Author Topic: [Resolved - K] Police Report Malware  (Read 5686 times)

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Resolved - K] Police Report Malware
« Reply #15 on: August 07, 2015, 01:59:07 PM »
If there are no Safe Mode options available, then maybe a repair install of Windows XP is the only option we have left; see if you can understand the following instructions. Also, before taking this option, be aware that as XP is no longer supported, updates are no longer available...

I don't want you to do a recovery or full install but a repair install, and see if that gets you up and running.

1. Place your XP CD in the tray and reboot; you should see the following image as it boots:



When the "Press any key to boot from CD" message is displayed on your screen, press a key to start your computer from the Windows XP CD. If you do not see that image, you will have to change the boot order in the BIOS.

2. Press ENTER when you see the message "To set up Windows XP now, press ENTER" displayed on the Welcome to Setup screen.

3. Do NOT choose the option to press R to use the Recovery Console.

4. On the Windows XP Licensing Agreement screen, press F8 to agree to the license agreement.

5. Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.

6. Follow the instructions on the screen to complete Setup.

This will install your OS over the top of the original; no data should be lost that way.

Obviously some updates will be lost, possibly even a full service pack, depending on the version of the CD you have...

If necessary we can still get SP3 (service pack 3) from here: http://windows.microsoft.com/en-gb/windows/service-packs-download#sptabs=xp

Tell me your thoughts, is this an option you will try?

Thank you,

Kevin...

Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #16 on: August 09, 2015, 02:02:56 PM »
Hi Kevin.

Sorry it took me a little while to get back to you; I had a couple of extra work issues come up that I had to deal with. Well, I decided that before I ran a repair install, I'd give Kaspersky one more try. So I went to boot from the disc, and of course the first thing I get is the Kaspersky splash screen. But then it clears, and my machine proceeds to finish booting into regular Windows... this time with no white screen. So while I was in, I ran scans with MBAM and with AVG. They found nothing. I did a second normal reboot and it works fine. So, even though I had issues initially with the rescue disc, it must have actually worked. No idea why that initial Windows reboot still had the issue, but the second reboot did it. Is there anything else I need to run, or possibly pull up any reports you need to look at? I appreciate the help.

Chip

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Resolved - K] Police Report Malware
« Reply #17 on: August 09, 2015, 02:27:04 PM »
Hiya Chip,

Well, good news at last. I was surprised when Kaspersky 10 seemed to have failed, as I've used it successfully many times against the infection you had. Probably a good idea to run a couple of diagnostic scans to see what remains on your system...

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Next,

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.
Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Then:

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

Let me see those logs...

Cheers,

Kevin...
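
Reading the logs Kevin asks for is the real work, and the same few patterns come up in most of them: entries FRST itself tags with "ATTENTION" (such as the Internet Explorer policy restrictions in the FRST.txt posted later in this thread), a browser proxy pointed at the loopback address (that log shows http=127.0.0.1:5577 for IE, which no legitimate program on the machine is listed as serving), and registered drivers or shell hooks whose file no longer exists ("[X]", "no ImagePath", "No File"). The Python script below is an added example written for this page; it is not part of the thread and not part of FRST. It triages a log for those three patterns and drafts a fixlist from the hits. The sample log text is constructed in FRST's line format with illustrative values; the check names, the `triage` and `draft_fixlist` functions, and the assumption that FRST's fix mode takes log lines copied verbatim between "Start::" and "End::" markers are mine.

```python
"""Triage an FRST.txt scan log: flag the entries a malware-removal helper
looks at first, and draft an FRST fixlist from them.

Added example, not part of the forum thread or of the FRST tool. The line
formats are FRST's; the sample values are constructed for illustration.
"""
import re

# Constructed sample modelled on FRST.txt lines (not a real scan).
SAMPLE_FRST_LOG = r"""
==================== Internet (Whitelisted) ====================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:5577
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
===================== Drivers (Whitelisted) ==========================
R0 GUBootStartup; C:\WINDOWS\System32\drivers\GUBootStartup.sys [17088 2014-05-15] (Glarysoft Ltd)
S0 BootDefragDriver; System32\drivers\BootDefragDriver.sys [X]
S0 Cdr4vsd; no ImagePath
"""

# FRST section headers look like "==== Name ====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# (check name, pattern, why a helper cares). These are heuristics, not
# verdicts: every hit still needs a human to decide if it belongs in the fix.
CHECKS = [
    ("attention", re.compile(r"<=+ ATTENTION\s*$"),
     "FRST itself marked the entry for attention"),
    ("loopback-proxy",
     re.compile(r"^ProxyServer:.*\b(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):\d+", re.I),
     "browser proxy points at this machine; unless a local proxy was installed "
     "on purpose, something on the box sits between the browser and the network"),
    ("missing-file",
     re.compile(r"(\[X\]|\bno ImagePath|=>\s+No File)\s*$"),
     "registered driver/hook whose file is gone: an orphan that can block boot "
     "or is residue that was never cleaned up"),
]


def triage(log_text):
    """Return findings in log order: one dict per flagged line with the
    section it came from, the verbatim line, and the checks it triggered."""
    findings = []
    section = "(preamble)"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        hits = [name for name, pattern, _ in CHECKS if pattern.search(line)]
        if hits:
            findings.append({"section": section, "line": line, "checks": hits})
    return findings


def draft_fixlist(findings):
    """Draft a fixlist.txt from the flagged lines. Assumption: FRST's fix mode
    accepts lines copied verbatim from its own log between Start:: and End::
    markers, so the lines are reproduced unchanged for a helper to prune."""
    return ["Start::"] + [f["line"] for f in findings] + ["End::"]


if __name__ == "__main__":
    reasons = {name: why for name, _, why in CHECKS}
    found = triage(SAMPLE_FRST_LOG)
    for f in found:
        print(f"[{f['section']}] {f['line']}")
        for name in f["checks"]:
            print(f"    {name}: {reasons[name]}")
    print()
    print("\n".join(draft_fixlist(found)))
```

The loopback check deliberately ignores proxies that point at another host, since a corporate or filtering proxy is normal; what is not normal is a browser proxied through a port on its own machine with no program on the process list accounting for it. Run the script on a real FRST.txt by reading the file into `triage` instead of the constructed sample, and treat the drafted fixlist as a starting point for review, not something to run blind.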

Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #18 on: August 09, 2015, 02:33:18 PM »
Thanks Kevin,

I know Kaspersky is a great program and it kind of surprised me as well. I have used Farbar before. I need to go into work so I'll hit it all tomorrow and get the logs to you. Thanks again.

Chip

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Resolved - K] Police Report Malware
« Reply #19 on: August 09, 2015, 03:12:55 PM »
Thanks for the update, post logs whenever you're ready..... :)
« Last Edit: August 10, 2015, 12:15:41 PM by kevinf80 »

Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #20 on: August 09, 2015, 04:44:21 PM »
Hi Kevin, had a few minutes. Here's the FRST stuff:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:09-08-2015
Ran by Owner (administrator) on OWNER-3904C3CFA (09-08-2015 18:25:22)
Running from C:\Documents and Settings\Owner\desktop
Loaded Profiles: Owner (Available Profiles: Owner & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
(Carbonite, Inc.) C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
() C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
(Sony Corporation) C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgidsagent.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2006-02-09] (ATI Technologies, Inc.)
HKLM\...\Run: [Carbonite Backup] => C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1056976 2014-06-27] (Carbonite, Inc.)
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\Run: [GUDelayStartup] => C:\Program Files\Glary Utilities 5\StartupManager.exe [37152 2014-05-14] (Glarysoft Ltd)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
BootExecute: autocheck autochk *  BootDefrag.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-117609710-1801674531-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:5577
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-117609710-1801674531-725345543-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKU\S-1-5-21-117609710-1801674531-725345543-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files\AVG\AVG2012\avgdtiex.dll [2012-10-15] (AVG Technologies CZ, s.r.o.)
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO: DriveLetterAccess -> {5CA3D70E-1895-11CF-8E15-001234567890} -> C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13] (Sonic Solutions)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-02-26] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-02-26] (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll [2012-03-27] (AVG Technologies CZ, s.r.o.)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{61D028E3-200A-4392-904E-EDE5C5179C05}: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2q7p36am.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-22] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1214154.dll [2014-11-07] (Adobe Systems, Inc.)
FF Plugin: @canon.com/EPPEX -> C:\Program Files\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2011-10-17] (Google)
FF Plugin: @java.com/DTPlugin,version=10.15.2 -> C:\WINDOWS\system32\npDeployJava1.dll [2013-02-26] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.15.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-02-26] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2014-06-04] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [No File]
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll [2014-06-04] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-12-18] (Adobe Systems Inc.)
FF Plugin: nuance.com/DragonRIAPlugin -> C:\PROGRA~1\Nuance\NATURA~1\Program\npDgnRia.dll [2013-10-15] (Nuance Communications Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2012-12-18] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2014-06-04] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll [2012-12-07] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll [2014-06-04] (RealPlayer)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-02-22]
FF HKLM\...\Firefox\Extensions: [jid0-lmZNVK7a82O8cufhdfB9dUDfA2w@jetpack] - C:\Program Files\Nuance\NaturallySpeaking12\Program\ffShim.xpi
FF Extension: Dragon NaturallySpeaking Rich Internet Application Support - C:\Program Files\Nuance\NaturallySpeaking12\Program\ffShim.xpi [2013-10-15]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-06-04]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack
FF Extension: AVG Do Not Track - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack [2012-09-27]
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4 [2012-03-17]
FF HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\Firefox\Extensions: [{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26}] - C:\Documents and Settings\Owner\Local Settings\Application Data\{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26}
FF Extension: Mozilla Safe Browsing - C:\Documents and Settings\Owner\Local Settings\Application Data\{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26} [2012-07-21]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-13]
CHR Extension: (Google Docs) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-13]
CHR Extension: (Google Drive) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-20]
CHR Extension: (YouTube) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-13]
CHR Extension: (Google Search) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-13]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-13]
CHR Extension: (RealDownloader) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2014-10-13]
CHR Extension: (Dragon NaturallySpeaking Rich Internet Application Support) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mikhcaiakabeeokmenglcdebplfdjicn [2014-10-13]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-13]
CHR Extension: (Gmail) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-13]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [mikhcaiakabeeokmenglcdebplfdjicn] - C:\Program Files\Nuance\NaturallySpeaking12\Program\chromeShim.crx [2013-10-15]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
R2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [5058256 2014-06-27] (Carbonite, Inc. (www.carbonite.com))
S3 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [311184 2013-10-15] (Nuance Communications, Inc.)
R2 ehRecvr; C:\WINDOWS\eHome\ehRecvr.exe [194560 2004-08-10] (Microsoft Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [170912 2013-02-26] (Oracle Corporation)
S3 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [395640 2014-05-06] (Eastman Kodak Company)
S3 Kodak AiO Status Monitor Service; C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [780152 2013-12-11] (Eastman Kodak Company)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 MHN; C:\WINDOWS\System32\mhn.dll [85504 2004-08-10] (Microsoft Corporation) [File not signed]
R2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
R2 PMBDeviceInfoProvider; C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [459832 2012-02-15] (Sony Corporation)
S3 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-01-10] (Secunia)
S4 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-01-10] (Secunia)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [25920 1998-11-12] (Adaptec)
R3 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\WINDOWS\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [301920 2012-08-24] (AVG Technologies CZ, s.r.o.)
S3 AX88772; C:\WINDOWS\System32\DRIVERS\ax88772.sys [17920 2004-08-05] (ASIX Electronics Corp.) [File not signed]
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2005-03-22] (Adaptec, Inc.) [File not signed]
R0 drvmcdb; C:\WINDOWS\System32\drivers\drvmcdb.sys [87136 2004-08-04] (Sonic Solutions) [File not signed]
R2 drvnddm; C:\WINDOWS\System32\drivers\drvnddm.sys [40544 2004-08-13] (Sonic Solutions) [File not signed]
R0 GUBootStartup; C:\WINDOWS\System32\drivers\GUBootStartup.sys [17088 2014-05-15] (Glarysoft Ltd)
S3 htcusbnet; C:\WINDOWS\System32\DRIVERS\htcusbnet.sys [128512 2010-12-15] (HTC Corporation)
R3 IntelC51; C:\WINDOWS\System32\DRIVERS\IntelC51.sys [1339776 2005-05-06] (Intel Corporation)
R3 IntelC52; C:\WINDOWS\System32\DRIVERS\IntelC52.sys [618880 2006-03-01] (Intel Corporation)
R3 IntelC53; C:\WINDOWS\System32\DRIVERS\IntelC53.sys [47360 2005-05-06] (Intel Corporation)
R0 Lbd; C:\WINDOWS\System32\DRIVERS\Lbd.sys [64288 2010-07-23] (Lavasoft AB)
R2 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [121560 2015-06-18] (Malwarebytes Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [98520 2015-08-09] (Malwarebytes Corporation)
S3 MHNDRV; C:\WINDOWS\System32\DRIVERS\mhndrv.sys [11008 2004-08-10] (Microsoft Corporation) [File not signed]
R3 mohfilt; C:\WINDOWS\System32\DRIVERS\mohfilt.sys [36880 2005-05-06] (Intel Corporation)
R3 MxlW2k; C:\WINDOWS\system32\Drivers\MxlW2k.sys [28276 2010-09-09] (MusicMatch, Inc.) [File not signed]
R3 P17; C:\WINDOWS\System32\drivers\P17.sys [1127936 2007-06-15] (Creative Technology Ltd.)
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
R1 sscdbhk5; C:\WINDOWS\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions) [File not signed]
R1 ssrtln; C:\WINDOWS\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions) [File not signed]
R2 tfsnboio; C:\WINDOWS\System32\dla\tfsnboio.sys [25723 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsncofs; C:\WINDOWS\System32\dla\tfsncofs.sys [34843 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsndrct; C:\WINDOWS\System32\dla\tfsndrct.sys [4123 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsndres; C:\WINDOWS\System32\dla\tfsndres.sys [2239 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnifs; C:\WINDOWS\System32\dla\tfsnifs.sys [86202 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnopio; C:\WINDOWS\System32\dla\tfsnopio.sys [14715 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnpool; C:\WINDOWS\System32\dla\tfsnpool.sys [6363 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnudf; C:\WINDOWS\System32\dla\tfsnudf.sys [98714 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnudfa; C:\WINDOWS\System32\dla\tfsnudfa.sys [100603 2004-08-13] (Sonic Solutions) [File not signed]
S0 BootDefragDriver; System32\drivers\BootDefragDriver.sys [X]
S0 Cdr4vsd; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-09 18:25 - 2015-08-09 18:26 - 00022703 _____ C:\Documents and Settings\Owner\desktop\FRST.txt
2015-08-09 18:24 - 2015-08-09 18:24 - 01674752 _____ (Farbar) C:\Documents and Settings\Owner\desktop\FRST.exe
2015-08-07 04:14 - 2015-08-07 06:56 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-08-06 20:51 - 2015-08-07 01:34 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2015-07-24 19:01 - 2015-07-24 19:03 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJMIG
2015-07-24 18:59 - 2015-07-24 19:00 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJScan
2015-07-24 18:16 - 2015-07-24 18:16 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Canon Printer
2015-07-24 18:13 - 2015-07-24 18:13 - 00003698 _____ C:\Documents and Settings\Owner\desktop\PSA Passwords.eml
2015-07-24 15:41 - 2015-07-24 15:41 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJFAX
2015-07-24 15:41 - 2012-05-25 09:21 - 00103936 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLU.dll
2015-07-24 15:40 - 2012-09-21 09:33 - 00321024 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLL.dll
2015-07-24 15:40 - 2012-05-25 09:20 - 00263168 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLC.dll
2015-07-24 15:40 - 2012-05-25 09:20 - 00096768 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLI.dll
2015-07-24 15:40 - 2012-05-15 15:58 - 00098048 _____ C:\WINDOWS\system32\CNC176BD.TBL
2015-07-24 15:40 - 2008-08-25 18:02 - 00015872 _____ (CANON INC.) C:\WINDOWS\system32\CNHMCA.dll
2015-07-24 15:39 - 2015-07-24 15:39 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX920 series User Registration
2015-07-24 15:25 - 2015-07-24 15:25 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX920 series Manual
2015-07-24 06:22 - 2015-07-24 06:22 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJEGV
2015-07-24 06:20 - 2015-07-24 06:20 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJQuickMenu
2015-07-24 06:13 - 2015-07-24 06:13 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Canon Easy-WebPrint EX
2015-07-24 06:12 - 2015-07-24 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
2015-07-24 05:59 - 2012-09-21 05:00 - 00258560 _____ (CANON INC.) C:\WINDOWS\system32\CNCALBL.DLL
2015-07-24 05:58 - 2015-07-24 05:58 - 00000000 ___HD C:\Program Files\CanonBJ
2015-07-24 05:58 - 2012-09-20 05:00 - 00315904 _____ (CANON INC.) C:\WINDOWS\system32\CNMLMBL.DLL
2015-07-24 05:57 - 2015-07-24 05:57 - 00000000 ____D C:\WINDOWS\system32\STRING
2015-07-24 05:57 - 2012-07-31 04:47 - 00366592 _____ (CANON INC.) C:\WINDOWS\system32\CNMNPPM.DLL
2015-07-24 05:57 - 2012-07-31 04:47 - 00035840 _____ (CANON INC.) C:\WINDOWS\system32\CNMNPUI.DLL
2015-07-24 05:56 - 2015-07-24 05:56 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJETV
2015-07-20 14:53 - 2015-07-20 14:53 - 00088683 _____ C:\Documents and Settings\Owner\desktop\May 28 Seniority List-1.xlsx
2015-07-17 03:05 - 2012-11-03 14:07 - 00205975 _____ C:\Documents and Settings\Owner\desktop\CooksIllustrated_com Customer Service.mht
2015-07-11 14:29 - 2015-07-11 14:29 - 00000000 __SHD C:\found.001
2015-07-10 23:11 - 2015-07-10 23:13 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Pics Unsorted

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-09 18:26 - 2012-03-17 02:45 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\temp
2015-08-09 18:25 - 2014-07-17 03:58 - 00000000 ____D C:\FRST
2015-08-09 15:43 - 2015-04-08 15:42 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-08-09 15:41 - 2010-05-11 11:29 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-08-09 15:41 - 2010-05-11 11:29 - 00000048 _____ C:\WINDOWS\wiaservc.log
2015-08-09 15:40 - 2010-05-11 15:58 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-08-09 15:39 - 2015-04-08 15:41 - 00000777 _____ C:\Documents and Settings\All Users\desktop\Malwarebytes Anti-Malware.lnk
2015-08-09 15:39 - 2015-04-08 15:41 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-09 15:39 - 2015-04-08 15:41 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-09 15:39 - 2014-09-03 15:23 - 00256596 _____ C:\WINDOWS\WindowsUpdate.log
2015-08-09 15:39 - 2010-05-11 15:58 - 00032648 _____ C:\WINDOWS\SchedLgU.Txt
2015-08-09 15:39 - 2010-05-11 15:58 - 00000178 ___SH C:\Documents and Settings\Owner\ntuser.ini
2015-08-09 07:38 - 2011-04-13 02:18 - 00000000 ____D C:\WINDOWS\system32\Drivers\AVG
2015-08-09 07:05 - 2004-08-10 08:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2015-08-06 21:08 - 2011-06-21 23:07 - 00000000 ____D C:\Documents and Settings\Administrator
2015-08-06 21:08 - 2010-05-11 15:58 - 00000000 ____D C:\Documents and Settings\Owner
2015-08-06 21:08 - 2010-05-11 15:55 - 00000000 __SHD C:\Documents and Settings\NetworkService
2015-08-06 20:52 - 2010-05-11 15:58 - 00000000 __SHD C:\Documents and Settings\LocalService
2015-08-03 12:36 - 2014-05-15 16:35 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\DiskDefrag
2015-07-28 23:00 - 2010-05-11 15:47 - 00000000 ____D C:\WINDOWS\Registration
2015-07-26 16:30 - 2010-05-12 09:08 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\media cbs
2015-07-24 19:00 - 2010-10-21 00:01 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Canon
2015-07-24 16:21 - 2015-03-30 14:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
2015-07-24 16:21 - 2015-01-02 18:08 - 00160136 _____ C:\WINDOWS\setupapi.log
2015-07-24 15:42 - 2010-06-07 11:03 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon Utilities
2015-07-24 15:42 - 2010-06-07 11:00 - 00000000 ____D C:\Program Files\Canon
2015-07-24 15:41 - 2010-05-11 11:20 - 00000000 ____D C:\WINDOWS\twain_32
2015-07-24 15:41 - 2010-05-11 11:20 - 00000000 ____D C:\WINDOWS\Media
2015-07-24 07:13 - 2012-03-17 23:11 - 01907950 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-117609710-1801674531-725345543-1003-0.dat
2015-07-24 07:13 - 2012-03-17 23:11 - 00170798 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-07-23 02:23 - 2015-01-28 04:19 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Aviation
2015-07-22 18:50 - 2010-05-19 13:06 - 00000116 _____ C:\WINDOWS\NeroDigital.ini
2015-07-15 06:15 - 2012-03-19 04:15 - 00000308 _____ C:\Documents and Settings\Owner\My Documents\spider.sav
2015-07-10 23:37 - 2013-01-28 04:36 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Funny Pics

==================== Files in the root of some directories =======

2012-12-04 02:32 - 2012-12-04 02:32 - 0751078 _____ () C:\Documents and Settings\Owner\Application Data\1.bmp
2015-03-17 17:37 - 2015-03-17 17:37 - 0000049 _____ () C:\Documents and Settings\Owner\Application Data\232.txt
2015-03-17 17:36 - 2015-03-17 17:36 - 0000048 _____ () C:\Documents and Settings\Owner\Application Data\292.txt
2015-03-17 17:26 - 2015-03-17 17:36 - 0000003 _____ () C:\Documents and Settings\Owner\Application Data\rgsuseropened.txt
2011-12-16 20:14 - 2011-12-16 20:14 - 0000000 _____ () C:\Documents and Settings\Owner\Application Data\xfFRj.txt
2010-05-19 13:03 - 2015-04-26 00:11 - 0218112 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-23 17:44 - 2013-01-23 17:44 - 0026900 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\dt.dat
2010-07-12 00:53 - 2010-07-12 00:53 - 0000128 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

Some files in TEMP:
====================
C:\Documents and Settings\Owner\Local Settings\temp\MSETUP4.EXE
C:\Documents and Settings\Owner\Local Settings\temp\uninstall.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #21 on: August 09, 2015, 04:47:40 PM »
And here's the FSS

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Resolved - K] Police Report Malware
« Reply #22 on: August 10, 2015, 02:32:41 PM »
Thanks for those logs, before I progress can you clarify one point. Are you aware of the following proxy running in Internet Explorer?

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:5577

Thanks...

Kevin..

Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #23 on: August 11, 2015, 04:18:40 AM »
Actually, I was not. I pretty much never use IE anyway. Just have it as a backup.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Resolved - K] Police Report Malware
« Reply #24 on: August 11, 2015, 03:05:01 PM »
Thanks for the update/info. .default proxies are often difficult to remove; a better option is to run a reg fix....

Please follow these instructions carefully:

Open Notepad, check the Format Menu and make sure Word Wrap is NOT selected. Then copy and paste the following from inside the code box to Notepad:

Code:
Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings"=-
"DefaultConnectionSettings"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=-
"ProxyServer"=-


Next, Click on the File Menu, then Save As ... and click on the drop down menu to change the file type to All Files.

Next navigate to your desktop, and enter the file name fixme.reg, and click Save.

You should now find a new file on your desktop named fixme.reg. Double click on fixme.reg. You will get a warning; agree to the merge, and then a message that the file has been merged will immediately pop up.

Then reboot.

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box: 'Could not load DDA driver'

  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
      XML file (*.xml) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply

  • Recommend you use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log into your reply…


If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....
Next,

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt, where n is the scan reference number.
Next,

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select "Run as Administrator"; the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan.
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

Post those logs, also let me know if there are any remaining issues or concerns...

Thanks,

Kevin....

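As an added example (not part of kevinf80's instructions or of FRST), the short Python below parses a REGEDIT5-style fix like the fixme.reg above and reports what each line will do, then applies the one check that matters in this thread: whether a ProxyServer value points back at the local machine, as `http=127.0.0.1:5577` does. The .reg text is a constructed copy of the fix posted above; the helper names are mine.

```python
"""Added example: explain a .reg fix and flag loopback proxies."""
import re

# Constructed copy of the fix posted in the thread (same content).
FIXME_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings"=-
"DefaultConnectionSettings"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=-
"ProxyServer"=-
'''


def parse_reg(text):
    """Return (action, key, value_name) tuples for a REGEDIT5 file.
    [Key] opens a key, [-Key] deletes a key, "Name"=- deletes a value,
    and "Name"=data sets a value.  A value line outside any key is ignored."""
    actions, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):
                actions.append(("delete_key", inner[1:], None))
                key = None
            else:
                key = inner
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and key is not None:
            name, data = m.groups()
            action = "delete_value" if data == "-" else "set_value"
            actions.append((action, key, name))
    return actions


def is_loopback_proxy(proxy_server):
    """True if any entry of a ProxyServer value ('host:port' or
    'scheme=host:port;...') names the local machine: a local process is
    then sitting between the browser and the network."""
    for entry in proxy_server.split(";"):
        host = entry.split("=", 1)[-1].strip()
        host = host[:host.index("]") + 1] if host.startswith("[") else host.rsplit(":", 1)[0]
        if host.lower().startswith(("127.", "localhost", "[::1]")):
            return True
    return False
```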
Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #25 on: August 12, 2015, 02:38:00 PM »
Thanks Kevin. I have had Malwarebytes Premium and AVG on my system for some time. Granted, one part of the MBAM active protection is not functioning (MBAM is still trying to figure out why). Anyway, I'll get to all this and get back to you as soon as I do. Thanks.

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Resolved - K] Police Report Malware
« Reply #26 on: August 12, 2015, 03:37:17 PM »
Thanks for the update, if you have trouble with Malwarebytes go for a clean install, full instructions at the following link:

https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/

Thanks....

Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #27 on: August 12, 2015, 04:02:45 PM »
Thanks Kevin, I had a few minutes to get started and I have a few questions. I'm not clear what I'm supposed to do on the desktop. I was able to paste the text into notepad, change file type to all and save it to the desktop. But when I double click, I get no messages about merging. Re-reading it, it looks before that you want me to enter a file name on the desktop. But I can't do that without having someplace/something to assign it to, such as a new folder. And am I saving that notepad pad file directly to the desktop? I'm a bit confused, although that's not hard to do. Thanks,

Chip

Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7656
Re: [Resolved - K] Police Report Malware
« Reply #28 on: August 12, 2015, 04:51:37 PM »
I've made up and attached the file for you; it is a zip file "fixme.zip". Extract that zip file to your Desktop; it will now be named "fixme.reg".
Double click on that file, agree to the merge, and a message that the file has been merged will immediately pop up.

Offline chipmeister

  • Bronze Member
  • Posts: 183
Re: [Resolved - K] Police Report Malware
« Reply #29 on: August 13, 2015, 02:27:38 AM »
Thanks Kevin,

I extracted it and it automatically put the extracted file in a folder on the desktop. I double clicked the file in the folder and it asked me if I wanted to add the information to the registry (nothing about merging). Is that the same thing?
