Zoek.exe v5.0.0.0 Updated 02-June-2014
Tool run by Fabio en Kim on za 14/06/2014 at 23:20:47,13.
Microsoft Windows 7 Home Premium 6.1.7600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Fabio en Kim\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SQ2UKZ75\zoek.exe [Scan all users] [Script inserted] [Checkboxes used]

==== System Restore Info ======================

14/06/2014 23:28:39 Zoek.exe System Restore Point Created Succesfully.

==== Empty Folders Check ======================

C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\WebSpades deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\log deleted successfully
C:\PROGRA~3\374311380 deleted successfully
C:\PROGRA~3\Babylon deleted successfully
C:\PROGRA~3\Oracle deleted successfully
C:\PROGRA~3\PlotSoft deleted successfully
C:\Users\Fabio en Kim\AppData\Roaming\Google deleted successfully
C:\Users\Fabio en Kim\AppData\Roaming\Nico Mak Computing deleted successfully
C:\Users\Fabio en Kim\AppData\Roaming\TP deleted successfully
C:\Users\Fabio en Kim\AppData\Roaming\WinRAR deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3483026535-1613976268-3221359994-1001\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} deleted successfully
HKEY_USERS\S-1-5-21-3483026535-1613976268-3221359994-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} deleted successfully
HKEY_USERS\S-1-5-21-3483026535-1613976268-3221359994-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE} deleted successfully
HKEY_USERS\S-1-5-21-3483026535-1613976268-3221359994-1001\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A} deleted successfully
HKEY_USERS\S-1-5-21-3483026535-1613976268-3221359994-1001\Software\Microsoft\Internet Explorer\SearchScopes\{d3f22a84-2a84-49eb-91e6-5dadaaf0165d} deleted successfully
HKEY_USERS\S-1-5-21-3483026535-1613976268-3221359994-1001\Software\Microsoft\Internet Explorer\SearchScopes\{EB421E4D-12F0-47F2-8DA9-994685CD4E2B} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Running Processes ======================

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\programdata\miniapp\sw-booster\SW-Booster.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update\1.3.23.9\GoogleCrashHandler.exe
C:\Windows\SysWOW64\ezSharedSvcHost.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\PROGRA~2\MYWEBF~2\bar\1.bin\5abarsvc.exe
C:\Program Files (x86)\Online Games Manager\ogmservice.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_13_0_0_214_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe
C:\Windows\SysWOW64\cmd.exe

==== Deleting Services ======================

==== FireFox Fix ======================

ProfilePath: C:\Users\FABIOE~1\AppData\Roaming\Mozilla\Firefox\Profiles\draogfpj.default-1382538325605

---- Lines WebSearch removed from prefs.js ----
user_pref("browser.search.defaulturl", "http://websearch.searchsun.info/?pid=724&r=2014/05/02&hid=18133215223256189933&lg=EN&cc=BE&l=1&q=");

---- Lines mindspark removed from prefs.js ----
user_pref("extensions.toolbar.mindspark._paMembers_.BUTTON_STRUCTURE", "[{\"b\":221359831,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221359832,
user_pref("extensions.toolbar.mindspark._paMembers_.firstKnownVersion", "6.33.3.52561");
user_pref("extensions.toolbar.mindspark._paMembers_.homepage", "http://home.tb.ask.com/index.jhtml?ptb=8CE7565D-5258-484C-9B68-FDCFC2189B1B&n=780bf79c
user_pref("extensions.toolbar.mindspark._paMembers_.initialized", true);
user_pref("extensions.toolbar.mindspark._paMembers_.installation.contextKey", "");
user_pref("extensions.toolbar.mindspark._paMembers_.installation.installDate", "2014050204");
user_pref("extensions.toolbar.mindspark._paMembers_.installation.partnerId", "^Z1^yyyyyy^YYA^be");
user_pref("extensions.toolbar.mindspark._paMembers_.installation.partnerSubId", "");
user_pref("extensions.toolbar.mindspark._paMembers_.installation.pixelUrl", "http://www.filmfanatic.com/install_pixels.jhtml?partner=^Z1^yyyyyy^YYA^be
user_pref("extensions.toolbar.mindspark._paMembers_.installation.success", true);
user_pref("extensions.toolbar.mindspark._paMembers_.installation.toolbarId", "8CE7565D-5258-484C-9B68-FDCFC2189B1B");
user_pref("extensions.toolbar.mindspark._paMembers_.installKeysSource", "Cookies");
user_pref("extensions.toolbar.mindspark._paMembers_.installType", "XPI");
user_pref("extensions.toolbar.mindspark._paMembers_.isCompliantUninstallImplementation", true);
user_pref("extensions.toolbar.mindspark._paMembers_.lastActivePing", "1402740464207");
user_pref("extensions.toolbar.mindspark._paMembers_.lastKnownVersion", "6.52.4.4618");
user_pref("extensions.toolbar.mindspark._paMembers_.options.defaultSearch", false);
user_pref("extensions.toolbar.mindspark._paMembers_.options.homePageEnabled", false);
user_pref("extensions.toolbar.mindspark._paMembers_.options.keywordEnabled", false);
user_pref("extensions.toolbar.mindspark._paMembers_.options.tabEnabled", false);
user_pref("extensions.toolbar.mindspark._paMembers_.partnerPixelFired", true);
user_pref("extensions.toolbar.mindspark._paMembers_.successUrl", "http://www.filmfanatic.com/installComplete.jhtml");
user_pref("extensions.toolbar.mindspark._paMembers_.toolbarCollapsed", true);
user_pref("extensions.toolbar.mindspark._paMembers_.weather.location", "10001");
user_pref("extensions.toolbar.mindspark.lastInstalled", "filmfanatic2@mindspark.com");

---- Lines crossrider removed from prefs.js ----
user_pref("extensions.crossrider.bic", "145bd567982fbc7fdb1ba2c991c71112");

---- Lines ffxtbr modified from prefs.js ----
user_pref("extensions.enabledAddons", "paffxtbr%40FilmFanatic.com:6.52.4.4618,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:29.0.1");
user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"smartwebprinting@hp.com\":{\"descriptor\":\"C:\\\\Program Files (

---- Lines extensions.4S4 removed from prefs.js ----
user_pref("extensions.4S4.epoch", "1402826868");
user_pref("extensions.4S4.url", "http://toolkitjob.info/sync2/?q=hfZ9oeV8hfa7tNbPhd9EtMqLDe49CNU0nUkMCMlNhd9Fqda8rTnFrHa8qdYMBzqUojw9rdgFqdwErdC9pih7h

---- Lines extensions.5KZ6 removed from prefs.js ----
user_pref("extensions.5KZ6.epoch", "1402826867");
user_pref("extensions.5KZ6.url", "http://jpiservice.info/sync2/?q=hfZ9ofq7CShEAen0qHC6tMqLDe49CNU0nUkMCMlNhd9Fqda7rdkFqjs7rdaMBzqUojw9rdgFqdwErdC9qGh7

---- Lines extensions.Hr28 removed from prefs.js ----
user_pref("extensions.Hr28.epoch", "1402826866");
user_pref("extensions.Hr28.url", "http://jpiproxy.info/sync2/?q=hfZ9oeZJh7YMCyVUojaMg708BNmGWj8cmihGheDUojw9rdgFrjw7rdnGrGhIC7n0rjnEqTw9rjaEqHa4tNhVCT

---- Lines extensions.MEfnZW9vm removed from prefs.js ----
user_pref("extensions.MEfnZW9vm.epoch", "1402826866");
user_pref("extensions.MEfnZW9vm.url", "http://groupstyleusa.info/sync2/?q=hfZ9oeh7h7sMCyVUojaMg708BNmGWj8cmihGheDUojw9rdkGqTwFrdsGrihIC7n0rjnEqTw9rjaE

---- Lines extensions._8E removed from prefs.js ----
user_pref("extensions._8E.epoch", "1402826865");
user_pref("extensions._8E.url", "http://safe-easy.com/sync2/?q=hfZ9ofq7BNnMCyVUojCGqchTB6lKDzt4oktxtNtVh7n0rjnEqjaGrjs8qTaGtMFHhd9Fqda7rjnFrda7rTaMDMl

---- Lines extensions._LZrsgHnd removed from prefs.js ----
user_pref("extensions._LZrsgHnd.epoch", "1402826866");
user_pref("extensions._LZrsgHnd.url", "http://fasten-tech.com/sync2/?q=hfZ9ofV9CShEAen0qHs9tMqLDe49CNU0nUkMCMlNhd9Fqda8rdsFrTk7rTnMBzqUojw9rdgFqdwErdC

---- Lines extensions.rqa8xnFkBy removed from prefs.js ----
user_pref("extensions.rqa8xnFkBy.epoch", "1402826866");
user_pref("extensions.rqa8xnFkBy.url", "http://foreveryboxzip.ru/sync2/?q=hfZ9oeJQAchEAen0rchTB6lKDzt4oktxtNtVh7n0rjnEqja4rjkErdn9tMFHhd9Fqda7rjnFrda6

---- Lines extensions.weycZ removed from prefs.js ----
user_pref("extensions.weycZ.epoch", "1402826867");
user_pref("extensions.weycZ.url", "http://json-jpi.info/sync2/?q=hfZ9ofDSBShEAen0qHs9tMqLDe49CNU0nUkMCMlNhd9Fqda8rdsFrTk6rjYMBzqUojw9rdgFqdwErdC9pih7h

---- FireFox user.js and prefs.js backups ----
user_20141406_2346_.backup
prefs_20141406_2346_.backup

ProfilePath: C:\Users\FABIOE~1\AppData\Roaming\Mozilla\Firefox\Profiles\jqijcl9p.default

---- Lines dokotoolbar removed from prefs.js ----
user_pref("extensions.dokotoolbar.admin", false);
user_pref("extensions.dokotoolbar.aflt", "babsst");
user_pref("extensions.dokotoolbar.appId", "{43083724-E0DA-43B9-B7D5-4C5EB0781850}");
user_pref("extensions.dokotoolbar.autoRvrt", "false");
user_pref("extensions.dokotoolbar.dfltLng", "nl");
user_pref("extensions.dokotoolbar.excTlbr", false);
user_pref("extensions.dokotoolbar.ffxUnstlRst", true);
user_pref("extensions.dokotoolbar.id", "c4763eae00000000000000ffaeafc257");
user_pref("extensions.dokotoolbar.instlDay", "15994");
user_pref("extensions.dokotoolbar.instlRef", "sst");
user_pref("extensions.dokotoolbar.newTab", false);
user_pref("extensions.dokotoolbar.prdct", "dokotoolbar");
user_pref("extensions.dokotoolbar.prtnrId", "dokotoolbar");
user_pref("extensions.dokotoolbar.rvrt", "false");
user_pref("extensions.dokotoolbar.smplGrp", "none");
user_pref("extensions.dokotoolbar.tb_url", "http://www.doko-search.com/?q={searchTerms}&babsrc=TB_ss&mntrId=C47600FFAEAFC257&affID=125836&tsp=5037");
user_pref("extensions.dokotoolbar.tlbrId", "base");
user_pref("extensions.dokotoolbar.tlbrSrchUrl", "http://www.doko-search.com/?q={searchTerms}&babsrc=TB_ss&mntrId=C47600FFAEAFC257&affID=125836&tsp=503
user_pref("extensions.dokotoolbar.vrsn", "1.8.26.9");
user_pref("extensions.dokotoolbar.vrsni", "1.8.26.9");
user_pref("extensions.dokotoolbar.vrsnTs", "1.8.26.921:36:51");

---- Lines conduit modified from prefs.js ----
user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"smartwebprinting@hp.com\":{\"descriptor\":\"C:\\\\Program Files (

---- Lines WebSearch removed from prefs.js ----
user_pref("extensions.toolbar.mindspark._5aMembers_.homepage", "http://home.mywebsearch.com/index.jhtml?ptb=A109898B-8979-42C8-9FCD-458653334F86&n=77f

---- Lines mindspark removed from prefs.js ----
user_pref("extensions.toolbar.mindspark._5aMembers_.hp.user.defined", true);
user_pref("extensions.toolbar.mindspark._5aMembers_.initialized", true);
user_pref("extensions.toolbar.mindspark._5aMembers_.installation.contextKey", "");
user_pref("extensions.toolbar.mindspark._5aMembers_.installation.installDate", "2013102316");
user_pref("extensions.toolbar.mindspark._5aMembers_.installation.partnerId", "GRfox000");
user_pref("extensions.toolbar.mindspark._5aMembers_.installation.partnerSubId", "");
user_pref("extensions.toolbar.mindspark._5aMembers_.installation.success", true);
user_pref("extensions.toolbar.mindspark._5aMembers_.installation.toolbarId", "A109898B-8979-42C8-9FCD-458653334F86");
user_pref("extensions.toolbar.mindspark._5aMembers_.lastActivePing", "1382537116467");
user_pref("extensions.toolbar.mindspark._5aMembers_.weather.location", "10001");
user_pref("extensions.toolbar.mindspark.lastInstalled", "mywebface@mindspark.com");

---- Lines ffxtbr modified from prefs.js ----
user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"smartwebprinting@hp.com\":{\"descriptor\":\"C:\\\\Program Files (

---- FireFox user.js and prefs.js backups ----
user_20141406_2346_.backup
prefs_20141406_2346_.backup

ProfilePath: C:\Users\FABIOE~1\AppData\Roaming\Thunderbird\Profiles\l0h1m7z0.default
user.js not found

---- FireFox user.js and prefs.js backups ----
prefs_20141406_2346_.backup

==== Registry Fix Code ======================

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"bProtector Start Page"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"bProtectorDefaultScope"=-

==== Registry Fix Code x64 ======================

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14F1CBA0-CD7A-0C7E-466E-D17C1DCCBF7E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EF5DC02-5D43-CB39-419E-6029B8DAD40B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24971994-14D7-DB27-B584-FC6F64C1A8AA}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B745F5C-0FD5-D414-9D3D-AB7FF7FACD66}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4DE24FB6-5FFC-06DF-FF84-A342BBB9477C}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88FAEEBD-DBBF-E8D0-34BB-1EF2697CEF13}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8C9295DB-325A-A523-DB79-0236F023286B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E3A3E48A-5DC4-FB02-E037-1B3A3A6C305C}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall C:\Users\Fabio en Kim\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112_1\amd64"=-
"Uninstall C:\Users\Fabio en Kim\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112_1"=-
"Uninstall C:\Users\Fabio en Kim\AppData\Local\Microsoft\SkyDrive\17.0.2015.0811\amd64"=-
"Uninstall C:\Users\Fabio en Kim\AppData\Local\Microsoft\SkyDrive\17.0.4029.0217\amd64"=-
"Uninstall C:\Users\Fabio en Kim\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64"=-

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
""=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-