Malwarebytes not detecting possible Trojan


Hello --

 

I am a Malwarebytes premium owner, and also have Symantec Endpoint Protection.  Starting a few weeks ago Symantec started catching a series of files with a "risk" of Trojan.Gen.2, and PUA.Wajam.  At first it was only catching one or two files every few days, but a few days ago it started catching dozens (close to a hundred) of files a day.  I have run full scans using both Symantec and Malwarebytes Anti-malware premium running the computer in both regular mode and safe mode, but neither program has detected anything (and all databases are up to date).

 

Following the instructions here (https://forums.malwarebytes.org/index.php?/topic/9573-im-infected-what-do-i-do-now/) I downloaded and ran the Farbar Recovery Scan Tool.  The output of the FRST and Addition files are pasted below.  Please let me know if you need any additional information, and thank you in advance for any help!!

 

(NOTE:  I tried to copy/paste the contents of FRST and Addition directly into this post, per the instructions in the link above, but received an error message that the post is too long.  Both files are now attached to the post)

 


Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

 

     

    

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

Rules and policies

 

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything similar is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

 

 


Multiple Resident Protection warning!

Always have one (and no more than one!) AntiVirus program! In this case having more of them will not provide you with better protection - instead they may cause slowness, lock-ups and even mark one another as harmful, leaving your system unstable and even damaged. Please choose only one from those listed below to stay with and uninstall the others:

  • Symantec Endpoint Protection
  • Microsoft Security Essentials

Uninstallation procedure:
  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for each uninstalled entry, right-click it and select Uninstall.
This should be done until any other steps will be taken.


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the Zoek icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:

    createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns >>"%temp%\log.txt";b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
  • Post its content into your next reply.

Hi TwinHeadedEagle --

 

Thank you for your help, and I understand there are limits to what is possible!  Regarding the first two steps:

 

1. Multiple Resident Protection warning!
- I uninstalled Microsoft Security Essentials
 
2. Scan with ZOEK
- this step failed:
 
I was able to download and save the file.  I right-clicked and selected 'Run As Administrator', then got a warning from Symantec about a user trying to run as administrator, which I accepted, but then got the following error:
 
"wget.exe - Bad Image
 
C: Users\Dan\AppData\Local\Temp\PROPSYS.dll is either not designed to run on Windows or it contains an error.  Try installing the program again using the original installation media or contact your system administrator or the software vendor for support."

Can you disable Symantec while running Zoek? They are known to block the majority of removal tools with no legit reason.

 

I just disabled Symantec and tried to 'run as administrator', but I got the same "wget.exe - bad image" as I did the first try.


After about 30 seconds I got the following error message:

 

'Das21 has stopped working' Check online for a solution and close the program, or close the program

 

Problem signature:
  Problem Event Name: CLR20r3
  Problem Signature 01: das_21.exe
  Problem Signature 02: 2.1.0.4
  Problem Signature 03: 540c90b2
  Problem Signature 04: mscorlib
  Problem Signature 05: 4.0.30319.18444
  Problem Signature 06: 52717d7e
  Problem Signature 07: 314
  Problem Signature 08: 22
  Problem Signature 09: System.ArgumentOutOfRange
  OS Version: 6.1.7601.2.1.0.768.3
  Locale ID: 1033
  Additional Information 1: b82e
  Additional Information 2: b82ecfa40b678ebbe9bf12b812067c8e
  Additional Information 3: 2b50
  Additional Information 4: 2b5015aeb373f04dd73f4ef380361938
 
Read our privacy statement online:
 
If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt
 
I waited another hour and Zoek did not finish.  Should I stop it and restart, or do something else?

It worked!  Here are the results:

 

 
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Dan on Sun 08/23/2015 at 17:49:01.71.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Dan\Documents\Malwarebytes Forum Help\Zoek\zoek.exe [scan all users] [script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2015-08-23-205229.log 440 bytes
 
==== System Restore Info ======================
 
8/23/2015 5:56:35 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Program Files\Symantec deleted successfully
C:\Users\Dan\AppData\Roaming\uTorrent deleted successfully
C:\Users\Dan\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Dan\AppData\Local\EmieSiteList deleted successfully
C:\Users\Dan\AppData\Local\EmieUserList deleted successfully
C:\Users\Kenzie\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Kenzie\AppData\Local\EmieSiteList deleted successfully
C:\Users\Kenzie\AppData\Local\EmieUserList deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{49C84E3A-71F5-4745-9DF9-3B3EA8AE8661} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{176F224F-07BF-4F3B-9899-C0E4A86B33D9} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1CB06EBA-16CD-4C5C-857B-D0C819AAADCD} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{707CBDE1-6D68-442E-94C4-C3DE1A3DA88B} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{CFA2D85B-BF9E-4DA6-A6F8-ED9A3D351364} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSUService deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SSUService deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\splashtopremoteservice deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\splashtopremoteservice deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\splashtopremoteservice deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\splashtopremoteservice deleted successfully
 
==== FireFox Fix ======================
 
ProfilePath: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\t4nvzln2.default
 
user.js not found
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20150823_0619_.backup
 
ProfilePath: C:\Users\Eli\AppData\Roaming\Mozilla\Firefox\Profiles\wo8d1qr0.default
 
user.js not found
---- Lines search.com removed from prefs.js ----
user_pref("capability.policy.maonoscript.sites", "abcmouse.com addons.mozilla.org adobe.com adobedtm.com adobetag.com afx.ms ajax.aspnetcdn.com ajax.g
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20150823_0619_.backup
 
ProfilePath: C:\Users\Kenzie\AppData\Roaming\Mozilla\Firefox\Profiles\8uhd0ujz.default
 
user.js not found
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20150823_0619_.backup
 
ProfilePath: C:\Users\Sofia\AppData\Roaming\Mozilla\Firefox\Profiles\2v0ogqa6.default
 
user.js not found
---- Lines isearch removed from prefs.js ----
user_pref("weboftrust.search.avg.url", "^http(s)?\\:\\/\\/isearch\\.avg\\.com\\/search\\?");
---- Lines ask.com removed from prefs.js ----
user_pref("weboftrust.search.ask.display", "Ask.com Web Search");
---- Lines offers removed from prefs.js ----
user_pref("weboftrust.category.301", "{\"name\":\"301\",\"group\":\"4\",\"text\":\"Online tracking\",\"description\":\"Based on your experience the si
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20150823_0619_.backup
 
==== Batch Command(s) Run By Tool======================
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
==== Deleting Files \ Folders ======================
 
C:\windows\SysNative\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} deleted
C:\PROGRA~2\The Weather Channel deleted
C:\PROGRA~2\Splashtop deleted
C:\install.exe deleted
C:\PROGRA~3\Splashtop deleted
C:\PROGRA~3\InstallMate deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\lavasoft\WebCompanion deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\Windows\SysWOW64\LavasoftTcpService.dll deleted
C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini deleted
C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\t4nvzln2.default\extensions\trash\https-everywhere@eff.org deleted
C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\t4nvzln2.default\extensions\firefox@ghostery.com.xpi deleted
C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\t4nvzln2.default\jetpack deleted
C:\Users\Eli\AppData\Roaming\Mozilla\Firefox\Profiles\wo8d1qr0.default\extensions\firefox@ghostery.com.xpi deleted
C:\Users\Eli\AppData\Roaming\Mozilla\Firefox\Profiles\wo8d1qr0.default\jetpack deleted
C:\Users\Eli\AppData\Roaming\Mozilla\Firefox\Profiles\wo8d1qr0.default\extensions\staged deleted
C:\Users\Sofia\AppData\Roaming\Mozilla\Firefox\Profiles\2v0ogqa6.default\extensions\firefox@ghostery.com.xpi deleted
C:\Users\Sofia\AppData\Roaming\Mozilla\Firefox\Profiles\2v0ogqa6.default\jetpack deleted
C:\Users\Sofia\AppData\Roaming\Mozilla\Firefox\Profiles\2v0ogqa6.default\extensions\staged deleted
"C:\Windows\Installer\dfeef74.msi" deleted
"C:\Windows\Installer\4a3565.msi" deleted
"C:\PROGRA~3\Browser Manager" deleted
"C:\PROGRA~3\Browser Manager" deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\t4nvzln2.default
user_pref("browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/");
user_pref("browser.search.defaultenginename", "Bing");
user_pref("browser.search.defaultenginename.US", "Google");
user_pref("browser.search.selectedEngine", "Bing");
 
ProfilePath: C:\Users\Eli\AppData\Roaming\Mozilla\Firefox\Profiles\wo8d1qr0.default
user_pref("browser.search.defaultenginename", "Google");
 
ProfilePath: C:\Users\Kenzie\AppData\Roaming\Mozilla\Firefox\Profiles\8uhd0ujz.default
user_pref("browser.search.defaultenginename.US", "Taplika");
 
ProfilePath: C:\Users\Sofia\AppData\Roaming\Mozilla\Firefox\Profiles\2v0ogqa6.default
user_pref("browser.search.defaultenginename", "Google");
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}"="C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext" [09/28/2013 10:29 AM]
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\t4nvzln2.default
- HTTPS-Everywhere - %ProfilePath%\extensions\https-everywhere@eff.org
- Undetermined - %ProfilePath%\extensions\trash
- WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- BetterPrivacy em:version1.68.1-signed em:type2 em:creatorGreg Yardley version 0.2 www.yardley.ca em:descriptionquot - %ProfilePath%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
 
ProfilePath: C:\Users\Eli\AppData\Roaming\Mozilla\Firefox\Profiles\wo8d1qr0.default
- HTTPS-Everywhere - %ProfilePath%\extensions\https-everywhere@eff.org
- WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- BetterPrivacy em:version1.68.1-signed em:type2 em:creatorGreg Yardley version 0.2 www.yardley.ca em:descriptionquot - %ProfilePath%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
 
ProfilePath: C:\Users\Sofia\AppData\Roaming\Mozilla\Firefox\Profiles\2v0ogqa6.default
- WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- BetterPrivacy - %ProfilePath%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
- TrueSuite Website Logon - %AppDir%\distribution\bundles\websitelogon@truesuite.com
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\t4nvzln2.default
F8CB60A5ACA5D73807ECBD9942A8BCB7 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll - RealDownloader Plugin
96B3689320E9B16EDF38B7A5001C35F0 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll - RealNetworks RealDownloader HTML5VideoShim Plug-In (32-bit)
EAC427FEF96A13058C1ACD17C38966CF - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll - RealNetworks RealDownloader PepperFlashVideoShim Plug-In (32-bit)
BE126CB7049E89ED6F3038016668B502 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll - RealNetworks RealDownloader Chrome Background Extension Plug-In (32-bit)
878208C8141EFEF1EBFF14A779B8EC0E - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll - Shockwave for Director / Shockwave for Director
EC55112EDB2CE5BC2BFCACDB9C2150F4 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll - Shockwave Flash
FBF151BDF3156D1FEFD5E992D89D65CC - C:\Users\Dan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player
 
 
==== Chromium Look ======================
 
Google Chrome Version: 44.0.2403.157
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
idhngdhcfkoamngbedgpaokgjbnpdiji - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx[08/14/2013 03:24 PM]
kanflfepiobnpjbljmngfgegijhdpljm - C:\Program Files (x86)\HP SimplePass\tschrome.crx[04/01/2013 02:25 AM]
 
RealDownloader - Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji
Website Logon - Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
Chrome Hotword Shared Module - Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
RealDownloader - Eli\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji
Website Logon - Eli\AppData\Local\Google\Chrome\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
Chrome Hotword Shared Module - Eli\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Website Logon - Kenzie\AppData\Local\Google\Chrome\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
Chrome Hotword Shared Module - Kenzie\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
RealDownloader - Sofia\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji
Website Logon - Sofia\AppData\Local\Google\Chrome\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
Chrome Hotword Shared Module - Sofia\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
 
==== Chromium Startpages ======================
 
C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
C:\Users\Eli\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
C:\Users\Kenzie\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
C:\Users\Sofia\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
"Default_Search_URL"="http://www.google.com/ie"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"
"Default_Search_URL"="http://www.google.com/ie"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}] not found
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{2fa28606-de77-4029-af96-b231e3b8f827} Unknown  Url="Not_Found"
{70680C6F-42B4-41F0-B502-5705A178396B} Unknown  Url="Not_Found"
{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465} Unknown  Url="Not_Found"
{b7fca997-d0fb-4fe0-8afd-255e89cf9671} Unknown  Url="Not_Found"
{BDA270D6-3191-4497-A7EC-E7E0050339CF} Unknown  Url="Not_Found"
{d43b3890-80c7-4010-a95d-1e77b5924dc3} Unknown  Url="Not_Found"
{D944BB61-2E34-4DBF-A683-47E505C587DC} Unknown  Url="Not_Found"
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{70680C6F-42B4-41F0-B502-5705A178396B} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{BDA270D6-3191-4497-A7EC-E7E0050339CF} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3} deleted successfully
HKEY_USERS\S-1-5-21-3430297952-1085673760-3040505545-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2465} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{BDA270D6-3191-4497-A7EC-E7E0050339CF} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BDA270D6-3191-4497-A7EC-E7E0050339CF} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\358CA8E5BB5699C40AE9918B81151EC4 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\69A9FA1138D6B3C4D8BC61AEA253E8F3 deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{BAF9C5CC-17DE-4111-813B-392187D4D793} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5E8AC853-65BB-4C99-A09E-19B81851E14C} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{11AF9A96-6D83-4C3B-8DCB-16EA2A358E3F} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\358CA8E5BB5699C40AE9918B81151EC4 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\69A9FA1138D6B3C4D8BC61AEA253E8F3 deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Dan\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Dan\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Eli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Eli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Kenzie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Kenzie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Sofia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Sofia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
C:\Users\Dan\AppData\Local\Mozilla\Firefox\Profiles\t4nvzln2.default\cache2 emptied successfully
C:\Users\Eli\AppData\Local\Mozilla\Firefox\Profiles\wo8d1qr0.default\cache2 emptied successfully
C:\Users\Kenzie\AppData\Local\Mozilla\Firefox\Profiles\8uhd0ujz.default\cache2 emptied successfully
C:\Users\Sofia\AppData\Local\Mozilla\Firefox\Profiles\2v0ogqa6.default\cache2 emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Eli\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Kenzie\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Sofia\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=796 folders=259 217527909 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Dan\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Eli\AppData\Local\Temp emptied successfully
C:\Users\Kenzie\AppData\Local\Temp emptied successfully
C:\Users\Sofia\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Dan\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Users\Sofia\AppData\Local\Temp\scoped_dir_5020_11801" not deleted
 
==== EOF on Sun 08/23/2015 at 18:35:29.75 ======================

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself :)

Recommended reading:

MUST READ - security tips:

MUST READ - general maintenance:

The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:

  • CCleaner - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent installing additional foistware, implemented in legitimate installations.
  • Adblock - to surf the web without annoying ads!

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report. You do not need to attach it.

The tool will also record a healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix

The tool deletes old system restore points and creates a fresh system restore point after cleaning.

My help is free for everybody.

If you're happy with the help provided and/or wish to show your appreciation for the assistance you received, then you can consider a donation:

Thank you!

Stay safe,

TwinHeadedEagle :)


Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Let's see:

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    (XP users click Run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please upload it to your reply.


Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After reboot, a logfile will be opened. Copy its content into your next reply.
Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

fixlist.txt


Here are the results from adwcleaner:

 

# AdwCleaner v5.004 - Logfile created 27/08/2015 at 20:55:35
# Updated 26/08/2015 by Xplode
# Database : 2015-08-25.1 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Dan - DAN_LAPTOP
# Running from : C:\Users\Dan\Documents\Malwarebytes Forum Help\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider_Data] Deleted : 
[-] [C:\Users\Sofia\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\Sofia\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
[-] [C:\Users\Kenzie\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\Kenzie\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
[-] [C:\Users\Eli\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\Eli\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
 
*************************
 
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1586 bytes] ##########

This topic is now closed to further replies.