
Wife's computer hijacked

Discussion in 'Virus & Other Malware Removal' started by WendyM, Feb 8, 2015.

Thread Status:
Not open for further replies.
  1. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    Sorry for the profile confusion, cristobal03 here. Wendy accidentally clicked a download button off sourceforge this morning and now her machine is definitely hijacked. RunOnce.exe is hanging the startup sequence, and all the browsers now show taplika.com as the home page. Search results are returning through a Yahoo! look-alike. This one seems non-trivial, so I'd appreciate assistance, much thanks. Here's the sysinfo:

    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit
    Processor: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz, Intel64 Family 6 Model 26 Stepping 5
    Processor Count: 8
    RAM: 6135 Mb
    Graphics Card: NVIDIA GeForce GTX 460, 1024 Mb
    Hard Drives: C: Total - 152524 MB, Free - 78926 MB; D: Total - 1907726 MB, Free - 1801020 MB;
    Motherboard: ASUSTeK Computer INC., P6T6 WS REVOLUTION
    Antivirus: Microsoft Security Essentials, Updated and Enabled
     
  2. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    Hi WendyM/cristobal03,
    (If necessary, download this to a flash drive and transfer it to the desktop of the hijacked machine to run it.)
    -----------------------------------------------------------
    Download and Run the Farbar Scan Tool
    • Download FRST64 and save to your Desktop.
    • Double click Frst64.exe to launch it.
    • FRST64 will start to run.
      • When the tool opens click Yes to the disclaimer.
      • Press the Scan button.
      • When finished scanning, 2 logs will open on your Desktop, FRST.txt and Addition.txt.
      • Please post them in your next reply.
    If you lose track of them, they will be saved in the same location as FRST64.exe.
    Feel free to use separate replies if it's more convenient.

    askey127
     
  3. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    FRST.txt:



    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
    Ran by Wendy (administrator) on CHARLIE on 09-02-2015 14:10:00
    Running from C:\Users\Wendy\Desktop
    Loaded Profiles: Wendy (Available profiles: Wendy & UpdatusUser & Landon)
    Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
    (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (DeviceVM) C:\ASUS.SYS\config\DVMExportService.exe
    (Microsoft Corporation) C:\Windows\System32\msiexec.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\Six Engine\SixEngine.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
    (Microsoft Corporation) C:\Program Files\Zune\ZuneLauncher.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
    (Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
    (CANON INC.) C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    (Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
    (Apple Inc.) D:\Program Files (x86)\iTunes\iTunesHelper.exe
    (Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\TurboV\TurboV.exe
    (Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    (Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
    HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
    HKLM\...\Run: [SoundMAX] => C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe [3866624 2009-05-18] (Analog Devices, Inc.)
    HKLM-x32\...\Run: [IJNetworkScanUtility] => C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] => D:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
    HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2009-06-05] (Analog Devices, Inc.)
    HKLM-x32\...\Run: [TurboV] => C:\Program Files\ASUS\TurboV\TurboV.exe [5665280 2009-11-19] (ASUSTeK Computer Inc.)
    HKLM-x32\...\Run: [Acrobat Assistant 7.0] => C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [483328 2004-12-14] (Adobe Systems Inc.)
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
    HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {096d79b6-b27f-11e2-b5c9-bcaec54497a8} - H:\LaunchU3.exe
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {96ccee42-97ee-11e1-aed0-bcaec54497a8} - G:\TL-Bootstrap.exe
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe ()

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_...G0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    SearchScopes: HKLM -> {589B893E-773C-4941-88C2-0DCC718E621C} URL =
    SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO-x32: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    Toolbar: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    DPF: HKLM-x32 {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} https://webvpn.treasurer.ca.gov/+CSCOL+/csvrloader32.cab
    DPF: HKLM-x32 {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} https://webvpn.treasurer.ca.gov/CACHE/sdesktop/install/binaries/instweb.cab
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    StartMenuInternet: IEXPLORE.EXE - iexplore.exe

    FireFox:
    ========
    FF ProfilePath: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default
    FF DefaultSearchEngine: Taplika
    FF SelectedSearchEngine: Taplika
    FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF user.js: detected! => C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\user.js
    FF SearchPlugin: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml
    FF Extension: Adblock Plus - C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-04-07]
    StartMenuInternet: FIREFOX.EXE - firefox.exe

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    CHR StartupUrls: Default -> "hxxp://taplika.com/?f=7&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    CHR DefaultSearchKeyword: Default -> taplika.com
    CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
    CHR Profile: C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-17]
    CHR Extension: (Google Drive) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-17]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
    CHR Extension: (YouTube) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-17]
    CHR Extension: (Google Search) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-17]
    CHR Extension: (Google Wallet) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-17]
    CHR Extension: (Gmail) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-17]
    CHR HKLM\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
    CHR HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
    CHR HKLM-x32\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
    StartMenuInternet: Google Chrome - chrome.exe

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2009-06-05] (Andrea Electronics Corporation)
    R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-08-19] (ASUSTeK Computer Inc.) [File not signed]
    R2 DvmMDES; C:\ASUS.SYS\config\DVMExportService.exe [294912 2009-04-10] (DeviceVM) [File not signed]
    R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
    R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-03] ()
    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
    R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
    R0 mv61xx; C:\Windows\System32\DRIVERS\mv61xx.sys [179752 2009-08-05] (Marvell Semiconductor, Inc.)
    R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-09 14:10 - 2015-02-09 14:10 - 00015632 _____ () C:\Users\Wendy\Desktop\FRST.txt
    2015-02-09 14:09 - 2015-02-09 14:10 - 00000000 ____D () C:\FRST
    2015-02-09 14:09 - 2015-02-09 14:08 - 02132992 _____ (Farbar) C:\Users\Wendy\Desktop\FRST64.exe
    2015-02-08 10:24 - 2015-02-08 10:24 - 00011224 _____ () C:\Users\Wendy\Downloads\hijackthis.log
    2015-02-08 10:23 - 2015-02-08 10:23 - 00388608 _____ (Trend Micro Inc.) C:\Users\Wendy\Downloads\HijackThis.exe
    2015-02-08 10:10 - 2015-02-08 10:10 - 00509440 _____ (Tech Support Guy System) C:\Users\Wendy\Downloads\SysInfo.exe
    2015-02-08 10:08 - 2015-02-09 14:08 - 00000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
    2015-02-08 09:20 - 2015-02-08 09:20 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\KeePass
    2015-02-08 09:13 - 2015-02-08 09:13 - 00001103 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass.lnk
    2015-02-08 09:13 - 2015-02-08 09:13 - 00000000 ____D () C:\Program Files (x86)\KeePass Password Safe
    2015-02-08 09:12 - 2015-02-08 09:13 - 01942105 _____ (Dominik Reichl ) C:\Users\Wendy\Downloads\KeePass-1.28-Setup.exe
    2015-02-08 09:10 - 2015-02-08 09:10 - 00000000 ____D () C:\ProgramData\c6c8997c00002766
    2015-02-08 09:08 - 2015-02-09 14:08 - 00000290 _____ () C:\Windows\Tasks\Taplika.job
    2015-02-08 09:08 - 2015-02-08 09:10 - 00000000 ____D () C:\Users\Wendy\AppData\Local\Taplika
    2015-02-08 09:08 - 2015-02-08 09:09 - 00003230 _____ () C:\Windows\System32\Tasks\Digital Sites
    2015-02-08 09:08 - 2015-02-08 09:09 - 00000292 _____ () C:\Windows\Tasks\Digital Sites.job
    2015-02-08 09:08 - 2015-02-08 09:08 - 00003228 _____ () C:\Windows\System32\Tasks\Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\WSE_Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\DigitalSites
    2015-02-08 09:07 - 2015-02-08 09:07 - 00783834 _____ (%VENDOR%) C:\Users\Wendy\Downloads\FileOpenerSetup.exe
    2015-02-07 07:56 - 2015-02-07 07:56 - 00116178 _____ () C:\Users\Wendy\Downloads\food (18).xlsx
    2015-02-06 16:54 - 2015-02-06 16:54 - 00032078 _____ () C:\Users\Wendy\Downloads\stuff (25).xlsx
    2015-01-29 19:19 - 2015-01-29 19:19 - 00111772 _____ () C:\Users\Wendy\Downloads\food (17).xlsx
    2015-01-29 19:18 - 2015-01-29 19:18 - 00032666 _____ () C:\Users\Wendy\Downloads\stuff (24).xlsx
    2015-01-23 17:59 - 2015-01-23 17:59 - 00111773 _____ () C:\Users\Wendy\Downloads\food (16).xlsx
    2015-01-23 16:46 - 2015-01-23 16:46 - 00032215 _____ () C:\Users\Wendy\Downloads\stuff (23).xlsx
    2015-01-20 06:20 - 2014-12-18 19:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
    2015-01-20 06:20 - 2014-12-18 17:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
    2015-01-20 06:20 - 2014-12-12 21:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
    2015-01-20 06:20 - 2014-12-12 19:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2015-01-20 06:20 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
    2015-01-20 06:20 - 2014-12-11 21:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
    2015-01-20 06:20 - 2014-12-11 21:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
    2015-01-20 06:20 - 2014-12-11 21:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
    2015-01-20 06:20 - 2014-12-11 21:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2015-01-20 06:20 - 2014-12-11 21:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2015-01-20 06:20 - 2014-12-11 21:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
    2015-01-20 06:20 - 2014-12-11 09:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
    2015-01-20 06:20 - 2014-12-05 20:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
    2015-01-20 06:20 - 2014-12-05 19:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
    2015-01-20 06:20 - 2014-12-05 19:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
    2015-01-20 06:20 - 2012-10-03 09:44 - 00216576 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
    2015-01-20 06:20 - 2012-10-03 09:44 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
    2015-01-17 20:59 - 2015-01-17 20:59 - 00111551 _____ () C:\Users\Wendy\Downloads\food (15).xlsx
    2015-01-15 22:45 - 2015-01-15 22:45 - 00063609 _____ () C:\Users\Wendy\Downloads\money (16).xlsx
    2015-01-15 19:07 - 2015-01-15 19:07 - 00031501 _____ () C:\Users\Wendy\Downloads\stuff (22).xlsx
    2015-01-14 21:12 - 2015-01-14 21:12 - 00029667 _____ () C:\Users\Wendy\Downloads\summit_expense_budget.xlsx
    2015-01-10 08:37 - 2015-01-10 08:37 - 00111263 _____ () C:\Users\Wendy\Downloads\food (14).xlsx
    2015-01-10 08:05 - 2015-01-10 08:05 - 00030791 _____ () C:\Users\Wendy\Downloads\stuff (21).xlsx

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-09 14:09 - 2012-04-06 17:46 - 01492835 _____ () C:\Windows\WindowsUpdate.log
    2015-02-09 14:08 - 2009-07-13 21:13 - 00726444 _____ () C:\Windows\system32\PerfStringBackup.INI
    2015-02-09 14:07 - 2009-07-13 20:51 - 00108309 _____ () C:\Windows\setupact.log
    2015-02-09 14:06 - 2014-01-17 08:19 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-02-09 14:05 - 2012-04-06 19:11 - 00000000 ____D () C:\ProgramData\NVIDIA
    2015-02-09 14:05 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-02-08 10:18 - 2012-09-18 18:21 - 00000177 ____H () C:\dvmexp.idx
    2015-02-08 10:13 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-02-08 10:13 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-02-08 10:11 - 2012-04-06 21:42 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-02-08 09:21 - 2010-11-20 19:47 - 00010144 _____ () C:\Windows\PFRO.log
    2015-02-08 09:11 - 2012-10-21 19:07 - 00113148 _____ () C:\Users\Wendy\Desktop\food.xlsx
    2015-02-08 09:11 - 2012-04-07 08:40 - 00029788 _____ () C:\Users\Wendy\Desktop\stuff.xlsx
    2015-02-08 09:08 - 2014-01-17 08:21 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
    2015-02-08 08:26 - 2014-01-17 08:19 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-02-05 06:08 - 2012-04-06 21:42 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-02-05 06:08 - 2012-04-06 21:42 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-02-05 06:08 - 2012-04-06 21:42 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2015-02-03 18:21 - 2014-01-17 08:19 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
    2015-02-03 18:21 - 2014-01-17 08:19 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
    2015-01-20 06:23 - 2013-11-18 06:37 - 00000000 ____D () C:\Windows\system32\MRT
    2015-01-20 06:20 - 2012-04-06 18:39 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2015-01-20 06:14 - 2012-06-17 19:02 - 00062039 _____ () C:\Users\Wendy\Desktop\money.xlsx

    ==================== Files in the root of some directories =======

    2015-02-08 10:08 - 2015-02-09 14:08 - 0000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
    2012-09-19 09:20 - 2013-02-02 13:15 - 0004096 _____ () C:\Users\Wendy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-04-07 00:17 - 2012-04-07 00:17 - 0007605 _____ () C:\Users\Wendy\AppData\Local\Resmon.ResmonCfg
    2014-02-02 09:10 - 2014-02-02 09:10 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

    Some content of TEMP:
    ====================
    C:\Users\Wendy\AppData\Local\Temp\converter.exe
    C:\Users\Wendy\AppData\Local\Temp\CSDJavaInstaller.dll
    C:\Users\Wendy\AppData\Local\Temp\cstub.exe
    C:\Users\Wendy\AppData\Local\Temp\csvrelay32.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrelay64.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader32.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader64.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrxul32.dll
    C:\Users\Wendy\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\optprosetup.exe
    C:\Users\Wendy\AppData\Local\Temp\ose00000.exe
    C:\Users\Wendy\AppData\Local\Temp\_is5134.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-02-03 19:57

    ==================== End Of Log ============================
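The FRST log above shows the hijack in three places: Run/RunOnce values that launch wscript.exe with a forced script engine on a .dat file under AppData, an orphaned Run value (`[] => [X]`), and every browser's start page and search scope pointing at taplika.com. As an added example (not part of the thread and not FRST's own code), the Python below triages FRST-format lines for exactly those patterns; the sample lines are a constructed subset of the posted log with the long tracking parameters shortened, and the allowlist of stock start-page hosts is an assumption.

```python
"""Triage of FRST 'Registry' and 'Internet' lines for the hijack patterns in the posted log.

Added example, not FRST's own code. The allowlist of stock start-page hosts is an
assumption; SAMPLE_LOG is a constructed subset of the posted log with the long
tracking parameters shortened.
"""
import re
from urllib.parse import urlparse

# Constructed sample in FRST's line format (SID and GUIDs as they appear in the post).
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {589B893E-773C-4941-88C2-0DCC718E621C} URL =
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}
CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}
FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch
"""

# Assumed allowlist: hosts a stock IE / Firefox / Chrome start page or search scope points at.
KNOWN_GOOD_HOSTS = {"www.msn.com", "www.google.com", "www.bing.com", "go.microsoft.com"}

# Windows Script Host binaries and the extensions a script handed to them normally carries.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

# FRST line kinds that carry a URL the user, not installed software, should have chosen.
BROWSER_SETTING_MARKERS = ("Start Page", "SearchScopes:", "Homepage:", "StartupUrls:", "DefaultSearchURL:")

RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
URL_RE = re.compile(r"(?:hxxps?|https?)://\S+", re.IGNORECASE)


def _host_of(url):
    """Return the lower-cased hostname of a URL, undoing FRST's hxxp:// defanging first."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlparse(url).hostname or "").lower()


def check_autorun(line):
    """Flag a Run/RunOnce value with no file behind it, or a script host run on a non-script file under AppData."""
    m = RUN_RE.match(line)
    if not m:
        return None
    key, name, cmd = m["key"], m["name"], m["cmd"]
    if cmd == "[X]":
        # FRST prints [X] when the value points at a file it cannot find.
        return f"{key} value '{name}' has no file behind it (orphaned entry)"
    low = cmd.lower()
    if any(host in low for host in SCRIPT_HOSTS):
        # An /E:engine switch makes the host run any file as script, so the extension no
        # longer says what the file is; a .dat under a per-user profile folder is the odd case.
        args = re.findall(r'"([^"]+)"', cmd) or cmd.split()[1:]
        for arg in args:
            if "\\appdata\\" in arg.lower() and not arg.lower().endswith(SCRIPT_EXTS):
                return f"{key} value '{name}' runs a script host on {arg}"
    return None


def check_browser_url(line):
    """Flag a start page / search scope / homepage whose host is not on the allowlist."""
    if not any(marker in line for marker in BROWSER_SETTING_MARKERS):
        return None
    m = URL_RE.search(line)
    if not m:
        return None  # e.g. 'SearchScopes: ... URL =' with nothing after it
    host = _host_of(m.group(0))
    if host and host not in KNOWN_GOOD_HOSTS:
        return f"browser setting points at {host}"
    return None


def triage(log_text):
    """Run every check over each line; return (reason, line) pairs in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_autorun, check_browser_url):
            reason = check(line)
            if reason:
                findings.append((reason, line))
    return findings


def hijacked_hosts(findings):
    """Distinct hosts named by browser-setting findings: the indicator list to hand to the helper."""
    return {r.rsplit(" ", 1)[1] for r, _ in findings if r.startswith("browser setting points at ")}


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[!] {reason}\n    {line[:100]}")
    print("Hosts to treat as hijack indicators:", sorted(hijacked_hosts(triage(SAMPLE_LOG))))
```

On the sample this reports the two RunOnce entries, the orphaned Run value and four browser settings, all resolving to the single host taplika.com; the allowlisted msn.com redirect cache and the empty HKLM search scope are correctly left alone.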
     
  4. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    Addition.txt



    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-02-2015
    Ran by Wendy at 2015-02-09 14:10:22
    Running from C:\Users\Wendy\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
    AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Acrobat 7.0 Professional - English, Français, Deutsch (HKLM-x32\...\Adobe Acrobat 7.0 Professional - English, Français, Deutsch - V) (Version: 7.0.0 - Adobe Systems)
    Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
    Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
    Apple Application Support (HKLM-x32\...\{122ADF8C-DDA1-480C-9936-C88F2825B265}) (Version: 2.1.9 - Apple Inc.)
    Apple Mobile Device Support (HKLM\...\{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}) (Version: 5.2.0.6 - Apple Inc.)
    Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
    Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
    Canon IJ Network Scan Utility (HKLM-x32\...\Canon_IJ_Network_Scan_UTILITY) (Version: - )
    Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: - )
    Canon MG5200 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG5200_series) (Version: - )
    Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version: - )
    CoH Subscriber Beta (HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\NCsoft-CoHBeta) (Version: - NCsoft)
    CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
    EPU-6 Engine (HKLM-x32\...\{56B83336-FBC1-4C46-8613-90A9E3B440D6}) (Version: 1.03.02 - )
    Express Gate (HKLM-x32\...\{99AD9D6D-A456-49EE-8360-F22EE7AA1272}) (Version: 1.4.10.3 - DeviceVM, Inc.)
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
    Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
    Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
    Host OpenAL (ADI) (HKLM-x32\...\Host OpenAL (ADI)) (Version: - )
    iTunes (HKLM\...\{840A3BAA-4C68-4581-9C7A-6F8D6CF531B9}) (Version: 10.6.3.25 - Apple Inc.)
    Java 7 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.510 - Oracle)
    JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
    KeePass Password Safe 1.28 (HKLM-x32\...\KeePass Password Safe_is1) (Version: 1.28 - Dominik Reichl)
    marvell 61xx (HKLM-x32\...\mv61xxDriver) (Version: 1.2.0.7100 - Marvell)
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
    Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
    Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Mozilla Firefox 30.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 30.0 (x86 en-US)) (Version: 30.0 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
    NVIDIA 3D Vision Controller Driver 296.10 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 296.10 - NVIDIA Corporation)
    NVIDIA 3D Vision Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 311.06 - NVIDIA Corporation)
    NVIDIA Graphics Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
    NVIDIA HD Audio Driver 1.3.12.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.12.0 - NVIDIA Corporation)
    NVIDIA PhysX System Software 9.12.0213 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0213 - NVIDIA Corporation)
    NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
    Path of Exile (HKLM-x32\...\{90A4562F-D4A1-4B65-906D-41F236CF6902}) (Version: 0.9.12.19242 - Grinding Gear Games)
    Realtek 8136 8168 8169 Ethernet Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0005 - Realtek)
    SoundMAX (HKLM-x32\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.2.6585 - Analog Devices)
    TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
    TurboV (HKLM-x32\...\{A31951C5-DCD8-4DFE-A525-CFC701F54792}) (Version: 1.02.02 - )
    Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
    Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


    ==================== Restore Points =========================

    09-01-2015 22:13:49 Windows Update
    13-01-2015 18:17:59 Windows Update
    17-01-2015 07:18:35 Windows Update
    20-01-2015 06:20:17 Windows Update
    24-01-2015 07:36:49 Windows Update
    27-01-2015 19:54:08 Windows Update
    30-01-2015 20:08:30 Windows Update
    03-02-2015 18:31:02 Windows Update
    06-02-2015 19:21:26 Windows Update

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {01CA898F-1CC1-463B-8274-75C640BC61FC} - System32\Tasks\CohNoUac => D:\Program Files\NCSoft\Launcher\NCLauncher.exe [2012-07-22] (NCSoft)
    Task: {07F93A40-114A-4A39-8294-B390862ADC69} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-05] (Adobe Systems Incorporated)
    Task: {145D8540-47A2-443C-BF94-53A33CB25252} - System32\Tasks\Digital Sites => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    Task: {365C209A-7068-4220-8320-D71BF42CE6A3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
    Task: {4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC} - System32\Tasks\Taplika => C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\UpdateTask.exe [2015-02-08] () <==== ATTENTION
    Task: {4E06F925-D66C-4594-9E9E-1093F44838E8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-17] (Google Inc.)
    Task: {979A6B1D-F713-40E5-83F6-4BF1C0325F3D} - System32\Tasks\CohBetaNoUac => D:\Program Files\NCSoft\Launcher\NCLauncher.exe [2012-07-22] (NCSoft)
    Task: {B0716E53-DF8A-42FE-B306-17919FFE5616} - System32\Tasks\ASUS\ASUS SIX Engine => C:\Program Files\ASUS\Six Engine\SixEngine.exe [2009-11-26] (ASUSTeK Computer Inc.)
    Task: {F1EF18E2-048E-4BF2-848E-BED481C0EBD9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-17] (Google Inc.)
    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\Taplika.job => C:\Users\Wendy\AppData\Roaming\Taplika\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

    ==================== Loaded Modules (whitelisted) ==============

    2012-11-07 17:48 - 2012-10-04 19:49 - 00087152 _____ () C:\Windows\System32\cpwmon64.dll
    2012-05-30 19:06 - 2012-05-30 19:06 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    2012-05-30 19:06 - 2012-05-30 19:06 - 01242512 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
    2012-09-18 17:53 - 2009-04-22 19:20 - 00179712 _____ () C:\Program Files\ASUS\Six Engine\ASUSSERVICE.DLL
    2012-09-18 17:53 - 2009-08-27 18:41 - 00565248 _____ () C:\Program Files\ASUS\Six Engine\pngio.dll
    2012-09-18 17:53 - 2009-08-27 18:41 - 00053248 _____ () C:\Program Files\ASUS\Six Engine\AsSpindownTimeout.dll
    2012-09-18 17:53 - 2008-12-10 19:27 - 00565248 _____ () C:\Program Files\ASUS\TurboV\pngio.dll
    2012-09-18 17:53 - 2009-10-26 13:52 - 00135680 _____ () C:\Program Files\ASUS\TurboV\TVOCLIB.DLL

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) ===============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION!

    ==================== Other Registry Areas =====================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Wendy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== Accounts: =============================

    Administrator (S-1-5-21-2245909474-2214454975-146711961-500 - Administrator - Disabled)
    Guest (S-1-5-21-2245909474-2214454975-146711961-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-2245909474-2214454975-146711961-1002 - Limited - Enabled)
    Landon (S-1-5-21-2245909474-2214454975-146711961-1004 - Limited - Enabled) => C:\Users\Landon
    UpdatusUser (S-1-5-21-2245909474-2214454975-146711961-1003 - Limited - Enabled) => C:\Users\UpdatusUser
    Wendy (S-1-5-21-2245909474-2214454975-146711961-1001 - Administrator - Enabled) => C:\Users\Wendy

    ==================== Faulty Device Manager Devices =============

    Name: RAID Controller
    Description: RAID Controller
    Class Guid:
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (02/09/2015 02:07:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (02/08/2015 10:21:42 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (02/08/2015 10:07:37 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (02/08/2015 09:59:13 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (02/08/2015 09:28:50 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (02/08/2015 09:08:51 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: uninstaller.exe, version: 0.0.0.0, time stamp: 0x2a425e19
    Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
    Exception code: 0xc0000005
    Fault offset: 0x0002df0b
    Faulting process id: 0x1ad8
    Faulting application start time: 0xuninstaller.exe0
    Faulting application path: uninstaller.exe1
    Faulting module path: uninstaller.exe2
    Report Id: uninstaller.exe3

    Error: (02/07/2015 00:39:05 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 8237

    Error: (02/07/2015 00:39:05 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 8237

    Error: (02/07/2015 00:39:05 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (02/06/2015 06:10:47 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 5991


    System errors:
    =============
    Error: (02/09/2015 02:08:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The NVIDIA Update Service Daemon service failed to start due to the following error:
    %%1069

    Error: (02/09/2015 02:08:00 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
    Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:
    %%1330

    To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

    Error: (02/08/2015 10:28:36 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
    Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.191.4348.0

    Update Source: %NT AUTHORITY59

    Update Stage: 4.6.0305.00

    Source Path: 4.6.0305.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

    Error: (02/08/2015 10:28:36 AM) (Source: DCOM) (EventID: 10005) (User: )
    Description: 1084wuauserv{E60687F7-01A1-40AA-86AC-DB1CBF673334}

    Error: (02/08/2015 10:26:44 AM) (Source: DCOM) (EventID: 10005) (User: )
    Description: 1068BITS{4991D34B-80A1-4291-83B6-3328366B9097}

    Error: (02/08/2015 10:20:27 AM) (Source: DCOM) (EventID: 10005) (User: )
    Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

    Error: (02/08/2015 10:20:26 AM) (Source: DCOM) (EventID: 10005) (User: )
    Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

    Error: (02/08/2015 10:20:25 AM) (Source: DCOM) (EventID: 10005) (User: )
    Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error: (02/08/2015 10:20:20 AM) (Source: DCOM) (EventID: 10005) (User: )
    Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

    Error: (02/08/2015 10:20:10 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    AsIO
    discache
    MpFilter
    spldr
    Wanarpv6


    Microsoft Office Sessions:
    =========================
    Error: (01/31/2015 04:14:17 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
    Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6713.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 110623 seconds with 240 seconds of active time. This session ended with a crash.


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz
    Percentage of memory in use: 36%
    Total physical RAM: 6135.12 MB
    Available physical RAM: 3910.25 MB
    Total Pagefile: 12268.42 MB
    Available Pagefile: 9924.46 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.82 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:148.95 GB) (Free:76.74 GB) NTFS
    Drive d: (DataDrive) (Fixed) (Total:1863.01 GB) (Free:1758.81 GB) NTFS
    Drive f: (FIXER) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 5867890F)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 9DACBE37)
    Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1.9 GB) (Disk ID: 026C93EB)
    Partition 1: (Active) - (Size=1.9 GB) - (Type=0B)

    ==================== End Of Log ============================
     
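    The Addition.txt log above shows what FRST marks with "<==== ATTENTION": scheduled tasks (both the System32\Tasks entries and the legacy .job files) whose target lives under the user's AppData, and a per-user exefile key under HKU. The script below is an added example for this page, not FRST's own code, and it does not reproduce FRST's whitelist; it applies the heuristics a triager would start from to a few constructed FRST-style lines modelled on entries in this thread (the Taplika and Digital Sites tasks, the wscript RunOnce entry that FRST also reported for this infection, and the exefile key), mixed with two vendor autostarts that should pass. The sample lines and the heuristics are assumptions for illustration.

```python
"""Heuristic triage of FRST autostart lines for the persistence patterns in this thread.

Added example for this page, not FRST's code: it does not reproduce FRST's whitelist,
and the heuristics are a triager's starting assumptions, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on entries FRST reported in this thread: two benign
# vendor autostarts mixed with the Taplika / Digital Sites tasks, the wscript RunOnce
# entry, and the per-user exefile key.
SAMPLE_LOG = r"""
Task: {07F93A40-114A-4A39-8294-B390862ADC69} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-05] (Adobe Systems Incorporated)
Task: {4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC} - System32\Tasks\Taplika => C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\UpdateTask.exe [2015-02-08] ()
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile: "%1" %*
"""

# Line shapes handled, as FRST prints them: 'Task: ... => target' and 'HKLM\...\Run: [Name] => target'
AUTOSTART = re.compile(r"^(Task: .+?|HK(?:LM|U)\S*\\\.\.\.\\Run(?:Once)?: \[[^\]]*\]) => (.+)$")
# A per-user exefile key does not exist on a default install; HKCU\Software\Classes
# shadows HKCR for that user, so its presence alone is worth a look.
USER_EXEFILE = re.compile(r"^HKU\\S-1-5-[\d-]+\\Software\\Classes\\exefile:", re.I)
TRAILER = re.compile(r"\s*\[[^\]]*\](?:\s*\(([^()]*)\))?\s*$")   # FRST's ' [size date] (Company)'
EXE_AND_ARGS = re.compile(r'^"?([^"]+?\.(?:exe|com|bat|cmd))"?(?=\s|$)(.*)$', re.I)
PATH_TOKEN = re.compile(r'"([^"]+)"|([A-Za-z]:\\\S+)')           # quoted or bare drive paths in args
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def parse_target(target):
    """Split an FRST target into (company or None, executable, args, all file paths seen)."""
    company = None
    m = TRAILER.search(target)
    if m:
        company = m.group(1)            # '' when FRST printed '()', None when no parens at all
        target = target[: m.start()]
    m = EXE_AND_ARGS.match(target.strip())
    exe, args = (m.group(1), m.group(2)) if m else (target.strip(), "")
    paths = [exe] + [quoted or bare for quoted, bare in PATH_TOKEN.findall(args)]
    return company, exe, args, paths


def triage(text):
    """Return a Finding for every line that trips at least one heuristic."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if USER_EXEFILE.match(line):
            reasons.append("per-user exefile association under HKU: absent by default, it overrides "
                           "the machine-wide .exe handler for that SID even when the command reads like the default")
        m = AUTOSTART.match(line)
        if m:
            company, exe, args, paths = parse_target(m.group(2))
            user_paths = [p for p in paths if USER_PROFILE.match(p)]
            if user_paths:
                reasons.append("autostart target under a user profile (writable without admin rights): "
                               + ", ".join(user_paths))
            if exe.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                if "/e:" in args.lower():
                    reasons.append("script host run with a forced engine (/E:), so the file extension is irrelevant")
                for p in paths[1:]:
                    ext = p[p.rfind("."):].lower() if "." in p else ""
                    if ext not in SCRIPT_EXTS:
                        reasons.append("script host handed a file without a script extension: " + p)
            if company == "":
                reasons.append("FRST printed '()': no company name in the file's version resource")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line[:100])
        for r in f.reasons:
            print("   -", r)
```

    Run against the constructed sample it flags exactly the four lines FRST marked and passes the Flash and Security Essentials entries. The user-profile check is deliberately broad (legitimate per-user software trips it too), so treat the output as a review list rather than a removal list; the wscript entry is the instructive one, since a .dat file would never run on its own and only does so because /E:vbscript forces the engine.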
  5. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    WendyM,
    Be aware that Adobe Acrobat Pro 7 is VERY vulnerable to infections, especially if you allow internet PDFs to be opened by that program.
    Best to check every online PDF by right clicking and scanning with AV before using that program.
    I didn't recommend removing it, but I'm biting my lip.
    ------------------------------------------------
    Remove Programs Using Control Panel
    From Start, Control Panel, click on Programs and Features
    Click this entry, if it exists, choose Uninstall, and give permission to Continue:

    Java 7 Update 51

    Take extra care in answering questions posed by any Uninstaller.
    -----------------------------------------------------------
    REBOOT (RESTART) Your Machine
    --------------------------------------------------------
    Run A Fix With FRST
    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
    (Both on the Desktop is OK, or both in the same folder elsewhere)

    Run FRST64 and press the Fix button just once and wait. DO NOT PRESS THE SCAN BUTTON.
    If for some reason the tool needs a restart, please make sure you let the system restart normally.
    The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
    When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.

    askey127
     

    Attached Files:

  6. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    Fixlog.txt



    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
    Ran by Wendy at 2015-02-09 16:26:28 Run:1
    Running from C:\Users\Wendy\Desktop
    Loaded Profiles: Wendy (Available profiles: Wendy & UpdatusUser & Landon)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    Task: {145D8540-47A2-443C-BF94-53A33CB25252} - System32\Tasks\Digital Sites => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    Task: {4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC} - System32\Tasks\Taplika => C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\UpdateTask.exe [2015-02-08] () <==== ATTENTION
    Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    Task: C:\Windows\Tasks\Taplika.job => C:\Users\Wendy\AppData\Roaming\Taplika\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION!
    HKLM-x32\...\Run: [Acrobat Assistant 7.0] => C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [483328 2004-12-14] (Adobe Systems Inc.)
    HKLM-x32\...\Run: [] => [X]
    BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO-x32: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    C:\Users\Wendy\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
    C:\Users\Wendy\AppData\Local\Temp\CSDJavaInstaller.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader32.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader64.dll

    *****************

    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{145D8540-47A2-443C-BF94-53A33CB25252}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{145D8540-47A2-443C-BF94-53A33CB25252}" => Key deleted successfully.
    C:\Windows\System32\Tasks\Digital Sites => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Digital Sites" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC}" => Key deleted successfully.
    C:\Windows\System32\Tasks\Taplika => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Taplika" => Key deleted successfully.
    C:\Windows\Tasks\Digital Sites.job => Moved successfully.
    C:\Windows\Tasks\Taplika.job => Moved successfully.
    "HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile" => Key deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Acrobat Assistant 7.0 => value deleted successfully.
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" => Key Deleted successfully.
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
    "HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}" => Key deleted successfully.
    "HKCR\Wow6432Node\CLSID\{AE7CD045-E861-484f-8273-0445EE161910}" => Key deleted successfully.
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
    "HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
    "HKCR\Wow6432Node\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" => Key deleted successfully.
    HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.51.2 => Key not found.
    C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll not found.
    HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2 => Key not found.
    C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll not found.
    C:\Users\Wendy\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Wendy\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Wendy\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Wendy\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Wendy\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Wendy\AppData\Local\Temp\CSDJavaInstaller.dll => Moved successfully.
    C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader32.dll => Moved successfully.
    C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader64.dll => Moved successfully.

    ==== End of Fixlog 16:26:29 ====
     
  7. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    WendyM,
    Good so far.
    Let's run another couple of scans to see if there are any leftovers.
    -----------------------------------------------------------
    Run a New Scan With the Farbar Scan Tool
    • Double click FRST64.exe on your desktop to launch it.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning, a new version of the log FRST.txt will be saved on your Desktop and opened in Notepad.
    • Please post the contents in your next reply.
    ---------------------------------------------
    Please download SystemLook from the link below and save it to your Desktop.
    Download Mirror #1 (64-bit)
    • Double-click SystemLook_x64.exe to run it. OK the User Account Control.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *taplika*
      :folderfind
      *taplika*
      :regfind
      taplika
      
    • Click the Look button to start the scan.
      Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The results log can also be found on your Desktop, entitled SystemLook.txt

    askey127
     
  8. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    FRST.txt:

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
    Running from C:\Users\Wendy\Desktop
    Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
    (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (DeviceVM) C:\ASUS.SYS\config\DVMExportService.exe
    (Microsoft Corporation) C:\Windows\System32\msiexec.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\Six Engine\SixEngine.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\runonce.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    (Microsoft Corporation) C:\Program Files\Zune\ZuneLauncher.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
    (Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
    (CANON INC.) C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    (Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
    (Apple Inc.) D:\Program Files (x86)\iTunes\iTunesHelper.exe
    (Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
    (ASUSTeK Computer Inc.) C:\Program Files\ASUS\TurboV\TurboV.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
    HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
    HKLM\...\Run: [SoundMAX] => C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe [3866624 2009-05-18] (Analog Devices, Inc.)
    HKLM-x32\...\Run: [IJNetworkScanUtility] => C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] => D:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
    HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2009-06-05] (Analog Devices, Inc.)
    HKLM-x32\...\Run: [TurboV] => C:\Program Files\ASUS\TurboV\TurboV.exe [5665280 2009-11-19] (ASUSTeK Computer Inc.)
    HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {096d79b6-b27f-11e2-b5c9-bcaec54497a8} - H:\LaunchU3.exe
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {96ccee42-97ee-11e1-aed0-bcaec54497a8} - G:\TL-Bootstrap.exe
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe ()

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_...G0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    SearchScopes: HKLM -> {589B893E-773C-4941-88C2-0DCC718E621C} URL =
    SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    Toolbar: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    DPF: HKLM-x32 {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} https://webvpn.treasurer.ca.gov/+CSCOL+/csvrloader32.cab
    DPF: HKLM-x32 {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} https://webvpn.treasurer.ca.gov/CACHE/sdesktop/install/binaries/instweb.cab
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    StartMenuInternet: IEXPLORE.EXE - iexplore.exe

    FireFox:
    ========
    FF ProfilePath: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default
    FF DefaultSearchEngine: Taplika
    FF SelectedSearchEngine: Taplika
    FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF user.js: detected! => C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\user.js
    FF SearchPlugin: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml
    FF Extension: Adblock Plus - C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-04-07]
    StartMenuInternet: FIREFOX.EXE - firefox.exe

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    CHR StartupUrls: Default -> "hxxp://taplika.com/?f=7&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    CHR DefaultSearchKeyword: Default -> taplika.com
    CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
    CHR Profile: C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-17]
    CHR Extension: (Google Drive) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-17]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
    CHR Extension: (YouTube) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-17]
    CHR Extension: (Google Search) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-17]
    CHR Extension: (Google Wallet) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-17]
    CHR Extension: (Gmail) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-17]
    CHR HKLM\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
    CHR HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
    CHR HKLM-x32\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
    StartMenuInternet: Google Chrome - chrome.exe

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2009-06-05] (Andrea Electronics Corporation)
    R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-08-19] (ASUSTeK Computer Inc.) [File not signed]
    R2 DvmMDES; C:\ASUS.SYS\config\DVMExportService.exe [294912 2009-04-10] (DeviceVM) [File not signed]
    R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
    R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-03] ()
    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
    R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
    R0 mv61xx; C:\Windows\System32\DRIVERS\mv61xx.sys [179752 2009-08-05] (Marvell Semiconductor, Inc.)
    R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-09 14:10 - 2015-02-09 18:36 - 00014395 _____ () C:\Users\Wendy\Desktop\FRST.txt
    2015-02-09 14:10 - 2015-02-09 14:10 - 00018618 _____ () C:\Users\Wendy\Desktop\Addition.txt
    2015-02-09 14:09 - 2015-02-09 18:36 - 00000000 ____D () C:\FRST
    2015-02-09 14:09 - 2015-02-09 14:08 - 02132992 _____ (Farbar) C:\Users\Wendy\Desktop\FRST64.exe
    2015-02-08 10:24 - 2015-02-08 10:24 - 00011224 _____ () C:\Users\Wendy\Downloads\hijackthis.log
    2015-02-08 10:23 - 2015-02-08 10:23 - 00388608 _____ (Trend Micro Inc.) C:\Users\Wendy\Downloads\HijackThis.exe
    2015-02-08 10:10 - 2015-02-08 10:10 - 00509440 _____ (Tech Support Guy System) C:\Users\Wendy\Downloads\SysInfo.exe
    2015-02-08 10:08 - 2015-02-09 14:08 - 00000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
    2015-02-08 09:20 - 2015-02-08 09:20 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\KeePass
    2015-02-08 09:13 - 2015-02-08 09:13 - 00001103 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass.lnk
    2015-02-08 09:13 - 2015-02-08 09:13 - 00000000 ____D () C:\Program Files (x86)\KeePass Password Safe
    2015-02-08 09:12 - 2015-02-08 09:13 - 01942105 _____ (Dominik Reichl ) C:\Users\Wendy\Downloads\KeePass-1.28-Setup.exe
    2015-02-08 09:10 - 2015-02-08 09:10 - 00000000 ____D () C:\ProgramData\c6c8997c00002766
    2015-02-08 09:08 - 2015-02-08 09:10 - 00000000 ____D () C:\Users\Wendy\AppData\Local\Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\WSE_Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\DigitalSites
    2015-02-08 09:07 - 2015-02-08 09:07 - 00783834 _____ (%VENDOR%) C:\Users\Wendy\Downloads\FileOpenerSetup.exe
    2015-02-07 07:56 - 2015-02-07 07:56 - 00116178 _____ () C:\Users\Wendy\Downloads\food (18).xlsx
    2015-02-06 16:54 - 2015-02-06 16:54 - 00032078 _____ () C:\Users\Wendy\Downloads\stuff (25).xlsx
    2015-01-29 19:19 - 2015-01-29 19:19 - 00111772 _____ () C:\Users\Wendy\Downloads\food (17).xlsx
    2015-01-29 19:18 - 2015-01-29 19:18 - 00032666 _____ () C:\Users\Wendy\Downloads\stuff (24).xlsx
    2015-01-23 17:59 - 2015-01-23 17:59 - 00111773 _____ () C:\Users\Wendy\Downloads\food (16).xlsx
    2015-01-23 16:46 - 2015-01-23 16:46 - 00032215 _____ () C:\Users\Wendy\Downloads\stuff (23).xlsx
    2015-01-20 06:20 - 2014-12-18 19:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
    2015-01-20 06:20 - 2014-12-18 17:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
    2015-01-20 06:20 - 2014-12-12 21:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
    2015-01-20 06:20 - 2014-12-12 19:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2015-01-20 06:20 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
    2015-01-20 06:20 - 2014-12-11 21:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
    2015-01-20 06:20 - 2014-12-11 21:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
    2015-01-20 06:20 - 2014-12-11 21:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
    2015-01-20 06:20 - 2014-12-11 21:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2015-01-20 06:20 - 2014-12-11 21:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2015-01-20 06:20 - 2014-12-11 21:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
    2015-01-20 06:20 - 2014-12-11 09:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
    2015-01-20 06:20 - 2014-12-05 20:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
    2015-01-20 06:20 - 2014-12-05 19:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
    2015-01-20 06:20 - 2014-12-05 19:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
    2015-01-20 06:20 - 2012-10-03 09:44 - 00216576 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
    2015-01-20 06:20 - 2012-10-03 09:44 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
    2015-01-17 20:59 - 2015-01-17 20:59 - 00111551 _____ () C:\Users\Wendy\Downloads\food (15).xlsx
    2015-01-15 22:45 - 2015-01-15 22:45 - 00063609 _____ () C:\Users\Wendy\Downloads\money (16).xlsx
    2015-01-15 19:07 - 2015-01-15 19:07 - 00031501 _____ () C:\Users\Wendy\Downloads\stuff (22).xlsx
    2015-01-14 21:12 - 2015-01-14 21:12 - 00029667 _____ () C:\Users\Wendy\Downloads\summit_expense_budget.xlsx
    2015-01-10 08:37 - 2015-01-10 08:37 - 00111263 _____ () C:\Users\Wendy\Downloads\food (14).xlsx
    2015-01-10 08:05 - 2015-01-10 08:05 - 00030791 _____ () C:\Users\Wendy\Downloads\stuff (21).xlsx

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-02-09 18:33 - 2014-01-17 08:19 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-02-09 18:33 - 2012-04-06 19:11 - 00000000 ____D () C:\ProgramData\NVIDIA
    2015-02-09 18:33 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-02-09 18:33 - 2009-07-13 20:51 - 00108477 _____ () C:\Windows\setupact.log
    2015-02-09 16:29 - 2012-09-18 18:21 - 00000177 ____H () C:\dvmexp.idx
    2015-02-09 16:29 - 2012-04-06 17:46 - 01532208 _____ () C:\Windows\WindowsUpdate.log
    2015-02-09 16:29 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-02-09 16:29 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-02-09 16:26 - 2014-01-17 08:19 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-02-09 14:11 - 2012-04-06 21:42 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2015-02-09 14:10 - 2009-07-13 21:13 - 00726444 _____ () C:\Windows\system32\PerfStringBackup.INI
    2015-02-08 09:21 - 2010-11-20 19:47 - 00010144 _____ () C:\Windows\PFRO.log
    2015-02-08 09:11 - 2012-10-21 19:07 - 00113148 _____ () C:\Users\Wendy\Desktop\food.xlsx
    2015-02-08 09:11 - 2012-04-07 08:40 - 00029788 _____ () C:\Users\Wendy\Desktop\stuff.xlsx
    2015-02-08 09:08 - 2014-01-17 08:21 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
    2015-02-05 06:08 - 2012-04-06 21:42 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-02-05 06:08 - 2012-04-06 21:42 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2015-02-05 06:08 - 2012-04-06 21:42 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
    2015-02-03 18:21 - 2014-01-17 08:19 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
    2015-02-03 18:21 - 2014-01-17 08:19 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
    2015-01-20 06:23 - 2013-11-18 06:37 - 00000000 ____D () C:\Windows\system32\MRT
    2015-01-20 06:20 - 2012-04-06 18:39 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2015-01-20 06:14 - 2012-06-17 19:02 - 00062039 _____ () C:\Users\Wendy\Desktop\money.xlsx

    ==================== Files in the root of some directories =======

    2015-02-08 10:08 - 2015-02-09 14:08 - 0000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
    2012-09-19 09:20 - 2013-02-02 13:15 - 0004096 _____ () C:\Users\Wendy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-04-07 00:17 - 2012-04-07 00:17 - 0007605 _____ () C:\Users\Wendy\AppData\Local\Resmon.ResmonCfg
    2014-02-02 09:10 - 2014-02-02 09:10 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

    Some content of TEMP:
    ====================
    C:\Users\Wendy\AppData\Local\Temp\converter.exe
    C:\Users\Wendy\AppData\Local\Temp\cstub.exe
    C:\Users\Wendy\AppData\Local\Temp\csvrelay32.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrelay64.dll
    C:\Users\Wendy\AppData\Local\Temp\csvrxul32.dll
    C:\Users\Wendy\AppData\Local\Temp\optprosetup.exe
    C:\Users\Wendy\AppData\Local\Temp\ose00000.exe
    C:\Users\Wendy\AppData\Local\Temp\_is5134.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2015-02-03 19:57

    ==================== End Of Log ============================
     
  9. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    SystemLook.txt:

    SystemLook 04.09.10 by jpshortstuff
    Log created at 18:48 on 09/02/2015 by Wendy
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "*taplika*"
    C:\FRST\Quarantine\C\Windows\System32\Tasks\Taplika.xBAD --a---- 3228 bytes [17:08 08/02/2015] [17:08 08/02/2015] 2C992BBCBFAFAC56B6DDBC63FA2F2395
    C:\FRST\Quarantine\C\Windows\Tasks\Taplika.job.xBAD --a---- 290 bytes [17:08 08/02/2015] [22:08 09/02/2015] D16E21F5E7CAB24B06B85C7002A7C8B5
    C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYW3JVPN\Taplika16x16[1].ico --a---- 1150 bytes [17:20 08/02/2015] [17:20 08/02/2015] 9407ADB543BB4EED6648A70CE43A7CAA
    C:\Users\Wendy\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\AJ6Q1KSN\taplika[1].xml --a---- 13 bytes [17:20 08/02/2015] [17:20 08/02/2015] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
    C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml --a---- 2787 bytes [18:08 08/02/2015] [18:08 08/02/2015] C8701A9D700FB20E08C735D042FBEC7B

    ========== folderfind ==========

    Searching for "*taplika*"
    C:\Users\Wendy\AppData\Local\Taplika d------ [17:08 08/02/2015]
    C:\Users\Wendy\AppData\Roaming\Taplika d------ [17:08 08/02/2015]
    C:\Users\Wendy\AppData\Roaming\WSE_Taplika d------ [17:08 08/02/2015]

    ========== regfind ==========

    Searching for "taplika"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "URL"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "TopResultURLFallback"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "FaviconPath"="C:\Program Files (x86)\WSE_Taplika\\FavIcon.ico"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    @="Taplika"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "DisplayName"="Taplika"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Taplika"="C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat""
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Taplika Browser]
    [HKEY_CURRENT_USER\Software\Taplika Browser]
    "UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
    [HKEY_CURRENT_USER\Software\Taplika Browser]
    "InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
    "AppPath"="C:\Program Files (x86)\WSE_Taplika\\"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
    "Taplika"="C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat""
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main]
    "Start Page"="http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "URL"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "TopResultURLFallback"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "FaviconPath"="C:\Program Files (x86)\WSE_Taplika\\FavIcon.ico"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    @="Taplika"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
    "DisplayName"="Taplika"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Taplika"="C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat""
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
    "UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
    "InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""

    -= EOF =-
     
  10. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    WendyM,
    --------------------------------------------------------
    Run A Fix With FRST
    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
    (Both on the Desktop is OK, or both in the same folder elsewhere)

    Run FRST64 and press the Fix button just once and wait. DO NOT PRESS THE SCAN BUTTON.
    If for some reason the tool needs a restart, please make sure you let the system restart normally.
    The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
    When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.

    askey127
     

    Attached Files:
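    The triage askey127 did by hand for the post above (pick out of the FRST log the RunOnce values, start pages and search scopes that belong to the hijacker, then paste those lines verbatim into fixlist.txt) can be scripted. The Python below is an added example for this page; it is not FRST's own code and not the fixlist that was attached to the post. It assumes only the FRST line formats visible in this thread: SAMPLE_LOG is copied from the FRST log above with the long taplika.com tracking parameters trimmed, and the indicator list, the reason strings and the heuristics are this example's own.

```python
"""Triage of Farbar Recovery Scan Tool (FRST) log lines for the persistence and
browser-hijack entries seen in this thread, and generation of a matching
fixlist.txt.  Added example, not FRST code; SAMPLE_LOG is trimmed from the thread."""
import ntpath
import re

# Microsoft script hosts.  A Run/RunOnce value that launches one of these deserves
# a look: the autostart is a signed Microsoft binary, the payload is a script.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

# Extensions the hosts pick an engine for by themselves.  Forcing one with
# /E:vbscript on another extension (.dat in this thread) disguises the payload.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")

# FRST line fragments that describe a browser's start page or search settings.
BROWSER_TAGS = (
    "Internet Explorer\\Main,Start Page", "SearchScopes:",
    "FF Homepage:", "FF DefaultSearchEngine:", "FF SelectedSearchEngine:",
    "FF SearchPlugin:", "CHR HomePage:", "CHR StartupUrls:",
    "CHR DefaultSearchKeyword:", "CHR DefaultSearchURL:",
)

# e.g.  HKLM-x32\...\RunOnce: [Taplika] => <command line>
AUTORUN_RE = re.compile(
    r"^(?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\.\\(?P<key>RunOnce|Run): "
    r"\[(?P<name>[^\]]*)\] => (?P<cmd>.+)$"
)
QUOTED_ARG_RE = re.compile(r'"([^"]+)"')
ENGINE_RE = re.compile(r"/E:(\w+)", re.IGNORECASE)

# Constructed from the FRST log in this thread; the cd= tracking blob is cut.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [TurboV] => C:\Program Files\ASUS\TurboV\TurboV.exe [5665280 2009-11-19] (ASUSTeK Computer Inc.)
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cr=1560535032&ir=
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}
FF DefaultSearchEngine: Taplika
CHR DefaultSearchKeyword: Default -> taplika.com
""".strip().splitlines()

INDICATORS = ("taplika",)  # hijacker name/domain as it appears in settings


def parse_autorun(line):
    """Return hive/key/name/cmd for a Run or RunOnce line, else None."""
    m = AUTORUN_RE.match(line.strip())
    return m.groupdict() if m else None


def autorun_reasons(entry):
    """Reasons an autorun entry deserves a second look (empty list = benign)."""
    cmd = entry["cmd"]
    low = cmd.lower()
    reasons = []
    host = next((h for h in SCRIPT_HOSTS if h in low), None)
    if host:
        reasons.append("launches script host " + host)
        engine = ENGINE_RE.search(cmd)
        if engine:
            reasons.append("forces engine /E:" + engine.group(1))
        for arg in QUOTED_ARG_RE.findall(cmd):
            ext = ntpath.splitext(arg)[1].lower()
            if ext and ext not in SCRIPT_EXTS:
                reasons.append("script payload has non-script extension " + ext)
    if "\\appdata\\" in low:
        reasons.append("runs from user-writable profile path")
    return reasons


def is_browser_hijack(line, indicators):
    """True for a browser-setting line that contains one of the indicators."""
    if not any(tag in line for tag in BROWSER_TAGS):
        return False
    return any(ind.lower() in line.lower() for ind in indicators)


def triage(lines, indicators):
    """Return [(line, reasons)] for each log line that belongs in a fixlist."""
    flagged = []
    for raw in lines:
        line = raw.strip()
        entry = parse_autorun(line)
        if entry:
            reasons = autorun_reasons(entry)
            if reasons:
                flagged.append((line, reasons))
        elif is_browser_hijack(line, indicators):
            flagged.append((line, ["browser setting names a listed indicator"]))
    return flagged


def build_fixlist(flagged):
    """An FRST fixlist is the offending log lines copied verbatim, one per line."""
    return "".join(line + "\n" for line, _ in flagged)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, INDICATORS)
    for line, reasons in hits:
        print(line[:72], "<-", "; ".join(reasons))
    print("--- fixlist.txt ---")
    print(build_fixlist(hits), end="")
```

    The TurboV Run value and the msn.com redirect cache pass; the Taplika RunOnce value collects four reasons (script host, forced engine, .dat payload, AppData path), and the IE, Firefox and Chrome settings are caught by the indicator match. The fixlist it writes has the same shape as the "Content of fixlist" block in the Fixlog that follows: FRST deletes or restores registry items and moves files and folders listed this way. Read the flagged lines before running a fix; the heuristics are deliberately broad, and FRST acts on every line it is handed.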

  11. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    Fixlog.txt:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
    Ran by Wendy at 2015-02-10 06:10:21 Run:2
    Running from C:\Users\Wendy\Desktop
    Loaded Profiles: Wendy (Available profiles: Wendy & UpdatusUser & Landon)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_1...1560535032&ir=
    SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    FF DefaultSearchEngine: Taplika
    FF SelectedSearchEngine: Taplika
    FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    FF SearchPlugin: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml
    CHR HomePage: Default -> hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    CHR StartupUrls: Default -> "hxxp://taplika.com/?f=7&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
    CHR DefaultSearchKeyword: Default -> taplika.com
    CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
    2015-02-08 09:08 - 2015-02-08 09:10 - 00000000 ____D () C:\Users\Wendy\AppData\Local\Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\WSE_Taplika
    2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\Taplika


    *****************

    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Taplika => value deleted successfully.
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Taplika => value deleted successfully.
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
    HKU\S-1-5-21-2245909474-2214454975-146711961-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    "HKU\S-1-5-21-2245909474-2214454975-146711961-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}" => Key deleted successfully.
    HKCR\CLSID\{BD2C78A5-3532-496F-826A-B07106B145CC} => Key not found.
    Firefox DefaultSearchEngine deleted successfully.
    Firefox SelectedSearchEngine deleted successfully.
    Firefox homepage deleted successfully.
    "C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\se archplugins\Taplika.xml" => not found.
    Chrome HomePage deleted successfully.
    Chrome StartupUrls deleted successfully.
    Chrome DefaultSearchKeyword deleted successfully.
    Chrome DefaultSearchURL deleted successfully.
    C:\Users\Wendy\AppData\Local\Taplika => Moved successfully.
    C:\Users\Wendy\AppData\Roaming\WSE_Taplika => Moved successfully.
    C:\Users\Wendy\AppData\Roaming\Taplika => Moved successfully.

    ==== End of Fixlog 06:10:22 ====
     
  12. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    WendyM,
    Good.

    Let's run SystemLook again:
    ---------------------------------------------
    • Double-click SystemLook_x64.exe to run it. OK the User Account Control.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *taplika*
      :folderfind
      *taplika*
      :regfind
      taplika
      
    • Click the Look button to start the scan.
      Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The results log can also be found on your Desktop, entitled SystemLook.txt
     
  13. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    SystemLook.txt

    SystemLook 04.09.10 by jpshortstuff
    Log created at 13:27 on 10/02/2015 by Wendy
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "*taplika*"
    C:\FRST\Quarantine\C\Windows\System32\Tasks\Taplika.xBAD --a---- 3228 bytes [17:08 08/02/2015] [17:08 08/02/2015] 2C992BBCBFAFAC56B6DDBC63FA2F2395
    C:\FRST\Quarantine\C\Windows\Tasks\Taplika.job.xBAD --a---- 290 bytes [17:08 08/02/2015] [22:08 09/02/2015] D16E21F5E7CAB24B06B85C7002A7C8B5
    C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYW3JVPN\Taplika16x16[1].ico --a---- 1150 bytes [17:20 08/02/2015] [17:20 08/02/2015] 9407ADB543BB4EED6648A70CE43A7CAA
    C:\Users\Wendy\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\AJ6Q1KSN\taplika[1].xml --a---- 13 bytes [17:20 08/02/2015] [17:20 08/02/2015] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
    C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml --a---- 2787 bytes [18:08 08/02/2015] [18:08 08/02/2015] C8701A9D700FB20E08C735D042FBEC7B

    ========== folderfind ==========

    Searching for "*taplika*"
    C:\FRST\Quarantine\C\Users\Wendy\AppData\Local\Taplika d------ [17:08 08/02/2015]
    C:\FRST\Quarantine\C\Users\Wendy\AppData\Roaming\Taplika d------ [17:08 08/02/2015]
    C:\FRST\Quarantine\C\Users\Wendy\AppData\Roaming\WSE_Taplika d------ [17:08 08/02/2015]

    ========== regfind ==========

    Searching for "taplika"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_CURRENT_USER\Software\Taplika Browser]
    [HKEY_CURRENT_USER\Software\Taplika Browser]
    "UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
    [HKEY_CURRENT_USER\Software\Taplika Browser]
    "InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
    "AppPath"="C:\Program Files (x86)\WSE_Taplika\\"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
    "Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
    "UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
    "InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""

    -= EOF =-
     
  14. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    WendyM,
    Home stretch here:
    ---------------------------------------------
    Download the OTL Scanner
    Please download OTL.exe by OldTimer and save it to your desktop.
    ----------------------------------------------
    Perform a Custom Fix with OTL
    Right click OTL on your desktop, and choose "Run as administrator" to open it.
    • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      Code:
      :Commands
      [CREATERESTOREPOINT]
      
      :Reg
      [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
      "Progid"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
      "Progid"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
      "Progid"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
      "Progid"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
      "Progid"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
      "Progid"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
      "Progid"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
      "Progid"=-
      [-HKEY_CURRENT_USER\Software\Taplika Browser]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
      "AppPath"=-
      [-HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
      "Progid"=-
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
      "Progid"=-
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
      "Progid"=-
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
      "Progid"=-
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
      "Progid"=-
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
      "Progid"=-
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
      "Progid"=-
      [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
      "Progid"=-
      "Progid"=-
      [-HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
      
      :Files
      ipconfig /flushdns /c
      
      :Commands
      [EMPTYTEMP]
      
    • Then click the Run Fix button at the top. DO NOT CLICK Run Scan
    • Let the program run unhindered, and click to allow the Reboot when it is done.
      When the computer Reboots, and you start your usual account, a Notepad text file will appear.
    • That is the FIX log file. Copy the contents of that file and post it in your next reply.
      It will also be available and named by timestamp here: C:\_OTL\Moved Files\mmddyyyy_hhmmss.log

    Then tell me how it's running.
    askey127
     
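The two helper posts above ask for a search (SystemLook over files, folders and the registry for *taplika*) and then a targeted registry clean-up (OTL). As an added example that is not part of this thread and is not code from FRST, SystemLook or OTL, here is a PowerShell audit that walks the same places for the same classes of leftover: Run/RunOnce autostarts, IE start page and search scopes, the UserChoice Progid hijack of .htm/.html and http/https/ftp, the IE Low Rights elevation policy, scheduled task files, and the on-disk folders and browser settings files. It only reports. It assumes an elevated Windows PowerShell on Windows 7 or later; the -Pattern parameter, the Find-HijackResidue.ps1 file name, the "autostart?" heuristic and the output format are my choices, not anything the tools in the thread do.

```powershell
# Added example, not from the thread and not part of FRST, SystemLook or OTL:
# a read-only audit for the classes of leftover those tools were asked to find.
# Assumptions (mine): elevated Windows PowerShell on Windows 7 or later; -Pattern
# is the hijacker's name as a regex (-match is case-insensitive); it never deletes.
param([string]$Pattern = 'taplika')

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add(("{0,-11} {1}" -f $Kind, $Detail))
}

# Loaded per-user hives. HKCU is only a link to HKEY_USERS\<SID> of the logged-on
# user, so walking every S-1-5-21-* hive also covers the other accounts on the box.
$userSoftware = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\Software" }
$noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run / RunOnce autostarts: native and Wow6432Node views plus every user hive.
#    Flag values naming the hijacker, and (heuristic) any value that starts
#    wscript/cscript with a forced engine (/E:vbscript) so the payload can hide
#    behind a non-script extension such as .dat.
$bases = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') + @($userSoftware)
foreach ($base in $bases) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$base\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($noise -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            if ($cmd -match $Pattern) {
                Add-Finding 'autostart' "$key\$($p.Name) = $cmd"
            } elseif ($cmd -match '\b[wc]script(\.exe)?\b.*\s/E:') {
                Add-Finding 'autostart?' "$key\$($p.Name) = $cmd"
            }
        }
    }
}

# 2. Per-user browser plumbing in the registry: IE start page and search scopes,
#    and the UserChoice Progid for .htm/.html and http/https/ftp, which a hijacker
#    sets so every web link opens in its own browser build.
foreach ($sw in $userSoftware) {
    $ie = "$sw\Microsoft\Internet Explorer"
    $start = (Get-ItemProperty "$ie\Main" -ErrorAction SilentlyContinue).'Start Page'
    if ($start -match $Pattern) { Add-Finding 'ie-home' "$ie\Main : Start Page = $start" }
    Get-ChildItem "$ie\SearchScopes" -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        if ($url -match $Pattern) { Add-Finding 'ie-search' "$($_.Name) : URL = $url" }
    }
    foreach ($root in "$sw\Microsoft\Windows\CurrentVersion\Explorer\FileExts",
                      "$sw\Microsoft\Windows\Shell\Associations\UrlAssociations") {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $progid = (Get-ItemProperty "$($_.PSPath)\UserChoice" -ErrorAction SilentlyContinue).Progid
            if ($progid -match $Pattern) { Add-Finding 'assoc' "$($_.Name)\UserChoice : Progid = $progid" }
        }
    }
}

# 3. IE Protected Mode elevation policy: an entry here lets a program start from
#    the low-integrity browser without the usual prompt. Check key and subkeys.
foreach ($ep in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy') {
    $keys = @(Get-Item $ep -ErrorAction SilentlyContinue) + @(Get-ChildItem $ep -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        if (-not $k) { continue }
        $v = Get-ItemProperty $k.PSPath
        if ("$($v.AppPath) $($v.AppName)" -match $Pattern) {
            Add-Finding 'elevation' "$($k.Name) : AppPath = $($v.AppPath) AppName = $($v.AppName)"
        }
    }
}

# 4. Scheduled task definitions (XML under System32\Tasks, legacy .job files;
#    Windows 7 has no Get-ScheduledTask), matched on file name or content.
Get-ChildItem "$env:windir\System32\Tasks", "$env:windir\Tasks" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        if ($_.Name -match $Pattern -or (Select-String -Path $_.FullName -Pattern $Pattern -Quiet)) {
            Add-Finding 'task' $_.FullName
        }
    }

# 5. Files/folders by name under the usual drop zones (the slow part), then the
#    browser settings files by content: Chrome JSON prefs, Firefox prefs.js and
#    searchplugins, i.e. what FRST reads for its CHR/FF lines.
$zones = @("$env:SystemDrive\Users", $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
Get-ChildItem $zones -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern } | ForEach-Object { Add-Finding 'file' $_.FullName }
$u = "$env:SystemDrive\Users\*\AppData"
Get-ChildItem "$u\Local\Google\Chrome\User Data\*\Preferences", "$u\Local\Google\Chrome\User Data\*\Secure Preferences",
              "$u\Roaming\Mozilla\Firefox\Profiles\*\prefs.js", "$u\Roaming\Mozilla\Firefox\Profiles\*\searchplugins\*.xml" `
    -ErrorAction SilentlyContinue | ForEach-Object {
        if (Select-String -Path $_.FullName -Pattern $Pattern -Quiet) { Add-Finding 'browser' $_.FullName }
    }

if ($findings.Count -eq 0) { "No '$Pattern' residue found." } else { $findings | Sort-Object -Unique }
```

Save it as Find-HijackResidue.ps1 and run `powershell -ExecutionPolicy Bypass -File .\Find-HijackResidue.ps1 -Pattern taplika` from an elevated prompt, then read the list before deleting anything. The "autostart?" line is a heuristic: a RunOnce value that runs wscript.exe /E:vbscript on a file that is not a .vbs is the shape of the Taplika entry in the FRST log, but on its own it is not proof. Two cautions this thread illustrates: HKEY_CURRENT_USER and HKEY_USERS\<SID> are the same hive for the logged-on user, so a key deleted through one is reported "not found" through the other; and a registry or file path copied out of a soft-wrapped web page can carry a stray space that matches nothing, so treat a "not found" in a fix log as something to re-check against the path you actually pasted rather than as proof the item is gone.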
  15. WendyM

    WendyM Retired Trusted Advisor Thread Starter

    Joined:
    Jun 27, 2003
    Messages:
    4,042
    FIX log file:

    All processes killed
    ========== COMMANDS ==========
    Restore point Set: OTL Restore Point
    ========== REGISTRY ==========
    Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com\ deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\\Progid deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\\Progid deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice\\Progid deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice\\Progid deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice\\Progid deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\\Progid deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\\Progid deleted successfully.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\\Progid deleted successfully.
    Registry key HKEY_CURRENT_USER\Software\Taplika Browser\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\\AppPath deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com\ not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserC hoice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\User Choice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\Use rChoice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserC hoice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\Use rChoice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\User Choice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\Use rChoice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\Us erChoice not found.
    Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser\ not found.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Wendy\Desktop\cmd.bat deleted successfully.
    C:\Users\Wendy\Desktop\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Landon
    ->Temp folder emptied: 1011785 bytes
    ->Temporary Internet Files folder emptied: 6263468 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 598 bytes

    User: Public

    User: UpdatusUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Wendy
    ->Temp folder emptied: 391364300 bytes
    ->Temporary Internet Files folder emptied: 527257150 bytes
    ->Java cache emptied: 1658827 bytes
    ->FireFox cache emptied: 429397855 bytes
    ->Google Chrome cache emptied: 434037821 bytes
    ->Flash cache emptied: 74448 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 683848657 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 43274757 bytes
    RecycleBin emptied: 2873786506 bytes

    Total Files Cleaned = 5,142.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 02102015_151946

    Files\Folders moved on Reboot...
    C:\Users\Wendy\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
Short URL to this thread: https://techguy.org/1142710