
PUP Start Now Identified [Solved]

This topic is locked

#1 joseph456
Member, 455 posts

Malwarebytes identified registry keys as follows:

(No malicious items detected)

Registry Keys: 3
PUP.Optional.StartNow.A, HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{5911488E-9D1E-40EC-8CBB-06B231CC153F}, No Action By User, [d7f6ee824248cd692242c87e21e2b050],
PUP.Optional.StartNow.A, HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{5911488E-9D1E-40EC-8CBB-06B231CC153F}, No Action By User, [d7f6ee824248cd692242c87e21e2b050],
PUP.Optional.StartNow.A, HKU\S-1-5-18\SOFTWARE\StartNow Toolbar, No Action By User, [379680f01f6bd066b86ab59c08fd1ce4],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

along with this item which is in quarantine:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/30/2014
Scan Time: 5:12:46 PM
(No malicious items detected)

Registry Keys: 1

PUP.Optional.InstallBrain.A, HKLM\SOFTWARE\InstallIQ, Quarantined, [e28c4dbc6714102640cbfc65729041bf],

 

Should I have it remove the item in quarantine and then rescan and let it delete the other three?

 

Thanks for your help.




#2 Valinorum
GeekU Guardian Bot (GeekU Moderator), 3,330 posts
Yes, remove them. I would also like to see a diagnostic log of your PC to check if there is other stuff left. Should you wish to continue, please follow the guideline stated here.

Regards,
Valinorum

#3 joseph456
Topic Starter, Member, 455 posts

Reran Malwarebytes, then Farbar.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-04-2015
Ran by Owner (administrator) on OWNER-FE8C2F80E on 26-04-2015 17:21:49
Running from C:\Documents and Settings\Owner\Desktop
Loaded Profiles: Owner (Available profiles: Owner & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Piriform Ltd) C:\Program Files\Speccy\Speccy.exe
(Ruiware) C:\Program Files\Ruiware\WinPatrol\WinPatrol.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2005-08-09] (ATI Technologies Inc.)
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\...\Run: [Speccy] => C:\Program Files\Speccy\Speccy.exe [5519128 2015-01-22] (Piriform Ltd)
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\...\Run: [WinPatrol] => C:\Program Files\Ruiware\WinPatrol\winpatrol.exe [1238152 2015-04-23] (Ruiware)
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\...\MountPoints2: {1b423f43-a144-11e1-8264-00904bcce900} - E:\LaunchU3.exe -a
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\ssflwbox.scr [393216 2008-04-14] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Billminder.lnk [2012-06-02]
ShortcutTarget: Billminder.lnk -> C:\QUICKENW\billmind.exe (Intuit)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = https://www.netaddre...?Domain=usa.net
https://login.microsoftonline.com/
https://duckduckgo.com/
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-07-25] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-07-25] (Oracle Corporation)
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate...b?1318284984953
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\z3zu8u0o.default-1407623485265
FF DefaultSearchEngine.US: Google
FF Homepage: about:home|hxxp://www.netvibes.com/privatepage/2#General|https://www.netaddre...gle.com/finance
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_17_0_0_169.dll [2015-04-25] ()
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-07-25] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
FF Plugin: @videolan.org/vlc,version=2.0.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2012-10-15] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll [2012-10-19] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll [2012-10-19] (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-02-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-07-25] (Oracle Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2013-09-10] () [File not signed]
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [265728 2003-07-17] (Broadcom Corporation)
R3 E1000; C:\WINDOWS\System32\DRIVERS\e1000325.sys [163840 2005-06-29] (Intel Corporation)
R0 giveio; C:\WINDOWS\System32\giveio.sys [5248 1996-04-03] () [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-04-14] (Malwarebytes Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
R1 MpKsle1e57987; c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2E8625AE-4A62-40C2-A9D6-00B6F8327DD0}\MpKsle1e57987.sys [39464 2015-04-26] (Microsoft Corporation)
R0 speedfan; C:\WINDOWS\System32\speedfan.sys [24184 2012-12-29] (Almico Software)
R3 STAC97; C:\WINDOWS\System32\drivers\STAC97.sys [252144 2003-10-14] (SigmaTel, Inc.)
R3 cpuz138; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cpuz138\cpuz138_x32.sys [X]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-26 17:21 - 2015-04-26 17:22 - 00009266 _____ () C:\Documents and Settings\Owner\Desktop\FRST.txt
2015-04-26 17:21 - 2015-04-26 17:21 - 00000000 ____D () C:\FRST
2015-04-26 17:19 - 2015-04-26 17:19 - 01140736 _____ (Farbar) C:\Documents and Settings\Owner\Desktop\FRST.exe
2015-04-25 22:45 - 2015-04-25 22:45 - 00020680 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-04-25 22:43 - 2015-04-25 22:43 - 00128504 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-04-25 21:16 - 2015-04-25 21:16 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2015-04-25 20:40 - 2015-04-25 20:40 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
2015-04-25 20:14 - 2015-04-25 20:18 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-04-25 20:04 - 2015-04-25 20:04 - 00001687 _____ () C:\Documents and Settings\Owner\Start Menu\Programs\FileHippo App Manager.lnk
2015-04-25 20:04 - 2015-04-25 20:04 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\IsolatedStorage

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-26 17:22 - 2011-10-10 17:05 - 00000000 ____D () C:\Documents and Settings\Owner\Local Settings\Temp
2015-04-26 17:21 - 2014-02-25 00:13 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2015-04-26 17:18 - 2014-02-24 23:18 - 00184349 _____ () C:\WINDOWS\setupapi.log
2015-04-26 17:12 - 2011-10-10 16:58 - 01633884 _____ () C:\WINDOWS\WindowsUpdate.log
2015-04-26 17:12 - 2004-08-04 07:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2015-04-26 17:11 - 2011-10-10 12:52 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-04-26 17:11 - 2011-10-10 12:52 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-04-26 17:10 - 2011-10-10 17:04 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-04-26 17:09 - 2011-10-10 17:05 - 00000178 ___SH () C:\Documents and Settings\Owner\ntuser.ini
2015-04-26 17:09 - 2011-10-10 17:04 - 00032626 _____ () C:\WINDOWS\SchedLgU.Txt
2015-04-26 14:39 - 2014-03-30 16:33 - 00119512 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2015-04-26 11:20 - 2013-09-05 19:10 - 00000000 ____D () C:\Program Files\pdf995
2015-04-26 11:00 - 2011-10-10 17:04 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2015-04-25 23:49 - 2011-10-10 12:41 - 00000000 ____D () C:\WINDOWS\security
2015-04-25 22:43 - 2014-03-30 16:50 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-04-25 22:41 - 2011-10-10 17:05 - 00000000 ____D () C:\Documents and Settings\Owner
2015-04-25 22:33 - 2013-07-14 16:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-04-25 21:35 - 2012-06-09 17:04 - 00001774 ____H () C:\Documents and Settings\Owner\My Documents\Default.rdp
2015-04-25 21:16 - 2014-03-30 16:51 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-04-25 21:04 - 2012-07-26 00:00 - 00778416 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-04-25 21:04 - 2012-07-26 00:00 - 00142512 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-04-25 21:04 - 2011-10-13 16:59 - 00000000 ____D () C:\Documents and Settings\Owner\Local Settings\Application Data\Adobe
2015-04-25 20:41 - 2012-10-29 12:35 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2015-04-25 20:37 - 2013-08-05 09:17 - 00000000 ____D () C:\Documents and Settings\Owner\My Documents\CCleaner
2015-04-25 20:35 - 2013-11-17 17:46 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\WinPatrol
2015-04-25 20:35 - 2012-05-22 23:10 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\InstallMate
2015-04-25 20:17 - 2013-01-25 11:35 - 00000000 ____D () C:\Program Files\CCleaner
2015-04-25 20:04 - 2012-05-14 23:19 - 00000000 ____D () C:\Program Files\FileHippo.com
2015-04-25 19:58 - 2014-02-24 23:19 - 00000210 _____ () C:\WINDOWS\setupact.log
2015-04-25 19:58 - 2011-10-10 12:49 - 00603684 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-04-14 09:37 - 2014-03-30 16:50 - 00120024 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-04-14 09:37 - 2013-01-01 20:31 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-04-01 11:22 - 2011-10-11 10:13 - 125832184 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

==================== Files in the root of some directories =======

2012-01-30 15:41 - 2012-01-31 14:10 - 0000007 ___SH () C:\Documents and Settings\Owner\Application Data\date
2012-01-31 14:18 - 2013-09-02 17:11 - 0000268 _____ () C:\Documents and Settings\Owner\Application Data\default.rss
2012-06-04 08:39 - 2012-06-04 08:39 - 0000000 _____ () C:\Documents and Settings\Owner\Application Data\downloads.m3u
2012-01-30 15:40 - 2012-05-31 23:15 - 0000002 ___SH () C:\Documents and Settings\Owner\Application Data\evf6
2012-01-30 16:08 - 2012-06-09 21:03 - 0005632 _____ () C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-11-26 14:01 - 2012-03-01 15:18 - 0037632 _____ () C:\Documents and Settings\All Users\dlea.log
2011-11-25 14:06 - 2012-05-14 22:45 - 0053650 _____ () C:\Documents and Settings\All Users\dleaJSW.log
2011-11-25 13:35 - 2012-05-14 22:48 - 0029259 _____ () C:\Documents and Settings\All Users\dleascan.log
2011-11-25 21:11 - 2011-11-25 21:11 - 0000252 ____C () C:\Documents and Settings\All Users\FastPics.log
2011-12-24 20:00 - 2011-12-24 20:00 - 0000000 ____C () C:\Documents and Settings\All Users\LxWbGwLog.log
2011-11-25 13:30 - 2011-11-25 13:30 - 0000000 ____C () C:\Documents and Settings\All Users\UpdaterLog.txt

Some content of TEMP:
====================
C:\Documents and Settings\Owner\Local Settings\Temp\speccycpuid.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-04-2015
Ran by Owner at 2015-04-26 17:22:54
Running from C:\Documents and Settings\Owner\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1275210071-1035525444-1606980848-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1275210071-1035525444-1606980848-1004 - Limited - Enabled)
Guest (S-1-5-21-1275210071-1035525444-1606980848-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1275210071-1035525444-1606980848-1000 - Limited - Disabled)
Owner (S-1-5-21-1275210071-1035525444-1606980848-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Owner
SUPPORT_388945a0 (S-1-5-21-1275210071-1035525444-1606980848-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM\...\7-zip) (Version: v9.20 - TUGUU SL) <==== ATTENTION
Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Flash Player 17 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Advertising Center (Version: 0.0.0.2 - Nero AG) Hidden
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.163-050809a1-026378C-Gateway - )
Auslogics DiskDefrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: 5.4.0.0 - Auslogics Labs Pty Ltd)
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Canon MP Navigator EX 3.0 (HKLM\...\MP Navigator EX 3.0) (Version:  - )
Canon MP490 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP490_series) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
CleanUp! (HKLM\...\CleanUp!) (Version:  - )
ClearType Tuning Control Panel Applet (HKLM\...\{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}) (Version: 1.01.0000 - Microsoft Corporation)
C-Major Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version:  - )
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows5.0.0.2) (Version: 5.0.0.2 - Coupons.com Incorporated)
ERUNT 1.1j (HKLM\...\ERUNT_is1) (Version:  - Lars Hederer)
FileHippo App Manager (HKLM\...\FileHippo.com) (Version:  - FileHippo.com)
Google Update Helper (Version: 1.3.21.111 - Google Inc.) Hidden
HD Tune 2.55 (HKLM\...\HD Tune_is1) (Version:  - EFD Software)
ImagXpress (Version: 7.0.74.0 - Nero AG) Hidden
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.7.0 - LIGHTNING UK!)
Intel® PRO Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217051FF}) (Version: 7.0.670 - Oracle)
K-Lite Codec Pack 8.2.0 (Full) (HKLM\...\KLiteCodecPack_is1) (Version: 8.2.0 - )
Leawo DVD Ripper version  4.3.0.0 (HKLM\...\{1FE417E2-6B8F-44CA-A7DF-A4BD072E8ED8}_is1) (Version: 4.3.0.0 - Leawo Software Co., Ltd.)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Menu Templates - Starter Kit (Version: 9.6.0.0 - Nero AG) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Calculator Plus (HKLM\...\{83073C45-3003-4671-9A86-243AAADD915A}) (Version: 1.0.0 - Microsoft)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Excel Viewer (HKLM\...\{95120000-003F-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Motorola SM56 Data Fax Modem (HKLM\...\SMSERIAL) (Version:  - )
Movie Templates - Starter Kit (Version: 9.6.0.0 - Nero AG) Hidden
Mozilla Firefox 37.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 37.0.2 (x86 en-US)) (Version: 37.0.2 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (KB925673) (HKLM\...\{FE9126DB-5F84-495A-BB46-3C724F1C2D08}) (Version: 6.00.3888.0 - Microsoft Corporation)
Nero 9 Essentials (HKLM\...\{6eb90063-f7c5-42f8-b197-571607c158d9}) (Version:  - Nero AG)
Pdf995 (HKLM\...\Pdf995) (Version:  - )
PdfEdit995 (HKLM\...\PdfEdit995) (Version:  - )
Quicken Deluxe 98 (HKLM\...\Quicken Deluxe 98) (Version:  - )
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Signature995 (HKLM\...\Signature995) (Version:  - )
Speccy (HKLM\...\Speccy) (Version: 1.28 - Piriform)
SpeedFan (remove only) (HKLM\...\SpeedFan) (Version:  - )
Toolbar Cleaner 1.1 (HKLM\...\Toolbar Cleaner) (Version:  - Visicom Media Inc.)
TurboTax 2011 (HKLM\...\TurboTax 2011) (Version:  - Intuit, Inc)
TurboTax 2012 (HKLM\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
VLC media player 2.0.4 (HKLM\...\VLC media player) (Version: 2.0.4 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows 7 Upgrade Advisor (HKLM\...\{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}) (Version: 2.0.5000.0 - Microsoft Corporation)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
WinPatrol (HKLM\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 33.5.2015.7 - Ruiware)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

03-03-2015 21:50:35 Software Distribution Service 3.0
03-03-2015 23:09:40 Software Distribution Service 3.0
25-04-2015 22:15:38 Software Distribution Service 3.0
26-04-2015 02:06:35 Software Distribution Service 3.0

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 07:00 - 2004-08-04 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => c:\Program Files\Microsoft Security Client\MpCmdRun.exe

==================== Loaded Modules (whitelisted) ==============

2012-05-14 21:58 - 2013-09-05 19:11 - 00049852 _____ () C:\WINDOWS\system32\pdf995mon.dll
2015-04-25 20:50 - 2015-04-25 20:58 - 16863920 _____ () C:\WINDOWS\system32\Macromed\Flash\NPSWF32_17_0_0_169.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, the associated entry will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\...\ebay.com -> hxxp://www.ebay.com


There are 5146 more restricted sites.

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ApnUpdater => "C:\Program Files\Ask.com\Updater\Updater.exe"
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
MSCONFIG\startupreg: StacSysTray => C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe

==================== FirewallRules (whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe] => Enabled:ABBYY FineReader
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Owner\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\dpvsetup.exe] => Enabled:Microsoft DirectPlay Voice Test
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\rundll32.exe] => Enabled:Run a DLL as an App
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe] => :LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)

==================== Faulty Device Manager Devices =============

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/25/2015 09:34:41 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (04/25/2015 09:34:41 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/03/2015 09:48:05 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (09/06/2014 08:53:39 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: mssecurityclientmsseces.exe4.4.304.00x80508018scheduledscancmainwindow__onautoscancomplete0security essentialsNILNILNIL

Error: (08/09/2014 06:52:05 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: mssecurityclientmsseces.exe4.4.304.00x80508018scheduledscancmainwindow__onautoscancomplete0security essentialsNILNILNIL

Error: (11/17/2013 09:02:05 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (11/17/2013 05:46:32 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: EventType mptelemetry, P1 80070490, P2 remediation, P3 remediationfailuretelemetry, P4 1.1.10003.0, P5 mpengine, P6 0, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (09/04/2013 09:42:18 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: mssecurityclientmsseces.exe4.3.215.00x80508018scheduledscancmainwindow__onautoscancomplete0security essentialsNILNILNIL

Error: (08/19/2013 05:43:59 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 4.3.215.0, P3 timeout, P4 1.1.9700.0, P5 fixed, P6 2 _ 2048, P7 5 _ not boot, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (07/04/2013 05:17:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


System errors:
=============
Error: (04/25/2015 11:43:37 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).

Error: (04/25/2015 11:43:34 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intuit Update Service v4 service terminated unexpectedly.  It has done this 1 time(s).

Error: (04/25/2015 10:46:28 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMService service failed to start due to the following error:
%%1053

Error: (04/25/2015 10:46:28 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the MBAMService service to connect.

Error: (04/25/2015 10:42:38 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Microsoft Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.

Error: (04/25/2015 09:35:08 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %OWNER-FE8C2F80E60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.193.1582.0

    Update Source: %OWNER-FE8C2F80E51

    Update Stage: 4.4.0304.00

    Source Path: 4.4.0304.01

    Signature Type: %OWNER-FE8C2F80E602

    Update Type: %OWNER-FE8C2F80E604

    User: OWNER-FE8C2F80E\Owner

    Current Engine Version: %OWNER-FE8C2F80E605

    Previous Engine Version: %OWNER-FE8C2F80E606

    Error code: %OWNER-FE8C2F80E607

    Error description: %OWNER-FE8C2F80E608

Error: (04/25/2015 09:35:08 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %OWNER-FE8C2F80E60 has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.193.1582.0

    Update Source: %OWNER-FE8C2F80E51

    Update Stage: 4.4.0304.00

    Source Path: 4.4.0304.01

    Signature Type: %OWNER-FE8C2F80E602

    Update Type: %OWNER-FE8C2F80E604

    User: OWNER-FE8C2F80E\Owner

    Current Engine Version: %OWNER-FE8C2F80E605

    Previous Engine Version: %OWNER-FE8C2F80E606

    Error code: %OWNER-FE8C2F80E607

    Error description: %OWNER-FE8C2F80E608

Error: (04/25/2015 08:01:40 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intuit Update Service v4 service terminated unexpectedly.  It has done this 1 time(s).

Error: (04/25/2015 08:01:37 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).

Error: (03/04/2015 02:29:59 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intuit Update Service v4 service terminated unexpectedly.  It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (04/25/2015 09:34:41 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download....uthrootstl.cabArequired certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (04/25/2015 09:34:41 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download....uthrootstl.cabArequired certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (03/03/2015 09:48:05 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download....uthrootstl.cabArequired certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (09/06/2014 08:53:39 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: mssecurityclientmsseces.exe4.4.304.00x80508018scheduledscancmainwindow__onautoscancomplete0security essentialsNILNILNIL

Error: (08/09/2014 06:52:05 PM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: mssecurityclientmsseces.exe4.4.304.00x80508018scheduledscancmainwindow__onautoscancomplete0security essentialsNILNILNIL

Error: (11/17/2013 09:02:05 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

Error: (11/17/2013 05:46:32 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: mptelemetry80070490remediationremediationfailuretelemetry1.1.10003.0mpengine0unspecifiedNILNILNIL

Error: (09/04/2013 09:42:18 AM) (Source: Microsoft Security Client) (EventID: 5000) (User: )
Description: mssecurityclientmsseces.exe4.3.215.00x80508018scheduledscancmainwindow__onautoscancomplete0security essentialsNILNILNIL

Error: (08/19/2013 05:43:59 PM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)4.3.215.0timeout1.1.9700.0fixed2 _ 20485 _ not bootNILNILNIL

Error: (07/04/2013 05:17:01 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download....uthrootstl.cabArequired certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


==================== Memory info ===========================

Processor:  Intel® Pentium® 4 CPU 3.00GHz
Percentage of memory in use: 22%
Total physical RAM: 2046.98 MB
Available physical RAM: 1577.36 MB
Total Pagefile: 3957.14 MB
Available Pagefile: 3619.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1944.64 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:37.25 GB) (Free:18.71 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37.3 GB) (Disk ID: FFFFFFFF)
Partition 1: (Active) - (Size=37.3 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

Thanks


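An added example, not part of FRST or of any post in this thread: a small Python triage of the "FirewallRules (whitelisted)" section of the Addition.txt above. It parses each AuthorizedApplications entry into path, state, scope and display name, then flags the enabled exceptions a responder would want to look at twice: generic host binaries such as rundll32.exe (any DLL it is asked to load inherits the exception) and executables living under a user-writable profile or temp directory. The sample section is copied from the posted log; the list of host binaries and the path fragments treated as user-writable are this example's own assumptions, not anything FRST reports.

```python
"""Triage helper for the "FirewallRules (whitelisted)" section of an FRST Addition.txt.

Added example for this thread; not part of FRST, Malwarebytes or ESET. The six
rule lines in SAMPLE_SECTION are copied from the Addition.txt posted above.
Which entries count as "worth a second look" (GENERIC_HOSTS, USER_WRITABLE) is
this example's own assumption, not anything FRST itself reports.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_SECTION = r"""
==================== FirewallRules (whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe] => Enabled:ABBYY FineReader
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Owner\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe] => Enabled:LogMeIn Rescue
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\dpvsetup.exe] => Enabled:Microsoft DirectPlay Voice Test
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\rundll32.exe] => Enabled:Run a DLL as an App
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe] => :LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)

==================== Faulty Device Manager Devices =============
"""

# FRST section headers look like "==================== Title =====".
SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+[ \t]*$", re.M)
RULE_RE = re.compile(r"^StandardProfile\\AuthorizedApplications: \[(?P<path>.+?)\] => (?P<value>.+)$")

# Binaries that run whatever code they are handed: an exception on them is an
# exception for every DLL or script they are asked to load. (Assumed list.)
GENERIC_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
# Lower-cased path fragments for user-writable locations (XP and later layouts). (Assumed list.)
USER_WRITABLE = ("\\local settings\\", "\\appdata\\", "\\temp\\", ".tmp\\")


@dataclass
class Rule:
    path: str
    enabled: bool
    scope: str   # "" = any remote address; XP writes e.g. "LocalSubNet" for subnet-only
    name: str    # display name stored with the exception


@dataclass
class Finding:
    rule: Rule
    reason: str


def section(text: str, title: str) -> str:
    """Return the body of the first FRST section whose title contains `title`."""
    heads = list(SECTION_RE.finditer(text))
    for i, head in enumerate(heads):
        if title.lower() in head["title"].lower():
            end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
            return text[head.end():end]
    return ""


def parse_rules(text: str) -> list[Rule]:
    """Parse every AuthorizedApplications line in the FirewallRules section."""
    rules: list[Rule] = []
    for line in section(text, "FirewallRules").splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        fields = m["value"].split(":")
        state = next((i for i, f in enumerate(fields) if f in ("Enabled", "Disabled")), None)
        if state is None:
            continue  # unexpected layout; leave it for manual review
        rules.append(Rule(
            path=m["path"],
            enabled=fields[state] == "Enabled",
            scope=",".join(f for f in fields[:state] if f),
            name=":".join(fields[state + 1:]),   # names may themselves contain ':'
        ))
    return rules


def triage(text: str) -> list[Finding]:
    """Flag enabled exceptions that widen the firewall more than their name suggests."""
    findings: list[Finding] = []
    for rule in parse_rules(text):
        if not rule.enabled:
            continue        # a disabled exception admits nothing
        low = rule.path.lower()
        exe = low.rsplit("\\", 1)[-1]
        if exe in GENERIC_HOSTS:
            findings.append(Finding(rule, "generic host binary: whatever it is told to load inherits the exception"))
        elif any(frag in low for frag in USER_WRITABLE):
            findings.append(Finding(rule, "executable sits in a user-writable profile/temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SECTION):
        print(f"{f.rule.path}\n    {f.reason} (scope: {f.rule.scope or 'any'})")
```

Run as a script it prints the two entries worth a look, rundll32.exe and the LogMeIn applet under Local Settings; the disabled Intuit entry is parsed (with its LocalSubNet scope) but not flagged, and the remaining Program Files and system32 entries pass.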

#4 Valinorum (GeekU Moderator)

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\...\MountPoints2: {1b423f43-a144-11e1-8264-00904bcce900} - E:\LaunchU3.exe -a
      CMD: ipconfig /flushdns
      CMD: bitsadmin /reset /allusers
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.
 
  • Step #2 ESET Online Scanner
    Disable your security programs, which includes but is not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and conditions and proceed.
    • Install Add-On/ActiveX if prompted.
    • From the Computer Scan Settings check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Setting --
      • Check the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.
    Note: Enable your security programs afterwards.
 
  • Required Log(s):
    • FRST Fix Log
    • ESET Log
Regards,
Valinorum

#5 joseph456 (Topic Starter)

Hi Valinorum -

 

Appreciate your help.  Not sure how, but it looks like ESET cleaned the threats.  I attached a copy of what is still sitting on the desktop.

 

Fixlog.txt from Farbar

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-04-2015
Ran by Owner at 2015-04-27 19:32:42 Run:2
Running from C:\Documents and Settings\Owner\Desktop
Loaded Profiles: Owner (Available profiles: Owner & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\...\MountPoints2: {1b423f43-a144-11e1-8264-00904bcce900} - E:\LaunchU3.exe -a
CMD: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1275210071-1035525444-1606980848-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1b423f43-a144-11e1-8264-00904bcce900} => Key not found.
HKCR\CLSID\{1b423f43-a144-11e1-8264-00904bcce900} => Key not found.

=========  ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========


=========  bitsadmin /reset /allusers =========

'bitsadmin' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========

EmptyTemp: => Removed 31.4 MB temporary data.


The system needed a reboot.

==== End of Fixlog 19:32:59 ====

 

Then from ESET

 

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=770ce44a5b254840a12006f4273184be
# engine=23591
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-04-28 12:30:30
# local_time=2015-04-27 08:30:30 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 35962070 101366652 0 0
# scanned=38966
# found=13
# cleaned=13
# scan_time=2073
sh=1E3FF58866D59D4658FE8ED7DCA3E9B73F86BD83 ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\All Users\Application Data\APN\APN-Stub\W3IV6-G\APNIC.7z"
sh=D6356361CB5D33E62695230274A8C219D18884A5 ft=1 fh=758f4dd0748812c4 vn="a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\All Users\Application Data\APN\APN-Stub\W3IV6-G\APNIC.dll"
sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="a variant of Win32/Toolbar.Babylon.F potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\Local Settings\Application Data\Babylon\Setup\BExternal.dll"
sh=D128CBAF3DEF02BD11A92A43C36D540E47BF06E0 ft=1 fh=6abf192eb2d8af09 vn="a variant of Win32/Toolbar.Babylon.E potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\Local Settings\Application Data\Babylon\Setup\IECookieLow.dll"
sh=C88D76106C34D093167BD69B433CFF15F24CFE68 ft=1 fh=c9f8a6e51b4e4ea2 vn="a variant of Win32/Toolbar.Babylon.E potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\Local Settings\Application Data\Babylon\Setup\Setup.exe"
sh=B7FD7CCF49DAA7A2154020E9C543B6AAD33ACB27 ft=1 fh=6fc2b4bbe3606611 vn="MSIL/MyPCBackup.B potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\disk-defrag-setup.exe"
sh=59C75B45AC46FAC8C4018205544938C46B1BA631 ft=1 fh=ab462a0af6e69b03 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\Computer\ccsetup405.exe"
sh=DFDA3BEB6A8E9899118BBDE16E4DE6878E323A90 ft=1 fh=dc19b4d7d4992970 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\Downloads\ccsetup419.exe"
sh=1E331E9B90A7E95DE0F4A73E48E5A6D289CD07CA ft=1 fh=04da1d0b1c45b54a vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\Downloads\spsetup128.exe"
sh=4367EED76EFBD15C0D913A166F6EE5BACF0A5118 ft=1 fh=2a10e6d6d8460a39 vn="Win32/InstallMonetizer.AQ potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\My Downloads\Computer\Auslogics\disk-defrag-setup.exe"
sh=6525F85F423A8ACB9DE261FCE7C1BFDCAF0651EC ft=1 fh=e751b5239200023c vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\My Downloads\Computer\CCleaner\ccsetup404.exe"
sh=B8895BB21261766F960D2B6D5F22B0DD7A818812 ft=1 fh=fd6c520b6b39aef5 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\My Downloads\Computer\Speccy\spsetup122.exe"
sh=C15A67C725F560D37D0B9589810CBD4E78FC8704 ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application (deleted - quarantined)" ac=C fn="C:\WINDOWS\Installer\14bb6e3f.msi"

 

Attached: ESET Desktop 042715.JPG

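An added example, not ESET's code or the poster's: a Python parser for the ESET Online Scanner log above. It reads the `# key=value` header and each `sh=... vn="..." fn="..."` detection line, groups detections by family with the variant suffix stripped, and checks that the header's found/cleaned counters agree with the detection lines actually present, which is the check to run before accepting a "log looks good" verdict. The embedded log is a trimmed excerpt of the posted one, with found/cleaned set to the three lines kept; the family rule and the reading of the `deleted - quarantined` action text as a removal are this example's assumptions.

```python
"""Parse an ESET Online Scanner log and check it against its own header.

Added example for this thread; not ESET's code or the poster's. SAMPLE_LOG is a
trimmed excerpt of the log posted above: three detection lines kept, the
found/cleaned counters set to 3 to match. The family rule (strip the variant
suffix) and the reading of "deleted - quarantined" as a removal are assumptions
of this example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# engine=23591
# end=finished
# remove_checked=true
# unwanted_checked=true
# unsafe_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=38966
# found=3
# cleaned=3
# scan_time=2073
sh=1E3FF58866D59D4658FE8ED7DCA3E9B73F86BD83 ft=0 fh=0000000000000000 vn="a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\All Users\Application Data\APN\APN-Stub\W3IV6-G\APNIC.7z"
sh=68F39FDC5C97B7D3B93A4B793E3E9DAF1ED75344 ft=1 fh=c71c0011ed98cc6f vn="a variant of Win32/Toolbar.Babylon.F potentially unwanted application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\Local Settings\Application Data\Babylon\Setup\BExternal.dll"
sh=59C75B45AC46FAC8C4018205544938C46B1BA631 ft=1 fh=ab462a0af6e69b03 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Owner\My Documents\Computer\ccsetup405.exe"
"""

HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")
DETECTION_RE = re.compile(
    r'^sh=(?P<sha1>[0-9A-Fa-f]{40}) ft=(?P<ft>\d+) fh=(?P<fh>[0-9A-Fa-f]{16}) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\S+) fn="(?P<fn>[^"]*)"$'
)
# vn text: optional "a variant of ", threat name, classification, optional "(action)".
VN_RE = re.compile(r"^(?:a variant of )?(?P<name>\S+) (?P<klass>.+?)(?: \((?P<action>[^)]*)\))?$")


@dataclass
class Detection:
    sha1: str
    ft: str       # file-type and file-hash columns, kept verbatim (not interpreted here)
    fh: str
    ac: str       # action code column, kept verbatim
    name: str     # e.g. Win32/Bundled.Toolbar.Ask.F
    klass: str    # e.g. "potentially unsafe application"
    action: str   # e.g. "deleted - quarantined"; "" if the scanner recorded none
    path: str

    @property
    def family(self) -> str:
        # Assumption: a trailing ".F" / ".AQ" is the variant letter, not part of the family.
        return re.sub(r"\.[A-Z]{1,3}$", "", self.name)


def parse_log(text: str) -> tuple[dict[str, str], list[Detection]]:
    """Split the log into its '# key=value' header and its detection records."""
    header: dict[str, str] = {}
    detections: list[Detection] = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header[h["key"]] = h["value"]
            continue
        d = DETECTION_RE.match(line)
        if not d:
            continue                      # banner lines such as "all ok"
        v = VN_RE.match(d["vn"])
        if not v:
            raise ValueError(f"unrecognised vn field: {d['vn']!r}")
        detections.append(Detection(d["sha1"], d["ft"], d["fh"], d["ac"],
                                    v["name"], v["klass"], v["action"] or "", d["fn"]))
    return header, detections


def summarize(detections: list[Detection]) -> Counter[str]:
    """Detections per family, variants collapsed."""
    return Counter(d.family for d in detections)


def reconcile(header: dict[str, str], detections: list[Detection]) -> list[str]:
    """Return discrepancies between the header counters and the detection lines."""
    issues: list[str] = []
    if header.get("end") != "finished":
        issues.append(f"scan did not finish: end={header.get('end')!r}")
    found = int(header.get("found", -1))
    if found != len(detections):
        issues.append(f"header found={found} but {len(detections)} detection lines present")
    removed = sum(1 for d in detections if d.action.startswith(("deleted", "cleaned")))
    cleaned = int(header.get("cleaned", -1))
    if cleaned != removed:
        issues.append(f"header cleaned={cleaned} but {removed} detections record a deleted/cleaned action")
    if removed and header.get("remove_checked") != "true":
        issues.append("detections were removed although remove_checked was not true")
    return issues


if __name__ == "__main__":
    hdr, dets = parse_log(SAMPLE_LOG)
    print(f"{hdr['product']} v{hdr['version']}, engine {hdr['engine']}: "
          f"scanned={hdr['scanned']} found={len(dets)}")
    for family, n in summarize(dets).most_common():
        print(f"  {n:2d}  {family}")
    print("issues:", reconcile(hdr, dets) or "none")
```

On the full log above the same code would report thirteen detections across five families, all carrying the `deleted - quarantined` action, matching the `found=13` / `cleaned=13` header; a scan that was interrupted (`end` not `finished`) or a header whose counters disagree with the lines is reported as an issue rather than silently accepted.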

#6 Valinorum (GeekU Moderator)

Log looks good. How is your system running?

#7 joseph456 (Topic Starter)

System is running fine.  Glad you were able to delete those error files selected by ESET - was not sure how.

 

Have not tried to restart because I was not sure what to do with the ESET on the desktop.  Should I check "Delete the quarantined files" and "Uninstall application on close"?


Edited by joseph456, 27 April 2015 - 08:42 PM.


#8 Valinorum (GeekU Moderator)

Yes, delete the quarantined files. You may uninstall the application as well. If you are facing no issue, we shall clear our other quarantined files.

#9 joseph456 (Topic Starter)

Ok, I think I uninstalled ESET, although the original download is still on the desktop.  And then, while it was doing it, I received this message - any relation to what we were doing?  I think I saw something about USB3 in the list, and I am using Windows XP with USB 2.  I don't even think I have eight hubs, and these are the same items that have been installed all along.  The computer is from 2004 (Gateway M675).

 

Appreciate your help.

Attached: USB Notice.JPG


#10 Valinorum (GeekU Moderator)

This is not related to our fix. Please, restart your PC and see if it comes back.
#11 joseph456 (Topic Starter)

Restarted the machine - it seems to restart quicker and respond quicker after taking some time (as it usually does) to work through msseces.exe.  At first, when I placed a thumb drive in the right port, it was not recognized; then I tried the other one, and then that one again, and it worked.

 

Thumb drives also seemed to respond quicker.

 

Thanks!



#12 Valinorum (GeekU Moderator)

Perusing your logs, I see no infection currently present in your system. Unless you are having any issue(s), the machine appears to be Malware-free as we speak.

 

♣ Removal of Tools and Quarantined Files ♣


 

Although the tools we have used are clean, they are powerful removal tools and are made in a way so that they carry out any commands given to them without (in most cases) asking for confirmation. In the hands of an inept person, they can make the machine un-bootable -- a scenario we do not wish to see. Also, we need to remove the quarantined files/folders from your system, as dormant malware can be as bad as active malware if given the proper environment. I shall now give you the guidelines to remove the tools and the quarantined files from your system.
  • Cleanup with Delfix
    Please download DelFix by Xplode to your Desktop.
    Download Link
    • Double-click to run the program;
      • Note: Windows Vista/7/8 users right-click and choose Run as administrator
    • Make sure that all the boxes are checked;
    • Click Run;
    • A log will be opened after the operation is finished;
    • Copy and Paste it in your next reply
 

♣ Prevention and Future Guidelines ♣


 

Prevention is better than cure -- goes the old saying. As much as we love to see you visit our site, we do not want to see you having your PC infected by malware again.
  • Keep Windows up-to-date.
    It is extremely important that you keep your operating system (Windows) updated when updates are made available. It is set to alert you, so be sure not to ignore these notices and to allow the updates to install. Many of these are critical security packages which could very possibly be the difference between your picking up a future infiltration and simply passing right by it unharmed.
  • Run antivirus software and keep it up-to-date, too.
    Antivirus software is your safety net if all other protections fail. The first line of defense is smart computing, of course, but everyone needs a backup. I'd recommend Microsoft Security Essentials or avast!, both of which are excellent, as well as free. Once they're installed, check periodically to ensure they have been successfully updating as well. An out-of-date antivirus is not a happy antivirus!
  • Keep your web browser plugins and other programs updated also.
    This tip is rarely shared by technicians and its importance is not widely recognized, but it's absolutely critical. Programs such as Java, Adobe Flash Player and Adobe Reader, Internet Explorer, and myriad other such web-exposed items are deeply vulnerable to attack, which can quickly lead to a hopelessly infected system no matter what protection you currently have installed. The reason is that these programs are ubiquitous, but are also not perfect and are extremely complex... and as such, security vulnerabilities are discovered and exploited by hackers hoping to gain control over your machine. By performing every update for these programs as soon as it's made available, you will greatly reduce your exposure to dangerous internet threats.

    A great way to do this is to install the Filehippo Update Checker and run it regularly. Also, try not to ignore any notifications you receive regarding updates to programs already installed on your PC.

    NoScript is an excellent security device too. I like it, but it is not for everyone, because it requires you to take action if you want to see some things (pop-ups, banners etc.) on sites you visit.

    Download NoScript by Giorgio Maone.

    Note: Sometimes you will get a site telling you that you need to install Java when actually all you need to do is enable the site through the NoScript icon down on the right hand side of your computer.
  • Watch out for new threat named CryptoLocker
    CryptoLocker is a new type of ransomware that encrypts your important files and asks for a ransom to decrypt them. At the moment of posting this reply there are no tools that can undo the havoc this malware causes. We can help you remove the malware from your system, but the files that were encrypted cannot be recovered without the decryption key. So, I ask for your forbearance and practice constant vigilance. Please read the following article to acquaint yourself with the safety measures.
    How to prevent your computer from becoming infected by CryptoLocker.
  • And last of all, surf smart.
    It doesn't matter how well the autopilot system works if the pilot keeps flying the plane into mountain ranges. Don't forget that no matter how much you have protecting yourself, your security ultimately begins and ends with you. Don't visit dangerous or questionable web sites, avoid suspicious links on Facebook and emails/email attachments you're unsure about, and just generally keep your wits about you, and you'll be much safer. Also, avoid illegal downloads, cracks, "warez", and all other too-good-to-be-true internet offerings: they're typically laden with malware. Be smart and you can avoid most threats lurking about the darker corners of the internet! And for even more tips, see our article How Did I Get Infected in the First Place? and Keep Your Computer Safe Online.

Regards,
Valinorum

#13 joseph456 (Topic Starter)

System is running faster!

 

# DelFix v1.010 - Logfile created 27/04/2015 at 23:19:09
# Updated 26/04/2015 by Xplode
# Username : Owner - OWNER-FE8C2F80E
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\JavaRa.log
Deleted : C:\Documents and Settings\Owner\Desktop\Addition.txt
Deleted : C:\Documents and Settings\Owner\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Documents and Settings\Owner\Desktop\Fixlog.txt
Deleted : C:\Documents and Settings\Owner\Desktop\FRST.exe
Deleted : C:\Documents and Settings\Owner\Desktop\FRST.txt
Deleted : C:\Documents and Settings\Owner\Desktop\log.txt
Deleted : C:\Documents and Settings\Owner\My Documents\Downloads\TFC.exe
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #644 [Software Distribution Service 3.0 | 03/04/2015 01:50:35]
Deleted : RP #645 [Software Distribution Service 3.0 | 03/04/2015 03:09:40]
Deleted : RP #646 [Software Distribution Service 3.0 | 04/26/2015 02:15:38]
Deleted : RP #647 [Software Distribution Service 3.0 | 04/26/2015 06:06:35]
Deleted : RP #648 [System Checkpoint | 04/27/2015 06:14:55]
Deleted : RP #649 [Software Distribution Service 3.0 | 04/27/2015 12:28:46]
Deleted : RP #650 [Restore Point Created by FRST | 04/27/2015 23:32:08]
Deleted : RP #651 [Restore Point Created by FRST | 04/27/2015 23:32:49]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 



#14 Valinorum (GeekU Moderator)

Surf safely. :)

#15 joseph456 (Topic Starter)

Last question - checking Java says I have a security risk since I have two outdated versions - Java 7 Update 51 and Update 67 - not sure how that happened.  Thought I would just remove them both and not have Java on my computer.  Please advise - not sure what they mean by security risk.

