
Possible Parasitic Malware?

Discussion in 'Virus & Other Malware Removal' started by UpHill, May 18, 2015.

Thread Status:
Not open for further replies.
  1. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    Hello, I think I might have a really tricky malware infection. I noticed a while back that I was having a lot more processor activity on my computer than I do when everything is healthy, so I set up my task manager and watched things while I read. After the computer had been inactive for a while I looked up and noticed that the Blender 3D game engine player was running as a background process. As far as I know this is not supposed to happen. I uninstalled Blender and Nvidia's Shadow Player in case that was also being abused, but I'm still getting a lot of background activity and general weirdness.

    I was using ESET's Internet Security package at the time, and since my subscription was about to expire I installed Kaspersky, but that didn't find a thing, so I installed Norton. That didn't seem to find anything at first, but when I updated it the program immediately flagged and deleted the OctaneRender, IndigoRender, and PureBasic installer programs (it didn't seem to have any problem with the installed programs). There were a few other installers that were also flagged.

    I'm still having a lot of activity. conhost.exe and Windows Interrupt processes are usually the most active things. I might have seen a run32dll.exe process at one time but my memory is bad so I can't say for sure. At any rate, there doesn't seem to be any sign of it now.

    Here is my SysInfo readout....

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Home Premium, 64 bit
    Processor: AMD Athlon(tm) II X2 245 Processor, AMD64 Family 16 Model 6 Stepping 3
    Processor Count: 2
    RAM: 4094 Mb
    Graphics Card: NVIDIA GeForce GTX 750 Ti, -2048 Mb
    Hard Drives: C: Total - 462756 MB, Free - 356377 MB;
    Motherboard: Dell Inc., 04GJJT
    Antivirus: Norton Internet Security, Updated and Enabled

    Thanks
     
  2. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    Hi UpHill,
    Starting out with ESET and ending up with Norton may not have been the best of decisions.
    ESET is the best paid Antivirus you can get. Everything else is a step down.
    You may be expecting too much from an antivirus. They do not detect all adware (and are not supposed to).

    Anyway, here we go.
    -----------------------------------------------------------
    Download and Run the Farbar Scan Tool
    • Download FRST64 and save to your Desktop.
    • Double click Frst64.exe to launch it.
    • FRST64 will start to run.
      • When the tool opens click Yes to disclaimer.
      • Press the Scan button.
      • When finished scanning, 2 logs will open on your Desktop, FRST.txt and Addition.txt
      • Please post them in your next reply.
    If you lose track of them, they will be saved in the same location as FRST64.exe
    Feel free to use separate replies if it's more convenient.

    askey127
     
  3. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    Hi Askey, thanks for your reply.

    I agree, ESET is good software and I may end up going back to them.

    I don't have time to follow your instructions tonight but I'll get straight to it Saturday night.

    P.S. Just as an FYI I've had another problem that's been plaguing me for years that may or may not be related. I have a desktop.ini file that keeps trying to save itself to any writeable CD I run in my CD player. If you want I can post the contents of it when I come back Saturday.
     
  4. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    I'm having a bit of trouble as Norton is identifying your program as Malware and is deleting it. I'm going to try something and get back to you.
     
  5. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    Ok, that didn't work. Norton is still identifying FRST64 as a virus and is deleting it on download. Do you have any suggestions?
     
  6. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    Norton is sometimes brain dead about other antimalware tools.
    Try this:
    DISABLE NORTON ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for the Norton icon.
    • right-click it -> choose "Disable Auto-Protect."
    • select a duration of an hour or so (this assures no interference with the download)
    • click "Ok."
    • a popup will warn that protection will now be disabled.
    Norton Antivirus Guard is now disabled.

    Then you should be able to download and run FRST64.
    It usually doesn't have a problem with it except the download process itself.
    Let me know if it doesn't work.
     
    Last edited: May 24, 2015
  7. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    I'm not sure that I feel comfortable turning off the antivirus. Could I maybe use something else? Norton seems to be happy with HijackThis. Or maybe something else.
     
  8. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    We do this all the time. Norton is the only antivirus that objects to FRST64.exe.

    All others are smart enough to recognize the Farbar Recovery Scan Tool correctly.
    Right after you do the scan with FRST64, and you post the logs, you can turn Norton back on.
    That makes this a very low-risk operation.
    HijackThis doesn't work properly with 64-bit machines.
    I've been doing this for a long time. You can trust what I ask you to do, but it's your call.

    Are you able to download OTL.exe from here: http://oldtimer.geekstogo.com/OTL.exe and save it ?
     
  9. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    Yes, I was able to download OldTimer. Yay! I did try to create an exception in Norton for FRST64 but it seems to create a catch-22: apparently you have to already have the file on the disk in order to create an exception? Bah-humbug.

    Anyway, here is the readout from OldTimer.
    ------------------------------------------------------------

    OTL logfile created on: 5/25/2015 11:15:39 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Misce\OldT
    64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    4.00 Gb Total Physical Memory | 2.41 Gb Available Physical Memory | 60.24% Memory free
    8.00 Gb Paging File | 6.12 Gb Available in Paging File | 76.49% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 451.91 Gb Total Space | 348.25 Gb Free Space | 77.06% Space Free | Partition Type: NTFS

    Computer Name: WENDY-PC | User Name: Wendy | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2015/05/25 23:14:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Misce\OldT\OTL.exe
    PRC - [2015/04/27 20:07:36 | 000,812,872 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    PRC - [2015/04/01 23:41:24 | 003,509,000 | ---- | M] (Datpol) -- C:\Program Files (x86)\SpyShelter Premium\SpyShelter.exe
    PRC - [2015/04/01 23:41:06 | 000,044,032 | ---- | M] (Datpol) -- C:\Program Files (x86)\SpyShelter Premium\SpyShelterSrv.exe
    PRC - [2015/03/07 00:42:49 | 000,276,336 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\nis.exe
    PRC - [2015/03/05 02:43:28 | 000,042,808 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\conathst.exe
    PRC - [2013/12/17 16:07:16 | 000,411,936 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    PRC - [2013/12/09 20:22:32 | 002,279,712 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
    PRC - [2013/12/09 20:21:14 | 001,494,304 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
    PRC - [2009/08/27 17:09:10 | 001,253,376 | ---- | M] (MAGIX AG) -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
    PRC - [2009/08/21 15:44:52 | 002,281,488 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\UI.exe
    PRC - [2009/07/13 19:14:15 | 000,301,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\cmd.exe
    PRC - [2009/05/14 17:07:14 | 000,759,048 | ---- | M] (ABBYY) -- C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2015/04/27 20:07:35 | 014,980,424 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\PepperFlash\pepflashplayer.dll
    MOD - [2015/04/27 20:07:34 | 001,252,680 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\libglesv2.dll
    MOD - [2015/04/27 20:07:33 | 000,080,712 | ---- | M] () -- C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\libegl.dll
    MOD - [2009/08/21 15:44:52 | 002,281,488 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\UI.exe
    MOD - [2009/04/06 15:27:32 | 000,032,768 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\dllMultiLanguage.dll
    MOD - [2009/04/06 15:27:26 | 000,098,304 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\dllPublicFunc.dll
    MOD - [2009/01/05 20:12:12 | 000,159,744 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\dllCommonCtrl.dll
    MOD - [2007/12/06 10:24:26 | 001,167,360 | ---- | M] () -- C:\Program Files (x86)\Medialink\MWN-USB150N\acAuth.dll


    ========== Services (SafeList) ==========

    SRV:64bit: - [2015/05/11 21:22:26 | 000,127,752 | ---- | M] (SurfRight B.V.) [Auto | Running] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
    SRV:64bit: - [2015/02/28 01:45:54 | 002,967,552 | ---- | M] (Side Effects Software Inc.) [Auto | Running] -- C:\Windows\SysNative\sesinetd.exe -- (HoudiniLicenseServer)
    SRV:64bit: - [2015/02/28 01:37:32 | 002,936,832 | ---- | M] (Side Effects Software Inc.) [Auto | Running] -- C:\Windows\SysNative\hserver.exe -- (HoudiniServer)
    SRV:64bit: - [2013/12/09 20:20:28 | 015,129,376 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe -- (NvStreamSvc)
    SRV:64bit: - [2011/05/05 14:36:05 | 000,022,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe -- (DAZContentManagementService)
    SRV:64bit: - [2011/04/20 02:04:20 | 000,203,776 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2010/09/22 18:10:10 | 000,057,184 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
    SRV:64bit: - [2009/07/13 19:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2015/04/14 09:36:30 | 001,080,120 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2015/04/01 23:41:06 | 000,044,032 | ---- | M] (Datpol) [Auto | Running] -- C:\Program Files (x86)\SpyShelter Premium\SpyShelterSrv.exe -- (SpyShelterSrv)
    SRV - [2015/03/07 00:42:49 | 000,276,336 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\NIS.exe -- (NIS)
    SRV - [2013/12/17 16:07:16 | 000,411,936 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe -- (Stereo Service)
    SRV - [2013/12/09 20:21:14 | 001,494,304 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe -- (NvNetworkService)
    SRV - [2011/01/28 15:27:48 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
    SRV - [2010/03/18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2009/08/27 17:09:10 | 001,253,376 | ---- | M] (MAGIX AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs)
    SRV - [2009/08/24 22:16:12 | 000,544,768 | ---- | M] (mst software GmbH, Germany) [On_Demand | Stopped] -- C:\Program Files (x86)\Ashampoo\Ashampoo WinOptimizer 9\DfSdkS64.exe -- (DfSdkS)
    SRV - [2009/06/10 15:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2009/05/14 17:07:14 | 000,759,048 | ---- | M] (ABBYY) [Auto | Running] -- C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe -- (ABBYY.Licensing.FineReader.Sprint.9.0)
    SRV - [2009/04/28 21:21:52 | 000,436,736 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\ACFXAU64.dll -- (AcfXAudioService)
    SRV - [2008/08/07 11:10:02 | 003,276,800 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys -- (NvStreamKms)
    DRV:64bit: - [2015/04/30 10:36:18 | 000,177,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
    DRV:64bit: - [2015/04/14 09:37:56 | 000,063,704 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
    DRV:64bit: - [2015/04/14 09:37:42 | 000,025,816 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
    DRV:64bit: - [2014/08/25 20:26:58 | 000,593,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symnets.sys -- (SymNetS)
    DRV:64bit: - [2014/08/25 20:26:57 | 001,148,120 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symefa64.sys -- (SymEFA)
    DRV:64bit: - [2014/08/25 20:20:22 | 000,876,248 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtsp64.sys -- (SRTSP)
    DRV:64bit: - [2014/08/25 20:20:22 | 000,037,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtspx64.sys -- (SRTSPX)
    DRV:64bit: - [2014/08/06 13:48:16 | 000,266,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\ironx64.sys -- (SymIRON)
    DRV:64bit: - [2014/02/20 17:14:34 | 000,162,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\ccsetx64.sys -- (ccSet_NIS)
    DRV:64bit: - [2013/12/05 02:42:30 | 000,039,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvvad64v.sys -- (nvvad_WaveExtensible)
    DRV:64bit: - [2013/10/09 16:30:02 | 000,197,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvhda64v.sys -- (NVHDA)
    DRV:64bit: - [2013/08/06 23:08:03 | 000,078,936 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\SymIMV.sys -- (SymIM)
    DRV:64bit: - [2013/07/31 21:19:50 | 000,493,656 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symds64.sys -- (SymDS)
    DRV:64bit: - [2013/03/31 18:32:04 | 000,082,600 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_sata.sys -- (amd_sata)
    DRV:64bit: - [2013/03/31 18:32:04 | 000,042,664 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amd_xata.sys -- (amd_xata)
    DRV:64bit: - [2012/03/01 00:54:38 | 000,022,896 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
    DRV:64bit: - [2011/04/20 02:44:50 | 009,319,936 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2011/04/20 01:22:34 | 000,306,176 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2011/03/11 00:22:41 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 00:22:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/03/19 03:00:00 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
    DRV:64bit: - [2009/10/01 00:34:30 | 000,121,872 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV:64bit: - [2009/09/01 23:26:18 | 000,123,008 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ACFVA64.sys -- (acfva)
    DRV:64bit: - [2009/08/06 06:43:58 | 000,320,040 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\k57nd60a.sys -- (k57nd60a)
    DRV:64bit: - [2009/07/13 19:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 19:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 19:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2009/07/13 19:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/07/13 18:10:49 | 000,024,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\MODEMCSA.sys -- (MODEMCSA)
    DRV:64bit: - [2009/07/13 18:06:32 | 000,032,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbser.sys -- (usbser)
    DRV:64bit: - [2009/06/10 14:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 14:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 14:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 14:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2009/05/05 12:00:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie)
    DRV:64bit: - [2009/04/28 21:21:44 | 000,034,944 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ACFDCP64.sys -- (dgcfltr)
    DRV:64bit: - [2009/04/28 21:21:36 | 000,010,240 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\ACFXAU64.sys -- (XAudio)
    DRV:64bit: - [2009/03/03 14:24:28 | 000,870,400 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28ux.sys -- (netr28ux)
    DRV:64bit: - [2007/03/15 02:08:46 | 000,017,024 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\ACFSDK64.sys -- (mdmxsdk)
    DRV:64bit: - [2006/11/01 12:51:00 | 000,151,656 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WimFltr.sys -- (WimFltr)
    DRV - [2015/05/23 20:36:54 | 000,684,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.0.0.100\Definitions\IPSDefs\20150522.001\IDSviA64.sys -- (IDSVia64)
    DRV - [2015/05/01 12:04:13 | 001,639,128 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.0.0.100\Definitions\BASHDefs\20150519.001\BHDrvx64.sys -- (BHDrvx64)
    DRV - [2015/04/30 18:32:08 | 002,137,304 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.0.0.100\Definitions\VirusDefs\20150525.001\ex64.sys -- (NAVEX15)
    DRV - [2015/04/30 18:32:08 | 000,142,640 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
    DRV - [2015/04/30 18:32:08 | 000,129,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Norton Internet Security\NortonData\21.0.0.100\Definitions\VirusDefs\20150525.001\eng64.sys -- (NAVENG)
    DRV - [2015/04/30 18:32:07 | 000,487,216 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
    DRV - [2015/04/01 23:42:00 | 000,422,152 | ---- | M] (SpyShelter) [Kernel | System | Running] -- C:\Program Files (x86)\SpyShelter Premium\SpyShelter.sys -- (Spyshelter)
    DRV - [2009/07/13 19:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {8EA20934-9493-4EB5-8912-3FB2B8D47265}
    IE:64bit: - HKLM\..\SearchScopes\{8EA20934-9493-4EB5-8912-3FB2B8D47265}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\..\SearchScopes,DefaultScope = {6E032BB4-282D-4148-91BC-D55BF2FE5267}
    IE - HKLM\..\SearchScopes\{6E032BB4-282D-4148-91BC-D55BF2FE5267}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
    IE - HKCU\..\SearchScopes,DefaultScope = {6E032BB4-282D-4148-91BC-D55BF2FE5267}
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


    ========== FireFox ==========

    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVision: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@nvidia.com/3DVisionStreaming: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)

    64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\PROGRAM FILES\ESET\ESET SMART SECURITY\MOZILLA THUNDERBIRD
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.0.0.100\coFFPlgn\ [2015/05/25 23:12:01 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

    [2011/04/19 21:19:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wendy\AppData\Roaming\Mozilla\Extensions
    [2011/04/19 21:19:57 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Wendy\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

    ========== Chrome ==========

    CHR - default_search_provider: ()
    CHR - default_search_provider: search_url =
    CHR - default_search_provider: suggest_url =
    CHR - plugin: Error reading preferences file
    CHR - Extension: No name found = C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\
    CHR - Extension: No name found = C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0\
    CHR - Extension: No name found = C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
    CHR - Extension: No name found = C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
    CHR - Extension: No name found = C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

    O1 HOSTS File: ([2009/06/10 15:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O2:64bit: - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.7.0.11\coieplg.dll (Symantec Corporation)
    O2:64bit: - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
    O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\coieplg.dll (Symantec Corporation)
    O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\ips\ipsbho.dll (Symantec Corporation)
    O3:64bit: - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.7.0.11\coieplg.dll (Symantec Corporation)
    O3:64bit: - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files (x86)\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\coieplg.dll (Symantec Corporation)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4:64bit: - HKLM..\Run: [NvBackend] C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe (NVIDIA Corporation)
    O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
    O4:64bit: - HKLM..\Run: [SpyShelter] C:\Program Files (x86)\SpyShelter Premium\SpyShelter.exe (Datpol)
    O4 - HKLM..\Run: [Malwarebytes Anti-Exploit] C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe File not found
    O4 - HKLM..\Run: [TrayServer] C:\Program Files (x86)\MAGIX\Movie_Edit_Pro_MX\Trayserver_EN.exe (MAGIX AG)
    O4 - HKCU..\Run: [EPSON WorkForce 320 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGJA.EXE /FU "C:\Users\Wendy\AppData\Local\Temp\E_S143B.tmp" /EF "HKCU" File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileAssociate = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O1364bit: - gopher Prefix: missing
    O13 - gopher Prefix: missing
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{82F03D7B-899D-43AA-BA53-4E2FFCFD590E}: DhcpNameServer = 192.168.0.1
    O18:64bit: - Protocol\Handler\livecall - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\msnim - No CLSID value found
    O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
    O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
    O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O34 - HKLM BootExecute: (bootdelete)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2015/05/22 14:02:57 | 000,043,272 | ---- | C] (Datpol) -- C:\Windows\SysNative\SpyShelterShellExt.dll
    [2015/05/22 14:02:57 | 000,034,568 | ---- | C] (Datpol) -- C:\Windows\SysWow64\SpyShelterShellExt.dll
    [2015/05/22 14:02:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SpyShelter
    [2015/05/22 14:02:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SpyShelter Premium
    [2015/05/22 14:02:56 | 000,000,000 | ---D | C] -- C:\Users\Wendy\AppData\Roaming\SpyShelter
    [2015/05/22 13:57:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes Anti-Exploit
    [2015/05/20 23:26:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    [2015/05/20 23:26:47 | 000,107,736 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
    [2015/05/20 23:26:47 | 000,063,704 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mwac.sys
    [2015/05/20 23:26:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware
    [2015/05/15 18:50:24 | 005,503,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
    [2015/05/15 18:50:24 | 003,963,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
    [2015/05/15 18:50:24 | 003,908,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
    [2015/05/13 13:21:01 | 000,000,000 | ---D | C] -- C:\InstallationFolder
    [2015/05/11 21:43:46 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
    [2015/05/11 21:43:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Security Task Manager
    [2015/05/11 12:29:58 | 000,000,000 | ---D | C] -- C:\Program Files\Blender Foundation
    [2015/05/08 15:00:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Xojo
    [2015/05/08 14:59:23 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Xojo
    [2015/05/05 12:50:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Side Effects Software
    [2015/05/05 12:27:54 | 000,000,000 | ---D | C] -- C:\Program Files\OTOY
    [2015/05/03 22:44:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
    [2015/05/01 13:17:49 | 000,078,936 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SymIMV.sys
    [2015/05/01 12:29:51 | 000,000,000 | ---D | C] -- C:\Users\Wendy\Documents\3D-CoatV3
    [2015/05/01 12:28:42 | 000,000,000 | ---D | C] -- C:\Users\Wendy\Documents\3D-CoatV4
    [2015/05/01 12:27:47 | 000,000,000 | ---D | C] -- C:\Users\Wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\3d-Coat-V4
    [2015/05/01 12:27:47 | 000,000,000 | ---D | C] -- C:\Program Files\3D-Coat-V4
    [2015/04/30 18:45:34 | 001,148,120 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symefa64.sys
    [2015/04/30 18:45:34 | 000,876,248 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtsp64.sys
    [2015/04/30 18:45:34 | 000,593,112 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symnets.sys
    [2015/04/30 18:45:34 | 000,493,656 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symds64.sys
    [2015/04/30 18:45:34 | 000,266,968 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\ironx64.sys
    [2015/04/30 18:45:34 | 000,162,392 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\ccsetx64.sys
    [2015/04/30 18:45:34 | 000,037,592 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtspx64.sys
    [2015/04/30 18:45:34 | 000,023,568 | R--- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symelam.sys
    [2015/04/30 18:45:27 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NISx64\1507000.00B
    [2015/04/30 10:36:19 | 000,177,752 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
    [2015/04/30 10:36:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
    [2015/04/30 10:35:44 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\NISx64
    [2015/04/30 10:35:42 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
    [2015/04/30 10:35:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Norton Internet Security
    [2015/04/30 10:34:36 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\NortonInstaller
    [2015/04/26 21:08:57 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\%Report%
    [2015/04/26 21:02:51 | 000,000,000 | ---D | C] -- C:\Users\Wendy\AppData\Local\Marmoset Toolbag
    [2015/04/26 19:59:15 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\%Data%
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2015/05/25 23:17:56 | 000,014,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2015/05/25 23:17:56 | 000,014,240 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2015/05/25 23:10:55 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2015/05/25 23:10:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2015/05/25 23:10:42 | 3220,418,560 | -HS- | M] () -- C:\hiberfil.sys
    [2015/05/25 22:47:51 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2015/05/24 16:23:49 | 000,000,012 | ---- | M] () -- C:\ProgramData\.glInit02.dat
    [2015/05/15 19:06:41 | 000,007,618 | ---- | M] () -- C:\Users\Wendy\AppData\Local\Resmon.ResmonCfg
    [2015/05/15 18:51:04 | 002,239,738 | ---- | M] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\Cat.DB
    [2015/05/14 05:02:05 | 000,158,890 | ---- | M] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\VT20150514.004
    [2015/05/11 11:55:54 | 720,295,595 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2015/05/03 22:52:42 | 000,002,245 | ---- | M] () -- C:\Users\Wendy\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2015/05/03 22:44:33 | 000,002,221 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
    [2015/04/30 18:47:14 | 000,002,463 | ---- | M] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
    [2015/04/30 10:36:19 | 000,008,222 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
    [2015/04/30 10:36:18 | 000,177,752 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
    [2015/04/30 10:36:18 | 000,000,854 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2015/05/15 18:44:43 | 000,158,890 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\VT20150514.004
    [2015/05/11 21:43:41 | 000,001,124 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spy Protector.lnk
    [2015/05/11 21:43:41 | 000,001,113 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager.lnk
    [2015/05/03 22:44:33 | 000,002,245 | ---- | C] () -- C:\Users\Wendy\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2015/05/03 22:44:33 | 000,002,221 | ---- | C] () -- C:\Users\Public\Desktop\Google Chrome.lnk
    [2015/05/03 22:42:51 | 000,000,896 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2015/05/03 22:42:50 | 000,000,892 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2015/04/30 18:46:24 | 002,239,738 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\Cat.DB
    [2015/04/30 18:45:34 | 000,009,939 | R--- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symelam64.cat
    [2015/04/30 18:45:34 | 000,008,202 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\ccsetx64.cat
    [2015/04/30 18:45:34 | 000,008,194 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symefa64.cat
    [2015/04/30 18:45:34 | 000,008,192 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symnet64.cat
    [2015/04/30 18:45:34 | 000,008,188 | R--- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symds64.cat
    [2015/04/30 18:45:34 | 000,008,188 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtspx64.cat
    [2015/04/30 18:45:34 | 000,008,184 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtsp64.cat
    [2015/04/30 18:45:34 | 000,008,184 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\iron.cat
    [2015/04/30 18:45:34 | 000,003,433 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symefa.inf
    [2015/04/30 18:45:34 | 000,002,852 | R--- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symds.inf
    [2015/04/30 18:45:34 | 000,001,440 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symnet.inf
    [2015/04/30 18:45:34 | 000,001,437 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtsp64.inf
    [2015/04/30 18:45:34 | 000,001,420 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\srtspx64.inf
    [2015/04/30 18:45:34 | 000,001,098 | R--- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symelam.inf
    [2015/04/30 18:45:34 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\ccsetx64.inf
    [2015/04/30 18:45:34 | 000,000,767 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\iron.inf
    [2015/04/30 18:45:27 | 000,030,068 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\symvtcer.dat
    [2015/04/30 18:45:27 | 000,000,172 | ---- | C] () -- C:\Windows\SysNative\drivers\NISx64\1507000.00B\isolate.ini
    [2015/04/30 10:36:19 | 000,008,222 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
    [2015/04/30 10:36:19 | 000,000,854 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
    [2015/04/30 10:36:12 | 000,002,463 | ---- | C] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
    [2015/04/21 18:22:36 | 000,000,022 | ---- | C] () -- C:\Users\Wendy\.guerilla.conf
    [2015/03/17 13:09:52 | 000,000,012 | ---- | C] () -- C:\ProgramData\.glInit02.dat
    [2014/11/24 00:31:11 | 000,314,656 | ---- | C] () -- C:\Windows\SysWow64\NvIFROpenGL.dll
    [2013/09/04 14:50:43 | 000,000,085 | ---- | C] () -- C:\Windows\wininit.ini
    [2012/09/14 15:35:16 | 000,000,632 | RHS- | C] () -- C:\Users\Wendy\ntuser.pol
    [2011/03/21 01:28:16 | 000,007,618 | ---- | C] () -- C:\Users\Wendy\AppData\Local\Resmon.ResmonCfg

    ========== ZeroAccess Check ==========

    [2009/07/13 22:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    "" = C:\Windows\SysNative\shell32.dll -- [2012/06/08 23:30:56 | 014,165,504 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 22:46:56 | 012,868,608 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 19:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 19:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 19:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:2CB9631F

    < End of report >
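As an added example (not from the thread and not OTL's own code), the parser below reads the autorun and file-list line formats used in the report above and flags the entries a malware helper checks first: Run keys whose target is gone, toolbars with no CLSID, executables with no company name, and percent-sign folder names under C:\Windows. The sample input is excerpted from the report itself.

```python
r"""Triage helper for OTL (OldTimer) scan-report lines.

Added example, not part of the thread and not OTL's own code. It reads the two
line shapes that make up most of the report above:

  O4 - HKLM..\Run: [Name] C:\path\prog.exe (Company)                autorun entry
  [2015/05/22 14:02:57 | 000,043,272 | ---- | C] (Datpol) -- C:\path   file entry

and applies a few of the checks a malware helper makes by eye. Every hit is a
prompt to look closer, not a verdict: legitimate files can lack a company name
(OTL reads it from the file's version resource, not from a signature), and an
orphaned autorun is usually just an uninstall leftover.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

EXEC_EXT = (".exe", ".dll", ".sys", ".scr")

# "O4 - HKLM..\Run: [TrayServer] C:\...\Trayserver_EN.exe (MAGIX AG)"
# "O4:64bit: - HKLM..\Run: [NvBackend] C:\...\NvBackend.exe (NVIDIA Corporation)"
RUN_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.+)$"
)

# "[stamp | size | attrs | C-or-M] (Company) -- path"; the "(Company)" part is
# printed as "()" when the version resource has no company, and is omitted
# entirely for folders.
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<op>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)


@dataclass
class FileEntry:
    stamp: str
    size: int
    is_dir: bool
    company: Optional[str]   # None when no "(...)" was printed, "" for "()"
    path: str


@dataclass
class Finding:
    kind: str     # short category label
    detail: str   # the entry the finding refers to


def parse_file_entry(line: str) -> Optional[FileEntry]:
    """Parse one Files/Folders line; return None for any other line shape."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return FileEntry(
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),   # "000,043,272" -> 43272
        is_dir=m["attrs"].endswith("D"),
        company=m["company"],
        path=m["path"],
    )


def triage(lines) -> List[Finding]:
    """Walk report lines and collect the entries worth a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        run = RUN_RE.match(line)
        if run:
            # Autorun whose target is gone: harmless clutter, but exactly the
            # kind of entry an OTL custom fix removes.
            if run["rest"].endswith("File not found"):
                findings.append(Finding("orphan-autorun", f"{run['hive']} [{run['name']}]"))
            continue
        if line.startswith("O3") and "No CLSID value found" in line:
            findings.append(Finding("toolbar-no-clsid", line))
            continue
        fe = parse_file_entry(line)
        if fe is None:
            continue
        low = fe.path.lower()
        if not fe.is_dir and low.endswith(EXEC_EXT) and not fe.company:
            findings.append(Finding("exec-no-company", fe.path))
        # Folder names made of literal percent signs under C:\Windows (the
        # report above shows SysWow64\%Report% and SysWow64\%Data%) are not
        # standard Windows folders; they usually come from a program that failed
        # to expand an environment variable, and it is worth knowing which one.
        if fe.is_dir and "\\windows\\" in low and "%" in fe.path:
            findings.append(Finding("odd-folder-in-windows", fe.path))
    return findings


# Lines excerpted from the report above, used here as the sample input.
SAMPLE_REPORT = r"""
O4:64bit: - HKLM..\Run: [NvBackend] C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Exploit] C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[2015/05/22 14:02:57 | 000,043,272 | ---- | C] (Datpol) -- C:\Windows\SysNative\SpyShelterShellExt.dll
[2014/11/24 00:31:11 | 000,314,656 | ---- | C] () -- C:\Windows\SysWow64\NvIFROpenGL.dll
[2015/04/26 21:08:57 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\%Report%
[2015/05/11 21:43:46 | 000,000,000 | ---D | C] -- C:\ProgramData\SecTaskMan
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT.splitlines()):
        print(f"{f.kind:24} {f.detail}")
```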
     
  10. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    Uphill,
    ------------------------------------------------
    Remove Programs Using Control Panel
    From Start, Control Panel, click on Programs and Features
    Click each Entry, as follows, one by one, if it exists, choose Uninstall, and give permission to Continue:

    DAZ 3D
    MAGIX
    Movie Edit Pro

    Take extra care in answering questions posed by any Uninstaller.
    -----------------------------------------------------------
    REBOOT (RESTART) Your Machine
    ----------------------------------------------
    Perform a Custom Fix with OTL
    Right click OTL on your desktop, and choose "Run as administrator" to open it.
    • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code:
      :Commands
      [CREATERESTOREPOINT]
      
      :OTL
      SRV:64bit: - [2011/05/05 14:36:05 | 000,022,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe -- (DAZContentManagementService)
      SRV - [2009/08/27 17:09:10 | 001,253,376 | ---- | M] (MAGIX AG) [Auto | Running] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe -- (Fabs)
      SRV - [2008/08/07 11:10:02 | 003,276,800 | ---- | M] (MAGIX®) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe -- (FirebirdServerMAGIXInstance)
      O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O4 - HKLM..\Run: [TrayServer] C:\Program Files (x86)\MAGIX\Movie_Edit_Pro_MX\Trayserver_EN.exe (MAGIX AG)
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      
      :Files
      C:\Program Files\DAZ 3D
      C:\Program Files (x86)\MAGIX
      C:\Program Files (x86)\Common Files\MAGIX Services
      ipconfig /flushdns /c
      
      :Commands
      [PURITY]
      [emptyjava]
      [emptyflash] 
      [EMPTYTEMP]
      
    • Then click the Run Fix button at the top. DO NOT CLICK Run Scan
    • Let the program run unhindered, and click to allow the Reboot when it is done.
      When the computer Reboots, and you start your usual account, a Notepad text file will appear.
    • That is the FIX log file. Copy the contents of that file and post it in your next reply.
      It will also be available and named by timestamp here: C:\_OTL\Moved Files\mmddyyyy_hhmmss.log
    ----------------------------------------------
    After posting the Resulting log, Please Rescan as follows:
    Open OTL again and click the Quick Scan button. Post the new log it produces, OTL.txt, in a separate reply.

    askey127
     
  11. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    Thanks, I got back late today from school so I will work on it tomorrow.

    I'm not surprised that Daz is in the doghouse because I've gotten a virus off of them before but I am surprised about MAGIX Movie Editor. Aren't they a fairly reputable company?
     
  12. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
  13. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    Unfortunately I did pay for it which makes me an unhappy camper if it is adware. I did go ahead and uninstall it and it was really balky. Then, the first time or two I loaded my admin account it took forever to load. Everything seems pretty happy right now though.

    I also uninstalled some of the related software so there were some failures when I ran OldTimer.
    There is a lot less activity now but there is still some and I saw that file - rundll32.exe briefly again for the first time in a while. Is that a legit file? I see a lot of conflicting advice on the internet.

    Here are my log files. Just as an explanation...I do have a lot of user files but I'm the only one (that I know) using this computer. I'm trying to sandbox stuff to prevent problems. Especially when I'm trying to learn how to program.

    --------------------------

    All processes killed
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point
    ========== OTL ==========
    Error: No service named DAZContentManagementService was found to stop!
    Service\Driver key DAZContentManagementService not found.
    File C:\Program Files\DAZ 3D\Content Management Service\ContentManagementServer.exe not found.
    Error: No service named Fabs was found to stop!
    Service\Driver key Fabs not found.
    File C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe not found.
    Error: No service named FirebirdServerMAGIXInstance was found to stop!
    Service\Driver key FirebirdServerMAGIXInstance not found.
    File C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe not found.
    ========== FILES ==========
    C:\Program Files\DAZ 3D\DAZStudio4\shaders\omnifreaker\surface folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\shaders\omnifreaker\displacement folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\shaders\omnifreaker folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\shaders folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\scripts\support\omnifreaker\shaderDefinitions\surface folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\scripts\support\omnifreaker\shaderDefinitions\displacement folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\scripts\support\omnifreaker\shaderDefinitions folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\scripts\support\omnifreaker\rendertime folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\scripts\support\omnifreaker folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\scripts\support folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\scripts folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\resources\RunOnce folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4\resources folder moved successfully.
    C:\Program Files\DAZ 3D\DAZStudio4 folder moved successfully.
    C:\Program Files\DAZ 3D folder moved successfully.
    File\Folder C:\Program Files (x86)\MAGIX not found.
    File\Folder C:\Program Files (x86)\Common Files\MAGIX Services not found.
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Misce\OldT\cmd.bat deleted successfully.
    C:\Misce\OldT\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYJAVA]

    User: All Users

    User: Bus

    User: Default

    User: Default User

    User: Dld

    User: Eml

    User: Inl

    User: Ma

    User: Mda

    User: Msc

    User: Ntr

    User: Prg

    User: Public

    User: ScB

    User: ScD

    User: ScR

    User: Ups

    User: Vm

    User: Wendy

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Bus

    User: Default

    User: Default User

    User: Dld

    User: Eml

    User: Inl

    User: Ma
    ->Flash cache emptied: 719 bytes

    User: Mda

    User: Msc

    User: Ntr

    User: Prg

    User: Public

    User: ScB

    User: ScD

    User: ScR

    User: Ups

    User: Vm

    User: Wendy
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYTEMP]

    User: All Users

    User: Bus
    ->Temp folder emptied: 32799 bytes
    ->Temporary Internet Files folder emptied: 140384 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Dld
    ->Temp folder emptied: 1164244 bytes
    ->Temporary Internet Files folder emptied: 157125 bytes
    ->Google Chrome cache emptied: 24270885 bytes

    User: Eml
    ->Temp folder emptied: 35371 bytes
    ->Temporary Internet Files folder emptied: 144610 bytes
    ->Google Chrome cache emptied: 819568 bytes

    User: Inl
    ->Temp folder emptied: 127674 bytes
    ->Temporary Internet Files folder emptied: 144462 bytes
    ->Google Chrome cache emptied: 856432 bytes

    User: Ma
    ->Temp folder emptied: 612281018 bytes
    ->Temporary Internet Files folder emptied: 50189563 bytes
    ->Flash cache emptied: 0 bytes

    User: Mda
    ->Temp folder emptied: 7735749 bytes
    ->Temporary Internet Files folder emptied: 170211 bytes
    ->Google Chrome cache emptied: 856432 bytes

    User: Msc
    ->Temp folder emptied: 22319021 bytes
    ->Temporary Internet Files folder emptied: 167183 bytes
    ->Google Chrome cache emptied: 856432 bytes

    User: Ntr
    ->Temp folder emptied: 64066 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Prg
    ->Temp folder emptied: 2422641 bytes
    ->Temporary Internet Files folder emptied: 144462 bytes
    ->Google Chrome cache emptied: 6161814 bytes

    User: Public

    User: ScB
    ->Temp folder emptied: 35371 bytes
    ->Temporary Internet Files folder emptied: 144720 bytes
    ->Google Chrome cache emptied: 52273977 bytes

    User: ScD
    ->Temp folder emptied: 35371 bytes
    ->Temporary Internet Files folder emptied: 1561701 bytes
    ->Google Chrome cache emptied: 819568 bytes

    User: ScR
    ->Temp folder emptied: 65872 bytes
    ->Temporary Internet Files folder emptied: 143568 bytes
    ->FireFox cache emptied: 15979303 bytes
    ->Google Chrome cache emptied: 7638634 bytes

    User: Ups
    ->Temp folder emptied: 95457 bytes
    ->Temporary Internet Files folder emptied: 144462 bytes
    ->Google Chrome cache emptied: 856432 bytes

    User: Vm
    ->Temp folder emptied: 4533200 bytes
    ->Temporary Internet Files folder emptied: 272080 bytes

    User: Wendy
    ->Temp folder emptied: 6858106 bytes
    ->Temporary Internet Files folder emptied: 115492 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 10656992 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
    RecycleBin emptied: 1053 bytes

    Total Files Cleaned = 795.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 05272015_151739

    Files\Folders moved on Reboot...

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
    Last edited: May 27, 2015
  14. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    Uphill,
    rundll32.exe is a legitimate file from Microsoft, and part of the Operating System.
    It is a command line utility and can be used by the system to load a .dll file into memory.
    This can be done by any sort of program. That's why it shows up a lot in discussions of malware.
    The exact .dll being called is more important than the rundll32.exe file itself.
    The rundll32.exe file itself has been corrupted on occasion by malware.

    You can contact MAGIX, and then decide if you want to re-install the movie editor.

    ---------------------------------------------------------------
    Avoiding Unwanted Adware
    There are a few seriously important tips to avoid unwanted adware.
    Adware purveyors are getting more devious and unethical, so you have to be more diligent.

    • Don't click on the Sidebars of Websites
      The items on the sides of websites may be enticing, but they are all advertising, and one click could download unwanted adware onto your machine.

    • Never agree to download anything, if prompted to do so while Online.
      That goes for, "Your codec/browser/flash... needs to be updated to do this, blah, blah.."
      or "you need to first download the xyz.. program to do what you want".
      It's OK to download updates if prompted by legitimate suppliers, when the machine boots, while not yet online.

    • Don't download anything from sites known for adware bundling.
      For any online downloads, best avoid using CNET, Download.com, BrotherSoft, or Softonic
      They package their own "downloaders" and, without notice, deliver serious adware in addition to the desired free programs.
      Unfortunately, the results may be disastrous for your machine.
      FileHippo, MajorGeeks and Softpedia have been better, so far, as sources for downloading software.
      The website of any program's original author is best of all.
      You can Google any Freeware program by typing <program name> adware to see what comes up.

    • Avoid Using P2P file sharing programs
      This includes µTorrent, Bearshare, BitComet, Bittorrent, Azureus, Frostwire, Vuze, Shareaza, Bitlord.
      The Unethical have "planted" thousands upon thousands of infections and Adware items in the shared torrent files.

    Let me know how it's going.
    askey127
     
    Last edited: May 28, 2015
  15. UpHill

    UpHill Thread Starter

    Joined:
    Apr 30, 2015
    Messages:
    11
    My computer does seem to be running a lot better but there is still a bit of weirdness that has me concerned.

    Norton has been putting up a popup asking me if I want to install various forms of protection for Chrome. There are two accounts that I have used to buy things at various times and in those two accounts Norton will not put up that popup so I can install the vulnerability protection. Those are the only two accounts that this happens with (that I am aware of). Sigh. Do you know how to trigger Norton to do this manually?

    I haven't tested the computer yet to see if it's still trying to install a desktop.ini file on my CDs so I will try that tomorrow.
     
Short URL to this thread: https://techguy.org/1148471
