My c drive free space keeps going down [Solved/Closed]

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Jan 30, 2013 at 01:03 PM - Latest reply: sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen
- Feb 10, 2013 at 01:58 AM
Hello,

please i need help :(

my c drive size keeps going down fast
even without downloading or putting anything on the drive
i think it a virus
+
i checked and it is not because i have restore point

so it nothing on the drive i think it a virus
please i need every help i can get :(



See more 

43 replies

Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Jan 30, 2013 at 04:34 PM
1
Thank you
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a system log.

1. Open this link and download ZHPDiag2 :

http://telechargement.zebulon.fr/telecharger-zhpdiag.html

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message. Once installed, click on the "hardhat" icon, it allows to change the language.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

the tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix at the next step).

4. Double click on the short cut ZHPDiag on your Destktop.

5. Click on the screwdriver icon and ensure all of the items are checked.

6. Click on the Magnifying glass and run the analysys.

Wait for the tool to finished (maybe a long time)

7. Close ZHPDiag.

8. To transmit the report, click on this link :

http://www.speedyshare.com/

9. Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload »

12. Copy the url and post it here.

Best regards

Ambucias
Moderator /Security Contributor

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Jan 31, 2013 at 04:36 AM
1
Thank you
Please, did you download ZHP Diag version I recommended or did you use the one you had ? You must use the link I gave in this thread and click on "téléchargez" to download.

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Jan 31, 2013 at 01:21 PM
but i did :(
i pressed FTP Zebulon.fr N°1 and it started downloading because there was no téléchargez
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Jan 31, 2013 at 06:16 PM
1
Thank you
Okay

Please be patient. Nicolas Coolman is presently in Europe. I will contact him now and I will get back to you.

In the meantime, just looking at the HJT log, it looks as if you have adware and possibly a Trojan Horse. I can't be 100% sure as HJT is a minimal report.

1. Please download and run the following tool:

http://general-changelog-team.fr/en/downloads/viewdownload/20-outils-de-xplode/2-adwcleaner

2. Download, install and run Malwarebyte which you can find on this site:

http://ccm.net/download/download-105-malwarebyt es-anti-malware

Ensure you make an update.

Boot your computer in safemode

Please request a FULL system scan, which may take from 20 minutes to hours. Do not interfere no matter how long in takes. The creators of Malwarebyte recommend that while the tool is running that you go do something else, such as watching a rerun of Gone with the Wind or read Tolstoy's War and Peace.

If Malwarebyte restarts your system, launch it again to finish the Full scan.

When the scan is completed, delete all items found.

3. Tell me if your machine is running better.

Take care untill tomorrow as I must attend to my family.

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 1, 2013 at 06:30 PM
ok so i did everything u told me to do
and worked for like 15 minutes then the drive size started going down again
so i repeated the same steps but the size went down even more :( :(
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 2, 2013 at 05:19 AM
1
Thank you
Hi

The ZHP Diag overflow error has been fixed.

Please go to this site for download:

http://telechargement.zebulon.fr/telecharger-zhpdiag.html

Click on ftp://zebulon.fr/no1

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 2, 2013 at 12:34 PM
iam sooo sooo sooo sorry
but still it didn't work :( :(
sorry
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 2, 2013 at 05:47 PM
1
Thank you
Okay,

I looked at your HJT log again, there are some indications that your system is infected by a Trojan Horse which may Hyjack your system.

There are also some spyware tool bars.

Unfortunately, I can't prescribe the specific method or remedy because I cannot identify the virus as ZHP would have permitted me to do.

I have one alternative and that is the following tool which is to be used only once and removed from your computer:

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download Combofix to your desktop.

http://www.bleepingcomputer.com/download/combofix/

(click on the download @ bleeping computer button)

2.Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

Good luck

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 4, 2013 at 08:16 AM
OK , so i guess it still didn't work I did every thing u told me to do
& yesterday i also tried to empty some of my data that i didn't need on c drive
and i had 1.95 GB free now it 1.70 !!! and it keeps going down by the hour !!!

i totally understand if u want to give up , u gave soo many solutions after all .
but any way that was the log of combo fix in case u can find anything not normal and again i can understand if u ran out of solution
thanks for your amazing help :)
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 4, 2013 at 08:17 AM
HERE IS THE REPORT :)



==============================================================



ComboFix 13-02-03.03 - NEW LAP 02/03/2013 23:29:01.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1256.20.1033.18.3894.2566 [GMT 2:00]
Running from: c:\users\NEW LAP\Downloads\Programs\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Jufsoft\BadCopy\UNWISE.EXE
c:\program files (x86)\WinRAR\setup.s
c:\programdata\continuetosave
c:\programdata\continuetosave\5102d20712b85.dll
c:\programdata\continuetosave\5102d20712b85.tlb
c:\programdata\continuetosave\5103bf7fd4df6.dll
c:\programdata\continuetosave\5103bf7fd4df6.tlb
c:\programdata\continuetosave\data\continuetosave.dat
c:\programdata\continuetosave\settings.ini
c:\programdata\continuetosave\uninstall.exe
c:\programdata\Download and Sa
c:\programdata\Download and Sa\50599ca0c08bc.html
c:\programdata\Download and Sa\50599ca0c08f5.js
c:\programdata\Download and Sa\ccacbfmcdkcapbhjhkcfbaoimiipidhf.crx
c:\programdata\Download and Sa\data\50599ca0c08f5.js
c:\programdata\Download and Sa\data\jsondb.js
c:\programdata\Download and Sa\settings.ini
c:\programdata\Download and Sa\uninstall.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Download and Sa
c:\programdata\Microsoft\Windows\Start Menu\Programs\Download and Sa\Download and Sa.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Download and Sa\Uninstall.lnk
c:\users\NEW LAP\AppData\Local\016132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\110142152012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\121162152012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1217132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1254142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1416172052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1417142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1420132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1549132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1658132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1718152052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\19172052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\1943132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\2128132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\2129142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\2137132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\2153132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\216142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\2413132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\261142152012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\2633132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\277162052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\2950132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3019152052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3118142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3159132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3338132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3344132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3430142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\357132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\357142152012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3624142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3654132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3923152052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\3925132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\422132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\436132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\443172052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\450142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4514132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4526142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4534132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4545132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4811172052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4814142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4839132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\4923132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\5020152052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\5055132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\5231142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\547132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\5529132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\622152052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\633142052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\642132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\725152052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\827132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\852132052012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Local\93132152012HrZ4oKI.exe
c:\users\NEW LAP\AppData\Roaming\111.dat
c:\windows\PFRO.log
c:\windows\SysWow64\asw7B97.tmp
c:\users\NEW LAP\AppData\Local\Temp\3546116\1209864.exe . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\advdis.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\avlib.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\avpgs.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\avpgui.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\avs.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\avspm.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\avzkrnl.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\avzscan.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\base64.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\base64p.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\basegui.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\arkmon.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\avengine.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\avpcure.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\kavbase.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\kavsys.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\kjim.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\klavemu.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\mark.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\pbs.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\qscan.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bases\vlns.kdl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\bl.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\btdisk.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\btimages.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\buffer.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\clldr.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\crpthlpr.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\dbghelp.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\deflate.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\diffs.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\dmap.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\dtreg.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\filemap.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\fsdrvplg.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\fssync.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\hashmd5.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\hashsha1.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\icheck3.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\inflate.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\inifile.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\kldw.exe . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\klsrlsvc.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\mailmsg.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\mdb.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\mdmap.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\memmng.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\memmodsc.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\memscan.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\minizip.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\mkavio.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\msoe.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\msvcm80.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\msvcp80.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\msvcr80.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\ndetect.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\netdtls.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\nfio.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\ntfsstrm.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\ods.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\params.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\passdmap.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\prloader.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\procmon.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\propmap.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\proxydet.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\prremote.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\prseqio.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\prtransp.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\prutil.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\pxstub.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\qb.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\quantum.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\regmap.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\report.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\reportdb.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\resip.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\schedule.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\sfdb.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\stat.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\stdcomp.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\stenum2.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\superio.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\syswatch.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\thpimpl.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\timer.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\tm.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\uniarc.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\updater.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\urlflt.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\ushata.dll . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\volenum.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\wdiskio.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\winreg.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\wmihlpr.ppl . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\x64\wmi64.exe . . . . Failed to delete
c:\users\NEW LAP\AppData\Local\Temp\3546116\xorio.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\1209864.exe . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\advdis.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\avlib.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\avpgs.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\avpgui.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\avs.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\avspm.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\avzkrnl.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\avzscan.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\base64.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\base64p.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\basegui.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\arkmon.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\avengine.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\avpcure.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\kavbase.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\kavsys.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\kjim.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\klavemu.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\mark.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\pbs.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\qscan.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bases\vlns.kdl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\bl.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\btdisk.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\btimages.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\buffer.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\clldr.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\crpthlpr.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\dbghelp.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\deflate.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\diffs.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\dmap.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\dtreg.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\filemap.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\fsdrvplg.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\fssync.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\hashmd5.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\hashsha1.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\icheck3.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\inflate.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\inifile.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\kldw.exe . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\klsrlsvc.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\mailmsg.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\mdb.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\mdmap.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\memmng.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\memmodsc.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\memscan.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\minizip.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\mkavio.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\msoe.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\msvcm80.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\msvcp80.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\msvcr80.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\ndetect.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\netdtls.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\nfio.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\ntfsstrm.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\ods.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\params.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\passdmap.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\prloader.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\procmon.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\propmap.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\proxydet.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\prremote.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\prseqio.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\prtransp.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\prutil.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\pxstub.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\qb.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\quantum.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\regmap.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\report.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\reportdb.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\resip.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\schedule.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\sfdb.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\stat.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\stdcomp.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\stenum2.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\superio.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\syswatch.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\thpimpl.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\timer.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\tm.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\uniarc.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\updater.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\urlflt.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\ushata.dll . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\volenum.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\wdiskio.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\winreg.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\wmihlpr.ppl . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\x64\wmi64.exe . . . . Failed to delete
c:\users\NEWLAP~1\AppData\Local\Temp\3546116\xorio.ppl . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created from 2013-01-03 to 2013-02-03 )))))))))))))))))))))))))))))))
.
.
2013-02-03 21:40 . 2013-02-03 21:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-02-03 09:09 . 2013-02-03 09:09 -------- d-----w- c:\program files (x86)\Bigasoft
2013-02-03 00:00 . 2013-02-03 00:00 -------- d-----w- c:\users\NEW LAP\AppData\Roaming\Funmoods
2013-02-02 20:19 . 2013-02-02 20:19 -------- d-----w- c:\users\NEW LAP\AppData\Roaming\Publish Providers
2013-02-02 17:23 . 2013-02-02 17:28 -------- d-----w- c:\program files (x86)\ZHPDiag
2013-02-02 02:16 . 2013-02-02 02:16 -------- d-----w- c:\users\NEW LAP\AppData\Local\Sony
2013-02-02 02:14 . 2013-02-02 02:14 -------- d-----w- c:\programdata\Sony
2013-02-02 02:14 . 2013-02-02 02:14 -------- d-----w- c:\program files (x86)\Sony
2013-02-02 02:12 . 2013-02-02 20:19 -------- d-----w- c:\users\NEW LAP\AppData\Roaming\Sony
2013-02-01 20:24 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D07376FE-A66D-4EE3-A4A9-4255654EBCD3}\mpengine.dll
2013-02-01 14:48 . 2013-02-01 14:48 -------- d-----w- c:\users\NEW LAP\AppData\Roaming\Malwarebytes
2013-02-01 14:48 . 2013-02-01 14:48 -------- d-----w- c:\programdata\Malwarebytes
2013-02-01 14:48 . 2013-02-01 14:59 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-02-01 14:48 . 2012-12-14 14:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-01 03:28 . 2013-02-01 03:28 -------- d-----w- c:\users\NEW LAP\AppData\Local\Macromedia
2013-02-01 00:56 . 2013-02-01 00:56 -------- d-----w- c:\programdata\McAfee
2013-01-31 02:36 . 2008-07-19 14:30 94392 ----a-w- c:\windows\system32\AvastSS.scr
2013-01-31 02:36 . 2004-01-09 10:13 380928 ----a-w- c:\windows\SysWow64\actskin4.ocx
2013-01-31 02:36 . 2003-03-18 21:20 1060864 ----a-w- c:\windows\SysWow64\MFC71.dll
2013-01-30 03:06 . 2012-10-30 22:51 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-30 03:06 . 2012-10-30 22:51 370288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-30 03:05 . 2012-10-15 15:59 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-01-30 03:05 . 2012-10-30 22:51 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-30 03:05 . 2012-10-30 22:51 984144 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-30 03:05 . 2012-10-30 22:51 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-01-30 03:05 . 2012-10-30 22:50 285328 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-30 03:04 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-30 03:04 . 2012-10-30 22:50 227648 ------w- c:\windows\SysWow64\aswBoot.exe
2013-01-30 03:03 . 2013-01-30 03:03 -------- d-----w- c:\programdata\AVAST Software
2013-01-30 03:03 . 2013-01-30 03:03 -------- d-----w- c:\program files\AVAST Software
2013-01-29 01:01 . 2012-12-16 15:31 67599240 ----a-w- c:\windows\system32\MRT.exe
2013-01-29 00:35 . 2013-02-02 17:29 -------- d-----w- C:\ZHP
2013-01-28 21:14 . 2013-01-28 21:14 -------- d-----w- c:\programdata\Kaspersky Lab
2013-01-28 00:06 . 2013-01-28 00:06 -------- d-----w- c:\program files (x86)\BrowseToSave
2013-01-27 16:40 . 2013-01-28 20:34 -------- d-----w- c:\programdata\Avira
2013-01-27 15:07 . 2012-06-12 02:27 556632 ----a-w- c:\windows\system32\drivers\1209864drv.sys
2013-01-27 15:07 . 2012-06-12 02:27 460888 ----a-w- c:\windows\system32\drivers\80973076.sys
2013-01-26 11:12 . 2013-01-26 11:12 -------- d-----w- c:\programdata\BetterSoft
2013-01-25 18:19 . 2013-01-26 11:13 -------- d-----w- c:\program files (x86)\SimpleSpeedy
2013-01-25 18:19 . 2013-01-25 18:19 -------- d-----w- c:\programdata\ClickIT
2013-01-25 18:19 . 2013-01-27 21:53 -------- d-----w- c:\program files (x86)\ContinueToSave
2013-01-25 16:14 . 2013-01-25 16:14 -------- d-----w- c:\users\NEW LAP\AppData\Roaming\Smadav
2013-01-25 16:13 . 2013-01-27 15:53 -------- d-----w- C:\[Smad-Cage]
2013-01-22 19:43 . 2013-02-01 19:52 -------- d-----w- c:\program files (x86)\AutorunRemover
2013-01-19 04:46 . 2013-01-19 04:46 74703 ----a-w- c:\windows\SysWow64\mfc45.dll
2013-01-19 04:46 . 2013-01-22 18:04 -------- d-----w- c:\programdata\iolo
2013-01-16 09:19 . 2013-01-16 09:19 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
2013-01-09 12:14 . 2012-11-09 05:45 750592 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 12:14 . 2012-11-09 04:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
2013-01-09 12:03 . 2012-11-30 05:45 362496 ----a-w- c:\windows\system32\wow64win.dll
2013-01-08 10:55 . 2013-01-08 11:04 -------- d-----w- c:\program files (x86)\GoforFiles
2013-01-08 10:55 . 2013-01-08 10:55 -------- d-----w- c:\users\NEW LAP\AppData\Roaming\GoforFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-01 17:42 . 2012-05-22 19:14 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-01 17:42 . 2012-05-18 21:41 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-01-16 23:28 . 2010-11-21 03:27 273840 ------w- c:\windows\system32\MpSigStub.exe
2012-12-28 16:37 . 2012-12-28 16:37 56320 ----a-w- c:\windows\SysWow64\LM20.DLL
2012-12-16 17:11 . 2012-12-25 01:02 46080 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 14:45 . 2012-12-25 01:02 367616 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13 . 2012-12-25 01:02 295424 ----a-w- c:\windows\SysWow64\atmfd.dll
2012-12-16 14:13 . 2012-12-25 01:02 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2012-11-30 04:45 . 2013-01-09 12:03 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2012-11-14 07:06 . 2012-12-13 13:54 17811968 ----a-w- c:\windows\system32\mshtml.dll
2012-11-14 06:32 . 2012-12-13 13:54 10925568 ----a-w- c:\windows\system32\ieframe.dll
2012-11-14 06:11 . 2012-12-13 13:54 2312704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 06:04 . 2012-12-13 13:54 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-11-14 06:04 . 2012-12-13 13:54 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 06:02 . 2012-12-13 13:54 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 06:02 . 2012-12-13 13:54 237056 ----a-w- c:\windows\system32\url.dll
2012-11-14 05:59 . 2012-12-13 13:54 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-11-14 05:58 . 2012-12-13 13:54 816640 ----a-w- c:\windows\system32\jscript.dll
2012-11-14 05:57 . 2012-12-13 13:54 599040 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 05:57 . 2012-12-13 13:54 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 05:55 . 2012-12-13 13:54 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-11-14 05:55 . 2012-12-13 13:54 729088 ----a-w- c:\windows\system32\msfeeds.dll
2012-11-14 05:53 . 2012-12-13 13:54 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-11-14 05:52 . 2012-12-13 13:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-14 05:46 . 2012-12-13 13:54 248320 ----a-w- c:\windows\system32\ieui.dll
2012-11-14 02:09 . 2012-12-13 13:54 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-11-14 01:58 . 2012-12-13 13:54 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-11-14 01:57 . 2012-12-13 13:54 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-11-14 01:49 . 2012-12-13 13:54 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-11-14 01:48 . 2012-12-13 13:54 420864 ----a-w- c:\windows\SysWow64\vbscript.dll
2012-11-14 01:44 . 2012-12-13 13:54 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-11-09 05:45 . 2012-12-12 17:40 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-09 04:42 . 2012-12-12 17:40 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2012-05-18 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2012-05-18 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{C11CBDA9-6702-469E-9CE1-64E3971A6B44}]
2012-06-28 01:55 253752 ----a-w- c:\program files (x86)\PC Antivirus\pf.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM?RT-Protection"="c:\program files (x86)\Smadav\SM?RTP.exe" [?]
"Messenger (Yahoo!)"="c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe" [2012-06-28 6591800]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2010-09-29 3249504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-06-28 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2012-06-28 30040]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"avast!"="d:\pro3\ashDisp.exe" [2008-07-19 78008]
.
c:\users\NEW LAP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
2YourFace_Updater.lnk - c:\users\NEW LAP\AppData\Roaming\2YourFace\Updater.exe [N/A]
_uninst_19877396.lnk - c:\users\NEW LAP\AppData\Local\Temp\_uninst_19877396.bat [N/A]
_uninst_88572010.lnk - c:\users\NEW LAP\AppData\Local\Temp\_uninst_88572010.bat [N/A]
_uninst_96203273.lnk - c:\users\NEW LAP\AppData\Local\Temp\_uninst_96203273.bat [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 71168]
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-11-04 133632]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys [2009-11-04 114304]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 20992]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2011-02-15 335464]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-21 88960]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 34816]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 117248]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-04-25 52736]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-05-18 1255736]
S0 25696085;25696085;c:\windows\system32\DRIVERS\25696085.sys [2012-06-12 460888]
S0 28348720;28348720;c:\windows\system32\DRIVERS\28348720.sys [2012-06-12 460888]
S0 53615091;53615091;c:\windows\system32\DRIVERS\53615091.sys [2012-06-12 460888]
S0 80973076;80973076;c:\windows\system32\DRIVERS\80973076.sys [2012-06-12 460888]
S1 1209864drv;1209864drv;c:\windows\system32\DRIVERS\1209864drv.sys [2012-06-12 556632]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 71600]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2010-09-29 91936]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 VMCService;Vodafone Mobile Connect Service;c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2010-01-19 9216]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-02-17 428136]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 19:44 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-22 17:42]
.
2013-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-25 04:22]
.
2013-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-25 04:22]
.
2013-02-03 c:\windows\Tasks\schedule!1143840799.job
- c:\programdata\BetterSoft\ContinueToSave\ContinueToSave.exe [2013-01-26 19:58]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2008-03-31 21:14 80976 ----a-w- d:\pro3\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-09-29 20:53 99128 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-11-29 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-11-29 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-11-29 417304]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.fr/
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files (x86)\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\
FF - prefs.js: browser.search.defaulturl -
FF - ExtSQL: 2013-01-30 05:50; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: 2013-02-01 16:51; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=vsl&cd=2XzuyEtN2Y1L1QzuyByE0D0EtB0BtCzzyCtCyDtC0BtB0F0FtN0D0Tzu0CtAzyzytN1L2XzutBtFtBtFtCtFyEyBzztN1L1Czu1L1G1B2Z1I0R1P1Ozu2X1B1I&cr=1574208291&ir=
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Funmoods
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=vsl&cd=2XzuyEtN2Y1L1QzuyByE0D0EtB0BtCzzyCtCyDtC0BtB0F0FtN0D0Tzu0CtAzyzytN1L2XzutBtFtBtFtCtFyEyBzztN1L1Czu1L1G1B2Z1I0R1P1Ozu2X1B1I&cr=1574208291&ir=
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=vsl&cd=2XzuyEtN2Y1L1QzuyByE0D0EtB0BtCzzyCtCyDtC0BtB0F0FtN0D0Tzu0CtAzyzytN1L2XzutBtFtBtFtCtFyEyBzztN1L1Czu1L1G1B2Z1I0R1P1Ozu2X1B1I&cr=1574208291&ir=&q=
FF - user.js: extensions.funmoods.id - 74DE2B186151B2FF
FF - user.js: extensions.funmoods.instlDay - 15739
FF - user.js: extensions.funmoods.vrsn - 1.8.4.0
FF - user.js: extensions.funmoods.vrsni - 1.8.4.0
FF - user.js: extensions.funmoods_i.vrsnTs - 1.8.4.02:0:56
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - vsl
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef -
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.appId - {EA28B360-05E0-4F93-8150-02891F1D8D3C}
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods_i.hmpg - true
FF - user.js: extensions.irspeeddial.aflt - vsl
FF - user.js: extensions.irspeeddial.instlRef -
FF - user.js: extensions.irspeeddial.cr - 1574208291
FF - user.js: extensions.irspeeddial.cd - 2XzuyEtN2Y1L1QzuyByE0D0EtB0BtCzzyCtCyDtC0BtB0F0FtN0D0Tzu0CtAzyzytN1L2XzutBtFtBtFtCtFyEyBzztN1L1Czu1L1G1B2Z1I0R1P1Ozu2X1B1I
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{91995B91-F882-09B5-C92E-CA24A9A108EA} - c:\programdata\continuetosave\5103bf7fd4df6.dll
BHO-{AA4A53E2-F20C-761A-2F19-C1FEBA21E5AD} - c:\programdata\continuetosave\5102d20712b85.dll
Wow6432Node-HKCU-Run-DLD.EXE - c:\program files (x86)\Download Direct\DLD.exe
Wow6432Node-HKCU-Run-Optimizer Pro - c:\program files (x86)\Optimizer Pro\OptProLauncher.exe
Wow6432Node-HKCU-Run-Hostprozess f=r Windows-Tasks - c:\users\NEW LAP\AppData\Roaming\Driver.exe
Wow6432Node-HKLM-Run-ArcSoft Connection Service - c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
Wow6432Node-HKLM-Run-PC Antivirus - c:\program files (x86)\PC Antivirus\PCAntivirus.exe
Wow6432Node-HKLM-Run-MobileConnect - c:\program files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
Wow6432Node-HKLM-Run-AutorunRemover.exe - c:\program files (x86)\AutorunRemover\AutorunRemover.exe
HKLM-Run-AutoRunExterminator - c:\users\NEW LAP\AppData\Local\Temp\Rar$EX00.740\AutoRunExterminator.exe
AddRemove-7-Zip - c:\program files (x86)\7-Zip\Uninstall.exe
AddRemove-Adobe_f6203f42fc049f762bd88baa6920a29 - c:\program files (x86)\Common Files\Adobe\Installers\f6203f42fc049f762bd88baa6920a29\Setup.exe
AddRemove-BadCopy Pro - c:\progra~2\Jufsoft\BadCopy\UNWISE.EXE
AddRemove-Cake Shop 2_is1 - c:\program files (x86)\GirlGamesForFree.net\Cake Shop 2\unins000.exe
AddRemove-Optimizer Pro_is1 - c:\program files (x86)\Optimizer Pro\unins000.exe
AddRemove-SP_e14dcdfa - c:\program files (x86)\ContinueToSave\uninstall.exe
AddRemove-VLC media player - c:\program files (x86)\VideoLAN\VLC\uninstall.exe
AddRemove-Yahoo! Messenger - c:\progra~2\Yahoo!\MESSEN~1\UNWISE.EXE
AddRemove-{20E7BC40-33F6-4A81-9D52-B58349326206} - c:\programdata\Download and Sa\uninstall.exe
AddRemove-{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF} - c:\program files (x86)\InstallShield Installation Information\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}\setup.exe
AddRemove-{C1C6816E-CBB3-A748-85F9-A8B47B68985B} - c:\programdata\continuetosave\uninstall.exe
AddRemove-{C3A32068-8AB1-4327-BB16-BED9C6219DC7} - c:\program files (x86)\InstallShield Installation Information\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}\Setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1437678433-53100757-4044471284-1000_Classes\Wow6432Node\CLSID\{228a2f46-94f2-4894-9fff-98e00d85ff8a}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000021
"Therad"=dword:00000006
.
[HKEY_USERS\S-1-5-21-1437678433-53100757-4044471284-1000_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):ca,b3,e1,e9,38,7a,94,99,8a,44,7d,66,da,d5,48,6b,2f,3d,5d,8c,e4,
8c,79,c9,14,d2,6c,ff,b0,1b,63,57,5f,e4,9c,35,b9,f6,9c,c8,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1437678433-53100757-4044471284-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):6e,47,c3,e5,33,60,65,9a,f7,7c,ff,ab,89,86,f7,bc,80,c9,ed,0c,73,
fe,23,c2,e4,dc,b8,b2,a6,e0,92,d5,30,cb,99,c5,1a,6f,d7,dd,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1437678433-53100757-4044471284-1000_Classes\Wow6432Node\CLSID\{feaa79a4-5c2e-4518-8344-d4e657d38139}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000162
"Therad"=dword:00000001
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
d:\pro3\aswUpdSv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
.
**************************************************************************
.
Completion time: 2013-02-03 23:50:46 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-03 21:50
.
Pre-Run: 763,281,408 bytes free
Post-Run: 1,494,564,864 bytes free
.
- - End Of File - - 47A29F1649B7A07E20701F09EB924FD1


================================================================
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 4, 2013 at 04:31 PM
1
Thank you
Hi,

Looks like could not delete everything it wanted to delete.

The creator of ZHP Diag told me today that the 047 overflow error is due to the numbers of items.

This time, please open ZHP Diag, click on the Eyedropper (options) click on check all but uncheck Export key (047).

Click on the magnifying glass to generate a report.

Upload the report on Speedyshare and post the url here.

Regards

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 4, 2013 at 07:16 PM
yaaaaaaay
it worked finally but i didn't paste it on the other ZH Diag , should i do it ??
anyway here is the scan report

http://www.speedy.sh/cCrdJ/ZHPDiag.txt

thanks :)
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 5, 2013 at 07:42 AM
1
Thank you
Hi Sarah

Thank you the ZHP Diag log which is much more detailed.

I have identified the cause of problem, there is a virus at your memory and a few other malware as well, such as Rogue Trojan Horse. The source of the infections comes from applications that you have downloaded and installed and mostly from using UTorrent, Bit Torrent, Peer2Peer.

The worst and the most dangerous malware are the applications for which did not have a license, cracks and key generator.

In order to be able to desinfect your machine, the cracked applications must be removed otherwise the very same viruses will return in an eternal loop.

Also, because I am a Kioskea Moderator and Security Contributor, I must uphold Kioskea's Charter and we can't help members who have illegal software.

However, I am willing to help you, if you delete the illegal software.

Please delete the following software as well as the ZHP Diag log. Once you have delete, produce another ZHP Diag log for me to verify that the software has been removed and upload it on Speedyshare.

C:\Documents and Settings\NEW LAP\AppData\Local\Opera\Opera\icons\crackedsoftwarespot.blogspot.com.idx

C:\Documents and Settings\NEW LAP\AppData\Roaming\uTorrent\Sony Vegas Pro 10 Keygen.rar.torrent

C:\Documents and Settings\NEW LAP\Downloads\Sony Vegas Pro 10 Keygen\Sony Vegas Pro 10 Keygen\Keygen.exe

C:\Users\NEW LAP\AppData\Roaming\uTorrent\Sony Vegas Pro 10 Keygen.rar.torrent

C:\Users\NEW LAP\Downloads\Sony Vegas Pro 10 Keygen\Sony Vegas Pro 10 Keygen\Keygen.exe

D:\run\Music&Video\DFX.Audio.Enhancer.v9.012.Winamp.Incl.CORE-Keygen_yallarab.com\íáÇÚÜÜÜÜÑÈ áÜÜßÜÜá ÇáÜÜÚÜÜÜÑÈ.url

C:\Documents and Settings\NEW LAP\AppData\Local\Opera\Opera\icons\http%3A%2F%2Fcrackedsoftwarespot.blogspot.com%2Ffavicon.png

C:\Documents and Settings\NEW LAP\Downloads\Sony Vegas Pro 10 Keygen\Sony Vegas Pro 10 Keygen\Keygen.exe

D:\Programmes\DFX Audio Enhancer v9.211 Plus\CORE\keygen iDFX.exe

D:\Programmes\Sobolsoft.USB.Flash.Drive.Data.Recovery.Software.v7.1.Incl.Keygen-UNiQUE.rar

D:\Programmes\Sobolsoft.USB.Flash.Drive.Data.Recovery.Software.v7.1.Incl.Keygen-UNiQUE_2.rar

D:\Programmes\sony vegas\Sony Vegas Pro 10 Keygen.rar

D:\run\Music&Video\DFX.Audio.Enhancer.v9.012.Winamp.Incl.CORE-Keygen_yallarab.com\60154068qx7.JPG

D:\run\Music&Video\DFX.Audio.Enhancer.v9.012.Winamp.Incl.CORE-Keygen_yallarab.com\CR-DX7WP.reg

D:\run\Music&Video\DFX.Audio.Enhancer.v9.012.Winamp.Incl.CORE-Keygen_yallarab.com\CR-DX7WP.reg

You must also ensure that the following applications are removed:

Sony Vegas Pro 10
Sobolsoft.USB.Flash.Drive.Data.Recovery.Software.v7
DFX.Audio.Enhancer.v9.012.

Once all of the above are removed from your computer, we shall be able to proceed with the virus clean-up.

Regards

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 5, 2013 at 09:02 AM
OK
So iam almost done
but here is the thing
i didn't find DFX or the Sobolsoft.USB.Flash.Drive.Data.Recovery.Software.v7
i even searched programs for them i guess i may have already un installed them
+
why do i have to remove sony vegas i removed the keygen
is sony vegas it self is A virus ??? or is it because illegal software

i don't have a problem in removing it but iam just curios

waiting for your answer :)
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 5, 2013 at 09:09 AM
ok so iam almost done
but here is the thing
Sobolsoft.USB.Flash.Drive.Data.Recovery.Software.v7
DFX.Audio.Enhancer.v9.012.

i didn't find them on my programs i even searched for them but maybe i have uninstalled them before

+

about sony vegas , why delete the software it self i mean is sony vegas A virus ,
or is it because it is illegal ??

i don't mind deleting it but just curious
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 5, 2013 at 05:45 PM
1
Thank you
ZHP Diag has created an icon called ZHP Fix

1. Open ZHP Fix

2. Copy the following lines

[MD5.2960400094498DAE47B36173286D76A0] - (.Unknown owner - Updater.) -- C:\ProgramData\BetterSoft\ContinueToSave\ContinueToSave.exe [348160] [PID.2288] => Infection LOP
O4 - HKLM\..\Run: [AutoRunExterminator] C:\Users\NEW LAP\AppData\Local\Temp\Rar$EX00.740\AutoRunExterminator.exe (.not file.) => Infection Rogue (Trojan.FakeAlert)
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\eBay.lnk . (...) -- C:\Users\NEW LAP\AppData\Roaming\Desktopicon\eBayShortcuts.exe (.not file.) => (Adware.ADON)
[MD5.00000000000000000000000000000000] [APT] [Funmoods] (...) -- C:\Users\NEW LAP\AppData\Roaming\Funmoods\UPDATE~1\UPDATE~1.exe (.not file.) => Infection PUP (PUP.Funmoods)
[MD5.2960400094498DAE47B36173286D76A0] [APT] [schedule!1143840799] (...) -- C:\ProgramData\BetterSoft\ContinueToSave\ContinueToSave.exe => Infection LOP
[HKCU\Software\1ClickDownload] => Infection BT (Adware.1ClickDownloader)
[HKCU\Software\Funmoods] => Infection PUP (PUP.Funmoods)
[HKCU\Software\InstallCore] => Infection PUP (Adware.InstallCore)
[HKCU\Software\SweetIM] => Infection PUP (PUP.SweetIM)
[HKLM\Software\Wow6432Node\InstallCore] => Infection PUP (Adware.InstallCore)
[HKLM\Software\Wow6432Node\SweetIM] => Infection PUP (PUP.SweetIM)
O43 - CFD: 11/11/2012 - 10:49:04 PM - [1.693] ----D C:\Program Files (x86)\~BabylonToolbar => Infection BT (Toolbar.Babylon)
O43 - CFD: 03/02/2013 - 02:00:58 AM - [0] ----D C:\Users\NEW LAP\AppData\Roaming\Funmoods => Infection PUP (PUP.Funmoods)
O69 - SBI: prefs.js [NEW LAP - b56b1pvf.default] user_pref("extensions.5058e8ab45e2d.scode", "(function(){try{if('aol.com,mail.google.com,premiumreports.info,search.babylon.com,se[...] => Infection BT (Toolbar.Babylon)
O87 - FAEL: "{33EFA98A-E5C9-4B39-B979-B66E87FF119F}" |In - Private - P6 - TRUE | .(...) -- C:\Users\NEW LAP\AppData\Roaming\2YourFace\Updater.exe (.not file.) => Infection BT (Adware.Agent)
O87 - FAEL: "{15C8A3CB-3420-416F-86F9-F152855C6A3E}" |In - Private - P17 - TRUE | .(...) -- C:\Users\NEW LAP\AppData\Roaming\2YourFace\Updater.exe (.not file.) => Infection BT (Adware.Agent)
O87 - FAEL: "{F45EACB1-9B10-4A00-84F3-E2E2E8857828}" |In - Private - P6 - TRUE | .(...) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe (.not file.) => Infection PUP (PUP.SweetIM)
O87 - FAEL: "{D916D962-C91E-43A5-89CE-75BC3C28520B}" |In - Private - P17 - TRUE | .(...) -- C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe (.not file.) => Infection PUP (PUP.SweetIM)
[HKLM\Software\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}] => Infection PUP (Adware.Funmoods)
[HKLM\Software\Wow6432Node\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}] => Infection PUP (Adware.Funmoods)
[HKLM\Software\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}] => Infection BT (Adware.Downware)
[HKLM\Software\Wow6432Node\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}] => Infection BT (Adware.Downware)
[HKCU\Software\funmoods]

3. Using the clipboard button, paste the lines. You will see a "GO" button appear at the bottom.

4. Click on the go button and paste the report here,

5. Go in your control panel, add remove programmes. If you see any applications called "sweet IM, Continue to save, fun moods, Babylon, please remove them.

6. Rerun a full Malwarebyte scan. and post the report here.

7. Delete the ZHP Diag log, produce a new one and upload it on speedyshare.

The main memory eater is this application : ContinueToSave

Catch you tomorrow for a final clean-up and optimizing your system.

Regards

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 6, 2013 at 05:59 AM
1
Thank you
Thanks for the logs

You are running Windows 7 64 bit, did you have Vista on the computer before ?

You still have a memory issue which is bugging me. I must do a little research I will get back to you.

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 6, 2013 at 06:49 AM
no , it was always windows 7 never vista
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 6, 2013 at 04:09 PM
1
Thank you
Where did you buy your Windows 7 ?

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 7, 2013 at 05:19 AM
1
Thank you
Could you please uninstall the following programmes:

PC Antivirus
Search Assistant SimpleSpeedy 1.74

(they are useless and take space)

Also make a search for Kaspersky and delete all the items related to it.

Are you still loosing memory on your hard disk ?

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 7, 2013 at 11:53 AM
yes
yesterday my c drive was 2,25 and today it 1.92 !!!

+
ok i will delete the following software right now :)
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 7, 2013 at 04:32 PM
1
Thank you
Your hard disk's capacity is only 37 GB and you have lots of applications. The more stuff you download and save closer you will get to the critical point of no return. The difference between 2.25 and 1.92 is minimal if you used your computer.

You can now remove combofix, Malwarebyte and the rogue killer.

Delete all of your temporary files.

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 9, 2013 at 03:27 PM
ok
so that is completely normal right ??
but when should i get concerned
i mean when do i know the space going down isn't normal and it is the act of avirus ??

+
i also noticed that when i restart my comp space goes down more than when i restart it
so is that related ??
+ is there any antivirus that u recommend for me to use

and thank u sooo much for all your amazing help
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 9, 2013 at 03:42 PM
Oh , and one more question the " compress the drive " setting does it help reducing space falling down
Best answer
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 9, 2013 at 04:24 PM
1
Thank you
You may have a lot of programmes that automatically start when you start your computer. Many are not necessary. To find out what they are and prevent them from opening use this simple tool:

http://www.malwarebytes.org/products/startuplite/

Everyday you can run this cleaner to delete obsolete files and also clean your registry:

http://ccm.net/download/download-33-ccleaner

Last but not least, you will gain space by defragmenting your hard disk.

You will find the defragmenter in system tools.

Remember you are at the critical point.

You will know it's a virus when your machine starts acting weird and making faces at you !:-)

Good luck

Thank you, Ambucias 1

Something to say? Add comment

CCM has helped 1665 users this month

sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 10, 2013 at 01:58 AM
ok thank u soooo much
you are alife saver :)
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Jan 30, 2013 at 05:22 PM
0
Thank you
iam afraid i tried this software before but it didn't work
while scanning it stopped with a message "" module : 047 in overflow (999). please contact nicolas coolman "
don't really know what it means but it refused to resume

anyway thanks for trying to help :)
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Jan 30, 2013 at 05:32 PM
0
Thank you
Have you tried it from the link I gave you ? I don't think so !

Also, before you run it, try disabling your firewall.
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Jan 30, 2013 at 05:44 PM
Just click on "Téléchargez".
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Jan 30, 2013 at 06:33 PM
ok so idont know but i pressed this button called " hijack this" and all the sudden the scan resumed but it wasnt the same results as the one in the scan mode
so i really dont know what to do
anyway this the results that came from the hijack this
+ i also turned my firewall off but still refused to resume



========================================

Rapport de ZHPDiag v1.34.56 par Nicolas Coolman, Update du 27/01/2013
Run by NEW LAP at 31/01/2013 01:19:16 AM
Windows 7 Ultimate Edition, 64-bit Service Pack 1 (Build 7601)
State :
UAC : Deactivate by user

Boot mode: Normal (Normal boot)
Logged in as Administrator


---\\ Web Browser
MSIE: Internet Explorer v9.0.8112.16421
GCIE: Google Chrome v24.0.1312.56 (Defaut)
OPIE: Opera v11.61

---\\ Running Processes
[MD5.C13D08CF9D029507CD713AA730B7EE11].(.Tonec Inc..Internet Download Manager (IDM).) -- C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3249504] [PID.2436]
[MD5.4319CBF0F9A54B90810BBD305848C38D].(.Smadsoft.Smadav USB Antivirus & Additional Protectio.) -- C:\Program Files (x86)\Smadav\SM?RTP.exe [1552384] [PID.2444]
[MD5.901FD2C25D27AC8A2BF379ABB2BA21D1].(.ArcSoft Inc..ArcSoft Connect Daemon.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207360] [PID.2308]
[MD5.6E0BC8E65DCCEB1B2C709AA9A0B29042].(.Vodafone.MobileConnect.) -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe [2499584] [PID.3024]
[MD5.207B16FA69F61D1895F8D8532F587E4B].(.Tonec Inc..Internet Download Manager agent for click m.) -- C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe [263600] [PID.3292]
[MD5.1655CD48DBEFE1A872323590F2E5A157].(.Gretech Corp..GOM Player.) -- C:\Program Files (x86)\GRETECH\GomPlayer\GOM.exe [3886800] [PID.2888]
[MD5.B6A214BACD0C5BE45C4D093032DD884B].(...) -- C:\Program Files (x86)\WinRAR\WinRAR.exe [1037312] [PID.1788]
[MD5.ECE9413226D1C6778A9EE4DFC199C1D4].(.Google.Google Drive.) -- C:\Program Files (x86)\Google\Drive\googledrivesync.exe [16328976] [PID.5308]
[MD5.083649EF692A066880C9326020915AFE].(.AVAST Software.avast! Antivirus.) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe [4297136] [PID.5304]
[MD5.5035FDE5252EE59AFB56491DA6C15871].(.Mozilla Corporation.Nightly.) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe [918768] [PID.6764]
[MD5.6C64C51ADAF3B84AD5AFBE48157C4192].(.Mozilla Corporation.Plugin Container for Nightly.) -- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe [10992] [PID.4888]
[MD5.CC7001E619906A0FF78C162A0A39D5B7].(.Opera Software.Opera Internet Browser.) -- C:\Program Files (x86)\Opera\opera.exe [949104] [PID.7160]
[MD5.1655CD48DBEFE1A872323590F2E5A157].(.Gretech Corp..GOM Player.) -- C:\Program Files (x86)\GRETECH\GomPlayer\GOM.exe [3886800] [PID.2888]
[MD5.D69070BD054A95514BA1CC04C299AD3D].(.Nicolas Coolman.ZHPDiag.) -- C:\Program Files (x86)\ZHPDiag\ZHPDiag.exe [5620736] [PID.6152]
~ Scan Processes Running in 00mn AMs



---\\ Opera, Plugins,Start,Search (P1,B0,B1)
B0 - SPO: operaprefs.ini [NEW LAP] Home URL=http://home.girlgamesforfree.net/
B1 - OSP: search.ini [NEW LAP] URL=http://home.girlgamesforfree.net/results.php?category=web&s=%s
P1 - OPN:Opera Plugin Navigator . (.Microsoft Corporation - Office Plugin for Netscape Navigator.) -- C:\Program Files (x86)\Opera\Program\Plugins\NPOFF12.DLL
P1 - OPN:Opera Plugin Navigator . (.Microsoft Corporation - Office Plugin for Netscape Navigator.) -- C:\Program Files (x86)\Opera\Program\Plugins\NPOFF12.DLL
~ Scan Opera Browser in 00mn AMs



---\\ Google Chrome, Start,Search,Extensions (G0,G1,G2)
C:\Users\NEW LAP\AppData\Local\Google\Chrome\User Data\Default\Preferences
~ Scan Google Browser in 00mn AMs



---\\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3)
C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\prefs.js
C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\user.js
M3 - MFPP: Plugins - [NEW LAP] -- C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\searchplugins\askcom.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\searchplugins\avg-secure-search.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\searchplugins\babylon1.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\searchplugins\girlgamesforfree-search.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\searchplugins\sweetim.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Users\NEW LAP\AppData\Roaming\Mozilla\Firefox\Profiles\b56b1pvf.default\searchplugins\WebSearch.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\amazondotcom.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\babylon.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\bing.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\eBay.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\google.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\twitter.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\wikipedia.xml
M3 - MFPP: Plugins - [NEW LAP] -- C:\Program Files (x86)\Mozilla FireFox\searchplugins\yahoo.xml
M0 - MFSP: prefs.js [NEW LAP - b56b1pvf.default] http://search.avira.com
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\50599ca0c06f1@50599ca0c072b.com] [] Download and Sa v7.1 (.Dnsave.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\5102d207129f1@5102d20712a2a.com] [] continuetosave v3.9 (.continue to save.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\5103bf7fd4c67@5103bf7fd4ca0.com] [] continuetosave v3.9 (.continue to save.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\ffxtlbr@babylon.com] [] Babylon Toolbar v1.5.0 (.Babylon.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\jid1-gAPCqvBJZlKLRZ@jetpack] [] Instant Downloader v1.2.0 (.Web Technologies.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\paffxtbr@FilmFanatic.com] [] FilmFanatic v2.50.0.64922 (.Mindspark.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\toolbar@ask.com] [] Avira SearchFree Toolbar plus Web Protection v2.50.0.64922 (.Ask.com.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\{4858BA5F-D5EA-4A93-886A-12999903DC22}] [] GirlGamesForFree Toolbar v1.0.1 (.MyPlayCity, Inc..)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}] [dwhelper] DownloadHelper v4.9.13 (.Michel Gutierrez.)
M2 - MFEP: prefs.js [NEW LAP - b56b1pvf.default\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}] [] Flash and Video Download v1.26 (.Vicente Amor.)
P2 - FPN:Firefox Plugin Navigator . (.Microsoft Corporation - Office Plugin for Netscape Navigator.) -- C:\Program Files (x86)\Mozilla Firefox\Plugins\NPOFF12.DLL
P2 - FPN:Firefox Plugin Navigator . (.Adobe Systems Inc. - Adobe PDF Plug-In For Firefox and Netscape.) -- C:\Program Files (x86)\Mozilla Firefox\Plugins\nppdf32.dll
P2 - FPN:Firefox Plugin Navigator . (.RealNetworks, Inc. - RealPlayer(tm) LiveConnect-Enabled Plug-In.) -- C:\Program Files (x86)\Mozilla Firefox\Plugins\nppl3260.dll
P2 - FPN:Firefox Plugin Navigator . (.RealNetworks, Inc. - 6.0.12.448.) -- C:\Program Files (x86)\Mozilla Firefox\Plugins\nprpjplug.dll
P2 - FPN:Firefox Plugin Navigator . (.Nullsoft, Inc. - Winamp Application Detector.) -- C:\Program Files (x86)\Mozilla Firefox\Plugins\npwachk.dll
P2 - FPN: [HKLM] [@Microsoft.com/NpCtrl,version=1.0] - (. Microsoft Corporation - 5.1.10411.0.) -- C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
~ Scan Firefox Browser in 00mn AMs



---\\ Internet Explorer Extensions, Start, Search (R4,R3,R0,R1)
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.avira.com
R0 - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com
R0 - HKCU\SOFTWARE\Classes\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.girlgamesforfree.net
R0 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://websearch.simplespeedy.info
R1 - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:noadd-ons
R1 - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:securityrisk
R1 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main,Extensions Off Page = about:noadd-ons
R1 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main,Security Risk Page = about:securityrisk
R1 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs,Tabs = c:\program files (x86)\girlgamesforfree toolbar\fasttabs.html
R3 - URLSearchHook: (no name) [64Bits] - {00000000-6E41-4FD3-8538-502F5495E5FC} . (.Ask - Avira SearchFree Toolbar.) (5.15.13.33021) -- C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: (no name) [64Bits] - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} . (.Microsoft Corporation - Internet Browser.) (9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)) -- C:\Windows\SysWOW64\ieframe.dll
R4 - HKLM\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter,EnabledV8 = 1
R4 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\PhishingFilter,EnabledV8 = 1
~ Scan IE Browser in 00mn AMs



---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Scan Proxy management in 00mn AMs



---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\Windows\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\Windows\explorer.exe
F2 - REG:system.ini: VMApplet=C:\Windows\System32\SystemPropertiesPerformance.exe
~ Scan Keys in 00mn AMs



---\\ Browser Helper Objects (O2)
O2 - BHO: IDM Helper [64Bits] - {0055C089-8582-441B-A0BF-17B458C2A3A8} . (.Tonec Inc. - IDM BHO Module.) -- C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: C:\Users\NEW LAP\AppData\Roaming\2YourFace\bho.dll [64Bits] - {1185823F-F22F-4027-80E5-4F68ACD5DE5E} . (...) -- C:\Users\NEW LAP\AppData\Roaming\2YourFace\bho.dll
O2 - BHO: AcroIEHelperStub [64Bits] - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} . (.Adobe Systems Incorporated - Adobe PDF Helper for Internet Explorer.) -- C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper [64Bits] - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} . (.Microsoft Corporation - GrooveShellExtensions Module.) -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: avast! WebRep [64Bits] - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} . (.AVAST Software - avast! WebRep Plugin.) -- C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper [64Bits] - {9030D464-4C02-4ABF-8ECC-5164760863C6} . (.Microsoft Corp. - Microsoft® Windows Live ID Login Helper.) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: continuetosave [64Bits] - {91995B91-F882-09B5-C92E-CA24A9A108EA} . (...) -- C:\ProgramData\continuetosave\5103bf7fd4df6.dll
O2 - BHO: continuetosave [64Bits] - {AA4A53E2-F20C-761A-2F19-C1FEBA21E5AD} . (...) -- C:\ProgramData\continuetosave\5102d20712b85.dll
O2 - BHO: PC Antivirus Web Protection BHO [64Bits] - {C11CBDA9-6702-469E-9CE1-64E3971A6B44} . (.PC Antivirus Web Protection BHO - PC Antivirus Web Protection BHO.) -- C:\Program Files (x86)\PC Antivirus\pf.dll
O2 - BHO: Ask Toolbar BHO [64Bits] - {D4027C7F-154A-4066-A1AD-4243D8127440} . (.Ask - Avira SearchFree Toolbar.) -- C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
~ Scan BHO in 00mn AMs



---\\ Internet Explorer toolbars (O3)
O3 - Toolbar: (no name) [64Bits] - [HKLM]{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}
~ Scan Toolbar in 00mn AMs



---\\ Auto loading programs from Registry and folders (O4)
O4 - HKLM\..\Run: [IgfxTray] . (.Intel Corporation - igfxTray Module.) -- C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] . (.Intel Corporation - hkcmd Module.) -- C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] . (.Intel Corporation - persistence Module.) -- C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AutoRunExterminator] C:\Users\NEW LAP\AppData\Local\Temp\Rar$EX00.740\AutoRunExterminator.exe (.not file.)
O4 - HKCU\..\Run: [Messenger (Yahoo!)] . (.Yahoo! Inc. - Yahoo! Messenger.) -- C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\Windows\system32\SCVHSOT.exe (.not file.)
O4 - HKCU\..\Run: [DLD.EXE] C:\Program Files (x86)\Download Direct\DLD.exe (.not file.)
O4 - HKCU\..\Run: [Optimizer Pro] . (.PC Utilities Pro - Fix, clean, optimize your PC!.) -- C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
O4 - HKCU\..\Run: [IDMan] . (.Tonec Inc. - Internet Download Manager (IDM).) -- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
O4 - HKCU\..\Run: [Hostprozess f=r Windows-Tasks] C:\Users\NEW LAP\AppData\Roaming\Driver.exe (.not file.)
O4 - HKCU\..\Run: [SM?RT-Protection] . (.Smadsoft - Smadav USB Antivirus & Additional Protectio.) -- C:\Program Files (x86)\Smadav\SM?RTP.exe
O4 - HKCU\..\Run: [Internal Configuration Serving State] C:\Users\NEW LAP\AppData\Roaming\sloka.exe (.not file.)
O4 - HKLM\..\Wow6432Node\Run: [ArcSoft Connection Service] . (.ArcSoft Inc. - ArcSoft Connect Daemon.) -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Wow6432Node\Run: [Adobe Reader Speed Launcher] . (.Adobe Systems Incorporated - Adobe Acrobat SpeedLauncher.) -- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe
O4 - HKLM\..\Wow6432Node\Run: [Adobe ARM] . (.Adobe Systems Incorporated - Adobe Reader and Acrobat Manager.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
O4 - HKLM\..\Wow6432Node\Run: [GrooveMonitor] . (.Microsoft Corporation - GrooveMonitor Utility.) -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Wow6432Node\Run: [PC Antivirus] C:\Program Files (x86)\PC Antivirus\PCAntivirus.exe (.not file.)
O4 - HKLM\..\Wow6432Node\Run: [MobileConnect] . (.Vodafone - MobileConnect.) -- C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
O4 - HKLM\..\Wow6432Node\Run: [Sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe (.not file.)
O4 - HKLM\..\Wow6432Node\Run: [AutorunRemover.exe] . (...) -- C:\Program Files (x86)\AutorunRemover\AutorunRemover.exe
O4 - HKLM\..\Wow6432Node\Run: [ApnUpdater] . (.Ask - Ask Updater.) -- C:\Program Files (x86)\Ask.com\Updater\Updater.exe
O4 - HKLM\..\Wow6432Node\Run: [avast] . (.AVAST Software - avast! Antivirus.) -- C:\Program Files\AVAST Software\Avast\avastUI.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [Messenger (Yahoo!)] . (.Yahoo! Inc. - Yahoo! Messenger.) -- C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [Yahoo Messengger] C:\Windows\system32\SCVHSOT.exe (.not file.)
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [DLD.EXE] C:\Program Files (x86)\Download Direct\DLD.exe (.not file.)
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [Optimizer Pro] . (.PC Utilities Pro - Fix, clean, optimize your PC!.) -- C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [IDMan] . (.Tonec Inc. - Internet Download Manager (IDM).) -- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [Hostprozess f=r Windows-Tasks] C:\Users\NEW LAP\AppData\Roaming\Driver.exe (.not file.)
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [SM?RT-Protection] . (.Smadsoft - Smadav USB Antivirus & Additional Protectio.) -- C:\Program Files (x86)\Smadav\SM?RTP.exe
O4 - HKUS\S-1-5-21-1437678433-53100757-4044471284-1000\..\Run: [Internal Configuration Serving State] C:\Users\NEW LAP\AppData\Roaming\sloka.exe (.not file.)
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe
~ Scan Application in 00mn AMs



---\\ Other User Links (O4)
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk . (.Microsoft Corporation.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk . (.Microsoft Corporation.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MSN Webcam Recorder.lnk . (...) -- C:\Program Files (x86)\MSN Webcam Recorder\ml20gui.exe
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\eBay.lnk . (...) -- C:\Users\NEW LAP\AppData\Roaming\Desktopicon\eBayShortcuts.exe (.not file.)
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\GOM Player.lnk . (.Gretech Corp..) -- C:\Program Files (x86)\GRETECH\GomPlayer\GOM.EXE
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk . (.Google Inc..) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk . (.Microsoft Corporation.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Winamp.lnk . (.Nullsoft, Inc..) -- C:\Program Files (x86)\Winamp\winamp.exe
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk . (.Yahoo! Inc..) -- C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
O4 - Global Startup: C:\Users\NEW LAP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk . (...) -- C:\Program Files (x86)\uTorrent\uTorrent.exe (.not file.)
~ Scan Global Startup in 00mn AMs



---\\ IE Options icon not visible in Control Panel (O5)
O5 - control.ini: [HKLM\..\Control Panel] inetcpl.cpl=no
~ Scan IE Control Panel in 00mn AMs



---\\ Winsock hijacker (Layered Service Provider) (O10)
O10 - WLSP:\000000000001\Winsock LSP File . (.Microsoft Corporation - Network Location Awareness 2.) -- C:\Windows\system32\NLAapi.dll
O10 - WLSP:\000000000002\Winsock LSP File . (.Microsoft Corporation - E-mail Naming Shim Provider.) -- C:\Windows\system32\napinsp.dll
O10 - WLSP:\000000000003\Winsock LSP File . (.Microsoft Corporation - PNRP Name Space Provider.) -- C:\Windows\system32\pnrpnsp.dll
O10 - WLSP:\000000000004\Winsock LSP File . (.Microsoft Corporation - PNRP Name Space Provider.) -- C:\Windows\system32\pnrpnsp.dll
O10 - WLSP:\000000000005\Winsock LSP File . (.Microsoft Corporation - Microsoft Windows Sockets 2.0 Service Provider.) -- C:\Windows\system32\mswsock.dll
O10 - WLSP:\000000000006\Winsock LSP File . (.Microsoft Corporation - LDAP RnR Provider DLL.) -- C:\Windows\system32\winrnr.dll
O10 - WLSP:\000000000007\Winsock LSP File . (.Microsoft Corporation - Windows Sockets Helper DLL.) -- C:\Windows\system32\wshbth.dll
O10 - WLSP:\000000000008\Winsock LSP File . (.Microsoft Corp. - Microsoft® Windows Live ID Namespace Provider.) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.dll
O10 - WLSP:\000000000009\Winsock LSP File . (.Microsoft Corp. - Microsoft® Windows Live ID Namespace Provider.) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.dll
O10 - WLSP:\000000000010\Winsock LSP File . (.Apple Inc. - Bonjour Namespace Provider.) -- C:\Program Files (x86)\Bonjour\mdnsNSP.dll
~ Scan Winsock in 00mn AMs



---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{45C4EBF4-067B-4E2F-8D4D-ED2A1E2EE39B}: DhcpNameServer = 163.121.128.134 212.103.160.18
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D9FA27-7518-40A4-8DDB-AE227EA35F3C}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{45C4EBF4-067B-4E2F-8D4D-ED2A1E2EE39B}: DhcpNameServer = 163.121.128.134 212.103.160.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{B2D9FA27-7518-40A4-8DDB-AE227EA35F3C}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{45C4EBF4-067B-4E2F-8D4D-ED2A1E2EE39B}: DhcpNameServer = 163.121.128.134 212.103.160.18
O17 - HKLM\System\CS2\Services\Tcpip\..\{B2D9FA27-7518-40A4-8DDB-AE227EA35F3C}: DhcpNameServer = 192.168.1.1
~ Scan Domain in 00mn AMs



---\\ Extra protocols (O18)
O18 - Handler: about [64Bits] - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Handler: cdl [64Bits] - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} . (.Microsoft Corporation - OLE32 Extensions for Win32.) -- C:\Windows\system32\urlmon.dll
O18 - Handler: dvd [64Bits] - {12D51199-0DB5-46FE-A120-47A3D7D937CC} . (.Microsoft Corporation - ActiveX control for streaming video.) -- C:\Windows\System32\msvidctl.dll
O18 - Handler: file [64Bits] - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} . (.Microsoft Corporation - OLE32 Extensions for Win32.) -- C:\Windows\system32\urlmon.dll
O18 - Handler: ftp [64Bits] - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} . (.Microsoft Corporation - OLE32 Extensions for Win32.) -- C:\Windows\system32\urlmon.dll
O18 - Handler: grooveLocalGWS [64Bits] - {88FED34C-F0CA-4636-A375-3CB6248B04CD} . (.Microsoft Corporation - GrooveSystemServices Module.) -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Handler: http [64Bits] - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} . (.Microsoft Corporation - OLE32 Extensions for Win32.) -- C:\Windows\system32\urlmon.dll
O18 - Handler: https [64Bits] - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} . (.Microsoft Corporation - OLE32 Extensions for Win32.) -- C:\Windows\system32\urlmon.dll
O18 - Handler: its [64Bits] - {9D148291-B9C8-11D0-A4CC-0000F80149F6} . (.Microsoft Corporation - Microsoft® InfoTech Storage System Library.) -- C:\Windows\System32\itss.dll
O18 - Handler: javascript [64Bits] - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Handler: livecall [64Bits] - {828030A1-22C1-4009-854F-8E305202313F} . (.Microsoft Corporation - Windows Live Messenger Protocol Handler Mod.) -- C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll
O18 - Handler: local [64Bits] - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} . (.Microsoft Corporation - OLE32 Extensions for Win32.) -- C:\Windows\system32\urlmon.dll
O18 - Handler: mailto [64Bits] - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Handler: mhtml [64Bits] - {05300401-BCBC-11d0-85E3-00C04FD85AB4} . (.Microsoft Corporation - Microsoft Internet Messaging API Resources.) -- C:\Windows\system32\inetcomm.dll
O18 - Handler: mk [64Bits] - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} . (.Microsoft Corporation - OLE32 Extensions for Win32.) -- C:\Windows\system32\urlmon.dll
O18 - Handler: ms-help [64Bits] - {314111c7-a502-11d2-bbca-00c04f8ec294} . (.Microsoft Corporation - Microsoft® Help Data Services Module.) -- C:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Handler: ms-its [64Bits] - {9D148291-B9C8-11D0-A4CC-0000F80149F6} . (.Microsoft Corporation - Microsoft® InfoTech Storage System Library.) -- C:\Windows\System32\itss.dll
O18 - Handler: msnim [64Bits] - {828030A1-22C1-4009-854F-8E305202313F} . (.Microsoft Corporation - Windows Live Messenger Protocol Handler Mod.) -- C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll
O18 - Handler: res [64Bits] - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Handler: skype4com [64Bits] - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} . (.Skype Technologies - Skype for COM API.) -- C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
O18 - Handler: tv [64Bits] - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} . (.Microsoft Corporation - ActiveX control for streaming video.) -- C:\Windows\System32\msvidctl.dll
O18 - Handler: vbscript [64Bits] - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Filter: application/octet-stream [64Bits] - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} . (.Microsoft Corporation - Microsoft .NET Runtime Execution Engine.) -- C:\Windows\System32\mscoree.dll
O18 - Filter: application/x-complus [64Bits] - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} . (.Microsoft Corporation - Microsoft .NET Runtime Execution Engine.) -- C:\Windows\System32\mscoree.dll
O18 - Filter: application/x-msdownload [64Bits] - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} . (.Microsoft Corporation - Microsoft .NET Runtime Execution Engine.) -- C:\Windows\System32\mscoree.dll
O18 - Filter: text/xml [64Bits] - {807563E5-5146-11D5-A672-00B0D022E945} . (.Microsoft Corporation - Microsoft Office XML MIME Filter.) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.dll
~ Scan Protocole Additionnel in 00mn AMs



---\\ AppInit_DLLs Registry value Autorun (O20)
O20 - Winlogon Notify: igfxcui . (.Intel Corporation - igfxdev Module.) -- C:\Windows\System32\igfxdev.dll
~ Scan Winlogon in 00mn AMs



---\\ ShellServiceObjectDelayLoad (O21)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
~ Scan SSODL in 00mn AMs



---\\ non Microsoft non disabled Windows XP/NT/2000 Services (O23)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) . (.ArcSoft Inc. - ArcSoft Connect Service.) - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: avast! Antivirus (avast! Antivirus) . (.AVAST Software - avast! Service.) - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: ???? Google Update (gupdate) (gupdate) . (.Google Inc. - Google Installer.) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Skype Updater (SkypeUpdate) . (.Skype Technologies - Skype Updater Service.) - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) . (.Vodafone - VMCService.) - C:\Program Files (x86)\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: (WMPNetworkSvc) . (...) - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (.not file.)
~ Scan Services in 00mn AMs



---\\ Windows Active Desktop Components & MHTML Editor (O24)
O24 - Default MHTML Editor: Last - .(...) - (.not file.)
~ Scan Desktop Component in 00mn AMs



End of the scan (291 lines in 03mn AMs)(0)
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Jan 31, 2013 at 04:28 PM
0
Thank you
What next. Did you get it downloaded ? What version is it ?
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Jan 31, 2013 at 05:20 PM
yes i downloaded it
v.1.34.56
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Jan 31, 2013 at 05:23 PM
0
Thank you
Did you install it and launched, clicked on the magnifying glass it after disabling your firewall ?

Is the software in French ? You can change the language to English if you wish with the configuration tool.
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Jan 31, 2013 at 05:55 PM
0
Thank you
yes i did all of that closed my firewall started the scan but still it refused to resume :(
it is in English
the message was " module: 047 in overflow (999) please contact nicolas coolman"
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 2, 2013 at 04:14 PM
0
Thank you
You mean that you got the overflow error again ?
sarah rock & roll 22 Posts Wednesday January 30, 2013Registration date February 10, 2013 Last seen - Feb 2, 2013 at 05:37 PM
yes :(
Ambucias 53303 Posts Monday February 1, 2010Registration dateModeratorStatus July 21, 2018 Last seen - Feb 5, 2013 at 06:15 AM
0
Thank you
Please wait for my analysis and instructions
1 2 Next

my c drive free space keeps going down - page 2