Doing Searches on Yahoo brings results then changes to ads - XP and Fi


#1 caseyd (New Member, 4 posts)
I can see the search results for a split second, then it switches to ads related to "searched phrase".

Not sure what is causing this, I also use Malwarebytes Pro.

Thank you for your assistance.

OTL logfile created on: 8/11/2014 10:53:30 PM - Run 4
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\JRich\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.99 Gb Total Physical Memory | 2.04 Gb Available Physical Memory | 68.08% Memory free
7.23 Gb Paging File | 6.45 Gb Available in Paging File | 89.25% Paging File free
Paging file location(s): C:\pagefile.sys 4500 9000 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 462.40 Gb Total Space | 406.11 Gb Free Space | 87.83% Space Free | Partition Type: NTFS
Drive D: | 3.50 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
 
Computer Name: JRDESKTOP | User Name: JRich | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/08/11 22:35:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JRich\Desktop\OTL(1).exe
PRC - [2014/08/11 07:06:37 | 000,182,696 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2014/08/06 05:34:34 | 013,246,272 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version9\TeamViewer.exe
PRC - [2014/08/06 05:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
PRC - [2014/08/06 05:21:00 | 000,229,696 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version9\tv_w32.exe
PRC - [2014/07/29 18:29:11 | 000,275,568 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2014/06/17 17:56:02 | 000,242,216 | ---- | M] (Foxit Corporation) -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
PRC - [2013/10/22 12:57:22 | 000,369,152 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\pcCMService.exe
PRC - [2013/05/22 14:17:06 | 000,400,704 | ---- | M] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe
PRC - [2012/12/14 17:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/12/14 17:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/12/14 17:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2011/10/07 07:15:42 | 000,453,400 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointG\SetPointII.exe
PRC - [2011/10/07 05:40:42 | 001,387,288 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointP\SetPoint.exe
PRC - [2011/09/27 15:05:24 | 000,149,784 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
PRC - [2010/08/03 10:05:54 | 000,358,472 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
PRC - [2010/08/03 10:03:46 | 003,649,096 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
PRC - [2009/12/03 11:12:12 | 000,976,320 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2009/12/03 01:00:00 | 000,847,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
PRC - [2009/09/13 00:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2009/09/13 00:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/06/17 15:44:24 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\OEM03Mon.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/07/29 18:29:10 | 003,800,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2014/07/28 06:46:42 | 017,029,808 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll
MOD - [2013/05/22 14:17:06 | 000,400,704 | ---- | M] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe
MOD - [2013/01/02 02:49:10 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2011/10/07 05:41:16 | 000,879,896 | ---- | M] () -- C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll
MOD - [2008/04/13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 20:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2008/03/25 00:50:40 | 000,355,112 | ---- | M] () -- C:\WINDOWS\system32\msjetoledb40.dll
 
 
========== Services (SafeList) ==========
 
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2014/08/11 07:06:37 | 000,182,696 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2014/08/06 05:34:34 | 005,052,224 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe -- (TeamViewer9)
SRV - [2014/07/29 18:29:10 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/06/17 17:56:02 | 000,242,216 | ---- | M] (Foxit Corporation) [Auto | Running] -- C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe -- (FoxitCloudUpdateService)
SRV - [2013/10/22 12:57:22 | 000,369,152 | ---- | M] (Alcatel-Lucent) [Auto | Running] -- C:\Program Files\Common Files\Motive\pcCMService.exe -- (pcCMService)
SRV - [2012/12/14 17:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 17:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2011/09/27 15:03:28 | 000,295,192 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2010/08/13 09:12:02 | 000,066,112 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll -- (nosGetPlusHelper)
SRV - [2010/03/29 08:53:22 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper)
SRV - [2008/05/08 01:53:24 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2004/03/18 17:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\Drivers\uti1oty1.sys -- (uti1oty1)
DRV - File not found [Kernel | Boot | Stopped] -- system32\ZoneLabs\srescan.sys -- (srescan)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\dsNcAdpt.sys -- (dsNcAdpt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - [2012/12/14 17:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/09/21 15:09:06 | 004,261,224 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvuvc.sys -- (LVUVC)
DRV - [2012/09/21 15:09:00 | 000,310,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvrs.sys -- (LVRS)
DRV - [2012/09/21 15:08:48 | 000,019,688 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvbusflt.sys -- (CompFilter)
DRV - [2012/06/19 17:54:20 | 006,141,584 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2011/09/02 02:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 02:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/09/02 02:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2010/02/02 16:09:42 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/02/02 16:09:42 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/11/23 17:37:18 | 000,014,856 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LGVirHid.sys -- (LGVirHid)
DRV - [2009/11/23 17:37:08 | 000,019,720 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LGBusEnum.sys -- (LGBusEnum)
DRV - [2009/11/18 08:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 08:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/10/22 13:54:18 | 000,037,392 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\46295242.sys -- (46295242)
DRV - [2009/10/09 23:31:10 | 000,315,408 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\4629524.sys -- (setup_9.0.0.722_29.03.2011_22-25drv)
DRV - [2009/09/25 17:59:42 | 000,128,016 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\46295241.sys -- (46295241)
DRV - [2009/09/08 19:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2009/03/30 04:09:28 | 000,239,336 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\RsFx0103.sys -- (RsFx0103)
DRV - [2007/06/17 15:44:34 | 000,235,808 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM03Vid.sys -- (OEM03Vid)
DRV - [2007/06/17 15:44:30 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM03Vfx.sys -- (OEM03Vfx)
DRV - [2007/06/17 15:44:20 | 000,141,376 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\OEM03Afx.sys -- (OEM03Afx)
DRV - [2007/06/01 14:41:00 | 000,018,432 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pmxmouse.sys -- (pmxmouse)
DRV - [2007/05/24 17:56:00 | 000,014,336 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pmxusblf.sys -- (pmxusblf)
DRV - [2007/01/15 18:57:08 | 000,031,616 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\livecamv.sys -- (RLDesignVirtualAudioCableWdm)
DRV - [2004/11/22 18:36:39 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2004/11/22 18:36:34 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080508
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080508
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.condui...&ctid=CT2645238
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo....s}&fr=chr-iobit
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "https://www.yahoo.com/"
FF - prefs.js..extensions.enabledAddons: %7B888d99e7-e8b5-46a3-851e-1ec45da1e644%7D:28.0.2
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:31.0
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll File not found
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.67.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.67.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\ATT\8.4.1.11\ma\bin\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@Motive.com/npMotiveRequest,version=1.0: C:\Program Files\Common Files\Motive\npMotiveRequest.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@nosltd.com/getPlus+®,version=1.6.2.90: C:\Program Files\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2852: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.46: C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1662: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.46: C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=:  File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll File not found
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\JRich\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Documents and Settings\JRich\Local Settings\Application Data\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10181.dll (Amazon.com, Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 31.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2014/07/29 18:28:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 31.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2014/07/29 18:28:50 | 000,000,000 | ---D | M]
 
[2008/07/02 10:15:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JRich\Application Data\Mozilla\Extensions
[2014/08/11 22:15:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\JRich\Application Data\Mozilla\Firefox\Profiles\g6hmveg3.default-1398705931171\extensions
[2014/04/28 13:33:13 | 000,033,235 | ---- | M] () (No name found) -- C:\Documents and Settings\JRich\Application Data\Mozilla\Firefox\Profiles\g6hmveg3.default-1398705931171\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi
[2014/08/11 22:15:37 | 000,967,685 | ---- | M] () (No name found) -- C:\Documents and Settings\JRich\Application Data\Mozilla\Firefox\Profiles\g6hmveg3.default-1398705931171\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2014/07/29 18:28:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2014/07/29 18:29:12 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2012/11/05 05:16:51 | 000,082,000 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
[2012/11/05 05:16:52 | 000,611,408 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\atgpcext.dll
[2008/12/17 14:38:26 | 000,046,408 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\atmccli.dll
[2009/09/13 00:05:42 | 000,124,240 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
[2009/09/13 00:06:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2009/09/13 00:06:32 | 000,091,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2009/09/13 00:06:28 | 000,022,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2008/12/17 14:38:36 | 000,098,712 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2009/11/12 18:22:21 | 000,061,848 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2010/11/18 18:44:16 | 001,680,272 | ---- | M] (Caminova, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdjvu.dll
[2009/10/30 21:57:51 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
[2009/09/13 00:08:36 | 000,406,864 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2005/04/05 04:38:20 | 000,053,355 | ---- | M] (Oracle Corporation) -- C:\Program Files\mozilla firefox\plugins\NPJinit13122.dll
[2010/03/31 12:02:08 | 000,787,744 | ---- | M] (Medical Informatics Engineering, Inc.) -- C:\Program Files\mozilla firefox\plugins\npzzatif.dll
[2009/09/13 00:06:24 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
 
========== Chrome  ==========
 
CHR - default_search_provider:  ()
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =
CHR - homepage: https://www.westatho...chSpectrum.aspx
CHR - plugin: Error reading preferences file
CHR - Extension: Easy Auto Refresh = C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aabcgdmkeabbnleenpncegpcngjpnjkc\3.1_0\
CHR - Extension: Google Voice Search Hotword (Beta) = C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_1\
CHR - Extension: Adblock Plus = C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.8.3_0\
CHR - Extension: Motive Extension = C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\edmgmpmklgfbohogafcfobonnkogchec\1.2.2_2\
CHR - Extension: Chromebleed = C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eeoekjnjgppnaegdjbcafdggilajhpic\2.0_0\
CHR - Extension: Google Wallet = C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_1\
 
O1 HOSTS File: ([2011/03/29 22:15:28 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [FUFAXSTM] C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
O4 - HKLM..\Run: [Launch LgDeviceAgent] C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe (Logitech Inc.)
O4 - HKLM..\Run: [OEM03Mon.exe] C:\WINDOWS\OEM03Mon.exe (Creative Technology Ltd.)
O4 - HKCU..\Run: [AmazonMP3DownloaderHelper] C:\Documents and Settings\JRich\Local Settings\Application Data\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: west.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: westathome.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: westathome.net ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: workathomeagent.net ([]* in Trusted sites)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} http://downloads.ewi...oOnlineScan.cab (ewidoOnlineScan Control)
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} http://www.worldwinn...0/tpir/tpir.cab (TPIR Control)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} http://www.auctiva.c...eUploader57.cab (Auctiva Image Uploader Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1344854531609 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1344854521937 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinn...ed/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.67.2)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} http://invite.mshow..../ShowSetup6.cab (ShowSetupObj6 Class)
O16 - DPF: {CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.67.2)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://liveops.webe...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} https://flowers-vpn....perSetupSP1.cab (JuniperSetupSP1 Control)
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} http://livenj02.cust...l/java/RntX.cab (Live Collaboration)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{64AC9DF7-EC5E-4CD9-BD95-EB528F04168E}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll) - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\JRich\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\JRich\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 14:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/08/11 22:48:38 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\JRich\Recent
[2014/08/11 22:35:07 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JRich\Desktop\OTL(1).exe
[2014/08/11 07:07:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2014/08/11 07:06:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Java
[2014/08/08 23:02:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 9
[2014/08/07 21:47:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\JRich\Local Settings\Application Data\Logitech® Webcam Software
[2014/08/07 21:35:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Foxit Software
[2014/08/07 21:35:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxit Reader
[2014/08/07 18:55:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\LWS
[2014/07/29 19:39:05 | 000,000,000 | ---D | C] -- C:\Program Files\Motive
[2014/07/29 18:28:45 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/08/27 07:29:10 | 012,556,224 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\JRich\gosetup.exe
[2008/05/10 04:29:08 | 000,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\JRich\Application Data\pcouffin.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/08/11 22:50:27 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2014/08/11 22:50:27 | 000,000,222 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft Windows XP End of Service Notification Logon.job
[2014/08/11 22:50:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/08/11 22:50:16 | 3209,871,360 | -HS- | M] () -- C:\hiberfil.sys
[2014/08/11 22:40:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2014/08/11 22:35:09 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JRich\Desktop\OTL(1).exe
[2014/08/11 22:24:30 | 000,000,998 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-18UA.job
[2014/08/11 22:09:51 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1032810499-2239792312-2568909323-1006UA.job
[2014/08/11 19:24:00 | 000,000,946 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-18Core.job
[2014/08/11 13:09:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1032810499-2239792312-2568909323-1006Core.job
[2014/08/08 23:02:19 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TeamViewer 9.lnk
[2014/08/08 15:00:00 | 000,000,216 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft Windows XP End of Service Notification Monthly.job
[2014/08/07 21:48:25 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2014/08/07 21:35:19 | 000,001,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2014/08/07 07:44:43 | 003,064,832 | ---- | M] () -- C:\WINDOWS\outlook.pst
[2014/08/01 08:35:11 | 000,002,143 | ---- | M] () -- C:\WINDOWS\ScreenHunter.INI
[2014/07/29 20:45:56 | 000,002,240 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AT&T Troubleshoot & Resolve.lnk
[2014/07/25 04:04:54 | 000,000,422 | ---- | M] () -- C:\Documents and Settings\JRich\My Documents\emea cancelled.rtf
[2014/07/24 04:23:17 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2014/07/21 12:00:26 | 000,504,919 | ---- | M] () -- C:\Documents and Settings\JRich\My Documents\rec338.pdf
[2014/07/19 03:13:54 | 000,002,302 | ---- | M] () -- C:\Documents and Settings\JRich\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2014/07/15 04:35:25 | 000,000,462 | ---- | M] () -- C:\Documents and Settings\JRich\My Documents\hmea07-15.rtf
[2014/07/14 20:23:38 | 000,024,292 | ---- | M] () -- C:\Documents and Settings\JRich\My Documents\mold.jpg
[2014/07/14 20:19:45 | 000,000,020 | ---- | M] () -- C:\Documents and Settings\JRich\My Documents\Picasa.ini
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/08/07 21:35:19 | 000,001,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2014/07/25 04:04:54 | 000,000,422 | ---- | C] () -- C:\Documents and Settings\JRich\My Documents\emea cancelled.rtf
[2014/07/21 12:00:24 | 000,504,919 | ---- | C] () -- C:\Documents and Settings\JRich\My Documents\rec338.pdf
[2014/07/15 04:35:25 | 000,000,462 | ---- | C] () -- C:\Documents and Settings\JRich\My Documents\hmea07-15.rtf
[2014/07/14 20:23:38 | 000,024,292 | ---- | C] () -- C:\Documents and Settings\JRich\My Documents\mold.jpg
[2014/07/14 20:19:45 | 000,000,020 | ---- | C] () -- C:\Documents and Settings\JRich\My Documents\Picasa.ini
[2014/03/12 17:32:16 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\sponge.last.runtime.cache
[2014/02/03 06:59:52 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2014/01/30 21:07:18 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dat
[2014/01/03 16:15:44 | 001,538,888 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1032810499-2239792312-2568909323-1006-0.dat
[2014/01/03 16:15:44 | 000,264,062 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/12/24 15:46:25 | 000,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2013/12/02 18:46:48 | 000,474,848 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2012/11/28 19:34:28 | 000,025,548 | ---- | C] () -- C:\WINDOWS\System32\drivers\RTAIODAT.DAT
[2012/06/20 15:56:39 | 000,826,538 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\census.cache
[2012/06/20 15:56:32 | 000,208,446 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\ars.cache
[2011/06/19 09:08:16 | 000,087,608 | ---- | C] () -- C:\Documents and Settings\JRich\Application Data\inst.exe
[2011/04/20 17:56:33 | 000,061,304 | ---- | C] () -- C:\Documents and Settings\JRich\g2mdlhlpx.exe
[2010/10/21 13:47:07 | 000,000,911 | ---- | C] () -- C:\Documents and Settings\JRich\jinitiator13122.trace
[2010/07/31 08:44:36 | 000,004,608 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/27 21:36:41 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\housecall.guid.cache
[2008/10/07 00:03:08 | 000,413,996 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\rx_image.Cache
[2008/08/08 16:31:12 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\fusioncache.dat
[2008/05/10 19:30:12 | 000,175,548 | ---- | C] () -- C:\Documents and Settings\JRich\Local Settings\Application Data\imageCache7.db
[2008/05/10 04:29:08 | 000,007,887 | ---- | C] () -- C:\Documents and Settings\JRich\Application Data\pcouffin.cat
[2008/05/10 04:29:08 | 000,001,144 | ---- | C] () -- C:\Documents and Settings\JRich\Application Data\pcouffin.inf
 
========== ZeroAccess Check ==========
 
[2004/08/10 14:09:48 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2010/05/19 20:35:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2008/09/18 12:20:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Applications
[2014/04/28 04:35:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2013/09/15 14:33:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2013/11/01 21:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2012/01/23 16:19:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2013/08/27 07:30:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CitrixLogs
[2012/02/12 16:25:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\dvdfab
[2011/04/14 19:13:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2014/01/31 00:01:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2008/05/10 04:15:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2008/05/08 01:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2012/10/20 08:41:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/03/12 15:09:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2008/05/08 01:53:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Uninstall
[2010/01/20 21:24:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2012/12/09 06:28:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Xactware
[2013/11/01 20:41:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ZA_PreservedFiles
[2010/07/13 13:09:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2014/06/28 14:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\.purple
[2009/04/27 14:00:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\.salesforce.com
[2014/04/21 21:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\10448
[2013/12/24 11:57:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\26354
[2014/04/21 21:18:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\6190
[2011/10/11 01:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Amazon
[2010/11/12 08:22:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\CheckPoint
[2011/04/15 07:24:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Dropbox
[2013/11/28 14:43:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\DVDFab9
[2013/12/11 18:46:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Epson
[2010/06/04 18:17:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Facebook
[2014/06/25 12:56:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Foxit Software
[2012/01/23 16:19:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\ICAClient
[2013/07/06 23:51:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\IDM
[2008/12/07 19:02:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Inbit
[2009/10/30 21:41:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\IObit
[2008/09/17 18:50:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Juniper Networks
[2011/03/12 15:09:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Leadertech
[2009/03/27 11:27:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Opera
[2014/04/12 18:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Opera Software
[2012/06/17 15:28:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Oracle
[2012/02/05 18:40:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\PogoChessBuddy
[2009/04/27 14:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\salesforce.com
[2013/09/29 15:00:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\SanDisk SecureAccess
[2013/08/27 08:53:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Splashtop
[2014/02/20 03:28:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\TeamViewer
[2014/03/13 10:34:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Thunderbird
[2008/05/28 16:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\tmp
[2009/09/25 07:59:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Trillian
[2012/07/13 22:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Vso
[2009/07/24 14:06:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\Web Meeting
[2014/06/13 12:58:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\webex
[2011/10/28 22:54:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\JRich\Application Data\West Corporation
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 153 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6A32D665
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D639181
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38C65A30
@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1B0EE21A
@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E0CBC87A
@Alternate Data Stream - 149 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:627959E6
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5782349A
@Alternate Data Stream - 147 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D90BDEBC
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9A1975D2
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:66A53D9D
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:40751495
@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CD16517D
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E4908EDC
@Alternate Data Stream - 144 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5CC6112D
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C1B7F164
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:56696967
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:86EBCA53
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5A6115DD
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:12CFF444
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E7CDD669
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A83E72FA
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FAF1F444
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3F3421F5
@Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:28534A3F
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C382CA7D
@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9E379151
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FD333E7D
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F9F4A05F
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AF5DCAD7
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:65B701A9
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:358F1DD6
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:10025173
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:ED838F2C
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E5B60B05
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BBFF53B4
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4D5855E9
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1EE6AB76
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AF365A0
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:19AAB705
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:06029D5A
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:BA33ABBC
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9D0F60A0
@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:88B49E67
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F8DFFF5E
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F695209C
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B27FD665
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:35EAAAFC
@Alternate Data Stream - 133 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:15F163AE
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:46AA8FE7
@Alternate Data Stream - 132 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2F3A020A
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6A8E576F
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7D49F8E6
@Alternate Data Stream - 130 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7524CE9F
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C604AFF4
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:72DE5382
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EEE6DFD0
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AE9A3E83
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A88A1788
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5D76F4B2
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5B1CE48A
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CD2D00F8
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:55B05554
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3ED1AF68
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C9665738
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3712CD64
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:32FA3B00
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F43628AB
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7CC19ABF
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:78881DAD
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4FA041F5
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FBCBA407
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7A1DB3A8
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:84ABACE9
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F3FFD9B3
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B1109A4B
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:26C3A9AC
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1B57EDE3
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D16EA33
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:625D344A
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:07C3237F

< End of report >
 


#2 gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts

Hello caseyd

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo

#3 caseyd
    New Member
  • Topic Starter
  • Member
  • 4 posts

Hi, thank you for your assistance. Per your request, here are my two log files.

 

==================================================================

 

# AdwCleaner v3.305 - Report created 13/08/2014 at 20:41:30
# Updated 14/08/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : JRich - JRDESKTOP
# Running from : C:\Documents and Settings\JRich\My Documents\Downloads\adwcleaner_3.305.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\JRich\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\JRich\Local Settings\Application Data\visi_coupon
File Deleted : C:\END

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKLM\Software\AskBarDis
Key Deleted : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Documents and Settings\JRich\Application Data\Mozilla\Firefox\Profiles\g6hmveg3.default-1398705931171\prefs.js ]


-\\ Google Chrome v

[ File : C:\Documents and Settings\JRich\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2645238
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2798 octets] - [13/08/2014 20:39:53]
AdwCleaner[S0].txt - [2763 octets] - [13/08/2014 20:41:30]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2823 octets] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by JRich on Wed 08/13/2014 at 20:47:15.10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\boost_interprocess"
Successfully deleted: [Folder] "C:\Program Files\coupons"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/13/2014 at 20:53:51.89
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



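As an added example (not part of the original post, and not AdwCleaner's own code): the three Chrome entries AdwCleaner deleted above are search-provider templates stored in the browser's JSON preferences file, which is how a hijacker like Conduit silently reroutes searches. The Python below walks such a file, finds every string carrying the OpenSearch `{searchTerms}` placeholder regardless of which key it sits under, and reports any whose host is not one the user chose. The key names and the sample file are constructed assumptions modelled on Chrome's preferences layout; the Conduit and Ask URLs are taken from the log above.

```python
"""Flag search-provider URL templates in a Chrome-style Preferences file
whose host is not on the user's allow-list.

Constructed example; not part of the original forum post or of AdwCleaner.
"""
import json
from urllib.parse import urlparse

# Hosts the user actually chose as search engines. Anything else carrying
# a {searchTerms} template is treated as a hijack candidate.
ALLOWED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

# Constructed Preferences excerpt. The key names are an ASSUMPTION modelled on
# Chrome's JSON preferences layout; the Conduit and Ask URLs are copied from
# the AdwCleaner log in the post above.
SAMPLE_PREFERENCES = json.dumps({
    "default_search_provider": {
        "enabled": True,
        "name": "Search",
        "keyword": "conduit",
        "search_url": "http://search.conduit.com/ResultsExt.aspx?"
                      "q={searchTerms}&SearchSource=4&ctid=CT2645238",
    },
    "homepage": "http://www.google.com/",
    "extensions": {"settings": {}},
    "session": {
        "restore_on_startup_urls": ["http://www.ask.com/web?q={searchTerms}"]
    },
})


def iter_search_templates(node, path=()):
    """Yield (dotted_json_path, url) for every string value that contains the
    OpenSearch placeholder {searchTerms}, wherever it sits in the tree.
    Walking the whole tree avoids depending on exact key names, which have
    changed between Chrome versions."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_search_templates(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_search_templates(value, path + (str(index),))
    elif isinstance(node, str) and "{searchTerms}" in node:
        yield ".".join(path), node


def template_host(url):
    """Return the lower-cased hostname of a template URL ('' if unparseable)."""
    return (urlparse(url).hostname or "").lower()


def find_hijacked_providers(prefs_json, allowed=ALLOWED_SEARCH_HOSTS):
    """Parse a preferences JSON document and return a list of findings, one per
    search template whose host is not in `allowed`. Order follows the file."""
    prefs = json.loads(prefs_json)
    findings = []
    for path, url in iter_search_templates(prefs):
        host = template_host(url)
        if host not in allowed:
            findings.append({"path": path, "host": host, "url": url})
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_providers(SAMPLE_PREFERENCES):
        print(f"suspect search template at {finding['path']}: "
              f"{finding['host']} -> {finding['url']}")
```

To run it against a real profile, read the `Preferences` file from the Chrome user-data directory with the browser closed and pass its contents to `find_hijacked_providers`; a hit at `default_search_provider.search_url` is the hijack that produces the "results flash, then ads" symptom, while hits elsewhere (startup URLs, extension settings) show where the same provider was re-seeded so it survives a manual reset.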
#4 gringo_pr
    Trusted Helper
  • Malware Removal
  • 7,268 posts

Hello caseyd

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#5
caseyd

    New Member

  • Topic Starter
  • Member
  • 4 posts

Hi:

1.  There were no problems running ComboFix.

2.  The computer seems to be ok.

3.  Thank you for your hard work.

4.  Below is my ComboFix log.

ComboFix 14-08-15.01 - JRich 08/14/2014  21:34:56.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3061.2351 [GMT -4:00]
Running from: c:\documents and settings\JRich\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\5782349A.TMP
c:\documents and settings\JRich\Application Data\inst.exe
c:\documents and settings\JRich\g2mdlhlpx.exe
c:\documents and settings\JRich\WINDOWS
c:\windows\system32\SET68D.tmp
c:\windows\system32\SET692.tmp
c:\windows\system32\SET699.tmp
c:\windows\wininit.ini
C:\WindowsXP-KB883517-v2-x86-ENU.exe
C:\WindowsXP-KB883517-v2-x86-Symbols-ENU.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PCCMSERVICE
-------\Service_pcCMService
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-15 to 2014-08-15  )))))))))))))))))))))))))))))))
.
.
2014-08-14 00:47 . 2014-08-14 00:47    --------    d-----w-    c:\windows\ERUNT
2014-08-14 00:40 . 2010-08-30 12:34    536576    ----a-w-    c:\windows\system32\sqlite3.dll
2014-08-14 00:39 . 2014-08-14 00:41    --------    d-----w-    C:\AdwCleaner
2014-08-11 11:07 . 2014-08-11 11:07    --------    d-----w-    c:\program files\Common Files\Java
2014-08-11 11:06 . 2014-08-11 11:06    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-08-11 11:06 . 2014-08-11 11:06    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-08-08 01:47 . 2014-08-08 01:47    --------    d-----w-    c:\documents and settings\JRich\Local Settings\Application Data\Logitech® Webcam Software
2014-08-08 01:35 . 2014-08-08 01:35    --------    d-----w-    c:\documents and settings\All Users\Foxit Software
2014-08-07 22:55 . 2014-08-07 23:14    --------    d-----w-    c:\program files\Common Files\LWS
2014-07-29 23:39 . 2014-07-29 23:39    --------    d-----w-    c:\program files\Motive
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-28 10:46 . 2014-02-10 22:59    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-28 10:46 . 2014-02-10 22:59    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-06-06 10:47 . 2014-06-06 10:47    4558848    ----a-w-    c:\windows\system32\GPhotos.scr
2012-11-05 09:16 . 2014-07-29 22:28    82000    ----a-w-    c:\program files\mozilla firefox\plugins\atgpcdec.dll
2012-11-05 09:16 . 2014-07-29 22:28    611408    ----a-w-    c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-17 18:38 . 2014-07-29 22:28    46408    ----a-w-    c:\program files\mozilla firefox\plugins\atmccli.dll
2009-09-13 04:05 . 2014-07-29 22:28    124240    ----a-w-    c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 04:06 . 2014-07-29 22:28    13136    ----a-w-    c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 04:06 . 2014-07-29 22:28    70488    ----a-w-    c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 04:06 . 2014-07-29 22:28    91480    ----a-w-    c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 04:06 . 2014-07-29 22:28    22360    ----a-w-    c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 04:07 . 2014-07-29 22:28    255312    ----a-w-    c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 04:06 . 2014-07-29 22:28    31064    ----a-w-    c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 04:06 . 2014-07-29 22:28    40280    ----a-w-    c:\program files\mozilla firefox\plugins\icalogon.dll
2008-12-17 18:38 . 2014-07-29 22:28    98712    ----a-w-    c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-08-14 18:33 . 2014-07-29 22:28    652640    ----a-w-    c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 04:06 . 2014-07-29 22:28    23896    ----a-w-    c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmazonMP3DownloaderHelper"="c:\documents and settings\JRich\Local Settings\Application Data\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe" [2013-05-22 400704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-05-01 421888]
"OEM03Mon.exe"="c:\windows\OEM03Mon.exe" [2007-06-17 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2012-09-21 466648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-08 05:53    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03    66328    ----a-w-    c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-06 23:27    136176    ----atw-    c:\documents and settings\JRich\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33    141624    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM03Mon.exe]
2007-06-17 19:44    36864    ----a-w-    c:\windows\OEM03Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 08:59    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-06-06 19:00    20065936    ----a-w-    c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\JRich\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer_Service.exe"=
.
R0 46295242;46295242 Boot Guard Driver;c:\windows\system32\drivers\46295242.sys [3/29/2011 4:22 PM 37392]
R1 46295241;46295241;c:\windows\system32\drivers\46295241.sys [3/29/2011 4:22 PM 128016]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 7:13 PM 65584]
R1 setup_9.0.0.722_29.03.2011_22-25drv;setup_9.0.0.722_29.03.2011_22-25drv;c:\windows\system32\drivers\4629524.sys [3/29/2011 4:22 PM 315408]
R2 FoxitCloudUpdateService;Foxit Cloud Safe Update Service;c:\program files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [7/7/2014 7:00 PM 242216]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [11/14/2012 1:23 PM 12184]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/13/2012 6:31 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/11/2009 5:44 AM 682344]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL10.XACTWARE\MSSQL\Binn\sqlservr.exe [3/30/2009 4:25 AM 43010392]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [2/20/2014 4:35 AM 5052224]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [9/6/2013 9:22 AM 14856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/11/2009 5:44 AM 21104]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\system32\drivers\OEM03Afx.sys [5/8/2008 1:31 AM 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\system32\drivers\OEM03Vfx.sys [5/8/2008 1:31 AM 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\system32\drivers\OEM03Vid.sys [5/8/2008 1:31 AM 235808]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [5/8/2008 1:47 AM 31616]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/28/2012 7:34 PM 1691480]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [3/3/2011 9:27 PM 19688]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 1:51 PM 14336]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/10/2008 4:29 AM 47360]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [5/10/2008 3:31 AM 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [5/10/2008 3:31 AM 14336]
S3 uti1oty1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti1oty1.sys --> c:\windows\system32\Drivers\uti1oty1.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3/31/2009 12:55 AM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 4:09 AM 239336]
S4 SQLAgent$XACTWARE;SQL Server Agent (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL10.XACTWARE\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 4:23 AM 366936]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-25 01:14]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-25 01:14]
.
2014-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2014-02-08 00:19]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2014-02-08 00:19]
.
2014-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1032810499-2239792312-2568909323-1006Core.job
- c:\documents and settings\JRich\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-06 23:27]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1032810499-2239792312-2568909323-1006UA.job
- c:\documents and settings\JRich\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-06 23:27]
.
2014-08-15 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
2014-08-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: west.com
Trusted Zone: westathome.com
Trusted Zone: westathome.net
Trusted Zone: workathomeagent.net
TCP: DhcpNameServer = 192.168.1.254
DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} - hxxp://invite.mshow.com/(pq5xzs45kkjo5v45pqroey45)/ShowSetup6.cab
FF - ProfilePath - c:\documents and settings\JRich\Application Data\Mozilla\Firefox\Profiles\g6hmveg3.default-1398705931171\
FF - prefs.js: browser.startup.homepage - hxxps://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
WebBrowser-{91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
AddRemove-ATT-AT&T Troubleshoot & Resolve - c:\program files\ATT\8.4.1.11\uninstall.exe
AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe
AddRemove-Coupon Printer for Windows5.0.0.3 - c:\program files\Coupons\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-14 21:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Logitech\SetPointG\SetPointII.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\wscntfy.exe
c:\program files\TeamViewer\Version9\TeamViewer.exe
c:\program files\TeamViewer\Version9\tv_w32.exe
.
**************************************************************************
.
Completion time: 2014-08-14  21:51:09 - machine was rebooted
ComboFix-quarantined-files.txt  2014-08-15 01:51
.
Pre-Run: 435,881,488,384 bytes free
Post-Run: 435,786,633,216 bytes free
.
- - End Of File - - 1F0A190ABBB41CC01B504FD4373ED39B
5CB90281D1A59B251F6603134774EEC3
 


#6
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts

Hello caseyd

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
[image: CFScriptB-4.gif]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

#7
caseyd

    New Member

  • Topic Starter
  • Member
  • 4 posts

1.  Computer is fine.

2.  One thing I noticed that ComboFix does is it deletes 2 programs I use for work. It's not a problem to load them back, but they are just Citrix based applications, and I am not sure why ComboFix doesn't like them. That's kind of harsh of ComboFix to do that.

3.  Below is my ComboFix log after running the script.

Thank you for your assistance.

ComboFix 14-08-15.01 - JRich 08/15/2014  18:52:56.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3061.2232 [GMT -4:00]
Running from: c:\documents and settings\JRich\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\JRich\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-15 to 2014-08-15  )))))))))))))))))))))))))))))))
.
.
2014-08-14 00:47 . 2014-08-14 00:47    --------    d-----w-    c:\windows\ERUNT
2014-08-14 00:40 . 2010-08-30 12:34    536576    ----a-w-    c:\windows\system32\sqlite3.dll
2014-08-14 00:39 . 2014-08-14 00:41    --------    d-----w-    C:\AdwCleaner
2014-08-11 11:07 . 2014-08-11 11:07    --------    d-----w-    c:\program files\Common Files\Java
2014-08-11 11:06 . 2014-08-11 11:06    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-08-11 11:06 . 2014-08-11 11:06    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-08-08 01:47 . 2014-08-08 01:47    --------    d-----w-    c:\documents and settings\JRich\Local Settings\Application Data\Logitech® Webcam Software
2014-08-08 01:35 . 2014-08-08 01:35    --------    d-----w-    c:\documents and settings\All Users\Foxit Software
2014-08-07 22:55 . 2014-08-07 23:14    --------    d-----w-    c:\program files\Common Files\LWS
2014-07-29 23:39 . 2014-07-29 23:39    --------    d-----w-    c:\program files\Motive
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-28 10:46 . 2014-02-10 22:59    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-28 10:46 . 2014-02-10 22:59    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-06-06 10:47 . 2014-06-06 10:47    4558848    ----a-w-    c:\windows\system32\GPhotos.scr
2012-11-05 09:16 . 2014-07-29 22:28    82000    ----a-w-    c:\program files\mozilla firefox\plugins\atgpcdec.dll
2012-11-05 09:16 . 2014-07-29 22:28    611408    ----a-w-    c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-12-17 18:38 . 2014-07-29 22:28    46408    ----a-w-    c:\program files\mozilla firefox\plugins\atmccli.dll
2009-09-13 04:05 . 2014-07-29 22:28    124240    ----a-w-    c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 04:06 . 2014-07-29 22:28    13136    ----a-w-    c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 04:06 . 2014-07-29 22:28    70488    ----a-w-    c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 04:06 . 2014-07-29 22:28    91480    ----a-w-    c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 04:06 . 2014-07-29 22:28    22360    ----a-w-    c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 04:07 . 2014-07-29 22:28    255312    ----a-w-    c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 04:06 . 2014-07-29 22:28    31064    ----a-w-    c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 04:06 . 2014-07-29 22:28    40280    ----a-w-    c:\program files\mozilla firefox\plugins\icalogon.dll
2008-12-17 18:38 . 2014-07-29 22:28    98712    ----a-w-    c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-08-14 18:33 . 2014-07-29 22:28    652640    ----a-w-    c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 04:06 . 2014-07-29 22:28    23896    ----a-w-    c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmazonMP3DownloaderHelper"="c:\documents and settings\JRich\Local Settings\Application Data\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe" [2013-05-22 400704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2013-05-01 421888]
"OEM03Mon.exe"="c:\windows\OEM03Mon.exe" [2007-06-17 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"WUAppSetup"="c:\program files\Common Files\logishrd\WUApp32.exe" [2012-09-21 466648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-08 05:53    10536    ----a-w-    c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2011-09-27 19:03    66328    ----a-w-    c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LaunchU3.exe.lnk
backup=c:\windows\pss\LaunchU3.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-12-06 23:27    136176    ----atw-    c:\documents and settings\JRich\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33    141624    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM03Mon.exe]
2007-06-17 19:44    36864    ----a-w-    c:\windows\OEM03Mon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 08:59    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-06-06 19:00    20065936    ----a-w-    c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\JRich\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version9\\TeamViewer_Service.exe"=
.
R0 46295242;46295242 Boot Guard Driver;c:\windows\system32\drivers\46295242.sys [3/29/2011 4:22 PM 37392]
R1 46295241;46295241;c:\windows\system32\drivers\46295241.sys [3/29/2011 4:22 PM 128016]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 7:13 PM 65584]
R1 setup_9.0.0.722_29.03.2011_22-25drv;setup_9.0.0.722_29.03.2011_22-25drv;c:\windows\system32\drivers\4629524.sys [3/29/2011 4:22 PM 315408]
R2 FoxitCloudUpdateService;Foxit Cloud Safe Update Service;c:\program files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [7/7/2014 7:00 PM 242216]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [11/14/2012 1:23 PM 12184]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/13/2012 6:31 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/11/2009 5:44 AM 682344]
R2 MSSQL$XACTWARE;SQL Server (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL10.XACTWARE\MSSQL\Binn\sqlservr.exe [3/30/2009 4:25 AM 43010392]
R2 TeamViewer9;TeamViewer 9;c:\program files\TeamViewer\Version9\TeamViewer_Service.exe [2/20/2014 4:35 AM 5052224]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 5:37 PM 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [9/6/2013 9:22 AM 14856]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/11/2009 5:44 AM 21104]
R3 OEM03Afx;Provides a software interface to control audio effects of OEM003 camera.;c:\windows\system32\drivers\OEM03Afx.sys [5/8/2008 1:31 AM 141376]
R3 OEM03Vfx;Creative Camera OEM003 Video VFX Driver;c:\windows\system32\drivers\OEM03Vfx.sys [5/8/2008 1:31 AM 7424]
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\system32\drivers\OEM03Vid.sys [5/8/2008 1:31 AM 235808]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [5/8/2008 1:47 AM 31616]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/28/2012 7:34 PM 1691480]
S3 CompFilter;UVCCompositeFilter;c:\windows\system32\drivers\lvbusflt.sys [3/3/2011 9:27 PM 19688]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 1:51 PM 14336]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/10/2008 4:29 AM 47360]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [5/10/2008 3:31 AM 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [5/10/2008 3:31 AM 14336]
S3 uti1oty1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti1oty1.sys --> c:\windows\system32\Drivers\uti1oty1.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [3/31/2009 12:55 AM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 4:09 AM 239336]
S4 SQLAgent$XACTWARE;SQL Server Agent (XACTWARE);c:\program files\Microsoft SQL Server\MSSQL10.XACTWARE\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 4:23 AM 366936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper    REG_MULTI_SZ       getPlusHelper
nosGetPlusHelper    REG_MULTI_SZ       nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-25 01:14]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-25 01:14]
.
2014-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2014-02-08 00:19]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2014-02-08 00:19]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1032810499-2239792312-2568909323-1006Core.job
- c:\documents and settings\JRich\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-06 23:27]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1032810499-2239792312-2568909323-1006UA.job
- c:\documents and settings\JRich\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-06 23:27]
.
2014-08-15 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
2014-08-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-29 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: west.com
Trusted Zone: westathome.com
Trusted Zone: westathome.net
Trusted Zone: workathomeagent.net
TCP: DhcpNameServer = 192.168.1.254
DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} - hxxp://invite.mshow.com/(pq5xzs45kkjo5v45pqroey45)/ShowSetup6.cab
FF - ProfilePath - c:\documents and settings\JRich\Application Data\Mozilla\Firefox\Profiles\g6hmveg3.default-1398705931171\
FF - prefs.js: browser.startup.homepage - hxxps://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-15 19:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(696)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(1572)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-08-15  19:01:42
ComboFix-quarantined-files.txt  2014-08-15 23:01
ComboFix2.txt  2014-08-15 01:51
.
Pre-Run: 436,187,602,944 bytes free
Post-Run: 436,456,124,416 bytes free
.
- - End Of File - - D5CAB013292958D163FEEB407B61DA0A
5CB90281D1A59B251F6603134774EEC3
 


  • 0
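An added example, not part of caseyd's log, gringo_pr's instructions or any ComboFix/OTL feature: a small Python triage pass over the line shapes that appear in a ComboFix log like the one above (service entries, the 'Scheduled Tasks' folder, and the 'Supplementary Scan' lines). It pulls out what a helper usually checks first: services whose image file the scanner could not find (`[?]`), svchost-hosted services in a group that is not one of the Windows XP defaults, scheduled tasks that run a binary out of a profile directory, IE Trusted Zone additions, and DPF (ActiveX download) entries. The default svchost group set, the profile-directory markers, and the sample log (assembled from lines in this thread) are all assumptions of the example; the output is a review list, not a verdict on any entry.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example for this thread; it is not ComboFix, OTL or the poster's
output.  It recognises the line shapes visible in the log above (service
entries, the 'Scheduled Tasks' folder listing and 'Supplementary Scan'
lines) and returns the items a responder would review first.  The flags
are review heuristics, not verdicts; the default svchost group list and
the sample log below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Service line: "<S3|R3|...> <name>;<display name>;<image path> [<stamp> <size>]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Scheduled task header ("<date> <path>.job") and the "- <binary> [<stamp>]" line after it.
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(?P<job>.+\.job)$")
TASK_BIN_RE = re.compile(r"^- (?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)$")
# ComboFix defangs URLs as hxxp:// so they are not clickable in the thread.
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - (?P<url>\S+)$")

# Assumption: svchost groups shipped with Windows XP SP3.  Anything else is a
# third-party group worth cross-checking against the svchost registry key.
DEFAULT_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "httpfilter", "termsvcs",
}
# Assumption: markers for binaries launched from a per-user or system profile
# directory instead of Program Files or the Windows directory.
PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\",
                   "\\application data\\", "\\systemprofile\\")


@dataclass
class Finding:
    kind: str      # service | task | trusted_zone | dpf
    line: str      # the log line (or "job -> binary") that produced the finding
    reason: str    # why a responder should look at it


def url_host(url: str) -> str:
    """Strip a (possibly defanged hxxp://) scheme and return the host part."""
    return re.sub(r"^h(?:tt|xx)ps?://", "", url, flags=re.I).split("/")[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    current_job = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses "." as a spacer line
            continue

        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest")
            if rest.endswith("[?]"):
                findings.append(Finding("service", line,
                                        f"{name}: image file not found by the scanner ([?])"))
            else:
                k = re.search(r"svchost\.exe\s+-k\s+(\S+)", rest, re.I)
                if k and k.group(1).lower() not in DEFAULT_SVCHOST_GROUPS:
                    findings.append(Finding("service", line,
                                            f"{name}: svchost-hosted in non-default group {k.group(1)}"))
            continue

        m = JOB_RE.match(line)
        if m:
            current_job = m.group("job").rsplit("\\", 1)[-1]
            continue

        m = TASK_BIN_RE.match(line)
        if m:
            path = m.group("path")
            if any(marker in path.lower() for marker in PROFILE_MARKERS):
                findings.append(Finding("task", f"{current_job} -> {path}",
                                        "scheduled task runs a binary from a profile directory"))
            continue

        m = TRUSTED_RE.match(line)
        if m:
            findings.append(Finding("trusted_zone", line,
                                    f"{m.group('host')} is in the IE Trusted Sites zone (relaxed security settings)"))
            continue

        m = DPF_RE.match(line)
        if m:
            findings.append(Finding("dpf", line,
                                    f"ActiveX control downloaded from {url_host(m.group('url'))}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {'service': 2, 'task': 1, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: lines taken from the log in this thread, nothing else.
SAMPLE_LOG = r"""
R3 OEM03Vid;Creative Camera OEM003 Driver;c:\windows\system32\drivers\OEM03Vid.sys [5/8/2008 1:31 AM 235808]
S3 nosGetPlusHelper;getPlus Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/10/2004 1:51 PM 14336]
S3 uti1oty1;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\uti1oty1.sys --> c:\windows\system32\Drivers\uti1oty1.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-25 01:14]
.
2014-08-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2014-02-08 00:19]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
Trusted Zone: west.com
Trusted Zone: westathome.com
DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} - hxxp://invite.mshow.com/(pq5xzs45kkjo5v45pqroey45)/ShowSetup6.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it against a saved ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. The svchost check is the one most worth tuning: compare any flagged group against the `[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]` block that ComboFix prints, since a group whose only member is the service itself (as with nosGetPlusHelper above) is a vendor-created group rather than a Windows one.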

#8
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts

Hello caseyd

I would like to see a report that ComboFix makes.

Extra ComboFix report
  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click OK
Copy and paste the report into this topic for me to review.

Gringo
  • 0

#9
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo
  • 0

#10
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts


Hello

48 hour bump

It has been more than 48 hours since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hours you have not replied to this thread, then it will have to be closed!
Gringo
  • 0

#11
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0