
Receiving port 1318 and Firefox is creating a ton of files


  • This topic is locked

#1 docfxit

    Member
  • 102 posts

When I remote into the infected computer I am receiving a lot of communication on port 1318. I'm also getting a ton of files being written to:

C:\Documents and Settings\Jim\Local Settings\Application Data\Mozilla\Firefox\Profiles\pel3t8hs.default-1408316845401\cache2\entries

Please help me figure out what is causing this.

I have run Malwarebytes (Up-to-Date)

I have installed Bitdefender (Up-to-Date)

Running Win XP Pro sp3 (MS updates updated)

Thank you,

Docfxit


OTL logfile created on: 12/27/2014 7:59:46 AM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Jim\Desktop\SpywareRemovers
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.00 Gb Total Physical Memory | 1.84 Gb Available Physical Memory | 61.38% Memory free
7.34 Gb Paging File | 6.14 Gb Available in Paging File | 83.68% Paging File free
Paging file location(s): C:\pagefile.sys 4605 6605 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.30 Gb Total Space | 55.30 Gb Free Space | 61.24% Space Free | Partition Type: NTFS
Drive F: | 113.40 Gb Total Space | 6.67 Gb Free Space | 5.88% Space Free | Partition Type: NTFS
Drive G: | 29.16 Gb Total Space | 14.56 Gb Free Space | 49.93% Space Free | Partition Type: NTFS
 
Computer Name: JIMSDESKTOP | User Name: Jim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/12/27 07:56:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jim\Desktop\SpywareRemovers\OTL.exe
PRC - [2014/12/15 03:29:59 | 005,476,112 | ---- | M] (TeamViewer GmbH) -- c:\Program Files\TeamViewer\TeamViewer_Desktop.exe
PRC - [2014/12/15 03:29:58 | 016,362,768 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\TeamViewer.exe
PRC - [2014/12/15 03:29:58 | 005,426,448 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\TeamViewer_Service.exe
PRC - [2014/12/15 03:07:21 | 000,229,136 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\tv_w32.exe
PRC - [2014/12/12 09:21:24 | 005,489,944 | ---- | M] (Piriform Ltd) -- C:\Program Files\CCleaner\CCleaner.exe
PRC - [2014/12/08 08:37:09 | 000,482,392 | ---- | M] (Bitdefender) -- C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe
PRC - [2014/12/08 08:36:57 | 001,918,176 | ---- | M] (Bitdefender) -- C:\Program Files\Bitdefender\Bitdefender\bdagent.exe
PRC - [2014/12/08 08:36:50 | 001,302,784 | ---- | M] (Bitdefender) -- C:\Program Files\Bitdefender\Bitdefender\vsserv.exe
PRC - [2014/12/05 02:07:55 | 035,962,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V5.19.exe
PRC - [2014/11/27 16:36:10 | 000,089,792 | ---- | M] (Microsoft Corporation) -- c:\fe0b05943fc00b6973534b255ad54e\mrtstub.exe
PRC - [2014/11/13 14:24:31 | 000,230,792 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.25.11\GoogleCrashHandler.exe
PRC - [2014/08/13 00:43:18 | 000,054,424 | ---- | M] (Bitdefender) -- C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
PRC - [2014/08/13 00:43:00 | 000,615,256 | ---- | M] (Bitdefender) -- C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe
PRC - [2014/08/10 17:16:22 | 001,794,840 | ---- | M] (UltraVNC) -- C:\Program Files\UltraVNC\winvnc.exe
PRC - [2014/07/23 01:18:36 | 003,596,240 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2014/07/23 01:12:50 | 000,134,624 | ---- | M] (Check Point Software Technologies Ltd.) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2014/07/21 11:22:02 | 002,462,160 | ---- | M] (Paramount Software UK Ltd) -- C:\Program Files\Macrium\Reflect\ReflectService.exe
PRC - [2014/07/03 16:37:32 | 000,283,664 | ---- | M] (Check Point Software Technologies, Ltd.) -- C:\Program Files\CheckPoint\ZoneAlarm\ThreatEmulation.exe
PRC - [2014/07/03 16:37:32 | 000,093,712 | ---- | M] (Check Point Software Technologies, Ltd.) -- C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
PRC - [2014/06/30 04:34:28 | 004,622,440 | ---- | M] (NTWind Software) -- C:\Program Files\WinSnap\WinSnap.exe
PRC - [2014/01/29 11:00:28 | 000,144,384 | ---- | M] (GoPro) -- C:\Program Files\CineForm\Tools\GoProCineFormStatusViewer.exe
PRC - [2013/06/25 09:43:10 | 001,844,864 | ---- | M] (Locktime Software) -- C:\Program Files\NetLimiter 3\NLClientApp.exe
PRC - [2013/06/25 09:43:10 | 001,132,160 | ---- | M] (Locktime Software) -- C:\Program Files\NetLimiter 3\nlsvc.exe
PRC - [2012/07/20 19:29:24 | 008,186,368 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe
PRC - [2010/07/04 11:51:26 | 000,017,408 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
PRC - [2008/09/20 12:47:08 | 000,091,648 | ---- | M] () -- C:\Program Files\stunnel\stunnel.exe
PRC - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/29 15:06:10 | 001,077,248 | ---- | M] (Marvell Semiconductor, Inc.) -- C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
PRC - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
PRC - [2007/02/21 00:15:02 | 000,112,208 | ---- | M] (Corel, Inc.) -- C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
PRC - [2007/02/08 18:14:10 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) -- C:\Program Files\UPHClean\uphclean.exe
PRC - [2005/01/01 15:41:28 | 000,151,552 | ---- | M] (Peas Inc.) -- C:\Program Files\DeeEnEs\DeeEnEs.exe
PRC - [2004/10/12 13:01:52 | 000,032,768 | ---- | M] (Smith Micro Software, Inc.) -- C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe
PRC - [2004/04/18 11:43:44 | 000,082,944 | ---- | M] (KeirNet) -- C:\Program Files\K9\K9.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/12/08 08:35:46 | 000,476,712 | ---- | M] () -- \\?\C:\Program Files\Common Files\Bitdefender\Bitdefender Threat Scanner\trufos.dll
MOD - [2014/10/13 07:28:49 | 001,514,976 | ---- | M] () -- \\?\C:\Program Files\Bitdefender\Bitdefender\bdnc.dll
MOD - [2014/10/13 07:28:18 | 000,204,280 | ---- | M] () -- C:\Program Files\Bitdefender\Bitdefender\txmlutil.dll
MOD - [2014/08/13 00:44:39 | 000,003,072 | ---- | M] () -- C:\Program Files\Bitdefender\Bitdefender\ui\accessl.ui
MOD - [2014/08/13 00:44:35 | 000,004,608 | ---- | M] () -- C:\Program Files\Bitdefender\Bitdefender\ui\imsecurityal.ui
MOD - [2014/07/23 23:21:26 | 002,138,096 | ---- | M] () -- C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttpph.mdl
MOD - [2014/07/23 23:21:24 | 001,128,744 | ---- | M] () -- C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttprbl.mdl
MOD - [2014/07/23 23:21:23 | 000,676,568 | ---- | M] () -- C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttpbr.mdl
MOD - [2014/07/23 23:21:20 | 000,490,144 | ---- | M] () -- C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttpdsp.mdl
MOD - [2014/02/27 03:39:35 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8cd995f00848816e3ec49dc326e3d49b\System.ServiceProcess.ni.dll
MOD - [2014/02/27 03:39:23 | 000,141,312 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\f254328a10638e87223d401b39197c91\System.Configuration.Install.ni.dll
MOD - [2014/02/27 03:32:46 | 000,978,944 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\4b6e70acd99dc22e29b7fc8f9ac340c4\System.Configuration.ni.dll
MOD - [2014/02/27 03:29:57 | 005,462,016 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\7faf645dc46781225cb722edf9e1e738\System.Xml.ni.dll
MOD - [2014/02/27 03:29:49 | 012,434,432 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\1cdfe1998ad6794db3237006906c6fa2\System.Windows.Forms.ni.dll
MOD - [2014/02/27 03:29:31 | 001,593,344 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\424bff3295c6e7539cc6df62b9425bd0\System.Drawing.ni.dll
MOD - [2014/02/27 03:28:59 | 002,295,808 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\159b4a6888004de346d499841ec088a7\System.Core.ni.dll
MOD - [2014/02/27 03:28:44 | 000,224,768 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\aed50a89ba1d32a5398e6469715594a7\PresentationFramework.Classic.ni.dll
MOD - [2014/02/27 03:28:43 | 000,368,128 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7b2e47989a7e6276b1f9f64528760f0d\PresentationFramework.Aero.ni.dll
MOD - [2014/02/27 03:28:41 | 014,329,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\dad6af4d4f3b92adf0497c5ec9565236\PresentationFramework.ni.dll
MOD - [2014/02/27 03:28:13 | 012,218,880 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\89c032d0f8bccf31bb55b775a10c6992\PresentationCore.ni.dll
MOD - [2014/02/27 03:27:35 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\872e96c13f44bfaeff84d126fb847963\WindowsBase.ni.dll
MOD - [2014/02/27 03:27:25 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\4b0455ae94e3cecca4bb3ba8c96828c9\System.ni.dll
MOD - [2014/02/27 03:27:16 | 011,497,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\dae02331a443fb52216ca83292cb2f21\mscorlib.ni.dll
MOD - [2014/02/12 19:58:32 | 000,073,544 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2014/02/12 19:58:10 | 001,044,808 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2013/01/01 22:49:10 | 001,292,288 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2012/09/10 21:50:16 | 000,412,920 | ---- | M] () -- C:\Program Files\UltraVNC\SecureVNCPlugin.dsm
MOD - [2011/03/21 16:14:38 | 000,061,440 | ---- | M] () -- C:\Program Files\NetLimiter 3\nlsvcPS.dll
MOD - [2010/07/04 13:32:36 | 000,004,608 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerHook.dll
MOD - [2010/07/04 11:51:26 | 000,017,408 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerAssistant.exe
MOD - [2010/03/15 17:00:02 | 001,481,728 | ---- | M] () -- C:\WINDOWS\system32\LegitCheckControl.dll
MOD - [2010/03/15 17:00:02 | 000,190,976 | ---- | M] () -- C:\WINDOWS\system32\WgaLogon.dll
MOD - [2008/09/20 12:47:08 | 000,091,648 | ---- | M] () -- C:\Program Files\stunnel\stunnel.exe
MOD - [2008/09/20 12:20:26 | 000,074,240 | ---- | M] () -- C:\Program Files\stunnel\zlib1.dll
MOD - [2008/09/20 12:19:40 | 001,420,256 | ---- | M] () -- C:\Program Files\stunnel\libeay32.dll
MOD - [2008/09/20 12:19:40 | 000,306,052 | ---- | M] () -- C:\Program Files\stunnel\libssl32.dll
MOD - [2008/04/13 16:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 16:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/02/08 18:14:10 | 000,174,656 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
MOD - [2004/02/27 12:24:30 | 000,026,448 | ---- | M] () -- C:\WINDOWS\system32\smfaxmon.dll
 
 
========== Services (SafeList) ==========
 
SRV - File not found [Disabled | Stopped] --  -- (ACDaemon)
SRV - [2014/12/24 08:59:00 | 000,114,800 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/12/15 03:29:58 | 005,426,448 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\TeamViewer_Service.exe -- (TeamViewer)
SRV - [2014/12/08 08:36:50 | 001,302,784 | ---- | M] (Bitdefender) [Auto | Running] -- C:\Program Files\Bitdefender\Bitdefender\vsserv.exe -- (VSSERV)
SRV - [2014/08/13 00:43:18 | 000,054,424 | ---- | M] (Bitdefender) [Auto | Running] -- C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe -- (UPDATESRV)
SRV - [2014/08/10 17:16:22 | 001,794,840 | ---- | M] (UltraVNC) [Auto | Running] -- C:\Program Files\UltraVNC\winvnc.exe -- (uvnc_service)
SRV - [2014/07/23 01:18:36 | 003,596,240 | ---- | M] (Check Point Software Technologies Ltd.) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2014/07/21 11:22:02 | 002,462,160 | ---- | M] (Paramount Software UK Ltd) [Auto | Running] -- C:\Program Files\Macrium\Reflect\ReflectService.exe -- (ReflectService.exe)
SRV - [2014/07/03 16:37:32 | 000,093,712 | ---- | M] (Check Point Software Technologies, Ltd.) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe -- (ZAPrivacyService)
SRV - [2013/06/25 09:43:10 | 001,132,160 | ---- | M] (Locktime Software) [Auto | Running] -- C:\Program Files\NetLimiter 3\nlsvc.exe -- (nlsvc)
SRV - [2012/07/20 19:29:24 | 008,186,368 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.5\bin\mysqld.exe -- (MySQL55)
SRV - [2008/09/20 12:47:08 | 000,091,648 | ---- | M] () [Auto | Running] -- C:\Program Files\stunnel\stunnel.exe -- (stunnel)
SRV - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (MSFtpsvc)
SRV - [2008/04/13 16:12:22 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2007/02/08 18:14:10 | 000,174,656 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2007/02/05 09:11:18 | 000,075,320 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2007/02/05 09:11:16 | 000,112,184 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe -- (SonicStage Back-End Service)
SRV - [2007/01/04 19:48:52 | 000,112,152 | R--- | M] (InterVideo) [Disabled | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/12/14 01:21:20 | 000,045,056 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/12/14 01:02:08 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/12/14 00:46:16 | 000,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/04/27 14:59:24 | 000,241,725 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\UPHClean\uphclean.exe -- (UPHClean)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lmimirr.sys -- (lmimirr)
DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (ATICDSDr)
DRV - [2014/12/08 08:37:02 | 000,408,280 | ---- | M] (BitDefender S.R.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\trufos.sys -- (trufos)
DRV - [2014/12/08 08:35:51 | 001,073,160 | ---- | M] (BitDefender) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\avc3.sys -- (avc3)
DRV - [2014/08/13 00:44:30 | 000,528,248 | ---- | M] (BitDefender) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avckf.sys -- (avckf)
DRV - [2014/07/23 01:19:54 | 000,534,024 | ---- | M] (Check Point Software Technologies Ltd.) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2013/11/04 15:47:30 | 000,066,832 | ---- | M] (BitDefender SRL) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bdsandbox.sys -- (BDSandBox)
DRV - [2013/08/23 12:48:39 | 000,165,744 | ---- | M] (BitDefender LLC) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\gzflt.sys -- (gzflt)
DRV - [2013/07/26 10:53:51 | 000,135,600 | ---- | M] (BitDefender LLC) [Kernel | System | Running] -- C:\Program Files\Bitdefender\Bitdefender\bdselfpr.sys -- (bdselfpr)
DRV - [2013/06/28 15:02:08 | 000,016,504 | ---- | M] (Macrium Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\pssnap.sys -- (pssnap)
DRV - [2013/06/12 11:10:20 | 005,280,944 | ---- | M] (Locktime Software) [Kernel | System | Running] -- C:\Program Files\NetLimiter 3\nltdi.sys -- (nltdi)
DRV - [2013/06/12 11:10:20 | 005,229,360 | ---- | M] (Locktime Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nlndis.sys -- (NLNdisPT)
DRV - [2013/06/12 11:10:20 | 005,229,360 | ---- | M] (Locktime Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nlndis.sys -- (NLNdisMP)
DRV - [2012/11/02 13:17:14 | 000,242,504 | ---- | M] (BitDefender) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\avchv.sys -- (avchv)
DRV - [2012/09/10 21:50:22 | 000,011,496 | ---- | M] (UVNC BVBA) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mv2.sys -- (mv2)
DRV - [2012/06/18 12:34:48 | 000,015,576 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdrvio.sys -- (pwdrvio)
DRV - [2012/06/18 12:34:46 | 000,010,200 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\pwdspio.sys -- (pwdspio)
DRV - [2011/11/14 19:16:26 | 000,130,640 | ---- | M] (BitDefender LLC) [Kernel | System | Running] -- C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdftdif.sys -- (bdftdif)
DRV - [2011/08/09 16:33:58 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\BANTExt.sys -- (BANTExt)
DRV - [2011/07/30 13:33:12 | 000,073,576 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFlt2.Sys -- (LMouFlt2)
DRV - [2011/07/30 13:33:12 | 000,026,104 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFlt2.Sys -- (LHidFlt2)
DRV - [2010/09/23 22:04:50 | 000,095,024 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2010/07/04 11:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2009/06/17 08:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2009/06/17 08:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009/06/17 08:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009/06/17 08:55:58 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidEqd.sys -- (LHidEqd)
DRV - [2009/06/17 08:55:50 | 000,040,720 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LEqdUsb.sys -- (LEqdUsb)
DRV - [2008/01/31 10:35:54 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
DRV - [2007/10/19 10:29:22 | 000,161,792 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/09/19 20:33:17 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hdaudio.sys -- (HdAudAddService)
DRV - [2007/09/13 03:17:56 | 002,372,096 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/04/17 20:09:28 | 000,011,032 | ---- | M] (InterVideo) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\regi.sys -- (regi)
DRV - [2006/07/17 14:07:28 | 000,017,290 | R--- | M] (Broadcom Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btpmw32.sys -- (BCMTPM)
DRV - [2006/06/12 23:59:52 | 000,254,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2006/06/12 23:59:46 | 000,727,808 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/06/12 23:59:42 | 000,990,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.isUS: true
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:34.0.5
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw_1213153.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=13:  File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Bitdefender\Bitdefender\ffpwdman\ [2014/04/22 14:12:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 34.0.5\extensions\\Components: C:\Program Files\FireFox\components [2014/12/24 08:58:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 34.0.5\extensions\\Plugins: C:\Program Files\FireFox\plugins [2014/12/24 08:58:52 | 000,000,000 | ---D | M]
 
[2014/05/01 09:26:25 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Extensions
[2014/12/08 17:11:54 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\pel3t8hs.default-1408316845401\extensions
 
O1 HOSTS File: ([2012/08/23 13:11:44 | 000,000,022 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1  localhost
O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [Bdagent] C:\Program Files\Bitdefender\Bitdefender\bdagent.exe (Bitdefender)
O4 - HKLM..\Run: [Client Access Express Welcome] C:\Program Files\Client Access\cwbwlwiz.exe (IBM Corporation)
O4 - HKLM..\Run: [Client Access Help Update] C:\Program Files\Client Access\cwbinhlp.exe (IBM Corporation)
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe (Corel, Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\hdashcut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\Logi_MwX.Exe (Logitech Inc.)
O4 - HKLM..\Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe (Marvell Semiconductor, Inc.)
O4 - HKLM..\Run: [SMSI Loader] C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe (Smith Micro Software, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies Ltd.)
O4 - HKCU..\Run: [Bitdefender Wallet] C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe (Bitdefender)
O4 - HKCU..\Run: [Bitdefender Wallet Agent] C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe (Bitdefender)
O4 - HKCU..\Run: [Bitdefender Wallet Application Agent] C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe (Bitdefender)
O4 - HKCU..\Run: [CCleaner Monitoring] C:\Program Files\CCleaner\CCleaner.exe (Piriform Ltd)
O4 - HKCU..\Run: [DeeEnEs] C:\Program Files\DeeEnEs\DeeEnEs.exe (Peas Inc.)
O4 - HKCU..\Run: [fsm]  File not found
O4 - HKCU..\Run: [NetLimiter] C:\Program Files\NetLimiter 3\NLClientApp.exe (Locktime Software)
O4 - HKCU..\Run: [WinSnap] C:\Program Files\WinSnap\WinSnap.exe (NTWind Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CineForm Status.lnk = C:\Program Files\CineForm\Tools\GoProCineFormStatusViewer.exe (GoPro)
O4 - Startup: C:\Documents and Settings\Jim\Start Menu\Programs\Startup\AS400SignOn.lnk = C:\Batch\AS400SignOn.exe ()
O4 - Startup: C:\Documents and Settings\Jim\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Launch K9.lnk = C:\Program Files\K9\K9.exe (KeirNet)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRemoteRecursiveEvents = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoInternetOpenWith = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LocalAccountTokenFilterPolicy = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: SoftwareSASGeneration = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSharedDocuments = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1345357543687 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1345357525312 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B0C754E3-253F-4332-9262-B3E9D5901E6B}: NameServer = 66.51.205.100,66.51.206.100
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/23 12:16:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/12/27 07:58:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\SpywareRemovers
[2014/12/27 07:42:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Local Settings\Application Data\Locktime
[2014/12/27 07:38:11 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\AI_RecycleBin
[2014/12/27 07:38:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\NetLimiter 3
[2014/12/27 07:37:37 | 000,000,000 | ---D | C] -- C:\Program Files\NetLimiter 3
[2014/12/27 07:37:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Locktime
[2014/12/26 23:41:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Jim\Recent
[2014/12/26 21:14:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 10
[2014/12/24 08:58:51 | 000,000,000 | ---D | C] -- C:\Program Files\FireFox
[2012/09/03 11:20:10 | 011,736,928 | ---- | C] (MiniTool Solution Ltd.                                      ) -- C:\Documents and Settings\Jim\Application Data\PWPE75.EXE
[2012/09/03 10:16:45 | 001,178,624 | ---- | C] (CPUID) -- C:\Documents and Settings\Jim\Application Data\siw_sdk.dll
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/12/27 07:52:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2014/12/27 07:41:12 | 000,001,024 | ---- | M] () -- C:\.rnd
[2014/12/27 07:40:47 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2014/12/27 07:40:47 | 000,000,218 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft Windows XP End of Service Notification Logon.job
[2014/12/27 07:39:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2014/12/27 07:29:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2014/12/27 07:07:57 | 000,214,472 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2014/12/26 21:48:26 | 000,000,721 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2014/12/26 21:18:58 | 000,000,726 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\UltraVNC Viewer.lnk
[2014/12/26 21:18:58 | 000,000,709 | ---- | M] () -- C:\Documents and Settings\Jim\Desktop\UltraVNC Server.lnk
[2014/12/26 21:12:01 | 000,114,904 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys
[2014/12/26 21:07:41 | 000,000,816 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2014/12/21 07:04:48 | 000,004,184 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2014/12/20 13:05:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2014/12/11 18:47:54 | 000,002,485 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WordPerfect X3.lnk
[2014/12/08 15:00:00 | 000,000,212 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft Windows XP End of Service Notification Monthly.job
[2014/12/08 08:37:02 | 000,408,280 | ---- | M] (BitDefender S.R.L.) -- C:\WINDOWS\System32\drivers\trufos.sys
[2014/12/08 08:35:51 | 001,073,160 | ---- | M] (BitDefender) -- C:\WINDOWS\System32\drivers\avc3.sys
[2014/12/07 14:46:19 | 000,000,275 | ---- | M] () -- C:\WINDOWS\vuepro32.ini
[2014/12/01 03:00:00 | 000,000,356 | ---- | M] () -- C:\WINDOWS\tasks\MyDefrag v4.3.1 Monthly.job
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/12/26 21:48:26 | 000,000,721 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2014/12/26 21:18:58 | 000,000,726 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\UltraVNC Viewer.lnk
[2014/12/26 21:18:58 | 000,000,709 | ---- | C] () -- C:\Documents and Settings\Jim\Desktop\UltraVNC Server.lnk
[2014/04/29 14:06:17 | 001,783,583 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1398805717.bdinstall.bin
[2014/04/29 10:36:13 | 000,184,957 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1398796367.bdinstall.bin
[2014/03/08 16:38:32 | 000,239,808 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2013/08/15 20:35:24 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\IsSSE2.exe
[2013/03/21 17:46:32 | 001,481,728 | ---- | C] () -- C:\WINDOWS\System32\LegitCheckControl.dll
[2012/09/06 20:24:26 | 000,000,110 | ---- | C] () -- C:\Documents and Settings\Jim\jobq.dat
[2012/08/24 19:03:41 | 000,196,877 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1345857740.bdinstall.bin
[2012/08/24 17:18:35 | 000,060,624 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1345857441.bdinstall.bin
[2012/08/23 13:16:33 | 000,295,818 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1659004503-1788223648-725345543-1003-0.dat
[2012/08/23 13:16:32 | 000,147,194 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2012/03/22 11:18:03 | 000,000,376 | ---- | C] () -- C:\Documents and Settings\Jim\Application Dataprivacy.xml
[2012/03/21 11:06:34 | 000,390,055 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1332354874.bdinstall.bin
[2012/03/18 08:41:21 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\kodakpcd.ini
[2011/05/13 14:01:12 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\housecall.guid.cache
[2009/03/24 17:25:04 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/12/27 08:39:34 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Jim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/07 15:03:20 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2008/12/07 15:03:20 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\B362E7A0DA.sys
[2008/12/01 18:44:14 | 000,000,040 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2008/12/01 11:09:03 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jim\Ÿ9Ÿ9
[2008/11/25 10:59:18 | 000,000,564 | ---- | C] () -- C:\Documents and Settings\Jim\SciTE.recent
[2008/11/25 10:59:18 | 000,000,156 | ---- | C] () -- C:\Documents and Settings\Jim\SciTE.session
[2008/11/23 22:46:42 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Jim\winscp.RND
 
========== ZeroAccess Check ==========
 
[2008/11/24 00:20:36 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/12/19 00:53:33 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 02:56:35 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 16:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2014/08/18 12:31:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2014/04/29 13:31:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BDLogging
[2014/04/29 13:32:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bitdefender
[2008/12/02 09:12:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland
[2008/12/03 12:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2012/03/01 19:26:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CA-SupportBridge
[2014/08/18 09:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2010/01/13 14:46:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
[2014/12/27 07:37:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Locktime
[2014/08/18 12:25:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macrium
[2011/11/09 16:20:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\magicJack
[2012/08/19 20:12:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Martau
[2012/08/31 14:44:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MySQL
[2010/01/13 14:10:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters Inc
[2008/12/04 21:30:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PKWARE
[2008/12/02 12:05:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SlySoft
[2014/05/10 14:08:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/07/30 13:00:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
[2010/07/10 08:01:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2014/04/29 13:11:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Bitdefender
[2012/03/22 10:12:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\ElevatedDiagnostics
[2012/03/05 13:06:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Foxit Software
[2014/02/15 18:26:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\GoPro
[2012/08/22 09:01:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Helge Klein
[2008/12/01 09:36:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\K9
[2012/08/24 09:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Leadertech
[2012/06/20 17:46:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Marvell
[2014/06/23 21:24:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\mjusbsp
[2012/08/31 14:00:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\MySQL
[2012/03/18 19:42:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Pegasus Mail
[2008/12/04 21:30:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\PKWARE
[2012/03/21 10:36:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\QuickScan
[2012/03/17 22:01:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Skinux
[2014/05/01 09:45:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\UpdateInfo
[2008/11/23 23:50:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Windows Desktop Search
[2008/11/24 00:11:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Windows Search
[2014/05/01 09:50:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jim\Application Data\Wise Plugin Manager
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:054203E4

< End of report >
 



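Reading an OTL file list by eye is slow, so here is a small triage parser for the line format used in the "Files/Folders - Created Within 30 Days" and "Files - Modified Within 30 Days" sections of the log above. It is an added example for this thread, not part of the original post and not OldTimer's own OTL code. The sample lines are copied verbatim from the log in this post; the three heuristics (executable in a user-writable profile directory, hidden+system attributes, executable with no company string) and the USER_WRITABLE path list are my assumptions. A hit marks a file to verify by hash and signature, not a verdict: legitimate licensing components and utilities trip these rules too.

```python
"""Triage helper for OTL "Files/Folders - Created/Modified" log lines.

Added example for this thread; not part of OTL (OldTimer) or of the poster's
output. The sample lines below are copied from the OTL log in this post; the
triage heuristics are my own assumptions and only mark entries for review.
"""
import ntpath
import re
from dataclasses import dataclass

# One OTL file-list line looks like
#   [2012/09/03 11:20:10 | 011,736,928 | ---- | C] (MiniTool Solution Ltd. ) -- C:\...\PWPE75.EXE
#   [2014/12/27 07:58:38 | 000,000,000 | ---D | C] -- C:\...\SpywareRemovers
# Fields: timestamp | size | attribute flags (R,H,S,D; '-' when unset) |
# C=created / M=modified, then an optional "(company)" block, " -- " and the path.
OTL_FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<op>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+?)\s*$"
)

# Constructed sample input: lines copied verbatim from the OTL log in this post.
SAMPLE_OTL = r"""
========== Files/Folders - Created Within 30 Days ==========
[2014/12/27 07:58:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jim\Desktop\SpywareRemovers
[2014/12/27 07:38:11 | 000,000,000 | -HSD | C] -- C:\WINDOWS\System32\AI_RecycleBin
[2012/09/03 11:20:10 | 011,736,928 | ---- | C] (MiniTool Solution Ltd.                                      ) -- C:\Documents and Settings\Jim\Application Data\PWPE75.EXE
[2012/09/03 10:16:45 | 001,178,624 | ---- | C] (CPUID) -- C:\Documents and Settings\Jim\Application Data\siw_sdk.dll
[2014/12/26 21:12:01 | 000,114,904 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys
[2014/12/21 07:04:48 | 000,004,184 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2008/12/07 15:03:20 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\B362E7A0DA.sys
"""


@dataclass(frozen=True)
class OtlEntry:
    timestamp: str
    size: int
    attrs: str      # four flags in OTL order: R, H, S, D ('-' when unset)
    op: str         # 'C' created, 'M' modified
    company: str    # version-info company string; '' when OTL printed "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[3] == "D"

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs


def parse_otl(text: str) -> list[OtlEntry]:
    """Return the file/folder entries in an OTL report; headers and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = OTL_FILE_RE.match(line)
        if not m:
            continue
        entries.append(OtlEntry(
            timestamp=m["ts"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            op=m["op"],
            company=(m["company"] or "").strip(),
            path=m["path"],
        ))
    return entries


# Assumptions: extensions treated as executable code, and profile directories
# a non-admin XP user can write to (lower-cased substrings of the path).
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl"}
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def triage(entries: list[OtlEntry]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for entries a responder should verify first."""
    findings = []
    for e in entries:
        low = e.path.lower()
        ext = ntpath.splitext(low)[1]
        if e.hidden_system:
            findings.append((e.path, "hidden+system attributes"))
        if e.is_dir or ext not in EXEC_EXT:
            continue
        if any(marker in low for marker in USER_WRITABLE):
            findings.append((e.path, "executable in user-writable profile location"))
        if not e.company:
            findings.append((e.path, "executable without company/version info"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_otl(SAMPLE_OTL)):
        print(f"{reason:45s} {path}")
```

Against the sample, the Malwarebytes driver in System32\drivers is not flagged, while the two executables under Application Data and the hidden+system .sys files are; the next step for each hit is a hash lookup and signature check, not deletion.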
#2
zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue.
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue. Stop and ask! Never be afraid to ask questions! :)

Let's run a different set of scan log reports, and scan for adware too, with AdwCleaner and Junkware Removal Tool.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
  • Next

    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner
  • Next

    Please download Junkware Removal Tool to your Desktop.

    Please close your security software to avoid potential conflicts. See here how to disable your security protection (Anti Virus).
    Run the tool by double-clicking it. If you are using Windows Vista or 7, right-click it and select Run as administrator.
    The tool will open and start scanning your system.
    Please be patient as this can take a while to complete, depending on your system's specifications.
    On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
    Please post the contents of JRT.txt into your reply.


    In your next reply, post:
  • The AdwCleaner [S0].txt Log
  • The JRT.txt Log
  • FRST.txt
  • Addition.txt
    Thanks
    Joe :)


#3
docfxit

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

Thank you, Joe, for taking a look at this for me. I have discovered that the transmissions over port 1318 are produced by TeamViewer. I was using TeamViewer at the time. I still have an issue that looks very suspicious with thousands of files in Firefox.

 

AdwCleaner [S0].txt Log

# AdwCleaner v3.307 - Report created 17/08/2014 at 17:51:37
# Updated 17/08/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Jim - JIMSDESKTOP
# Running from : C:\Documents and Settings\Jim\My Documents\Downloads\adwcleaner_3.307.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\SpeedItup Free
Folder Deleted : C:\Documents and Settings\All Users\Uniblue

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\driverscanner
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{090ACFA1-1580-11D1-8AC0-00C0F00910F9}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B4E90801-B83C-11D0-8B40-00C0F00AE35A}
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKLM\SOFTWARE\Informer Technologies, Inc.\OpenCandy

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\pel3t8hs.default-1408316845401\prefs.js ]


*************************

AdwCleaner[R0].txt - [1453 octets] - [17/08/2014 17:46:35]
AdwCleaner[S0].txt - [1234 octets] - [17/08/2014 17:51:37]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1294 octets] ##########
 

JRT.txt Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Microsoft Windows XP x86
Ran by Jim on Sat 12/27/2014 at 18:16:20.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\WINDOWS\wininit.ini"



~~~ Folders

Successfully deleted: [Folder] "C:\WINDOWS\system32\ai_recyclebin"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 12/27/2014 at 18:21:24.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 27-12-2014
Ran by Jim (administrator) on JIMSDESKTOP on 27-12-2014 16:57:06
Running from C:\Documents and Settings\Jim\Desktop\SpywareRemovers
Loaded Profile: Jim (Available profiles: Jim & ASPNET & ATUUser5 & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\vsserv.exe
(Check Point Software Technologies Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Microsoft Corporation) C:\WINDOWS\system32\netdde.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\system32\inetsrv\inetinfo.exe
() C:\WINDOWS\system32\PSIService.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Paramount Software UK Ltd) C:\Program Files\Macrium\Reflect\ReflectService.exe
() C:\Program Files\stunnel\stunnel.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
(Microsoft Corporation) C:\Program Files\UPHClean\uphclean.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(Check Point Software Technologies, Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
(UltraVNC) C:\Program Files\UltraVNC\winvnc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer.exe
(Smith Micro Software, Inc.) C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe
(Marvell Semiconductor, Inc.) C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
() C:\Program Files\Unlocker\UnlockerAssistant.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdagent.exe
(Check Point Software Technologies Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
(Check Point Software Technologies, Ltd.) C:\Program Files\CheckPoint\ZoneAlarm\ThreatEmulation.exe
(Corel, Inc.) C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
(Peas Inc.) C:\Program Files\DeeEnEs\DeeEnEs.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe
(NTWind Software) C:\Program Files\WinSnap\WinSnap.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\tv_w32.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(GoPro) C:\Program Files\CineForm\Tools\GoProCineFormStatusViewer.exe
(KeirNet) C:\Program Files\K9\K9.exe
(Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Farbar) C:\Documents and Settings\Jim\Desktop\SpywareRemovers\Farbar Recovery Scan Tool.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SMSI Loader] => C:\Program Files\Common Files\Smith Micro Shared\Fax\SMLoader.exe [32768 2004-10-12] (Smith Micro Software, Inc.)
HKLM\...\Run: [Client Access Help Update] => C:\Program Files\Client Access\cwbinhlp.exe [24626 2001-05-08] (IBM Corporation)
HKLM\...\Run: [Client Access Express Welcome] => C:\Program Files\Client Access\cwbwlwiz.exe [20530 2001-05-08] (IBM Corporation)
HKLM\...\Run: [High Definition Audio Property Page Shortcut] => C:\WINDOWS\system32\HDAShCut.exe [61952 2007-09-19] (Windows ® Server 2003 DDK provider)
HKLM\...\Run: [PrnStatusMX] => C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe [1077248 2007-08-29] (Marvell Semiconductor, Inc.)
HKLM\...\Run: [UnlockerAssistant] => C:\Program Files\Unlocker\UnlockerAssistant.exe [17408 2010-07-04] ()
HKLM\...\Run: [Logitech Utility] => C:\WINDOWS\Logi_MwX.Exe [19968 2011-07-30] (Logitech Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [Bdagent] => C:\Program Files\Bitdefender\Bitdefender\bdagent.exe [1918176 2014-12-08] (Bitdefender)
HKLM\...\Run: [ZoneAlarm] => C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe [134624 2014-07-23] (Check Point Software Technologies Ltd.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [Corel Photo Downloader] => C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe [112208 2007-02-21] (Corel, Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\WgaLogon: C:\WINDOWS\system32\WgaLogon.dll ()
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [DeeEnEs] => C:\Program Files\DeeEnEs\DeeEnEs.exe [151552 2005-01-01] (Peas Inc.)
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [fsm] => [X]
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2014-12-08] (Bitdefender)
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2014-08-13] (Bitdefender)
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2014-08-13] (Bitdefender)
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [cdloader] => C:\Documents and Settings\Jim\Application Data\mjusbsp\cdloader2.exe [51592 2013-05-06] (magicJack L.P.)
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [WinSnap] => C:\Program Files\WinSnap\WinSnap.exe [4622440 2014-06-30] (NTWind Software)
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5489944 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Policies\Explorer: [NoSMBalloonTip] 0
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Policies\Explorer: [NoStartBanner] 0x01000000
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2014-12-08] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2014-08-13] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2014-08-13] (Bitdefender)
HKU\S-1-5-18\...\RunOnce: [ShowDeskFix] => regsvr32 /s /n /i:u shell32
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CineForm Status.lnk
ShortcutTarget: CineForm Status.lnk -> C:\Program Files\CineForm\Tools\GoProCineFormStatusViewer.exe (GoPro)
Startup: C:\Documents and Settings\Jim\Start Menu\Programs\Startup\AS400SignOn.lnk
ShortcutTarget: AS400SignOn.lnk -> C:\Batch\AS400SignOn.exe ()
Startup: C:\Documents and Settings\Jim\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files\ERUNT\AUTOBACK.EXE ()
Startup: C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Launch K9.lnk
ShortcutTarget: Launch K9.lnk -> C:\Program Files\K9\K9.exe (KeirNet)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
Handler: AutorunsDisabled\belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\..\Interfaces\{B0C754E3-253F-4332-9262-B3E9D5901E6B}: [NameServer] 66.51.205.100,66.51.206.100

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\pel3t8hs.default-1408316845401
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1213153.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-05-29]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\Bitdefender\Bitdefender\ffpwdman
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender\ffpwdman [2014-04-29]
FF StartMenuInternet: FIREFOX.EXE - C:\Program Files\FireFox\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [ccahoghmggldkcdjiebjkidpfongdfbl] - C:\Program Files\Bitdefender\Bitdefender\pmbxcr.crx [2014-04-29]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 helpsvc; C:\WINDOWS\System32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 IISADMIN; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-13] (Microsoft Corporation)
S3 MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [45056 2006-12-14] (Sony Corporation) [File not signed]
R2 MSFtpsvc; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-13] (Microsoft Corporation)
R2 MySQL55; C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.5\my.ini [9559 2012-08-31] () [File not signed]
S3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [57344 2006-12-14] () [File not signed]
R2 ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [174656 2007-02-08] () [File not signed]
R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [2462160 2014-07-21] (Paramount Software UK Ltd)
S3 SonicStage Back-End Service; C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe [112184 2007-02-05] (Sony Corporation)
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69632 2006-12-14] (Sony Corporation) [File not signed]
S3 SSScsiSV; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [75320 2007-02-05] (Sony Corporation)
R2 stunnel; C:\Program Files\stunnel\stunnel.exe [91648 2008-09-20] () [File not signed]
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe [54424 2014-08-13] (Bitdefender)
R2 UPHClean; C:\Program Files\UPHClean\uphclean.exe [241725 2005-04-27] (Microsoft Corporation) [File not signed]
R2 uvnc_service; C:\Program Files\UltraVNC\WinVNC.exe [1794840 2014-08-10] (UltraVNC)
R2 vsmon; C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe [3596240 2014-07-23] (Check Point Software Technologies Ltd.)
R2 VSSERV; C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [1302784 2014-12-08] (Bitdefender)
R2 W3SVC; C:\WINDOWS\system32\inetsrv\inetinfo.exe [15360 2008-04-13] (Microsoft Corporation)
R2 ZAPrivacyService; C:\Program Files\CheckPoint\ZoneAlarm\ZaPrivacyService.exe [93712 2014-07-03] (Check Point Software Technologies, Ltd.)
S4 ACDaemon; No ImagePath

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 atmeltpm; C:\WINDOWS\System32\DRIVERS\atmeltpm.sys [15872 2005-05-17] (Atmel, Inc.)
R0 avc3; C:\WINDOWS\System32\DRIVERS\avc3.sys [1073160 2014-12-08] (BitDefender)
R3 avchv; C:\WINDOWS\System32\DRIVERS\avchv.sys [242504 2012-11-02] (BitDefender)
R3 avckf; C:\WINDOWS\System32\DRIVERS\avckf.sys [528248 2014-08-13] (BitDefender)
R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2011-08-09] () [File not signed]
R3 BCMTPM; C:\WINDOWS\System32\DRIVERS\btpmw32.sys [17290 2006-07-17] (Broadcom Corp.)
R1 bdftdif; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdftdif.sys [130640 2011-11-14] (BitDefender LLC)
S3 BDSandBox; C:\WINDOWS\system32\drivers\bdsandbox.sys [66832 2013-11-04] (BitDefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Bitdefender\bdselfpr.sys [135600 2013-07-26] (BitDefender LLC)
R0 gzflt; C:\WINDOWS\System32\DRIVERS\gzflt.sys [165744 2013-08-23] (BitDefender LLC)
S3 HdAudAddService; C:\WINDOWS\System32\drivers\HdAudio.sys [145920 2007-09-19] (Windows ® Server 2003 DDK provider)
R3 Iviaspi; C:\WINDOWS\System32\drivers\iviaspi.sys [10368 2005-09-20] (InterVideo, Inc.) [File not signed]
S3 LEqdUsb; C:\WINDOWS\System32\Drivers\LEqdUsb.Sys [40720 2009-06-17] (Logitech, Inc.)
S3 LHidEqd; C:\WINDOWS\System32\Drivers\LHidEqd.Sys [10384 2009-06-17] (Logitech, Inc.)
S3 LUsbFilt; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [28560 2009-06-17] (Logitech, Inc.)
R3 mv2; C:\WINDOWS\System32\DRIVERS\mv2.sys [11496 2012-09-10] (UVNC BVBA)
R3 psadd; C:\WINDOWS\System32\DRIVERS\psadd.sys [21376 2008-01-31] (Lenovo (United States) Inc.) [File not signed]
R0 pssnap; C:\WINDOWS\System32\DRIVERS\pssnap.sys [16504 2013-06-28] (Macrium Software)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15576 2012-06-18] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10200 2012-06-18] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [36624 2006-10-18] (Sonic Solutions) [File not signed]
R1 SBRE; C:\WINDOWS\system32\drivers\SBREdrv.sys [95024 2010-09-23] (Sunbelt Software)
R0 trufos; C:\WINDOWS\System32\DRIVERS\trufos.sys [408280 2014-12-08] (BitDefender S.R.L.)
S3 USBAAPL; C:\WINDOWS\System32\Drivers\usbaapl.sys [45056 2013-03-18] (Apple, Inc.) [File not signed]
R1 Vsdatant; C:\WINDOWS\System32\vsdatant.sys [534024 2014-07-23] (Check Point Software Technologies Ltd.)
S3 ATICDSDr; No ImagePath
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 NLNdisMP; system32\DRIVERS\nlndis.sys [X]
S3 NLNdisPT; system32\DRIVERS\nlndis.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 Sdbus; C:\Windows\System32\Drivers\Sdbus.sys [79232 2008-04-13] (Microsoft Corporation)
U5 Tcpip6; C:\Windows\System32\Drivers\Tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-27 16:57 - 2014-12-27 16:57 - 00000000 ____D () C:\FRST
2014-12-27 16:53 - 2014-12-27 16:53 - 00001581 _____ () C:\Documents and Settings\All Users\Desktop\iTunes.lnk
2014-12-27 16:53 - 2014-12-27 16:53 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
2014-12-27 16:52 - 2014-12-27 16:53 - 00000000 ____D () C:\Program Files\iTunes
2014-12-27 16:52 - 2014-12-27 16:53 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-12-27 16:49 - 2014-12-27 16:49 - 00000000 ____D () C:\WINDOWS\LastGood
2014-12-27 16:38 - 2014-12-27 16:38 - 08350404 _____ () C:\video0.dat
2014-12-27 09:34 - 2014-12-27 09:34 - 00065536 _____ () C:\WINDOWS\Minidump\Mini122714-01.dmp
2014-12-27 07:58 - 2014-12-27 16:57 - 00000000 ____D () C:\Documents and Settings\Jim\Desktop\SpywareRemovers
2014-12-27 07:38 - 2014-12-27 08:25 - 00000000 __SHD () C:\WINDOWS\system32\AI_RecycleBin
2014-12-27 07:38 - 2014-12-27 08:24 - 00065536 _____ () C:\WINDOWS\system32\config\NetLimit.evt
2014-12-26 21:48 - 2014-12-26 21:48 - 00000721 _____ () C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2014-12-26 21:34 - 2014-12-26 21:34 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
2014-12-26 21:34 - 2014-12-26 21:34 - 00000000 ____D () C:\Documents and Settings\JIMSDESKTOP\Local Settings\Temp
2014-12-26 21:34 - 2014-12-26 21:34 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\Temp
2014-12-26 21:34 - 2014-12-26 21:34 - 00000000 ____D () C:\Documents and Settings\ATUUser5\Local Settings\Temp
2014-12-26 21:34 - 2014-12-26 21:34 - 00000000 ____D () C:\Documents and Settings\All Users\Local Settings\Temp
2014-12-26 21:34 - 2014-12-26 21:34 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-12-26 21:18 - 2014-12-26 21:18 - 00000726 _____ () C:\Documents and Settings\Jim\Desktop\UltraVNC Viewer.lnk
2014-12-26 21:18 - 2014-12-26 21:18 - 00000709 _____ () C:\Documents and Settings\Jim\Desktop\UltraVNC Server.lnk
2014-12-26 21:14 - 2014-12-26 21:14 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\TeamViewer 10
2014-12-24 08:58 - 2014-12-24 08:59 - 00000000 ____D () C:\Program Files\FireFox

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-27 16:57 - 2014-08-18 09:09 - 00000000 ____D () C:\Documents and Settings\Jim\Local Settings\Temp
2014-12-27 16:54 - 2008-11-23 08:00 - 00000000 ____D () C:\WINDOWS\system32\inetsrv
2014-12-27 16:52 - 2014-08-18 12:30 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-12-27 16:52 - 2011-08-31 07:12 - 00000000 ____D () C:\Program Files\iPod
2014-12-27 16:29 - 2014-05-01 14:03 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-27 14:29 - 2014-05-01 14:03 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-27 13:05 - 2012-08-19 19:56 - 00000284 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2014-12-27 09:42 - 2012-08-24 08:18 - 01857951 _____ () C:\WINDOWS\WindowsUpdate.log
2014-12-27 09:41 - 2012-08-31 14:30 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-12-27 09:41 - 2010-08-16 10:45 - 00001024 _____ () C:\.rnd
2014-12-27 09:41 - 2008-11-23 08:09 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-12-27 09:41 - 2008-11-23 08:09 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-12-27 09:40 - 2014-08-17 16:54 - 00000218 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-12-27 09:40 - 2012-08-26 20:50 - 00000000 ____D () C:\WINDOWS\Registration
2014-12-27 09:40 - 2008-11-23 12:49 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-12-27 09:39 - 2014-03-08 16:38 - 00239808 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-12-27 09:39 - 2008-11-23 12:49 - 00032512 _____ () C:\WINDOWS\SchedLgU.Txt
2014-12-27 09:38 - 2008-11-23 12:50 - 00000178 ___SH () C:\Documents and Settings\Jim\ntuser.ini
2014-12-27 09:34 - 2010-03-03 16:38 - 00000000 __SHD () C:\WINDOWS\CSC
2014-12-27 08:00 - 2014-02-27 03:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-12-27 07:52 - 2012-08-29 08:43 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-12-27 07:34 - 2008-11-23 22:30 - 00000000 ____D () C:\Dnload
2014-12-27 07:11 - 2008-11-24 08:18 - 00050424 _____ () C:\Documents and Settings\Jim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-12-27 07:07 - 2008-11-23 08:04 - 00214472 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-12-26 23:42 - 2010-10-12 20:55 - 00000000 ____D () C:\Documents and Settings\Jim\My Documents\CCleanerBackup
2014-12-26 23:41 - 2008-11-23 12:50 - 00000000 ____D () C:\Documents and Settings\Jim
2014-12-26 21:52 - 2012-03-06 07:51 - 00003369 _____ () C:\Delete.log
2014-12-26 21:50 - 2008-11-25 19:08 - 00000000 ____D () C:\Program Files\UltraVNC
2014-12-26 21:48 - 2010-10-12 14:11 - 00000000 ____D () C:\Program Files\CCleaner
2014-12-26 21:39 - 2014-01-24 12:01 - 00000000 ____D () C:\Program Files\TeamViewer
2014-12-26 21:18 - 2010-09-22 20:37 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\UltraVNC
2014-12-26 21:12 - 2014-08-17 14:56 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-12-26 21:07 - 2014-08-17 14:55 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-26 21:07 - 2014-08-17 14:55 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-26 21:07 - 2014-04-30 08:40 - 00000816 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-26 20:43 - 2001-08-23 04:00 - 00000799 _____ () C:\WINDOWS\win.ini
2014-12-26 19:57 - 2014-05-01 13:31 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-12-26 19:57 - 2014-05-01 13:31 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-12-26 19:48 - 2012-08-30 15:55 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-12-21 07:04 - 2008-12-02 08:40 - 00004184 ___SH () C:\WINDOWS\system32\KGyGaAvL.sys
2014-12-11 18:47 - 2008-12-02 09:13 - 00002485 _____ () C:\Documents and Settings\All Users\Desktop\WordPerfect X3.lnk
2014-12-08 15:00 - 2014-08-17 16:54 - 00000212 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-12-08 08:37 - 2014-04-29 13:09 - 00408280 _____ (BitDefender S.R.L.) C:\WINDOWS\system32\Drivers\trufos.sys
2014-12-08 08:35 - 2014-04-29 13:31 - 01073160 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avc3.sys
2014-12-07 14:46 - 2008-12-01 17:46 - 00000275 _____ () C:\WINDOWS\vuepro32.ini
2014-12-01 03:00 - 2012-03-21 14:07 - 00000356 _____ () C:\WINDOWS\Tasks\MyDefrag v4.3.1 Monthly.job
2014-11-27 16:40 - 2007-09-19 20:48 - 109818608 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

Files to move or delete:
====================
C:\Documents and Settings\Jim\jobq.dat


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Additions.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 27-12-2014
Ran by Jim at 2014-12-27 16:58:21
Running from C:\Documents and Settings\Jim\Desktop\SpywareRemovers
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus (Disabled - Up to date) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: ZoneAlarm Pro Firewall (Disabled) {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AboutTime (HKLM\...\AboutTime_is1) (Version:  - )
Active Ports (HKLM\...\Active Ports) (Version:  - )
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
Altap Salamander 3.0 (x86) (HKLM\...\Altap Salamander 3.0 (x86)) (Version: 3.0 - ALTAP)
Alt-Tab Task Switcher Powertoy for Windows XP (HKLM\...\{A7050037-F0EA-4BAB-BCD5-FC05507D6147}) (Version: 1.00.0001 - Microsoft Corporation)
AMD Catalyst Install Manager (HKLM\...\{B2393794-69B8-CD96-80CB-746DD220C15B}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
AnswerWorks 5.0 English Runtime (HKLM\...\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}) (Version: 5.0.7 - Vantage Software Technologies)
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.403.1.1-070912a-053410C-Lenovo - )
Atmel TPM Driver Installer 3.0.3.15 (HKLM\...\{BBD6BA59-4593-43CC-BBC8-8E53D354AEA4}) (Version: 3.0.3.15 - Atmel Corp)
AutoIt v3.3.8.1 (HKLM\...\AutoItv3) (Version:  - AutoIt Team)
Avanquest update (HKLM\...\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}) (Version: 1.18 - Avanquest Software)
AVS Update Manager 1.0 (HKLM\...\AVS Update Manager_is1) (Version:  - Online Media Technologies Ltd.)
AVS Video Converter 6 (HKLM\...\AVS4YOU Video Converter 6_is1) (Version:  - Online Media Technologies Ltd.)
AVS Video Converter 8 (HKLM\...\AVS4YOU Video Converter 7_is1) (Version:  - Online Media Technologies Ltd.)
AVS4YOU Software Navigator 1.4 (HKLM\...\AVS4YOU Software Navigator_is1) (Version:  - Online Media Technologies Ltd.)
Belarc Advisor 8.2 (HKLM\...\Belarc Advisor) (Version: 8.2.7.16 - Belarc Inc.)
Bitdefender Antivirus Plus (HKLM\...\Bitdefender) (Version: 17.27.0.1146 - Bitdefender)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Bonjour Print Services (HKLM\...\{9D210D79-AEC5-453B-960C-4DD2C73931E1}) (Version: 2.0.2.0 - Apple Inc.)
Broadcom Gigabit Integrated Controller (HKLM\...\{7E369B27-13E2-41A5-9879-358EE1C8B5AD}) (Version: 9.05.02 - Broadcom Corporation)
Broadcom TPM Driver Installer (HKLM\...\{9576B4EE-5E87-4C14-AFCE-2F6FC2B276B8}) (Version: 9.01.03 - Broadcom Corporation)
Catalyst Control Center - Branding (HKLM\...\{7CC853FD-298A-4AD5-A1D7-70ED2DCBFB3A}) (Version: 1.00.0000 - ATI)
ccc-core-preinstall (Version: 2007.0816.817.12778 - ATI) Hidden
ccc-core-static (Version: 2007.0816.817.12778 - ATI) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
CCScore (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
ClearType Tuning Control Panel Applet (HKLM\...\{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}) (Version: 1.01.0000 - Microsoft Corporation)
CopyProfile (HKLM\...\{9A9ED54A-0FAB-4D34-A3B9-F6C659E1F898}) (Version: 1.0.0 - Microsoft)
Corel Photo Album 6 (HKLM\...\{8A9B8148-DDD7-448F-BD6C-358386D32354}) (Version: 6.40 - Corel, Inc.)
Corel WinDVD 9 (HKLM\...\InstallShield_{E3993D46-AE3F-402E-9F9D-EEBDFBEC3564}) (Version: 9.0-B14.84 - Corel Corporation)
Corel WinDVD 9 (Version: 9.0-B14.84 - Corel Corporation) Hidden
Emicsoft MTS Converter (HKLM\...\Emicsoft MTS Converter_is1) (Version:  - )
erLT (Version: 1.20.0137 - Logitech, Inc.) Hidden
ERUNT 1.1j (HKLM\...\ERUNT_is1) (Version:  - Lars Hederer)
ESSBrwr (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
ESSCDBK (Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
ESScore (Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
ESSgui (Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
ESSini (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
ESSPCD (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
ESSPDock (Version: 6.03.0001.0004 - EASTMAN KODAK Company) Hidden
ESSTOOLS (Version: 5.00.0000.0004 - EASTMAN KODAK Company) Hidden
essvatgt (Version: 8.00.0000.0001 - EASTMAN KODAK Company) Hidden
Event Log Explorer 4.3 (HKLM\...\Event Log Explorer_is1) (Version: 4.3 - FSPro Labs)
FamilySearch Indexing 3.14.0 (HKLM\...\0591-8077-9297-0833) (Version: 3.14.0 - FamilySearch)
fflink (Version: 6.02.1001.0001 - EASTMAN KODAK Company) Hidden
fileacl (HKLM\...\{27AB7E90-D696-41F0-BEBB-29743EFC30FE}) (Version: 3.0.15 -  )
FileHippo.com Update Checker (HKLM\...\FileHippo.com) (Version:  - )
Foxit Phantom (HKLM\...\Foxit Phantom) (Version: 2.2.4.0225 - Foxit Software Company)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
GoPro Studio 2.0.1 (HKLM\...\GoPro Studio) (Version: 2.0.1 - WoodmanLabs Inc. d.b.a. GoPro)
HomeVision-Pro 3.5 (HKLM\...\HomeVision-Pro 3.5) (Version:  - )
HotFax MessageCenter (HKLM\...\HotFax MessageCenter) (Version:  - )
HP Color LaserJet CP1210 Series (HKLM\...\HP Color LaserJet CP1210 Series) (Version:  - )
HP Color LaserJet CP1210 Series Toolbox (HKLM\...\{1E187923-04E5-4E1F-9BF2-40E32D93A1C4}) (Version: 1.0.21 - Hewlett-Packard)
HPCarePackProducts (Version: 2.0.0.1 - HP) Hidden
hppusgCP1215 (Version: 000.000.00006 - ) Hidden
HSF2014 56K Data Fax Modem (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_201414F1) (Version:  - )
IBM AS/400 Client Access Express for Windows (HKLM\...\ClientAccessExpress) (Version:  - )
Image Resizer Powertoy for Windows XP (HKLM\...\{1CB92574-96F2-467B-B793-5CEB35C40C29}) (Version: 1.00.0001 - Microsoft Corporation)
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Jetsoft Art-Copy 7.6 - Business (HKLM\...\Jetsoft Art-Copy 7.6 - Business) (Version:  - )
jv16 PowerTools 2009 (HKLM\...\jv16 PowerTools 2009_is1) (Version:  - Macecraft Software)
K9 (HKLM\...\K9) (Version:  - )
kgcbaby (Version: 5.03.0000.0002 - EASTMAN KODAK Company) Hidden
kgchday (Version: 5.03.0000.0002 - EASTMAN KODAK Company) Hidden
kgchlwn (Version: 5.03.0000.0002 - EASTMAN KODAK Company) Hidden
kgcinvt (Version: 5.03.0000.0003 - EASTMAN KODAK Company) Hidden
kgckids (Version: 6.03.0001.0001 - EASTMAN KODAK Company) Hidden
kgcmove (Version: 6.03.0001.0001 - EASTMAN KODAK Company) Hidden
kgcvday (Version: 5.03.0000.0002 - EASTMAN KODAK Company) Hidden
Kodak EasyShare software (HKLM\...\{D32470A1-B10C-4059-BA53-CF0486F68EBC}) (Version:  - Eastman Kodak Company)
Macrium Reflect Free Edition (HKLM\...\MacriumReflect) (Version: 5.3 - Paramount Software (UK) Ltd.)
Macrium Reflect Free Edition (Version: 5.3.7149 - Paramount Software (UK) Ltd.) Hidden
magicJack (HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\magicJack) (Version: 3.1.6970.4873 - magicJack L.P.)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Windows Journal Viewer (HKLM\...\{43DCF766-6838-4F9A-8C91-D92DA586DFA8}) (Version: 1.5.2316.0 - Microsoft)
MiniTool Partition Wizard Professional Edition 7.5 (HKLM\...\{160479AF-4A05-4EE5-B3E7-1625227567EB}_is1) (Version:  - MiniTool Solution Ltd.)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
MyDefrag v4.3.1 (HKLM\...\MyDefrag v4.3.1_is1) (Version: 4.0.0.0 - J.C. Kessels)
MyInvoices & Estimates Deluxe (HKLM\...\{073786F2-18E0-439B-9A31-312B71FA48D5}) (Version: 8.0.0.0 - Avanquest Publishing USA, Inc.)
MySQL Connector/ODBC 5.1 (HKLM\...\{69733CDD-2AB0-44B7-979E-4753D810B103}) (Version: 5.1.11 - Oracle Corporation)
MySQL Installer (HKLM\...\{FE0E04A6-9CA8-4667-90A8-059C39D64873}) (Version: 1.1.4.0 - Oracle Corporation)
MySQL Notifier 1.0.3 (HKLM\...\{5681C7AB-E29D-4EE9-B0F0-809A28ECECFC}) (Version: 1.0.3 - Oracle)
MySQL Server 5.5 (HKLM\...\{4BCDC6E9-6C2B-46E4-BDC8-2AE0BF97DDA8}) (Version: 5.5.27 - Oracle Corporation)
MySQL Workbench 5.2 CE (HKLM\...\{232F51D0-D29F-4226-9285-FC84F4E5C7F8}) (Version: 5.2.42 - Oracle Corporation)
Nero 7 Ultra Edition (HKLM\...\{7516254D-7F98-49DD-8209-5D2208BD1033}) (Version: 7.03.0647 - Nero AG)
netbrdg (Version: 7.01.0000.0001 - EASTMAN KODAK Company) Hidden
OfotoXMI (Version: 8.03.0000.0001 - EASTMAN KODAK Company) Hidden
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
OpenMG Limited Patch 4.7-07-14-05-01 (HKLM\...\OpenMG HotFix4.7-07-13-22-01) (Version:  - )
OpenMG Secure Module 4.0.05 (Version: 4.0.05.10290 - Sony Corporation) Hidden
OpenMG Secure Module 4.7.00 (HKLM\...\InstallShield_{CCD663AE-610D-4BDF-AAB0-E914B044527D}) (Version: 4.7.00.12140 - Sony Corporation)
OpenMG Secure Module 4.7.00 (Version: 4.7.00.12140 - Sony Corporation) Hidden
pdfFactory Pro (HKLM\...\pdfFactory Pro) (Version: 4.65 - FinePrint Software, LLC)
Pegasus Mail (HKLM\...\Pegasus Mail) (Version:  - David Harris)
Pegasus Mail HTML Renderer 2.4.7.2 (HKLM\...\{A9F5E1E1-1281-4862-90B4-6CF8E6AF83CE}_is1) (Version:  - Micha's Midnight Manufacture)
PFPortChecker 1.0.39 (HKLM\...\PFPortChecker) (Version: 1.0.39 - Portforward.com)
Port Detective (HKLM\...\Port) (Version:  - )
PremiumSoft Navicat 10.1 for MySQL (HKLM\...\PremiumSoft Navicat for MySQL_is1) (Version: 10.1.5 - PremiumSoft CyberTech Ltd.)
Quicken 2011 (HKLM\...\{5FE545A1-D215-4216-9189-E7B39C9D1CC1}) (Version: 20.1.8.6 - Intuit)
SecureZIP for Windows 12.00.0017 (HKLM\...\{FB9589FD-F721-4C34-ACB6-C6169645EEB5}) (Version: 12.00.0017 - PKWARE, Inc)
SetACL Studio (HKLM\...\{2DD3F278-87D2-47BE-8A38-C3F709250CB7}) (Version: 1.2.2.0 - Helge Klein GmbH)
SFR (Version: 8.01.0000.0001 - Eastman Kodak Company) Hidden
SHASTA (Version: 7.01.0000.0001 - EASTMAN KODAK Company) Hidden
SIW version 2011.10.29 (HKLM\...\{AB67580-257C-45FF-B8F4-C8C30682091A}_is1) (Version: 2011.10.29 - Topala Software Solutions)
skin0001 (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
Skins (Version: 2007.0816.817.12778 - ATI) Hidden
SKINXSDK (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
SlimDrivers (HKLM\...\{1E91951D-0114-4692-8F55-F95E1B2F3542}) (Version: 2.2.22481 - SlimWare Utilities, Inc.)
Software Update for Web Folders (Version: 9.60.6715.0 - Microsoft Corporation) Hidden
SonicStage 4.3 (HKLM\...\{A0EB195B-5876-48E6-879D-33D4B2102610}) (Version: 4.3 - Sony Corporation)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.10.01.4325 - Analog Devices)
staticcr (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
stunnel (HKLM\...\stunnel) (Version:  - )
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamViewer 10 (HKLM\...\TeamViewer) (Version: 10.0.36897 - TeamViewer)
Total Uninstall 6.6.0 (HKLM\...\Total Uninstall 6_is1) (Version: 6.6.0 - Gavrila Martau)
Tweak UI (HKLM\...\Tweak UI 2.10) (Version:  - )
UltraEdit (HKLM\...\InstallShield_{635A6AF2-63AF-4C1C-AF57-BDC8AF6D397D}) (Version: 21.10.1023 - IDM Computer Solutions, Inc.)
UltraEdit (Version: 21.10.1023 - IDM Computer Solutions, Inc.) Hidden
UltraVnc (HKLM\...\Ultravnc2_is1) (Version: 1.2.0.5 - uvnc bvba)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Update Manager (Version: 4.60 - Corel Corporation) Hidden
User Profile Hive Cleanup Service (HKLM\...\{FF77941A-2BFA-4A18-BE2E-69B9498E4D55}) (Version: 1.6.30 - Microsoft Corporation)
VC 9.0 Runtime (Version: 1.0.0 - Check Point Software Technologies Ltd) Hidden
ViewSonic Monitor Drivers (HKLM\...\{48963B63-7A10-49D6-8B08-61E6132453D0}) (Version:  - )
ViewSonic Windows XP Signed Files (HKLM\...\{FC47C7A5-BE63-11D5-B7C9-005004566E4D}) (Version:  - )
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
VPRINTOL (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
VuePrint (HKLM\...\VuePrint) (Version:  - )
Weather Display 10.37R Build 22 (HKLM\...\Weather Display_is1) (Version:  - )
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices  (03/07/2012 ) (HKLM\...\0B624A43DD66DBF5CF3EDFA9741A364E688062A4) (Version: 03/07/2012  - GoPro)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
WinSnap (HKLM\...\WinSnap) (Version: 4.5.3 - NTWind Software)
WIRELESS (Version: 8.02.0000.0001 - EASTMAN KODAK Company) Hidden
Wise Plugin Manager 1.01 (HKLM\...\Wise Plugin Manager_is1) (Version: 1.01 - WiseCleaner.com, Inc.)
WordPerfect Office X3 (HKLM\...\_{54DB13F1-0CE0-4BAB-BD5F-7DE150C043C8}) (Version:  - Corel Corporation)
WordPerfect Office X3 (Version: 13.3 - Corel Corporation) Hidden
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden
ZoneAlarm Firewall (Version: 13.3.052.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Pro (HKLM\...\ZoneAlarm Pro) (Version: 13.3.052.000 - Check Point)
ZoneAlarm Security (Version: 13.3.052.000 - Check Point Software Technologies Ltd.) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{037FB476-15E0-4ED1-B11A-E420B750B1A8}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe (Macrovision Corporation)
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}\InprocServer32 -> C:\WINDOWS\system32\phototoys.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{2837E0FE-686B-4CB0-BE53-0EA097EAF71B}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{5AFAFE48-7107-4FE5-B21A-86A4254541DD}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe (Macrovision Corporation)
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{5B7524C8-2446-40E9-9474-94A779DBA224}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{621D3650-F1D3-414C-97F9-03A02B211261}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{623E415A-22EF-4DAA-A2FF-E68E77A673C9}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{885BB46A-3F1E-44C3-A01B-A7D9260CC98B}\InprocServer32 -> C:\WINDOWS\Downloaded Program Files\dwusplay.dll (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{915C2CEB-216B-4B7C-89E4-9ED3512D58D9}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{92C5E738-7372-4CD6-BE57-15833624EBF3}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{9CAAD2EA-177B-4D07-871F-47255B5D30F3}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{B391A1DB-28C8-4506-A43C-5BD6051F16BA}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{b5eedee0-c06e-11cf-8c56-444553540000}\InprocServer32 -> C:\Program Files\UltraEdit\ue32ctmn.dll ()
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{C2B53DC2-A658-4919-8B9A-BEAAEEDB0AB0}\InprocServer32 -> C:\Program Files\fileacl\fileaclCOM.dll ()
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E42CE23D-69F9-480A-A15F-BFF5E4D170C3}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe (Macrovision Corporation)
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E50C953D-311A-481B-8F8D-C55E65AF7417}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9880553-B8A7-4960-A668-95C68BED571E}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9A93328-79D4-4AED-A778-146E7191F8BC}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{F1522EC1-F84F-4CE2-A38C-F9384B0DFD41}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe (Macrovision Corporation)
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{FFF2D28F-E4EE-44D9-8104-8E71556757F6}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe (Macrovision Corporation)

==================== Restore Points  =========================

26-12-2014 21:30:22 Uninstalled with Total Uninstall "Malwarebytes Anti-Exploit version 1.05.1.1016"
27-12-2014 07:37:31 Installed NetLimiter 3
27-12-2014 07:54:40 Software Distribution Service 3.0
27-12-2014 08:20:55 Uninstalled with Total Uninstall "{00000001-0000-0000-0000-000000000000}"
27-12-2014 08:22:47 Uninstalled with Total Uninstall "{54A4143B-6B4B-4082-B248-643B25561CCB}"
27-12-2014 08:24:16 Uninstalled with Total Uninstall "NetLimiter 3"
27-12-2014 08:24:33 Removed NetLimiter 3
27-12-2014 16:54:21 Uninstalled with Total Uninstall "QuickTime 7"

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2001-08-23 04:00 - 2012-08-23 13:11 - 00000022 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1  localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\MyDefrag v4.3.1 Monthly.job => ?

==================== Loaded Modules (whitelisted) =============

2008-09-05 23:30 - 2010-03-15 17:00 - 00190976 _____ () C:\WINDOWS\system32\WgaLogon.dll
2014-04-29 13:31 - 2014-10-13 07:28 - 00204280 _____ () C:\Program Files\Bitdefender\Bitdefender\txmlutil.dll
2014-04-29 13:31 - 2014-08-13 00:44 - 00003072 _____ () C:\Program Files\Bitdefender\Bitdefender\UI\accessl.ui
2014-04-29 13:31 - 2014-08-13 00:44 - 00004608 _____ () C:\Program Files\Bitdefender\Bitdefender\UI\IMSecurityAL.ui
2014-07-23 23:21 - 2014-07-23 23:21 - 00676568 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttpbr.mdl
2014-07-23 23:21 - 2014-07-23 23:21 - 00490144 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttpdsp.mdl
2014-07-23 23:21 - 2014-07-23 23:21 - 02138096 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttpph.mdl
2014-07-23 23:21 - 2014-07-23 23:21 - 01128744 _____ () C:\Program Files\Bitdefender\Bitdefender\otengines_00040_008\ashttprbl.mdl
2010-07-04 13:32 - 2010-07-04 13:32 - 00004608 _____ () C:\Program Files\Unlocker\UnlockerHook.dll
2008-11-30 09:20 - 2004-02-27 12:24 - 00026448 _____ () C:\WINDOWS\system32\SMFaxMon.dll
2007-02-08 18:14 - 2007-02-08 18:14 - 00174656 _____ () C:\WINDOWS\system32\PSIService.exe
2008-09-20 12:47 - 2008-09-20 12:47 - 00091648 _____ () C:\Program Files\stunnel\stunnel.exe
2008-09-20 12:19 - 2008-09-20 12:19 - 00306052 _____ () C:\Program Files\stunnel\libssl32.dll
2008-09-20 12:19 - 2008-09-20 12:19 - 01420256 _____ () C:\Program Files\stunnel\libeay32.dll
2008-09-20 12:20 - 2008-09-20 12:20 - 00074240 _____ () C:\Program Files\stunnel\ZLIB1.dll
2010-09-22 20:37 - 2012-09-10 21:50 - 00412920 _____ () C:\Program Files\UltraVNC\SecureVNCPlugin.dsm
2007-09-19 20:34 - 2013-01-01 22:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2004-08-03 15:56 - 2008-04-13 16:11 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2004-08-03 15:56 - 2008-04-13 16:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2010-07-04 11:51 - 2010-07-04 11:51 - 00017408 _____ () C:\Program Files\Unlocker\UnlockerAssistant.exe
2014-02-12 19:58 - 2014-02-12 19:58 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\WINDOWS\system32\cdm.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\muweb.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuapi.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuapi.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuauclt.exe:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaucpl.cpl:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaucpl.cpl.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaueng.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaueng.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wucltui.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wucltui.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wups.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wups2.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuweb.dll:BDU
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:054203E4

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1659004503-1788223648-725345543-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1659004503-1788223648-725345543-1007 - Limited - Enabled) => %SystemDrive%\Documents and Settings\JIMSDESKTOP\ASPNET
ATUUser5 (S-1-5-21-1659004503-1788223648-725345543-1008 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\ATUUser5
Gary (S-1-5-21-1659004503-1788223648-725345543-1010 - Administrator - Enabled)
Guest (S-1-5-21-1659004503-1788223648-725345543-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1659004503-1788223648-725345543-1000 - Limited - Disabled)
IUSR_JIMSDESKTOP (S-1-5-21-1659004503-1788223648-725345543-1012 - Limited - Enabled)
IWAM_JIMSDESKTOP (S-1-5-21-1659004503-1788223648-725345543-1013 - Limited - Enabled)
Jim (S-1-5-21-1659004503-1788223648-725345543-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Jim
SUPPORT_388945a0 (S-1-5-21-1659004503-1788223648-725345543-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (12/27/2014 09:41:29 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (12/27/2014 09:36:05 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (12/27/2014 08:25:00 AM) (Source: NetDDE) (EventID: 206) (User: )
Description: Listen failed: 15:

Error: (12/27/2014 08:24:56 AM) (Source: NetDDE) (EventID: 206) (User: )
Description: Listen failed: 23: The ncb_lana_num member did not specify a valid network number.

Error: (12/27/2014 07:41:33 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (12/27/2014 07:38:05 AM) (Source: NetDDE) (EventID: 206) (User: )
Description: Listen failed: 15:

Error: (12/27/2014 07:38:03 AM) (Source: NetDDE) (EventID: 206) (User: )
Description: Listen failed: 23: The ncb_lana_num member did not specify a valid network number.

Error: (12/27/2014 07:10:33 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (12/27/2014 07:06:01 AM) (Source: PlugPlayManager) (EventID: 11) (User: )
Description: The device Root\LEGACY_ESPROTECTIONDRIVER\0000 disappeared from the system without first being prepared for removal.

Error: (12/26/2014 07:51:10 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor:  Intel® Pentium® D CPU 3.40GHz
Percentage of memory in use: 34%
Total physical RAM: 3070.22 MB
Available physical RAM: 2007.8 MB
Total Pagefile: 7513.2 MB
Available Pagefile: 6449.63 MB
Total Virtual: 2047.88 MB
Available Virtual: 1920.07 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:90.3 GB) (Free:54.53 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive f: (BACKUP) (Fixed) (Total:113.4 GB) (Free:6.67 GB) NTFS
Drive g: (MyFiles) (Fixed) (Total:29.16 GB) (Free:14.56 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: B435B435)
Partition 1: (Active) - (Size=90.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=29.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=113.4 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

Thank you,

 

Docfxit


  • 0
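Before any removal script is written, the first question a practitioner asks about unexplained traffic on a port is which process owns the socket. On Windows XP SP2 and later, `netstat -ano` prints the owning PID for every TCP and UDP endpoint and `tasklist` maps PIDs to image names, so the two outputs only need to be joined on the PID column. One caveat matters for a number like 1318: XP hands out dynamic (client) ports from the 1025-5000 range by default, so a port in that range is at least as likely to be the local end of an outbound connection (the remote-control session itself, or a browser connection) as it is to be a listener. The script below is an added example, not code from this thread or from any of the tools discussed here; it parses both command outputs and reports, for each socket touching the port, the owning process and whether the port is the local or the remote end. The two embedded samples are constructed to look like XP output, and every address, PID and image name in them is hypothetical. The function names (`sockets_on_port`, `live`) are this example's own.

```python
"""Find the process behind traffic on a given port by correlating
`netstat -ano` with `tasklist` (both present on Windows XP SP2 and later).

Added example for this thread; this is not code from the forum or from any
of the tools discussed. SAMPLE_NETSTAT and SAMPLE_TASKLIST are constructed
to look like XP output; every address, PID and image name in them is
hypothetical.
"""
import re
import subprocess

# netstat -ano rows: Proto, Local Address, Foreign Address, [State], PID.
# UDP rows have no State column, hence the optional group.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# tasklist columns: Image Name, PID, Session Name, Session#, Mem Usage.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:1318      203.0.113.10:443       ESTABLISHED     2244
  TCP    192.168.1.20:1319      203.0.113.10:443       ESTABLISHED     2244
  TCP    192.168.1.20:5900      192.168.1.5:1318       ESTABLISHED     1480
  UDP    0.0.0.0:1318           *:*                                    1120
"""

SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    900 Console                    0      5,204 K
winvnc.exe                    1480 Console                    0      6,112 K
firefox.exe                   2244 Console                    0    118,560 K
example_svc.exe               1120 Console                    0      1,932 K
"""


def port_of(addr):
    """Port of an 'ip:port' (or '[ipv6]:port') address; None for the wildcard '*:*'."""
    port = addr.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"proto": m.group("proto"), "local": m.group("local"),
                         "remote": m.group("remote"), "state": m.group("state") or "",
                         "pid": int(m.group("pid"))})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (image names may contain spaces)."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image").strip()
    return procs


def sockets_on_port(port, netstat_text, tasklist_text):
    """Every socket whose local or remote end uses `port`, with its owning image name.

    The 'end' field says whether `port` is the local or the remote side, which is
    what distinguishes a listener from the ephemeral end of an outbound connection.
    """
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        for end in ("local", "remote"):
            if port_of(row[end]) == port:
                hit = dict(row)
                hit["end"] = end
                hit["process"] = procs.get(row["pid"], "<pid not in tasklist>")
                hits.append(hit)
    return hits


def live(port):
    """Run the real commands on the Windows machine and correlate them (Windows only)."""
    ns = subprocess.check_output(["netstat", "-ano"], universal_newlines=True)
    tl = subprocess.check_output(["tasklist"], universal_newlines=True)
    return sockets_on_port(port, ns, tl)


if __name__ == "__main__":
    for h in sockets_on_port(1318, SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("{proto:<4} {local:<22} {remote:<22} {state:<12} pid {pid:<5} "
              "{process} ({end} end)".format(**h))
```

Run as-is it reports against the constructed samples; on the affected machine call `live(1318)` instead, or paste the saved output of the two commands into the sample strings. The script deliberately avoids syntax newer than Python 3.4, the last release that still runs on XP, but it is equally usable on the helper's own machine against output copied from the XP box.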

#4
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Hello,

Could you create a restore point before we begin? See Here

Re: These Firefox extensions:
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-05-29]
See Here

I have never seen this particular issue on a machine with the Firefox extensions (DotNetAssistantExtension). I'm wondering if that's causing the issue you describe, and if it isn't, we don't want them there anyway as far as I can see. I have them in the fix along with the associated registry key, along with some routine clean-up.

A few items to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
 
start
CloseProcesses:
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-05-29]
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [fsm] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 NLNdisMP; system32\DRIVERS\nlndis.sys [X]
S3 NLNdisPT; system32\DRIVERS\nlndis.sys [X]
2014-12-27 07:38 - 2014-12-27 08:25 - 00000000 __SHD () C:\WINDOWS\system32\AI_RecycleBin
02 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKCU..\Run: [fsm]  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{2837E0FE-686B-4CB0-BE53-0EA097EAF71B}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{5B7524C8-2446-40E9-9474-94A779DBA224}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{621D3650-F1D3-414C-97F9-03A02B211261}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{623E415A-22EF-4DAA-A2FF-E68E77A673C9}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{915C2CEB-216B-4B7C-89E4-9ED3512D58D9}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{92C5E738-7372-4CD6-BE57-15833624EBF3}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{9CAAD2EA-177B-4D07-871F-47255B5D30F3}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{B391A1DB-28C8-4506-A43C-5BD6051F16BA}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E50C953D-311A-481B-8F8D-C55E65AF7417}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9880553-B8A7-4960-A668-95C68BED571E}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9A93328-79D4-4AED-A778-146E7191F8BC}\localserver32 -> No File Path
AlternateDataStreams: C:\WINDOWS\system32\cdm.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\muweb.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuapi.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuapi.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuauclt.exe:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaucpl.cpl:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaucpl.cpl.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaueng.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaueng.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wucltui.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wucltui.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wups.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wups2.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuweb.dll:BDU
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:054203E4
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
REG: reg delete "HKLM\SOFTWARE\Mozilla\Firefox\Extensions" /v "{20a82645-c095-46ed-80e3-08825760534b}" /f 
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
hosts:
Emptytemp:
reboot:
end

Click Format and ensure Wordwrap is unchecked.
Save as Fixlist.txt to your Desktop (Must be in this location)
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.


Next, this is also from the link provided above:
  • Launch Firefox, go to the Firefox address bar and type in 'about:config'
  • Scroll down or use 'Filter' to find Preference name 'general.useragent.extra.microsoftdotnet'
  • Right-click on the item and select 'reset'
  • Restart Firefox
Remove the .NET Framework extension files. To do this, follow these steps:
  • Go to the Start Menu, and choose 'Run...'
  • Type in 'explorer' and hit Enter or click 'OK'
  • Go to '%SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\'
  • Delete the 'DotNetAssistantExtension' folder and all its contents
In your next reply post:

Fixlog.txt
  • 0

#5
docfxit

docfxit

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

Thank you for the assistance.

 

Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-12-2014
Ran by Jim at 2014-12-28 09:41:13 Run:1
Running from C:\Documents and Settings\Jim\Desktop\SpywareRemovers
Loaded Profile: Jim (Available profiles: Jim & ASPNET & ATUUser5 & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-05-29]
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\...\Run: [fsm] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 NLNdisMP; system32\DRIVERS\nlndis.sys [X]
S3 NLNdisPT; system32\DRIVERS\nlndis.sys [X]
2014-12-27 07:38 - 2014-12-27 08:25 - 00000000 __SHD () C:\WINDOWS\system32\AI_RecycleBin
02 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKCU..\Run: [fsm]  File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{2837E0FE-686B-4CB0-BE53-0EA097EAF71B}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{5B7524C8-2446-40E9-9474-94A779DBA224}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{621D3650-F1D3-414C-97F9-03A02B211261}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{623E415A-22EF-4DAA-A2FF-E68E77A673C9}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{915C2CEB-216B-4B7C-89E4-9ED3512D58D9}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{92C5E738-7372-4CD6-BE57-15833624EBF3}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{9CAAD2EA-177B-4D07-871F-47255B5D30F3}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{B391A1DB-28C8-4506-A43C-5BD6051F16BA}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E50C953D-311A-481B-8F8D-C55E65AF7417}\localserver32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9880553-B8A7-4960-A668-95C68BED571E}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9A93328-79D4-4AED-A778-146E7191F8BC}\localserver32 -> No File Path
AlternateDataStreams: C:\WINDOWS\system32\cdm.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\muweb.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuapi.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuapi.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuauclt.exe:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaucpl.cpl:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaucpl.cpl.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaueng.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuaueng.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wucltui.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wucltui.dll.mui:BDU
AlternateDataStreams: C:\WINDOWS\system32\wups.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wups2.dll:BDU
AlternateDataStreams: C:\WINDOWS\system32\wuweb.dll:BDU
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:054203E4
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
REG: reg delete "HKLM\SOFTWARE\Mozilla\Firefox\Extensions" /v "{20a82645-c095-46ed-80e3-08825760534b}" /f
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
hosts:
Emptytemp:
reboot:
end
*****************

Processes closed successfully.
HKLM\Software\Mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b} => value deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension => Moved successfully.
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run\\fsm => value deleted successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => Key not found.
"HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value deleted successfully.
HKU\S-1-5-21-1659004503-1788223648-725345543-1003\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
Lbd => Service deleted successfully.
lmimirr => Service deleted successfully.
NLNdisMP => Service deleted successfully.
NLNdisPT => Service deleted successfully.
"C:\WINDOWS\system32\AI_RecycleBin" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\02 - BHO: (no name) - AutorunsDisabled - No CLSID value found. => Key not found.
HKCR\CLSID\02 - BHO: (no name) - AutorunsDisabled - No CLSID value found. => Key not found.
\\O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. => Value not found.
HKCR\CLSID\O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. => Key not found.
O4 - HKCU..\Run: [fsm]  File not found => Error: No automatic fix found for this entry.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present => Error: No automatic fix found for this entry.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{2837E0FE-686B-4CB0-BE53-0EA097EAF71B}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{5B7524C8-2446-40E9-9474-94A779DBA224}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{621D3650-F1D3-414C-97F9-03A02B211261}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{623E415A-22EF-4DAA-A2FF-E68E77A673C9}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{915C2CEB-216B-4B7C-89E4-9ED3512D58D9}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{92C5E738-7372-4CD6-BE57-15833624EBF3}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{9CAAD2EA-177B-4D07-871F-47255B5D30F3}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{B391A1DB-28C8-4506-A43C-5BD6051F16BA}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E50C953D-311A-481B-8F8D-C55E65AF7417}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9880553-B8A7-4960-A668-95C68BED571E}" => Key deleted successfully.
"HKU\S-1-5-21-1659004503-1788223648-725345543-1003_Classes\CLSID\{E9A93328-79D4-4AED-A778-146E7191F8BC}" => Key deleted successfully.
C:\WINDOWS\system32\cdm.dll => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\muweb.dll => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuapi.dll => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuapi.dll.mui => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuauclt.exe => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuaucpl.cpl => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuaucpl.cpl.mui => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuaueng.dll => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuaueng.dll.mui => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wucltui.dll => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wucltui.dll.mui => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wups.dll => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wups2.dll => ":BDU" ADS removed successfully.
C:\WINDOWS\system32\wuweb.dll => ":BDU" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":054203E4" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MSIServer" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vsmon" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys" => Key deleted successfully.

========= reg delete "HKLM\SOFTWARE\Mozilla\Firefox\Extensions" /v "{20a82645-c095-46ed-80e3-08825760534b}" /f =========


Error:  The system was unable to find the specified registry key or value


========= End of Reg: =========


=========  netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.


========= End of CMD: =========


=========  ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========


=========  netsh int ipv4 reset =========

The following command was not found: int ipv4 reset.

========= End of CMD: =========


=========  netsh int ipv6 reset =========

IPv6 is not installed.


========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
 

 

Thank you,

 

Docfxit


  • 0
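Reading a Fixlog by eye is error-prone once it runs to a hundred lines, and the one above has several results that are not plain successes: keys reported as not found, two entries with "No automatic fix found for this entry", a `reg delete` that failed because an earlier line of the same fixlist had already deleted that value, and a `netsh int ipv4 reset` that XP's netsh does not recognise (the XP context is `interface ip`). The script below is an added example, not code from this thread or from FRST itself: it parses a Fixlog in the format shown in the previous two posts (the fix instructions and the resulting log) and lists the entries a helper would want to re-check by hand. The embedded `SAMPLE_FIXLOG` is a constructed excerpt that follows that format with the SID elided; the status phrases it looks for ("successfully", "not found", "Error") are the ones visible in the posted log. The function names `summarize`, `classify` and `needs_attention` are this example's own.

```python
"""Summarise a Farbar Recovery Scan Tool (FRST) Fixlog.

Added example for this thread; this is not code from the forum or from FRST.
Each result line of a Fixlog has the form "<target> => <status>", and each
fixlist command (REG:/CMD:) gets its own block delimited by
"========= <command> =========" ... "========= End of CMD: =========".
The parser classifies the status of every entry so that items the fix did
not actually handle stand out.  SAMPLE_FIXLOG is a constructed excerpt that
follows the format of the log posted above.
"""
import re

RESULT_RE = re.compile(r"^(?P<target>.+?) => (?P<status>.+)$")
BLOCK_START_RE = re.compile(r"^=========\s+(?P<cmd>.+?)\s+=========$")
BLOCK_END_RE = re.compile(r"^========= End of (?:CMD|Reg): =========$")

SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 27-12-2014
Ran by Jim at 2014-12-28 09:41:13 Run:1

Content of fixlist:
*****************
start
HKU\S-1-5-21-...-1003\...\Run: [fsm] => [X]
end
*****************

Processes closed successfully.
HKLM\Software\Mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b} => value deleted successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => Key not found.
Lbd => Service deleted successfully.
"C:\WINDOWS\system32\AI_RecycleBin" => File/Directory not found.
O4 - HKCU..\Run: [fsm]  File not found => Error: No automatic fix found for this entry.
C:\WINDOWS\system32\cdm.dll => ":BDU" ADS removed successfully.

========= reg delete "HKLM\SOFTWARE\Mozilla\Firefox\Extensions" /v "{20a82645-c095-46ed-80e3-08825760534b}" /f =========

Error:  The system was unable to find the specified registry key or value

========= End of Reg: =========

=========  netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.

========= End of CMD: =========

=========  netsh int ipv4 reset =========

The following command was not found: int ipv4 reset.

========= End of CMD: =========
"""


def classify(status):
    """Map a Fixlog status phrase to one of: ok, not_found, error, other."""
    if "successfully" in status:
        return "ok"
    if "not found" in status:
        return "not_found"
    if status.startswith("Error"):
        return "error"
    return "other"


def summarize(log_text):
    """Parse a Fixlog into result buckets plus one record per command block."""
    summary = {"ok": [], "not_found": [], "error": [], "other": [], "commands": {}}
    current_cmd = None
    in_fixlist = False
    stars_seen = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The log starts by echoing the fixlist between two lines of asterisks;
        # those lines are instructions, not results, so skip them.
        if line == "Content of fixlist:":
            in_fixlist, stars_seen = True, 0
            continue
        if in_fixlist:
            if set(line) == {"*"}:
                stars_seen += 1
                in_fixlist = stars_seen < 2
            continue
        # Inside a REG:/CMD: block, collect output and flag obvious failures.
        if current_cmd is not None:
            if BLOCK_END_RE.match(line):
                current_cmd = None
            else:
                block = summary["commands"][current_cmd]
                block["output"].append(line)
                if line.startswith("Error") or "not found" in line:
                    block["failed"] = True
            continue
        if BLOCK_END_RE.match(line):
            continue
        m = BLOCK_START_RE.match(line)
        if m:
            current_cmd = m.group("cmd")
            summary["commands"][current_cmd] = {"output": [], "failed": False}
            continue
        m = RESULT_RE.match(line)
        if m:
            summary[classify(m.group("status"))].append(m.group("target"))
    return summary


def needs_attention(summary):
    """Entries a human should re-check: targets not found, errors, failed commands."""
    items = ["{}: not found".format(t) for t in summary["not_found"]]
    items += ["{}: error".format(t) for t in summary["error"]]
    items += ["{}: command failed".format(c)
              for c, block in summary["commands"].items() if block["failed"]]
    return items


if __name__ == "__main__":
    s = summarize(SAMPLE_FIXLOG)
    print("{} ok, {} need attention".format(len(s["ok"]), len(needs_attention(s))))
    for item in needs_attention(s):
        print("  " + item)
```

Pointing `summarize` at the full Fixlog.txt instead of the sample (read the file and pass its text) gives the same three buckets; a "not found" target is usually harmless (the entry was already gone, as with the duplicated extension value above), whereas an "Error: No automatic fix found" line means the entry was copied from a log format FRST cannot act on and still needs a manual decision.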

#6
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Hello,

Run a Malwarebytes scan. If you already have Malwarebytes then you will of course not have to download it. Here are the instructions:

Please download Malwarebytes Anti-Malware to your desktop
Install the programme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

Go back to the Dashboard and select Scan Now

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Post that log
  • 0

#7
docfxit

docfxit

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

Thank you for the suggestion,

 

Malwarebytes.log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/28/2014
Scan Time: 3:16:54 PM
Logfile: MalwareBytes2014-12-28.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.28.12
Rootkit Database: v2014.12.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Jim

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 456738
Time Elapsed: 26 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

Thanks,

 

Docfxit


  • 0

#8
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Hello,

How is the file situation with Firefox now? Let's also scan for adware.

Next

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
  • NOTE: If you get an error message, it means that nothing was found. Exit from AdwCleaner.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner
  • Next

    thisisujrt.gif Please download Junkware Removal Tool to your Desktop.

    Please close your security software to avoid potential conflicts. See Here how to disable you security protection (Anti Virus)
    Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
    The tool will open and start scanning your system.
    Please be patient as this can take a while to complete, depending on your system's specifications.
    On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
    Please post the contents of JRT.txt into your reply.

    In your next reply post;
    • The AdwCleaner [S0].txt Log
    • The JRT.txt Log
    Thanks
    Joe :)

  • 0

#9
docfxit

docfxit

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

Thanks for working on this with me.

 

JRT.log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Microsoft Windows XP x86
Ran by Jim on Sun 12/28/2014 at 18:10:42.68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/28/2014 at 18:16:39.96
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

AdwCleaner.log

# AdwCleaner v4.106 - Report created 28/12/2014 at 17:59:55
# Updated 21/12/2014 by Xplode
# Database : 2014-12-28.1 [Live]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Jim - JIMSDESKTOP
# Running from : C:\Documents and Settings\Jim\Desktop\SpywareRemovers\adwcleaner_4.106.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v34.0.5 (x86 en-US)


*************************

AdwCleaner[R0].txt - [1453 octets] - [17/08/2014 16:46:35]
AdwCleaner[R1].txt - [987 octets] - [27/12/2014 17:05:31]
AdwCleaner[R2].txt - [1026 octets] - [28/12/2014 17:53:21]
AdwCleaner[S0].txt - [1374 octets] - [17/08/2014 16:51:37]
AdwCleaner[S1].txt - [1049 octets] - [27/12/2014 17:09:36]
AdwCleaner[S2].txt - [949 octets] - [28/12/2014 17:59:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1008 octets] ##########
 

After running both of these programs I cleared out all the files in:

C:\Documents and Settings\Jim\Local Settings\Application Data\Mozilla\Firefox\Profiles\pel3t8hs.default-1408316845401\cache2\entries

 

I opened up Firefox and went to:

https://www.java.com...stallapplet.jsp

 

I closed Firefox and ended up with 45 files in the above folder.

 

I can't understand what those files might be from.  It sure is a lot of traffic that I don't think is needed:

 

FileName                                  FileSize
1B807528B2F1289537C18AB88DFB85D30ECCF50A  35412
1D3A1CEF2BFADD85853ACF6BD064B82DA3C1E8EB  6894
2D193EBFDAB2E1D5ED66417BC9CC84925FF7DE1B  8262
5A18144F9BBEAC235A9119F74EE5290E3D2FDA07  2060
5BC0D6F02F9234634B2F16966748289D42E854D6  2133
6EE9491A2DB0476ED1B2C63DC6AD024BD1786360  2638
06FCF8BF5DB5F51F95443A8D32E4309EAEF5CC57  2951
8FCBFD40C1EFC07F7AB16B5E2FE5485FBF6FA2EE  3127
15E6DFDEA6B5852ED2A1C55FEC149D4D5A947C28  5115
23FCEA80C800A57801C2235DA1BD556331D1B471  8174
58D14312688A7411D05AA149080369CD118EEC3B  37996
72EC6AB602DDF7684F856896F7D3C08609525447  18827
0089F1D04A411C237FB41222B2FA32D0E42F485F  3157
355E519ECDC120F148A6B718A237764DADAA3E47  7416
653F73CB0624359E2AAE9520E3E9958B365FB9EF  14573
824DA89A3A961406F62E9BE3ED1777231225193C  5976
4766E908506DF794744E34D50C570E090988D2A0  2630
6541AA835C2436E683D47DBD90FA841332F3A734  15893
7151EFE35E834D3C136E892D52EFCDDD3DC7BC05  6761
9288AC3B68A4D1D2B562A188E30ACD2515A3CC4E  13576
9980C07B4A94A2E9E0B49FFF5788AAC55719C0E5  15913
31248CA38F20B09B9DE3DA45314C10F25B5D357D  8504
49251FD46D5C68714A75DF74ACCD3D311CA46C0C  20882
87004A6ED54C5106391D794395E887BB83D8E262  35945
170491E7137C9B7590E12728FD85D680CAD8B2C8  30171
5965744ECBF1BE72D5C91035CABB1990AECF79CB  7763
A6BC3E04B9800FBC4DA88DF9D3E249CA7CD38160  4533
AAC78B23D54501CDC25F086552BB107A8822C6C5  2601
B348B1CEB7EA8E5C60A395641EEAFB2153FEF433  5581
BE784179DBD9E5005A3F9038F776EA7586255BD2  4380
C1FE16981DFDCE4823CA995A621E52C7EF4DB387  11777
C4B4BFFE92BBCC2438ECACAD7CEC2B7EA8E9E77E  3436
C572B7EC9E7BEB33987449D191C05DE05422E927  3795
C1487DE5DE379D5CC5537768DF405C234C2DFF2D  2493
CA761148A4C0E0F0A8340B3224F51DCAA43BB32D  5841
CAA9BEA7D757047F29D58F7F32001824088971CD  2666
D0BE474A8C55D875B0149A515EC49533C4EAF5F6  12433
D7FA2D3D6A0CF7A384C0842C0B596DB2A3FD7B77  2709
DC8988CE2F2C1FBE9AD19FD57AA5AAB58977FD33  13615
E2A432FE4C9D0070EEA636B639E89869FEAAD64B  2773
EC10AA031922485FC1AE9D27815A633E79991F26  17192
EF9B106CA88BC70115F89C1ABF73DA60037801BE  10211
F1A4280CAF308B9C39BE5BD8364F28C11F459D1A  13141
F4DD521580140423E15789A83F6D6643C7B0083D  13086
F23E8CD1CE84519674243FFD4755BE2C450B5B8B  20800

Thanks,

 

Docfxit
 


  • 0
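Editor's note, added to this thread and not written by either poster: the file names in the list above are 40 hex digits, which is what the Firefox cache2 backend produces (each entry file is named after the SHA-1 of its cache key, and the key contains the URL that was fetched). The script below is an added example that reads such entry files and reports which URL each one belongs to, so a folder like this can be inventoried without guessing. It assumes the cache2 entry layout as I know it (data, then metadata, then a big-endian 32-bit offset of the metadata at the very end; the metadata holding a 32-bit hash, one 16-bit hash per 256 KiB data chunk, a header of 32-bit fields with the key size in the seventh field and a flags field from version 2 on, the NUL-terminated key, and NUL-separated name/value elements); the "a,:" key prefix, the sample URL and the sample data are constructed for the example; verify the layout against the Firefox version you are examining.

```python
"""Inventory a Firefox cache2 'entries' folder: which URL created each file.

Added example (editor's, not from the thread). Layout assumptions, to be
checked against your Firefox version:
  [data][metadata][uint32 big-endian: byte offset where metadata starts]
  metadata = uint32 hash
           + one uint16 chunk hash per 256 KiB of data
           + header of uint32 fields: version, fetchCount, lastFetched,
             lastModified, frecency, expirationTime, keySize (+ flags if
             version >= 2)
           + key bytes + NUL
           + elements as NUL-separated name/value strings
  key looks like "<enhance id>:<url>", e.g. "a,:https://host/path"
  file name = uppercase hex SHA-1 of the key
"""
import hashlib
import os
import struct

CHUNK_SIZE = 256 * 1024  # assumed cache2 chunk size


def parse_cache2_entry(blob: bytes) -> dict:
    """Return version, key, url, data size, fetch count and elements of one entry."""
    if len(blob) < 4:
        raise ValueError("entry too short to hold a metadata offset")
    (meta_off,) = struct.unpack(">I", blob[-4:])
    meta_end = len(blob) - 4
    if meta_off > meta_end:
        raise ValueError("metadata offset points past end of file")
    hash_count = (meta_off + CHUNK_SIZE - 1) // CHUNK_SIZE
    pos = meta_off + 4 + 2 * hash_count          # skip hash + chunk hashes
    if pos + 4 > meta_end:
        raise ValueError("truncated metadata header")
    (version,) = struct.unpack(">I", blob[pos:pos + 4])
    n_fields = 7 if version == 1 else 8          # flags field added in v2
    hdr_len = 4 * n_fields
    if pos + hdr_len > meta_end:
        raise ValueError("truncated metadata header")
    hdr = struct.unpack(">%dI" % n_fields, blob[pos:pos + hdr_len])
    key_size = hdr[6]
    key_start = pos + hdr_len
    key_end = key_start + key_size
    if key_end + 1 > meta_end or blob[key_end:key_end + 1] != b"\0":
        raise ValueError("key is not NUL-terminated; not a cache2 entry?")
    key = blob[key_start:key_end].decode("utf-8", "replace")
    parts = blob[key_end + 1:meta_end].split(b"\0")
    if parts and parts[-1] == b"":
        parts.pop()                              # trailing NUL of last value
    elements = {n.decode("utf-8", "replace"): v.decode("utf-8", "replace")
                for n, v in zip(parts[0::2], parts[1::2])}
    return {
        "version": version,
        "key": key,
        "url": key.split(":", 1)[1] if ":" in key else key,
        "data_size": meta_off,
        "fetch_count": hdr[1],
        "elements": elements,
    }


def expected_filename(key: str) -> str:
    """cache2 names the entry file after the SHA-1 of its key (assumption)."""
    return hashlib.sha1(key.encode("utf-8")).hexdigest().upper()


def build_cache2_entry(url: str, data: bytes, version: int = 2,
                       elements=None) -> bytes:
    """Construct a synthetic entry in the layout above (for offline testing)."""
    key = "a,:" + url                            # constructed enhance id prefix
    hash_count = (len(data) + CHUNK_SIZE - 1) // CHUNK_SIZE
    meta = struct.pack(">I", 0) + b"\0\0" * hash_count
    fields = [version, 1, 0, 0, 0, 0, len(key.encode())]
    if version >= 2:
        fields.append(0)
    meta += struct.pack(">%dI" % len(fields), *fields)
    meta += key.encode() + b"\0"
    for name, value in (elements or {}).items():
        meta += name.encode() + b"\0" + value.encode() + b"\0"
    return data + meta + struct.pack(">I", len(data))


def inventory(entries_dir: str) -> list:
    """Parse every file in an entries folder; reads only, modifies nothing."""
    rows = []
    for name in sorted(os.listdir(entries_dir)):
        with open(os.path.join(entries_dir, name), "rb") as fh:
            blob = fh.read()
        try:
            info = parse_cache2_entry(blob)
        except ValueError as exc:
            rows.append({"file": name, "error": str(exc)})
            continue
        rows.append({"file": name, "url": info["url"],
                     "data_size": info["data_size"],
                     "name_matches_key": expected_filename(info["key"]) == name})
    return rows


if __name__ == "__main__":
    import sys
    for row in inventory(sys.argv[1]):   # pass the cache2\entries folder path
        print(row)
```

Run it against a copy of the entries folder (copy the folder first so Firefox is not writing to it while you read). A file whose name does not match the SHA-1 of its own key, or that fails to parse at all, is worth a closer look; a long list of entries whose URLs all belong to the sites just visited is the cache doing its job.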

#10
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Sorry I had you run those tools twice, maybe I need a break :)

Anyway,

Did some research, but can only find instructions for clearing them out. :(
http://techdows.com/...fox-cache2.html

Other than that, I'm not sure where all the files are coming from or if it's normal operation. I don't use Firefox anymore so I can't do a comparison. I may download it and fool with it though.

Let's remove the tools we used and the log files that were created on your computer.

Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report.
    Paste it for my review.
Thanks
Joe :)
  • 0

#11
docfxit

docfxit

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

Well that wasn't good.  I ran DelFix.  It appears DelFix changed Firefox to make it back to First Run.  That wiped out all bookmarks in Firefox.  It also wiped out all Quick Launch Icons. It also wiped out all my settings in Servant Salamander.

 

Here is the Delfix.txt

 

# DelFix v10.8 - Logfile created 28/12/2014 at 19:45:58
# Updated 29/07/2014 by Xplode
# Username : Administrator - JIMSDESKTOP
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...

Deleted : \FRST
Deleted : \AdwCleaner
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware

~ Cleaning system restore ...

Deleted : RP #1570 [Uninstalled with Total Uninstall "Malwarebytes Anti-Exploit version 1.05.1.1016" | 12/27/2014 05:30:22]
Deleted : RP #1571 [Installed NetLimiter 3 | 12/27/2014 15:37:31]
Deleted : RP #1572 [Software Distribution Service 3.0 | 12/27/2014 15:54:40]
Deleted : RP #1573 [Uninstalled with Total Uninstall "{00000001-0000-0000-0000-000000000000}" | 12/27/2014 16:20:55]
Deleted : RP #1574 [Uninstalled with Total Uninstall "{54A4143B-6B4B-4082-B248-643B25561CCB}" | 12/27/2014 16:22:47]
Deleted : RP #1575 [Uninstalled with Total Uninstall "NetLimiter 3" | 12/27/2014 16:24:16]
Deleted : RP #1576 [Removed NetLimiter 3 | 12/27/2014 16:24:33]
Deleted : RP #1577 [Uninstalled with Total Uninstall "QuickTime 7" | 12/28/2014 00:54:21]
Deleted : RP #1578 [Installed Java 7 Update 71 | 12/28/2014 04:28:37]
Deleted : RP #1579 [Removed Java 7 Update 71 | 12/28/2014 04:38:34]
Deleted : RP #1580 [Installed Java 7 Update 71 | 12/28/2014 04:39:11]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 

The setting in Firefox for browser.cache.use_new_backend is "0", which is off.

 

I don't have this folder on any other PC's running Firefox.

 

I tried to do a system restore and when I select system restore no program is launched.

 

Docfxit


  • 0

#12
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
So sorry,
Let me investigate that further and report the DelFix issue to the author of the program. I use DelFix daily without issue.

Junkware Removal Tool (JRT) by Thisisu creates a registry backup with ERUNT in C:\Windows\ERUNT\JRT

Never had a user have to do that, so let me get instructions on exactly how to restore from ERUNT.

Joe

Edit
To restore the registry at a later point, run the ERDNT program from the folder

C:\Windows\ERUNT\JRT

Hope that helps
  • 0

#13
docfxit

docfxit

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

Hi Joe,

 

I know how to restore from ERUNT.

 

I have a bat file I created to do a restore.  Of course all lines need to be modified to each individual case:

:: Registry hives of a running Windows are locked, so this runs against the
:: installation mounted as a data drive (E: here); adjust drive, paths and the
:: ERDNT backup folder date for each case.

:: 1. Save the current hives before touching anything
MD e:\Windows\Tmp
copy e:\Windows\system32\config\system   e:\Windows\tmp\system.bak
copy e:\Windows\system32\config\software e:\Windows\tmp\software.bak
copy e:\Windows\system32\config\sam      e:\Windows\tmp\sam.bak
copy e:\Windows\system32\config\security e:\Windows\tmp\security.bak
copy e:\Windows\system32\config\default  e:\Windows\tmp\default.bak

:: 2. Remove the current hives
del e:\Windows\system32\config\system
del e:\Windows\system32\config\software
del e:\Windows\system32\config\sam
del e:\Windows\system32\config\security
del e:\Windows\system32\config\default

:: 3. Put the ERUNT/ERDNT backup copies in their place
copy e:\Windows\ERDNT\12-14-2011\system   e:\Windows\system32\config\system
copy e:\Windows\ERDNT\12-14-2011\software e:\Windows\system32\config\software
copy e:\Windows\ERDNT\12-14-2011\sam      e:\Windows\system32\config\sam
copy e:\Windows\ERDNT\12-14-2011\security e:\Windows\system32\config\security
copy e:\Windows\ERDNT\12-14-2011\default  e:\Windows\system32\config\default

:: Rollback (left commented out): restore the copies saved in step 1
::copy e:\Windows\TmpOrig\system.bak   e:\Windows\system32\config\system
::copy e:\Windows\TmpOrig\software.bak e:\Windows\system32\config\software
::copy e:\Windows\TmpOrig\sam.bak      e:\Windows\system32\config\sam
::copy e:\Windows\TmpOrig\security.bak e:\Windows\system32\config\security
::copy e:\Windows\TmpOrig\default.bak  e:\Windows\system32\config\default

I have recovered the Firefox Backup

 

Thanks,

 

Docfxit


  • 0

#14
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 8,090 posts
Hey,

Thanks for that,

I'll report the DelFix issue.

What about Servant Salamander ?
  • 0

#15
docfxit

docfxit

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 102 posts

That's ok.  I can re-configure Servant Salamander.

 

Thank you very much,

 

Docfxit


  • 0
