Wife's computer hijacked


WendyM

Thread Starter
Retired Trusted Advisor
Joined
Jun 27, 2003
Messages
4,042
Sorry for the profile confusion, cristobal03 here. Wendy accidentally clicked a download button off sourceforge this morning and now her machine is definitely hijacked. RunOnce.exe is hanging the startup sequence, and all the browsers now show taplika.com as the home page. Search results are returning through a Yahoo! look-alike. This one seems non-trivial, so I'd appreciate assistance, much thanks. Here's the sysinfo:

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz, Intel64 Family 6 Model 26 Stepping 5
Processor Count: 8
RAM: 6135 Mb
Graphics Card: NVIDIA GeForce GTX 460, 1024 Mb
Hard Drives: C: Total - 152524 MB, Free - 78926 MB; D: Total - 1907726 MB, Free - 1801020 MB;
Motherboard: ASUSTeK Computer INC., P6T6 WS REVOLUTION
Antivirus: Microsoft Security Essentials, Updated and Enabled
 

askey127

Malware Specialist
Joined
Dec 22, 2006
Messages
3,722
Hi WendyM/cristobal03,
(If necessary, download this to a flash drive and transfer it to the desktop of the hijacked machine to run it.)
-----------------------------------------------------------
Download and Run the Farbar Scan Tool
  • Download FRST64 and save to your Desktop.
  • Double click Frst64.exe to launch it.
  • FRST64 will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning, 2 logs will open on your Desktop, FRST.txt and Addition.txt
    • Please post them in your next reply.
If you lose track of them, they will be saved in the same location as FRST64.exe
Feel free to use separate replies if it's more convenient.

askey127
 

WendyM

Thread Starter
Retired Trusted Advisor
Joined
Jun 27, 2003
Messages
4,042
FRST.txt:



Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
Ran by Wendy (administrator) on CHARLIE on 09-02-2015 14:10:00
Running from C:\Users\Wendy\Desktop
Loaded Profiles: Wendy (Available profiles: Wendy & UpdatusUser & Landon)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(DeviceVM) C:\ASUS.SYS\config\DVMExportService.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(ASUSTeK Computer Inc.) C:\Program Files\ASUS\Six Engine\SixEngine.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
(Microsoft Corporation) C:\Program Files\Zune\ZuneLauncher.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
(CANON INC.) C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
(Apple Inc.) D:\Program Files (x86)\iTunes\iTunesHelper.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(ASUSTeK Computer Inc.) C:\Program Files\ASUS\TurboV\TurboV.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\acrotray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [SoundMAX] => C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe [3866624 2009-05-18] (Analog Devices, Inc.)
HKLM-x32\...\Run: [IJNetworkScanUtility] => C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => D:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2009-06-05] (Analog Devices, Inc.)
HKLM-x32\...\Run: [TurboV] => C:\Program Files\ASUS\TurboV\TurboV.exe [5665280 2009-11-19] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Acrobat Assistant 7.0] => C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [483328 2004-12-14] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {096d79b6-b27f-11e2-b5c9-bcaec54497a8} - H:\LaunchU3.exe
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {96ccee42-97ee-11e1-aed0-bcaec54497a8} - G:\TL-Bootstrap.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_...G0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {589B893E-773C-4941-88C2-0DCC718E621C} URL =
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
DPF: HKLM-x32 {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} https://webvpn.treasurer.ca.gov/+CSCOL+/csvrloader32.cab
DPF: HKLM-x32 {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} https://webvpn.treasurer.ca.gov/CACHE/sdesktop/install/binaries/instweb.cab
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default
FF DefaultSearchEngine: Taplika
FF SelectedSearchEngine: Taplika
FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\user.js
FF SearchPlugin: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml
FF Extension: Adblock Plus - C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-04-07]
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR HomePage: Default -> hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
CHR StartupUrls: Default -> "hxxp://taplika.com/?f=7&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
CHR DefaultSearchKeyword: Default -> taplika.com
CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Profile: C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-17]
CHR Extension: (Google Drive) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-17]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (YouTube) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-17]
CHR Extension: (Google Search) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-17]
CHR Extension: (Google Wallet) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-17]
CHR Extension: (Gmail) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-17]
CHR HKLM\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
CHR HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
CHR HKLM-x32\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
StartMenuInternet: Google Chrome - chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2009-06-05] (Andrea Electronics Corporation)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-08-19] (ASUSTeK Computer Inc.) [File not signed]
R2 DvmMDES; C:\ASUS.SYS\config\DVMExportService.exe [294912 2009-04-10] (DeviceVM) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-03] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
R0 mv61xx; C:\Windows\System32\DRIVERS\mv61xx.sys [179752 2009-08-05] (Marvell Semiconductor, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-09 14:10 - 2015-02-09 14:10 - 00015632 _____ () C:\Users\Wendy\Desktop\FRST.txt
2015-02-09 14:09 - 2015-02-09 14:10 - 00000000 ____D () C:\FRST
2015-02-09 14:09 - 2015-02-09 14:08 - 02132992 _____ (Farbar) C:\Users\Wendy\Desktop\FRST64.exe
2015-02-08 10:24 - 2015-02-08 10:24 - 00011224 _____ () C:\Users\Wendy\Downloads\hijackthis.log
2015-02-08 10:23 - 2015-02-08 10:23 - 00388608 _____ (Trend Micro Inc.) C:\Users\Wendy\Downloads\HijackThis.exe
2015-02-08 10:10 - 2015-02-08 10:10 - 00509440 _____ (Tech Support Guy System) C:\Users\Wendy\Downloads\SysInfo.exe
2015-02-08 10:08 - 2015-02-09 14:08 - 00000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
2015-02-08 09:20 - 2015-02-08 09:20 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\KeePass
2015-02-08 09:13 - 2015-02-08 09:13 - 00001103 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass.lnk
2015-02-08 09:13 - 2015-02-08 09:13 - 00000000 ____D () C:\Program Files (x86)\KeePass Password Safe
2015-02-08 09:12 - 2015-02-08 09:13 - 01942105 _____ (Dominik Reichl ) C:\Users\Wendy\Downloads\KeePass-1.28-Setup.exe
2015-02-08 09:10 - 2015-02-08 09:10 - 00000000 ____D () C:\ProgramData\c6c8997c00002766
2015-02-08 09:08 - 2015-02-09 14:08 - 00000290 _____ () C:\Windows\Tasks\Taplika.job
2015-02-08 09:08 - 2015-02-08 09:10 - 00000000 ____D () C:\Users\Wendy\AppData\Local\Taplika
2015-02-08 09:08 - 2015-02-08 09:09 - 00003230 _____ () C:\Windows\System32\Tasks\Digital Sites
2015-02-08 09:08 - 2015-02-08 09:09 - 00000292 _____ () C:\Windows\Tasks\Digital Sites.job
2015-02-08 09:08 - 2015-02-08 09:08 - 00003228 _____ () C:\Windows\System32\Tasks\Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\WSE_Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\DigitalSites
2015-02-08 09:07 - 2015-02-08 09:07 - 00783834 _____ (%VENDOR%) C:\Users\Wendy\Downloads\FileOpenerSetup.exe
2015-02-07 07:56 - 2015-02-07 07:56 - 00116178 _____ () C:\Users\Wendy\Downloads\food (18).xlsx
2015-02-06 16:54 - 2015-02-06 16:54 - 00032078 _____ () C:\Users\Wendy\Downloads\stuff (25).xlsx
2015-01-29 19:19 - 2015-01-29 19:19 - 00111772 _____ () C:\Users\Wendy\Downloads\food (17).xlsx
2015-01-29 19:18 - 2015-01-29 19:18 - 00032666 _____ () C:\Users\Wendy\Downloads\stuff (24).xlsx
2015-01-23 17:59 - 2015-01-23 17:59 - 00111773 _____ () C:\Users\Wendy\Downloads\food (16).xlsx
2015-01-23 16:46 - 2015-01-23 16:46 - 00032215 _____ () C:\Users\Wendy\Downloads\stuff (23).xlsx
2015-01-20 06:20 - 2014-12-18 19:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-20 06:20 - 2014-12-18 17:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-20 06:20 - 2014-12-12 21:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-01-20 06:20 - 2014-12-12 19:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-01-20 06:20 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-20 06:20 - 2014-12-11 21:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-20 06:20 - 2014-12-11 21:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-20 06:20 - 2014-12-11 21:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-20 06:20 - 2014-12-11 21:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-20 06:20 - 2014-12-11 21:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-20 06:20 - 2014-12-11 21:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-20 06:20 - 2014-12-11 09:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-20 06:20 - 2014-12-05 20:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-20 06:20 - 2014-12-05 19:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-20 06:20 - 2014-12-05 19:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-20 06:20 - 2012-10-03 09:44 - 00216576 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-20 06:20 - 2012-10-03 09:44 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-01-17 20:59 - 2015-01-17 20:59 - 00111551 _____ () C:\Users\Wendy\Downloads\food (15).xlsx
2015-01-15 22:45 - 2015-01-15 22:45 - 00063609 _____ () C:\Users\Wendy\Downloads\money (16).xlsx
2015-01-15 19:07 - 2015-01-15 19:07 - 00031501 _____ () C:\Users\Wendy\Downloads\stuff (22).xlsx
2015-01-14 21:12 - 2015-01-14 21:12 - 00029667 _____ () C:\Users\Wendy\Downloads\summit_expense_budget.xlsx
2015-01-10 08:37 - 2015-01-10 08:37 - 00111263 _____ () C:\Users\Wendy\Downloads\food (14).xlsx
2015-01-10 08:05 - 2015-01-10 08:05 - 00030791 _____ () C:\Users\Wendy\Downloads\stuff (21).xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-09 14:09 - 2012-04-06 17:46 - 01492835 _____ () C:\Windows\WindowsUpdate.log
2015-02-09 14:08 - 2009-07-13 21:13 - 00726444 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-09 14:07 - 2009-07-13 20:51 - 00108309 _____ () C:\Windows\setupact.log
2015-02-09 14:06 - 2014-01-17 08:19 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-09 14:05 - 2012-04-06 19:11 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-09 14:05 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-08 10:18 - 2012-09-18 18:21 - 00000177 ____H () C:\dvmexp.idx
2015-02-08 10:13 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-08 10:13 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-08 10:11 - 2012-04-06 21:42 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-08 09:21 - 2010-11-20 19:47 - 00010144 _____ () C:\Windows\PFRO.log
2015-02-08 09:11 - 2012-10-21 19:07 - 00113148 _____ () C:\Users\Wendy\Desktop\food.xlsx
2015-02-08 09:11 - 2012-04-07 08:40 - 00029788 _____ () C:\Users\Wendy\Desktop\stuff.xlsx
2015-02-08 09:08 - 2014-01-17 08:21 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-08 08:26 - 2014-01-17 08:19 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-05 06:08 - 2012-04-06 21:42 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 06:08 - 2012-04-06 21:42 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-05 06:08 - 2012-04-06 21:42 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-03 18:21 - 2014-01-17 08:19 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-03 18:21 - 2014-01-17 08:19 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-20 06:23 - 2013-11-18 06:37 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-20 06:20 - 2012-04-06 18:39 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-20 06:14 - 2012-06-17 19:02 - 00062039 _____ () C:\Users\Wendy\Desktop\money.xlsx

==================== Files in the root of some directories =======

2015-02-08 10:08 - 2015-02-09 14:08 - 0000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
2012-09-19 09:20 - 2013-02-02 13:15 - 0004096 _____ () C:\Users\Wendy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-07 00:17 - 2012-04-07 00:17 - 0007605 _____ () C:\Users\Wendy\AppData\Local\Resmon.ResmonCfg
2014-02-02 09:10 - 2014-02-02 09:10 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Some content of TEMP:
====================
C:\Users\Wendy\AppData\Local\Temp\converter.exe
C:\Users\Wendy\AppData\Local\Temp\CSDJavaInstaller.dll
C:\Users\Wendy\AppData\Local\Temp\cstub.exe
C:\Users\Wendy\AppData\Local\Temp\csvrelay32.dll
C:\Users\Wendy\AppData\Local\Temp\csvrelay64.dll
C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader32.dll
C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader64.dll
C:\Users\Wendy\AppData\Local\Temp\csvrxul32.dll
C:\Users\Wendy\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\optprosetup.exe
C:\Users\Wendy\AppData\Local\Temp\ose00000.exe
C:\Users\Wendy\AppData\Local\Temp\_is5134.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-03 19:57

==================== End Of Log ============================
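The FRST.txt above contains the textbook signs of a browser hijacker: a RunOnce entry that launches wscript.exe with a forced VBScript engine against a .dat file under the user's AppData, every browser's home page and search provider pointing at taplika.com, and a Chrome extension registered in the registry with no install path. The script below is an added example, not part of this thread and not a feature of FRST or of askey127's procedure; it shows how a defender can triage an FRST log mechanically by scanning the Registry and Internet sections for those three patterns. The sample lines are constructed from the format of the log above (URLs shortened, SID replaced), and the allowlist of expected home-page hosts (KNOWN_HOME_HOSTS) is an assumption you would adjust to the machine being examined.

```python
"""Triage FRST.txt-style output for browser-hijacker indicators (added example)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the FRST.txt format in this thread; URLs shortened.
SAMPLE_LOG = r"""
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk
HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {589B893E-773C-4941-88C2-0DCC718E621C} URL =
CHR HomePage: Default -> hxxp://taplika.com/?f=1&a=tlk
CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}
FF Homepage: hxxp://www.msn.com/
CHR HKLM\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
"""

# Hosts the browsers on this machine are expected to use as home/search pages (assumed allowlist).
KNOWN_HOME_HOSTS = {"www.msn.com", "msn.com", "www.google.com", "google.com", "www.bing.com", "bing.com"}
# Script/LOLBin hosts that rarely belong in a Run/RunOnce value on a home PC.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe")
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "ps1", "hta"}

RUN_RE = re.compile(r'^(HK[^:]*?)\\\.\.\.\\(Run|RunOnce): \[([^\]]*)\] => (.*)$')
URL_RE = re.compile(
    r'(?:Start Page|HomePage|Homepage|StartupUrls|DefaultSearchURL|URL)'
    r'(?:\s*:\s*Default\s*->|\s*=|\s*->|\s*:)\s*"?(hxxps?|https?)://([^/\s"?]+)')
EXT_RE = re.compile(r'^CHR .*Chrome\\Extension: \[([a-p]{32})\] - No Path$')


@dataclass
class Finding:
    severity: str   # high / medium / low
    where: str      # which autorun key or browser setting
    reason: str     # why it was flagged
    evidence: str   # the original log text


def check_run_entry(hive, key, name, cmd):
    """Flag autorun values that use a script host or point at a payload in the user profile."""
    low = cmd.lower()
    if cmd.strip() == "[X]" or not name.strip():
        return Finding("low", f"{hive}\\{key}", "empty or orphaned autorun entry (file missing)", cmd)
    host = next((h for h in SCRIPT_HOSTS if h in low), None)
    if host is None:
        return None
    notes = [f"{host} used as autorun launcher"]
    quoted = re.search(r'"([^"]+)"', cmd)
    target = quoted.group(1) if quoted else cmd.split()[-1]
    if "\\appdata\\" in target.lower():
        notes.append("payload lives under the user profile (AppData)")
    ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    if ext not in SCRIPT_EXTS:
        notes.append(f"payload extension .{ext} is not a script type"
                     + (", engine forced with /E: on the command line" if "/e:" in low else ""))
    return Finding("high" if len(notes) > 1 else "medium", f"{hive}\\{key} [{name}]", "; ".join(notes), cmd)


def scan_frst(text):
    """Walk the log line by line and collect Findings for the three hijack patterns."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            f = check_run_entry(*m.groups())
            if f:
                findings.append(f)
            continue
        m = EXT_RE.match(line)
        if m:
            findings.append(Finding("medium", "Chrome extension policy",
                                    f"extension {m.group(1)} registered in the registry with no install path", line))
            continue
        m = URL_RE.search(line)
        if m:
            host = m.group(2).lower()   # hxxp defanging is tolerated by the regex
            if host not in KNOWN_HOME_HOSTS:
                findings.append(Finding("high", "browser start/search",
                                        f"home page or search provider points to unexpected host {host}", line))
    return findings


def summarize(findings):
    """Count findings per severity so a log can be triaged at a glance."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in scan_frst(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.where}: {f.reason}\n         {f.evidence[:110]}")
    print(summarize(scan_frst(SAMPLE_LOG)))
```

Run it as a script to see the flagged lines; to use it on a real log, read FRST.txt into a string and pass it to scan_frst. The three checks mirror what a malware specialist reads off the log by hand: the RunOnce line scores highest because it combines a script host, an AppData payload, and a non-script extension that only runs because /E:vbscript overrides the file-type association; the browser checks simply compare the configured host against what the machine is expected to use, which is the same judgement the log's whitelisting leaves to the reader.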
 

WendyM

Thread Starter
Retired Trusted Advisor
Joined
Jun 27, 2003
Messages
4,042
Addition.txt



Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-02-2015
Ran by Wendy at 2015-02-09 14:10:22
Running from C:\Users\Wendy\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat 7.0 Professional - English, Français, Deutsch (HKLM-x32\...\Adobe Acrobat 7.0 Professional - English, Français, Deutsch - V) (Version: 7.0.0 - Adobe Systems)
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{122ADF8C-DDA1-480C-9936-C88F2825B265}) (Version: 2.1.9 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}) (Version: 5.2.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Canon IJ Network Scan Utility (HKLM-x32\...\Canon_IJ_Network_Scan_UTILITY) (Version: - )
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version: - )
Canon MG5200 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG5200_series) (Version: - )
Canon MP Navigator EX 4.0 (HKLM-x32\...\MP Navigator EX 4.0) (Version: - )
CoH Subscriber Beta (HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\NCsoft-CoHBeta) (Version: - NCsoft)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
EPU-6 Engine (HKLM-x32\...\{56B83336-FBC1-4C46-8613-90A9E3B440D6}) (Version: 1.03.02 - )
Express Gate (HKLM-x32\...\{99AD9D6D-A456-49EE-8360-F22EE7AA1272}) (Version: 1.4.10.3 - DeviceVM, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Host OpenAL (ADI) (HKLM-x32\...\Host OpenAL (ADI)) (Version: - )
iTunes (HKLM\...\{840A3BAA-4C68-4581-9C7A-6F8D6CF531B9}) (Version: 10.6.3.25 - Apple Inc.)
Java 7 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.510 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
KeePass Password Safe 1.28 (HKLM-x32\...\KeePass Password Safe_is1) (Version: 1.28 - Dominik Reichl)
marvell 61xx (HKLM-x32\...\mv61xxDriver) (Version: 1.2.0.7100 - Marvell)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Mozilla Firefox 30.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 30.0 (x86 en-US)) (Version: 30.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
NVIDIA 3D Vision Controller Driver 296.10 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 296.10 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 311.06 - NVIDIA Corporation)
NVIDIA Graphics Driver 311.06 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 311.06 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.12.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.12.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.12.0213 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0213 - NVIDIA Corporation)
NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation)
Path of Exile (HKLM-x32\...\{90A4562F-D4A1-4B65-906D-41F236CF6902}) (Version: 0.9.12.19242 - Grinding Gear Games)
Realtek 8136 8168 8169 Ethernet Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0005 - Realtek)
SoundMAX (HKLM-x32\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.2.6585 - Analog Devices)
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboV (HKLM-x32\...\{A31951C5-DCD8-4DFE-A525-CFC701F54792}) (Version: 1.02.02 - )
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

09-01-2015 22:13:49 Windows Update
13-01-2015 18:17:59 Windows Update
17-01-2015 07:18:35 Windows Update
20-01-2015 06:20:17 Windows Update
24-01-2015 07:36:49 Windows Update
27-01-2015 19:54:08 Windows Update
30-01-2015 20:08:30 Windows Update
03-02-2015 18:31:02 Windows Update
06-02-2015 19:21:26 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {01CA898F-1CC1-463B-8274-75C640BC61FC} - System32\Tasks\CohNoUac => D:\Program Files\NCSoft\Launcher\NCLauncher.exe [2012-07-22] (NCSoft)
Task: {07F93A40-114A-4A39-8294-B390862ADC69} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-02-05] (Adobe Systems Incorporated)
Task: {145D8540-47A2-443C-BF94-53A33CB25252} - System32\Tasks\Digital Sites => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {365C209A-7068-4220-8320-D71BF42CE6A3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC} - System32\Tasks\Taplika => C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\UpdateTask.exe [2015-02-08] () <==== ATTENTION
Task: {4E06F925-D66C-4594-9E9E-1093F44838E8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-17] (Google Inc.)
Task: {979A6B1D-F713-40E5-83F6-4BF1C0325F3D} - System32\Tasks\CohBetaNoUac => D:\Program Files\NCSoft\Launcher\NCLauncher.exe [2012-07-22] (NCSoft)
Task: {B0716E53-DF8A-42FE-B306-17919FFE5616} - System32\Tasks\ASUS\ASUS SIX Engine => C:\Program Files\ASUS\Six Engine\SixEngine.exe [2009-11-26] (ASUSTeK Computer Inc.)
Task: {F1EF18E2-048E-4BF2-848E-BED481C0EBD9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-17] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Taplika.job => C:\Users\Wendy\AppData\Roaming\Taplika\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

==================== Loaded Modules (whitelisted) ==============

2012-11-07 17:48 - 2012-10-04 19:49 - 00087152 _____ () C:\Windows\System32\cpwmon64.dll
2012-05-30 19:06 - 2012-05-30 19:06 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2012-05-30 19:06 - 2012-05-30 19:06 - 01242512 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2012-09-18 17:53 - 2009-04-22 19:20 - 00179712 _____ () C:\Program Files\ASUS\Six Engine\ASUSSERVICE.DLL
2012-09-18 17:53 - 2009-08-27 18:41 - 00565248 _____ () C:\Program Files\ASUS\Six Engine\pngio.dll
2012-09-18 17:53 - 2009-08-27 18:41 - 00053248 _____ () C:\Program Files\ASUS\Six Engine\AsSpindownTimeout.dll
2012-09-18 17:53 - 2008-12-10 19:27 - 00565248 _____ () C:\Program Files\ASUS\TurboV\pngio.dll
2012-09-18 17:53 - 2009-10-26 13:52 - 00135680 _____ () C:\Program Files\ASUS\TurboV\TVOCLIB.DLL

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION!

==================== Other Registry Areas =====================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Wendy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-2245909474-2214454975-146711961-500 - Administrator - Disabled)
Guest (S-1-5-21-2245909474-2214454975-146711961-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2245909474-2214454975-146711961-1002 - Limited - Enabled)
Landon (S-1-5-21-2245909474-2214454975-146711961-1004 - Limited - Enabled) => C:\Users\Landon
UpdatusUser (S-1-5-21-2245909474-2214454975-146711961-1003 - Limited - Enabled) => C:\Users\UpdatusUser
Wendy (S-1-5-21-2245909474-2214454975-146711961-1001 - Administrator - Enabled) => C:\Users\Wendy

==================== Faulty Device Manager Devices =============

Name: RAID Controller
Description: RAID Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/09/2015 02:07:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/08/2015 10:21:42 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/08/2015 10:07:37 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/08/2015 09:59:13 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/08/2015 09:28:50 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/08/2015 09:08:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: uninstaller.exe, version: 0.0.0.0, time stamp: 0x2a425e19
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0002df0b
Faulting process id: 0x1ad8
Faulting application start time: 0xuninstaller.exe0
Faulting application path: uninstaller.exe1
Faulting module path: uninstaller.exe2
Report Id: uninstaller.exe3

Error: (02/07/2015 00:39:05 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 8237

Error: (02/07/2015 00:39:05 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 8237

Error: (02/07/2015 00:39:05 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (02/06/2015 06:10:47 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5991


System errors:
=============
Error: (02/09/2015 02:08:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The NVIDIA Update Service Daemon service failed to start due to the following error:
%%1069

Error: (02/09/2015 02:08:00 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:
%%1330

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (02/08/2015 10:28:36 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.191.4348.0

Update Source: %NT AUTHORITY59

Update Stage: 4.6.0305.00

Source Path: 4.6.0305.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\SYSTEM

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608

Error: (02/08/2015 10:28:36 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084wuauserv{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (02/08/2015 10:26:44 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068BITS{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (02/08/2015 10:20:27 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (02/08/2015 10:20:26 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (02/08/2015 10:20:25 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (02/08/2015 10:20:20 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (02/08/2015 10:20:10 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AsIO
discache
MpFilter
spldr
Wanarpv6


Microsoft Office Sessions:
=========================
Error: (01/31/2015 04:14:17 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6713.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 110623 seconds with 240 seconds of active time. This session ended with a crash.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7 CPU 960 @ 3.20GHz
Percentage of memory in use: 36%
Total physical RAM: 6135.12 MB
Available physical RAM: 3910.25 MB
Total Pagefile: 12268.42 MB
Available Pagefile: 9924.46 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:148.95 GB) (Free:76.74 GB) NTFS
Drive d: (DataDrive) (Fixed) (Total:1863.01 GB) (Free:1758.81 GB) NTFS
Drive f: (FIXER) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 5867890F)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 9DACBE37)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1.9 GB) (Disk ID: 026C93EB)
Partition 1: (Active) - (Size=1.9 GB) - (Type=0B)

==================== End Of Log ============================
 

askey127

Malware Specialist
WendyM,
Be aware that Adobe Acrobat Pro 7 is VERY vulnerable to infections, especially if you allow internet PDFs to be opened by that program.
Best to check every online PDF by right clicking and scanning with AV before using that program.
I didn't recommend removing it, but I'm biting my lip.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Programs and Features
Click this entry, if it exists, choose Uninstall, and give permission to Continue:

Java 7 Update 51

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
--------------------------------------------------------
Run A Fix With FRST
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
(Both on the Desktop is OK, or both in the same folder elsewhere)

Run FRST64 and press the Fix button just once and wait. DO NOT PRESS THE SCAN BUTTON.
If for some reason the tool needs a restart, please make sure you let the system restart normally.
The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.

askey127
 


WendyM

Thread Starter
Retired Trusted Advisor
Fixlog.txt



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
Ran by Wendy at 2015-02-09 16:26:28 Run:1
Running from C:\Users\Wendy\Desktop
Loaded Profiles: Wendy (Available profiles: Wendy & UpdatusUser & Landon)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Task: {145D8540-47A2-443C-BF94-53A33CB25252} - System32\Tasks\Digital Sites => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC} - System32\Tasks\Taplika => C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\UpdateTask.exe [2015-02-08] () <==== ATTENTION
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\Taplika.job => C:\Users\Wendy\AppData\Roaming\Taplika\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile: "%1" %* <===== ATTENTION!
HKLM-x32\...\Run: [Acrobat Assistant 7.0] => C:\Program Files (x86)\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [483328 2004-12-14] (Adobe Systems Inc.)
HKLM-x32\...\Run: [] => [X]
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
C:\Users\Wendy\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
C:\Users\Wendy\AppData\Local\Temp\CSDJavaInstaller.dll
C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader32.dll
C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader64.dll

*****************

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{145D8540-47A2-443C-BF94-53A33CB25252}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{145D8540-47A2-443C-BF94-53A33CB25252}" => Key deleted successfully.
C:\Windows\System32\Tasks\Digital Sites => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Digital Sites" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC}" => Key deleted successfully.
C:\Windows\System32\Tasks\Taplika => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Taplika" => Key deleted successfully.
C:\Windows\Tasks\Digital Sites.job => Moved successfully.
C:\Windows\Tasks\Taplika.job => Moved successfully.
"HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile" => Key deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Acrobat Assistant 7.0 => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" => Key Deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
"HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{AE7CD045-E861-484f-8273-0445EE161910}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
"HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" => Key deleted successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.51.2 => Key not found.
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2 => Key not found.
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll not found.
C:\Users\Wendy\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wendy\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wendy\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wendy\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wendy\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe => Moved successfully.
C:\Users\Wendy\AppData\Local\Temp\CSDJavaInstaller.dll => Moved successfully.
C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader32.dll => Moved successfully.
C:\Users\Wendy\AppData\Local\Temp\csvrjavaloader64.dll => Moved successfully.

==== End of Fixlog 16:26:29 ====
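Two things are worth taking away from the scan log and the fix above: the shape of the indicators (a scheduled task and a .job file launching from %AppData%, a RunOnce entry that tells wscript.exe to run a .dat file with /E:vbscript so the payload never needs a script extension, a per-user exefile association under HKU that takes precedence over the machine-wide one for every .exe the user starts, and every browser start/search setting pointing at one domain), and that an FRST fixlist is nothing more than the offending log lines copied verbatim. The script below is an added example, not part of this thread and not code from FRST or its author. It runs constructed log lines modelled on the ones posted (long tracking URLs shortened) through those checks and emits a fixlist from the hits; the allowlist of trusted search hosts is an assumption made for illustration.

```python
"""Triage FRST-style log lines for the persistence indicators seen in this
thread and build an FRST fixlist from the hits.

Added example, not part of the thread and not FRST's own code. The sample
lines are constructed to mirror the shapes of the posted logs (tracking URLs
shortened); the trusted-host allowlist is an assumption for illustration.
"""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample modelled on the FRST output posted in the thread.
SAMPLE_LOG = r"""
Task: {4E06F925-D66C-4594-9E9E-1093F44838E8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-01-17] (Google Inc.)
Task: {4DEC4F11-1EE5-42E4-A4C7-31A4908A47FC} - System32\Tasks\Taplika => C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\UpdateTask.exe [2015-02-08] ()
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Wendy\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Classes\exefile: "%1" %*
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}
FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch
CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}
"""

# Assumed allowlist: hosts a start page or search scope may legitimately use.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com", "www.bing.com", "search.yahoo.com"}
# Extensions Windows Script Host would run without being forced via /E:<engine>.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Run(?:Once)?: \[")
# wscript/cscript with /E:<engine> followed by the (optionally quoted) script path.
SCRIPT_HOST_RE = re.compile(
    r'\b[wc]script\.exe\b.*?/E:(?P<engine>\w+).*?"?(?P<script>[A-Za-z]:\\[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# HKU\<SID>\Software\Classes is merged into HKCR ahead of HKLM for that user.
EXEFILE_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\Software\\Classes\\exefile:")
BROWSER_SETTING_RE = re.compile(
    r"(?:Start Page[^=]*=|SearchScopes:|FF Homepage:|CHR HomePage:|CHR StartupUrls:|DefaultSearchURL:)"
)
URL_RE = re.compile(r"(?:https?|hxxps?)://\S+", re.IGNORECASE)


def classify(line):
    """Return (reason, line) when the line matches an indicator, else None."""
    s = line.strip()
    if s.startswith("Task:") and APPDATA_RE.search(s):
        return ("scheduled task launches a binary from a user AppData folder", s)
    if RUN_KEY_RE.search(s):
        m = SCRIPT_HOST_RE.search(s)
        if m:
            ext = ntpath.splitext(m.group("script"))[1].lower()
            if ext not in SCRIPT_EXTS:
                return (f"Run key forces the {m.group('engine')} engine onto a non-script file ({ext})", s)
    if EXEFILE_RE.match(s):
        return ("per-user exefile association in HKU shadows the machine default for .exe", s)
    if BROWSER_SETTING_RE.search(s):
        m = URL_RE.search(s)
        host = urlparse(m.group(0)).hostname if m else None
        if host and host.lower() not in TRUSTED_HOSTS:
            return (f"browser start/search setting points at untrusted host {host}", s)
    return None


def triage(log_text):
    """Run every line through classify(); return the (reason, line) hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def build_fixlist(hits):
    """FRST takes the offending log lines verbatim as its fixlist: dedupe, keep order."""
    lines = list(dict.fromkeys(line for _, line in hits))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, line in found:
        print(f"[{reason}]\n    {line}")
    print("\n--- fixlist.txt ---\n" + build_fixlist(found))
```

Run it as a script to see the hits and the generated fixlist. Treat it as triage, not as a substitute for reading the whole log: a helper confirms each flagged line before it goes into a fix. The exefile entry is worth a second look whatever its value reads, because a key the user's own profile controls is now deciding how every .exe launches; removing it is what lets those launches fall back to the HKLM default.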
 

askey127

Malware Specialist
WendyM,
Good so far.
Let's run another couple scans to see if there are any leftovers.
-----------------------------------------------------------
Run a New Scan With the Farbar Scan Tool
  • Double click FRST64.exe on your desktop to launch it.
  • When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • When finished scanning, a new version of the log FRST.txt will be saved on your Desktop and opened in Notepad.
  • Please post the contents in your next reply.
---------------------------------------------
Please download SystemLook from the link below and save it to your Desktop.
Download Mirror #1 (64-bit)
  • Double-click SystemLook_x64.exe to run it. OK the User Account Control.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *taplika*
    :folderfind
    *taplika*
    :regfind
    taplika
  • Click the Look button to start the scan.
    Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The results log can also be found on your Desktop, entitled SystemLook.txt

askey127
 

WendyM

Thread Starter
Retired Trusted Advisor
FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
Running from C:\Users\Wendy\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(DeviceVM) C:\ASUS.SYS\config\DVMExportService.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(ASUSTeK Computer Inc.) C:\Program Files\ASUS\Six Engine\SixEngine.exe
(Microsoft Corporation) C:\Windows\SysWOW64\runonce.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Program Files\Zune\ZuneLauncher.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
(CANON INC.) C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
(Apple Inc.) D:\Program Files (x86)\iTunes\iTunesHelper.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(ASUSTeK Computer Inc.) C:\Program Files\ASUS\TurboV\TurboV.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [SoundMAX] => C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe [3866624 2009-05-18] (Analog Devices, Inc.)
HKLM-x32\...\Run: [IJNetworkScanUtility] => C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [206240 2010-08-24] (CANON INC.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => D:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2009-06-05] (Analog Devices, Inc.)
HKLM-x32\...\Run: [TurboV] => C:\Program Files\ASUS\TurboV\TurboV.exe [5665280 2009-11-19] (ASUSTeK Computer Inc.)
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {096d79b6-b27f-11e2-b5c9-bcaec54497a8} - H:\LaunchU3.exe
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\MountPoints2: {96ccee42-97ee-11e1-aed0-bcaec54497a8} - G:\TL-Bootstrap.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
ShortcutTarget: Adobe Acrobat Speed Launcher.lnk -> C:\Windows\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_...G0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {589B893E-773C-4941-88C2-0DCC718E621C} URL =
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
Toolbar: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
DPF: HKLM-x32 {2AB1C516-6654-4D3A-B3D6-2185BBCEB409} https://webvpn.treasurer.ca.gov/+CSCOL+/csvrloader32.cab
DPF: HKLM-x32 {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} https://webvpn.treasurer.ca.gov/CACHE/sdesktop/install/binaries/instweb.cab
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default
FF DefaultSearchEngine: Taplika
FF SelectedSearchEngine: Taplika
FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_305.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\user.js
FF SearchPlugin: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml
FF Extension: Adblock Plus - C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-04-07]
StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR HomePage: Default -> hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
CHR StartupUrls: Default -> "hxxp://taplika.com/?f=7&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
CHR DefaultSearchKeyword: Default -> taplika.com
CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR Profile: C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-17]
CHR Extension: (Google Drive) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-17]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (YouTube) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-17]
CHR Extension: (Google Search) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-17]
CHR Extension: (Google Wallet) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-17]
CHR Extension: (Gmail) - C:\Users\Wendy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-17]
CHR HKLM\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
CHR HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
CHR HKLM-x32\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - No Path
StartMenuInternet: Google Chrome - chrome.exe

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2009-06-05] (Andrea Electronics Corporation)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-08-19] (ASUSTeK Computer Inc.) [File not signed]
R2 DvmMDES; C:\ASUS.SYS\config\DVMExportService.exe [294912 2009-04-10] (DeviceVM) [File not signed]
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-03] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-15] ()
R0 mv61xx; C:\Windows\System32\DRIVERS\mv61xx.sys [179752 2009-08-05] (Marvell Semiconductor, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-09 14:10 - 2015-02-09 18:36 - 00014395 _____ () C:\Users\Wendy\Desktop\FRST.txt
2015-02-09 14:10 - 2015-02-09 14:10 - 00018618 _____ () C:\Users\Wendy\Desktop\Addition.txt
2015-02-09 14:09 - 2015-02-09 18:36 - 00000000 ____D () C:\FRST
2015-02-09 14:09 - 2015-02-09 14:08 - 02132992 _____ (Farbar) C:\Users\Wendy\Desktop\FRST64.exe
2015-02-08 10:24 - 2015-02-08 10:24 - 00011224 _____ () C:\Users\Wendy\Downloads\hijackthis.log
2015-02-08 10:23 - 2015-02-08 10:23 - 00388608 _____ (Trend Micro Inc.) C:\Users\Wendy\Downloads\HijackThis.exe
2015-02-08 10:10 - 2015-02-08 10:10 - 00509440 _____ (Tech Support Guy System) C:\Users\Wendy\Downloads\SysInfo.exe
2015-02-08 10:08 - 2015-02-09 14:08 - 00000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
2015-02-08 09:20 - 2015-02-08 09:20 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\KeePass
2015-02-08 09:13 - 2015-02-08 09:13 - 00001103 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass.lnk
2015-02-08 09:13 - 2015-02-08 09:13 - 00000000 ____D () C:\Program Files (x86)\KeePass Password Safe
2015-02-08 09:12 - 2015-02-08 09:13 - 01942105 _____ (Dominik Reichl ) C:\Users\Wendy\Downloads\KeePass-1.28-Setup.exe
2015-02-08 09:10 - 2015-02-08 09:10 - 00000000 ____D () C:\ProgramData\c6c8997c00002766
2015-02-08 09:08 - 2015-02-08 09:10 - 00000000 ____D () C:\Users\Wendy\AppData\Local\Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\WSE_Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\DigitalSites
2015-02-08 09:07 - 2015-02-08 09:07 - 00783834 _____ (%VENDOR%) C:\Users\Wendy\Downloads\FileOpenerSetup.exe
2015-02-07 07:56 - 2015-02-07 07:56 - 00116178 _____ () C:\Users\Wendy\Downloads\food (18).xlsx
2015-02-06 16:54 - 2015-02-06 16:54 - 00032078 _____ () C:\Users\Wendy\Downloads\stuff (25).xlsx
2015-01-29 19:19 - 2015-01-29 19:19 - 00111772 _____ () C:\Users\Wendy\Downloads\food (17).xlsx
2015-01-29 19:18 - 2015-01-29 19:18 - 00032666 _____ () C:\Users\Wendy\Downloads\stuff (24).xlsx
2015-01-23 17:59 - 2015-01-23 17:59 - 00111773 _____ () C:\Users\Wendy\Downloads\food (16).xlsx
2015-01-23 16:46 - 2015-01-23 16:46 - 00032215 _____ () C:\Users\Wendy\Downloads\stuff (23).xlsx
2015-01-20 06:20 - 2014-12-18 19:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-20 06:20 - 2014-12-18 17:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-20 06:20 - 2014-12-12 21:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-01-20 06:20 - 2014-12-12 19:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-01-20 06:20 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-20 06:20 - 2014-12-11 21:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-20 06:20 - 2014-12-11 21:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-20 06:20 - 2014-12-11 21:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-20 06:20 - 2014-12-11 21:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-20 06:20 - 2014-12-11 21:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-20 06:20 - 2014-12-11 21:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-20 06:20 - 2014-12-11 09:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-20 06:20 - 2014-12-05 20:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-20 06:20 - 2014-12-05 19:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-20 06:20 - 2014-12-05 19:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-20 06:20 - 2012-10-03 09:44 - 00216576 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2015-01-20 06:20 - 2012-10-03 09:44 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2015-01-17 20:59 - 2015-01-17 20:59 - 00111551 _____ () C:\Users\Wendy\Downloads\food (15).xlsx
2015-01-15 22:45 - 2015-01-15 22:45 - 00063609 _____ () C:\Users\Wendy\Downloads\money (16).xlsx
2015-01-15 19:07 - 2015-01-15 19:07 - 00031501 _____ () C:\Users\Wendy\Downloads\stuff (22).xlsx
2015-01-14 21:12 - 2015-01-14 21:12 - 00029667 _____ () C:\Users\Wendy\Downloads\summit_expense_budget.xlsx
2015-01-10 08:37 - 2015-01-10 08:37 - 00111263 _____ () C:\Users\Wendy\Downloads\food (14).xlsx
2015-01-10 08:05 - 2015-01-10 08:05 - 00030791 _____ () C:\Users\Wendy\Downloads\stuff (21).xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-09 18:33 - 2014-01-17 08:19 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-09 18:33 - 2012-04-06 19:11 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-02-09 18:33 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-09 18:33 - 2009-07-13 20:51 - 00108477 _____ () C:\Windows\setupact.log
2015-02-09 16:29 - 2012-09-18 18:21 - 00000177 ____H () C:\dvmexp.idx
2015-02-09 16:29 - 2012-04-06 17:46 - 01532208 _____ () C:\Windows\WindowsUpdate.log
2015-02-09 16:29 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-09 16:29 - 2009-07-13 20:45 - 00021904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-09 16:26 - 2014-01-17 08:19 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-09 14:11 - 2012-04-06 21:42 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-09 14:10 - 2009-07-13 21:13 - 00726444 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-08 09:21 - 2010-11-20 19:47 - 00010144 _____ () C:\Windows\PFRO.log
2015-02-08 09:11 - 2012-10-21 19:07 - 00113148 _____ () C:\Users\Wendy\Desktop\food.xlsx
2015-02-08 09:11 - 2012-04-07 08:40 - 00029788 _____ () C:\Users\Wendy\Desktop\stuff.xlsx
2015-02-08 09:08 - 2014-01-17 08:21 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-05 06:08 - 2012-04-06 21:42 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-02-05 06:08 - 2012-04-06 21:42 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-05 06:08 - 2012-04-06 21:42 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-03 18:21 - 2014-01-17 08:19 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-03 18:21 - 2014-01-17 08:19 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-20 06:23 - 2013-11-18 06:37 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-20 06:20 - 2012-04-06 18:39 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-20 06:14 - 2012-06-17 19:02 - 00062039 _____ () C:\Users\Wendy\Desktop\money.xlsx

==================== Files in the root of some directories =======

2015-02-08 10:08 - 2015-02-09 14:08 - 0000058 _____ () C:\Users\Wendy\AppData\Roaming\WB.CFG
2012-09-19 09:20 - 2013-02-02 13:15 - 0004096 _____ () C:\Users\Wendy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-07 00:17 - 2012-04-07 00:17 - 0007605 _____ () C:\Users\Wendy\AppData\Local\Resmon.ResmonCfg
2014-02-02 09:10 - 2014-02-02 09:10 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Some content of TEMP:
====================
C:\Users\Wendy\AppData\Local\Temp\converter.exe
C:\Users\Wendy\AppData\Local\Temp\cstub.exe
C:\Users\Wendy\AppData\Local\Temp\csvrelay32.dll
C:\Users\Wendy\AppData\Local\Temp\csvrelay64.dll
C:\Users\Wendy\AppData\Local\Temp\csvrxul32.dll
C:\Users\Wendy\AppData\Local\Temp\optprosetup.exe
C:\Users\Wendy\AppData\Local\Temp\ose00000.exe
C:\Users\Wendy\AppData\Local\Temp\_is5134.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-03 19:57

==================== End Of Log ============================
 

WendyM

SystemLook.txt:

SystemLook 04.09.10 by jpshortstuff
Log created at 18:48 on 09/02/2015 by Wendy
Administrator - Elevation successful

========== filefind ==========

Searching for "*taplika*"
C:\FRST\Quarantine\C\Windows\System32\Tasks\Taplika.xBAD --a---- 3228 bytes [17:08 08/02/2015] [17:08 08/02/2015] 2C992BBCBFAFAC56B6DDBC63FA2F2395
C:\FRST\Quarantine\C\Windows\Tasks\Taplika.job.xBAD --a---- 290 bytes [17:08 08/02/2015] [22:08 09/02/2015] D16E21F5E7CAB24B06B85C7002A7C8B5
C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYW3JVPN\Taplika16x16[1].ico --a---- 1150 bytes [17:20 08/02/2015] [17:20 08/02/2015] 9407ADB543BB4EED6648A70CE43A7CAA
C:\Users\Wendy\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\AJ6Q1KSN\taplika[1].xml --a---- 13 bytes [17:20 08/02/2015] [17:20 08/02/2015] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml --a---- 2787 bytes [18:08 08/02/2015] [18:08 08/02/2015] C8701A9D700FB20E08C735D042FBEC7B

========== folderfind ==========

Searching for "*taplika*"
C:\Users\Wendy\AppData\Local\Taplika d------ [17:08 08/02/2015]
C:\Users\Wendy\AppData\Roaming\Taplika d------ [17:08 08/02/2015]
C:\Users\Wendy\AppData\Roaming\WSE_Taplika d------ [17:08 08/02/2015]

========== regfind ==========

Searching for "taplika"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"URL"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"TopResultURLFallback"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"FaviconPath"="C:\Program Files (x86)\WSE_Taplika\\FavIcon.ico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
@="Taplika"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"DisplayName"="Taplika"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Taplika"="C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Taplika Browser]
[HKEY_CURRENT_USER\Software\Taplika Browser]
"UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
[HKEY_CURRENT_USER\Software\Taplika Browser]
"InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
"AppPath"="C:\Program Files (x86)\WSE_Taplika\\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Taplika"="C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat""
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"URL"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"TopResultURLFallback"="http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"FaviconPath"="C:\Program Files (x86)\WSE_Taplika\\FavIcon.ico"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
@="Taplika"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"DisplayName"="Taplika"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Taplika"="C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat""
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
"UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
"InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""

-= EOF =-
 

askey127

WendyM,
--------------------------------------------------------
Run A Fix With FRST
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both the program FRST64.exe and Fixlist.txt be in the same location, or the fix will not work.
(Both on the Desktop is OK, or both in the same folder elsewhere)

Run FRST64 and press the Fix button just once and wait. DO NOT PRESS THE SCAN BUTTON.
If for some reason the tool needs a restart, please make sure you let the system restart normally.
The tool may start automatically and complete its work after the system restart. Let the tool complete its run.
When finished, FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents in your reply.

askey127
 


WendyM

Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
Ran by Wendy at 2015-02-10 06:10:21 Run:2
Running from C:\Users\Wendy\Desktop
Loaded Profiles: Wendy (Available profiles: Wendy & UpdatusUser & Landon)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM-x32\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\...\RunOnce: [Taplika] => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat"
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://taplika.com/?f=1&a=tlk_ggfc_1...1560535032&ir=
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> DefaultScope {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C 0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1Cz utCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0D tGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0 EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032 &ir=
SearchScopes: HKU\S-1-5-21-2245909474-2214454975-146711961-1001 -> {BD2C78A5-3532-496F-826A-B07106B145CC} URL = http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C 0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1Cz utCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0D tGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0 EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032 &ir=
FF DefaultSearchEngine: Taplika
FF SelectedSearchEngine: Taplika
FF Homepage: hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0 CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V 1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAt A0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz 0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
FF SearchPlugin: C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\se archplugins\Taplika.xml
CHR HomePage: Default -> hxxp://taplika.com/?f=1&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0 CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V 1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAt A0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz 0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir=
CHR StartupUrls: Default -> "hxxp://taplika.com/?f=7&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C0A0E0CyDyEyEzyyB0AzzyCtBtA0 CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V 1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0DtGyDzz0AtDtGtAtD0DtDtA0EtAt A0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0EzztGzy0F0CtCtGyEyCtCzytGzz 0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032&ir="
CHR DefaultSearchKeyword: Default -> taplika.com
CHR DefaultSearchURL: Default -> http://taplika.com/results.php?f=4&q={searchTerms}&a=tlk_ggfc_15_06_ch&cd=2XzuyEtN2Y1L1Qzu0B0C 0A0E0CyDyEyEzyyB0AzzyCtBtA0CtN0D0Tzu0StCtCtAyEtN1L2XzutAtFyBtFtBtFtDtN1L1Cz utCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDzy0F0F0DtGyD0Czy0BtG0BtB0E0D tGyDzz0AtDtGtAtD0DtDtA0EtAtA0CtAyB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyD0E0B0FtCtD0 EzztGzy0F0CtCtGyEyCtCzytGzz0EzztAtG0CtDtDtAtB0DzyyEzzyD0AtD2Q&cr=1560535032 &ir=
2015-02-08 09:08 - 2015-02-08 09:10 - 00000000 ____D () C:\Users\Wendy\AppData\Local\Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\WSE_Taplika
2015-02-08 09:08 - 2015-02-08 09:08 - 00000000 ____D () C:\Users\Wendy\AppData\Roaming\Taplika


*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Taplika => value deleted successfully.
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Taplika => value deleted successfully.
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKU\S-1-5-21-2245909474-2214454975-146711961-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-2245909474-2214454975-146711961-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}" => Key deleted successfully.
HKCR\CLSID\{BD2C78A5-3532-496F-826A-B07106B145CC} => Key not found.
Firefox DefaultSearchEngine deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox homepage deleted successfully.
"C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\se archplugins\Taplika.xml" => not found.
Chrome HomePage deleted successfully.
Chrome StartupUrls deleted successfully.
Chrome DefaultSearchKeyword deleted successfully.
Chrome DefaultSearchURL deleted successfully.
C:\Users\Wendy\AppData\Local\Taplika => Moved successfully.
C:\Users\Wendy\AppData\Roaming\WSE_Taplika => Moved successfully.
C:\Users\Wendy\AppData\Roaming\Taplika => Moved successfully.

==== End of Fixlog 06:10:22 ====
 

askey127

WendyM,
Good.

Let's run SystemLook again:
---------------------------------------------
  • Double-click SystemLook_x64.exe to run it. OK the User Account Control.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *taplika*
    :folderfind
    *taplika*
    :regfind
    taplika
  • Click the Look button to start the scan.
    Because of the Registry searches, the scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The results log can also be found on your Desktop, entitled SystemLook.txt
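To triage a regfind log like the one this step produces, here is an added example (not SystemLook's, FRST's or the thread's own code) that parses the "[KEY]" / "name"="data" lines into categorised records, so leftovers such as the TaplikaHTML ProgId associations that survive a fix are easy to spot. The sample input is constructed from the kinds of entries in this thread, with the long query strings shortened.

```python
"""Triage helper for the ':regfind' section of a SystemLook log (added example
for this thread, not part of SystemLook, FRST or any other tool used here).
It tags each "[KEY]" / "name"="data" hit by the kind of hijack it represents,
so that what a fix left behind stands out at a glance."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')
TERM_RE = re.compile(r'^Searching for "(.*)"$')

PERSISTENCE = "persistence (autorun)"
SEARCH_HIJACK = "search/homepage hijack"
ASSOC_HIJACK = "file/URL association hijack"
RESIDUE = "browser storage residue"
LEFTOVER = "install/uninstall leftover"
OTHER = "other"

# Constructed sample in SystemLook's regfind layout, modelled on the entries
# seen in this thread (URL query strings shortened for readability).
SAMPLE_REGFIND = r'''Searching for "taplika"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://taplika.com/?f=1&a=tlk_ggfc_15_06_ch"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BD2C78A5-3532-496F-826A-B07106B145CC}]
"URL"="http://taplika.com/results.php?f=4&q={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Taplika"="C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\Wendy\AppData\Roaming\Taplika\UpdateProc\bkup.dat""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Taplika Browser]
"UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
'''

@dataclass
class Hit:
    key: str
    name: Optional[str]   # None when SystemLook listed the key with no value
    data: Optional[str]
    category: str
    note: str = ""

def _unquote(data):
    # SystemLook wraps string data in quotes; strip only one layer so that an
    # embedded quoted path (wscript ... "C:\...\bkup.dat") survives intact.
    return data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data

def classify(key, name, data, term):
    """Return (category, note) for one registry hit; term is the search string."""
    k, n, d = key.lower(), (name or "").lower(), (data or "").lower()
    if re.search(r"\\currentversion\\run(once)?$", k):
        note = ""
        if "wscript.exe" in d and "/e:vbscript" in d:
            # a non-.vbs file forced through the script host, as in this thread
            note = "script host runs a non-.vbs file as VBScript"
        return PERSISTENCE, note
    if "\\searchscopes\\" in k or n == "start page":
        return SEARCH_HIJACK, ""
    if k.endswith("\\userchoice") and n == "progid":
        return ASSOC_HIJACK, "default handler still points at the hijacker's ProgId"
    if "\\domstorage\\" in k:
        return RESIDUE, ""
    return (LEFTOVER if term and term in k else OTHER), ""

def parse_regfind(text):
    """Parse a regfind section into Hit records, in log order."""
    hits, term, pending = [], "", None
    for line in (raw.strip() for raw in text.splitlines()):
        m = TERM_RE.match(line)
        if m:
            term = m.group(1).lower()
            continue
        km = KEY_RE.match(line)
        if km:
            if pending is not None:   # previous key line carried no value
                hits.append(Hit(pending, None, None, *classify(pending, None, None, term)))
            pending = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and pending is not None:
            name = vm.group("name") if vm.group("name") is not None else "(Default)"
            data = _unquote(vm.group("data"))
            hits.append(Hit(pending, name, data, *classify(pending, name, data, term)))
            pending = None
    if pending is not None:
        hits.append(Hit(pending, None, None, *classify(pending, None, None, term)))
    return hits

def summarize(hits):
    """Count hits per category; persistence and hijack entries need action first."""
    return Counter(h.category for h in hits)

if __name__ == "__main__":
    for h in parse_regfind(SAMPLE_REGFIND): print(f"{h.category:28} {h.key}  {h.name or ''}  {h.note}")
```

Feed it the regfind section of a real SystemLook.txt and compare the summaries from before and after a fix; anything still in the persistence or hijack categories needs a second pass.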
 

WendyM

SystemLook.txt

SystemLook 04.09.10 by jpshortstuff
Log created at 13:27 on 10/02/2015 by Wendy
Administrator - Elevation successful

========== filefind ==========

Searching for "*taplika*"
C:\FRST\Quarantine\C\Windows\System32\Tasks\Taplika.xBAD --a---- 3228 bytes [17:08 08/02/2015] [17:08 08/02/2015] 2C992BBCBFAFAC56B6DDBC63FA2F2395
C:\FRST\Quarantine\C\Windows\Tasks\Taplika.job.xBAD --a---- 290 bytes [17:08 08/02/2015] [22:08 09/02/2015] D16E21F5E7CAB24B06B85C7002A7C8B5
C:\Users\Wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYW3JVPN\Taplika16x16[1].ico --a---- 1150 bytes [17:20 08/02/2015] [17:20 08/02/2015] 9407ADB543BB4EED6648A70CE43A7CAA
C:\Users\Wendy\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\AJ6Q1KSN\taplika[1].xml --a---- 13 bytes [17:20 08/02/2015] [17:20 08/02/2015] C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
C:\Users\Wendy\AppData\Roaming\Mozilla\Firefox\Profiles\g3ulx7ao.default\searchplugins\Taplika.xml --a---- 2787 bytes [18:08 08/02/2015] [18:08 08/02/2015] C8701A9D700FB20E08C735D042FBEC7B

========== folderfind ==========

Searching for "*taplika*"
C:\FRST\Quarantine\C\Users\Wendy\AppData\Local\Taplika d------ [17:08 08/02/2015]
C:\FRST\Quarantine\C\Users\Wendy\AppData\Roaming\Taplika d------ [17:08 08/02/2015]
C:\FRST\Quarantine\C\Users\Wendy\AppData\Roaming\WSE_Taplika d------ [17:08 08/02/2015]

========== regfind ==========

Searching for "taplika"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_CURRENT_USER\Software\Taplika Browser]
[HKEY_CURRENT_USER\Software\Taplika Browser]
"UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
[HKEY_CURRENT_USER\Software\Taplika Browser]
"InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
"AppPath"="C:\Program Files (x86)\WSE_Taplika\\"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid"="TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
"UninstallString"="C:\Users\Wendy\AppData\Local\Taplika\Application\31.0.1650.23\Installer\setup.exe"
[HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
"InstallerSuccessLaunchCmdLine"=""C:\Users\Wendy\AppData\Local\Taplika\Application\taplika.exe""

-= EOF =-
 

askey127

Malware Specialist
Joined
Dec 22, 2006
Messages
3,722
WendyM,
Home stretch here:
---------------------------------------------
Download the OTL Scanner
Please download OTL.exe by OldTimer and save it to your desktop.
----------------------------------------------
Perform a Custom Fix with OTL
Right click OTL on your desktop, and choose "Run as administrator" to open it.
  • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
    Code:
    :Commands
    [CREATERESTOREPOINT]
    
    :Reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    "Progid"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    "Progid"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    "Progid"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    "Progid"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    "Progid"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
    "Progid"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
    "Progid"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
    "Progid"=-
    [-HKEY_CURRENT_USER\Software\Taplika Browser]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
    "AppPath"=-
    [-HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com]
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    "Progid"=-
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    "Progid"=-
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    "Progid"=-
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    "Progid"=-
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    "Progid"=-
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
    "Progid"=-
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
    "Progid"=-
    [HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
    "Progid"=-
    [-HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser]
    
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [EMPTYTEMP]
  • Then click the Run Fix button at the top. DO NOT CLICK Run Scan
  • Let the program run unhindered, and click to allow the Reboot when it is done.
    When the computer Reboots, and you start your usual account, a Notepad text file will appear.
  • That is the FIX log file. Copy the contents of that file and post it in your next reply.
    It will also be available and named by timestamp here: C:\_OTL\Moved Files\mmddyyyy_hhmmss.log

Then tell me how it's running.
askey127
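What this OTL fix is undoing is worth spelling out, because it is the part of a browser hijack that survives deleting the files. The UserChoice\Progid values made "TaplikaHTML.X5GTAFURZDHGKLJIRYD3WDQS7E" the per-user handler for .htm/.html/.shtml/.xht/.xhtml files and for ftp/http/https URLs, so every link opened in the hijacker's browser rather than the user's; the AppPath under Internet Explorer's Low Rights\ElevationPolicy let a Protected Mode (low integrity) IE tab launch the program at medium integrity. The HKEY_USERS\S-1-5-21-... half of the fix targets the same hive as the HKEY_CURRENT_USER half (HKCU is a link to the logged-on user's HKU\<SID> key), so once the first half has run the second will report those entries as not found. The following is an added example (not from the thread, and not OTL's code) that audits both areas for any handler whose executable is missing or unsigned, and removes only the Progid value, as the fix does. It assumes Windows PowerShell 5.1 run as Administrator.

```powershell
# Added example; not from the thread and not part of OTL.
# Audits what the OTL :Reg block above removes: the per-user default-handler
# choices (UserChoice\Progid) for the web file types and URL schemes, and the
# Internet Explorer Protected Mode ElevationPolicy. A handler whose executable
# is missing (e.g. already quarantined) or unsigned is flagged for removal.
# Assumes Windows PowerShell 5.1 run as Administrator.

$WebFileExts = '.htm', '.html', '.shtml', '.xht', '.xhtml'
$UrlSchemes  = 'ftp', 'http', 'https'

function Get-ExeTrust {
    param([string] $CommandLine)
    # Pull the executable out of a command line like  "C:\Path\app.exe" -- "%1"
    # and report whether it exists and carries a valid Authenticode signature.
    $m   = [regex]::Match("$CommandLine", '^\s*"?([^"]+?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) } else { $null }
    $r   = [pscustomobject]@{ Exe = $exe; Exists = $false; Signature = 'NoFile'; Signer = $null }
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig         = Get-AuthenticodeSignature -LiteralPath $exe
        $r.Exists    = $true
        $r.Signature = "$($sig.Status)"          # Valid, NotSigned, HashMismatch, ...
        $r.Signer    = $sig.SignerCertificate.Subject
    }
    $r
}

function Resolve-ProgIdCommand {
    param([string] $ProgId)
    # UserChoice\Progid only names a ProgID; the binary is in its shell\open\command.
    foreach ($classes in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $cmd = (Get-ItemProperty -LiteralPath "$classes\$ProgId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        if ($cmd) { return $cmd }
    }
}

function Get-UserChoiceAudit {
    $base = 'HKCU:\Software\Microsoft\Windows'
    $keys = @($WebFileExts | ForEach-Object { "$base\CurrentVersion\Explorer\FileExts\$_\UserChoice" }) +
            @($UrlSchemes  | ForEach-Object { "$base\Shell\Associations\UrlAssociations\$_\UserChoice" })
    foreach ($key in $keys) {
        $progId = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Progid
        if (-not $progId) { continue }           # no per-user override; the HKCR default applies
        $t = Get-ExeTrust (Resolve-ProgIdCommand $progId)
        [pscustomobject]@{
            Key = $key; ProgId = $progId; Exe = $t.Exe; Signature = $t.Signature; Signer = $t.Signer
            Suspicious = (-not $t.Exists) -or ($t.Signature -ne 'Valid')
        }
    }
}

function Get-ElevationPolicyAudit {
    # Entries here let a Protected Mode (low integrity) IE tab start the named
    # program at medium integrity; Policy 3 does so without a prompt. Entries
    # normally live in GUID subkeys, but the one in this thread sat on the
    # ElevationPolicy key itself, so the key's own values are checked too.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy') {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $p = Get-ItemProperty -LiteralPath $k.PSPath
            if (-not ($p.AppPath -or $p.AppName)) { continue }
            $t = Get-ExeTrust ("$($p.AppPath)".TrimEnd('\') + "\$($p.AppName)")
            [pscustomobject]@{
                Key = $k.Name; AppPath = $p.AppPath; AppName = $p.AppName; Policy = $p.Policy
                Signature = $t.Signature; Suspicious = (-not $t.Exists) -or ($t.Signature -ne 'Valid')
            }
        }
    }
}

function Remove-SuspiciousUserChoice {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Deletes only the Progid value, as the OTL fix does; Windows then falls back
    # to the classic HKCR association, so the default browser must be re-chosen.
    foreach ($e in (Get-UserChoiceAudit | Where-Object Suspicious)) {
        if ($PSCmdlet.ShouldProcess($e.Key, "Remove Progid '$($e.ProgId)'")) {
            Remove-ItemProperty -LiteralPath $e.Key -Name Progid
        }
    }
}

Get-UserChoiceAudit      | Format-Table Key, ProgId, Signature, Suspicious -AutoSize
Get-ElevationPolicyAudit | Format-Table Key, AppName, Policy, Signature, Suspicious -AutoSize
Remove-SuspiciousUserChoice -WhatIf        # preview; drop -WhatIf to apply
```

Two caveats. The signature check is a filter, not a verdict: a signed binary can still be unwanted, and a legitimate portable browser may be unsigned, so read the Exe column before removing anything. And this works on Windows 7, where a per-user UserChoice value can simply be deleted; Windows 8 and later add a Hash value and protect the UserChoice key, so there the supported route is to re-pick the default browser through Default Programs or Settings after the hijacker's files are gone.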
 

WendyM

Thread Starter
Retired Trusted Advisor
Joined
Jun 27, 2003
Messages
4,042
FIX log file:




All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\\Progid deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\\Progid deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice\\Progid deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice\\Progid deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice\\Progid deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\\Progid deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\\Progid deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\\Progid deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Taplika Browser\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\\AppPath deleted successfully.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\taplika.com\ not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserC hoice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\User Choice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\Use rChoice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserC hoice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\Use rChoice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\User Choice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\Use rChoice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\Us erChoice not found.
Registry key HKEY_USERS\S-1-5-21-2245909474-2214454975-146711961-1001\Software\Taplika Browser\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Wendy\Desktop\cmd.bat deleted successfully.
C:\Users\Wendy\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Landon
->Temp folder emptied: 1011785 bytes
->Temporary Internet Files folder emptied: 6263468 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 598 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Wendy
->Temp folder emptied: 391364300 bytes
->Temporary Internet Files folder emptied: 527257150 bytes
->Java cache emptied: 1658827 bytes
->FireFox cache emptied: 429397855 bytes
->Google Chrome cache emptied: 434037821 bytes
->Flash cache emptied: 74448 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 683848657 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 43274757 bytes
RecycleBin emptied: 2873786506 bytes

Total Files Cleaned = 5,142.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02102015_151946

Files\Folders moved on Reboot...
C:\Users\Wendy\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 