyelvzw.exe
2014-11-08 16:01:01 30A9BA6BDB2927E3E222629880BF03DE 1912136 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\36.0.1985.143\delegate_execute.exe
2014-11-08 16:01:01 007E8B07E512FDA381C0BED5CF8BA6E6 1936712 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\36.0.1985.143\nacl64.exe
2014-11-06 19:02:50 500CC0E1FFC86DF9E32A46D584E21280 8617472 ----a-w- C:\lw23\Programs\lawwin.exe
=== C: other files ==
2014-11-09 09:23:31 F669A9BF8C17C190FAB2E034D9BCF4A8 2580945 ----a-w- C:\My RoboForm Data.zip
2014-11-09 07:20:14 26C43960C99EE861A5D0EDC4DCF3B1C3 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-11-09 07:19:45 95EF63A7827D4E3A229CBBCB42619E93 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-11-09 07:19:45 5C3669B71657F22E67A1D4BD49D2CBE7 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-11-09 07:19:45 3540DDFAC8A076B983F86EB2A79D8FBD 96472 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-11-08 16:01:01 D2F6A1B11344D9AC7BCFB75900D4ADE1 23668 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\36.0.1985.143\default_apps\youtube.crx
2014-11-08 16:01:01 8AD223868AB9974F7746D0227730A0CC 26392 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\36.0.1985.143\default_apps\search.crx
2014-11-08 16:01:01 71E1283B8440F6264CEC99DF9AD81F5B 25561 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\36.0.1985.143\default_apps\drive.crx
2014-11-08 16:01:01 2E2E328E5BF6BE61203164B3E9EA8094 24040 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\36.0.1985.143\default_apps\gmail.crx
2014-11-08 16:01:01 2C71C49F991095A1848624907BACBB08 4578 ----a-w- C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl\Tzdobur\36.0.1985.143\default_apps\docs.crx
==== Startup Registry Enabled ======================
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"
[HKEY_USERS\S-1-5-21-1315959649-3742310553-3276613495-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe"
"ApplePhotoStreams"="C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe"
"com.apple.dav.bookmarks.daemon"="C:\Program Files (x86)\Common Files\Apple\Internet Services\BookmarkDAV_client.exe"
"Google Update"="C:\Users\Brian Hays\AppData\Local\Google\Update\GoogleUpdate.exe /c"
"ISUSPM"="C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler"
"AppleIEDAV"="C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe"
"Amazon Music"="C:\Users\Brian Hays\AppData\Local\Amazon Music\Amazon Music Helper.exe"
"Codejock Update"="C:\Program Files (x86)\Codejock Software\ActiveX\Xtreme SuitePro ActiveX v16.3.1\CodejockAlert.exe /AutoRun"
"GoToMeeting"="C:\Program Files (x86)\Citrix\GoToMeeting\1468\g2mstart.exe /Trigger RunAtLogon"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Application Restart #0"="C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe min /RestartByRestartManager:A16E240E-E348-4200-8BE2-579D61CFBB5B"
"Application Restart #2"="C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe min /RestartByRestartManager:B38FDDF6-6046-4b04-BABC-C58D64ECE1D7"
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"mctadmin"="C:\Windows\System32\mctadmin.exe"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Application Restart #0"="C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe min /RestartByRestartManager:A16E240E-E348-4200-8BE2-579D61CFBB5B"
"Application Restart #2"="C:\Program Files (x86)\ASUS\GPU Tweak\Monitor.exe min /RestartByRestartManager:B38FDDF6-6046-4b04-BABC-C58D64ECE1D7"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe /DelayServices"
"googletalk"="C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart"
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"ISUSPM"="C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler"
"DNS7reminder"="C:\Program Files (x86)\Nuance\NaturallySpeaking12\Ereg\Ereg.exe -r C:\ProgramData\Nuance\NaturallySpeaking12\Ereg.ini"
"HP Software Update"="C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe"
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe"
"ApplePhotoStreams"="C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe"
"com.apple.dav.bookmarks.daemon"="C:\Program Files (x86)\Common Files\Apple\Internet Services\BookmarkDAV_client.exe"
"Google Update"="C:\Users\Brian Hays\AppData\Local\Google\Update\GoogleUpdate.exe /c"
"ISUSPM"="C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler"
"AppleIEDAV"="C:\Program Files (x86)\Common Files\Apple\Internet Services\AppleIEDAV.exe"
"Amazon Music"="C:\Users\Brian Hays\AppData\Local\Amazon Music\Amazon Music Helper.exe"
"Codejock Update"="C:\Program Files (x86)\Codejock Software\ActiveX\Xtreme SuitePro ActiveX v16.3.1\CodejockAlert.exe /AutoRun"
"GoToMeeting"="C:\Program Files (x86)\Citrix\GoToMeeting\1468\g2mstart.exe /Trigger RunAtLogon"
==== Startup Registry Enabled x64 ======================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s"
"MSC"="C:\Program Files\Microsoft Security Client\msseces.exe -hide -runkey"
"NvBackend"="C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
==== Task Scheduler Jobs ======================
C:\Windows\tasks\Adobe Flash Player Updater.job --a------ C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [09/24/2014 05:46 AM]
C:\Windows\tasks\G2MUpdateTask-S-1-5-21-1315959649-3742310553-3276613495-1000.job --a------ C:\Program Files (x86)\Citrix\GoToMeeting\1865\g2mupdate.exe [10/29/2014 01:07 PM]
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1315959649-3742310553-3276613495-1000Core.job --a------ C:\Users\Brian Hays\AppData\Local\Google\Update\GoogleUpdate.exe [05/29/2013 09:07 AM]
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1315959649-3742310553-3276613495-1000UA.job --a------ C:\Users\Brian Hays\AppData\Local\Google\Update\GoogleUpdate.exe [05/29/2013 09:07 AM]
==== Other Scheduled Tasks ======================
"C:\Windows\SysNative\tasks\Adobe Flash Player Updater" [C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe]
"C:\Windows\SysNative\tasks\Amazon Music Helper" [C:\Users\Brian Hays\AppData\Local\Amazon Music\Amazon Music Helper.exe]
"C:\Windows\SysNative\tasks\G2MUpdateTask-S-1-5-21-1315959649-3742310553-3276613495-1000" [C:\Program Files (x86)\Citrix\GoToMeeting\1865\g2mupdate.exe]
"C:\Windows\SysNative\tasks\GoogleUpdateTaskUserS-1-5-21-1315959649-3742310553-3276613495-1000Core" [C:\Users\Brian Hays\AppData\Local\Google\Update\GoogleUpdate.exe]
"C:\Windows\SysNative\tasks\GoogleUpdateTaskUserS-1-5-21-1315959649-3742310553-3276613495-1000UA" [C:\Users\Brian Hays\AppData\Local\Google\Update\GoogleUpdate.exe]
"C:\Windows\SysNative\tasks\{F4AD976A-66F4-D4E7-AEBF-3A4AF39440D5}" [C:\Windows\system32\regsvr32.exe]
"C:\Windows\SysNative\tasks\Apple\AppleSoftwareUpdate" [C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe]
"C:\Windows\SysNative\tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask" [%systemroot%\system32\sc.exe start osppsvc]
==== Firefox Extensions Registry ======================
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"http://my.refdesk.com/"
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://my.refdesk.com/"
==== All HKCU SearchScopes ======================
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
{DDD3917F-AA2F-4A0F-AF36-0FE51B3B35AC} Google Url="http://www.google.com/search?q={sea...ource}&ie={inputEncoding?}&oe={outputEncoding?}"
==== Empty IE Cache ======================
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AQ6VPJWU will be deleted at reboot
C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L3NTTSUB will be deleted at reboot
C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VB39285H will be deleted at reboot
C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XRBFRXII will be deleted at reboot
==== Empty FireFox Cache ======================
No FireFox Profiles found
==== Empty Chrome Cache ======================
C:\Users\Brian Hays\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
==== Empty All Flash Cache ======================
Flash Cache Emptied Successfully
==== Empty All Java Cache ======================
No Java Cache Found
==== C:\zoek_backup content ======================
C:\zoek_backup (files=20 folders=20 66165361 bytes)
==== Empty Temp Folders ======================
C:\Users\Brian Hays\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Hays\AppData\Local\Temp emptied successfully
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
==== After Reboot ======================
==== Empty Temp Folders ======================
C:\Windows\Temp successfully emptied
C:\Users\BRIANH~1\AppData\Local\Temp successfully emptied
==== Empty Recycle Bin ======================
C:\$RECYCLE.BIN successfully emptied
==== Deleting Files / Folders ======================
"C:\Users\Brian Hays\AppData\Roaming\????" not deleted
"C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AQ6VPJWU" not found
"C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L3NTTSUB" not found
"C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VB39285H" not found
"C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XRBFRXII" not found
==== EOF on Tue 11/11/2014 at 23:29:21.52 ======================
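
Added here as an editor's example, not code from the thread or from zoek: a small triage script that parses the section layout of the zoek-results log above and flags the two traits that stand out in it, a scheduled task named only by a GUID whose action is regsvr32.exe (dllhost.exe itself is the Windows COM Surrogate, so the persistence entry that keeps launching things is what to inspect) and autoruns that start from user-writable directories. The sample log is a constructed excerpt; the GUID task line is copied from the log above, the benign entries are typical ones, and the proxy-binary and user-writable lists are the author's assumptions.

```python
import re
from collections import namedtuple

# Constructed excerpt in the layout of the zoek-results log posted above. The
# GUID-named task line is the one from that log; the other entries are typical
# benign autoruns so the heuristics have something to pass.
SAMPLE_LOG = r"""==== Startup Registry Enabled ======================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe /c"
==== Other Scheduled Tasks ======================
"C:\Windows\SysNative\tasks\Adobe Flash Player Updater" [C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe]
"C:\Windows\SysNative\tasks\{F4AD976A-66F4-D4E7-AEBF-3A4AF39440D5}" [C:\Windows\system32\regsvr32.exe]
"C:\Windows\SysNative\tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask" [%systemroot%\system32\sc.exe start osppsvc]
==== Firefox Extensions Registry ======================
"""

Finding = namedtuple("Finding", "kind name target reasons")

SECTION_RE = re.compile(r"^=+ (.+?) =+$")                       # ==== Title ====
TASK_RE = re.compile(r'^"(?P<path>[^"]+)" \[(?P<action>.*)\]$')  # "task path" [action]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')        # "value"="command"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
EXE_RE = re.compile(r"([^\\\s]+\.exe)", re.I)                    # first executable name

# Assumed list: signed Windows binaries whose job is to run code handed to them
# (DLLs, scripts). A persistence entry built on one of these deserves a look at
# what it actually loads, because the entry itself carries no payload.
PROXY_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe", "powershell.exe"}
# Assumed list: locations an unprivileged user can write to. Legitimate updaters
# also live here (Google Update in the log), so this is a review item, not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def sections(text):
    """Split a zoek log into {section title: [non-blank lines]} in file order."""
    out, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            out[current] = []
        elif current is not None and line.strip():
            out[current].append(line.rstrip())
    return out


def triage_tasks(lines):
    """Flag tasks named by a bare GUID or whose action is a proxy binary."""
    findings = []
    for line in lines:
        m = TASK_RE.match(line)
        if not m:
            continue
        task_name = m.group("path").rstrip("\\").split("\\")[-1]
        exe_match = EXE_RE.search(m.group("action"))
        exe = exe_match.group(1).lower() if exe_match else ""
        reasons = []
        if GUID_RE.match(task_name):
            reasons.append("task name is a bare GUID")
        if exe in PROXY_BINARIES:
            reasons.append("action runs proxy binary " + exe)
        if reasons:
            findings.append(Finding("task", task_name, m.group("action"), reasons))
    return findings


def triage_run_entries(lines):
    """Flag Run/RunOnce values that start from user-writable paths or proxies."""
    findings, key = [], ""
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the registry key for reporting
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        exe_match = EXE_RE.search(cmd)
        exe = exe_match.group(1).lower() if exe_match else ""
        reasons = []
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            reasons.append("autorun target lives in a user-writable directory")
        if exe in PROXY_BINARIES:
            reasons.append("autorun runs proxy binary " + exe)
        if reasons:
            findings.append(Finding("run", key + "\\" + m.group("name"), cmd, reasons))
    return findings


def triage(text):
    """Run both checks over the relevant sections of a zoek log."""
    findings = []
    for title, lines in sections(text).items():
        if "Scheduled Tasks" in title:
            findings += triage_tasks(lines)
        elif title.startswith("Startup Registry"):
            findings += triage_run_entries(lines)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name} -> {f.target}: {'; '.join(f.reasons)}")
```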
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Re-run zoek and run this script:

Code:
C:\bh.ini;f
C:\bh.BAK;f
C:\Users\Brian Hays\AppData\Roaming\????;fs
C:\Users\Brian Hays\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5;fs
C:\Users\Brian Hays\AppData\LocalLow\EmieUserList\yzfdkpfyryl;fs
emptyfolderscheck;delete
autoclean;
emptyalltemp;
emptyclsid;
 

starmusic

New Member
Thread author
Nov 9, 2014
12
OK, results from zoek with that 9-line script attached.
History shows no hits; TaskMgr has one instance of dllhost up but I'm not seeing any others jumping in.
Thanks,
 

Attachments

  • zoek-results.txt
    7.7 KB · Views: 72

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record a healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


Cheers ;)
 