SpywareHammer.com

SpywareHammer Malware Removal Forums => Completed Malware and Rootkit Removal Topics => Topic started by: chipmeister on August 04, 2015, 01:17:01 AM

Title: [Resolved - K] Police Report Malware
Post by: chipmeister on August 04, 2015, 01:17:01 AM
Hi again Spywarehammer,

Went to boot up yesterday and about halfway in the process, got a completely white screen with a text input box and the words "?echo $submit?" and "Waiting payment" in the lower right corner. Could not do anything after that. Tried to reboot again and a little sooner in the process, I opened task manager and saw 'Police Report' in the applications tab. I ended the process but it came right back, eventually it ended up back at the white screen. I tried to reboot into safe mode but it wouldn't work. Actually, I have been unable to boot into safe mode under any circumstances for over a year. But, a little research seems to indicate that that is also something that occurs with this malware. Anyway, that's what I have and once again, could use a little assistance. I'm currently running XP SP3. Thanks.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 04, 2015, 05:18:02 AM
Hello chipmeister,

As you've opened this thread I assume you have access to another PC; if that is true, see if you can create the following tool.....

Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Stage 1

1. Download and run Ultimate Boot CD for Windows: http://www.ubcd4win.com/downloads.htm

NOTES:

2. Insert your XP CD with either SP1/SP2/SP3 into the CD Rom drive


Make the following selections from the Main Screen that pops up:

Builder

Source:(path to Windows installation files)

Custom: (include files and folders from this directory)


Output: (C:\ubcd4win\BartPE)

Media output:


Please note: If your XP install disc is SP1 then please .....


This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

Also note: If you have a Dell XP install disc you will need to follow the instructions here:

http://www.ubcd4win.com/faq.htm#dell


3. Click on the "Build" button


4. Burn your ISO file to CD

Please see http://www.ubcd4win.com/burn.htm on how to burn an ISO to CD.

=====================================

Stage 2


Next, from your clean computer:

Download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your flash drive.
Make sure to get the correct version for your system.
Now plug your flashdrive back into your sick computer and follow the next instructions:

=====================================

Stage 3

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created


You should now have a desktop that looks like this:

(http://i121.photobucket.com/albums/o239/kevinf80/ud4bc.png)

===================================

Stage 4


Please copy and paste the log to your next reply.

Thanks,

Kevin...
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 05, 2015, 12:06:02 AM
Hi Kevin, thanks for picking this up. Having an issue with the link for the Ultimate Boot CD. First time I clicked it, it took me to: http://www.justseethis.com/?utm_source=534c103a66da43fc27000ecf&utm_medium=DNTX&utm_term=software&utm_campaign=US. The second time it went to: http://www.ubcd4win.com/downloads.htm which is the right URL but it's just a page with a domain for sale and a few ads. Any ideas? Also one question. I have an OLD Windows disk that they sent me once when I was having an issue (my computer did not ship with a disk). If I boot from that, is it going to wipe out anything I have (files etc.) or any Windows updates I've loaded since that disc version? Just want to be sure I don't lose anything I can't reload, especially any of the XP security updates. Thanks for the help.

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 05, 2015, 01:23:03 PM
If you have a correct version of Windows XP CD you can run a repair install. Basically it installs over the top; no data, files, music, videos etc. are lost. The only problem would be previous Windows updates will be lost, also no chance of getting those as XP is not supported anymore...

The instructions I give to run FRST via UBCD is maybe the best option for now...

Try this link: http://www.ultimatebootcd.com/ I've tried it, seems to be ok. The previous link was old, hence the problems; never used this fix for XP for a very long time....

Thank you,

Kevin..
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 05, 2015, 08:14:11 PM
Hi kevin,
I was kind of afraid that I was going to lose those XP updates. Is this pretty much the only way to deal with this thing? Last night I was messing around and tried doing that ubcd4win.com site replacing .com with .org and did get to some mirror sites. I downloaded the program from a few but they wouldn't install. Said something about an 'MD5 Hash' problem. Anyway, I did download from the new link. I saved it to my desktop. When I click it, it doesn't give me any options to open or install in a folder. It immediately opens the disc burner and prompts me to burn it to disc. I also see your instructions later on discuss creating an ISO image. The file I downloaded shows as 'ubcd535.iso' so is it possible this is already configured? It's just not matching up with your original instructions. I just want to be sure I'm doing this correctly. Thanks
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 06, 2015, 01:02:49 AM
Thanks for the reply and info, you've downloaded an ISO of UBCD ready to burn, that is not what we're after. We need to d/l, save to desktop the .exe version of UBCD.
Run the .exe to install to the root of C:\ ; that action is the default folder setting. That process is straightforward, just accept each prompt as it appears...
From there we will build a bootable CD containing UBCD and Windows XP (SP1 or SP2 or SP3). It is essential that one of those service packs is on the XP CD; if not we would need to create a new XP CD with a service pack slipstreamed..

The executable version is available at the following link:

http://www.majorgeeks.com/files/details/ubcd4win.html

Apologies regarding the links previously provided, they are quite old and obviously have changed.....

Cheers,

Kevin
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 06, 2015, 02:22:04 AM
Thanks Kevin. Actually, this is one of the sites I downloaded from last night that wouldn't install. I'm going to provide the exact text I got in the windows that opened. But first I wanted to check something. My Windows disc says Microsoft Windows XP Media Center Edition 2005 with Update Rollup 2. Not sure if Update Rollup 2 is same as Service Pack 2. I think they switched to Update vs. SP at some point but I'm not sure. I got the disc about 6 years ago when I had some Windows files bung up. Dell sent it to me. Anyway, here's the info I got when I tried to install:
UBCD4WIN is a large file and it's not entirely uncommon to see an occasional corrupted or incomplete download which eventually results in having to start over later and maybe even a possibility of hairloss. The MD5 Hash of your UBCDWIN download can be verified for you now if you're connected to the internet. Do it?......I clicked yes and got a window with this:  Your download seems to be either corrupted or incomplete and UBCDWIN cannot be built. Please download it again (from a different mirror?) and try again. The MD5 Hash of your download is F83C81B5197F01DFD8CA00764474F453  it should be :<!DOCTYPE.

I actually downloaded and tried to install from 3 different mirrors and got these messages from all 3. Sorry I've got some big mysteries here. Thanks,  Chip
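The installer failure quoted above is a checksum source returning an HTML page ("<!DOCTYPE") instead of a digest, because the project's domain had been parked. The following is an added example (not the UBCD4Win installer's code) of how a download verifier should treat that case: refuse to trust the mirror rather than report a mismatch. The file bytes and the published digest text are constructed inline.

```python
import hashlib
import re

# Expected hex length per algorithm. MD5 is what the thread's installer used;
# SHA-256 is the sensible choice for anything new, MD5 being collision-prone.
HEX_DIGEST_LEN = {"md5": 32, "sha256": 64}


def parse_published_digest(text, algo="md5"):
    """Extract a hex digest from the body fetched from a checksum URL.

    Returns None when the body is not a digest at all. The thread's case is
    a parked domain serving an HTML page, so the 'digest' began with
    '<!DOCTYPE'; any such body must not be compared against the download.
    """
    body = text.strip()
    if body.startswith("<") or "<html" in body.lower():
        return None
    # Also accept the "DIGEST  filename" layout written by md5sum/sha256sum.
    match = re.match(r"^([0-9a-fA-F]{%d})\b" % HEX_DIGEST_LEN[algo], body)
    return match.group(1).lower() if match else None


def verify_download(data, published_text, algo="md5"):
    """Return (ok, reason).

    ok is True only when the published digest parsed cleanly and equals the
    digest of the downloaded bytes; every other outcome is a refusal with a
    reason that tells the user which of the two things went wrong.
    """
    expected = parse_published_digest(published_text, algo)
    if expected is None:
        return False, ("checksum source did not return a digest (HTML or junk); "
                       "the mirror cannot be trusted")
    actual = hashlib.new(algo, data).hexdigest()
    if actual != expected:
        return False, "digest mismatch: download is corrupt, incomplete or altered"
    return True, "digest matches published value"


# Constructed sample inputs (not real UBCD4Win data).
SAMPLE_FILE = b"constructed installer bytes for demonstration only"
GOOD_DIGEST_TEXT = hashlib.md5(SAMPLE_FILE).hexdigest() + "  ubcd4win.exe\n"
PARKED_PAGE_TEXT = "<!DOCTYPE html><html><body>This domain is for sale</body></html>"

if __name__ == "__main__":
    for label, text in (("good mirror", GOOD_DIGEST_TEXT), ("parked domain", PARKED_PAGE_TEXT)):
        ok, reason = verify_download(SAMPLE_FILE, text)
        print(f"{label}: ok={ok} ({reason})")
```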
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 06, 2015, 10:24:41 AM
I've tried all d/l from MajorGeeks myself, tried to install on all versions of Windows from Vista through to Windows 10, I get the same results. I guess that tool needs to be dumped....

As you have access to another PC see if you can create the Windows Defender Offline Tool; I give the instructions to load to a USB flash drive. It can also be run from a CD, just change to that option in the instructions…

Download the tool from here: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit

Run the tool, Windows 7/8 or Vista user right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD2.png)

In the new window accept the agreement:

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD2a.png)

In the new window select your USB Flash Drive, then select "Next"

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD3.png)

In the new window ensure you Flash drive is selected, if not click on "Refresh" then select "Next"

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD3a.png)

In the new window accept the formatting alert by selecting "Next"

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD3b.png)

Files will be Downloaded:

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD4.png)

Files will be processed and created

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD5.png)

Flash drive will be formatted and prepared

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD6.png)

Files will be added to the Flash Drive and the tool will be created.

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD7.png)

The procedure is finished and the Tool created, click on "Finish" to complete.

(http://i121.photobucket.com/albums/o239/kevinf80/Windows%20Defender%20Offline%20tool/WD8.png)

Plug the USB into the sick PC and boot up; if it does not boot from the flash drive change the boot options as required. Use F12 as it boots, change options...
As it boots you'll see files being loaded and the Windows splash screen; eventually the tool will run a "Quick Scan". Follow the prompts and deal with what it finds.
When complete do a full scan, deal with what it finds.
When finished, remove the USB stick then press the Esc key to boot into regular windows.
Navigate to the following file:

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

Open with notepad and copy and paste it into a reply.
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 06, 2015, 07:55:34 PM
Thanks Kevin,

I burned it to a disc (had one sitting here) and used it to boot the bad machine. I couldn't get the disc tray to open until I hit start but I dropped it in pretty fast. Program loaded and it defaulted to the quick scan which ran and found nothing. After that i ran the complete scan and it did find 3 items:
Ransom:win32/reveton.v
Trojan:win32/eyestye.B!CFG
Ransom:win32/TOBFY! mp3

I had it remove the items which it said was completed. ESC to reboot and when it did, the original white screen popped up. I manually shutdown and restarted. This time, the white screen popped up for a second then my full desktop came up (which it has not done since the problem) but only stayed up about 30 seconds and then the white screen came back. I did drop the disc back in, shut down and restarted from the the disc and am running the full scan again. So, something happened but then screen came up again. I'll let you know what the second scan does. Thanks
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 07, 2015, 12:32:54 AM
Hi Kevin,

the second full scan ran and it didn't find anything this time. But when I used ESC to reboot, I ended up with the original problem/white screen with payment text.           
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 07, 2015, 01:40:42 AM
Sorry Kevin. It wouldn't let me edit my previous post. I also wanted to mention that I was trying to open task manager to see if I could end the process. It had been only opening for a second then disappearing but this time it opened during shutdown which kept my desktop up while it was running shutdown. A window popped up saying it was trying to close MBAM (Malwarebytes). I waited to see what would happen so i did nothing and it wouldn't shutdown until I manually clicked end program. Interesting as I hadn't done anything to run it. Well, the very first time I was getting the white screen, I did have time to start a scan before the white screen took over but I have started/shutdown several times since then. I can't imagine it was related to that but did want mention it.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 07, 2015, 01:49:40 AM
If you want to close the current process select Alt - F4 keys together. I'm not sure if the ransom screen is still the issue or not.
This type of infection "Reveton" is usually killed in one shot with Kaspersky 10 rescue CD; it means another tool to create but well worth trying...

Download Kaspersky Rescue Disk (iso) (http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso)


Note : If you do not know how to set your computer to boot from CD/DVD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)

(http://2.bp.blogspot.com/-JBmRvambTqA/UA19J97XvPI/AAAAAAAACmY/kg-JQuEpCv4/s1600/krd5.jpg) If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter



When booted back into Windows navigate > Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run named "ScanObject". Copy/paste that file to your reply.

Thank you,

Kevin..
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 07, 2015, 09:49:03 AM
Thanks Kevin,

Got it burned and ran it. All it found was a minor adware program. Rebooted and right back to the white screen. One thing, when I clicked on the WindowsUnlocker, a black screen opened with a bunch of stuff in it. I believe it was the Unlocker results but, the process only took a second or two so I'm not sure if it ran fully. After I did the scan and rebooted, I shut down but the only way I could do it was to hard shutdown with the power button as all I have is the white screen. I rebooted with the Rescue disc to try it one more time and when it got to the step of mounting the file, it gave me a warning saying the OS was shut down incorrectly and mounting the file may damage the file system. Gave me the option to continue, skip, or restart computer. I assume that last one would be a normal shutdown and reboot so I did it, but at the file mounting step, got the warning again. So, I don't know if that restart computer option executed a normal shutdown or not. Not sure where to go with it now.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 07, 2015, 11:58:27 AM
Can you boot to any of the safe mode options, start the PC and tap on the F8 key... Do you get any options?
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 07, 2015, 12:18:06 PM
Actually no. That's an issue I've had for a couple years. Cannot boot into any safe modes. Never could figure out why. But, I did read that this malware is also known for not being able to boot to safe anyway.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 07, 2015, 01:59:07 PM
If there are no safe mode options available then maybe a repair install of Windows XP is the only option we have left, see if you can understand the following instructions. Also before taking this option be aware that as XP is no longer supported updates are no longer available.....

I don't want you to do a recovery or full install but a repair install, and see if that gets you up and running.

1. Place your XP CD in the tray and re-boot, you should see the following image as it boots:

(http://i121.photobucket.com/albums/o239/kevinf80/xp-setup-0-press-any-key-to.jpg)

When the "Press any key to boot from CD" message is displayed on your screen, press a key to start your computer from the Windows XP CD. If you do not see that image you will have to change the boot order in the BIOS..

2. Press ENTER when you see the message "To setup Windows XP now, and then press ENTER" displayed on the Welcome to Setup screen.

3. Do NOT choose the option to press R to use the Recovery Console.

4. In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.

5. Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.

6. Follow the instructions on the screen to complete Setup.

This will install your OS over the top of the original, No data should be lost that way.

Obviously some updates will be lost, possibly even a full service pack depending on the version of the CD you have...

If necessary we can still get SP3 (Service Pack 3) from here: http://windows.microsoft.com/en-gb/windows/service-packs-download#sptabs=xp

Tell me your thoughts, is this an option you will try?

Thank you,

Kevin...
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 09, 2015, 02:02:56 PM
Hi Kevin.

Sorry it took me a little while to get back to you, had a couple extra work issues come up I had to deal with. Well, I decided that before I ran a repair install, I'd give Kaspersky one more try. So I went to boot from the disc, and of course the first thing I get is the Kaspersky splash screen. But then it clears, and my machine proceeds to finish booting in regular Windows....this time with no white screen. So while I was in, I ran scans with MBAM and with AVG. They found nothing. I did a second normal reboot and it works fine. So, even though I had issues initially with the rescue disc, it must have actually worked. No idea why that initial Win reboot still had the issue, but the second reboot did it. Is there anything else I need to run or possibly pull up any reports you need to look at? I appreciate the help.

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 09, 2015, 02:27:04 PM
Hiya Chip,

Well good news at last, I was surprised when Kaspersky 10 seemed to have failed as I've used it successfully many times against the infection you had.. Probably a good idea to run a couple of diagnostic scans to see what remains on your system...

Download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Next,

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.
Make sure the following options are checked:


Let me see those logs...

Cheers,

Kevin...
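Reading an FRST log by hand means looking for a few entry types that matter far more than the rest. The code below is an added example (not FRST's own code, and not anything posted in this thread) of first-pass triage over FRST output; the sample lines are constructed in the shape of FRST entries, using the kinds of items that appear in the log posted later in the thread (a system proxy on 127.0.0.1, policy restrictions, an extra BootExecute program, an orphaned shell handler).

```python
import re

# Constructed sample lines modelled on FRST output; not a real log.
SAMPLE_FRST_LINES = [
    "ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.",
    "ProxyServer: [.DEFAULT] => http=127.0.0.1:5577",
    r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION",
    "BootExecute: autocheck autochk *  BootDefrag.exe",
    "ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File",
    r"HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)",
    r"Tcpip\Parameters: [DhcpNameServer] 192.168.1.1",
]

LOOPBACK = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
ORPHAN = re.compile(r"=>\s*No File$|\[No File\]")
DEFAULT_BOOTEXECUTE = "autocheck autochk *"


def triage_frst(lines):
    """Return a list of (severity, line, reason) for entries worth a look.

    Severity is 'high', 'medium' or 'info'. Lines that match nothing are
    dropped, so the result is the short list a helper would read first.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ProxyServer:") and LOOPBACK.search(line):
            # A proxy on the local machine means some local process sits
            # between the browser and the network; legitimate software
            # rarely configures this system-wide.
            findings.append(("high", line,
                             "system proxy points at the local machine"))
        elif "<======= ATTENTION" in line:
            # FRST marks these itself; a policy restriction on IE is a
            # common way to block access to help or download sites.
            findings.append(("medium", line, "FRST flagged this entry"))
        elif line.startswith("BootExecute:"):
            extra = line.split(DEFAULT_BOOTEXECUTE)[-1].strip()
            if extra:
                # Anything beyond the default autochk runs before logon.
                findings.append(("medium", line,
                                 f"extra boot-time program: {extra}"))
        elif ORPHAN.search(line):
            # Usually leftovers of uninstalled software, not active code.
            findings.append(("info", line, "entry points at a missing file"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when nothing was flagged."""
    order = {"high": 2, "medium": 1, "info": 0}
    return max((f[0] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for severity, line, reason in triage_frst(SAMPLE_FRST_LINES):
        print(f"[{severity}] {reason}\n    {line}")
    print("worst:", worst_severity(triage_frst(SAMPLE_FRST_LINES)))
```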
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 09, 2015, 02:33:18 PM
Thanks Kevin,

I know Kaspersky is a great program and it kind of surprised me as well. I have used Farbar before. I need to go into work so I'll hit it all tomorrow and get the logs to you. Thanks again.

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 09, 2015, 03:12:55 PM
Thanks for the update, post logs whenever you're ready..... :)
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 09, 2015, 04:44:21 PM
Hi Kevin, had a few minutes. here's the FRST stuff:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:09-08-2015
Ran by Owner (administrator) on OWNER-3904C3CFA (09-08-2015 18:25:22)
Running from C:\Documents and Settings\Owner\desktop
Loaded Profiles: Owner (Available Profiles: Owner & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
(Carbonite, Inc.) C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
() C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
(Sony Corporation) C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgidsagent.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2006-02-09] (ATI Technologies, Inc.)
HKLM\...\Run: [Carbonite Backup] => C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1056976 2014-06-27] (Carbonite, Inc.)
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\Run: [GUDelayStartup] => C:\Program Files\Glary Utilities 5\StartupManager.exe [37152 2014-05-14] (Glarysoft Ltd)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
BootExecute: autocheck autochk *  BootDefrag.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-117609710-1801674531-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:5577
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-117609710-1801674531-725345543-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKU\S-1-5-21-117609710-1801674531-725345543-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files\AVG\AVG2012\avgdtiex.dll [2012-10-15] (AVG Technologies CZ, s.r.o.)
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO: DriveLetterAccess -> {5CA3D70E-1895-11CF-8E15-001234567890} -> C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13] (Sonic Solutions)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-02-26] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-02-26] (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll [2012-03-27] (AVG Technologies CZ, s.r.o.)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{61D028E3-200A-4392-904E-EDE5C5179C05}: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2q7p36am.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-22] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1214154.dll [2014-11-07] (Adobe Systems, Inc.)
FF Plugin: @canon.com/EPPEX -> C:\Program Files\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2011-10-17] (Google)
FF Plugin: @java.com/DTPlugin,version=10.15.2 -> C:\WINDOWS\system32\npDeployJava1.dll [2013-02-26] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.15.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-02-26] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2014-06-04] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [No File]
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll [2014-06-04] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-12-18] (Adobe Systems Inc.)
FF Plugin: nuance.com/DragonRIAPlugin -> C:\PROGRA~1\Nuance\NATURA~1\Program\npDgnRia.dll [2013-10-15] (Nuance Communications Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2012-12-18] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2014-06-04] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll [2012-12-07] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll [2014-06-04] (RealPlayer)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-02-22]
FF HKLM\...\Firefox\Extensions: [jid0-lmZNVK7a82O8cufhdfB9dUDfA2w@jetpack] - C:\Program Files\Nuance\NaturallySpeaking12\Program\ffShim.xpi
FF Extension: Dragon NaturallySpeaking Rich Internet Application Support - C:\Program Files\Nuance\NaturallySpeaking12\Program\ffShim.xpi [2013-10-15]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-06-04]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack
FF Extension: AVG Do Not Track - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack [2012-09-27]
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4 [2012-03-17]
FF HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\Firefox\Extensions: [{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26}] - C:\Documents and Settings\Owner\Local Settings\Application Data\{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26}
FF Extension: Mozilla Safe Browsing - C:\Documents and Settings\Owner\Local Settings\Application Data\{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26} [2012-07-21]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-13]
CHR Extension: (Google Docs) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-13]
CHR Extension: (Google Drive) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-20]
CHR Extension: (YouTube) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-13]
CHR Extension: (Google Search) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-13]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-13]
CHR Extension: (RealDownloader) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2014-10-13]
CHR Extension: (Dragon NaturallySpeaking Rich Internet Application Support) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mikhcaiakabeeokmenglcdebplfdjicn [2014-10-13]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-13]
CHR Extension: (Gmail) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-13]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [mikhcaiakabeeokmenglcdebplfdjicn] - C:\Program Files\Nuance\NaturallySpeaking12\Program\chromeShim.crx [2013-10-15]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
R2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [5058256 2014-06-27] (Carbonite, Inc. (www.carbonite.com))
S3 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [311184 2013-10-15] (Nuance Communications, Inc.)
R2 ehRecvr; C:\WINDOWS\eHome\ehRecvr.exe [194560 2004-08-10] (Microsoft Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [170912 2013-02-26] (Oracle Corporation)
S3 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [395640 2014-05-06] (Eastman Kodak Company)
S3 Kodak AiO Status Monitor Service; C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [780152 2013-12-11] (Eastman Kodak Company)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 MHN; C:\WINDOWS\System32\mhn.dll [85504 2004-08-10] (Microsoft Corporation) [File not signed]
R2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
R2 PMBDeviceInfoProvider; C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [459832 2012-02-15] (Sony Corporation)
S3 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-01-10] (Secunia)
S4 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-01-10] (Secunia)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [25920 1998-11-12] (Adaptec)
R3 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\WINDOWS\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [301920 2012-08-24] (AVG Technologies CZ, s.r.o.)
S3 AX88772; C:\WINDOWS\System32\DRIVERS\ax88772.sys [17920 2004-08-05] (ASIX Electronics Corp.) [File not signed]
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2005-03-22] (Adaptec, Inc.) [File not signed]
R0 drvmcdb; C:\WINDOWS\System32\drivers\drvmcdb.sys [87136 2004-08-04] (Sonic Solutions) [File not signed]
R2 drvnddm; C:\WINDOWS\System32\drivers\drvnddm.sys [40544 2004-08-13] (Sonic Solutions) [File not signed]
R0 GUBootStartup; C:\WINDOWS\System32\drivers\GUBootStartup.sys [17088 2014-05-15] (Glarysoft Ltd)
S3 htcusbnet; C:\WINDOWS\System32\DRIVERS\htcusbnet.sys [128512 2010-12-15] (HTC Corporation)
R3 IntelC51; C:\WINDOWS\System32\DRIVERS\IntelC51.sys [1339776 2005-05-06] (Intel Corporation)
R3 IntelC52; C:\WINDOWS\System32\DRIVERS\IntelC52.sys [618880 2006-03-01] (Intel Corporation)
R3 IntelC53; C:\WINDOWS\System32\DRIVERS\IntelC53.sys [47360 2005-05-06] (Intel Corporation)
R0 Lbd; C:\WINDOWS\System32\DRIVERS\Lbd.sys [64288 2010-07-23] (Lavasoft AB)
R2 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [121560 2015-06-18] (Malwarebytes Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [98520 2015-08-09] (Malwarebytes Corporation)
S3 MHNDRV; C:\WINDOWS\System32\DRIVERS\mhndrv.sys [11008 2004-08-10] (Microsoft Corporation) [File not signed]
R3 mohfilt; C:\WINDOWS\System32\DRIVERS\mohfilt.sys [36880 2005-05-06] (Intel Corporation)
R3 MxlW2k; C:\WINDOWS\system32\Drivers\MxlW2k.sys [28276 2010-09-09] (MusicMatch, Inc.) [File not signed]
R3 P17; C:\WINDOWS\System32\drivers\P17.sys [1127936 2007-06-15] (Creative Technology Ltd.)
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
R1 sscdbhk5; C:\WINDOWS\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions) [File not signed]
R1 ssrtln; C:\WINDOWS\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions) [File not signed]
R2 tfsnboio; C:\WINDOWS\System32\dla\tfsnboio.sys [25723 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsncofs; C:\WINDOWS\System32\dla\tfsncofs.sys [34843 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsndrct; C:\WINDOWS\System32\dla\tfsndrct.sys [4123 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsndres; C:\WINDOWS\System32\dla\tfsndres.sys [2239 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnifs; C:\WINDOWS\System32\dla\tfsnifs.sys [86202 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnopio; C:\WINDOWS\System32\dla\tfsnopio.sys [14715 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnpool; C:\WINDOWS\System32\dla\tfsnpool.sys [6363 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnudf; C:\WINDOWS\System32\dla\tfsnudf.sys [98714 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnudfa; C:\WINDOWS\System32\dla\tfsnudfa.sys [100603 2004-08-13] (Sonic Solutions) [File not signed]
S0 BootDefragDriver; System32\drivers\BootDefragDriver.sys [X]
S0 Cdr4vsd; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-09 18:25 - 2015-08-09 18:26 - 00022703 _____ C:\Documents and Settings\Owner\desktop\FRST.txt
2015-08-09 18:24 - 2015-08-09 18:24 - 01674752 _____ (Farbar) C:\Documents and Settings\Owner\desktop\FRST.exe
2015-08-07 04:14 - 2015-08-07 06:56 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-08-06 20:51 - 2015-08-07 01:34 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2015-07-24 19:01 - 2015-07-24 19:03 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJMIG
2015-07-24 18:59 - 2015-07-24 19:00 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJScan
2015-07-24 18:16 - 2015-07-24 18:16 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Canon Printer
2015-07-24 18:13 - 2015-07-24 18:13 - 00003698 _____ C:\Documents and Settings\Owner\desktop\PSA Passwords.eml
2015-07-24 15:41 - 2015-07-24 15:41 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJFAX
2015-07-24 15:41 - 2012-05-25 09:21 - 00103936 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLU.dll
2015-07-24 15:40 - 2012-09-21 09:33 - 00321024 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLL.dll
2015-07-24 15:40 - 2012-05-25 09:20 - 00263168 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLC.dll
2015-07-24 15:40 - 2012-05-25 09:20 - 00096768 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLI.dll
2015-07-24 15:40 - 2012-05-15 15:58 - 00098048 _____ C:\WINDOWS\system32\CNC176BD.TBL
2015-07-24 15:40 - 2008-08-25 18:02 - 00015872 _____ (CANON INC.) C:\WINDOWS\system32\CNHMCA.dll
2015-07-24 15:39 - 2015-07-24 15:39 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX920 series User Registration
2015-07-24 15:25 - 2015-07-24 15:25 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX920 series Manual
2015-07-24 06:22 - 2015-07-24 06:22 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJEGV
2015-07-24 06:20 - 2015-07-24 06:20 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJQuickMenu
2015-07-24 06:13 - 2015-07-24 06:13 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Canon Easy-WebPrint EX
2015-07-24 06:12 - 2015-07-24 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
2015-07-24 05:59 - 2012-09-21 05:00 - 00258560 _____ (CANON INC.) C:\WINDOWS\system32\CNCALBL.DLL
2015-07-24 05:58 - 2015-07-24 05:58 - 00000000 ___HD C:\Program Files\CanonBJ
2015-07-24 05:58 - 2012-09-20 05:00 - 00315904 _____ (CANON INC.) C:\WINDOWS\system32\CNMLMBL.DLL
2015-07-24 05:57 - 2015-07-24 05:57 - 00000000 ____D C:\WINDOWS\system32\STRING
2015-07-24 05:57 - 2012-07-31 04:47 - 00366592 _____ (CANON INC.) C:\WINDOWS\system32\CNMNPPM.DLL
2015-07-24 05:57 - 2012-07-31 04:47 - 00035840 _____ (CANON INC.) C:\WINDOWS\system32\CNMNPUI.DLL
2015-07-24 05:56 - 2015-07-24 05:56 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJETV
2015-07-20 14:53 - 2015-07-20 14:53 - 00088683 _____ C:\Documents and Settings\Owner\desktop\May 28 Seniority List-1.xlsx
2015-07-17 03:05 - 2012-11-03 14:07 - 00205975 _____ C:\Documents and Settings\Owner\desktop\CooksIllustrated_com Customer Service.mht
2015-07-11 14:29 - 2015-07-11 14:29 - 00000000 __SHD C:\found.001
2015-07-10 23:11 - 2015-07-10 23:13 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Pics Unsorted

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-09 18:26 - 2012-03-17 02:45 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\temp
2015-08-09 18:25 - 2014-07-17 03:58 - 00000000 ____D C:\FRST
2015-08-09 15:43 - 2015-04-08 15:42 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-08-09 15:41 - 2010-05-11 11:29 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-08-09 15:41 - 2010-05-11 11:29 - 00000048 _____ C:\WINDOWS\wiaservc.log
2015-08-09 15:40 - 2010-05-11 15:58 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-08-09 15:39 - 2015-04-08 15:41 - 00000777 _____ C:\Documents and Settings\All Users\desktop\Malwarebytes Anti-Malware.lnk
2015-08-09 15:39 - 2015-04-08 15:41 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-09 15:39 - 2015-04-08 15:41 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-09 15:39 - 2014-09-03 15:23 - 00256596 _____ C:\WINDOWS\WindowsUpdate.log
2015-08-09 15:39 - 2010-05-11 15:58 - 00032648 _____ C:\WINDOWS\SchedLgU.Txt
2015-08-09 15:39 - 2010-05-11 15:58 - 00000178 ___SH C:\Documents and Settings\Owner\ntuser.ini
2015-08-09 07:38 - 2011-04-13 02:18 - 00000000 ____D C:\WINDOWS\system32\Drivers\AVG
2015-08-09 07:05 - 2004-08-10 08:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2015-08-06 21:08 - 2011-06-21 23:07 - 00000000 ____D C:\Documents and Settings\Administrator
2015-08-06 21:08 - 2010-05-11 15:58 - 00000000 ____D C:\Documents and Settings\Owner
2015-08-06 21:08 - 2010-05-11 15:55 - 00000000 __SHD C:\Documents and Settings\NetworkService
2015-08-06 20:52 - 2010-05-11 15:58 - 00000000 __SHD C:\Documents and Settings\LocalService
2015-08-03 12:36 - 2014-05-15 16:35 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\DiskDefrag
2015-07-28 23:00 - 2010-05-11 15:47 - 00000000 ____D C:\WINDOWS\Registration
2015-07-26 16:30 - 2010-05-12 09:08 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\media cbs
2015-07-24 19:00 - 2010-10-21 00:01 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Canon
2015-07-24 16:21 - 2015-03-30 14:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
2015-07-24 16:21 - 2015-01-02 18:08 - 00160136 _____ C:\WINDOWS\setupapi.log
2015-07-24 15:42 - 2010-06-07 11:03 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon Utilities
2015-07-24 15:42 - 2010-06-07 11:00 - 00000000 ____D C:\Program Files\Canon
2015-07-24 15:41 - 2010-05-11 11:20 - 00000000 ____D C:\WINDOWS\twain_32
2015-07-24 15:41 - 2010-05-11 11:20 - 00000000 ____D C:\WINDOWS\Media
2015-07-24 07:13 - 2012-03-17 23:11 - 01907950 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-117609710-1801674531-725345543-1003-0.dat
2015-07-24 07:13 - 2012-03-17 23:11 - 00170798 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-07-23 02:23 - 2015-01-28 04:19 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Aviation
2015-07-22 18:50 - 2010-05-19 13:06 - 00000116 _____ C:\WINDOWS\NeroDigital.ini
2015-07-15 06:15 - 2012-03-19 04:15 - 00000308 _____ C:\Documents and Settings\Owner\My Documents\spider.sav
2015-07-10 23:37 - 2013-01-28 04:36 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Funny Pics

==================== Files in the root of some directories =======

2012-12-04 02:32 - 2012-12-04 02:32 - 0751078 _____ () C:\Documents and Settings\Owner\Application Data\1.bmp
2015-03-17 17:37 - 2015-03-17 17:37 - 0000049 _____ () C:\Documents and Settings\Owner\Application Data\232.txt
2015-03-17 17:36 - 2015-03-17 17:36 - 0000048 _____ () C:\Documents and Settings\Owner\Application Data\292.txt
2015-03-17 17:26 - 2015-03-17 17:36 - 0000003 _____ () C:\Documents and Settings\Owner\Application Data\rgsuseropened.txt
2011-12-16 20:14 - 2011-12-16 20:14 - 0000000 _____ () C:\Documents and Settings\Owner\Application Data\xfFRj.txt
2010-05-19 13:03 - 2015-04-26 00:11 - 0218112 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-23 17:44 - 2013-01-23 17:44 - 0026900 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\dt.dat
2010-07-12 00:53 - 2010-07-12 00:53 - 0000128 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

Some files in TEMP:
====================
C:\Documents and Settings\Owner\Local Settings\temp\MSETUP4.EXE
C:\Documents and Settings\Owner\Local Settings\temp\uninstall.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 09, 2015, 04:47:40 PM
And here's the FSS
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 10, 2015, 02:32:41 PM
Thanks for those logs, before I progress can you clarify one point. Are you aware of the following proxy running in Internet Explorer?

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:5577

Thanks...

Kevin..
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 11, 2015, 04:18:40 AM
Actually, I was not. I pretty much never use IE anyway. Just have it as a backup.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 11, 2015, 03:05:01 PM
Thanks for the update/info. .DEFAULT proxies are often difficult to remove; it is a better option to run a reg fix....

Please follow these instructions carefully:

Open Notepad, check the Format Menu and make sure Word Wrap is NOT selected. Then copy and paste the following from inside the code box to Notepad:

Code:
Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings"=-
"DefaultConnectionSettings"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=-
"ProxyServer"=-


Next, Click on the File Menu, then Save As ... and click on the drop down menu to change the file type to All Files.

Next navigate to your desktop, and enter the file name fixme.reg, and click Save.

You should now find a new file on your desktop named fixme.reg. Double click on fixme.reg. You will get a warning,
agree to the merge, and then a message the file has been merged will immediately pop up.

Then reboot.

Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Please open Malwarebytes Anti-Malware.

'Could not load DDA driver'


To get the log from Malwarebytes do the following:



If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware (http://downloads.malwarebytes.org/file/mbam) to your desktop.
Next,

Download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) by Xplode onto your Desktop.

Next,

Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en (https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en)

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en (https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en)

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

Post those logs, also let me know if there are any remaining issues or concerns...

Thanks,

Kevin....
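As an added example for this thread (not a tool Kevin or chipmeister used, and not part of FRST), the Python script below shows the check a practitioner would run on the two FRST lines quoted above: it parses ProxyEnable/ProxyServer/AutoConfigURL lines, flags any enabled proxy that points at a loopback listener (127.0.0.1:5577 here, i.e. a program on the same machine sitting between the browser and the network) or that lives in HKU\.DEFAULT (the profile the SYSTEM account uses, where nobody sets a proxy through the IE dialog), and prints a .reg fix of the same shape as the one above for each flagged hive. The sample lines are constructed: the two .DEFAULT lines are the ones from the log, and the per-user SID entry pointing at proxy.corp.example:8080 is invented to show a proxy that is not flagged. The generated .reg also deletes AutoConfigURL, which the posted fix does not touch; that is my addition, since a PAC URL is another way the same redirect can be put back.

```python
"""Audit FRST proxy lines for a hijacked Internet Explorer proxy.

Added example for this thread, not FRST's own code. Constructed sample input.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the two lines quoted in the thread, plus an invented
# per-user entry with a plausible corporate proxy that should NOT be flagged.
SAMPLE_FRST_LINES = [
    "ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.",
    "ProxyServer: [.DEFAULT] => http=127.0.0.1:5577",
    "ProxyEnable: [S-1-5-21-117609710-1801674531-725345543-1003] => Internet Explorer proxy is enabled.",
    "ProxyServer: [S-1-5-21-117609710-1801674531-725345543-1003] => proxy.corp.example:8080",
]

# FRST prints: "<Key>: [<hive>] => <value>", hive is .DEFAULT or a user SID.
PROXY_LINE = re.compile(
    r"^(?P<key>ProxyEnable|ProxyServer|AutoConfigURL):\s*\[(?P<hive>[^\]]+)\]\s*=>\s*(?P<value>.*)$"
)
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


@dataclass
class ProxyFinding:
    hive: str                     # ".DEFAULT" or a SID, exactly as FRST prints it
    enabled: bool = False
    servers: Dict[str, str] = field(default_factory=dict)   # scheme -> host:port
    autoconfig: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def parse_proxy_servers(value: str) -> Dict[str, str]:
    """Split 'http=h:p;https=h:p' or a bare 'h:p' ('*' means all protocols)."""
    servers: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.partition("=")
        if not hostport:                      # no '=': whole part is the host:port
            scheme, hostport = "*", scheme
        servers[scheme.lower()] = hostport
    return servers


def is_loopback(hostport: str) -> bool:
    """True when host:port names the local machine (127.x.x.x, ::1, localhost)."""
    if hostport.startswith("["):              # [v6]:port
        host = hostport[1:hostport.find("]")]
    elif hostport.count(":") == 1:            # host:port
        host = hostport.split(":", 1)[0]
    else:                                     # bare host, or bare IPv6 with no port
        host = hostport
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                        # a hostname, not an address
        return False


def parse_frst_proxy_lines(lines) -> Dict[str, ProxyFinding]:
    """Group the proxy lines by hive."""
    findings: Dict[str, ProxyFinding] = {}
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        f = findings.setdefault(m["hive"], ProxyFinding(hive=m["hive"]))
        key, value = m["key"], m["value"].strip()
        if key == "ProxyEnable":
            f.enabled = "is enabled" in value.lower()
        elif key == "ProxyServer":
            f.servers = parse_proxy_servers(value)
        else:
            f.autoconfig = value
    return findings


def flag_suspicious(findings: Dict[str, ProxyFinding]) -> List[ProxyFinding]:
    """Attach reasons and return the hives worth asking the user about."""
    flagged = []
    for f in findings.values():
        f.reasons = []
        if not f.enabled and not f.autoconfig:
            continue
        if f.hive.upper() == ".DEFAULT":      # SYSTEM profile: never set through the IE dialog
            f.reasons.append("proxy set in HKU\\.DEFAULT (SYSTEM profile), not a user's own setting")
        for scheme, hostport in f.servers.items():
            if is_loopback(hostport):
                f.reasons.append(f"{scheme} proxy {hostport} points at a listener on this machine")
        if f.autoconfig:
            f.reasons.append(f"AutoConfigURL (PAC) set: {f.autoconfig}")
        if f.reasons:
            flagged.append(f)
    return flagged


def reg_fix_for(hive: str) -> str:
    """.reg text deleting the proxy values for one HKU hive (the posted fix, plus AutoConfigURL)."""
    base = f"HKEY_USERS\\{hive}\\{INTERNET_SETTINGS}"
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{base}\\Connections]", '"SavedLegacySettings"=-', '"DefaultConnectionSettings"=-', "",
        f"[{base}]", '"ProxyEnable"=-', '"ProxyServer"=-', '"AutoConfigURL"=-', "",
    ])


if __name__ == "__main__":
    for finding in flag_suspicious(parse_frst_proxy_lines(SAMPLE_FRST_LINES)):
        print(f"[{finding.hive}] " + "; ".join(finding.reasons))
        print(reg_fix_for(finding.hive))
```

Run it against the Internet section of a real FRST.txt by reading the file into a list of lines in place of SAMPLE_FRST_LINES. A hive is reported only when its proxy is enabled (or a PAC URL is set) and there is a concrete reason, so a normal per-user corporate proxy stays quiet while the .DEFAULT loopback entry from this thread is reported with two reasons.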
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 12, 2015, 02:38:00 PM
Thanks Kevin. I have had Malwarebytes Premium and AVG on my system for some time. Granted, one part of the MBAM active protection is not functioning (MBAM is still trying to figure out why). Anyway, I'll get to all this and get back to you as soon as I do. Thanks.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 12, 2015, 03:37:17 PM
Thanks for the update, if you have trouble with Malwarebytes go for a clean install, full instructions at the following link:

https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/ (https://forums.malwarebytes.org/index.php?/topic/146017-mbam-clean-removal-process-2x/)

Thanks....
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 12, 2015, 04:02:45 PM
Thanks Kevin, I had a few minutes to get started and I have a few questions. I'm not clear what I'm supposed to do on the desktop. I was able to paste the text into Notepad, change file type to All Files and save it to the desktop. But when I double click, I get no messages about merging. Re-reading it, it looks before that you want me to enter a file name on the desktop. But I can't do that without having someplace/something to assign it to, such as a new folder. And am I saving that Notepad file directly to the desktop? I'm a bit confused, although that's not hard to do. Thanks,

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 12, 2015, 04:51:37 PM
I`ve made up and attached the file for you; it is a zip file, "fixme.zip". Extract that zip file to your Desktop; it will now be named "fixme.reg".
Double click on that file and agree to the merge; a message that the file has been merged will immediately pop up.
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 13, 2015, 02:27:38 AM
Thanks Kevin,

I extracted it and it automatically put the extracted file in a folder on the desktop. I double clicked the file in the folder and it asked me if I wanted to add the information to the registry (nothing about merging). Is that the same thing?
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 13, 2015, 08:11:38 AM
Do not save to a folder, save direct to the Desktop, double click the reg file to run, accept what is prompted.

Cheers....


Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 13, 2015, 10:25:48 AM
Thanks, sorry to be a pain. That's just how it opened. Now to be a bigger pain, can you send me that attachment one more time? For some reason, it won't open from the thread. Thanks.

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 13, 2015, 12:51:47 PM
You`re not being a pain, zip file attached for you....
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 14, 2015, 01:11:42 AM
Thanks Kevin,
Okay, no matter how I try to transfer it from the thread, it shows up on my desktop as a folder titled fixme.zip. When I open the folder, inside is a file fixme.reg. So I dragged that to my desktop. Double clicking it gives me a window asking me if I want to add the information c:\documents and settings\owner\desktop\fixme.reg to the registry. However, if I right click it, a dropdown menu opens with Merge as the only item in bold at the top. If I click it, I get that same window about adding the information. If I click Yes, it says it has been successfully added to the registry. Is there a chance that's what we wanted to do, only via a slightly different method? Thanks.

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 14, 2015, 01:56:57 AM
Actually, I think that fixme.zip folder is how my system moved zipped files. I got rid of my old unzipping program and am not too familiar with the new one yet. So I assume the fixme.reg is the thing we want. I didn't do anything to unzip it. Just did what I described above.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 14, 2015, 06:07:22 AM
Hiya Chips,

Continue on with the rest of the steps, we can check on the reg fix later.

Thank you,

Kevin
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 15, 2015, 01:26:59 AM
Hi Kevin,
Here is some of what I got. First, the MBAM log is pasted here and the fixlog.text is attached. I'll get to the rest shortly. Thanks.

Chip

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/14/2015
Scan Time: 9:02:26 PM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.14.06
Rootkit Database: v2015.08.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Disabled
Self-protection: Enabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 364585
Time Elapsed: 47 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 15, 2015, 07:09:19 AM
Thanks for the logs/update...
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 15, 2015, 09:22:51 PM
Hi Kevin: Here's the AdwCleaner and JRT logs. I tried to run the Windows tool as administrator. I actually had to right click through a few menus to get to it as it did come up with the administrator option initially. Unfortunately, it needs a password and to be honest, I probably haven't logged in as administrator for a number of years so I do not have that password handy. I'll see if I can find it. Thanks.

# AdwCleaner v5.000 - Logfile created 15/08/2015 at 21:38:43
# Updated 14/08/2015 by Xplode
# Database : 2015-08-15.1 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Owner - OWNER-3904C3CFA
# Running from : C:\Documents and Settings\Owner\desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Documents and Settings\Owner\Application Data\FoxTab
[-] Folder Deleted : C:\Program Files\FoxTab

***** [ Files ] *****

[-] File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\yahoo.xml
[-] File Deleted : C:\Program Files\Pale Moon\browser\searchplugins\yahoo.xml

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key Deleted : HKU\.DEFAULT\Software\IGearSettings

***** [ Web browsers ] *****

[-] [C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: Proxy settings cleared
:: Winsock settings cleared

*************************

C:\AdwCleaner[C2].txt - [1550 octets] - [15/08/2015 21:38:43]
C:\AdwCleaner[S2].txt - [1537 octets] - [15/08/2015 21:33:56]

########## EOF - C:\AdwCleaner[C2].txt - [1676 octets] ##########





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.6 (08.10.2015:1)
OS: Microsoft Windows XP x86
Ran by Owner on Sat 08/15/2015 at 21:48:49.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Documents and Settings\Owner\Application Data\mozilla\firefox\profiles\2q7p36am.default\minidumps [9 files]



~~~ Chrome


[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 08/15/2015 at 21:55:51.76
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 16, 2015, 01:26:59 AM
There will probably be no need to select "run as administrator" for XP, just double click on MRST. I do not see XP systems much at all nowadays, hence my c/r's are set for Windows 7, 8, 8.1 and 10....

Thank you,

Kevin...
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 16, 2015, 02:05:38 AM
Hi Kevin,

Yes, I know XP is a dinosaur. In the near future I'm going to be replacing the machine and getting a new OS. Tough though because I do like the interface. Anyway, below is the Microsoft tool scan result. Enjoy your morning.

Chip
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.27, August 2015 (build 5.27.11700.0)
Started On Sun Aug 16 03:44:01 2015

Engine: 1.1.11903.0
Signatures: 1.203.693.0

Results Summary:
----------------
No infection found.
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 16, 2015, 03:33:01 AM
Thanks for logs/update, continue please:

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan, and when done post the two logs....

If these logs are clean I guess we can clean up, obviously if there are any remaining issues or concerns please let me know....

Cheers,

Kevin...
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 17, 2015, 02:55:41 AM
O.K. Kevin, here you go. Hope we're clear. Thanks again,

Chip


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:16-08-2015
Ran by Owner (administrator) on OWNER-3904C3CFA (17-08-2015 04:49:29)
Running from C:\Documents and Settings\Owner\desktop
Loaded Profiles: Owner (Available Profiles: Owner & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Carbonite, Inc.) C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
(Sony Corporation) C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgidsagent.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Microsoft Corporation) C:\Program Files\Outlook Express\msimn.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [344064 2006-02-09] (ATI Technologies, Inc.)
HKLM\...\Run: [Carbonite Backup] => C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [1056976 2014-06-27] (Carbonite, Inc.)
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\Run: [GUDelayStartup] => C:\Program Files\Glary Utilities 5\StartupManager.exe [37152 2014-05-14] (Glarysoft Ltd)
ShellIconOverlayIdentifiers: [Carbonite.Green] -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Partial] -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
ShellIconOverlayIdentifiers: [Carbonite.Yellow] -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll [2014-06-27] (Carbonite, Inc.)
BootExecute: autocheck autochk *  BootDefrag.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

SearchScopes: HKU\S-1-5-21-117609710-1801674531-725345543-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
SearchScopes: HKU\S-1-5-21-117609710-1801674531-725345543-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files\AVG\AVG2012\avgdtiex.dll [2012-10-15] (AVG Technologies CZ, s.r.o.)
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2015-02-23] (CANON INC.)
BHO: DriveLetterAccess -> {5CA3D70E-1895-11CF-8E15-001234567890} -> C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13] (Sonic Solutions)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-02-26] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-02-26] (Oracle Corporation)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2015-02-23] (CANON INC.)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll [2012-03-27] (AVG Technologies CZ, s.r.o.)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{61D028E3-200A-4392-904E-EDE5C5179C05}: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2q7p36am.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-22] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1214154.dll [2014-11-07] (Adobe Systems, Inc.)
FF Plugin: @canon.com/EPPEX -> C:\Program Files\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2011-10-17] (Google)
FF Plugin: @java.com/DTPlugin,version=10.15.2 -> C:\WINDOWS\system32\npDeployJava1.dll [2013-02-26] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.15.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-02-26] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2014-06-04] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [2013-08-14] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [No File]
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll [2014-06-04] (RealPlayer)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [2013-08-14] (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-12-18] (Adobe Systems Inc.)
FF Plugin: nuance.com/DragonRIAPlugin -> C:\PROGRA~1\Nuance\NATURA~1\Program\npDgnRia.dll [2013-10-15] (Nuance Communications Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2012-12-18] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2014-06-04] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2014-01-17] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll [2012-12-07] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll [2014-06-04] (RealPlayer)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-02-22]
FF HKLM\...\Firefox\Extensions: [jid0-lmZNVK7a82O8cufhdfB9dUDfA2w@jetpack] - C:\Program Files\Nuance\NaturallySpeaking12\Program\ffShim.xpi
FF Extension: Dragon NaturallySpeaking Rich Internet Application Support - C:\Program Files\Nuance\NaturallySpeaking12\Program\ffShim.xpi [2013-10-15]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-06-04]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack
FF Extension: AVG Do Not Track - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack [2012-09-27]
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4 [2012-03-17]
FF HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\Firefox\Extensions: [{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26}] - C:\Documents and Settings\Owner\Local Settings\Application Data\{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26}
FF Extension: Mozilla Safe Browsing - C:\Documents and Settings\Owner\Local Settings\Application Data\{BF1E8C08-D2E9-11E1-8270-B8AC6F996F26} [2012-07-21]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-13]
CHR Extension: (Google Docs) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-13]
CHR Extension: (Google Drive) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-13]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-20]
CHR Extension: (YouTube) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-13]
CHR Extension: (Google Search) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-13]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-13]
CHR Extension: (RealDownloader) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2014-10-13]
CHR Extension: (Dragon NaturallySpeaking Rich Internet Application Support) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mikhcaiakabeeokmenglcdebplfdjicn [2014-10-13]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-13]
CHR Extension: (Gmail) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-13]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [mikhcaiakabeeokmenglcdebplfdjicn] - C:\Program Files\Nuance\NaturallySpeaking12\Program\chromeShim.crx [2013-10-15]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [5174392 2012-11-02] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
R2 CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [5058256 2014-06-27] (Carbonite, Inc. (www.carbonite.com))
S3 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [311184 2013-10-15] (Nuance Communications, Inc.)
R2 ehRecvr; C:\WINDOWS\eHome\ehRecvr.exe [194560 2004-08-10] (Microsoft Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [170912 2013-02-26] (Oracle Corporation)
S3 Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe [395640 2014-05-06] (Eastman Kodak Company)
S3 Kodak AiO Status Monitor Service; C:\Program Files\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe [780152 2013-12-11] (Eastman Kodak Company)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 MHN; C:\WINDOWS\System32\mhn.dll [85504 2004-08-10] (Microsoft Corporation) [File not signed]
R2 PassThru Service; C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
R2 PMBDeviceInfoProvider; C:\Program Files\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [459832 2012-02-15] (Sony Corporation)
S3 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-01-10] (Secunia)
S4 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-01-10] (Secunia)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [25920 1998-11-12] (Adaptec)
R3 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\WINDOWS\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [301920 2012-08-24] (AVG Technologies CZ, s.r.o.)
S3 AX88772; C:\WINDOWS\System32\DRIVERS\ax88772.sys [17920 2004-08-05] (ASIX Electronics Corp.) [File not signed]
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2005-03-22] (Adaptec, Inc.) [File not signed]
R0 drvmcdb; C:\WINDOWS\System32\drivers\drvmcdb.sys [87136 2004-08-04] (Sonic Solutions) [File not signed]
R2 drvnddm; C:\WINDOWS\System32\drivers\drvnddm.sys [40544 2004-08-13] (Sonic Solutions) [File not signed]
R0 GUBootStartup; C:\WINDOWS\System32\drivers\GUBootStartup.sys [17088 2014-05-15] (Glarysoft Ltd)
S3 htcusbnet; C:\WINDOWS\System32\DRIVERS\htcusbnet.sys [128512 2010-12-15] (HTC Corporation)
R3 IntelC51; C:\WINDOWS\System32\DRIVERS\IntelC51.sys [1339776 2005-05-06] (Intel Corporation)
R3 IntelC52; C:\WINDOWS\System32\DRIVERS\IntelC52.sys [618880 2006-03-01] (Intel Corporation)
R3 IntelC53; C:\WINDOWS\System32\DRIVERS\IntelC53.sys [47360 2005-05-06] (Intel Corporation)
R2 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [121560 2015-06-18] (Malwarebytes Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [98520 2015-08-17] (Malwarebytes Corporation)
S3 MHNDRV; C:\WINDOWS\System32\DRIVERS\mhndrv.sys [11008 2004-08-10] (Microsoft Corporation) [File not signed]
R3 mohfilt; C:\WINDOWS\System32\DRIVERS\mohfilt.sys [36880 2005-05-06] (Intel Corporation)
R3 MxlW2k; C:\WINDOWS\system32\Drivers\MxlW2k.sys [28276 2010-09-09] (MusicMatch, Inc.) [File not signed]
R3 P17; C:\WINDOWS\System32\drivers\P17.sys [1127936 2007-06-15] (Creative Technology Ltd.)
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
R1 sscdbhk5; C:\WINDOWS\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions) [File not signed]
R1 ssrtln; C:\WINDOWS\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions) [File not signed]
R2 tfsnboio; C:\WINDOWS\System32\dla\tfsnboio.sys [25723 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsncofs; C:\WINDOWS\System32\dla\tfsncofs.sys [34843 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsndrct; C:\WINDOWS\System32\dla\tfsndrct.sys [4123 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsndres; C:\WINDOWS\System32\dla\tfsndres.sys [2239 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnifs; C:\WINDOWS\System32\dla\tfsnifs.sys [86202 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnopio; C:\WINDOWS\System32\dla\tfsnopio.sys [14715 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnpool; C:\WINDOWS\System32\dla\tfsnpool.sys [6363 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnudf; C:\WINDOWS\System32\dla\tfsnudf.sys [98714 2004-08-13] (Sonic Solutions) [File not signed]
R2 tfsnudfa; C:\WINDOWS\System32\dla\tfsnudfa.sys [100603 2004-08-13] (Sonic Solutions) [File not signed]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

NETSVC: MHN -> C:\Windows\System32\mhn.dll (Microsoft Corporation)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-17 04:49 - 2015-08-17 04:50 - 00022081 _____ C:\Documents and Settings\Owner\desktop\FRST.txt
2015-08-15 21:55 - 2015-08-15 21:55 - 00001358 _____ C:\Documents and Settings\Owner\desktop\JRT.txt
2015-08-15 21:42 - 2015-08-15 21:42 - 00001745 _____ C:\Documents and Settings\Owner\desktop\AdwCleaner[C2].txt
2015-08-15 21:38 - 2015-08-15 21:38 - 00001745 _____ C:\AdwCleaner[C2].txt
2015-08-15 21:33 - 2015-08-15 21:36 - 00001537 _____ C:\AdwCleaner[S2].txt
2015-08-15 21:20 - 2015-08-15 21:21 - 50075360 _____ (Microsoft Corporation) C:\Documents and Settings\Owner\desktop\Windows-KB890830-V5.27.exe
2015-08-15 21:19 - 2015-08-15 21:19 - 01563648 _____ C:\Documents and Settings\Owner\desktop\AdwCleaner.exe
2015-08-15 21:17 - 2015-08-15 21:17 - 01791580 _____ (Malwarebytes Corporation) C:\Documents and Settings\Owner\desktop\JRT.exe
2015-08-14 16:01 - 2015-08-17 04:48 - 00000000 ____D C:\Documents and Settings\Owner\desktop\FRST-OlderVersion
2015-08-14 03:02 - 2015-08-12 23:46 - 00000308 _____ C:\Documents and Settings\Owner\desktop\fixme.reg
2015-08-09 18:47 - 2015-08-09 18:47 - 00002628 _____ C:\Documents and Settings\Owner\desktop\FSS.txt
2015-08-09 18:46 - 2015-08-09 18:46 - 00899072 _____ (Farbar) C:\Documents and Settings\Owner\desktop\FSS.exe
2015-08-09 18:38 - 2015-08-17 04:49 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Virus Aug 2015
2015-08-09 18:24 - 2015-08-17 04:48 - 01676800 _____ (Farbar) C:\Documents and Settings\Owner\desktop\FRST.exe
2015-08-07 04:14 - 2015-08-07 06:56 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2015-08-06 20:51 - 2015-08-07 01:34 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2015-07-24 19:01 - 2015-07-24 19:03 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJMIG
2015-07-24 18:59 - 2015-07-24 19:00 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJScan
2015-07-24 18:16 - 2015-07-24 18:16 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Canon Printer
2015-07-24 18:13 - 2015-07-24 18:13 - 00003698 _____ C:\Documents and Settings\Owner\desktop\PSA Passwords.eml
2015-07-24 15:41 - 2015-07-24 15:41 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJFAX
2015-07-24 15:41 - 2012-05-25 09:21 - 00103936 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLU.dll
2015-07-24 15:40 - 2012-09-21 09:33 - 00321024 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLL.dll
2015-07-24 15:40 - 2012-05-25 09:20 - 00263168 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLC.dll
2015-07-24 15:40 - 2012-05-25 09:20 - 00096768 _____ (CANON INC.) C:\WINDOWS\system32\CNC_BLI.dll
2015-07-24 15:40 - 2012-05-15 15:58 - 00098048 _____ C:\WINDOWS\system32\CNC176BD.TBL
2015-07-24 15:40 - 2008-08-25 18:02 - 00015872 _____ (CANON INC.) C:\WINDOWS\system32\CNHMCA.dll
2015-07-24 15:39 - 2015-07-24 15:39 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX920 series User Registration
2015-07-24 15:25 - 2015-07-24 15:25 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon MX920 series Manual
2015-07-24 06:22 - 2015-07-24 06:22 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJEGV
2015-07-24 06:20 - 2015-07-24 06:20 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJQuickMenu
2015-07-24 06:13 - 2015-07-24 06:13 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Canon Easy-WebPrint EX
2015-07-24 06:12 - 2015-07-24 15:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CanonIJWSpt
2015-07-24 05:59 - 2012-09-21 05:00 - 00258560 _____ (CANON INC.) C:\WINDOWS\system32\CNCALBL.DLL
2015-07-24 05:58 - 2015-07-24 05:58 - 00000000 ___HD C:\Program Files\CanonBJ
2015-07-24 05:58 - 2012-09-20 05:00 - 00315904 _____ (CANON INC.) C:\WINDOWS\system32\CNMLMBL.DLL
2015-07-24 05:57 - 2015-07-24 05:57 - 00000000 ____D C:\WINDOWS\system32\STRING
2015-07-24 05:57 - 2012-07-31 04:47 - 00366592 _____ (CANON INC.) C:\WINDOWS\system32\CNMNPPM.DLL
2015-07-24 05:57 - 2012-07-31 04:47 - 00035840 _____ (CANON INC.) C:\WINDOWS\system32\CNMNPUI.DLL
2015-07-24 05:56 - 2015-07-24 05:56 - 00000000 ___HD C:\Documents and Settings\All Users\Application Data\CanonIJETV
2015-07-20 14:53 - 2015-07-20 14:53 - 00088683 _____ C:\Documents and Settings\Owner\desktop\May 28 Seniority List-1.xlsx

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-17 04:50 - 2014-07-17 03:58 - 00000000 ____D C:\FRST
2015-08-17 04:50 - 2012-03-17 02:45 - 00000000 ____D C:\Documents and Settings\Owner\Local Settings\temp
2015-08-17 04:30 - 2015-04-08 15:42 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-08-17 04:29 - 2010-05-11 15:58 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-08-17 04:29 - 2010-05-11 11:29 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-08-17 04:29 - 2010-05-11 11:29 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-08-17 04:29 - 2004-08-10 08:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2015-08-16 04:06 - 2014-09-03 15:23 - 00264944 _____ C:\WINDOWS\WindowsUpdate.log
2015-08-16 04:06 - 2010-05-11 15:58 - 00032648 _____ C:\WINDOWS\SchedLgU.Txt
2015-08-16 04:06 - 2010-05-11 15:58 - 00000178 ___SH C:\Documents and Settings\Owner\ntuser.ini
2015-08-15 23:24 - 2010-05-11 15:47 - 00000000 ____D C:\WINDOWS\Registration
2015-08-15 21:38 - 2014-07-21 16:43 - 00000000 ____D C:\AdwCleaner
2015-08-14 16:01 - 2012-03-17 02:45 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\temp
2015-08-14 04:07 - 2010-10-28 14:20 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\Realplayer Vids and Audio
2015-08-14 04:06 - 2010-05-12 09:34 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\Political
2015-08-13 06:03 - 2010-05-11 15:58 - 00000000 ____D C:\Documents and Settings\Owner
2015-08-13 04:23 - 2015-05-26 02:27 - 00000000 ____D C:\Documents and Settings\Owner\desktop\PSA
2015-08-09 15:39 - 2015-04-08 15:41 - 00000777 _____ C:\Documents and Settings\All Users\desktop\Malwarebytes Anti-Malware.lnk
2015-08-09 15:39 - 2015-04-08 15:41 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-09 15:39 - 2015-04-08 15:41 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-09 07:38 - 2011-04-13 02:18 - 00000000 ____D C:\WINDOWS\system32\Drivers\AVG
2015-08-06 21:08 - 2011-06-21 23:07 - 00000000 ____D C:\Documents and Settings\Administrator
2015-08-06 21:08 - 2010-05-11 15:55 - 00000000 __SHD C:\Documents and Settings\NetworkService
2015-08-06 20:52 - 2010-05-11 15:58 - 00000000 __SHD C:\Documents and Settings\LocalService
2015-08-03 12:36 - 2014-05-15 16:35 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\DiskDefrag
2015-07-28 11:01 - 2010-05-11 17:04 - 129304528 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-07-26 16:30 - 2010-05-12 09:08 - 00000000 ____D C:\Documents and Settings\Owner\My Documents\media cbs
2015-07-24 19:00 - 2010-10-21 00:01 - 00000000 ____D C:\Documents and Settings\Owner\Application Data\Canon
2015-07-24 16:21 - 2015-03-30 14:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
2015-07-24 16:21 - 2015-01-02 18:08 - 00160136 _____ C:\WINDOWS\setupapi.log
2015-07-24 15:42 - 2010-06-07 11:03 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon Utilities
2015-07-24 15:42 - 2010-06-07 11:00 - 00000000 ____D C:\Program Files\Canon
2015-07-24 15:41 - 2010-05-11 11:20 - 00000000 ____D C:\WINDOWS\twain_32
2015-07-24 15:41 - 2010-05-11 11:20 - 00000000 ____D C:\WINDOWS\Media
2015-07-24 07:13 - 2012-03-17 23:11 - 01907950 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-117609710-1801674531-725345543-1003-0.dat
2015-07-24 07:13 - 2012-03-17 23:11 - 00170798 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-07-23 02:23 - 2015-01-28 04:19 - 00000000 ____D C:\Documents and Settings\Owner\desktop\Aviation
2015-07-22 18:50 - 2010-05-19 13:06 - 00000116 _____ C:\WINDOWS\NeroDigital.ini

==================== Files in the root of some directories =======

2012-12-04 02:32 - 2012-12-04 02:32 - 0751078 _____ () C:\Documents and Settings\Owner\Application Data\1.bmp
2015-03-17 17:37 - 2015-03-17 17:37 - 0000049 _____ () C:\Documents and Settings\Owner\Application Data\232.txt
2015-03-17 17:36 - 2015-03-17 17:36 - 0000048 _____ () C:\Documents and Settings\Owner\Application Data\292.txt
2015-03-17 17:26 - 2015-03-17 17:36 - 0000003 _____ () C:\Documents and Settings\Owner\Application Data\rgsuseropened.txt
2011-12-16 20:14 - 2011-12-16 20:14 - 0000000 _____ () C:\Documents and Settings\Owner\Application Data\xfFRj.txt
2010-05-19 13:03 - 2015-04-26 00:11 - 0218112 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-23 17:44 - 2013-01-23 17:44 - 0026900 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\dt.dat
2010-07-12 00:53 - 2010-07-12 00:53 - 0000128 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat

Some files in TEMP:
====================
C:\Documents and Settings\Owner\Local Settings\temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================




Additional scan result of Farbar Recovery Scan Tool (x86) Version:16-08-2015
Ran by Owner (2015-08-17 04:51:50)
Running from C:\Documents and Settings\Owner\desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-117609710-1801674531-725345543-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-117609710-1801674531-725345543-1007 - Limited - Enabled)
Guest (S-1-5-21-117609710-1801674531-725345543-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-117609710-1801674531-725345543-1000 - Limited - Disabled)
Owner (S-1-5-21-117609710-1801674531-725345543-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Owner
SUPPORT_388945a0 (S-1-5-21-117609710-1801674531-725345543-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG Anti-Virus Free Edition 2012 (Enabled - Out of date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
AC3Filter 1.63b (HKLM\...\AC3Filter_is1) (Version: 1.63b - Alexander Vigovsky)
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.1.0.0 - Adobe Systems Incorporated)
Acrobat.com (Version: 2.1.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.5.0.880 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.01) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.01 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.4.154 - Adobe Systems, Inc.)
aioscnnr (Version: 7.6.13.10 - Your Company Name) Hidden
Apple Application Support (HKLM\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
ArcSoft PhotoImpression 4 (HKLM\...\{68D5CEF9-0DA8-47FE-B0EB-4CBFB5AAF662}) (Version:  - )
ArcSoft PhotoStudio 5.5 (HKLM\...\{85309D89-7BE9-4094-BB17-24999C6118FC}) (Version:  - ArcSoft)
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1014 - )
ATI Control Panel (HKLM\...\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}) (Version: 6.14.10.5183 - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.23-060209a1-030546C-Dell - )
AVG 2012 (HKLM\...\AVG) (Version: 2012.1.2240 - AVG Technologies)
AVG 2012 (Version: 12.0.2221 - AVG Technologies) Hidden
AVG 2012 (Version: 12.0.4311 - AVG Technologies) Hidden
AVG 2012 (Version: 12.1.2240 - AVG Technologies) Hidden
Broadcom Gigabit Integrated Controller (Version: 7.53.02 - Broadcom) Hidden
Canon Easy-WebPrint EX (HKLM\...\Easy-WebPrint EX) (Version: 1.6.0.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MP Navigator 2.0 (HKLM\...\MP Navigator 2.0) (Version:  - )
Canon MP950 (HKLM\...\{00DD3B64-74A4-4be7-BAC4-934499C5E34C}) (Version:  - )
Canon MX920 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX920_series) (Version: 1.00 - Canon Inc.)
Canon MX920 series On-screen Manual (HKLM\...\Canon MX920 series On-screen Manual) (Version: 7.6.0 - Canon Inc.)
Canon MX920 series User Registration (HKLM\...\Canon MX920 series User Registration) (Version:  - Canon Inc.)
Canon My Image Garden (HKLM\...\Canon My Image Garden) (Version: 1.1.2 - Canon Inc.)
Canon My Image Garden Design Files (HKLM\...\Canon My Image Garden Design Files) (Version: 1.0.1 - Canon Inc.)
Canon My Printer (HKLM\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
Canon Quick Menu (HKLM\...\CanonQuickMenu) (Version: 2.1.0 - Canon Inc.)
Canon Speed Dial Utility (HKLM\...\Speed Dial Utility) (Version: 1.3.0 - Canon Inc.)
Canon Utilities Easy-PhotoPrint (HKLM\...\Easy-PhotoPrint) (Version:  - )
Carbonite (HKLM\...\Carbonite Backup) (Version: 5.5.5 build 4151  (Jun-27-2014) - Carbonite)
CardRecovery 5.30 (HKLM\...\{88D68A69-D247-466B-90DD-575F6BE16230}_is1) (Version:  - WinRecovery Software)
CCleaner (HKLM\...\CCleaner) (Version: 4.14 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CoolUtils Mail Viewer (HKLM\...\CoolUtils Mail Viewer_is1) (Version: 2.5 - Softplicity, Inc.)
Dragon NaturallySpeaking 12 (HKLM\...\{D5D422B9-6976-4E98-8DDF-9632CB515D7E}) (Version: 12.50.000 - Nuance Communications Inc.)
Easy-WebPrint (HKLM\...\Easy-WebPrint) (Version:  - )
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
essentials (Version: 7.8.0.0 - Eastman Kodak Company) Hidden
FLV to AVI WMV MPEG Free Converter 3.2.60 (HKLM\...\FLV to AVI WMV MPEG Free Converter_is1) (Version:  - )
Glary Utilities 5.0 (HKLM\...\Glary Utilities 5) (Version: 5.0.0.1 - Glarysoft Ltd)
GoldWave v5.56 (HKLM\...\GoldWave v5.56) (Version:  - )
Golf 2003 (HKLM\...\Golf 2003) (Version:  - )
Google Chrome (HKLM\...\Google Chrome) (Version: 40.0.2214.115 - Google Inc.)
Google Earth (HKLM\...\{5A3C1721-F8ED-11E0-8AFB-B8AC6F97B88E}) (Version: 6.1.0.5001 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
HTC BMP USB Driver (HKLM\...\{31A559C1-9E4D-423B-9DD3-34A6C5398752}) (Version: 1.0.5375 - HTC)
HTC Driver Installer (HKLM\...\{4CEEE5D0-F905-4688-B9F9-ECC710507796}) (Version: 4.0.1.001 - HTC Corporation)
HTC Sync (HKLM\...\{B78CFC07-B623-4995-ADCC-B2B4D59D083A}) (Version: 3.3.21 - HTC Corporation)
iBid (HKLM\...\{B019715B-FBD4-41AB-805D-71C05A7D9807}) (Version: 3.0 - Codeglory)
iBid (HKLM\...\iBid) (Version: 2.6.1.0 - Not Yet Determined)
Intel(R) 537EP V9x DF PCI Modem (HKLM\...\Intel(R) 537EP V9x DF PCI Modem) (Version:  - )
Intel(R) Processor ID Utility (HKLM\...\{A92A4DB0-CD37-42D1-BE1D-603D53C24328}) (Version: 4.80.0000 - Intel(R) Corporation)
IPTInstaller (HKLM\...\{08208143-777D-4A06-BB54-71BF0AD1BB70}) (Version: 4.0.8 - HTC)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.32 - Irfan Skiljan)
Java 7 Update 15 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217015FF}) (Version: 7.0.150 - Oracle)
Kodak AIO Printer (Version: 7.8.1.0 - Eastman Kodak Company) Hidden
KODAK AiO Software (HKLM\...\{E0F274B7-592B-4669-8FB8-8D9825A09858}) (Version: 7.8.5.2 - Eastman Kodak Company)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
MasterCook 6: Deluxe Edition (HKLM\...\MasterCook 6: Deluxe Edition) (Version:  - )
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Excel Viewer (HKLM\...\{95120000-003F-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 28.0 (x86 en-US) (HKLM\...\Mozilla Firefox 28.0 (x86 en-US)) (Version: 28.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
MWSnap 3 (HKLM\...\MWSnap 3) (Version: 3.0.0.74 - Mirek Wojtowicz)
MyFreeCodec (HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\MyFreeCodec) (Version:  - )
Nero Suite (HKLM\...\NeroMultiInstaller!UninstallKey) (Version:  - )
ocr (Version: 6.2.3.50 - Eastman Kodak Company) Hidden
OmniPage SE 2.0 (HKLM\...\{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}) (Version: 2.00.0004 - ScanSoft, Inc.)
OVT Scanner (HKLM\...\{A746CE98-A755-4AD7-B4B8-346DC74CDECD}) (Version: 1.00.0000 - OVT)
Paint.NET v3.5.11 (HKLM\...\{72EF03F5-0507-4861-9A44-D99FD4C41417}) (Version: 3.61.0 - dotPDN LLC)
Pale Moon 24.6.2 (x86 en-US) (HKLM\...\Pale Moon 24.6.2 (x86 en-US)) (Version: 24.6.2 - Moonchild Productions)
Planetairum Gold (HKLM\...\Planetairum Gold) (Version:  - )
PlayMemories Home (HKLM\...\{E03CD71A-F595-49DF-9ADC-0CFC93B1B211}) (Version: 6.0.02.14151 - Sony Corporation)
PowerDVD 5.5 (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version:  - )
PreReq (Version: 6.2.4.0 - Eastman Kodak Company) Hidden
PrintProjects (HKLM\...\PrintProjects) (Version: 1.0.0.9282 - RocketLife Inc.)
Quick Startup 2.8.0.718 (HKLM\...\Quick Startup_is1) (Version:  - GlarySoft.com)
QuickTime (HKLM\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
RealDownloader (Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
Samsung Kies3 (HKLM\...\InstallShield_{88547073-C566-4895-9005-EBE98EA3F7C7}) (Version: 3.2.14055.3 - Samsung Electronics Co., Ltd.)
Samsung Kies3 (Version: 3.2.14055.3 - Samsung Electronics Co., Ltd.) Hidden
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.24.999 - SAMSUNG Electronics Co., Ltd.)
Seagate Manager Installer (HKLM\...\InstallShield_{2A30052B-831C-41D3-8044-3C0388066350}) (Version: 2.01.0600 - Seagate)
Secunia PSI (2.0.0.3001) (HKLM\...\Secunia PSI) (Version:  - )
Sonic DLA (HKLM\...\{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}) (Version: 4.95 - Sonic Solutions)
Sonic MyDVD (HKLM\...\{21657574-BD54-48A2-9450-EB03B2C7FC29}) (Version: 5.3.0 - Sonic Solutions)
Sonic RecordNow! (HKLM\...\{9541FED0-327F-4DF0-8B96-EF57EF622F19}) (Version: 7.3 - Sonic Solutions)
Sonic Update Manager (HKLM\...\{09DA4F91-2A09-4232-AB8C-6BC740096DE3}) (Version: 2.9 - Sonic Solutions)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TextMaker Viewer (HKLM\...\TextMaker Viewer) (Version:  - SoftMaker Software GmbH)
TurboTax 2010 (HKLM\...\TurboTax 2010) (Version:  - Intuit, Inc)
TurboTax 2011 (HKLM\...\TurboTax 2011) (Version:  - Intuit, Inc)
TurboTax 2012 (HKLM\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2014 (HKLM\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
Unlocker 1.9.1 (HKLM\...\Unlocker) (Version: 1.9.1 - Cedrick Collomb)
Veoh Web Player (HKLM\...\Veoh Web Player Beta) (Version: 1.1.7.1176 - Veoh Networks, Inc.)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
VLC media player 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Winamp (HKLM\...\Winamp) (Version: 5.581  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-117609710-1801674531-725345543-1003\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinX Free FLV to MPEG Converter 4.1.10 (HKLM\...\WinX Free FLV to MPEG Converter_is1) (Version:  - Digiarty Software,Inc.)
WModem Driver Installer (HKLM\...\HTC_WModemDriver) (Version: 2.0.6.9 - HTC)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-117609710-1801674531-725345543-1003_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)

==================== Restore Points =========================

15-08-2015 06:04:36 System Checkpoint
15-08-2015 21:48:57 JRT Pre-Junkware Removal
17-08-2015 04:44:33 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-03-13 01:47 - 2014-07-21 21:07 - 00000000 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GlaryInitialize 5.job => C:\Program Files\Glary Utilities 5\Initialize.exe

==================== Loaded Modules (Whitelisted) ==============

2014-04-03 04:42 - 2004-08-10 07:00 - 00268288 _____ () C:\WINDOWS\system32\sbe.dll
2004-08-10 07:00 - 2013-01-02 02:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2004-08-10 07:00 - 2008-04-14 06:41 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2004-08-10 07:00 - 2008-04-14 06:42 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2013-06-22 18:14 - 2012-12-07 17:26 - 00167424 _____ () C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
2014-08-02 01:53 - 2014-03-15 04:40 - 03642480 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\60332688.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\90921399.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\60332688.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\90921399.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-117609710-1801674531-725345543-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 192.168.1.1
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: CanonQuickMenu => C:\Program Files\Canon\Quick Menu\CNQMMAIN.EXE /logon
MSCONFIG\startupreg: Conime => %windir%\system32\conime.exe
MSCONFIG\startupreg: GUDelayStartup => "C:\Program Files\Glary Utilities 5\StartupManager.exe" -delayrun
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSCONFIG\startupreg: TkBellExe => "C:\Program Files\Real\RealPlayer\update\realsched.exe"  -osboot

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe] => Enabled:WebKit
StandardProfile\AuthorizedApplications: [C:\Program Files\FrostWire\FrostWire.exe] => Disabled:FrostWire
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Disabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe] => Enabled:Kodak.AiO.HomeCenter
StandardProfile\AuthorizedApplications: [C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe] => Enabled:Kodak.AiO.Statistics
StandardProfile\AuthorizedApplications: [C:\Program Files\Kodak\AiO\Center\NetworkPrinterDiscovery.exe] => Enabled:Kodak.AiO.SetupUtility
StandardProfile\AuthorizedApplications: [C:\Program Files\Kodak\AiO\Firmware\KodakAiOUpdater.exe] => Enabled:Kodak.AiO.FwUpdater
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe] => Enabled:Kodak.AiO.Installer
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe] => :LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server
StandardProfile\GloballyOpenPorts: [51001:TCP] => Enabled:Dragon Smart Phone Server
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008
StandardProfile\GloballyOpenPorts: [9322:TCP] => Enabled:EKDiscovery
StandardProfile\GloballyOpenPorts: [5353:UDP] => Enabled:Bonjour Port 5353

==================== Faulty Device Manager Devices =============

Name: RADEON X300 Series Secondary
Description: RADEON X300 Series Secondary
Class Guid:  TI Technologies Inc.
Manufacturer: ATI Technologies Inc.
Service: ati2mtag
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/15/2015 04:17:32 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 28.0.0.5186, faulting module mozalloc.dll, version 28.0.0.5186, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (03/15/2015 04:17:23 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application acrord32.exe, version 11.0.1.36, faulting module msvcr100.dll, version 10.0.40219.325, fault address 0x00002008.
Processing media-specific event for [acrord32.exe!ws!]

Error: (03/01/2015 06:17:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 28.0.0.5186, faulting module mozalloc.dll, version 28.0.0.5186, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (02/11/2015 03:23:32 AM) (Source: VSS) (EventID: 12298) (User: )
Description: Volume Shadow Copy Service error: The I/O writes cannot be held during the shadow copy creation period on volume C:\.
The volume index in the shadow copy set is 0. Error details: Flush[0x00000000], Release[0x8000ffff], OnRun[0x00000000].

Error: (02/11/2015 03:23:32 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(000001DC,0x0053c030,00039D10,0,00038D08,4096,[0]).  hr = 0x80070057.

Error: (02/11/2015 03:23:32 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(000001DC,0x0053c010,00039D10,0,00038D08,4096,[0]).  hr = 0x80070057.

Error: (01/17/2015 05:08:56 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80080005.

Error: (12/13/2014 09:09:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application acrord32.exe, version 11.0.1.36, faulting module msvcr100.dll, version 10.0.40219.325, fault address 0x00002008.
Processing media-specific event for [acrord32.exe!ws!]

Error: (11/15/2014 06:46:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 28.0.0.5186, faulting module mozalloc.dll, version 28.0.0.5186, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (11/15/2014 06:45:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 28.0.0.5186, faulting module mozalloc.dll, version 28.0.0.5186, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]


System errors:
=============
Error: (08/17/2015 04:30:42 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (08/15/2015 09:49:37 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The PMBDeviceInfoProvider service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/15/2015 09:49:37 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Internet Pass-Through Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (08/15/2015 09:49:36 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/15/2015 09:49:35 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/15/2015 09:49:35 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/15/2015 09:49:35 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The CarboniteService service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/15/2015 09:49:35 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Media Center Receiver Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (08/15/2015 09:49:34 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The AVG WatchDog service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (08/15/2015 09:38:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The COM+ System Application service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.


Microsoft Office:
=========================
Error: (08/15/2015 04:17:32 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe28.0.0.5186mozalloc.dll28.0.0.51860000119c

Error: (03/15/2015 04:17:23 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: acrord32.exe11.0.1.36msvcr100.dll10.0.40219.32500002008

Error: (03/01/2015 06:17:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe28.0.0.5186mozalloc.dll28.0.0.51860000119c

Error: (02/11/2015 03:23:32 AM) (Source: VSS) (EventID: 12298) (User: )
Description: C:\00x000000000x8000ffff0x00000000

Error: (02/11/2015 03:23:32 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(000001DC,0x0053c030,00039D10,0,00038D08,4096,[0])0x80070057

Error: (02/11/2015 03:23:32 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(000001DC,0x0053c010,00039D10,0,00038D08,4096,[0])0x80070057

Error: (01/17/2015 05:08:56 PM) (Source: VSS) (EventID: 8193) (User: )
Description: CoCreateInstance0x80080005

Error: (12/13/2014 09:09:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: acrord32.exe11.0.1.36msvcr100.dll10.0.40219.32500002008

Error: (11/15/2014 06:46:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe28.0.0.5186mozalloc.dll28.0.0.51860000119c

Error: (11/15/2014 06:45:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe28.0.0.5186mozalloc.dll28.0.0.51860000119c


==================== Memory info ===========================

Processor:  Intel(R) Pentium(R) 4 CPU 3.20GHz
Percentage of memory in use: 95%
Total physical RAM: 1022.09 MB
Available physical RAM: 41.64 MB
Total Virtual: 2460.32 MB
Available Virtual: 1449.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149 GB) (Free:55.7 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: D71AD71A)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End of log ============================
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 17, 2015, 07:15:21 AM
Hiya chip,

Logs look good, no obvious malware or infection. Continue as follows please:

Your Java (http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

Go to http://java.com/en/ (http://java.com/en/) and click on "Do I have Java"
It will check your current version and then offer to update to the latest version
Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them. <<-- Very Important

Next,

Download "Delfix by Xplode" (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror" (http://en.kioskea.net/download/download-24087-delfix)

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:



Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629 (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629)

Let me know if there are any remaining issues or concerns...

Cheers,

Kevin...
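A scripted version of the "make certain there are no old versions of Java still installed" check from the post above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later and reads the standard Windows Uninstall registry keys; the registry paths, the "Java" display-name match and the version comparison are assumptions of this example, not instructions from the post.

```powershell
# Added example (not from the thread): list Java runtimes recorded in the Windows
# uninstall registry keys and flag any older copy left behind after an upgrade.
# Assumes PowerShell 3.0+; the key paths below are the usual 32/64-bit locations.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty $sub.PSPath
            # Oracle/Sun entries look like "Java 8 Update 51" or "Java(TM) 6 Update 45"
            if ($p.DisplayName -match '^Java(\(TM\))?\s') {
                [pscustomobject]@{
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion      # e.g. "8.0.510" for 8u51
                    Uninstall = $p.UninstallString
                }
            }
        }
    }
}

function ConvertTo-VersionOrNull([string]$text) {
    # DisplayVersion is not always a clean dotted number; treat unparsable as unknown
    try { return [version]$text } catch { return $null }
}

function Test-JavaVersions {
    $installed = @(Get-InstalledJava |
        Where-Object { (ConvertTo-VersionOrNull $_.Version) -ne $null })
    if ($installed.Count -eq 0) {
        Write-Output 'No Java runtime found in the uninstall keys.'
        return
    }
    $sorted = $installed | Sort-Object { ConvertTo-VersionOrNull $_.Version } -Descending
    $newest = $sorted[0]
    Write-Output ("Newest installed Java: {0} ({1})" -f $newest.Name, $newest.Version)
    # Every entry other than the newest is an older runtime that should be removed,
    # since malware can target the vulnerabilities in those older versions.
    foreach ($old in ($sorted | Select-Object -Skip 1)) {
        Write-Output ("OLD VERSION STILL INSTALLED: {0} ({1}) -> uninstall with: {2}" -f `
            $old.Name, $old.Version, $old.Uninstall)
    }
}

Test-JavaVersions
```

Run it after the java.com update and again after using Add/Remove Programs; once only one Java entry remains, the "OLD VERSION" lines disappear.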
Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 17, 2015, 03:23:00 PM
Thanks Kevin,

Did the Delfix. When you see that Java issue, is it associated with a specific browser? I only ask because I usually use Firefox and Mozilla has blocked Java from running on their browser due to security concerns. So, I show here that I'm maybe 3 or 4 updates behind, but I can't even use it to download any updates and it's probably moot anyway as it's blocked. However, my backup, Internet Explorer, did have it, so I installed the latest there, then went in and removed the earlier version. Funny, after I did that I got a message saying 'I had a non-current version (which might not be secure)' and did I want to delete it? I clicked yes and it was done in about a second. I'm thinking maybe a remnant of the old version. Anyway, new one is in. Otherwise all seems well and operating normally. Was there anything else we might try regarding the issue you found early on with the IE proxy?

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 17, 2015, 04:30:08 PM
Hiya Chip,

I do not have any version of Java installed on any of my systems, don`t miss it, never been prompted for it, do I need it, probably not...

All references to proxy server were gone from last FRST logs, I do not see any remaining issues or concerns for recent logs....?

Do you have any remaining issues or concerns..

Thank you,

Kevin...

Title: Re: [Resolved - K] Police Report Malware
Post by: chipmeister on August 17, 2015, 05:01:51 PM
Actually, I do not. Things are working well, thanks. I've also pretty much figured life without Java is just fine. Now all I have to do is try to get my one Malwarebytes function to work and I'll be good. That's been an issue. Worked with them for weeks and nothing has helped, including downloading a new version. Oh well, technology. Anyway, thank you so much for the help. I appreciate your time. Thanks again,

Chip
Title: Re: [Resolved - K] Police Report Malware
Post by: kevinf80 on August 18, 2015, 12:16:29 AM
Since this issue appears to be resolved the topic has been closed. Glad we could help....

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.
