Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with BuyNSave adware, possibly more.


  • Please log in to reply
19 replies to this topic

#1 nowonmai

nowonmai

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 16 December 2014 - 01:50 PM

Mod edit: Moved to proper forum for FRST logs ~~ boopme

Windows 7 desktop with multiple users. BuyNSave adware on at least one account: extension keeps returning to Chrome.
 
Combofix, MalwareBytes and more have been run on the machine but not helped.
 
Please help me to fix this!
 
I have included Farbar FRST logs to get the ball rolling.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-12-2014 01
Ran by David (ATTENTION: The logged in user is not administrator) on BRIAN-DELL on 16-12-2014 15:31:23
Running from C:\Users\David\Desktop
Loaded Profiles: David & Zadmin1 (Available profiles: Brian & Jenny & David & Xander & Dave & Zadmin1 & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareTray.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Collobos Software) C:\Program Files (x86)\FingerPrint\FingerPrint.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Sun Microsystems, Inc.) C:\Windows\System32\jusched.exe
() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareDesktop.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8321568 2009-11-10] (Realtek Semiconductor)
HKLM\...\Run: [fssui] => C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe [884584 2012-03-08] (Microsoft Corporation)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [AdAwareTray] => C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareTray.exe [8925504 2014-10-15] ()
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [343168 2011-11-09] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM\...\RunOnce: [Raptor] => C:\Program Files\McAfee\Raptor\Raptor.exe [1804656 2014-12-12] (McAfee Inc.)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [415232 2009-07-14] (Microsoft Corporation)
HKLM-x32\...\RunOnce: [Launcher] => C:\Program Files (x86)\Dell DataSafe Local Backup\Components\scheduler\Launcher.exe [165184 2010-07-21] (Softthinks)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [1940160 2014-11-18] (Valve Corporation)
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22869088 2014-10-21] (Google)
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [499712 2013-05-20] (Greenshot)
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
ShortcutTarget: Dell Dock.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\My Program.lnk
ShortcutTarget: My Program.lnk -> C:\Program Files (x86)\FingerPrint\FingerPrint.exe (Collobos Software)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.uk.msn.com/USCON/2
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/USCON/2
URLSearchHook: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
URLSearchHook: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
URLSearchHook: [S-1-5-21-953662030-1232980813-3439487893-1008] ATTENTION ==> Default URLSearchHook is missing.
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM -> {2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
SearchScopes: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> {BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} URL = 
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll (LastPass)
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: Bing Bar Helper -> {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} -> C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll (LastPass)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll (LastPass)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll (LastPass)
Toolbar: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {226ACC34-3194-70E2-5AE7-864FCFE9E80D} http://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: HKLM-x32 {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} http://zone.msn.com/bingame/amun/default/mjolauncher.cab
DPF: HKLM-x32 {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: HKLM-x32 {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: HKLM-x32 {94299420-321F-4FF9-A247-62A23EBB640B} http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: HKLM-x32 {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: HKLM-x32 {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: HKLM-x32 {C86FF4B0-AA1D-46D4-8612-025FB86583C7} http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab
DPF: HKLM-x32 {CAC181B0-4D70-402D-B571-C596A47D0CE0} http://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 0.0.0.0
 
FireFox:
========
FF ProfilePath: C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fisujp9g.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_145.dll ()
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll (LastPass)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\SysWOW64\npdeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll (LastPass)
FF Plugin-x32: @logitech.com/HarmonyRemote,version=1.0.0 -> C:\Program Files (x86)\Logitech\Harmony Remote Driver\NprtHarmonyPlugin.dll (Logitech Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @oberon-media.com/ONCAdapter -> C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll (Oberon-Media )
FF Plugin-x32: @pandasecurity.com/activescan -> C:\Program Files (x86)\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @veetle.com/veetleCorePlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @virtools.com/3DviaPlayer -> C:\Program Files (x86)\Virtools\3D Life Player\npvirtools.dll (Dassault Systèmes)
FF Plugin-x32: @zylom.com/ZylomGamesPlayer -> C:\ProgramData\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll (Zylom)
FF Plugin HKU\S-1-5-21-953662030-1232980813-3439487893-1004: pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npFoxitReaderPlugin.dll (Foxit Software Company)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npzylomgamesplayer.dll (Zylom)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml
FF Extension: Greasemonkey - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\fisujp9g.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2013-08-28]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011-04-01]
FF HKLM-x32\...\Firefox\Extensions: [{B7082FAA-CB62-4872-9106-E42DD88EDE45}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2011-01-21]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.creativeit.tv/apple-macbook-pro-keyboard-repair.htm
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\David\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (WOT) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2014-12-16]
CHR Extension: (Adblock Pro) - C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocifcklkibdehekfnmflempfgjhbedch [2014-12-16]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
CHR HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\David\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [2013-05-08]
CHR HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2011-04-28]
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-08-13] (SUPERAntiSpyware.com)
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2013-01-07] (Adobe Systems) [File not signed]
R2 AirPrint; C:\Program Files (x86)\AirPrint\airprint.exe [234784 2012-12-21] (Apple Inc.)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2011-11-09] (Advanced Micro Devices, Inc.) [File not signed]
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [393080 2013-02-15] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384888 2013-02-15] (BlueStack Systems, Inc.)
R2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2009-06-09] (Stardock Corporation) [File not signed]
S2 FingerPrint; C:\Program Files (x86)\FingerPrint\FingerPrintService.exe [2190256 2013-01-07] (Collobos Software)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [127752 2014-12-06] (SurfRight B.V.)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
R2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareService.exe [707888 2014-10-15] ()
R2 LavasoftTcpService; C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.2.9.5\LavasoftTcpService.exe [1351512 2014-11-27] (Lavasoft Limited)
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 LPDSVC; C:\Windows\system32\lpdsvc.dll [45568 2009-07-14] (Microsoft Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [1919256 2014-11-21] (IBM Corp.)
R2 SearchProtectionService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [15208 2014-11-27] ()
S3 ServiceLayer; C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe [633856 2011-06-08] (Nokia) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 A2DDA; C:\EEK\BIN\a2ddax64.sys [26176 2014-12-11] (Emsisoft GmbH)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [71032 2013-02-15] (BlueStack Systems)
R3 cleanhlp; C:\EEK\bin\cleanhlp64.sys [57024 2014-12-11] (Emsisoft GmbH)
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2014-12-14] ()
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-11] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R0 pavboot; C:\Windows\System32\drivers\pavboot64.sys [33800 2009-06-30] (Panda Security, S.L.)
R1 RapportCerberus_80083; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80083.sys [761720 2014-12-08] ()
R1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [445912 2014-11-21] (IBM Corp.)
R3 RapportIaso; c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso64.sys [424856 2014-12-08] (IBM Corp.)
R0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [534104 2014-11-21] (IBM Corp.)
R1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [557656 2014-11-21] (IBM Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-14] (Brother Industries Ltd.)
R3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [389240 2014-07-10] (BitDefender S.R.L.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Brian\AppData\Local\Temp\mfe_rr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-16 15:31 - 2014-12-16 15:32 - 00026286 _____ () C:\Users\David\Desktop\FRST.txt
2014-12-16 15:31 - 2014-12-16 15:31 - 00000000 ____D () C:\FRST
2014-12-16 15:29 - 2014-12-16 15:29 - 02119168 _____ (Farbar) C:\Users\David\Downloads\FRST64 (1).exe
2014-12-16 15:29 - 2014-12-16 15:29 - 00415232 _____ (Farbar) C:\Users\David\Desktop\FSS.exe
2014-12-16 15:26 - 2014-12-16 15:26 - 00002257 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-12-16 15:26 - 2014-12-16 15:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-12-16 15:21 - 2014-12-16 15:21 - 02119168 _____ (Farbar) C:\Users\David\Desktop\FRST64.exe
2014-12-16 10:32 - 2014-12-16 10:33 - 00000000 ____D () C:\Users\Brian\AppData\Local\{BD1E191B-002A-4647-93A9-4D8183ECD8BC}
2014-12-15 11:15 - 2014-12-15 11:16 - 00000000 ____D () C:\Users\Brian\AppData\Local\{C2219518-B62F-4827-A1E4-165E46D2DDF0}
2014-12-15 01:28 - 2014-12-16 10:33 - 00000000 ____D () C:\Users\David\AppData\Local\{F70C815C-C8CB-4C33-9E8F-1154770E3FA5}
2014-12-14 23:00 - 2014-12-14 23:00 - 00000000 ____D () C:\Users\David\AppData\Roaming\Lavasoft
2014-12-14 22:58 - 2014-12-14 22:58 - 00000436 _____ () C:\Users\Public\Documents\Ad-Aware_Report_Full_Manual_2014-12-14T22-55-41.418260.xml
2014-12-14 22:58 - 2014-12-14 22:58 - 00000000 __SHD () C:\Users\David\AppData\Local\EmieBrowserModeList
2014-12-14 17:36 - 2014-12-14 17:36 - 00088702 _____ () C:\ComboFix.txt
2014-12-14 17:02 - 2014-12-14 17:03 - 05601641 ____R (Swearware) C:\Users\David\Downloads\ComboFix.exe
2014-12-14 16:57 - 2014-12-14 16:57 - 00001645 _____ () C:\Users\David\Downloads\software_removal_tool.log
2014-12-14 14:26 - 2014-12-14 14:26 - 00043664 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2014-12-14 13:27 - 2014-12-14 13:27 - 00000000 ____D () C:\Users\David\AppData\Local\{F10866A1-472D-4173-8F1D-8FDA3E153D25}
2014-12-14 11:32 - 2014-12-14 11:32 - 28226128 _____ (Avery Products Corp.) C:\Users\Brian\Documents\Avery_Wizard_5_0_0_3026_5_en_UK.exe
2014-12-14 11:00 - 2014-12-14 11:12 - 00001626 _____ () C:\Users\Brian\Documents\Christmaslabels.csv
2014-12-14 10:27 - 2014-12-14 10:28 - 00000000 ____D () C:\Users\Brian\AppData\Local\{E458DFB7-6927-4A9E-B963-D01D1DD800FE}
2014-12-13 16:44 - 2014-12-13 16:44 - 00000000 ____D () C:\Users\Brian\Documents\Updater
2014-12-13 16:34 - 2014-12-13 16:43 - 00000000 ____D () C:\Users\Public\Documents\User Guides
2014-12-13 11:47 - 2014-12-14 14:43 - 00000000 ____D () C:\Users\Zadmin1
2014-12-13 11:30 - 2014-12-13 11:30 - 00001192 _____ () C:\Users\Public\Desktop\My LastPass Vault.lnk
2014-12-13 10:39 - 2014-12-13 10:40 - 00000000 ____D () C:\Users\Brian\AppData\Local\{FF40CCA3-313D-4D63-AE51-47EBBB8089F2}
2014-12-12 10:49 - 2014-12-13 10:33 - 00000000 ____D () C:\Program Files (x86)\stinger
2014-12-12 10:49 - 2014-12-12 10:49 - 00000000 ____D () C:\Program Files\McAfee
2014-12-11 18:17 - 2014-12-14 14:43 - 00000000 ____D () C:\EEK
2014-12-11 18:17 - 2014-12-11 18:17 - 00000745 _____ () C:\Users\Brian\Desktop\Start Emsisoft Emergency Kit.lnk
2014-12-11 16:28 - 2014-12-13 11:56 - 00000000 ____D () C:\Users\Brian\Desktop\Malware Rootkit
2014-12-11 16:28 - 2014-12-11 17:30 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-11 16:22 - 2014-12-11 16:22 - 00000558 _____ () C:\Windows\PFRO.log
2014-12-11 15:45 - 2011-06-26 06:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-11 15:45 - 2010-11-07 17:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-11 15:45 - 2009-04-20 04:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-11 15:45 - 2000-08-31 00:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-11 15:45 - 2000-08-31 00:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-11 15:45 - 2000-08-31 00:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-11 15:45 - 2000-08-31 00:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-11 15:45 - 2000-08-31 00:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-11 15:33 - 2014-12-11 15:38 - 00004492 _____ () C:\Users\Brian\Desktop\Rkill.txt
2014-12-11 15:14 - 2014-12-11 15:14 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-11 14:48 - 2014-10-18 02:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-11 14:48 - 2014-10-18 01:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-11 14:48 - 2014-07-07 02:06 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2014-12-11 14:48 - 2014-07-07 02:06 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2014-12-11 14:48 - 2014-07-07 02:06 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2014-12-11 14:48 - 2014-07-07 02:02 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2014-12-11 14:48 - 2014-07-07 01:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2014-12-11 14:48 - 2014-07-07 01:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rrinstaller.exe
2014-12-11 14:48 - 2014-07-07 01:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfpmp.exe
2014-12-11 14:48 - 2014-07-07 01:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mferror.dll
2014-12-11 14:40 - 2014-12-14 17:36 - 00000000 ____D () C:\Qoobox
2014-12-11 14:39 - 2014-12-11 16:01 - 00000000 ____D () C:\Windows\erdnt
2014-12-11 10:07 - 2014-12-04 02:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-11 10:07 - 2014-12-04 02:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-11 10:07 - 2014-12-04 02:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-11 10:07 - 2014-12-04 02:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-11 10:07 - 2014-12-04 02:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-11 10:07 - 2014-12-04 02:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2014-12-11 10:07 - 2014-12-04 02:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-11 10:07 - 2014-12-01 23:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2014-12-11 10:06 - 2014-11-27 01:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-11 10:06 - 2014-11-27 01:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-11 10:06 - 2014-11-22 03:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-11 10:06 - 2014-11-22 03:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-11 10:06 - 2014-11-22 02:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-11 10:06 - 2014-11-22 02:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-11 10:06 - 2014-11-22 02:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-11 10:06 - 2014-11-22 02:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-11 10:06 - 2014-11-22 02:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-11 10:06 - 2014-11-22 02:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-11 10:06 - 2014-11-22 02:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-11 10:06 - 2014-11-22 02:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-11 10:06 - 2014-11-22 02:35 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-11 10:06 - 2014-11-22 02:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-12-11 10:06 - 2014-11-22 02:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-11 10:06 - 2014-11-22 02:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-12-11 10:06 - 2014-11-22 02:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-12-11 10:06 - 2014-11-22 02:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-11 10:06 - 2014-11-22 02:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-11 10:06 - 2014-11-22 02:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-11 10:06 - 2014-11-22 02:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-12-11 10:06 - 2014-11-22 02:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-11 10:06 - 2014-11-22 02:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-11 10:06 - 2014-11-22 02:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-11 10:06 - 2014-11-22 02:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-11 10:06 - 2014-11-22 02:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-12-11 10:06 - 2014-11-22 02:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-11 10:06 - 2014-11-22 02:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-12-11 10:06 - 2014-11-22 02:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-11 10:06 - 2014-11-22 01:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-11 10:06 - 2014-11-22 01:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-11 10:06 - 2014-11-22 01:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-11 10:06 - 2014-11-22 01:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-11 10:06 - 2014-11-22 01:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-12-11 10:06 - 2014-11-22 01:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-11 10:06 - 2014-11-22 01:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-11 10:06 - 2014-11-22 01:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-12-11 10:06 - 2014-11-22 01:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-11 10:06 - 2014-11-22 01:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-11 10:06 - 2014-11-22 01:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-11 10:06 - 2014-11-22 01:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-11 10:06 - 2014-11-22 01:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-11 10:06 - 2014-11-22 01:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-11 10:06 - 2014-11-22 01:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-11 10:06 - 2014-11-22 01:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-11 10:06 - 2014-11-22 01:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-11 10:06 - 2014-11-22 01:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-11 10:06 - 2014-11-22 01:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-11 10:06 - 2014-11-22 01:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-12-11 10:06 - 2014-11-22 01:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-11 10:06 - 2014-11-22 01:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-11 10:06 - 2014-11-22 01:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-12-11 10:06 - 2014-11-22 01:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-11 10:06 - 2014-11-22 00:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-11 10:06 - 2014-11-22 00:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-12-11 10:06 - 2014-11-11 03:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-11 10:06 - 2014-11-11 02:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-11 10:06 - 2014-11-11 01:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2014-12-11 10:05 - 2014-11-22 03:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-11 10:05 - 2014-11-08 03:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-11 10:05 - 2014-11-08 02:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-11 10:05 - 2014-10-30 02:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2014-12-11 10:05 - 2014-10-30 01:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2014-12-11 10:05 - 2014-10-03 02:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-12-11 10:05 - 2014-10-03 02:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2014-12-11 10:05 - 2014-10-03 02:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-12-11 10:05 - 2014-10-03 02:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2014-12-11 10:05 - 2014-10-03 02:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2014-12-11 10:05 - 2014-10-03 01:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-12-11 10:05 - 2014-10-03 01:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-11 10:05 - 2014-10-03 01:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-12-11 10:05 - 2014-10-03 01:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2014-12-11 10:05 - 2014-10-03 01:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2014-12-10 14:04 - 2014-12-14 14:26 - 00000224 _____ () C:\Windows\setupact.log
2014-12-10 14:04 - 2014-12-10 14:04 - 00000000 _____ () C:\Windows\setuperr.log
2014-12-09 15:13 - 2014-12-11 09:55 - 00000000 ____D () C:\Users\Brian\AppData\Local\{46E4F220-E444-4BAD-A3E1-66336E0B749B}
2014-12-08 14:35 - 2014-12-09 02:35 - 00000000 ____D () C:\Users\Brian\AppData\Local\{05010EC9-08AB-43B7-9E5F-EEC3CE99BBAB}
2014-12-08 01:25 - 2014-12-08 01:25 - 00000000 ____D () C:\Users\Brian\AppData\Local\{292D0617-2C1F-4444-A395-1921DFB891FF}
2014-12-07 19:32 - 2014-12-07 19:32 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\LavasoftStatistics
2014-12-07 19:31 - 2014-12-07 19:32 - 00000000 ____D () C:\Users\Brian\AppData\Local\Lavasoft
2014-12-07 19:30 - 2014-12-13 10:37 - 00004584 _____ () C:\Windows\SysWOW64\LavasoftTcpService.ini
2014-12-07 19:30 - 2014-12-13 10:37 - 00002416 _____ () C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini
2014-12-07 19:30 - 2014-12-13 10:37 - 00002416 _____ () C:\Windows\system32\LavasoftTcpServiceOff.ini
2014-12-07 19:30 - 2014-11-27 10:44 - 00358736 _____ (Lavasoft Limited) C:\Windows\system32\LavasoftTcpService64.dll
2014-12-07 19:29 - 2014-11-27 10:44 - 00312424 _____ (Lavasoft Limited) C:\Windows\SysWOW64\LavasoftTcpService.dll
2014-12-07 19:28 - 2014-12-07 19:28 - 00000000 ____D () C:\Program Files (x86)\Lavasoft
2014-12-07 19:27 - 2014-12-07 20:33 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\Lavasoft
2014-12-07 19:27 - 2014-12-07 19:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2014-12-07 19:26 - 2014-12-07 19:26 - 00000000 ____D () C:\Program Files\Lavasoft
2014-12-07 19:24 - 2014-12-07 19:24 - 00000000 ____D () C:\Program Files\Common Files\Lavasoft
2014-12-07 19:23 - 2014-12-07 19:27 - 00000000 ____D () C:\ProgramData\Lavasoft
2014-12-07 13:24 - 2014-12-07 13:24 - 00000000 ____D () C:\Users\Brian\AppData\Local\{8F45A434-6643-4153-9F2E-4C6FED64F645}
2014-12-07 01:23 - 2014-12-07 01:24 - 00000000 ____D () C:\Users\Brian\AppData\Local\{8273A873-8506-4268-9E74-6724C1883940}
2014-12-06 22:09 - 2014-12-07 16:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-12-06 22:09 - 2014-12-07 16:49 - 00000000 ____D () C:\Program Files\HitmanPro
2014-12-04 13:57 - 2014-12-13 16:21 - 00000000 ____D () C:\Users\Brian\Documents\DeDRM_plugin
2014-12-04 13:53 - 2014-12-04 13:53 - 00001816 _____ () C:\Users\Brian\Desktop\tools v6.0.9.zip
2014-12-04 13:49 - 2014-12-07 16:49 - 00000000 ____D () C:\ProgramData\apllfojojmaohffbnmpabpdgenbppnjn
2014-11-26 21:59 - 2014-11-26 21:59 - 07158230 _____ () C:\Users\David\Desktop\Lunt.bmp
2014-11-26 19:39 - 2014-12-02 13:17 - 00000000 ____D () C:\Users\David\AppData\Local\{CB7C92E7-A7D3-4E91-AA39-27746182CDCC}
2014-11-24 22:42 - 2014-12-07 16:48 - 00000000 ____D () C:\Users\Jenny\AppData\Roaming\vlc
2014-11-24 16:28 - 2014-12-13 16:36 - 00000000 ____D () C:\Users\Brian\Documents\RobinHobb
2014-11-18 20:28 - 2014-11-11 03:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-18 20:28 - 2014-11-11 03:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-18 20:28 - 2014-11-11 02:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-18 20:28 - 2014-11-11 02:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-18 14:56 - 2014-11-18 14:56 - 01202848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FM20.DLL
2014-11-18 12:10 - 2014-11-18 12:15 - 00000000 ____D () C:\Users\Brian\Desktop\NZ SECURITY
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-16 15:26 - 2010-02-20 15:53 - 00000000 ____D () C:\Program Files (x86)\Google
2014-12-16 14:51 - 2010-05-05 17:23 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-16 14:30 - 2009-07-14 05:10 - 01910390 _____ () C:\Windows\WindowsUpdate.log
2014-12-16 14:18 - 2010-10-13 13:31 - 00000632 __RSH () C:\Users\David\ntuser.pol
2014-12-16 14:18 - 2010-02-19 14:06 - 00000000 ____D () C:\Users\David
2014-12-16 10:33 - 2010-05-05 17:23 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-15 16:09 - 2012-12-14 14:13 - 00000000 ____D () C:\Users\David\AppData\Local\CrashDumps
2014-12-15 13:40 - 2012-09-13 11:07 - 00000000 ____D () C:\Users\Brian\AppData\Local\CrashDumps
2014-12-15 11:15 - 2010-10-03 15:14 - 00000632 __RSH () C:\Users\Brian\ntuser.pol
2014-12-15 11:15 - 2010-02-18 15:21 - 00000000 ____D () C:\Users\Brian
2014-12-14 23:00 - 2012-05-14 11:13 - 00000000 ___RD () C:\Users\David\Google Drive
2014-12-14 22:59 - 2010-03-24 20:21 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-12-14 17:32 - 2009-07-14 02:34 - 00000215 _____ () C:\Windows\system.ini
2014-12-14 14:40 - 2009-07-14 04:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-14 14:40 - 2009-07-14 04:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-14 14:26 - 2009-07-14 05:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-14 14:14 - 2014-05-16 22:52 - 00000512 _____ () C:\Windows\system32\.crusader
2014-12-14 13:46 - 2013-01-30 10:57 - 00000000 ___RD () C:\Users\David\Dropbox
2014-12-14 13:45 - 2010-02-19 18:51 - 00000000 ____D () C:\Users\David\AppData\Roaming\Dropbox
2014-12-14 13:42 - 2010-02-19 18:54 - 00001023 _____ () C:\Users\David\Desktop\Dropbox.lnk
2014-12-14 13:42 - 2010-02-19 18:51 - 00000000 ____D () C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-12-14 13:22 - 2013-05-22 22:51 - 00000000 ____D () C:\Program Files\My Dell
2014-12-14 13:22 - 2010-02-13 20:48 - 00000000 ____D () C:\ProgramData\PCDr
2014-12-14 11:35 - 2012-11-21 00:22 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\Avery
2014-12-13 18:18 - 2009-07-14 03:20 - 00000000 ____D () C:\Windows\rescache
2014-12-13 16:47 - 2012-01-02 14:03 - 00032256 ___SH () C:\Users\Brian\Documents\Thumbs.db
2014-12-13 16:36 - 2014-02-03 22:55 - 00000000 ____D () C:\Users\Brian\Documents\My Kindle Content
2014-12-13 16:23 - 2010-01-03 20:30 - 00000000 ____D () C:\Users\Brian\Documents\Miscellaneous
2014-12-13 16:21 - 2013-10-17 16:28 - 00000000 ____D () C:\Users\Brian\Documents\Calibre Library
2014-12-13 13:03 - 2010-03-08 15:36 - 00000000 ____D () C:\Users\Brian\AppData\Local\Apps\2.0
2014-12-13 11:50 - 2013-03-17 18:45 - 00000000 ____D () C:\Program Files (x86)\EXIF Date Changer
2014-12-13 11:31 - 2012-09-10 20:23 - 00000000 ____D () C:\Program Files (x86)\LastPass
2014-12-13 11:30 - 2012-09-10 20:23 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LastPass
2014-12-13 11:30 - 2012-09-10 20:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LastPass
2014-12-13 11:09 - 2010-02-18 15:25 - 00000000 ____D () C:\Users\Brian\AppData\Local\SoftThinks
2014-12-11 17:31 - 2014-05-11 16:53 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-11 17:31 - 2014-05-11 16:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-11 17:31 - 2014-05-11 16:53 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-11 17:31 - 2013-09-12 10:24 - 00001104 _____ () C:\Users\Public\Desktop\MalwarebytesAnti-Malware.lnk
2014-12-11 15:59 - 2010-02-27 13:23 - 00000000 ____D () C:\Users\Xander
2014-12-11 15:14 - 2014-05-07 02:02 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-11 15:14 - 2009-07-14 03:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-11 15:14 - 2009-07-14 03:20 - 00000000 ____D () C:\Windows\AppCompat
2014-12-11 15:12 - 2010-02-13 20:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-11 15:11 - 2013-08-15 02:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-11 14:51 - 2010-02-21 11:54 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-09 23:59 - 2013-01-30 11:10 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-12-09 23:59 - 2010-02-14 05:17 - 00000000 ____D () C:\Windows\Panther
2014-12-09 23:57 - 2012-04-24 10:31 - 00000824 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-12-09 23:57 - 2012-04-24 10:31 - 00000000 ____D () C:\Program Files\CCleaner
2014-12-09 14:33 - 2014-05-27 18:42 - 00000000 ____D () C:\AdwCleaner
2014-12-09 08:00 - 2013-08-13 15:48 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-12-08 19:00 - 2013-09-17 11:11 - 00007619 _____ () C:\Users\Brian\AppData\Local\Resmon.ResmonCfg
2014-12-08 09:51 - 2013-08-21 13:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trusteer Endpoint Protection
2014-12-07 16:50 - 2012-12-28 20:58 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
2014-12-07 16:49 - 2014-05-16 22:27 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-12-07 16:49 - 2013-10-17 16:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\calibre - E-book Management
2014-12-07 16:49 - 2013-10-17 16:26 - 00000000 ____D () C:\Program Files (x86)\Calibre2
2014-12-07 16:49 - 2013-01-01 01:36 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-12-07 16:49 - 2011-12-13 11:33 - 00000000 ____D () C:\ProgramData\ArcSoft
2014-12-07 16:49 - 2009-07-14 03:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-12-07 16:48 - 2013-10-14 12:05 - 00000000 ____D () C:\Users\David\AppData\Roaming\Greenshot
2014-12-07 16:48 - 2012-11-13 10:46 - 00000000 ___RD () C:\Users\Jenny\Google Drive
2014-12-07 16:48 - 2010-03-05 17:20 - 00000000 __RHD () C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-12-07 16:48 - 2010-03-05 17:20 - 00000000 __RHD () C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-12-07 16:48 - 2010-03-05 17:20 - 00000000 ___HD () C:\Users\Dave\AppData\Roaming\Trusteer
2014-12-07 16:48 - 2010-02-18 18:30 - 00000000 ____D () C:\Users\Jenny
2014-12-07 16:48 - 2009-07-14 03:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-12-07 16:48 - 2009-07-14 03:20 - 00000000 ____D () C:\Windows\registration
2014-12-07 09:51 - 2010-12-25 23:24 - 00000000 ____D () C:\Program Files (x86)\MSN Games
2014-12-07 09:51 - 2009-07-14 05:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2014-12-07 09:41 - 2011-08-01 11:33 - 00000000 ____D () C:\Program Files (x86)\Nokia
2014-12-06 15:45 - 2012-06-30 15:03 - 00000000 ____D () C:\Windows\OvtCam
2014-12-04 16:15 - 2009-07-14 05:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-04 14:13 - 2014-02-03 22:55 - 00002233 _____ () C:\Users\Brian\Desktop\Kindle.lnk
2014-12-04 14:13 - 2014-02-03 22:55 - 00000000 ____D () C:\Users\Brian\AppData\Local\Amazon
2014-12-04 13:21 - 2014-08-23 20:48 - 00000000 ____D () C:\Users\Public\Documents\U3A Membership
2014-11-26 21:59 - 2014-09-26 20:27 - 00000000 ____D () C:\Users\David\Documents\Map Overlays
2014-11-26 19:09 - 2014-01-09 17:12 - 00000000 ___RD () C:\Users\Jenny\Dropbox
2014-11-24 15:41 - 2010-02-13 20:46 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-11-24 11:07 - 2013-10-15 07:41 - 00000000 ____D () C:\Users\Jenny\AppData\Roaming\Dropbox
2014-11-24 11:06 - 2010-10-03 15:14 - 00000632 __RSH () C:\Users\Jenny\ntuser.pol
2014-11-21 06:14 - 2014-05-11 16:53 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-21 06:14 - 2014-05-11 16:53 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-21 06:14 - 2013-01-28 15:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-21 00:30 - 2011-03-04 11:31 - 00534104 _____ (IBM Corp.) C:\Windows\system32\Drivers\RapportKE64.sys
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
ATTENTION: ==> Could not access BCD, see Addition.txt for additional information.
 
==================== End Of Log ============================
 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-12-2014 01
Ran by David at 2014-12-16 15:32:59
Running from C:\Users\David\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AV: Ad-Aware Antivirus (Disabled - Out of date) {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Ad-Aware Antivirus (Disabled - Out of date) {631A84A5-349B-D564-3A83-A0F22C2DF32B}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Ad-Aware Firewall (Disabled) {E040E464-58CE-DBB2-2B6C-32B5A979FEED}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32Red Casino (HKLM-x32\...\32red) (Version: 16.6.1.11212 - )
3DVIA player 5.0 (HKLM-x32\...\{4E868D3D-6EEB-4273-926C-2287236B5B79}) (Version: 5.0.0.12 - 3DVIA)
64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Ad-Aware Antivirus (HKLM\...\{6D1428BD-E5F2-4378-B620-E7442E7C2BFB}_AdAwareUpdater) (Version: 11.4.6792.0 - Lavasoft)
Ad-Aware Web Companion (x32 Version: 1.0.813.1538 - Lavasoft) Hidden
AdAwareInstaller (Version: 11.4.6792.0 - Lavasoft) Hidden
AdAwareUpdater (Version: 11.4.6792.0 - Lavasoft) Hidden
Adobe Creative Suite 2 (HKLM-x32\...\{0134A1A1-C283-4A47-91A1-92F19F960372}) (Version:  - )
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.5.635 - Adobe Systems, Inc.)
Amazon MP3 Downloader 1.0.9 (HKLM-x32\...\Amazon MP3 Downloader) (Version:  - )
AMD Catalyst Install Manager (HKLM\...\{0BD776F3-057D-4C11-020C-4FA9B13D04F9}) (Version: 3.0.855.0 - Advanced Micro Devices, Inc.)
AntimalwareEngine (Version: 3.0.0.56 - Lavasoft) Hidden
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft PhotoImpression 6 (HKLM-x32\...\{D56401D6-E356-4CA5-97A3-024D666F5E5C}) (Version: 6.1.7.129 - ArcSoft)
ArcSoft Print Creations - Album Page (HKLM-x32\...\{E6B4117F-AC59-4B13-9274-EB136E8897EE}) (Version:  - ArcSoft)
ArcSoft Print Creations - Funhouse (HKLM-x32\...\{9591C049-5CAE-4E89-A8D9-191F1899628B}) (Version:  - ArcSoft)
ArcSoft Print Creations - Greeting Card (HKLM-x32\...\{F04F9557-81A9-4293-BC49-2C216FA325A7}) (Version:  - ArcSoft)
ArcSoft Print Creations - Photo Book (HKLM-x32\...\{56589DFE-0C29-4DFE-8E42-887B771ECD23}) (Version:  - ArcSoft)
ArcSoft Print Creations - Photo Calendar (HKLM-x32\...\{CA9ED5E4-1548-485B-A293-417840060158}) (Version:  - ArcSoft)
ArcSoft Print Creations - Scrapbook (HKLM-x32\...\{B0D83FCD-9D42-43ED-8315-250326AADA02}) (Version:  - ArcSoft)
ArcSoft Print Creations - Slimline Card (HKLM-x32\...\{007B37D9-0C45-4202-834B-DD5FAAE99D63}) (Version:  - ArcSoft)
ArcSoft Print Creations (HKLM-x32\...\{CAE8A0F1-B498-4C23-95FA-55047E730C8F}) (Version: 2.8.255.384 - ArcSoft)
Ask Toolbar Updater (HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\{79A765E1-C399-405B-85AF-466F52E918B0}) (Version: 1.2.5.36191 - Ask.com) <==== ATTENTION
ATI Catalyst Control Center (HKLM-x32\...\{055EE59D-217B-43A7-ABFF-507B966405D8}) (Version: 2.009.0714.2131 - )
Audacity 2.0 (HKLM-x32\...\Audacity_is1) (Version:  - Audacity Team)
Avery Wizard 4.0 (HKLM-x32\...\{F5D84887-8A6F-4993-8560-B3AA44CB620D}) (Version: 4.0.201 - Avery)
Avery Wizard 5.0 (HKLM-x32\...\{FC3B3A5D-7058-4627-9F1E-F95CC38B6054}) (Version: 5.0.5 - Avery)
B109n-z (x32 Version: 140.0.690.000 - Hewlett-Packard) Hidden
Bing Bar (HKLM-x32\...\{D322A9E3-758B-4D60-A7C4-65C88FD378D0}) (Version: 7.2.241.0 - Microsoft Corporation)
BlueStacks App Player (HKLM-x32\...\BlueStacks App Player) (Version: 0.7.9.860 - BlueStack Systems, Inc.)
BlueStacks Notification Center (HKLM-x32\...\{CD9D0827-A6D6-4E2C-B31E-23F01577E27B}) (Version: 0.7.9.860 - BlueStack Systems, Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bonjour Print Services (HKLM\...\{0DA20600-6130-443B-9D4B-F30520315FA6}) (Version: 2.0.2.0 - Apple Inc.)
BufferChm (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
calibre (HKLM-x32\...\{75EA944A-4C53-4A0A-8B3B-E195EDAA626C}) (Version: 2.12.0 - Kovid Goyal)
CardRecovery 6.00 (HKLM-x32\...\{88D68A69-D247-466B-90DD-575F6BE16230}_is1) (Version:  - WinRecovery Software)
ccc-core-static (x32 Version: 2009.0714.2132.36830 - ATI) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.00 - Piriform)
Chunky (HKLM\...\Chunky) (Version:  - )
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dell DataSafe Local Backup - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 2.34 - Dell)
Dell DataSafe Local Backup (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 9.4.45 - Dell)
Dell DataSafe Online (HKLM-x32\...\{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}) (Version: 1.2.0011 - Dell, Inc.)
Dell Dock (HKLM\...\{E60B7350-EA5F-41E0-9D6F-E508781E36D2}) (Version: 2.0.0 - Dell)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Getting Started Guide (HKLM-x32\...\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}) (Version: 1.00.0000 - Dell Inc.)
DesignPro 5 (HKLM-x32\...\InstallShield_{23AAEA74-A836-4565-9903-684BC87A5529}) (Version: 5.5.708 - Avery Dennison)
DesignPro 5 (x32 Version: 5.5.708 - Avery Dennison) Hidden
Destinations (x32 Version: 140.0.77.000 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
doPDF 7.2 printer (HKLM\...\doPDF 7 printer_is1) (Version:  - Softland)
Dragon Age II Demo (HKLM-x32\...\Steam App 47940) (Version:  - BioWare)
Dropbox (HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
EPUB to MOBI (HKLM-x32\...\{C65AA5AE-8B80-46B6-ADFC-BBF1EFF2AD98}_is1) (Version:  - epubtomobi.com)
ESSBrwr (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
ESSCDBK (x32 Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
ESScore (x32 Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
ESSgui (x32 Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
ESSini (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
ESSPCD (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
ESSTOOLS (x32 Version: 5.00.0000.0004 - EASTMAN KODAK Company) Hidden
essvatgt (x32 Version: 8.00.0000.0001 - EASTMAN KODAK Company) Hidden
Exact Audio Copy 1.0beta3 (HKLM-x32\...\Exact Audio Copy) (Version: 1.0beta3 - Andre Wiethoff)
FeedDemon (HKLM-x32\...\FeedDemon_is1) (Version: 3.1.0.20 - NewsGator Technologies, Inc.)
fflink (x32 Version: 6.02.1001.0001 - EASTMAN KODAK Company) Hidden
FileMagnet (HKLM-x32\...\FileMagnet) (Version:  - Magnetism, Inc.)
FingerPrint 2.2.0.597 (HKLM-x32\...\{85D5BFBB-8BC4-467B-BADA-D574A3CDC139}_is1) (Version: 2.2.0.597 - Collobos Software)
FlatOut: Ultimate Carnage (HKLM-x32\...\Steam App 12360) (Version:  - BugBear)
Foxit Reader (HKLM-x32\...\Foxit Reader) (Version: 3.2.0.303 - Foxit Corporation)
Free File Viewer 2014 (HKLM-x32\...\FreeFileViewer_is1) (Version: 2014.2.16.0 - Bitberry Software) <==== ATTENTION
GIMP 2.6.11 (HKLM-x32\...\WinGimp-2.0_is1) (Version: 2.6.11 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Drive (HKLM-x32\...\{C60F3836-333A-4AE2-B526-CFDBA143A9BA}) (Version: 1.18.7821.2489 - Google, Inc.)
Google Earth Plug-in (HKLM-x32\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google SketchUp 7 (HKLM-x32\...\{597E70FF-7C46-4EED-8092-91B7C2E0529D}) (Version: 2.1.6860 - Google, Inc.)
Google SketchUp 8 (HKLM-x32\...\{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}) (Version: 3.0.11752 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google+ Auto Backup (HKLM-x32\...\{A50DE037-B5C0-4C8A-8049-B0C576B313D1}) (Version: 1.0.21.81 - Google)
GoToAssist 8.0.0.514 (HKLM-x32\...\GoToAssist) (Version:  - )
GPBaseService2 (x32 Version: 140.0.211.000 - Hewlett-Packard) Hidden
Greenshot 1.1.5.2643 (HKLM\...\Greenshot_is1) (Version: 1.1.5.2643 - Greenshot)
Half-Life 2 (HKLM-x32\...\Steam App 220) (Version:  - Valve)
Hewlett-Packard ACLM.NET v1.1.0.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.232 - SurfRight B.V.)
HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP)
HP IDF Software (HKLM-x32\...\{974025B1-769B-49E9-817C-C638ABE8F372}) (Version: 11.15.1000 - Hewlett-Packard Company)
HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.2024 - HP Photo Creations Powered by RocketLife)
HP Photosmart Wireless B109n-z All-in-One Driver Software 14.0 Rel. 6 (HKLM\...\{79A72AAD-7ED4-49D8-872D-D1465061F9DB}) (Version:  - HP)
HP Print Projects 1.0 (HKLM\...\HP Print Projects) (Version: 1.0 - HP)
HP Product Detection (HKLM-x32\...\{A436F67F-687E-4736-BD2B-537121A804CF}) (Version: 11.14.0001 - HP)
HP Smart Web Printing 4.60 (HKLM\...\HP Smart Web Printing) (Version: 4.60 - HP)
HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (x32 Version: 1.00.0000 - Microsoft) Hidden
HPPhotoGadget (x32 Version: 140.0.524.000 - Hewlett-Packard) Hidden
hpPrintProjects (x32 Version: 130.0.303.000 - Hewlett-Packard) Hidden
HPProductAssistant (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
HPSSupply (x32 Version: 140.0.211.000 - Hewlett-Packard) Hidden
hpWLPGInstaller (x32 Version: 130.0.303.000 - Hewlett-Packard) Hidden
iCloud (HKLM\...\{8B485965-8EFE-464A-842F-CF8F18C3DFD7}) (Version: 1.1.0.40 - Apple Inc.)
IETester v0.5.2 (remove only) (HKLM-x32\...\IETester) (Version: 0.5.2 - Core Services)
ImageScanTool V2.0.1 (HKLM-x32\...\{0946691D-11AD-4226-B1D8-1633902288EB}) (Version: 2.00.1000 - 35mm Film Scanner)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.2.0 - LIGHTNING UK!)
iTunes (HKLM\...\{D601CEAD-2E4F-4BBB-85CC-C29A4CE6A3C0}) (Version: 11.1.3.8 - Apple Inc.)
Java 7 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
Java™ 6 Update 17 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416017FF}) (Version: 6.0.170 - Sun Microsystems, Inc.)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
JDownloader 0.9 (HKLM-x32\...\5513-1208-7298-9440) (Version: 0.9 - AppWork GmbH)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
kgchday (x32 Version: 5.03.0000.0002 - EASTMAN KODAK Company) Hidden
kgcinvt (x32 Version: 5.03.0000.0003 - EASTMAN KODAK Company) Hidden
kgckids (x32 Version: 6.03.0001.0001 - EASTMAN KODAK Company) Hidden
Kodak EasyShare software (HKLM-x32\...\{D32470A1-B10C-4059-BA53-CF0486F68EBC}) (Version:  - Eastman Kodak Company)
LastPass (uninstall only) (HKLM-x32\...\LastPass) (Version:  - LastPass)
LavasoftTcpService (x32 Version: 2.2.9.5 - Lavasoft) Hidden
Logitech Harmony Remote Software (HKLM-x32\...\{634F79E1-2A41-4C40-9E8D-89EC740AC9D6}) (Version: 0.6.0201 - Logitech)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
MarketResearch (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
Memory-Map OS Edition Version 5 (HKLM-x32\...\{B3FB6B55-C271-44FC-BA03-BBD8B2EA6EEF}) (Version: 5.0.0 - Memory-Map, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Image Composite Editor (HKLM\...\{B821CDAA-34DE-46FD-87C9-E6EE7158DB5D}) (Version: 1.4.4 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Basic 2007 (HKLM-x32\...\BASICR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM-x32\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Monkey Quest (HKLM-x32\...\Monkey Quest) (Version: 1.0 - Viacom)
Mozilla Firefox 23.0.1 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 23.0.1 (x86 en-GB)) (Version: 23.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 23.0.1 - Mozilla)
MSVC90_x64 (Version: 1.0.1.2 - Nokia) Hidden
MSVC90_x86 (x32 Version: 1.0.1.2 - Nokia) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.4.6422.14 - PC-Doctor, Inc.)
netbrdg (x32 Version: 7.01.0000.0001 - EASTMAN KODAK Company) Hidden
Network64 (Version: 140.0.215.000 - Hewlett-Packard) Hidden
Network64 (Version: 140.0.221.000 - Hewlett-Packard) Hidden
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.6.9 - Notepad++ Team)
Numen: Contest of Heroes (HKLM-x32\...\Steam App 60800) (Version:  - Cinemax)
NVIDIA PhysX (HKLM-x32\...\{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}) (Version: 9.09.0814 - NVIDIA Corporation)
Oddworld: Abe's Oddysee (HKLM-x32\...\Steam App 15700) (Version:  - Oddworld Inhabitants)
OfotoXMI (x32 Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
Oracle VM VirtualBox 4.2.16 (HKLM\...\{4CC3444D-7279-4E83-984F-18E9A7B2E803}) (Version: 4.2.16 - Oracle Corporation)
OVTScanner_X64 (HKLM-x32\...\{AE09704D-9051-4C25-B940-77F889F0C93F}) (Version: 1.00.0000 - OVT)
Paint Shop Pro 7 Anniversary Edition (HKLM-x32\...\{D6DE02C7-1F47-11D4-9515-00105AE4B89A}) (Version: 7.0.4.0000 - Jasc Software Inc)
Paint.NET v3.5.10 (HKLM\...\{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}) (Version: 3.60.0 - dotPDN LLC)
Panda ActiveScan 2.0 (HKLM-x32\...\ActiveScan 2.0) (Version: 01.04.01.0014 - Panda Security)
Pando Media Booster (HKLM-x32\...\{980A182F-E0A2-4A40-94C1-AE0C1235902E}) (Version: 2.6.0.1 - Pando Networks Inc.)
PC Connectivity Solution (HKLM-x32\...\{C373F7C4-05D2-4047-96D1-6AF30661C6AA}) (Version: 11.4.19.0 - Nokia)
PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Pirate101 (HKLM-x32\...\{662140BE-138C-4DC1-B4CD-B62C6C855A25}) (Version: 1.0.0 - KingsIsle Entertainment, Inc.)
Plants vs. Zombies: Game of the Year (HKLM-x32\...\Steam App 3590) (Version:  - PopCap)
Portal 2 (HKLM-x32\...\Steam App 620) (Version:  - Valve)
Portal: The First Slice (HKLM-x32\...\Steam App 410) (Version:  - Valve)
PowerDVD DX (HKLM-x32\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.3.5424 - CyberLink Corp.)
PS_AIO_06_B109n-z_SW_Min (x32 Version: 140.0.690.000 - Hewlett-Packard) Hidden
QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
QuickTransfer (x32 Version: 140.0.98.000 - Hewlett-Packard) Hidden
Rapport (Version: 3.5.1205.20 - Trusteer) Hidden
Rapport (x32 Version: 3.5.1404.34 - Trusteer) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5977 - Realtek Semiconductor Corp.)
ReNamer (HKLM-x32\...\ReNamer_is1) (Version: 5.50 - [den4b] Denis Kozlov)
Roxio Burn (HKLM-x32\...\{B2E47DE7-800B-40BB-BD1F-9F221C3AEE87}) (Version: 1.01 - Roxio)
Samsung AllShare (HKLM-x32\...\InstallShield_{DF47ACA3-7C78-4C08-8007-AC682563C9F1}) (Version: 2.1.0.12031_10 - Samsung Electronics Co., Ltd.)
Samsung AllShare (x32 Version: 2.1.0.12031_10 - Samsung Electronics Co., Ltd.) Hidden
Scan (x32 Version: 140.0.80.000 - Hewlett-Packard) Hidden
Scribus 1.3.3.14 (HKLM-x32\...\Scribus 1.3.3.14) (Version: 1.3.3.14 - The Scribus Team)
SFR (x32 Version: 8.01.0000.0001 - Eastman Kodak Company) Hidden
SHASTA (x32 Version: 7.01.0000.0001 - EASTMAN KODAK Company) Hidden
Shattered Horizon (HKLM-x32\...\Steam App 18110) (Version:  - Futuremark)
Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 14.0 - HP)
skin0001 (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
Skins (x32 Version: 2009.0714.2132.36830 - ATI) Hidden
SKINXSDK (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
SmartWebPrinting (x32 Version: 140.0.186.000 - Hewlett-Packard) Hidden
SolutionCenter (x32 Version: 140.0.213.000 - Hewlett-Packard) Hidden
Spotify (HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Spotify) (Version: 0.6.5 - )
SqrSoft® Advanced Crossfading (remove only) (HKLM-x32\...\SqrSoftACF) (Version:  - )
SqrSoft® Advanced Crossfading (remove only) (HKLM-x32\...\SqrSoftACFDW) (Version:  - )
Stamp 2.8 (HKLM-x32\...\ST6UNST #1) (Version:  - )
staticcr (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
Status (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
Suite Specific (x32 Version: 2.0.0 - Adobe Systems, Incorporated) Hidden
Super Meat Boy (HKLM-x32\...\Steam App 40800) (Version:  - )
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1026 - SUPERAntiSpyware.com)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
System Requirements Lab CYRI (HKLM-x32\...\{943A8D28-80D6-41DC-AE94-81FEB42041BF}) (Version: 4.5.1.0 - Husdawg, LLC)
Team Fortress 2 (HKLM-x32\...\Steam App 440) (Version:  - Valve)
The Witcher: Enhanced Edition (HKLM-x32\...\Steam App 20900) (Version:  - CD Projekt RED)
TomTom HOME (HKLM-x32\...\{99072AB4-D795-44D5-9D65-E3C9F8322C97}) (Version: 2.9.7 - TomTom)
TomTom HOME Visual Studio Merge Modules (HKLM-x32\...\{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}) (Version: 1.0.2 - TomTom International B.V.)
Toolbox (x32 Version: 140.0.428.000 - Hewlett-Packard) Hidden
TrayApp (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
Trusteer Endpoint Protection (HKLM-x32\...\Rapport_msi) (Version: 3.5.1404.34 - Trusteer)
Ultimate Live Music Audio Converter version 1.0.0 (HKLM-x32\...\{F41231C2-E89B-44D9-B5ED-E327B9940964}_is1) (Version: 1.0.0 - )
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Veetle TV (HKLM-x32\...\Veetle TV) (Version: 0.9.18 - Veetle, Inc)
Vernons Casino (HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Vernons Casino) (Version:  - )
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
VPRINTOL (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
Web Companion (HKLM-x32\...\{89C9F6E5-50D4-400C-AB96-5A947584D4D6}_WebCompanion) (Version: 1.0.813.1538 - Lavasoft)
WebReg (x32 Version: 140.0.212.017 - Hewlett-Packard) Hidden
Winamp (HKLM-x32\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0) (HKLM\...\FCEC33AD40CEA5E0FC4CEE6E42041A0DA189652D) (Version: 08/22/2008 7.0.0.0 - Nokia)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
WIRELESS (x32 Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
Xmarks for IE (HKLM-x32\...\{C56BBAC8-0DD2-4CE4-86E0-F2BDEABDD0CF}) (Version: 127.0.160 - Xmarks)
Zylom Games Player Plugin (HKLM-x32\...\Zylom Games Player Plugin) (Version:  - Zylom Games)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
Could not list Restore Points. Check "winmgmt" service or repair WMI.
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 02:34 - 2014-12-14 17:32 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\Windows\Tasks\FreeFileViewerUpdateChecker.job => ? <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
 
==================== Loaded Modules (whitelisted) =============
 
2014-10-15 14:03 - 2014-10-15 14:03 - 08925504 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareTray.exe
2014-10-15 14:03 - 2014-10-15 14:03 - 03396400 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\RCF.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00123744 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_filesystem-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00024408 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_system-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00055648 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_date_time-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00103768 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_thread-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00033624 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_chrono-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00500056 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_locale-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 02132800 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\HtmlFramework.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00066872 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\DllStorage.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00869712 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareTrayDefaultSkin.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00811328 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\Localization.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 16893248 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareDesktop.exe
2014-10-15 14:03 - 2014-10-15 14:03 - 00788824 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_regex-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 00451440 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\boost_program_options-vc100-mt-1_55.dll
2014-10-15 14:03 - 2014-10-15 14:03 - 09304408 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.4.6792.0\AdAwareDesktopDefaultSkin.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:370EF5E8
AlternateDataStreams: C:\ProgramData\TEMP:4E9307D7
AlternateDataStreams: C:\ProgramData\TEMP:813C4833
AlternateDataStreams: C:\ProgramData\TEMP:B3B423E1
AlternateDataStreams: C:\ProgramData\TEMP:E9014DCF
AlternateDataStreams: C:\ProgramData\TEMP:F82297CD
AlternateDataStreams: C:\Users\David\Documents\mcmerge-win32-v0.4.zip:com.apple.metadatakMDItemWhereFroms
AlternateDataStreams: C:\Users\David\Documents\mcmerge-win32-v0.4.zip:com.apple.quarantine
AlternateDataStreams: C:\Users\Jenny\Documents\Anne McCaffrey:AFP_AfpInfo
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk => C:\Windows\pss\Adobe Gamma.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk => C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak EasyShare software.lnk => C:\Windows\pss\Kodak EasyShare software.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Brian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Amazon Cloud Drive.lnk => C:\Windows\pss\Amazon Cloud Drive.lnk.Startup
MSCONFIG\startupreg: AE43EAC771ADEE2FEEB86AD6759833F2448FAA11._service_run => "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=service
MSCONFIG\startupreg: AllShareAgent => C:\Program Files (x86)\Samsung\AllShare\AllShareAgent.exe
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: ArcSoft Connection Service => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
MSCONFIG\startupreg: BlueStacks Agent => C:\Program Files (x86)\BlueStacks\HD-Agent.exe
MSCONFIG\startupreg: Dell DataSafe Online => "C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe" /m
MSCONFIG\startupreg: Desktop Disc Tool => "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
MSCONFIG\startupreg: DownBook => "C:\Users\Brian\AppData\Local\DownBook\DownBook.exe" 20439fa5cd415006653f7bd18f922164 6
MSCONFIG\startupreg: Greenshot => C:\Program Files\Greenshot\Greenshot.exe
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: msnmsgr => "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
MSCONFIG\startupreg: PC Suite Tray => "C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
MSCONFIG\startupreg: PDVDDXSrv => "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSCONFIG\startupreg: TomTomHOME.exe => "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-953662030-1232980813-3439487893-500 - Administrator - Disabled)
Brian (S-1-5-21-953662030-1232980813-3439487893-1000 - Limited - Enabled) => C:\Users\Brian
Dave (S-1-5-21-953662030-1232980813-3439487893-1006 - Limited - Enabled) => C:\Users\Dave
David (S-1-5-21-953662030-1232980813-3439487893-1004 - Limited - Enabled) => C:\Users\David
Guest (S-1-5-21-953662030-1232980813-3439487893-501 - Limited - Enabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-953662030-1232980813-3439487893-1002 - Limited - Enabled)
Jenny (S-1-5-21-953662030-1232980813-3439487893-1003 - Limited - Enabled) => C:\Users\Jenny
Xander (S-1-5-21-953662030-1232980813-3439487893-1005 - Limited - Enabled) => C:\Users\Xander
Zadmin1 (S-1-5-21-953662030-1232980813-3439487893-1008 - Administrator - Enabled) => C:\Users\Zadmin1
Zadmin2 (S-1-5-21-953662030-1232980813-3439487893-1009 - Administrator - Enabled)
 
==================== Faulty Device Manager Devices =============
 
Name: Photosmart Wireless B109n-z
Description: Photosmart Wireless B109n-z
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/15/2014 04:09:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: googledrivesync.exe, version: 1.18.7821.2489, time stamp: 0x509418e4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0002e3be
Faulting process id: 0x2e0
Faulting application start time: 0xgoogledrivesync.exe0
Faulting application path: googledrivesync.exe1
Faulting module path: googledrivesync.exe2
Report Id: googledrivesync.exe3
 
Error: (12/15/2014 01:40:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 39.0.2171.71, time stamp: 0x547407a7
Faulting module name: chrome_child.dll, version: 39.0.2171.71, time stamp: 0x54740768
Exception code: 0x80000003
Fault offset: 0x0052c099
Faulting process id: 0x20cc
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
 
Error: (12/15/2014 11:58:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 39.0.2171.71, time stamp: 0x547407a7
Faulting module name: chrome_child.dll, version: 39.0.2171.71, time stamp: 0x54740768
Exception code: 0x80000003
Fault offset: 0x0052c099
Faulting process id: 0x1b38
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
 
Error: (12/15/2014 11:29:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: splwow64.exe, version: 6.1.7601.17777, time stamp: 0x4f35fbfe
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000374
Fault offset: 0x00000000000c4102
Faulting process id: 0x1be8
Faulting application start time: 0xsplwow64.exe0
Faulting application path: splwow64.exe1
Faulting module path: splwow64.exe2
Report Id: splwow64.exe3
 
Error: (12/15/2014 11:18:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: splwow64.exe, version: 6.1.7601.17777, time stamp: 0x4f35fbfe
Faulting module name: GDI32.dll, version: 6.1.7601.18577, time stamp: 0x53f7f650
Exception code: 0xc0000005
Fault offset: 0x000000000000ce3e
Faulting process id: 0x20a0
Faulting application start time: 0xsplwow64.exe0
Faulting application path: splwow64.exe1
Faulting module path: splwow64.exe2
Report Id: splwow64.exe3
 
Error: (12/15/2014 11:16:58 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: splwow64.exe, version: 6.1.7601.17777, time stamp: 0x4f35fbfe
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000005
Fault offset: 0x00000000000532f2
Faulting process id: 0x198
Faulting application start time: 0xsplwow64.exe0
Faulting application path: splwow64.exe1
Faulting module path: splwow64.exe2
Report Id: splwow64.exe3
 
Error: (12/15/2014 00:40:09 AM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. The error is: Windows Backup cannot find any of the backup storage locations. (0x8078005D).
 
Error: (12/15/2014 00:39:58 AM) (Source: Microsoft-Windows-Backup) (EventID: 561) (User: NT AUTHORITY)
Description: The backup operation that started at '1601-01-01T00:00:00.000000000Z' has failed because no backup storage location could be found. Please confirm that the backup storage location is attached and online, and then rerun the backup operation.
 
Error: (12/14/2014 09:36:49 PM) (Source: FingerPrint Service) (EventID: 1) (User: )
Description: 5464 Sun Dec 14 21:36:49 2014 main.cpp ServiceMain:265 initialization failed
 
Error: (12/14/2014 09:36:49 PM) (Source: FingerPrint Service) (EventID: 1) (User: )
Description: 5464 Sun Dec 14 21:36:49 2014 reactor.cpp fingerprint::reactor::initialize:135 unable to setup sockets
 
 
System errors:
=============
Error: (12/16/2014 10:33:24 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: 
%%31
 
Error: (12/16/2014 10:31:57 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (12/15/2014 11:16:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: 
%%31
 
Error: (12/15/2014 11:15:31 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.189.2118.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.6.0305.00
 
Source Path: 4.6.0305.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (12/15/2014 11:15:16 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (12/15/2014 11:15:13 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
 
Error: (12/15/2014 11:14:43 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
 
Error: (12/14/2014 09:36:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The FingerPrint Service service terminated unexpectedly.  It has done this 17956 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.
 
Error: (12/14/2014 09:36:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The FingerPrint Service service terminated unexpectedly.  It has done this 17955 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.
 
Error: (12/14/2014 09:36:24 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The FingerPrint Service service terminated unexpectedly.  It has done this 17954 time(s).  The following corrective action will be taken in 500 milliseconds: Restart the service.
 
 
Microsoft Office Sessions:
=========================
Error: (03/17/2013 00:20:21 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1282 seconds with 1260 seconds of active time.  This session ended with a crash.
 
Error: (01/06/2013 08:19:11 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 65 seconds with 60 seconds of active time.  This session ended with a crash.
 
Error: (03/13/2012 02:13:22 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 49 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (11/17/2011 05:06:46 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6562.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 14 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (10/02/2011 09:38:06 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6565.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 1079 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (06/16/2011 02:28:00 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6550.5004, Microsoft Office Version: 12.0.6425.1000. This session lasted 108710 seconds with 180 seconds of active time.  This session ended with a crash.
 
Error: (06/12/2011 02:51:51 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6550.5004, Microsoft Office Version: 12.0.6425.1000. This session lasted 359771 seconds with 1320 seconds of active time.  This session ended with a crash.
 
Error: (11/25/2010 11:56:20 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6539.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (08/10/2010 08:40:49 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 4905 seconds with 4560 seconds of active time.  This session ended with a crash.
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-12-14 17:28:31.196
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-14 17:28:30.213
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-14 17:28:29.230
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-14 17:28:28.247
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-11 15:59:19.536
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-12-11 15:59:18.663
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: AMD Athlon™ II X3 425 Processor
Percentage of memory in use: 65%
Total physical RAM: 3838.98 MB
Available physical RAM: 1331.61 MB
Total Pagefile: 7676.13 MB
Available Pagefile: 4513.79 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:288.9 GB) (Free:53.7 GB) NTFS
Drive i: (Elements) (Fixed) (Total:931.51 GB) (Free:133.54 GB) NTFS
 
==================== MBR & Partition Table ==================
 
==================== End Of Log ============================

Edited by boopme, 16 December 2014 - 01:55 PM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 AM

Posted 21 December 2014 - 09:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-953662030-1232980813-3439487893-1008] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM -> {2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
CHR HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Brian\AppData\Local\Temp\mfe_rr.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:370EF5E8
AlternateDataStreams: C:\ProgramData\TEMP:4E9307D7
AlternateDataStreams: C:\ProgramData\TEMP:813C4833
AlternateDataStreams: C:\ProgramData\TEMP:B3B423E1
AlternateDataStreams: C:\ProgramData\TEMP:E9014DCF
AlternateDataStreams: C:\ProgramData\TEMP:F82297CD

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#3 nowonmai

nowonmai
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 21 December 2014 - 04:43 PM

Hello nasdaq. Thankyou for your assistance.

 

I ran FRST with the fixlist and rebooted as instructed. However, I did not think to run it with admin privileges or from an admin account. Is this a problem?

 

I have appended the fixlog below. However there are some other things to mention:

 

1. The Buynsave malware is still present (when I launch Chrome, I get the dialog about developer mode extensions, and the buynsave extension has been reinstalled (I delete it from Chrome every time).

2. I thought I would run another scan with FRST, however when I launch it it quits with the error: "Line 3846 (File C:\Users\David\Desktop\FRST64.exe Error: Error in expression". I tried this several times, rebooting in between and found that each time a different, new fixlog was generated. I have also appended some of these below (the first one was overwritten before I realise it was created).

 

If you need me to run FRST again I will need to know how to make it launch properly (delete prefs/cache?).

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-12-2014 01
Ran by David at 2014-12-21 20:45:55 Run:4
Running from C:\Users\David\Desktop
Loaded Profile: David (Available profiles: Brian & Jenny & David & Xander & Dave & Zadmin1 & Guest)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-953662030-1232980813-3439487893-1008] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM -> {2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
CHR HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Brian\AppData\Local\Temp\mfe_rr.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:370EF5E8
AlternateDataStreams: C:\ProgramData\TEMP:4E9307D7
AlternateDataStreams: C:\ProgramData\TEMP:813C4833
AlternateDataStreams: C:\ProgramData\TEMP:B3B423E1
AlternateDataStreams: C:\ProgramData\TEMP:E9014DCF
AlternateDataStreams: C:\ProgramData\TEMP:F82297CD
 
End
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value could not be deleted.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist => Key could not be deleted. Access denied.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8" => Key could not be deleted. Access denied.
HKCR\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\SOFTWARE\Policies\Google => Key could not be deleted. Access denied.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => Key could not be deleted. Access denied.
Error setting Default URLSearchHook.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE} => Key could not be deleted. Access denied.
HKCR\CLSID\{2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE} => Key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} => Key could not be deleted. Access denied.
HKCR\Wow6432Node\CLSID\{BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} => Key could not be deleted. Error: -1073741772
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key could not be deleted. Access denied.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found. 
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found. 
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => Key could not be deleted. Access denied.
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => Key could not be deleted. Access denied.
HKLM\Software\Wow6432Node\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18 => Key could not be deleted. Access denied.
Could not move "C:\Program Files (x86)\Veetle\Player\npvlc.dll" => Scheduled to move on reboot.
HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.1.5 => Key could not be deleted. Access denied.
Could not move "C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml" => Scheduled to move on reboot.
HKLM\SOFTWARE\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd => Key could not be deleted. Access denied.
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh => Key could not be deleted. Access denied.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd => Key could not be deleted. Access denied.
catchme => Error deleting Service
MFE_RR => Error deleting Service
"C:\ProgramData\TEMP" => ":370EF5E8" ADS not found.
"C:\ProgramData\TEMP" => ":4E9307D7" ADS not found.
"C:\ProgramData\TEMP" => ":813C4833" ADS not found.
"C:\ProgramData\TEMP" => ":B3B423E1" ADS not found.
"C:\ProgramData\TEMP" => ":E9014DCF" ADS not found.
"C:\ProgramData\TEMP" => ":F82297CD" ADS not found.
 
 
=======ADDITIONAL FIXLOG GENERATED WHEN FRST QUITS ON LAUNCH=======
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-21 21:02:31)<=
 
==> ATTENTION: System is not rebooted.
C:\Program Files (x86)\Veetle\Player\npvlc.dll => Moved successfully.
C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll => Moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml => Moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml => Moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml => Moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml => Moved successfully.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-21 21:02:55)<=
 
==> ATTENTION: System is not rebooted.
C:\Program Files (x86)\Veetle\Player\npvlc.dll => Is moved successfully.
C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml => Is moved successfully.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-21 21:06:51)<=
 
==> ATTENTION: System is not rebooted.
C:\Program Files (x86)\Veetle\Player\npvlc.dll => Is moved successfully.
C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml => Is moved successfully.
 
=======ADDITIONAL FIXLOG GENERATED WHEN FRST QUITS ON LAUNCH=======
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-21 21:20:13)<=
 
==> ATTENTION: System is not rebooted.
C:\Program Files (x86)\Veetle\Player\npvlc.dll => Is moved successfully.
C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml => Is moved successfully.
C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml => Is moved successfully.
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 AM

Posted 22 December 2014 - 08:19 AM

Ran by David (ATTENTION: The logged in user is not administrator) on BRIAN-DELL on 16-12-2014 15:31:23


Execute the fix again. This time run it as an Administrator.

Post the logs and let me know if the problem persists.

#5 nowonmai

nowonmai
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 22 December 2014 - 09:02 AM

Thanks for your quick response. I was able to get FRST to open after deleting the C:\FRST folder. 

 

I was then able to press the Fix button.

 

FRST threw a dialog with the following message, so I don't know if it made it all the way through the fixlist.

 

Line 9878 (File C:\Users\Zadmin1\Desktop\FRST64.exe)

 

Error: Error in expression

 

(The line number in the error message is different from the one last time)

 

The Buynsave adware is still present in Chrome: I delete it from the browser but it reappears on relaunch.

 

Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-12-2014 01

Ran by Zadmin1 at 2014-12-22 13:45:11 Run:1
Running from C:\Users\Zadmin1\Desktop
Loaded Profiles: David & Zadmin1 (Available profiles: Brian & Jenny & David & Xander & Dave & Zadmin1 & Guest)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-953662030-1232980813-3439487893-1008] ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM -> {2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-953662030-1232980813-3439487893-1004 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll (Veetle Inc)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
CHR HKU\S-1-5-21-953662030-1232980813-3439487893-1004\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - No Path
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 MFE_RR; \??\C:\Users\Brian\AppData\Local\Temp\mfe_rr.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:370EF5E8
AlternateDataStreams: C:\ProgramData\TEMP:4E9307D7
AlternateDataStreams: C:\ProgramData\TEMP:813C4833
AlternateDataStreams: C:\ProgramData\TEMP:B3B423E1
AlternateDataStreams: C:\ProgramData\TEMP:E9014DCF
AlternateDataStreams: C:\ProgramData\TEMP:F82297CD
 
End
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist" => Key deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1"" => Key deleted successfully.
HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2"" => Key deleted successfully.
HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3"" => Key deleted successfully.
HKCR\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4"" => Key deleted successfully.
HKCR\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5"" => Key deleted successfully.
HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6"" => Key deleted successfully.
HKCR\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7"" => Key deleted successfully.
HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8"" => Key deleted successfully.
HKCR\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
HKLM\SOFTWARE\Policies\Google => Key not found. 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => Key not found. 
Error setting Default URLSearchHook.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE}" => Key deleted successfully.
HKCR\CLSID\{2FAC7EB6-FF86-4A38-AC31-96CB5714A6AE} => Key not found. 
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{BCD023F9-3AA7-4F32-8AE5-069DB367BFDB}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BCD023F9-3AA7-4F32-8AE5-069DB367BFDB} => Key could not be deleted. Error: -1073741772
"HKU\S-1-5-21-953662030-1232980813-3439487893-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found. 
HKU\S-1-5-21-953662030-1232980813-3439487893-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Value not found.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18" => Key deleted successfully.
C:\Program Files (x86)\Veetle\Player\npvlc.dll not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.1.5" => Key deleted successfully.
C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll not found.
"C:\Program Files (x86)\mozilla firefox\searchplugins\bingober174957570.xml" => not found.
"C:\Program Files (x86)\mozilla firefox\searchplugins\bingober502973790.xml" => not found.
"C:\Program Files (x86)\mozilla firefox\searchplugins\bingober520922734.xml" => not found.
"C:\Program Files (x86)\mozilla firefox\searchplugins\bingober8667009.xml" => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => Key deleted successfully.
"HKU\S-1-5-21-953662030-1232980813-3439487893-1004\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => Key deleted successfully.
catchme => Service deleted successfully.
MFE_RR => Service deleted successfully.
C:\ProgramData\TEMP => ":370EF5E8" ADS removed successfully.
C:\ProgramData\TEMP => ":4E9307D7" ADS removed successfully.
C:\ProgramData\TEMP => ":813C4833" ADS removed successfully.
C:\ProgramData\TEMP => ":B3B423E1" ADS removed successfully.
C:\ProgramData\TEMP => ":E9014DCF" ADS removed successfully.
C:\ProgramData\TEMP => ":F82297CD" ADS removed successfully.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 AM

Posted 22 December 2014 - 10:51 AM

Reset Chrome...
Click on "Customize and control Google Chrome":
 
p22003758.gif
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#7 nowonmai

nowonmai
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 22 December 2014 - 11:21 AM

I reset Chrome as instructed.

 

BuyNSave still gets reinstalled at relaunch.

 

I also got redirected to an "install Adobe Flash" page that tried to download a setup.exe file. I discarded the file, of course. I had not seen this before but the computer's owner had. Probably Adblock Pro was preventing it.

 

Securitycheck log follows:

 

 Results of screen317's Security Check version 0.99.93  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
Ad-Aware Antivirus              
 Antivirus out of date! (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 Ad-Aware 
 JavaFX 2.1.1    
 Java 7 Update 25  
 Java version 32-bit out of Date! 
  Adobe Flash Player 14.0.0.145 Flash Player out of Date!  
 Mozilla Firefox 23.0.1 Firefox out of Date!  
 Google Chrome (39.0.2171.95) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Ad-Aware AAWService.exe is disabled! 
 Ad-Aware AAWTray.exe is disabled! 
 Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.4.6792.0\AdAwareService.exe 
 Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.4.6792.0\AdAwareTray.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 AM

Posted 22 December 2014 - 02:36 PM

Click the StartBtn.gif button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

at the cursor type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
The latest version is Java 7 Update 71 for the 32 bit Operating system.
Java 8 Update 25 for the 64 bit Operating system.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 25

===

Critical vulnerabilities have been identified in old version of Adobe Flash Player please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version or if you have the latest close the windows.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
===

How is it now?

#9 nowonmai

nowonmai
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 22 December 2014 - 07:35 PM

I ran the ipconfig commands.

 

I updated Flash.

 

I installed the latest Java from Oracle's website.

 

I used Oracle's tool to remove Java 6 and Java 7.

 

I ran Security Check once more and it is still complaining about old Java; however I cannot find any old versions with Oracle's old version applet, with the Java Updater, or in the Remove Programs section of the Control Panel.

 

I will remove Firefox for now as nobody uses it.

 

 Results of screen317's Security Check version 0.99.93  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
Ad-Aware Antivirus              
 Antivirus out of date! (On Access scanning disabled!) 
`````````Anti-malware/Other Utilities Check:````````` 
 Ad-Aware 
 Java 8 Update 25  
 Java version 32-bit out of Date! 
 Adobe Flash Player 16.0.0.235  
 Mozilla Firefox 23.0.1 Firefox out of Date!  
 Google Chrome (39.0.2171.95) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Ad-Aware AAWService.exe is disabled! 
 Ad-Aware AAWTray.exe is disabled! 
 Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.4.6792.0\AdAwareService.exe 
 Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.4.6792.0\AdAwareTray.exe 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 AM

Posted 23 December 2014 - 09:37 AM

Java 8 Update 25
Java version 32-bit out of Date


You have the latest version for your 64 bit operating system.

We are working to correct this false positive.
===

If all is well.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 nowonmai

nowonmai
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 23 December 2014 - 06:03 PM

Thankyou for the information regarding Java versions.

 

What should be my next step in removing the BuynSave malware?


Edited by nowonmai, 23 December 2014 - 06:03 PM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 AM

Posted 24 December 2014 - 08:48 AM

Reset the browsers that have been compromised.

Reset Chrome...
Click on "Customize and control Google Chrome":
 
p22003758.gif
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===


Keep me posted.

#13 nowonmai

nowonmai
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 24 December 2014 - 10:06 AM

Thanks again.

 

I had deleted Firefox yesterday since nobody uses it on this machine.

 

I reset Chrome as per your instructions.

 

I reset Internet Explorer.

 

However, the BuynSave extension still returns to chrome on every reboot.

 

Further information that may be relevant?

 

  • this is only happening with one account on a machine with multiple users.
  • that account was an admin account at the time of infection, but the owner of  the machine subsequently changed it to a normal user.

Other accounts on the machine seem to be OK, including a newly-created admin account and another user account that was similarly an admin account previously but had its privileges reduced.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:19 AM

Posted 24 December 2014 - 10:38 AM

I missed this one.
Remove it from the Tasks folder.

Task: C:\Windows\Tasks\FreeFileViewerUpdateChecker.job => ? <==== ATTENTION

How is it now?

#15 nowonmai

nowonmai
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:19 AM

Posted 24 December 2014 - 11:04 AM

That didn't do it either I am afraid: I removed the file, rebooted the machine, reset Chrome again and Buynsave still keeps coming back.

 

FreeFileViewer is a program my father uses frequently - should I delete it and tell him to use something else?






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users