Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help badly needed removing viruses

Started by Johnonml , Jul 26 2015 09:06 PM

Please log in to reply

#1
Johnonml

Posted 26 July 2015 - 09:06 PM

Member

Member
18 posts

Running XP Pro SP3. Both Avira and MBAM have identified different viruses, one of which is TR/Trash.gen which keeps coming back every time i quarantine and delete. I've read through a previous thread on this issue but I'm wondering if each situation is unique and requires a slightly different approach. Hoping someone here can help.

John

#2
RKinner

Posted 27 July 2015 - 09:50 AM

Malware Expert

Expert
24,625 posts

Download : ADWCleaner to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @BleepingComputer

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).

Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder.

Junkware-Removal-Tool

Please download Junkware Removal Tool to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @Author's site

Pause your anti-virus. Close all browsers.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
click on the Addition.txt box.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please copy and paste that log back here and also the second log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

#3
Johnonml

Posted 27 July 2015 - 11:26 AM

Member

Topic Starter
Member
18 posts

RKinner,

Thank you very much for answering my plea for help. Below is the cut and paste from ADWCleaner. I will do Junkware Removal Tool next and post separately.

# AdwCleaner v4.208 - Logfile created 27/07/2015 at 13:17:04
# Updated 09/07/2015 by Xplode
# Database : 2015-07-26.2 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Administrator - JOHN-A1D9946862
# Running from : C:\Documents and Settings\Administrator\My Documents\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
Folder Deleted : C:\Program Files\Coupons
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\PackageAware
File Deleted : C:\Program Files\Mozilla Firefox\browser\searchplugins\yahoo.xml

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{625F420E-A4A9-4B40-BC23-716C1C43893A}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\DriverTuner_Init
Key Deleted : HKCU\Software\DriverTuner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.0.1

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v39.0 (x86 en-US)

[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("avira.safe_search.installed", "[\"safesearchplus\"]");
[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Avira SafeSearch");
[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("browser.uiCustomization.state", "{\"placements\":{\"PanelUI-contents\":[\"edit-controls\",\"zoom-controls\",\"new-window-button\",\"privatebrowsing-button\",\"save-page-button\",\"print-but[...]
[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("extensions.safesearch.MP_DISTINCT_ID", "\"3c89d9ae9189cfe832fbc08584877908fce57a0a\"");
[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("extensions.safesearch.SAUTH_rndsnr", "\"be51f160fb976eb7505754073a764bb8ec22bea6\"");
[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("extensions.safesearch.install", "1434244911043");
[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("extensions.safesearch.search_offer_disabled", "true");
[zopgorq4.default-1434168856046\prefs.js] - Line Deleted : user_pref("extensions.xpiState", "{\"app-profile\":{\"[email protected]\":{\"d\":\"C:\\\\Documents and Settings\\\\Administrator\\\\Application Data\\\\Mozilla\\\\Firefox\\\\Profiles\\\\zopgorq4.default-1[...]

-\\ Google Chrome v44.0.2403.107

[C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

-\\ Opera v0.0.0.0

*************************

AdwCleaner[R0].txt - [3399 bytes] - [27/07/2015 13:10:35]
AdwCleaner[S0].txt - [3315 bytes] - [27/07/2015 13:17:04]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3374 bytes] ##########

#4
Johnonml

Posted 27 July 2015 - 11:47 AM

Member

Topic Starter
Member
18 posts

Below is the cut and paste of Junkware Removal Tool. Farbar Recovery Scan Tool will be in my next post.

Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.1 (07.16.2015:1)
OS: Microsoft Windows XP x86
Ran by Administrator on Mon 07/27/2015 at 13:35:16.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{0F78C39E-82BC-44E4-9CA5-4459221C388d}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F78C39E-82BC-44E4-9CA5-4459221C388d}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] C:\Documents and Settings\Administrator\Application Data\newsoft
Successfully deleted: [Folder] C:\Documents and Settings\Administrator\My Documents\my pagemanager
Successfully deleted: [Folder] C:\Program Files\newsoft

~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Administrator\Application Data\mozilla\firefox\profiles\zopgorq4.default-1434168856046\searchplugins\avira-safesearch.xml
Successfully deleted the following from C:\Documents and Settings\Administrator\Application Data\mozilla\firefox\profiles\zopgorq4.default-1434168856046\prefs.js

user_pref(avira.safe_search.installed, [\safesearchplus\]);
user_pref(browser.uiCustomization.state, {\placements\:{\PanelUI-contents\:[\edit-controls\,\zoom-controls\,\new-window-button\,\privatebrowsing-button\,\save-
user_pref(extensions.bootstrappedAddons, {\[email protected]\:{\version\:\1.1.5\,\type\:\extension\,\descriptor\:\C:\\\\Documents and Settings\\\\Admini
user_pref(extensions.safesearch.MP_DISTINCT_ID, \06a2e567e8f20edc713769ac2889f7fe658557ec\);
user_pref(extensions.safesearch.SAUTH_rndsnr, \983c017cb46b694005f6b66eef60e8d42f791750\);
user_pref(extensions.safesearch.install, 1438017717149);
user_pref(extensions.safesearch.search_offer_disabled, true);
user_pref(extensions.xpiState, {\app-profile\:{\[email protected]\:{\d\:\C:\\\\Documents and Settings\\\\Administrator\\\\Application Data\\\\Mozilla\\\\Firefox\\\\Profi

~~~ Chrome

[C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 07/27/2015 at 13:41:34.62
End of JRT log

#5
Johnonml

Posted 27 July 2015 - 11:59 AM

Member

Topic Starter
Member
18 posts

Below are the 2 logs from FRST.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-07-2015
Ran by Administrator (administrator) on JOHN-A1D9946862 (27-07-2015 13:52:26)
Running from C:\Documents and Settings\Administrator\My Documents\Downloads
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avguard.exe
(Intel) C:\Program Files\Intel\AMT\LMS.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avshadow.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Farbar) C:\Documents and Settings\Administrator\My Documents\Downloads\FRST(1).exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\Antivirus\avgnt.exe [782008 2015-07-25] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Avira Systray] => C:\Program Files\Avira\Launcher\Avira.Systray.exe [134368 2015-06-02] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [FUFAXRCV] => C:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe [650784 2015-01-20] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXSTM] => C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe [863776 2015-01-20] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [1065024 2014-06-10] (SEIKO EPSON CORPORATION)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\896\G2AWinLogon.dll [2013-12-03] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-1993962763-515967899-725345543-500\...\Run: [EPLTarget\P0000000000000002] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIKLE.EXE [261696 2013-09-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-18\...\RunOnce: [panda] => reg.exe delete "HKCU\Software\AppDataLow\Software\panda" /f
HKU\S-1-5-18\...\RunOnce: [panda_XP] => reg.exe delete "HKCU\Software\panda" /f
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)
GroupPolicyScripts: Group Policy detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.co...t&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo...p={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-1993962763-515967899-725345543-500\Software\Microsoft\Internet Explorer\Main,Start Page = http://advisorservices.com/
HKU\S-1-5-21-1993962763-515967899-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo...p={searchTerms}
HKU\S-1-5-21-1993962763-515967899-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.co...t&type=avastbcl
SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1993962763-515967899-725345543-500 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
BHO: No Name -> {53707962-6F74-2D53-2644-206D7942484F} -> No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-24] (Oracle Corporation)
BHO: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-24] (Oracle Corporation)
DPF: {25D9AA40-ED39-11D2-A038-009027078284} https://www.advisors...lDownloader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1272029577203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://adventsoftwa...ort/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
DPF: {EB329BD2-7DC2-4F54-A6F2-634797C735C5} https://www.advisors...oScheduler2.CAB
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 71.242.0.12
Tcpip\..\Interfaces\{0F9C668B-672F-40FF-A711-C1713B1A10FA}: [DhcpNameServer] 192.168.1.1 71.242.0.12

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-15] ()
FF Plugin: @canon.com/MycameraPlugin -> C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-24] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1993962763-515967899-725345543-500: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2015-06-10] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcdec.dll [2010-12-30] (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcext.dll [2010-12-30] (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atmccli.dll [2010-12-30] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ieatgpc.dll [2010-07-06] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npatgpc.dll [2010-07-06] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2011-06-07] (Adobe Systems Inc.)
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046\searchplugins\avira-safesearch.xml [2015-07-27]
FF Extension: Avira Browser Safety - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046\Extensions\[email protected] [2015-07-02]
FF Extension: Avira SafeSearch Plus - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046\Extensions\[email protected] [2015-06-13]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-01-21]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-05]
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-05]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-05]
CHR Extension: (Avira Browser Safety) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2015-06-14]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-05]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-05]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-05]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.goo...ice/update2/crx

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files\Avira\Antivirus\avmailc.exe [887128 2015-07-25] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\Antivirus\sched.exe [461672 2015-07-25] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\Antivirus\avguard.exe [461672 2015-07-25] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\Antivirus\AVWEBGRD.EXE [1212048 2015-07-25] (Avira Operations GmbH & Co. KG)
S2 APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [176193 2005-12-12] (American Power Conversion Corporation) [File not signed]
S2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation) [File not signed]
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [217280 2015-06-02] (Avira Operations GmbH & Co. KG)
S2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [577008 2014-11-04] (SEIKO EPSON CORPORATION)
S2 EpsonScanSvc; C:\WINDOWS\system32\EscSvc.exe [126128 2012-05-17] (Seiko Epson Corporation)
S3 GoToAssist; C:\Program Files\Citrix\GoToAssist\896\g2aservice.exe [13720 2013-12-03] (Citrix Online, a division of Citrix Systems, Inc.)
R2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel) [File not signed]
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Afc; C:\WINDOWS\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.) [File not signed]
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [108448 2015-07-25] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [136728 2015-07-25] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\System32\DRIVERS\avkmgr.sys [37896 2015-05-27] (Avira Operations GmbH & Co. KG)
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2004-12-13] (Adaptec, Inc.) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [98520 2015-07-27] (Malwarebytes Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
R1 ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [31848 2015-05-27] (Avira Operations GmbH & Co. KG)
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-27 13:51 - 2015-07-27 13:52 - 00000000 ____D C:\FRST
2015-07-27 13:41 - 2015-07-27 13:41 - 00002999 _____ C:\Documents and Settings\Administrator\Desktop\JRT.txt
2015-07-27 13:09 - 2015-07-27 13:17 - 00000000 ____D C:\AdwCleaner
2015-07-26 21:49 - 2015-07-27 13:20 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-26 21:46 - 2015-07-26 21:46 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-26 21:46 - 2015-07-26 21:46 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-26 21:45 - 2015-07-26 21:46 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-07-26 21:45 - 2015-06-18 08:41 - 00121560 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-26 21:45 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-26 20:53 - 2015-07-26 22:32 - 00000180 _____ C:\WINDOWS\setupact.log
2015-07-26 20:53 - 2015-07-26 20:53 - 00000000 _____ C:\WINDOWS\setuperr.log
2015-07-23 09:53 - 2006-09-05 15:28 - 00038480 ____N (CANON INC.) C:\WINDOWS\system32\IJRMF.exe
2015-07-22 01:50 - 2015-07-22 01:50 - 00000000 _____ C:\WINDOWS\EEventManager.INI
2015-07-21 23:24 - 2015-07-21 23:24 - 00000045 _____ C:\WINDOWS\WF-4630.ini
2015-07-21 23:18 - 2015-07-27 12:18 - 00000917 _____ C:\WINDOWS\Tasks\EPSON WF-4630 Series Update {0F4A6D9A-2324-4AAE-8868-421933931469}.job
2015-07-21 23:18 - 2015-07-27 12:18 - 00000731 _____ C:\WINDOWS\Tasks\EPSON WF-4630 Series Invitation {0F4A6D9A-2324-4AAE-8868-421933931469}.job
2015-07-21 23:11 - 2015-07-21 23:11 - 00000000 ____D C:\Program Files\Common Files\EPSON
2015-07-21 23:11 - 2013-10-22 00:04 - 00142848 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\E_TLMBKLE.DLL
2015-07-21 23:11 - 2011-03-14 23:03 - 00081408 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\E_TD4BKLE.DLL
2015-07-21 23:11 - 2007-04-09 21:06 - 00008192 _____ (SEIKO EPSON CORP.) C:\WINDOWS\system32\E_DCINST.DLL
2015-07-21 23:04 - 2015-07-21 23:04 - 00000159 _____ C:\Documents and Settings\All Users\Desktop\Epson WF-4630 User’s Guide.url
2015-07-21 23:01 - 2015-07-22 01:38 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Epson
2015-07-21 23:00 - 2015-07-22 01:38 - 00000000 ____D C:\Program Files\EPSON Software
2015-07-21 23:00 - 2015-07-22 01:38 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\EPSON Software
2015-07-21 23:00 - 2015-07-21 23:00 - 00000000 ____D C:\Program Files\EpsonNet
2015-07-21 23:00 - 2012-11-12 20:41 - 00458310 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\ensppui.dll
2015-07-21 23:00 - 2012-11-12 20:41 - 00458310 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enppui.dll
2015-07-21 23:00 - 2012-11-12 15:15 - 00476027 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\ensppmon.dll
2015-07-21 23:00 - 2012-11-12 15:15 - 00476027 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enppmon.dll
2015-07-21 23:00 - 2012-10-22 17:19 - 00218112 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enspres.dll
2015-07-21 23:00 - 2012-10-22 17:19 - 00218112 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enpres.dll
2015-07-21 23:00 - 2012-05-17 00:00 - 00126128 _____ (Seiko Epson Corporation) C:\WINDOWS\system32\escsvc.exe
2015-07-21 23:00 - 2011-12-12 00:00 - 00342016 _____ (Seiko Epson Corporation) C:\WINDOWS\system32\eswiaud.dll
2015-07-21 23:00 - 2010-11-22 13:27 - 00147472 _____ (TWAIN Working Group) C:\WINDOWS\system32\twaindsm.dll
2015-07-20 15:45 - 2015-07-20 15:45 - 00017920 _____ C:\Documents and Settings\Administrator\Desktop\Q2 2015 FeesInvoiceDetails.xls
2015-07-20 13:29 - 2015-07-20 13:41 - 00009539 _____ C:\Documents and Settings\Administrator\Desktop\Q2-2015Billings.xlsx
2015-07-16 22:26 - 2015-07-23 09:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\EPSON
2015-07-16 22:26 - 2015-07-21 23:00 - 00000665 _____ C:\Documents and Settings\All Users\Desktop\EPSON Scan.lnk
2015-07-16 22:26 - 2015-07-16 22:26 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\EPSON Scan
2015-07-16 22:26 - 2007-03-27 00:00 - 00067072 _____ (SEIKO EPSON CORP.) C:\WINDOWS\system32\escwiad.dll
2015-07-16 22:16 - 2015-07-23 09:57 - 00053521 _____ C:\WINDOWS\setupapi.log
2015-07-16 21:50 - 2015-07-16 21:50 - 00000604 _____ C:\Documents and Settings\Administrator\My Documents\cc_July 15 backkup.reg
2015-07-07 10:27 - 2015-07-07 10:27 - 00000841 _____ C:\Documents and Settings\All Users\Desktop\Avira.lnk
2015-07-04 14:39 - 2015-07-04 14:39 - 00000704 _____ C:\Documents and Settings\Administrator\Desktop\Quoizel Cortland Instrcutions.lnk
2015-07-04 14:25 - 2015-07-04 14:25 - 00000704 _____ C:\Documents and Settings\Administrator\Desktop\Quoizel Salem Instructions.lnk
2015-07-04 13:23 - 2015-07-17 12:12 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-27 13:52 - 2010-04-23 08:42 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2015-07-27 13:34 - 2014-03-05 12:47 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-27 13:20 - 2010-04-23 08:35 - 01575187 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-27 13:20 - 2004-08-04 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-07-27 13:19 - 2014-03-27 09:32 - 00000238 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-07-27 13:19 - 2014-03-05 12:47 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-27 13:19 - 2010-04-23 19:49 - 00215383 _____ C:\WINDOWS\system32\nvapps.xml
2015-07-27 13:19 - 2010-04-23 04:23 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-07-27 13:19 - 2010-04-23 04:23 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-07-27 13:18 - 2010-04-23 08:42 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-27 13:17 - 2014-10-15 05:26 - 00165274 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-07-27 13:17 - 2010-04-23 08:42 - 00032442 _____ C:\WINDOWS\SchedLgU.Txt
2015-07-27 13:17 - 2010-04-23 08:34 - 00000000 ____D C:\WINDOWS\Registration
2015-07-27 13:04 - 2010-04-23 13:02 - 00002515 _____ C:\Documents and Settings\Administrator\Desktop\Word 2007.lnk
2015-07-27 11:25 - 2015-06-13 21:34 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2015-07-27 01:41 - 2014-10-15 05:26 - 01073650 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1993962763-515967899-725345543-500-0.dat
2015-07-26 17:55 - 2013-03-05 13:35 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2015-07-26 14:17 - 2010-04-26 14:16 - 00000140 _____ C:\WINDOWS\datapo32.INI
2015-07-26 14:16 - 2010-04-23 17:54 - 00000000 ____D C:\Axys3
2015-07-26 09:59 - 2012-02-01 04:00 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2585542$
2015-07-25 17:35 - 2014-03-05 12:48 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-07-25 13:55 - 2015-06-13 21:19 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Avira
2015-07-25 13:54 - 2015-06-13 21:27 - 00136728 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
2015-07-25 13:54 - 2015-06-13 21:27 - 00108448 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
2015-07-25 02:27 - 2010-04-23 08:42 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2015-07-25 02:27 - 2010-04-23 08:42 - 00000000 ____D C:\Documents and Settings\Administrator
2015-07-23 09:52 - 2010-04-23 20:27 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Canon
2015-07-23 09:52 - 2010-04-23 04:17 - 00000000 ____D C:\WINDOWS\twain_32
2015-07-22 10:31 - 2010-05-16 13:44 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\Re-Orgs of Holdings
2015-07-22 00:20 - 2010-09-09 22:35 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\EPSON
2015-07-21 23:03 - 2010-09-09 22:34 - 00000000 ____D C:\Program Files\epson
2015-07-21 23:03 - 2010-04-23 09:18 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2015-07-17 12:01 - 2010-04-23 20:15 - 00000000 _____ C:\WINDOWS\system32\NEWSOFT
2015-07-16 21:59 - 2010-04-23 04:21 - 00000211 ___SH C:\boot.ini
2015-07-16 21:59 - 2004-08-04 06:00 - 00000507 _____ C:\WINDOWS\win.ini
2015-07-16 21:59 - 2004-08-04 06:00 - 00000227 _____ C:\WINDOWS\system.ini
2015-07-15 20:29 - 2014-08-10 15:20 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2015-07-15 20:26 - 2012-04-04 10:37 - 00778416 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-07-15 20:26 - 2011-05-18 10:03 - 00142512 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-07-15 09:47 - 2013-07-19 05:56 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-07-15 09:38 - 2010-04-23 12:14 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2015-07-08 15:00 - 2014-03-27 09:32 - 00000232 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-07-08 10:01 - 2015-06-13 21:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Package Cache
2015-07-07 10:26 - 2015-06-13 21:19 - 00000000 ____D C:\Program Files\Avira
2015-07-05 12:17 - 2010-06-28 18:15 - 00000000 ____D C:\Program Files\Defraggler
2015-07-05 12:09 - 2012-11-13 06:27 - 00000000 ____D C:\Program Files\CCleaner
2015-07-05 09:26 - 2014-11-24 18:42 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-07-03 08:49 - 2010-04-23 11:07 - 127070192 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-06-29 16:17 - 2014-06-04 15:38 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\Chimicles Case

==================== Files in the root of some directories =======

2013-05-07 11:04 - 2013-03-13 13:58 - 6533200 _____ (AVAST Software) C:\Program Files\AVAST Soft
2010-04-23 19:21 - 2014-10-29 21:35 - 0003584 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some files in TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\avgnt.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\_is28E.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-07-2015
Ran by Administrator at 2015-07-27 13:53:01
Running from C:\Documents and Settings\Administrator\My Documents\Downloads
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1993962763-515967899-725345543-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1993962763-515967899-725345543-1003 - Limited - Enabled)
Guest (S-1-5-21-1993962763-515967899-725345543-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1993962763-515967899-725345543-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1993962763-515967899-725345543-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.3.0.0 - Adobe Systems Incorporated)
Acrobat.com (Version: 2.3.0 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
APC PowerChute Personal Edition (HKLM\...\{5A0C892E-FD1C-4203-941E-0956AED20A6A}) (Version: 2.0 - American Power Conversion Corporation)
ArcSoft PhotoImpression 6 (HKLM\...\{D03E7B00-CA85-4684-9321-1888873C34BD}) (Version: 6 - ArcSoft)
ArcSoft Print Creations (HKLM\...\{0D6D96F4-0CAF-4522-B05F-70A88EDECDFD}) (Version: - ArcSoft)
Avira (HKLM\...\{8467e01f-0496-42ce-b247-88ef205b4880}) (Version: 1.1.40.29239 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.40.29239 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM\...\Avira Antivirus) (Version: 15.0.12.408 - Avira Operations GmbH & Co. KG)
Axys Report Writer Pro (Version: - ) Hidden
Canon Auto Update Service (HKLM\...\Auto Update Service) (Version: 1.1.2.18 - Canon Inc.)
CANON iMAGE GATEWAY MyCamera Download Plugin (HKLM\...\MyCamera Download Plugin) (Version: 3.1.1.2 - Canon Inc.)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (HKLM\...\CANON iMAGE GATEWAY Task) (Version: 1.9.0.9 - Canon Inc.)
Canon MOV Decoder (HKLM\...\Canon MOV Decoder) (Version: 1.9.0.8 - Canon Inc.)
Canon MOV Encoder (HKLM\...\Canon MOV Encoder) (Version: 1.8.0.1 - Canon Inc.)
Canon MovieEdit Task for ZoomBrowser EX (HKLM\...\MovieEditTask) (Version: 3.9.0.6 - Canon Inc.)
Canon MP Navigator 2.2 (HKLM\...\MP Navigator 2.2) (Version: - )
Canon MP830 User Registration (HKLM\...\Canon MP830 User Registration) (Version: - )
Canon Utilities Easy-PhotoPrint (HKLM\...\Easy-PhotoPrint) (Version: - )
Canon Utilities EOS Video Snapshot Task for ZoomBrowser EX (HKLM\...\EOS Video Snapshot Task) (Version: 1.0.0.10 - Canon Inc.)
Canon Utilities ZoomBrowser EX (HKLM\...\ZoomBrowser EX) (Version: 6.9.0.1 - Canon Inc.)
Canon ZoomBrowser EX Memory Card Utility (HKLM\...\ZoomBrowser EX Memory Card Utility) (Version: 1.6.0.15 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.07 - Piriform)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{6740FE60-43C1-4D15-8C4A-001624134B14}) (Version: 1.0.312 - Citrix)
Defraggler (HKLM\...\Defraggler) (Version: 2.19 - Piriform)
Dell Resource CD (HKLM\...\{42929F0F-CE14-47AF-9FC7-FF297A603021}) (Version: 1.10.0000 - Dell Inc.)
Document Capture Pro (HKLM\...\{8930DCE5-510D-4476-A879-835188F7B6F4}) (Version: 1.06.0011 - Seiko Epson Corporation)
Document Capture Pro OneNote Connector (HKLM\...\{65FC2F65-FCD4-495C-B250-1F7C049E4A39}) (Version: 1.00.0000 - Seiko Epson Corporation)
Dropbox (HKU\S-1-5-21-1993962763-515967899-725345543-500\...\Dropbox) (Version: 1.2.52 - Dropbox, Inc.)
DX (HKLM\...\DX) (Version: - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.7.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{E4631929-CBD3-49A1-9BB7-F36E701F7C34}) (Version: 3.10.0040 - Seiko Epson Corporation)
Epson FAX Utility (HKLM\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.53.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM\...\EPSON PC-FAX Driver 2) (Version: - )
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version: - SEIKO EPSON Corporation)
EPSON Scan (HKLM\...\EPSON Scanner) (Version: - Seiko Epson Corporation)
EPSON Scan OCR Component (HKLM\...\{563B99D8-8895-4E3E-AE8D-15BE8C05F1C1}) (Version: 2.30.00 - SEIKO EPSON Corp.)
EPSON Scan PDF Extensions (HKLM\...\{F9956472-6E16-4F83-BF9A-F887EF4A45B7}) (Version: 1.03.0001 - SEIKO EPSON Corp.)
EPSON WF-4630 Series Printer Uninstall (HKLM\...\EPSON WF-4630 Series) (Version: - SEIKO EPSON Corporation)
Epson WF-4630 User’s Guide version 1.0 (HKLM\...\UsersGuideEpson WF-4630 User’s Guide_is1) (Version: 1.0 - )
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
Google Chrome (HKLM\...\Google Chrome) (Version: 44.0.2403.107 - Google Inc.)
Google Update Helper (Version: 1.3.28.1 - Google Inc.) Hidden
GoToAssist Corporate (HKLM\...\GoToAssist) (Version: 10.4.0.896 - Citrix Online, a division of Citrix Systems, Inc.)
GoToMeeting 4.5.0.457 (HKU\S-1-5-21-1993962763-515967899-725345543-500\...\GoToMeeting) (Version: - )
High Definition Audio Driver Package - KB835221 (HKLM\...\KB835221WXP) (Version: 20040219.000000 - Microsoft Corporation)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - Intel Corporation)
Intel® Management Engine Interface (HKLM\...\HECI) (Version: - Intel Corporation)
Intel® PRO Network Connections Drivers (HKLM\...\PROSet) (Version: - )
Intel® Active Management Technology (HKLM\...\MESOL) (Version: - Intel Corporation)
Java 7 Update 76 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217076FF}) (Version: 7.0.760 - Oracle)
Java 8 Update 20 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218020F0}) (Version: 8.0.200 - Oracle Corporation)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Automated Troubleshooting Services Shim (HKLM\...\{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb) (Version: - )
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version: - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Fix it Center (HKLM\...\{B7588D45-AFDC-4C93-9E2E-A100F3554B64}) (Version: 1.0.0100 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 en-US) (HKLM\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.1.1 - Mozilla)
MSN (HKLM\...\MSNINST) (Version: - )
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (Version: 1.0.0.0 - Webroot Software, Inc.) Hidden
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
NexDef Plug-in (HKLM\...\Autobahn) (Version: - )
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.3 - NVIDIA Corporation)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
pipes (HKLM\...\5227-6584-8232-0004) (Version: - )
Presto! PageManager 7.15.14 (HKLM\...\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}) (Version: 7.15.14E - NewSoft)
QuickBooks 2000 (HKLM\...\QuickBooks 2000) (Version: - )
ScanSoft OmniPage SE 4.0 (HKLM\...\{C1E693A4-B1D5-4DCD-B68D-2087835B7184}) (Version: 15.00.0020 - Nuance Communications, Inc.)
SMPlayer 0.6.9 (HKLM\...\SMPlayer) (Version: 0.6.9 - RVM)
Software Updater (HKLM\...\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}) (Version: 4.3.7 - SEIKO EPSON CORPORATION)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
TD AMERITRADE Statements/Confirmations Manager (HKLM\...\{812A8682-4387-11D7-B10D-0001022C9950}) (Version: 1.11.0.0 - TD AMERITRADE, Inc.)
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{10A44844-4465-456E-8C97-80BDD4F68845}) (Version: 6.500.3146.0 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows PowerShell™ 1.0 MUI pack (HKLM\...\KB926141) (Version: 2 - Microsoft Corporation)
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\457\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)

==================== Restore Points =========================

26-07-2015 22:31:16 July 26 2015Restore Point
27-07-2015 13:35:19 JRT Pre-Junkware Removal

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 06:00 - 2010-10-21 06:26 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\EPSON WF-4630 Series Invitation {0F4A6D9A-2324-4AAE-8868-421933931469}.job => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TTSKLE.EXE
Task: C:\WINDOWS\Tasks\EPSON WF-4630 Series Update {0F4A6D9A-2324-4AAE-8868-421933931469}.job => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TTSKLE.EXE:/EXE:{0F4A6D9A-2324-4AAE-8868-421933931469} /F:UpdateSYSTEMĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => 0x01050100CAB242AF436BA44B9FB20F57C4EF841A46004E0100000000F0000100200000000014730F000000000313040050028821000000000000000000000000000000000000380063003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F0066007400200053006500630075007200690074007900200043006C00690065006E0074005C004D00700043006D006400520075006E002E00650078006500000026005300630061006E0020002D005300630068006500640075006C0065004A006F00620020002D0052006500730074007200690063007400500072006900760069006C006500670065007300000000000700530059005300540045004D000000140050006500720069006F0064006900630020007300630061006E0020007400610073006B002E000000000008000200078000000000010030000000DD070300050000000000000011002B0000000000000000000000000001000000010000000000000000000000
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1993962763-515967899-725345543-500\...\advisorservices.com -> advisorservices.com
IE trusted site: HKU\S-1-5-21-1993962763-515967899-725345543-500\...\advisorservices.com -> hxxps://advisorservices.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1993962763-515967899-725345543-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.1 - 71.242.0.12
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Dropbox.lnk => C:\WINDOWS\pss\Dropbox.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^NexDef Plug-in.lnk => C:\WINDOWS\pss\NexDef Plug-in.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk => C:\WINDOWS\pss\APC UPS Status.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fabrik Ultimate Backup Status.lnk => C:\WINDOWS\pss\Fabrik Ultimate Backup Status.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\WINDOWS\pss\McAfee Security Scan Plus.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Delivery Agent.lnk => C:\WINDOWS\pss\QuickBooks Delivery Agent.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: atchk => "C:\Program Files\Intel\AMT\atchk.exe"
MSCONFIG\startupreg: AvastUI.exe => "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
MSCONFIG\startupreg: ctfmon.exe => "C:\WINDOWS\system32\ctfmon.exe"
MSCONFIG\startupreg: HotKeysCmds => "C:\WINDOWS\system32\hkcmd.exe"
MSCONFIG\startupreg: IgfxTray => "C:\WINDOWS\system32\igfxtray.exe"
MSCONFIG\startupreg: KernelFaultCheck => "%systemroot%\system32\dumprep" 0 -k
MSCONFIG\startupreg: Messenger (Yahoo!) => "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
MSCONFIG\startupreg: MSConfig => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
MSCONFIG\startupreg: NvCplDaemon => "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
MSCONFIG\startupreg: NvMediaCenter => "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
MSCONFIG\startupreg: nwiz => "nwiz.exe" /install
MSCONFIG\startupreg: OpwareSE4 => "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
MSCONFIG\startupreg: Persistence => "C:\WINDOWS\system32\igfxpers.exe"
MSCONFIG\startupreg: SoundMAXPnP => "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
MSCONFIG\startupreg: Spotify => "C:\Documents and Settings\Administrator\Application Data\Spotify\Spotify.exe" -autostart -minimized
MSCONFIG\startupreg: Spotify Web Helper => "C:\Documents and Settings\Administrator\Application Data\Spotify\SpotifyWebHelper.exe"
MSCONFIG\startupreg: SpybotSD TeaTimer => "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
MSCONFIG\startupreg: SpySweeper => "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
MSCONFIG\startupreg: SSBkgdUpdate => "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: TkBellExe => "C:\program files\real\realplayer\update\realsched.exe" -osboot
MSCONFIG\startupreg: WrtMon.exe => "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE] => Disabled:Microsoft Office OneNote
StandardProfile\AuthorizedApplications: [C:\WINDOWS\Network Diagnostic\xpnetdiag.exe] => Disabled:@xpsp3res.dll,-20000
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\sessmgr.exe] => Disabled:@xpsp2res.dll,-22019
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe] => Disabled:Dropbox
StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Disabled:Yahoo! Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe] => Disabled:Opera Internet Browser - Plugin wrapper
StandardProfile\AuthorizedApplications: [C:\Program Files\pipes\pipes.exe] => Enabled:pipes
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe] => :LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\mmc.exe] => Disabled:Microsoft Management Console
StandardProfile\AuthorizedApplications: [C:\Program Files\pandasecuritytb\ToolbarCleaner.exe] => Enabled:ToolbarCleaner
StandardProfile\AuthorizedApplications: [C:\Spotify.exe] => Disabled:Spotify
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Application Data\Spotify\spotify.exe] => Disabled:Spotify
StandardProfile\AuthorizedApplications: [C:\Program Files\Opera\opera.exe] => Disabled:Opera Internet Browser
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\AuthorizedApplications: [C:\Program Files\EPSON Software\Event Manager\EEventManager.exe] => Enabled:EEventManager.exe
StandardProfile\AuthorizedApplications: [D:\Common\EpsonNet Setup\ENEasyApp.exe] => Enabled:EpsonNet Setup

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\DOWNLOADS\ADWCLEANER.EXE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\DOWNLOADS\ADWCLEANER.EXE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\RECENT\VIRUS STUFF.DOC.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\RECENT\VIRUS STUFF.DOC.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 12:11:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application update.exe, version 15.0.12.402, faulting module msvcp120.dll, version 12.0.21005.1, fault address 0x0000e5a8.
Processing media-specific event for [update.exe!ws!]

Error: (07/25/2015 07:54:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application update.exe, version 15.0.12.402, faulting module msvcp120.dll, version 12.0.21005.1, fault address 0x0000e5a8.
Processing media-specific event for [update.exe!ws!]

Error: (07/25/2015 03:54:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application update.exe, version 15.0.12.402, faulting module msvcp120.dll, version 12.0.21005.1, fault address 0x0000e5a8.
Processing media-specific event for [update.exe!ws!]

Error: (07/24/2015 08:18:52 AM) (Source: $(ProductName) Service Host) (EventID: 0) (User: )
Description: Failed to process session change. System.InvalidOperationException: Collection was modified; enumeration operation may not execute.
   at System.ThrowHelper.ThrowInvalidOperationException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.ValueCollection.Enumerator.MoveNext()
   at Avira.OE.ServiceHost.ServiceModelListStorage.InvokeServiceModelCreated(ServiceModelDictionary serviceModelDictionary, String userSid)
   at Avira.OE.ServiceHost.ServiceModelListStorage.GetServiceModelDictionary(String userId)
   at Avira.OE.ServiceHost.DesktopApplications.UpdateOnNewUserSid(String userSid)
   at Avira.OE.ServiceHost.DesktopApplications.OnSessionChange(Int32 sessionId, SessionChangeReason reason)
   at Avira.OE.ServiceHost.ServiceHost.OnSessionChange(SessionChangeDescription changeDescription)
   at System.ServiceProcess.ServiceBase.DeferredSessionChange(Int32 eventType, IntPtr eventData)

Error: (06/14/2015 09:34:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application spybotsd.exe, version 1.6.2.46, faulting module spybotsd.exe, version 1.6.2.46, fault address 0x000049ee.
Processing media-specific event for [spybotsd.exe!ws!]

Error: (06/02/2015 07:10:10 PM) (Source: MsiInstaller) (EventID: 11706) (User: JOHN-A1D9946862)
Description: Product: TD AMERITRADE Statements/Confirmations Manager -- Error 1706. No valid source could be found for product TD AMERITRADE Statements/Confirmations Manager. The Windows installer cannot continue.(NULL)(NULL)(NULL)(NULL)

System errors:
=============
Error: (07/27/2015 01:35:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (07/27/2015 01:35:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Avira Service Host service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (07/27/2015 01:35:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Active Management Technology User Notification Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intuit Update Service v4 service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Epson Scanner Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The EpsonCustomerParticipation service terminated unexpectedly. It has done this 1 time(s).

Microsoft Office:
=========================
Error: (03/20/2014 04:35:49 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6690.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 22910 seconds with 60 seconds of active time. This session ended with a crash.

Error: (09/30/2012 07:26:06 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 62 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/13/2012 03:27:02 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (11/14/2011 03:48:09 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6565.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

Error: (11/14/2011 02:06:22 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6565.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (07/14/2011 03:16:51 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10578 seconds with 60 seconds of active time. This session ended with a crash.

Error: (06/11/2010 02:00:27 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

Error: (06/11/2010 02:00:00 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

Error: (06/11/2010 01:53:49 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

==================== Memory info ===========================

Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of memory in use: 21%
Total physical RAM: 3325.54 MB
Available physical RAM: 2608.12 MB
Total Virtual: 6488.33 MB
Available Virtual: 5532.53 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149 GB) (Free:92.56 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 41AB2316)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End of log ============================

#6
RKinner

Posted 27 July 2015 - 12:30 PM

Malware Expert

Expert
24,625 posts

Clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml

You do not have the latest Java.
First go into Control Panel, Add/Remove Software (XP) or Programs and Features (Vista/Win 7) and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
Java 7 Update 76
Java 8 Update 20
Java 8 Update 25
Java 8 Update 31

Java has been very vulnerable to infection so unless you absolutely need it you should not reinstall it.

If you feel you must have Java:
Get the latest Java at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Do not let it install the yahoo toolbar or other foistware.
Once installed, go into Control Panel, Java, Security and set the slider to the Highest then OK.

Download the attached fixlist.txt to the same location as FRST
Run FRST and press Fix
A fix log will be generated please post that. Run FRST again, check the Additions box and then Scan. You will get two logs. Post them both.

I'm not seeing much so let's run some more scans. Let me know if any of the links don't work. Skip on to the next one if you can't get one to work.:

Download aswMBR.exe to your desktop.
Double click aswMBR.exe
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.

    * :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


    * A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe and to start the program.

If TDSSKiller alerts you that the system needs to reboot, please consent.

Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

#7
Johnonml

Posted 27 July 2015 - 01:42 PM

Member

Topic Starter
Member
18 posts

Need your help as I'm at an impasse.

I cleared the java cache, then uninstalled the 4 older javas.

I will not install the most recent java unless a website i need for work requires it.

Here's what has me stumped: "Download the attached fixlist.txt to the same location as FRST
Run FRST and press Fix. A fix log will be generated please post that. Run FRST again, check the Additions box and then Scan. You will get two logs. Post them both."

I'm not sure what you are referring to as the attached fixlist.text and what you want me to do with it. Can you please clarify? Do I still need to do this if I did not install latest version of Java? Or can I go on to the final 4 scans?

#8
RKinner

Posted 27 July 2015 - 02:36 PM

Malware Expert

Expert
24,625 posts

Sorry forgot to attach the fixlist.

#9
Johnonml

Posted 27 July 2015 - 02:52 PM

Member

Topic Starter
Member
18 posts

when I click on the fixlist.txt link you provided, it gives me the choice between "open with notepad" or "save file". Which of those do I select please?

#10
RKinner

Posted 27 July 2015 - 02:54 PM

Malware Expert

Expert
24,625 posts

Save it. It need to be in the same directory where Frst.exe lives.

#11
Johnonml

Posted 27 July 2015 - 03:11 PM

Member

Topic Starter
Member
18 posts

both fixlist.txt and frst.exe are in my Downloads file under My Documents. I'll assume this is correct unless i hear otherwise from you.

#12
Johnonml

Posted 27 July 2015 - 03:36 PM

Member

Topic Starter
Member
18 posts

fixlog.txt is copied and pasted below:

Fix result of Farbar Recovery Scan Tool (x86) Version: 26-07-2015
Ran by Administrator at 2015-07-27 17:13:13 Run:1
Running from C:\Documents and Settings\Administrator\My Documents\Downloads
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
HKU\S-1-5-18\...\RunOnce: [panda] => reg.exe delete "HKCU\Software\AppDataLow\Software\panda" /f
HKU\S-1-5-18\...\RunOnce: [panda_XP] => reg.exe delete "HKCU\Software\panda" /f
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
GroupPolicyScripts: Group Policy detected <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
BHO: No Name -> {53707962-6F74-2D53-2644-206D7942484F} -> No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-24] (Oracle Corporation)
BHO: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-24] (Oracle Corporation)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-24] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-24] (Oracle Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> No Filepath
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InprocServer32 -> No Filepath
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
EmptyTemp:

*****************

HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\panda => value removed successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\panda_XP => value removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully.
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully.
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}" => key removed successfully.
HKCR\CLSID\{53707962-6F74-2D53-2644-206D7942484F} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
"HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}" => key removed successfully.
HKCR\CLSID\{9030D464-4C02-4ABF-8ECC-5164760863C6} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully.
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.31.2 => key not found.
C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll not found.
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.31.2 => key not found.
C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll not found.
IntelIde => service removed successfully.
WS2IFSL => service removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020420-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020421-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020422-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020423-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020424-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{00020425-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}" => key removed successfully.
"HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}" => key removed successfully.
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully.
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => moved successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => moved successfully.
EmptyTemp: => 4.9 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 17:14:41 ====

#13
Johnonml

Posted 27 July 2015 - 03:54 PM

Member

Topic Starter
Member
18 posts

FRST.txt log below

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-07-2015
Ran by Administrator (administrator) on JOHN-A1D9946862 (27-07-2015 17:37:18)
Running from C:\Documents and Settings\Administrator\My Documents\Downloads
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avguard.exe
(American Power Conversion Corporation) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
(Intel Corporation) C:\Program Files\Intel\AMT\atchksrv.exe
(SEIKO EPSON CORPORATION) C:\Program Files\epson\EpsonCustomerParticipation\EPCP.exe
(Seiko Epson Corporation) C:\WINDOWS\system32\escsvc.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel) C:\Program Files\Intel\AMT\LMS.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Intel) C:\Program Files\Intel\AMT\UNS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avshadow.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Antivirus\avgnt.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON Software\FAX Utility\FUFAXSTM.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON Software\Event Manager\EEventManager.exe
(SEIKO EPSON CORPORATION) C:\WINDOWS\system32\spool\drivers\w32x86\3\E_TATIKLE.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\Antivirus\avgnt.exe [782008 2015-07-25] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Avira Systray] => C:\Program Files\Avira\Launcher\Avira.Systray.exe [134368 2015-06-02] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [FUFAXRCV] => C:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe [650784 2015-01-20] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXSTM] => C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe [863776 2015-01-20] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [1065024 2014-06-10] (SEIKO EPSON CORPORATION)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\896\G2AWinLogon.dll [2013-12-03] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-1993962763-515967899-725345543-500\...\Run: [EPLTarget\P0000000000000002] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TATIKLE.EXE [261696 2013-09-12] (SEIKO EPSON CORPORATION)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll [2012-02-14] (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.co...t&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo...p={searchTerms}
HKU\S-1-5-21-1993962763-515967899-725345543-500\Software\Microsoft\Internet Explorer\Main,Start Page = http://advisorservices.com/
HKU\S-1-5-21-1993962763-515967899-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo...p={searchTerms}
HKU\S-1-5-21-1993962763-515967899-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.co...t&type=avastbcl
SearchScopes: HKLM -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1993962763-515967899-725345543-500 -> {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo...p={searchTerms}
DPF: {25D9AA40-ED39-11D2-A038-009027078284} https://www.advisors...lDownloader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1272029577203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://adventsoftwa...ort/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab
DPF: {EB329BD2-7DC2-4F54-A6F2-634797C735C5} https://www.advisors...oScheduler2.CAB
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 71.242.0.12
Tcpip\..\Interfaces\{0F9C668B-672F-40FF-A711-C1713B1A10FA}: [DhcpNameServer] 192.168.1.1 71.242.0.12

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-15] ()
FF Plugin: @canon.com/MycameraPlugin -> C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-15] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1993962763-515967899-725345543-500: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Administrator\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2015-06-10] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcdec.dll [2010-12-30] (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcext.dll [2010-12-30] (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atmccli.dll [2010-12-30] ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ieatgpc.dll [2010-07-06] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npatgpc.dll [2010-07-06] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2011-06-07] (Adobe Systems Inc.)
FF SearchPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046\searchplugins\avira-safesearch.xml [2015-07-27]
FF Extension: Avira Browser Safety - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046\Extensions\[email protected] [2015-07-02]
FF Extension: Avira SafeSearch Plus - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046\Extensions\[email protected] [2015-06-13]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-01-21]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-05]
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-05]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-05]
CHR Extension: (Avira Browser Safety) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2015-06-14]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-05]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-05]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-05]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.goo...ice/update2/crx

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files\Avira\Antivirus\avmailc.exe [887128 2015-07-25] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\Antivirus\sched.exe [461672 2015-07-25] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\Antivirus\avguard.exe [461672 2015-07-25] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\Antivirus\AVWEBGRD.EXE [1212048 2015-07-25] (Avira Operations GmbH & Co. KG)
R2 APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [176193 2005-12-12] (American Power Conversion Corporation) [File not signed]
R2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation) [File not signed]
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [217280 2015-06-02] (Avira Operations GmbH & Co. KG)
R2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [577008 2014-11-04] (SEIKO EPSON CORPORATION)
R2 EpsonScanSvc; C:\WINDOWS\system32\EscSvc.exe [126128 2012-05-17] (Seiko Epson Corporation)
S3 GoToAssist; C:\Program Files\Citrix\GoToAssist\896\g2aservice.exe [13720 2013-12-03] (Citrix Online, a division of Citrix Systems, Inc.)
R2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Afc; C:\WINDOWS\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.) [File not signed]
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [108448 2015-07-25] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [136728 2015-07-25] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\System32\DRIVERS\avkmgr.sys [37896 2015-05-27] (Avira Operations GmbH & Co. KG)
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2004-12-13] (Adaptec, Inc.) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [98520 2015-07-27] (Malwarebytes Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [193552 2012-08-30] (Microsoft Corporation)
R1 ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [31848 2015-05-27] (Avira Operations GmbH & Co. KG)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-27 16:06 - 2015-07-27 16:06 - 00001369 _____ C:\Documents and Settings\Administrator\Desktop\IMG_0442.JPG.lnk
2015-07-27 16:02 - 2015-07-27 16:02 - 00001369 _____ C:\Documents and Settings\Administrator\Desktop\IMG_0433.JPG.lnk
2015-07-27 15:59 - 2015-07-27 16:01 - 00001389 _____ C:\Documents and Settings\Administrator\Desktop\IMG_0434.JPG.lnk
2015-07-27 13:51 - 2015-07-27 17:37 - 00000000 ____D C:\FRST
2015-07-27 13:41 - 2015-07-27 13:41 - 00002999 _____ C:\Documents and Settings\Administrator\Desktop\JRT.txt
2015-07-27 13:09 - 2015-07-27 13:17 - 00000000 ____D C:\AdwCleaner
2015-07-26 21:49 - 2015-07-27 17:31 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-07-26 21:46 - 2015-07-26 21:46 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-26 21:46 - 2015-07-26 21:46 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-26 21:45 - 2015-07-26 21:46 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-07-26 21:45 - 2015-06-18 08:41 - 00121560 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-07-26 21:45 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-07-26 20:53 - 2015-07-26 22:32 - 00000180 _____ C:\WINDOWS\setupact.log
2015-07-26 20:53 - 2015-07-26 20:53 - 00000000 _____ C:\WINDOWS\setuperr.log
2015-07-23 09:53 - 2006-09-05 15:28 - 00038480 ____N (CANON INC.) C:\WINDOWS\system32\IJRMF.exe
2015-07-22 01:50 - 2015-07-22 01:50 - 00000000 _____ C:\WINDOWS\EEventManager.INI
2015-07-21 23:24 - 2015-07-21 23:24 - 00000045 _____ C:\WINDOWS\WF-4630.ini
2015-07-21 23:18 - 2015-07-27 17:18 - 00000917 _____ C:\WINDOWS\Tasks\EPSON WF-4630 Series Update {0F4A6D9A-2324-4AAE-8868-421933931469}.job
2015-07-21 23:18 - 2015-07-27 17:18 - 00000731 _____ C:\WINDOWS\Tasks\EPSON WF-4630 Series Invitation {0F4A6D9A-2324-4AAE-8868-421933931469}.job
2015-07-21 23:11 - 2015-07-21 23:11 - 00000000 ____D C:\Program Files\Common Files\EPSON
2015-07-21 23:11 - 2013-10-22 00:04 - 00142848 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\E_TLMBKLE.DLL
2015-07-21 23:11 - 2011-03-14 23:03 - 00081408 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\E_TD4BKLE.DLL
2015-07-21 23:11 - 2007-04-09 21:06 - 00008192 _____ (SEIKO EPSON CORP.) C:\WINDOWS\system32\E_DCINST.DLL
2015-07-21 23:04 - 2015-07-21 23:04 - 00000159 _____ C:\Documents and Settings\All Users\Desktop\Epson WF-4630 User’s Guide.url
2015-07-21 23:01 - 2015-07-22 01:38 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Epson
2015-07-21 23:00 - 2015-07-22 01:38 - 00000000 ____D C:\Program Files\EPSON Software
2015-07-21 23:00 - 2015-07-22 01:38 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\EPSON Software
2015-07-21 23:00 - 2015-07-21 23:00 - 00000000 ____D C:\Program Files\EpsonNet
2015-07-21 23:00 - 2012-11-12 20:41 - 00458310 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\ensppui.dll
2015-07-21 23:00 - 2012-11-12 20:41 - 00458310 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enppui.dll
2015-07-21 23:00 - 2012-11-12 15:15 - 00476027 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\ensppmon.dll
2015-07-21 23:00 - 2012-11-12 15:15 - 00476027 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enppmon.dll
2015-07-21 23:00 - 2012-10-22 17:19 - 00218112 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enspres.dll
2015-07-21 23:00 - 2012-10-22 17:19 - 00218112 _____ (SEIKO EPSON CORPORATION) C:\WINDOWS\system32\enpres.dll
2015-07-21 23:00 - 2012-05-17 00:00 - 00126128 _____ (Seiko Epson Corporation) C:\WINDOWS\system32\escsvc.exe
2015-07-21 23:00 - 2011-12-12 00:00 - 00342016 _____ (Seiko Epson Corporation) C:\WINDOWS\system32\eswiaud.dll
2015-07-21 23:00 - 2010-11-22 13:27 - 00147472 _____ (TWAIN Working Group) C:\WINDOWS\system32\twaindsm.dll
2015-07-20 15:45 - 2015-07-20 15:45 - 00017920 _____ C:\Documents and Settings\Administrator\Desktop\Q2 2015 FeesInvoiceDetails.xls
2015-07-20 13:29 - 2015-07-20 13:41 - 00009539 _____ C:\Documents and Settings\Administrator\Desktop\Q2-2015Billings.xlsx
2015-07-16 22:26 - 2015-07-23 09:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\EPSON
2015-07-16 22:26 - 2015-07-21 23:00 - 00000665 _____ C:\Documents and Settings\All Users\Desktop\EPSON Scan.lnk
2015-07-16 22:26 - 2015-07-16 22:26 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\EPSON Scan
2015-07-16 22:26 - 2007-03-27 00:00 - 00067072 _____ (SEIKO EPSON CORP.) C:\WINDOWS\system32\escwiad.dll
2015-07-16 22:16 - 2015-07-23 09:57 - 00053521 _____ C:\WINDOWS\setupapi.log
2015-07-16 21:50 - 2015-07-16 21:50 - 00000604 _____ C:\Documents and Settings\Administrator\My Documents\cc_July 15 backkup.reg
2015-07-07 10:27 - 2015-07-07 10:27 - 00000841 _____ C:\Documents and Settings\All Users\Desktop\Avira.lnk
2015-07-04 14:39 - 2015-07-04 14:39 - 00000704 _____ C:\Documents and Settings\Administrator\Desktop\Quoizel Cortland Instrcutions.lnk
2015-07-04 14:25 - 2015-07-04 14:25 - 00000704 _____ C:\Documents and Settings\Administrator\Desktop\Quoizel Salem Instructions.lnk
2015-07-04 13:23 - 2015-07-17 12:12 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-27 17:37 - 2010-04-23 08:42 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2015-07-27 17:32 - 2010-04-23 19:49 - 00215383 _____ C:\WINDOWS\system32\nvapps.xml
2015-07-27 17:31 - 2004-08-04 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-07-27 17:23 - 2010-04-23 08:35 - 01581051 _____ C:\WINDOWS\WindowsUpdate.log
2015-07-27 17:22 - 2010-04-23 04:23 - 00000157 _____ C:\WINDOWS\wiadebug.log
2015-07-27 17:21 - 2014-10-15 05:26 - 00165274 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-07-27 17:21 - 2010-04-23 08:42 - 00032442 _____ C:\WINDOWS\SchedLgU.Txt
2015-07-27 17:21 - 2010-04-23 08:42 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-07-27 17:21 - 2010-04-23 04:23 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-07-27 17:13 - 2010-04-23 10:18 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2015-07-27 17:13 - 2010-04-23 08:42 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Temp
2015-07-27 17:13 - 2010-04-23 08:38 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Temp
2015-07-27 16:42 - 2010-04-23 13:02 - 00002515 _____ C:\Documents and Settings\Administrator\Desktop\Word 2007.lnk
2015-07-27 15:22 - 2010-06-04 01:50 - 00000000 ____D C:\Program Files\Java
2015-07-27 13:17 - 2010-04-23 08:34 - 00000000 ____D C:\WINDOWS\Registration
2015-07-27 11:25 - 2015-06-13 21:34 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2015-07-27 01:41 - 2014-10-15 05:26 - 01073650 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1993962763-515967899-725345543-500-0.dat
2015-07-26 17:55 - 2013-03-05 13:35 - 00000384 ____H C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2015-07-26 14:17 - 2010-04-26 14:16 - 00000140 _____ C:\WINDOWS\datapo32.INI
2015-07-26 14:16 - 2010-04-23 17:54 - 00000000 ____D C:\Axys3
2015-07-26 09:59 - 2012-02-01 04:00 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2585542$
2015-07-25 17:35 - 2014-03-05 12:48 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-07-25 13:55 - 2015-06-13 21:19 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Avira
2015-07-25 13:54 - 2015-06-13 21:27 - 00136728 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
2015-07-25 13:54 - 2015-06-13 21:27 - 00108448 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
2015-07-25 02:27 - 2010-04-23 08:42 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2015-07-25 02:27 - 2010-04-23 08:42 - 00000000 ____D C:\Documents and Settings\Administrator
2015-07-23 09:52 - 2010-04-23 20:27 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Canon
2015-07-23 09:52 - 2010-04-23 04:17 - 00000000 ____D C:\WINDOWS\twain_32
2015-07-22 10:31 - 2010-05-16 13:44 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\Re-Orgs of Holdings
2015-07-22 00:20 - 2010-09-09 22:35 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\EPSON
2015-07-21 23:03 - 2010-09-09 22:34 - 00000000 ____D C:\Program Files\epson
2015-07-21 23:03 - 2010-04-23 09:18 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2015-07-17 12:01 - 2010-04-23 20:15 - 00000000 _____ C:\WINDOWS\system32\NEWSOFT
2015-07-16 21:59 - 2010-04-23 04:21 - 00000211 ___SH C:\boot.ini
2015-07-16 21:59 - 2004-08-04 06:00 - 00000507 _____ C:\WINDOWS\win.ini
2015-07-16 21:59 - 2004-08-04 06:00 - 00000227 _____ C:\WINDOWS\system.ini
2015-07-15 20:29 - 2014-08-10 15:20 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2015-07-15 20:26 - 2012-04-04 10:37 - 00778416 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-07-15 20:26 - 2011-05-18 10:03 - 00142512 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-07-15 09:47 - 2013-07-19 05:56 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-07-15 09:38 - 2010-04-23 12:14 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2015-07-08 10:01 - 2015-06-13 21:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Package Cache
2015-07-07 10:26 - 2015-06-13 21:19 - 00000000 ____D C:\Program Files\Avira
2015-07-05 12:17 - 2010-06-28 18:15 - 00000000 ____D C:\Program Files\Defraggler
2015-07-05 12:09 - 2012-11-13 06:27 - 00000000 ____D C:\Program Files\CCleaner
2015-07-05 09:26 - 2014-11-24 18:42 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-07-03 08:49 - 2010-04-23 11:07 - 127070192 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-06-29 16:17 - 2014-06-04 15:38 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents\Chimicles Case

==================== Files in the root of some directories =======

2013-05-07 11:04 - 2013-03-13 13:58 - 6533200 _____ (AVAST Software) C:\Program Files\AVAST Soft
2010-04-23 19:21 - 2014-10-29 21:35 - 0003584 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some files in TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\avgnt.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

#14
Johnonml

Posted 27 July 2015 - 03:55 PM

Member

Topic Starter
Member
18 posts

Additions.txt log below

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-07-2015
Ran by Administrator at 2015-07-27 17:38:03
Running from C:\Documents and Settings\Administrator\My Documents\Downloads
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1993962763-515967899-725345543-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1993962763-515967899-725345543-1003 - Limited - Enabled)
Guest (S-1-5-21-1993962763-515967899-725345543-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1993962763-515967899-725345543-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1993962763-515967899-725345543-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.3.0.0 - Adobe Systems Incorporated)
Acrobat.com (Version: 2.3.0 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
APC PowerChute Personal Edition (HKLM\...\{5A0C892E-FD1C-4203-941E-0956AED20A6A}) (Version: 2.0 - American Power Conversion Corporation)
ArcSoft PhotoImpression 6 (HKLM\...\{D03E7B00-CA85-4684-9321-1888873C34BD}) (Version: 6 - ArcSoft)
ArcSoft Print Creations (HKLM\...\{0D6D96F4-0CAF-4522-B05F-70A88EDECDFD}) (Version: - ArcSoft)
Avira (HKLM\...\{8467e01f-0496-42ce-b247-88ef205b4880}) (Version: 1.1.40.29239 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.40.29239 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM\...\Avira Antivirus) (Version: 15.0.12.408 - Avira Operations GmbH & Co. KG)
Axys Report Writer Pro (Version: - ) Hidden
Canon Auto Update Service (HKLM\...\Auto Update Service) (Version: 1.1.2.18 - Canon Inc.)
CANON iMAGE GATEWAY MyCamera Download Plugin (HKLM\...\MyCamera Download Plugin) (Version: 3.1.1.2 - Canon Inc.)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (HKLM\...\CANON iMAGE GATEWAY Task) (Version: 1.9.0.9 - Canon Inc.)
Canon MOV Decoder (HKLM\...\Canon MOV Decoder) (Version: 1.9.0.8 - Canon Inc.)
Canon MOV Encoder (HKLM\...\Canon MOV Encoder) (Version: 1.8.0.1 - Canon Inc.)
Canon MovieEdit Task for ZoomBrowser EX (HKLM\...\MovieEditTask) (Version: 3.9.0.6 - Canon Inc.)
Canon MP Navigator 2.2 (HKLM\...\MP Navigator 2.2) (Version: - )
Canon MP830 User Registration (HKLM\...\Canon MP830 User Registration) (Version: - )
Canon Utilities Easy-PhotoPrint (HKLM\...\Easy-PhotoPrint) (Version: - )
Canon Utilities EOS Video Snapshot Task for ZoomBrowser EX (HKLM\...\EOS Video Snapshot Task) (Version: 1.0.0.10 - Canon Inc.)
Canon Utilities ZoomBrowser EX (HKLM\...\ZoomBrowser EX) (Version: 6.9.0.1 - Canon Inc.)
Canon ZoomBrowser EX Memory Card Utility (HKLM\...\ZoomBrowser EX Memory Card Utility) (Version: 1.6.0.15 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.07 - Piriform)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{6740FE60-43C1-4D15-8C4A-001624134B14}) (Version: 1.0.312 - Citrix)
Defraggler (HKLM\...\Defraggler) (Version: 2.19 - Piriform)
Dell Resource CD (HKLM\...\{42929F0F-CE14-47AF-9FC7-FF297A603021}) (Version: 1.10.0000 - Dell Inc.)
Document Capture Pro (HKLM\...\{8930DCE5-510D-4476-A879-835188F7B6F4}) (Version: 1.06.0011 - Seiko Epson Corporation)
Document Capture Pro OneNote Connector (HKLM\...\{65FC2F65-FCD4-495C-B250-1F7C049E4A39}) (Version: 1.00.0000 - Seiko Epson Corporation)
Dropbox (HKU\S-1-5-21-1993962763-515967899-725345543-500\...\Dropbox) (Version: 1.2.52 - Dropbox, Inc.)
DX (HKLM\...\DX) (Version: - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.7.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{E4631929-CBD3-49A1-9BB7-F36E701F7C34}) (Version: 3.10.0040 - Seiko Epson Corporation)
Epson FAX Utility (HKLM\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.53.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM\...\EPSON PC-FAX Driver 2) (Version: - )
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version: - SEIKO EPSON Corporation)
EPSON Scan (HKLM\...\EPSON Scanner) (Version: - Seiko Epson Corporation)
EPSON Scan OCR Component (HKLM\...\{563B99D8-8895-4E3E-AE8D-15BE8C05F1C1}) (Version: 2.30.00 - SEIKO EPSON Corp.)
EPSON Scan PDF Extensions (HKLM\...\{F9956472-6E16-4F83-BF9A-F887EF4A45B7}) (Version: 1.03.0001 - SEIKO EPSON Corp.)
EPSON WF-4630 Series Printer Uninstall (HKLM\...\EPSON WF-4630 Series) (Version: - SEIKO EPSON Corporation)
Epson WF-4630 User’s Guide version 1.0 (HKLM\...\UsersGuideEpson WF-4630 User’s Guide_is1) (Version: 1.0 - )
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
Google Chrome (HKLM\...\Google Chrome) (Version: 44.0.2403.107 - Google Inc.)
Google Update Helper (Version: 1.3.28.1 - Google Inc.) Hidden
GoToAssist Corporate (HKLM\...\GoToAssist) (Version: 10.4.0.896 - Citrix Online, a division of Citrix Systems, Inc.)
GoToMeeting 4.5.0.457 (HKU\S-1-5-21-1993962763-515967899-725345543-500\...\GoToMeeting) (Version: - )
High Definition Audio Driver Package - KB835221 (HKLM\...\KB835221WXP) (Version: 20040219.000000 - Microsoft Corporation)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - Intel Corporation)
Intel® Management Engine Interface (HKLM\...\HECI) (Version: - Intel Corporation)
Intel® PRO Network Connections Drivers (HKLM\...\PROSet) (Version: - )
Intel® Active Management Technology (HKLM\...\MESOL) (Version: - Intel Corporation)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Automated Troubleshooting Services Shim (HKLM\...\{c9920352-04e6-469d-bab8-e2b9c7c75415}.sdb) (Version: - )
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version: - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Fix it Center (HKLM\...\{B7588D45-AFDC-4C93-9E2E-A100F3554B64}) (Version: 1.0.0100 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 en-US) (HKLM\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.1.1 - Mozilla)
MSN (HKLM\...\MSNINST) (Version: - )
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (Version: 1.0.0.0 - Webroot Software, Inc.) Hidden
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
NexDef Plug-in (HKLM\...\Autobahn) (Version: - )
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.3 - NVIDIA Corporation)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
pipes (HKLM\...\5227-6584-8232-0004) (Version: - )
Presto! PageManager 7.15.14 (HKLM\...\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}) (Version: 7.15.14E - NewSoft)
QuickBooks 2000 (HKLM\...\QuickBooks 2000) (Version: - )
ScanSoft OmniPage SE 4.0 (HKLM\...\{C1E693A4-B1D5-4DCD-B68D-2087835B7184}) (Version: 15.00.0020 - Nuance Communications, Inc.)
SMPlayer 0.6.9 (HKLM\...\SMPlayer) (Version: 0.6.9 - RVM)
Software Updater (HKLM\...\{8DBC5A0A-31C4-46C7-B252-6B593EA11A87}) (Version: 4.3.7 - SEIKO EPSON CORPORATION)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
TD AMERITRADE Statements/Confirmations Manager (HKLM\...\{812A8682-4387-11D7-B10D-0001022C9950}) (Version: 1.11.0.0 - TD AMERITRADE, Inc.)
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{10A44844-4465-456E-8C97-80BDD4F68845}) (Version: 6.500.3146.0 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows PowerShell™ 1.0 MUI pack (HKLM\...\KB926141) (Version: 2 - Microsoft Corporation)
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\457\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32 -> C:\WINDOWS\system32\mscomctl.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1993962763-515967899-725345543-500_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll (Dropbox, Inc.)

==================== Restore Points =========================

26-07-2015 22:31:16 July 26 2015Restore Point
27-07-2015 13:35:19 JRT Pre-Junkware Removal
27-07-2015 15:18:21 Removed Java 7 Update 76
27-07-2015 15:19:33 Removed Java 8 Update 20
27-07-2015 15:20:00 Removed Java 8 Update 25
27-07-2015 15:22:14 Removed Java 8 Update 31

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 06:00 - 2010-10-21 06:26 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\EPSON WF-4630 Series Invitation {0F4A6D9A-2324-4AAE-8868-421933931469}.job => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TTSKLE.EXE
Task: C:\WINDOWS\Tasks\EPSON WF-4630 Series Update {0F4A6D9A-2324-4AAE-8868-421933931469}.job => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_TTSKLE.EXE:/EXE:{0F4A6D9A-2324-4AAE-8868-421933931469} /F:UpdateSYSTEMĊSearches for EPSON software updates, and notifies you when updates are available.If this task is disabled or stopped, your EPSON software will not be automatically kept up to date.Thi
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => 0x01050100CAB242AF436BA44B9FB20F57C4EF841A46004E0100000000F0000100200000000014730F000000000313040050028821000000000000000000000000000000000000380063003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F0066007400200053006500630075007200690074007900200043006C00690065006E0074005C004D00700043006D006400520075006E002E00650078006500000026005300630061006E0020002D005300630068006500640075006C0065004A006F00620020002D0052006500730074007200690063007400500072006900760069006C006500670065007300000000000700530059005300540045004D000000140050006500720069006F0064006900630020007300630061006E0020007400610073006B002E000000000008000200078000000000010030000000DD070300050000000000000011002B0000000000000000000000000001000000010000000000000000000000

==================== Loaded Modules (Whitelisted) ==============

2004-08-04 06:00 - 2007-04-02 08:49 - 00355112 _____ () C:\WINDOWS\system32\msjetoledb40.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1993962763-515967899-725345543-500\...\advisorservices.com -> advisorservices.com
IE trusted site: HKU\S-1-5-21-1993962763-515967899-725345543-500\...\advisorservices.com -> hxxps://advisorservices.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1993962763-515967899-725345543-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.1 - 71.242.0.12
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Dropbox.lnk => C:\WINDOWS\pss\Dropbox.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^NexDef Plug-in.lnk => C:\WINDOWS\pss\NexDef Plug-in.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk => C:\WINDOWS\pss\APC UPS Status.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fabrik Ultimate Backup Status.lnk => C:\WINDOWS\pss\Fabrik Ultimate Backup Status.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\WINDOWS\pss\McAfee Security Scan Plus.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Delivery Agent.lnk => C:\WINDOWS\pss\QuickBooks Delivery Agent.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: atchk => "C:\Program Files\Intel\AMT\atchk.exe"
MSCONFIG\startupreg: AvastUI.exe => "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
MSCONFIG\startupreg: ctfmon.exe => "C:\WINDOWS\system32\ctfmon.exe"
MSCONFIG\startupreg: HotKeysCmds => "C:\WINDOWS\system32\hkcmd.exe"
MSCONFIG\startupreg: IgfxTray => "C:\WINDOWS\system32\igfxtray.exe"
MSCONFIG\startupreg: KernelFaultCheck => "%systemroot%\system32\dumprep" 0 -k
MSCONFIG\startupreg: Messenger (Yahoo!) => "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
MSCONFIG\startupreg: MSConfig => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
MSCONFIG\startupreg: NvCplDaemon => "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
MSCONFIG\startupreg: NvMediaCenter => "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
MSCONFIG\startupreg: nwiz => "nwiz.exe" /install
MSCONFIG\startupreg: OpwareSE4 => "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
MSCONFIG\startupreg: Persistence => "C:\WINDOWS\system32\igfxpers.exe"
MSCONFIG\startupreg: SoundMAXPnP => "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
MSCONFIG\startupreg: Spotify => "C:\Documents and Settings\Administrator\Application Data\Spotify\Spotify.exe" -autostart -minimized
MSCONFIG\startupreg: Spotify Web Helper => "C:\Documents and Settings\Administrator\Application Data\Spotify\SpotifyWebHelper.exe"
MSCONFIG\startupreg: SpybotSD TeaTimer => "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
MSCONFIG\startupreg: SpySweeper => "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
MSCONFIG\startupreg: SSBkgdUpdate => "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: TkBellExe => "C:\program files\real\realplayer\update\realsched.exe" -osboot
MSCONFIG\startupreg: WrtMon.exe => "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE] => Disabled:Microsoft Office OneNote
StandardProfile\AuthorizedApplications: [C:\WINDOWS\Network Diagnostic\xpnetdiag.exe] => Disabled:@xpsp3res.dll,-20000
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\sessmgr.exe] => Disabled:@xpsp2res.dll,-22019
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe] => Disabled:Dropbox
StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Disabled:Yahoo! Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Opera\pluginwrapper\opera_plugin_wrapper.exe] => Disabled:Opera Internet Browser - Plugin wrapper
StandardProfile\AuthorizedApplications: [C:\Program Files\pipes\pipes.exe] => Enabled:pipes
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe] => :LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\mmc.exe] => Disabled:Microsoft Management Console
StandardProfile\AuthorizedApplications: [C:\Program Files\pandasecuritytb\ToolbarCleaner.exe] => Enabled:ToolbarCleaner
StandardProfile\AuthorizedApplications: [C:\Spotify.exe] => Disabled:Spotify
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Administrator\Application Data\Spotify\spotify.exe] => Disabled:Spotify
StandardProfile\AuthorizedApplications: [C:\Program Files\Opera\opera.exe] => Disabled:Opera Internet Browser
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\AuthorizedApplications: [C:\Program Files\EPSON Software\Event Manager\EEventManager.exe] => Enabled:EEventManager.exe
StandardProfile\AuthorizedApplications: [D:\Common\EpsonNet Setup\ENEasyApp.exe] => Enabled:EpsonNet Setup

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (07/27/2015 05:13:47 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 39.0.0.5659, faulting module mozalloc.dll, version 39.0.0.5659, fault address 0x00001aa1.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (07/27/2015 04:00:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application msimn.exe, version 6.0.2900.5512, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x000a24bd.
Processing media-specific event for [msimn.exe!ws!]

Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\DOWNLOADS\ADWCLEANER.EXE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MY DOCUMENTS\DOWNLOADS\ADWCLEANER.EXE> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\RECENT\VIRUS STUFF.DOC.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 01:17:40 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\RECENT\VIRUS STUFF.DOC.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
   A device attached to the system is not functioning.   (0x8007001f)

Error: (07/27/2015 12:11:45 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application update.exe, version 15.0.12.402, faulting module msvcp120.dll, version 12.0.21005.1, fault address 0x0000e5a8.
Processing media-specific event for [update.exe!ws!]

Error: (07/25/2015 07:54:34 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application update.exe, version 15.0.12.402, faulting module msvcp120.dll, version 12.0.21005.1, fault address 0x0000e5a8.
Processing media-specific event for [update.exe!ws!]

Error: (07/25/2015 03:54:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application update.exe, version 15.0.12.402, faulting module msvcp120.dll, version 12.0.21005.1, fault address 0x0000e5a8.
Processing media-specific event for [update.exe!ws!]

Error: (07/24/2015 08:18:52 AM) (Source: $(ProductName) Service Host) (EventID: 0) (User: )
Description: Failed to process session change. System.InvalidOperationException: Collection was modified; enumeration operation may not execute.
   at System.ThrowHelper.ThrowInvalidOperationException(ExceptionResource resource)
   at System.Collections.Generic.Dictionary`2.ValueCollection.Enumerator.MoveNext()
   at Avira.OE.ServiceHost.ServiceModelListStorage.InvokeServiceModelCreated(ServiceModelDictionary serviceModelDictionary, String userSid)
   at Avira.OE.ServiceHost.ServiceModelListStorage.GetServiceModelDictionary(String userId)
   at Avira.OE.ServiceHost.DesktopApplications.UpdateOnNewUserSid(String userSid)
   at Avira.OE.ServiceHost.DesktopApplications.OnSessionChange(Int32 sessionId, SessionChangeReason reason)
   at Avira.OE.ServiceHost.ServiceHost.OnSessionChange(SessionChangeDescription changeDescription)
   at System.ServiceProcess.ServiceBase.DeferredSessionChange(Int32 eventType, IntPtr eventData)

System errors:
=============
Error: (07/27/2015 05:31:59 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (07/27/2015 01:35:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (07/27/2015 01:35:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Avira Service Host service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (07/27/2015 01:35:48 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Active Management Technology User Notification Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intuit Update Service v4 service terminated unexpectedly. It has done this 1 time(s).

Error: (07/27/2015 01:35:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Epson Scanner Service service terminated unexpectedly. It has done this 1 time(s).

Microsoft Office:
=========================
Error: (03/20/2014 04:35:49 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6690.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 22910 seconds with 60 seconds of active time. This session ended with a crash.

Error: (09/30/2012 07:26:06 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 62 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/13/2012 03:27:02 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash.

Error: (11/14/2011 03:48:09 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6565.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

Error: (11/14/2011 02:06:22 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6565.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 1 seconds with 0 seconds of active time. This session ended with a crash.

Error: (07/14/2011 03:16:51 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10578 seconds with 60 seconds of active time. This session ended with a crash.

Error: (06/11/2010 02:00:27 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

Error: (06/11/2010 02:00:00 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

Error: (06/11/2010 01:53:49 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6535.5002, Microsoft Office Version: 12.0.6425.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

==================== Memory info ===========================

Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz
Percentage of memory in use: 30%
Total physical RAM: 3325.54 MB
Available physical RAM: 2309.18 MB
Total Virtual: 6488.33 MB
Available Virtual: 5179.05 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:149 GB) (Free:97.71 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149 GB) (Disk ID: 41AB2316)
Partition 1: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End of log ============================

#15
Johnonml

Posted 27 July 2015 - 04:32 PM

Member

Topic Starter
Member
18 posts

Combofix.txt log is below. Cannot wait to hear your interpretation of this as it appears quite a bit was deleted, yes?

ComboFix 15-07-23.01 - Administrator 07/27/2015 18:11:23.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2816 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\ADMINI~1\LOCALS~1\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\documents and settings\Administrator\cuwkqjazuy.tmp
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\Administrator\Local Settings\Temp\avgnt.exe\Avira.OE.ExtApi.dll
c:\documents and settings\Administrator\My Documents\~WRL0001.tmp
c:\documents and settings\Administrator\WINDOWS
c:\windows\$msi31uninstall_kb893803v2$
c:\windows\$msi31uninstall_kb893803v2$\msi.dll
c:\windows\$msi31uninstall_kb893803v2$\msiexec.exe
c:\windows\$msi31uninstall_kb893803v2$\msihnd.dll
c:\windows\$msi31uninstall_kb893803v2$\msimsg.dll
c:\windows\$msi31uninstall_kb893803v2$\msisip.dll
c:\windows\$msi31uninstall_kb893803v2$\reg00013
c:\windows\$msi31uninstall_kb893803v2$\reg00014
c:\windows\$msi31uninstall_kb893803v2$\reg00015
c:\windows\$msi31uninstall_kb893803v2$\reg00016
c:\windows\$msi31uninstall_kb893803v2$\reg00017
c:\windows\$msi31uninstall_kb893803v2$\reg00018
c:\windows\$msi31uninstall_kb893803v2$\reg00019
c:\windows\$msi31uninstall_kb893803v2$\reg00020
c:\windows\$msi31uninstall_kb893803v2$\reg00021
c:\windows\$msi31uninstall_kb893803v2$\reg00022
c:\windows\$msi31uninstall_kb893803v2$\reg00023
c:\windows\$msi31uninstall_kb893803v2$\reg00024
c:\windows\$msi31uninstall_kb893803v2$\reg00025
c:\windows\$msi31uninstall_kb893803v2$\reg00026
c:\windows\$msi31uninstall_kb893803v2$\reg00027
c:\windows\$msi31uninstall_kb893803v2$\reg00028
c:\windows\$msi31uninstall_kb893803v2$\reg00029
c:\windows\$msi31uninstall_kb893803v2$\reg00030
c:\windows\$msi31uninstall_kb893803v2$\reg00031
c:\windows\$msi31uninstall_kb893803v2$\reg00032
c:\windows\$msi31uninstall_kb893803v2$\reg00033
c:\windows\$msi31uninstall_kb893803v2$\reg00034
c:\windows\$msi31uninstall_kb893803v2$\reg00035
c:\windows\$msi31uninstall_kb893803v2$\reg00036
c:\windows\$msi31uninstall_kb893803v2$\reg00037
c:\windows\$msi31uninstall_kb893803v2$\reg00038
c:\windows\$msi31uninstall_kb893803v2$\reg00039
c:\windows\$msi31uninstall_kb893803v2$\reg00040
c:\windows\$msi31uninstall_kb893803v2$\reg00041
c:\windows\$msi31uninstall_kb893803v2$\reg00042
c:\windows\$msi31uninstall_kb893803v2$\reg00043
c:\windows\$msi31uninstall_kb893803v2$\reg00044
c:\windows\$msi31uninstall_kb893803v2$\reg00045
c:\windows\$msi31uninstall_kb893803v2$\reg00046
c:\windows\$msi31uninstall_kb893803v2$\reg00047
c:\windows\$msi31uninstall_kb893803v2$\reg00048
c:\windows\$msi31uninstall_kb893803v2$\reg00051
c:\windows\$msi31uninstall_kb893803v2$\reg00052
c:\windows\$msi31uninstall_kb893803v2$\reg00053
c:\windows\$msi31uninstall_kb893803v2$\reg00054
c:\windows\$msi31uninstall_kb893803v2$\reg00055
c:\windows\$msi31uninstall_kb893803v2$\reg00056
c:\windows\$msi31uninstall_kb893803v2$\reg00057
c:\windows\$msi31uninstall_kb893803v2$\reg00058
c:\windows\$msi31uninstall_kb893803v2$\reg00059
c:\windows\$msi31uninstall_kb893803v2$\reg00060
c:\windows\$msi31uninstall_kb893803v2$\reg00061
c:\windows\$msi31uninstall_kb893803v2$\reg00062
c:\windows\$msi31uninstall_kb893803v2$\reg00063
c:\windows\$msi31uninstall_kb893803v2$\reg00064
c:\windows\$msi31uninstall_kb893803v2$\reg00065
c:\windows\$msi31uninstall_kb893803v2$\reg00066
c:\windows\$msi31uninstall_kb893803v2$\reg00067
c:\windows\$msi31uninstall_kb893803v2$\reg00068
c:\windows\$msi31uninstall_kb893803v2$\reg00069
c:\windows\$msi31uninstall_kb893803v2$\reg00070
c:\windows\$msi31uninstall_kb893803v2$\reg00071
c:\windows\$msi31uninstall_kb893803v2$\reg00072
c:\windows\$msi31uninstall_kb893803v2$\reg00073
c:\windows\$msi31uninstall_kb893803v2$\reg00074
c:\windows\$msi31uninstall_kb893803v2$\reg00075
c:\windows\$msi31uninstall_kb893803v2$\reg00076
c:\windows\$msi31uninstall_kb893803v2$\reg00077
c:\windows\$msi31uninstall_kb893803v2$\reg00078
c:\windows\$msi31uninstall_kb893803v2$\reg00079
c:\windows\$msi31uninstall_kb893803v2$\reg00080
c:\windows\$msi31uninstall_kb893803v2$\reg00081
c:\windows\$msi31uninstall_kb893803v2$\reg00082
c:\windows\$msi31uninstall_kb893803v2$\reg00083
c:\windows\$msi31uninstall_kb893803v2$\reg00084
c:\windows\$msi31uninstall_kb893803v2$\reg00085
c:\windows\$msi31uninstall_kb893803v2$\reg00086
c:\windows\$msi31uninstall_kb893803v2$\reg00087
c:\windows\$msi31uninstall_kb893803v2$\reg00088
c:\windows\$msi31uninstall_kb893803v2$\reg00089
c:\windows\$msi31uninstall_kb893803v2$\reg00090
c:\windows\$msi31uninstall_kb893803v2$\reg00091
c:\windows\$msi31uninstall_kb893803v2$\reg00092
c:\windows\$msi31uninstall_kb893803v2$\reg00093
c:\windows\$msi31uninstall_kb893803v2$\reg00094
c:\windows\$msi31uninstall_kb893803v2$\reg00095
c:\windows\$msi31uninstall_kb893803v2$\reg00096
c:\windows\$msi31uninstall_kb893803v2$\reg00097
c:\windows\$msi31uninstall_kb893803v2$\reg00098
c:\windows\$msi31uninstall_kb893803v2$\reg00099
c:\windows\$msi31uninstall_kb893803v2$\reg00100
c:\windows\$msi31uninstall_kb893803v2$\reg00101
c:\windows\$msi31uninstall_kb893803v2$\reg00102
c:\windows\$msi31uninstall_kb893803v2$\reg00103
c:\windows\$msi31uninstall_kb893803v2$\reg00104
c:\windows\$msi31uninstall_kb893803v2$\reg00105
c:\windows\$msi31uninstall_kb893803v2$\reg00106
c:\windows\$msi31uninstall_kb893803v2$\reg00107
c:\windows\$msi31uninstall_kb893803v2$\reg00108
c:\windows\$msi31uninstall_kb893803v2$\reg00109
c:\windows\$msi31uninstall_kb893803v2$\reg00110
c:\windows\$msi31uninstall_kb893803v2$\reg00111
c:\windows\$msi31uninstall_kb893803v2$\reg00112
c:\windows\$msi31uninstall_kb893803v2$\reg00113
c:\windows\$msi31uninstall_kb893803v2$\reg00114
c:\windows\$msi31uninstall_kb893803v2$\reg00115
c:\windows\$msi31uninstall_kb893803v2$\reg00116
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.exe
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.inf
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.txt
c:\windows\$msi31uninstall_kb893803v2$\spuninst\updspapi.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2015-06-27 to 2015-07-27 )))))))))))))))))))))))))))))))
.
.
2015-07-27 17:51 . 2015-07-27 21:38   --------   d-----w-   C:\FRST
2015-07-27 17:09 . 2015-07-27 17:17   --------   d-----w-   C:\AdwCleaner
2015-07-27 01:49 . 2015-07-27 22:18   98520   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-07-27 01:45 . 2015-06-18 12:41   121560   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2015-07-27 01:45 . 2015-06-18 12:41   23256   ----a-w-   c:\windows\system32\drivers\mbam.sys
2015-07-27 01:45 . 2015-07-27 01:46   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware
2015-07-23 13:53 . 2006-09-05 19:28   38480   ------w-   c:\windows\system32\IJRMF.exe
2015-07-22 03:11 . 2015-07-22 03:11   --------   d-----w-   c:\program files\Common Files\EPSON
2015-07-22 03:11 . 2013-10-22 04:04   142848   ----a-w-   c:\windows\system32\E_TLMBKLE.DLL
2015-07-22 03:11 . 2011-03-15 03:03   81408   ----a-w-   c:\windows\system32\E_TD4BKLE.DLL
2015-07-22 03:11 . 2007-04-10 01:06   8192   ----a-w-   c:\windows\system32\E_DCINST.DLL
2015-07-22 03:01 . 2015-07-22 05:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Epson
2015-07-22 03:00 . 2015-07-22 05:38   --------   d-----w-   c:\program files\EPSON Software
2015-07-22 03:00 . 2015-07-22 03:00   --------   d-----w-   c:\program files\EpsonNet
2015-07-22 03:00 . 2012-11-13 00:41   458310   ----a-w-   c:\windows\system32\ensppui.dll
2015-07-22 03:00 . 2012-11-13 00:41   458310   ----a-w-   c:\windows\system32\enppui.dll
2015-07-22 03:00 . 2012-11-12 19:15   476027   ----a-w-   c:\windows\system32\ensppmon.dll
2015-07-22 03:00 . 2012-11-12 19:15   476027   ----a-w-   c:\windows\system32\enppmon.dll
2015-07-22 03:00 . 2012-10-22 21:19   218112   ----a-w-   c:\windows\system32\enspres.dll
2015-07-22 03:00 . 2012-10-22 21:19   218112   ----a-w-   c:\windows\system32\enpres.dll
2015-07-22 03:00 . 2012-05-17 04:00   126128   ----a-w-   c:\windows\system32\escsvc.exe
2015-07-22 03:00 . 2011-12-12 04:00   342016   ----a-w-   c:\windows\system32\eswiaud.dll
2015-07-22 03:00 . 2010-11-22 17:27   147472   ----a-w-   c:\windows\system32\twaindsm.dll
2015-07-17 02:26 . 2007-03-27 04:00   67072   ----a-w-   c:\windows\system32\escwiad.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-07-25 17:54 . 2015-06-14 01:27   136728   ----a-w-   c:\windows\system32\drivers\avipbb.sys
2015-07-25 17:54 . 2015-06-14 01:27   108448   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
2015-07-16 00:26 . 2012-04-04 14:37   778416   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
2015-07-16 00:26 . 2011-05-18 14:03   142512   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2015-06-17 05:01 . 2015-06-17 05:01   1202856   ----a-w-   c:\windows\system32\FM20.DLL
2015-05-27 17:07 . 2015-06-14 01:27   37896   ----a-w-   c:\windows\system32\drivers\avkmgr.sys
2013-03-13 17:58 . 2013-05-07 15:04   6533200   ----a-w-   c:\program files\AVAST Soft
2010-12-30 16:08 . 2015-07-04 17:23   28488   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-12-30 16:08 . 2015-07-04 17:23   185240   ----a-w-   c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-12-30 16:08 . 2015-07-04 17:23   46408   ----a-w-   c:\program files\mozilla firefox\plugins\atmccli.dll
2010-07-06 21:26 . 2015-07-04 17:23   101760   ----a-w-   c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58   94208   ----a-w-   c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPLTarget\P0000000000000002"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_TATIKLE.EXE" [2013-09-12 261696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]
"avgnt"="c:\program files\Avira\Antivirus\avgnt.exe" [2015-07-25 782008]
"Avira Systray"="c:\program files\Avira\Launcher\Avira.Systray.exe" [2015-06-02 134368]
"FUFAXRCV"="c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe" [2015-01-20 650784]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2015-01-20 863776]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2014-06-11 1065024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
"MaxGPOScriptWait"= 600 (0x258)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2013-12-03 21:54   14232   ----a-w-   c:\program files\Citrix\GoToAssist\896\g2awinlogon.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^NexDef Plug-in.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\NexDef Plug-in.lnk
backup=c:\windows\pss\NexDef Plug-in.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^APC UPS Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
backup=c:\windows\pss\APC UPS Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Fabrik Ultimate Backup Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Fabrik Ultimate Backup Status.lnk
backup=c:\windows\pss\Fabrik Ultimate Backup Status.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks Delivery Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57   959904   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]
2009-12-01 16:43   401408   ----a-w-   c:\program files\Intel\AMT\atchk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring]
2015-06-01 18:27   6405912   ----a-w-   c:\program files\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12   15360   ----a-w-   c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-08-18 17:59   170520   ----a-w-   c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-08-18 18:00   150040   ----a-w-   c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 00:12   169984   ----a-w-   c:\windows\pchealth\helpctr\binaries\msconfig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-03-28 04:03   13684736   ----a-w-   c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-03-28 04:03   86016   ----a-w-   c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-03-28 04:03   1657376   ----a-w-   c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
2006-10-11 16:45   75304   ----a-w-   c:\program files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-08-18 17:59   141848   ----a-w-   c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-06-22 18:21   1044480   ----a-w-   c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07   2260480   --sha-r-   c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-09-28 17:16   185896   ----a-w-   c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
2006-09-20 12:35   20480   ----a-w-   c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\pipes\\pipes.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Spotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\EPSON Software\\Event Manager\\EEventManager.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [6/13/2015 9:27 PM 37896]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\Antivirus\sched.exe [6/13/2015 9:28 PM 461672]
R2 Avira.ServiceHost;Avira Service Host;c:\program files\Avira\Launcher\Avira.ServiceHost.exe [6/2/2015 5:14 PM 217280]
R2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\EpsonCustomerParticipation\EPCP.exe [11/4/2014 5:00 PM 577008]
R2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\escsvc.exe [7/21/2015 11:00 PM 126128]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [6/28/2013 5:48 PM 14624]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [7/26/2015 9:46 PM 1871160]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [7/26/2015 9:45 PM 1133880]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [4/23/2010 9:24 AM 2519040]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [7/26/2015 9:45 PM 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [7/26/2015 9:49 PM 98520]
S2 AntiVirMailService;Avira Mail Protection;c:\program files\Avira\Antivirus\avmailc.exe [6/13/2015 9:27 PM 887128]
S2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\Antivirus\avwebgrd.exe [6/13/2015 9:28 PM 1212048]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-07-25 21:34   995144   ----a-w-   c:\program files\Google\Chrome\Application\44.0.2403.107\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-07-27 c:\windows\Tasks\EPSON WF-4630 Series Invitation {0F4A6D9A-2324-4AAE-8868-421933931469}.job
- c:\windows\System32\spool\DRIVERS\W32X86\3\E_TTSKLE.EXE [2015-07-22 00:20]
.
2015-07-27 c:\windows\Tasks\EPSON WF-4630 Series Update {0F4A6D9A-2324-4AAE-8868-421933931469}.job
- c:\windows\System32\spool\DRIVERS\W32X86\3\E_TTSKLE.EXE [2015-07-22 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://advisorservices.com/
mStart Page = https://www.yahoo.co...t&type=avastbcl
mSearch Bar = https://www.yahoo.co...t&type=avastbcl
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: advisorservices.com
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
DPF: {25D9AA40-ED39-11D2-A038-009027078284} - hxxps://www.advisorservices.com/content/advisor/files/UrlDownloader.cab
DPF: {EB329BD2-7DC2-4F54-A6F2-634797C735C5} - hxxps://www.advisorservices.com/content/advisor/files/VeoScheduler2.CAB
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zopgorq4.default-1434168856046\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MsMpSvc
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-AvastUI - c:\program files\AVAST Software\Avast\AvastUI.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-Spotify - c:\documents and settings\Administrator\Application Data\Spotify\Spotify.exe
MSConfigStartUp-Spotify Web Helper - c:\documents and settings\Administrator\Application Data\Spotify\SpotifyWebHelper.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-TkBellExe - c:\program files\real\realplayer\update\realsched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-07-27 18:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1993962763-515967899-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b2,3f,6a,57,b7,eb,00,44,83,b7,4b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b2,3f,6a,57,b7,eb,00,44,83,b7,4b,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(744)
c:\program files\Citrix\GoToAssist\896\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2548)
c:\windows\system32\WININET.dll
c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\SCardSvr.exe
c:\program files\Avira\Antivirus\avguard.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Google\Update\GoogleUpdate.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Malwarebytes Anti-Malware\mbam.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Avira\Antivirus\avshadow.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
.
**************************************************************************
.
Completion time: 2015-07-27 18:27:35 - machine was rebooted
ComboFix-quarantined-files.txt 2015-07-27 22:27
.
Pre-Run: 104,781,471,744 bytes free
Post-Run: 104,733,683,712 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 573BAB0F6661FD36EE48EFCC79C306A9
8F558EB6672622401DA993E1E865C861