Potentially Unwanted/Unsafe Applications on ESET antivirus and possible malware


  • This topic is locked
8 replies to this topic

#1 JoeWatson
  • Members
  • 109 posts

Posted 28 April 2014 - 05:24 AM

My computer has slowed down a lot and I think it's because of Potentially Unsafe/Unwanted Applications (PUAs) which have shown up in an ESET scan and are in the detected threats log which I have attached.

ESET state that there are no infections on my computer but I think that somehow the PUAs are the cause of the problem.

I have attached the DDS logs and detected threats log.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by UserA at 16:37:40 on 2014-04-28
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3325.1791 [GMT 7:00]
.
AV: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Genie9\Genie Timeline\GenieTimelineService.exe
C:\WINDOWS\system32\KaraokeSer.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Genie9\Genie Timeline\GenieTimelineAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\UserA\Local Settings\Application Data\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ncr
uProxyServer = 194.28.8.139:3128
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: KeywordSpySEO Helper: {5F9575C2-1AB4-4883-8505-5C6D0DFDF2D5} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: KeywordSpy™ SEO/PPC: {0AE831B0-427E-4D0A-BC88-4BA47E7471C3} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
TB: KeywordSpy™ SEO/PPC: {0AE831B0-427E-4D0A-BC88-4BA47E7471C3} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
TB: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\documents and settings\all users\application data\flexnet\connect\11\ISUSPM.exe" -scheduler
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking11\Ereg.ini
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [nwiz] nwiz.exe /install
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDriveTypeAutoRun = dword:181
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-System: SynchronousMachineGroupPolicy = dword:0
mPolicies-System: SynchronousUserGroupPolicy = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Add to Evernote 4.0 - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: LastPass - c:\documents and settings\usera\local settings\application data\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - c:\documents and settings\usera\local settings\application data\lastpass\context.html?cmd=fillforms
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\program files\evernote\evernote\EvernoteIE.dll/204
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F9341940-7640-4157-9C5C-7D86B7449E20} - c:\program files\quintura inc\quintura search\iereg.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1CC42A85-D11B-4EC9-A535-1A521C5F5791} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{82EDF653-5DED-49DC-A7C8-062D01FBB7BE} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{91303601-3A55-4EA0-8A9B-0943346E4896} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{AA04D44A-2DAE-4B42-B076-79675146A978} : DHCPNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.131\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\usera\application data\mozilla\firefox\profiles\dynlj516.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ncr
FF - component: c:\documents and settings\usera\application data\mozilla\firefox\profiles\dynlj516.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - component: c:\program files\copernic desktop search - home\firefox36connector\components\CSPXPCOMBridge.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2014-3-30 107256]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2012-3-14 134248]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-4-23 118768]
R1 RapportCerberus_59849;RapportCerberus_59849;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_59849.sys [2014-4-26 340432]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2014-3-30 156024]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2010-7-23 296808]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2013-9-12 1337752]
R2 GenieTimelineService;Genie Timeline Service;c:\program files\genie9\genie timeline\GenieTimelineService.exe [2013-4-16 313360]
R2 KaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\KaraokeSer.exe [2013-4-23 88688]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-27 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-27 857912]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-11-22 3290304]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2013-4-23 63088]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-11-11 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-27 107736]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-5-23 1399680]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2014-3-30 1444120]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-29 1656960]
S3 AsrCDDrv;AsrCDDrv;\??\c:\windows\system32\drivers\asrcddrv.sys --> c:\windows\system32\drivers\AsrCDDrv.sys [?]
S3 efavdrv;efavdrv;\??\c:\windows\system32\drivers\efavdrv.sys --> c:\windows\system32\drivers\efavdrv.sys [?]
S3 es1969;ESS 1969 Audio Driver (WDM);c:\windows\system32\drivers\es1969.sys [2009-10-1 72192]
S3 esihdrv;esihdrv;\??\c:\docume~1\usera\locals~1\temp\esihdrv.sys --> c:\docume~1\usera\locals~1\temp\esihdrv.sys [?]
S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys --> c:\windows\system32\drivers\gttap1.sys [?]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2013-3-26 15576]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2013-3-26 10200]
S3 wimmount;wimmount;c:\windows\system32\drivers\wimmount.sys [2010-6-15 19024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
ShellExec: Foxit Reader.exe: print="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/p "%1"
ShellExec: Foxit Reader.exe: printto="c:\program files\foxit software\foxit reader\Foxit Reader.exe"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2014-04-28 09:10:43    --------    d-----w-    c:\documents and settings\usera\safebrowsing
2014-04-28 08:24:19    --------    d-----w-    c:\documents and settings\usera\local settings\application data\LogMeIn Rescue Applet
2014-04-28 07:32:07    --------    d-----w-    c:\documents and settings\usera\local settings\application data\Skype
2014-04-27 04:49:22    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-27 04:48:04    50648    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-04-27 04:48:03    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-04-26 10:35:57    --------    d-----w-    c:\documents and settings\usera\local settings\application data\Trusteer
2014-04-26 08:41:22    --------    d-----w-    c:\documents and settings\usera\application data\Traffic Travis v4
2014-04-25 08:57:43    --------    d-----w-    c:\documents and settings\usera\application data\Affilorama
2014-04-25 03:04:18    --------    d-----w-    c:\program files\Folder Marker
2014-04-24 10:29:44    --------    d-----w-    c:\documents and settings\usera\application data\CommissionBlueprint.KeywordBlueprint2
2014-04-24 08:06:40    --------    d-----w-    c:\documents and settings\usera\Cache
2014-04-24 06:51:48    --------    d-----w-    c:\documents and settings\usera\application data\AgedDomainHunter
2014-04-10 10:33:57    --------    d-----w-    c:\documents and settings\usera\Doctor Web
2014-03-30 13:30:22    107256    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
2014-03-30 01:52:24    --------    d-----w-    c:\documents and settings\usera\startupCache
.
==================== Find3M  ====================
.
2014-04-09 08:40:07    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-04-09 08:40:06    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-03 02:50:56    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-06 17:59:23    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 17:59:22    43520    ------w-    c:\windows\system32\licmgr10.dll
2014-03-06 17:59:22    18944    ------w-    c:\windows\system32\corpol.dll
2014-03-06 17:59:22    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-03-06 00:46:54    385024    ------w-    c:\windows\system32\html.iec
2014-02-26 01:59:05    13312    ------w-    c:\windows\system32\xp_eos.exe
2014-02-20 02:23:06    11149312    ----a-w-    c:\program files\common files\lpuninstall.exe
2014-02-07 02:01:37    1879040    ------w-    c:\windows\system32\win32k.sys
2014-02-05 08:55:04    562688    ------w-    c:\windows\system32\qedit.dll
.
============= FINISH: 16:38:57.06 ===============
 

 

Mod Edit:  Pasted DDS log into post for easy viewing - Hamluis.

Attached Files

  • Attached File  logs.zip   14.28KB   10 downloads

Edited by hamluis, 28 April 2014 - 12:31 PM.
Pasted DDS into topic - Hamluis.



#2 nasdaq
  • Malware Response Team
  • 40,747 posts
  • Location: Montreal, QC. Canada

Posted 02 May 2014 - 07:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.

Let me know what problem persists.
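The logs the helper asks for above are read by eye, but a few line types in them carry most of the signal: in the DDS log already pasted in the first post, `uProxyServer = 194.28.8.139:3128` points the browser at a proxy outside the 192.168.1.x network the DHCP name server sits on, and `uURLSearchHooks`, `BHO:` and `TB:` entries name the DLLs hooked into Internet Explorer. The script below is an added example, not a tool from this thread or from the BleepingComputer team: it pulls those entries out of DDS, FRST and AdwCleaner style lines, flags a proxy that is not on a private network, and flags extension entries whose backing file is reported missing. The sample input is constructed from lines modelled on the logs in this thread, the buckets and prefixes are my own choice, and whether the proxy is intentional is something only the machine's owner can confirm.

```python
"""Triage DDS / FRST / AdwCleaner style log lines for browser-hijack indicators.

Added example for this thread; not a BleepingComputer tool. The sample input is
constructed from lines modelled on the logs pasted above.
"""
import ipaddress
import re

# Constructed sample: a handful of lines in the formats DDS ("Pseudo HJT Report"),
# FRST ("Internet" section) and AdwCleaner ("[ Registry ]") use.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/ncr
uProxyServer = 194.28.8.139:3128
uURLSearchHooks: KeywordSpySEO Helper: {5F9575C2-1AB4-4883-8505-5C6D0DFDF2D5} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
TB: KeywordSpy SEO/PPC: {0AE831B0-427E-4D0A-BC88-4BA47E7471C3} - c:\program files\keywordspy seoppc plug-in\KeywordSpySEO.dll
TCP: NameServer = 192.168.1.1
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
[x] Not Deleted : HKCU\Software\Conduit
"""

# "uProxyServer = host:port" (DDS) or "ProxyServer: host:port" (FRST).
PROXY_RE = re.compile(r"^[um]?ProxyServer\s*[=:]\s*([^\s:]+):(\d+)\s*$", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Lower-cased line prefixes that name a browser extension point, and the bucket each goes in.
EXTENSION_PREFIXES = (
    ("uurlsearchhooks:", "urlsearchhook"),  # DDS
    ("urlsearchhook:", "urlsearchhook"),    # FRST
    ("bho:", "bho"),
    ("tb:", "toolbar"),                     # DDS
    ("toolbar:", "toolbar"),                # FRST
)


def offsite(host):
    """True if the proxy host is a public IP, False if it is private/loopback/link-local,
    None if it is a hostname (needs resolving by hand)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def classify(line):
    """Map one log line to (bucket, detail), or None when the line is not of interest."""
    m = PROXY_RE.match(line)
    if m:
        host, port = m.group(1), int(m.group(2))
        return "proxy", {"host": host, "port": port, "offsite": offsite(host)}
    if line.startswith("[x] Not Deleted"):
        # AdwCleaner lists registry keys the user chose to keep this way.
        return "leftover", line.split(":", 1)[1].strip()
    low = line.lower()
    for prefix, bucket in EXTENSION_PREFIXES:
        if low.startswith(prefix):
            guid = GUID_RE.search(line)
            # Both tools print the backing file after the last " - "; FRST writes
            # "No File" when the CLSID points at a DLL that no longer exists.
            path = line.rsplit(" - ", 1)[1].strip() if " - " in line else None
            return bucket, {
                "guid": guid.group(0) if guid else None,
                "path": path,
                "missing": path is not None and path.lower() == "no file",
            }
    return None


def triage(text):
    """Bucket every interesting line of a pasted log."""
    findings = {"proxy": [], "urlsearchhook": [], "bho": [], "toolbar": [], "leftover": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = classify(line)
        if hit:
            findings[hit[0]].append(hit[1])
    return findings


def summarize(findings):
    """One human-readable line per finding, proxy first."""
    out = []
    for p in findings["proxy"]:
        state = {True: "OFF-LAN", False: "local", None: "hostname, resolve by hand"}[p["offsite"]]
        out.append(f"proxy {p['host']}:{p['port']} ({state})")
    for bucket in ("urlsearchhook", "bho", "toolbar"):
        for e in findings[bucket]:
            tag = " [backing file missing]" if e["missing"] else ""
            out.append(f"{bucket} {e['guid']} -> {e['path'] or '?'}{tag}")
    for key in findings["leftover"]:
        out.append(f"leftover registry key {key}")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Run it as-is to see the constructed sample triaged; to use it on a real paste, replace `SAMPLE_LOG` with the log text. The off-LAN test only says the proxy is not on a private range, which is why the output still has to be confirmed with the machine's owner before anything is removed.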

#3 JoeWatson
  • Topic Starter
  • Members
  • 109 posts

Posted 03 May 2014 - 01:31 AM

The first item is the AdwCleaner.txt after the scan and cleaning. I didn't clean the items in the registry as I don't really know what I'm doing. What do you suggest:

 

# AdwCleaner v3.205 - Report created 03/05/2014 at 09:56:02
# Updated 28/04/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : UserA - MYCOMPUTER
# Running from : C:\Documents and Settings\UserA\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\UserA\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\UserA\Application Data\Desktopicon
Folder Deleted : C:\Documents and Settings\UserA\Application Data\pdfforge

***** [ Shortcuts ] *****


***** [ Registry ] *****

[x] Not Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
[x] Not Deleted : HKLM\SOFTWARE\Classes\Prod.cap
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460D-9366-D71CDEDA3179}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{201F27D4-3704-41D6-89C1-AA35E39143ED}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{201F27D4-3704-41D6-89C1-AA35E39143ED}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3041D03E-FD4B-44E0-B742-2D9B88305F98}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9CFACCB6-2F3F-4177-94EA-0D2B72D384C1}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
[x] Not Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F72841F0-4EF1-4DF5-BCE5-B3AC8ACF5478}
[x] Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
[x] Not Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
[x] Not Deleted : HKCU\Software\APN PIP
[x] Not Deleted : HKCU\Software\Conduit
[x] Not Deleted : HKCU\Software\Softonic
[x] Not Deleted : HKCU\Software\YahooPartnerToolbar
[x] Not Deleted : HKLM\Software\Conduit
[x] Not Deleted : HKLM\Software\DigitalVolcano\OpenCandy
[x] Not Deleted : HKLM\Software\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Documents and Settings\UserA\Application Data\Mozilla\Firefox\Profiles\8sky6jsz.Profile 2\prefs.js ]


[ File : C:\Documents and Settings\UserA\Application Data\Mozilla\Firefox\Profiles\dynlj516.default\prefs.js ]


-\\ Google Chrome v34.0.1847.131

[ File : C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.speedbit.com/searchresults.asp?src=default&q={searchTerms}
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [3348 octets] - [03/05/2014 09:26:17]
AdwCleaner[R1].txt - [3408 octets] - [03/05/2014 09:34:54]
AdwCleaner[S0].txt - [3471 octets] - [03/05/2014 09:56:02]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3531 octets] ##########
 

The next item is the FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-05-2014
Ran by UserA (administrator) on MYCOMPUTER on 03-05-2014 11:53:55
Running from C:\Documents and Settings\UserA\Desktop\Farbar Rcovery Scan Tool 32 Bit
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Nuance Communications, Inc.) C:\Program Files\Common Files\Nuance\dgnsvc.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Acresso Corporation) C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe
(Genie9) C:\Program Files\Genie9\Genie Timeline\GenieTimelineService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(VIA Technologies, Inc.) C:\WINDOWS\system32\KaraokeSer.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Skype Technologies S.A.) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Genie9) C:\Program Files\Genie9\Genie Timeline\GenieTimeLineAgent.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvMediaCenter] => C:\WINDOWS\system32\NvMcTray.dll [86016 2008-10-07] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] => C:\WINDOWS\system32\NvCpl.dll [13574144 2008-10-07] (NVIDIA Corporation)
HKLM\...\Run: [DNS7reminder] => C:\Program Files\Nuance\NaturallySpeaking11\Ereg\Ereg.exe [259624 2007-04-16] (Nuance Communications, Inc.)
HKLM\...\Run: [UserFaultCheck] => %systemroot%\system32\dumprep 0 -u
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5110672 2013-09-12] (ESET)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoRecentDocsMenu] 1
HKU\.DEFAULT\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\.DEFAULT\...\Policies\Explorer: [NoSaveSettings] 0
HKU\.DEFAULT\...\Policies\Explorer: [ClassicShell] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoRecentDocsMenu] 1
HKU\S-1-5-19\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-19\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-19\...\Policies\Explorer: [ClassicShell] 0
HKU\S-1-5-19\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoRecentDocsMenu] 1
HKU\S-1-5-20\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-20\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-20\...\Policies\Explorer: [ClassicShell] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoWindowsUpdate] 0
HKU\S-1-5-21-790525478-2052111302-725345543-1003\...\Run: [ISUSPM] => C:\Documents and Settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe [222496 2010-07-23] (Acresso Corporation)
HKU\S-1-5-21-790525478-2052111302-725345543-1003\...\Policies\Explorer: [NoRecentDocsMenu] 1
HKU\S-1-5-21-790525478-2052111302-725345543-1003\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1

==================== Internet (Whitelisted) ====================

ProxyServer: 194.28.8.139:3128
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ncr
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
URLSearchHook: HKCU - KeywordSpySEO Helper - {5F9575C2-1AB4-4883-8505-5C6D0DFDF2D5} - C:\Program Files\KeywordSpy SEOPPC Plug-in\KeywordSpySEO.dll ()
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex}&startPage={startPage}&rlz=1I7GGLJ_en-GB
SearchScopes: HKCU - {88109753-7735-420f-98B4-1A3521EF3D27} URL = http://search.speedbit.com/searchresults.asp?src=default&q={searchTerms}
SearchScopes: HKCU - {88F81251-C7B8-40A3-B1D9-48EA8DB4B5E8} URL = http://www.google.com/search?q={searchTerms}&pws=0&hl=en&num=10
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: LastPass Vault - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - KeywordSpy™ SEO/PPC - {0AE831B0-427E-4D0A-BC88-4BA47E7471C3} - C:\Program Files\KeywordSpy SEOPPC Plug-in\KeywordSpySEO.dll ()
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPToolbar.dll (LastPass)
Toolbar: HKCU - No Name - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} -  No File
Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Toolbar: HKCU - KeywordSpy™ SEO/PPC - {0AE831B0-427E-4D0A-BC88-4BA47E7471C3} - C:\Program Files\KeywordSpy SEOPPC Plug-in\KeywordSpySEO.dll ()
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\UserA\Application Data\Mozilla\Firefox\C:\Documents and Settings\UserA
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf - C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf - C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @lastpass.com/NPLastPass - C:\Program Files\LastPass\nplastpass.dll (LastPass)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/wpi,version=1.0 - C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll (Microsoft Corp)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=1.0.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.0 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.4 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.7 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Documents and Settings\UserA\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcdec.dll (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcext.dll (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ieatgpc.dll (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npatgpc.dll (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npFoxitReaderPlugin.dll (Foxit Software Company)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-29]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-29]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2014-03-19]
FF HKCU\...\Firefox\Extensions: [{57319509-7821-41B0-9FDF-3B58F146AE33}] - c:\program files\copernic desktop search - home\firefoxconnector
FF Extension: Copernic Desktop Search - Search Firefox content - c:\program files\copernic desktop search - home\firefoxconnector [2013-05-02]

Chrome:
=======
CHR HomePage: hxxp://sitezmeter.appspot.com/
CHR StartupUrls: "hxxp://www.google.com/ncr"
CHR DefaultSearchKeyword: google.com/ncr
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\34.0.1847.131\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\34.0.1847.131\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\34.0.1847.131\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (NPLastPass) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.90.5_0\nplastpass.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (ActiveTouch General Plugin Container) - C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll (WebEx Communications, Inc)
CHR Plugin: (Foxit Reader Plugin for Mozilla) - C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
CHR Plugin: (Microsoft Office 2003) - C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll (Apple Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U3) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (WPI Detector 1.1) - C:\Program Files\Microsoft\Web Platform Installer\\npwpidetector.dll (Microsoft Corp)
CHR Plugin: (VLC Web Plugin) - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Extension: (Xmarks Bookmark Sync) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla [2014-05-02]
CHR Extension: (SEOquake) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\akdgnmcogleenhbclghghlkkdndkjdjc [2010-07-07]
CHR Extension: (YouTube) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2011-12-19]
CHR Extension: (NoCountryRedirect (NCR)) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ciboebddidackjicoeoiigdnbmchkdll [2013-05-05]
CHR Extension: (Google Search) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2011-12-19]
CHR Extension: (SEO I.Q.) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dadlnlnlpkpchfljjcpkodcljofniggm [2014-03-12]
CHR Extension: (Flag for Chrome) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dbpojpfdiliekbbiplijcphappgcgjfn [2010-07-07]
CHR Extension: (Mozbar) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\eakacpaijcpapndcfffdgphdiccmpknp [2012-11-08]
CHR Extension: (Silver Bird) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\encaiiljifbdbjlphpgpiimidegddhic [2010-07-07]
CHR Extension: (LastPass: Free Password Manager) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2010-07-13]
CHR Extension: (kuber) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hhgojllinjdfbjknbpfcladgieljgoab [2010-07-07]
CHR Extension: (Muzy) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jammhkdcdlocifampbainkfchnoneahm [2012-09-23]
CHR Extension: (Skype Click to Call) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-07-23]
CHR Extension: (RSS Subscription Extension (by Google)) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nlbjncdgjeocebhnmkbbbdekmmmcbfjd [2010-07-07]
CHR Extension: (Google Wallet) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-29]
CHR Extension: (Print Friendly & PDF) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ohlencieiipommannpdfcmfdpjjmeolj [2013-03-17]
CHR Extension: (SEO Global For Google Search™) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ojgmigafbpedhdilmemphfklkbghlphi [2010-07-07]
CHR Extension: (Evernote Web Clipper) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pioclpoplcdbaefihamjohnefbikjilc [2011-09-27]
CHR Extension: (Gmail) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2011-12-19]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

R2 DragonSvc; C:\Program Files\Common Files\Nuance\dgnsvc.exe [296808 2010-07-23] (Nuance Communications, Inc.)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [1337752 2013-09-12] (ESET)
R2 GenieTimelineService; C:\Program Files\Genie9\Genie Timeline\GenieTimelineService.exe [313360 2013-04-16] (Genie9)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-04-29] (Oracle Corporation)
R2 KaraokeService; C:\WINDOWS\system32\KaraokeSer.exe [88688 2011-02-17] (VIA Technologies, Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
R2 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3290304 2012-11-22] (Skype Technologies S.A.)
S4 NMIndexingService; "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" [X]

==================== Drivers (Whitelisted) ====================

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1656960 2009-06-26] (Creative)
R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2008-02-27] ()
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 ds1; C:\WINDOWS\System32\drivers\ds1wdm.sys [334208 2001-08-17] (Yamaha Corp.)
R1 eamon; C:\WINDOWS\System32\DRIVERS\eamon.sys [184664 2013-09-17] (ESET)
R1 ehdrv; C:\WINDOWS\System32\DRIVERS\ehdrv.sys [134248 2013-09-17] (ESET)
R1 epfwtdir; C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [118768 2013-09-17] (ESET)
S3 es1969; C:\WINDOWS\System32\drivers\es1969.sys [72192 2001-08-17] (ESS Technology Inc.)
S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-14] (Microsoft Corporation)
R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [63088 2010-08-24] (Atheros Communications, Inc.)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [50648 2014-05-01] (Malwarebytes Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-04-03] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [107736 2014-05-03] (Malwarebytes Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1389056 2008-12-02] (Creative Technology Ltd.)
S3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-14] (Microsoft Corporation)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15576 2012-08-20] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10200 2012-08-20] ()
R1 RapportCerberus_59849; C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_59849.sys [340432 2014-04-26] ()
S3 RT73; C:\WINDOWS\System32\DRIVERS\Dr71WU.sys [429440 2011-05-23] (Ralink Technology, Corp.)
R3 VIAHdAudAddService; C:\WINDOWS\System32\drivers\viahduaa.sys [1399680 2009-09-17] (VIA Technologies, Inc.)
S3 AsrCDDrv; \??\C:\WINDOWS\system32\Drivers\AsrCDDrv.sys [X]
S3 efavdrv; \??\C:\WINDOWS\system32\drivers\efavdrv.sys [X]
S3 esihdrv; \??\C:\DOCUME~1\UserA\LOCALS~1\Temp\esihdrv.sys [X]
S3 gttap1; system32\DRIVERS\gttap1.sys [X]
S4 IntelIde; No ImagePath
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U5 Sdbus; C:\Windows\System32\Drivers\Sdbus.sys [79232 2008-04-14] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2008-05-02] ()

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-05-03 11:53 - 2014-05-03 11:53 - 00000000 ____D () C:\FRST
2014-05-03 11:50 - 2014-05-03 11:50 - 00045116 _____ () C:\Documents and Settings\UserA\prefs.js
2014-05-03 11:50 - 2014-05-03 11:50 - 00026884 _____ () C:\Documents and Settings\UserA\localstore.rdf
2014-05-03 11:50 - 2014-05-03 11:50 - 00007129 _____ () C:\Documents and Settings\UserA\pluginreg.dat
2014-05-03 11:50 - 2014-05-03 11:50 - 00000680 _____ () C:\Documents and Settings\UserA\sessionstore.js
2014-05-03 11:50 - 2014-05-03 11:50 - 00000154 _____ () C:\Documents and Settings\UserA\urlclassifierkey3.txt
2014-05-03 11:50 - 2014-05-03 11:50 - 00000000 ____D () C:\Documents and Settings\UserA\safebrowsing
2014-05-03 11:49 - 2014-05-03 11:53 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Farbar Rcovery Scan Tool 32 Bit
2014-05-03 09:31 - 2014-05-03 09:31 - 00003348 _____ () C:\Documents and Settings\UserA\Desktop\AdwCleaner[R0].txt
2014-05-03 09:27 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\WINDOWS\system32\sqlite3.dll
2014-05-03 09:26 - 2014-05-03 11:46 - 00000000 ____D () C:\AdwCleaner
2014-05-03 09:25 - 2014-05-03 09:25 - 00062655 _____ () C:\Documents and Settings\UserA\sessionstore.bak
2014-05-03 09:23 - 2014-05-03 09:23 - 00426492 _____ () C:\Documents and Settings\UserA\xmarks-baseline-f34c7cd9484f1edc.json
2014-05-03 09:17 - 2014-05-03 09:17 - 01310621 _____ () C:\Documents and Settings\UserA\Desktop\adwcleaner.exe
2014-05-02 15:39 - 2014-05-02 15:39 - 00041330 _____ () C:\Documents and Settings\UserA\addons.json
2014-05-02 14:25 - 2014-05-02 14:25 - 00380525 _____ () C:\Documents and Settings\UserA\Desktop\bookmarks.html
2014-05-02 09:26 - 2014-05-02 09:26 - 00000000 ____D () C:\Documents and Settings\UserA\startupCache
2014-05-02 08:37 - 2014-05-02 08:37 - 00023714 _____ () C:\Documents and Settings\UserA\extensions.json
2014-05-02 08:37 - 2014-05-02 08:37 - 00000927 _____ () C:\Documents and Settings\UserA\extensions.ini
2014-04-30 19:17 - 2014-05-01 20:51 - 00002110 _____ () C:\WINDOWS\COM+.log
2014-04-30 15:20 - 2014-04-30 15:20 - 00000000 ____D () C:\Documents and Settings\UserA\Cache
2014-04-29 15:39 - 2014-04-30 15:15 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Malaware Log Files
2014-04-29 15:31 - 2014-04-29 15:30 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-04-29 15:31 - 2014-04-29 15:30 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-04-29 15:31 - 2014-04-29 15:30 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-04-29 15:31 - 2014-04-29 15:30 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-04-29 15:31 - 2014-04-29 15:30 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-04-29 14:35 - 2014-04-29 14:37 - 00005842 _____ () C:\WINDOWS\system32\jupdate-1.7.0_55-b14.log
2014-04-29 14:35 - 2014-04-29 14:35 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-04-28 14:32 - 2014-04-28 14:32 - 00000000 ____D () C:\Documents and Settings\UserA\Local Settings\Application Data\Skype
2014-04-28 14:31 - 2014-04-28 14:31 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-04-28 14:31 - 2014-04-28 14:31 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Skype
2014-04-27 11:49 - 2014-05-03 10:20 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-04-27 11:48 - 2014-05-01 18:15 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-04-27 11:48 - 2014-04-27 11:48 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-27 11:48 - 2014-04-27 11:48 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-27 11:48 - 2014-04-27 11:48 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-27 11:44 - 2014-04-27 11:45 - 17305616 _____ (Malwarebytes Corporation ) C:\Documents and Settings\UserA\Desktop\mbam-setup-2.0.1.1004.exe
2014-04-27 10:02 - 2014-04-27 10:16 - 130564948 _____ () C:\Documents and Settings\UserA\Desktop\Joshua-April.mp4
2014-04-26 17:35 - 2014-04-26 17:35 - 00000000 ____D () C:\Documents and Settings\UserA\Local Settings\Application Data\Trusteer
2014-04-26 17:35 - 2014-04-26 17:35 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Trusteer Endpoint Protection
2014-04-26 15:41 - 2014-04-26 15:41 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\Traffic Travis v4
2014-04-26 15:41 - 2014-04-26 15:41 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Traffic Travis v4
2014-04-25 15:57 - 2014-04-25 15:57 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\Affilorama
2014-04-25 10:04 - 2014-04-25 10:04 - 00000000 ____D () C:\Program Files\Folder Marker
2014-04-25 10:04 - 2014-04-25 10:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Folder Marker
2014-04-24 17:29 - 2014-04-24 17:29 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\CommissionBlueprint.KeywordBlueprint2
2014-04-24 13:51 - 2014-04-24 14:01 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\AgedDomainHunter
2014-04-20 17:04 - 2014-04-20 17:04 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Sales Rescue TwoFer Delivery File
2014-04-18 16:52 - 2014-04-18 16:52 - 00017865 _____ () C:\Documents and Settings\UserA\mimeTypes.rdf
2014-04-17 16:42 - 2014-04-05 11:57 - 00450622 ____R () C:\WINDOWS\system32\Drivers\etc\hosts.20140417-164213.backup
2014-04-15 08:55 - 2014-05-01 18:10 - 00000000 ___RD () C:\Documents and Settings\UserA\Desktop\Make Income Online by Simply Recommending  Products
2014-04-14 21:26 - 2014-04-17 11:03 - 00000000 ____D () C:\Documents and Settings\UserA\My Documents\SmitFraudFix
2014-04-14 14:04 - 2014-04-14 14:04 - 00008643 _____ () C:\WINDOWS\KB2922229.log
2014-04-14 14:04 - 2014-04-14 14:04 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-04-14 13:52 - 2014-04-14 13:55 - 00011299 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-04-11 14:18 - 2014-04-19 21:11 - 00065536 _____ () C:\WINDOWS\system32\config\Doctor Web.evt
2014-04-10 17:33 - 2014-04-19 15:14 - 00000000 ____D () C:\Documents and Settings\UserA\Doctor Web
2014-04-10 17:33 - 2014-04-10 19:44 - 00065536 _____ () C:\WINDOWS\system32\config\Doctor W.evt
2014-04-06 11:54 - 2014-04-30 15:09 - 00000570 _____ () C:\WINDOWS\setupact.log
2014-04-06 11:54 - 2014-04-06 11:54 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-04-06 11:53 - 2014-04-30 15:09 - 00046009 _____ () C:\WINDOWS\setupapi.log
2014-04-05 11:57 - 2013-08-27 13:54 - 00450546 ____R () C:\WINDOWS\system32\Drivers\etc\hosts.20140405-115701.backup

==================== One Month Modified Files and Folders =======

2014-05-03 11:53 - 2014-05-03 11:53 - 00000000 ____D () C:\FRST
2014-05-03 11:53 - 2014-05-03 11:49 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Farbar Rcovery Scan Tool 32 Bit
2014-05-03 11:50 - 2014-05-03 11:50 - 00045116 _____ () C:\Documents and Settings\UserA\prefs.js
2014-05-03 11:50 - 2014-05-03 11:50 - 00026884 _____ () C:\Documents and Settings\UserA\localstore.rdf
2014-05-03 11:50 - 2014-05-03 11:50 - 00007129 _____ () C:\Documents and Settings\UserA\pluginreg.dat
2014-05-03 11:50 - 2014-05-03 11:50 - 00000680 _____ () C:\Documents and Settings\UserA\sessionstore.js
2014-05-03 11:50 - 2014-05-03 11:50 - 00000154 _____ () C:\Documents and Settings\UserA\urlclassifierkey3.txt
2014-05-03 11:50 - 2014-05-03 11:50 - 00000000 ____D () C:\Documents and Settings\UserA\safebrowsing
2014-05-03 11:50 - 2013-06-30 16:33 - 00000517 _____ () C:\Documents and Settings\UserA\dh-media-lists.rdf
2014-05-03 11:50 - 2013-06-30 16:29 - 00060073 _____ () C:\Documents and Settings\UserA\dh-smart-names.rdf
2014-05-03 11:50 - 2013-06-30 15:24 - 10485760 _____ () C:\Documents and Settings\UserA\places.sqlite
2014-05-03 11:50 - 2013-06-30 15:24 - 01933312 _____ () C:\Documents and Settings\UserA\permissions.sqlite
2014-05-03 11:50 - 2013-06-30 15:24 - 01048576 _____ () C:\Documents and Settings\UserA\cookies.sqlite
2014-05-03 11:50 - 2013-06-30 15:24 - 00344064 _____ () C:\Documents and Settings\UserA\cert8.db
2014-05-03 11:50 - 2013-06-30 15:24 - 00016384 _____ () C:\Documents and Settings\UserA\key3.db
2014-05-03 11:50 - 2013-06-30 15:24 - 00000001 _____ () C:\Documents and Settings\UserA\_CACHE_CLEAN_
2014-05-03 11:50 - 2013-06-30 15:24 - 00000000 ____D () C:\Documents and Settings\UserA\thumbnails
2014-05-03 11:50 - 2010-01-07 14:25 - 00000000 ____D () C:\Documents and Settings\UserA\Local Settings\Application Data\LastPass
2014-05-03 11:50 - 2009-02-24 12:10 - 00000000 ____D () C:\Documents and Settings\UserA
2014-05-03 11:49 - 2013-06-30 17:09 - 00039673 _____ () C:\Documents and Settings\UserA\xmarks.log
2014-05-03 11:49 - 2013-06-30 15:24 - 00000000 _____ () C:\Documents and Settings\UserA\parent.lock
2014-05-03 11:46 - 2014-05-03 09:26 - 00000000 ____D () C:\AdwCleaner
2014-05-03 11:21 - 2010-01-29 10:13 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-03 11:16 - 2014-03-21 08:12 - 00000514 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-790525478-2052111302-725345543-1003.job
2014-05-03 11:00 - 2009-02-24 12:05 - 01443982 ____C () C:\WINDOWS\WindowsUpdate.log
2014-05-03 10:40 - 2010-06-12 07:49 - 00000286 _____ () C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-790525478-2052111302-725345543-1003.job
2014-05-03 10:20 - 2014-04-27 11:49 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-05-03 10:18 - 2009-02-24 19:01 - 00000159 ____C () C:\WINDOWS\wiadebug.log
2014-05-03 10:18 - 2009-02-24 19:01 - 00000048 ____C () C:\WINDOWS\wiaservc.log
2014-05-03 10:18 - 2009-02-24 12:03 - 00000000 ____D () C:\WINDOWS\Registration
2014-05-03 10:17 - 2014-03-28 08:16 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-05-03 10:17 - 2010-06-12 07:49 - 00000278 _____ () C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-790525478-2052111302-725345543-1003.job
2014-05-03 10:17 - 2010-01-29 10:13 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-03 10:17 - 2009-02-24 12:10 - 00000006 ___HC () C:\WINDOWS\Tasks\SA.DAT
2014-05-03 09:59 - 2009-02-24 12:11 - 00000278 ___SH () C:\Documents and Settings\UserA\ntuser.ini
2014-05-03 09:59 - 2009-02-24 12:10 - 00032440 _____ () C:\WINDOWS\SchedLgU.Txt
2014-05-03 09:31 - 2014-05-03 09:31 - 00003348 _____ () C:\Documents and Settings\UserA\Desktop\AdwCleaner[R0].txt
2014-05-03 09:25 - 2014-05-03 09:25 - 00062655 _____ () C:\Documents and Settings\UserA\sessionstore.bak
2014-05-03 09:25 - 2013-06-30 15:24 - 11468800 _____ () C:\Documents and Settings\UserA\webappsstore.sqlite
2014-05-03 09:23 - 2014-05-03 09:23 - 00426492 _____ () C:\Documents and Settings\UserA\xmarks-baseline-f34c7cd9484f1edc.json
2014-05-03 09:17 - 2014-05-03 09:17 - 01310621 _____ () C:\Documents and Settings\UserA\Desktop\adwcleaner.exe
2014-05-03 09:02 - 2013-06-30 15:24 - 00000000 ____D () C:\Documents and Settings\UserA\bookmarkbackups
2014-05-03 07:49 - 2007-06-27 04:19 - 00002206 ____C () C:\WINDOWS\system32\wpa.dbl
2014-05-02 19:45 - 2009-02-24 18:51 - 00000000 ____D () C:\WINDOWS\repair
2014-05-02 17:12 - 2013-06-30 15:25 - 01212416 _____ () C:\Documents and Settings\UserA\healthreport.sqlite
2014-05-02 17:10 - 2013-06-30 17:09 - 00065536 _____ () C:\Documents and Settings\UserA\xmarks.sqlite
2014-05-02 16:09 - 2013-06-30 15:32 - 00524288 _____ () C:\Documents and Settings\UserA\formhistory.sqlite
2014-05-02 15:41 - 2013-06-30 15:34 - 00117020 _____ () C:\Documents and Settings\UserA\blocklist.xml
2014-05-02 15:39 - 2014-05-02 15:39 - 00041330 _____ () C:\Documents and Settings\UserA\addons.json
2014-05-02 15:35 - 2013-06-30 15:25 - 00000000 ____D () C:\Documents and Settings\UserA\healthreport
2014-05-02 14:25 - 2014-05-02 14:25 - 00380525 _____ () C:\Documents and Settings\UserA\Desktop\bookmarks.html
2014-05-02 09:26 - 2014-05-02 09:26 - 00000000 ____D () C:\Documents and Settings\UserA\startupCache
2014-05-02 09:26 - 2013-06-30 15:24 - 00000194 _____ () C:\Documents and Settings\UserA\compatibility.ini
2014-05-02 09:16 - 2014-02-09 13:05 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-05-02 08:37 - 2014-05-02 08:37 - 00023714 _____ () C:\Documents and Settings\UserA\extensions.json
2014-05-02 08:37 - 2014-05-02 08:37 - 00000927 _____ () C:\Documents and Settings\UserA\extensions.ini
2014-05-02 08:37 - 2013-06-30 16:21 - 00000000 ____D () C:\Documents and Settings\UserA\extensions
2014-05-01 20:51 - 2014-04-30 19:17 - 00002110 _____ () C:\WINDOWS\COM+.log
2014-05-01 20:47 - 2013-06-30 15:24 - 00229376 _____ () C:\Documents and Settings\UserA\content-prefs.sqlite
2014-05-01 18:15 - 2014-04-27 11:48 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-05-01 18:10 - 2014-04-15 08:55 - 00000000 ___RD () C:\Documents and Settings\UserA\Desktop\Make Income Online by Simply Recommending  Products
2014-05-01 10:08 - 2009-05-05 20:05 - 00000472 _____ () C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
2014-04-30 15:47 - 2009-02-26 16:47 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\Skype
2014-04-30 15:20 - 2014-04-30 15:20 - 00000000 ____D () C:\Documents and Settings\UserA\Cache
2014-04-30 15:15 - 2014-04-29 15:39 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Malaware Log Files
2014-04-30 15:09 - 2014-04-06 11:54 - 00000570 _____ () C:\WINDOWS\setupact.log
2014-04-30 15:09 - 2014-04-06 11:53 - 00046009 _____ () C:\WINDOWS\setupapi.log
2014-04-30 14:43 - 2013-11-14 21:13 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876331$
2014-04-29 15:31 - 2009-02-24 12:08 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-04-29 15:30 - 2014-04-29 15:31 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-04-29 15:30 - 2014-04-29 15:31 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-04-29 15:30 - 2014-04-29 15:31 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-04-29 15:30 - 2014-04-29 15:31 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-04-29 15:30 - 2014-04-29 15:31 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-04-29 15:29 - 2013-07-07 18:32 - 00000000 ____D () C:\Program Files\Java
2014-04-29 14:37 - 2014-04-29 14:35 - 00005842 _____ () C:\WINDOWS\system32\jupdate-1.7.0_55-b14.log
2014-04-29 14:35 - 2014-04-29 14:35 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-04-29 14:17 - 2009-02-24 22:05 - 00000000 ____D () C:\Documents and Settings\UserA\Local Settings\Application Data\Adobe
2014-04-29 14:16 - 2012-03-29 14:20 - 00692400 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-04-29 14:16 - 2011-05-18 17:04 - 00070832 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-04-28 14:32 - 2014-04-28 14:32 - 00000000 ____D () C:\Documents and Settings\UserA\Local Settings\Application Data\Skype
2014-04-28 14:31 - 2014-04-28 14:31 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-04-28 14:31 - 2014-04-28 14:31 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Skype
2014-04-28 14:31 - 2009-02-26 16:46 - 00000000 ___RD () C:\Program Files\Skype
2014-04-28 14:31 - 2009-02-26 16:46 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Skype
2014-04-27 11:48 - 2014-04-27 11:48 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-27 11:48 - 2014-04-27 11:48 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-27 11:48 - 2014-04-27 11:48 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-04-27 11:48 - 2012-11-11 14:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-04-27 11:45 - 2014-04-27 11:44 - 17305616 _____ (Malwarebytes Corporation ) C:\Documents and Settings\UserA\Desktop\mbam-setup-2.0.1.1004.exe
2014-04-27 10:16 - 2014-04-27 10:02 - 130564948 _____ () C:\Documents and Settings\UserA\Desktop\Joshua-April.mp4
2014-04-26 17:51 - 2009-04-21 16:52 - 00000000 ___RD () C:\Documents and Settings\UserA\Desktop\UTILITIES
2014-04-26 17:35 - 2014-04-26 17:35 - 00000000 ____D () C:\Documents and Settings\UserA\Local Settings\Application Data\Trusteer
2014-04-26 17:35 - 2014-04-26 17:35 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Trusteer Endpoint Protection
2014-04-26 17:35 - 2010-08-17 11:49 - 00000000 ____D () C:\Program Files\Trusteer
2014-04-26 15:41 - 2014-04-26 15:41 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\Traffic Travis v4
2014-04-26 15:41 - 2014-04-26 15:41 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Traffic Travis v4
2014-04-26 12:48 - 2011-08-23 11:28 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Desktop Icons
2014-04-26 07:42 - 2011-08-17 20:44 - 00000000 ____D () C:\Program Files\Public Domain Oracle FREEWARE
2014-04-25 18:17 - 2012-11-30 17:51 - 00000000 ____D () C:\Program Files\FileZilla FTP Client
2014-04-25 18:17 - 2009-03-03 17:44 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\FileZilla
2014-04-25 18:16 - 2011-04-19 10:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\FileZilla FTP Client
2014-04-25 18:13 - 2009-08-14 09:42 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\vlc
2014-04-25 18:06 - 2009-04-23 18:25 - 00000000 ____D () C:\Program Files\MSECache
2014-04-25 16:30 - 2012-09-16 20:41 - 00000000 ____D () C:\Documents and Settings\UserA\My Documents\My Kindle Content
2014-04-25 15:57 - 2014-04-25 15:57 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\Affilorama
2014-04-25 14:50 - 2009-05-25 15:07 - 00001634 _____ () C:\Documents and Settings\UserA\Application Data\SAS7_000.DAT
2014-04-25 10:35 - 2012-04-06 10:15 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\com.pageone.Curator
2014-04-25 10:20 - 2012-04-06 10:15 - 00000000 ____D () C:\Program Files\PageOneTraffic
2014-04-25 10:15 - 2009-08-11 18:38 - 00000187 _____ () C:\WINDOWS\ContentComposer.ini
2014-04-25 10:15 - 2009-08-11 18:24 - 00000000 ____D () C:\ContentComposer
2014-04-25 10:08 - 2010-10-07 09:57 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\ArcticLine
2014-04-25 10:04 - 2014-04-25 10:04 - 00000000 ____D () C:\Program Files\Folder Marker
2014-04-25 10:04 - 2014-04-25 10:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Folder Marker
2014-04-25 07:42 - 2011-11-30 15:36 - 00000000 ____D () C:\Program Files\TotalExcelConverter
2014-04-24 21:27 - 2012-02-09 11:38 - 00000000 ____D () C:\Program Files\Secunia
2014-04-24 21:21 - 2011-06-03 10:11 - 00000000 ____D () C:\Program Files\Niche Blueprints v3
2014-04-24 21:21 - 2011-06-03 10:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Niche Blueprints v3
2014-04-24 21:09 - 2009-02-24 12:03 - 00000000 ____D () C:\Program Files\Foxit Software
2014-04-24 17:37 - 2011-01-12 09:37 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\CommissionBlueprint.KeywordBlueprint2.E611A7DFA7A14643DD636F3114ECD771F85A61E0.1
2014-04-24 17:29 - 2014-04-24 17:29 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\CommissionBlueprint.KeywordBlueprint2
2014-04-24 17:28 - 2012-04-06 10:03 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\com.blueprintcentral.keywordblaze
2014-04-24 17:11 - 2009-08-05 10:02 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR
2014-04-24 16:53 - 2009-08-12 16:51 - 00000053 _____ () C:\WINDOWS\ArticleAssistant.ini
2014-04-24 16:53 - 2009-08-12 16:50 - 00000023 _____ () C:\WINDOWS\ovas.ini
2014-04-24 16:35 - 2011-10-22 20:17 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2014-04-24 16:29 - 2009-08-11 18:24 - 00000832 _____ () C:\WINDOWS\ccinst.ini
2014-04-24 16:26 - 2009-08-11 18:38 - 00000023 _____ () C:\WINDOWS\oldale.ini
2014-04-24 15:27 - 2009-09-24 18:02 - 00000000 ____D () C:\Program Files\Content Publisher v2
2014-04-24 15:19 - 2009-04-20 15:31 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Creating Fat Content Course
2014-04-24 15:19 - 2009-04-20 15:30 - 00000000 ____D () C:\Program Files\CreatingFatContentCourse
2014-04-24 15:04 - 2013-07-01 15:49 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\HandBrake
2014-04-24 14:20 - 2013-07-19 22:08 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Genie9
2014-04-24 14:20 - 2013-07-19 22:06 - 00000000 ____D () C:\Program Files\Genie9
2014-04-24 14:10 - 2009-04-24 21:07 - 00000000 ____D () C:\Documents and Settings\UserA\Local Settings\Application Data\CompetitionDominator
2014-04-24 14:01 - 2014-04-24 13:51 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\AgedDomainHunter
2014-04-24 09:33 - 2009-09-20 14:53 - 00000000 ____D () C:\Documents and Settings\UserA\My Documents\Joe's Docs
2014-04-21 20:49 - 2009-02-24 18:51 - 00000000 ____D () C:\WINDOWS\security
2014-04-21 20:42 - 2014-03-19 10:14 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\ESET
2014-04-20 17:04 - 2014-04-20 17:04 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Sales Rescue TwoFer Delivery File
2014-04-20 16:54 - 2009-02-24 18:54 - 00000282 __RSH () C:\boot.ini
2014-04-20 16:54 - 2007-06-27 04:19 - 00001706 ____C () C:\WINDOWS\win.ini
2014-04-20 16:54 - 2007-06-27 04:19 - 00000284 _____ () C:\WINDOWS\system.ini
2014-04-19 21:11 - 2014-04-11 14:18 - 00065536 _____ () C:\WINDOWS\system32\config\Doctor Web.evt
2014-04-19 15:14 - 2014-04-10 17:33 - 00000000 ____D () C:\Documents and Settings\UserA\Doctor Web
2014-04-18 16:52 - 2014-04-18 16:52 - 00017865 _____ () C:\Documents and Settings\UserA\mimeTypes.rdf
2014-04-18 09:46 - 2010-01-07 15:03 - 00000000 ____D () C:\Program Files\LastPass
2014-04-18 09:13 - 2011-03-28 16:02 - 00000000 _____ () C:\WINDOWS\MEMORY.DMP
2014-04-17 15:39 - 2009-03-29 09:55 - 00000000 ____D () C:\Documents and Settings\UserA\Application Data\Free Download Manager
2014-04-17 11:03 - 2014-04-14 21:26 - 00000000 ____D () C:\Documents and Settings\UserA\My Documents\SmitFraudFix
2014-04-16 22:20 - 2014-03-26 16:19 - 00688128 _____ () C:\Documents and Settings\UserA\seer.sqlite
2014-04-14 21:32 - 2009-06-25 16:31 - 00000000 ____D () C:\Documents and Settings\UserA\My Documents\PayPal
2014-04-14 21:15 - 2013-04-20 17:57 - 00000000 ____D () C:\Program Files\Recuva
2014-04-14 14:04 - 2014-04-14 14:04 - 00008643 _____ () C:\WINDOWS\KB2922229.log
2014-04-14 14:04 - 2014-04-14 14:04 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-04-14 14:04 - 2012-11-15 08:16 - 00535614 _____ () C:\WINDOWS\iis6.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00470511 _____ () C:\WINDOWS\FaxSetup.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00227516 _____ () C:\WINDOWS\ocgen.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00216169 _____ () C:\WINDOWS\tsoc.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00156625 _____ () C:\WINDOWS\comsetup.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00144194 _____ () C:\WINDOWS\msmqinst.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00095239 _____ () C:\WINDOWS\ntdtcsetup.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00082817 _____ () C:\WINDOWS\netfxocm.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00032594 _____ () C:\WINDOWS\MedCtrOC.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00026119 _____ () C:\WINDOWS\ocmsn.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00023654 _____ () C:\WINDOWS\msgsocm.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00023636 _____ () C:\WINDOWS\tabletoc.log
2014-04-14 14:04 - 2012-11-15 08:16 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-04-14 14:02 - 2013-08-19 08:17 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-04-14 13:55 - 2014-04-14 13:52 - 00011299 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-04-14 13:55 - 2012-11-15 08:16 - 00001374 _____ () C:\WINDOWS\imsins.BAK
2014-04-14 13:55 - 2007-06-27 04:19 - 88028728 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-04-14 13:54 - 2012-12-13 10:29 - 00044573 _____ () C:\WINDOWS\updspapi.log
2014-04-10 19:44 - 2014-04-10 17:33 - 00065536 _____ () C:\WINDOWS\system32\config\Doctor W.evt
2014-04-08 20:55 - 2014-03-28 08:16 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-04-07 21:50 - 2012-09-16 20:40 - 00000000 ____D () C:\Program Files\Amazon
2014-04-07 21:44 - 2013-06-30 16:02 - 00000000 ____D () C:\Documents and Settings\UserA\OfflineCache
2014-04-06 11:54 - 2014-04-06 11:54 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-04-05 11:57 - 2014-04-17 16:42 - 00450622 ____R () C:\WINDOWS\system32\Drivers\etc\hosts.20140417-164213.backup
2014-04-05 10:04 - 2012-05-24 21:26 - 00000000 ____D () C:\Documents and Settings\UserA\Desktop\Erica Stone Coaching
2014-04-04 14:02 - 2009-03-07 18:10 - 00000000 ____D () C:\Documents and Settings\UserA\.freemind
2014-04-03 09:50 - 2012-11-11 14:02 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys

Files to move or delete:
====================
C:\Documents and Settings\UserA\Application Data\Camdata.ini
C:\Documents and Settings\UserA\Application Data\CamLayout.ini
C:\Documents and Settings\UserA\Application Data\CamShapes.ini
C:\Documents and Settings\Administrator\xmlUpdater.exe
C:\Documents and Settings\Default User\xmlUpdater.exe
C:\Documents and Settings\UserA\persdict.dat
C:\Documents and Settings\UserA\pluginreg.dat
C:\Documents and Settings\UserA\prefs.js
C:\Documents and Settings\UserA\sessionstore.js
C:\Documents and Settings\UserA\xmlUpdater.exe


Some content of TEMP:
====================
C:\Documents and Settings\UserA\Local Settings\temp\Aged Domain Hunter.exe
C:\Documents and Settings\UserA\Local Settings\temp\Foxit Reader Updater.exe
C:\Documents and Settings\UserA\Local Settings\temp\Quarantine.exe
C:\Documents and Settings\UserA\Local Settings\temp\SkypeSetup.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


I hope I've done everything OK

 

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 03 May 2014 - 08:33 AM

The first item is the AdwCleaner.txt after the scan and cleaning. I didn't clean the items in the registry as I don't really know what I'm doing. What do you suggest?

Run the tool and remove all this is found.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

HKLM\...\Run: [UserFaultCheck] => %systemroot%\system32\dumprep 0 -u
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKCU - {88109753-7735-420f-98B4-1A3521EF3D27} URL = http://search.speedbit.com/searchresults.asp?src=default&q={searchTerms}
Toolbar: HKCU - No Name - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} -  No File
Toolbar: HKCU - No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\34.0.1847.131\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (NPLastPass) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.90.5_0\nplastpass.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 AsrCDDrv; \??\C:\WINDOWS\system32\Drivers\AsrCDDrv.sys [X]
S3 efavdrv; \??\C:\WINDOWS\system32\drivers\efavdrv.sys [X]
S3 esihdrv; \??\C:\DOCUME~1\UserA\LOCALS~1\Temp\esihdrv.sys [X]
S3 gttap1; system32\DRIVERS\gttap1.sys [X]
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
AlternateDataStreams: C:\WINDOWS:B12169B4D8777DE2
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0CB6E0BD
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0FF263E8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD

end

Save the file as fixlist.txt into the same folder as FRST
Run FRST and click Fix only once and wait

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please let me know of any remaining issues.

#5 JoeWatson

JoeWatson
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 04 May 2014 - 02:51 AM

Not sure what you mean by "Run the tool and remove all this is found." Do you want me to run AdwCleaner again and scan and then delete the registry entries?

 

Meanwhile, here is the fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:01-05-2014
Ran by UserA at 2014-05-04 09:20:40 Run:1
Running from C:\Documents and Settings\UserA\Desktop\Farbar Rcovery Scan Tool 32 Bit
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

HKLM\...\Run: [UserFaultCheck] => %systemroot%\system32\dumprep 0 -u
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} URL =
SearchScopes: HKCU - {88109753-7735-420f-98B4-1A3521EF3D27} URL = http://search.speedbit.com/searchresults.asp?src=default&q={searchTerms}
Toolbar: HKCU - No Name - {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} -  No File
Toolbar: HKCU - No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\34.0.1847.131\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (NPLastPass) - C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.90.5_0\nplastpass.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S3 AsrCDDrv; \??\C:\WINDOWS\system32\Drivers\AsrCDDrv.sys [X]
S3 efavdrv; \??\C:\WINDOWS\system32\drivers\efavdrv.sys [X]
S3 esihdrv; \??\C:\DOCUME~1\UserA\LOCALS~1\Temp\esihdrv.sys [X]
S3 gttap1; system32\DRIVERS\gttap1.sys [X]
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
AlternateDataStreams: C:\WINDOWS:B12169B4D8777DE2
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0CB6E0BD
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0FF263E8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:F35A93AD

end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\UserFaultCheck => Value deleted successfully.
Default URLSearchHook was restored successfully .
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{88109753-7735-420f-98B4-1A3521EF3D27} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{88109753-7735-420f-98B4-1A3521EF3D27} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4A1C6093-14F9-44D7-860E-5D265CFCA9D9} => Value deleted successfully.
HKCR\CLSID\{4A1C6093-14F9-44D7-860E-5D265CFCA9D9} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => Value deleted successfully.
HKCR\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} => Value deleted successfully.
HKCR\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
HKCR\PROTOCOLS\Handler\ic32pp => Key deleted successfully.
HKCR\CLSID\{BBCA9F81-8F4F-11D2-90FF-0080C83D3571} => Key deleted successfully.
C:\Program Files\Google\Chrome\Application\34.0.1847.131\gcswf32.dll not found.
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll not found.
C:\Documents and Settings\UserA\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.90.5_0\nplastpass.dll not found.
C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll not found.
C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
AsrCDDrv => Service deleted successfully.
efavdrv => Service deleted successfully.
esihdrv => Service deleted successfully.
gttap1 => Service deleted successfully.
Lbd => Service deleted successfully.
C:\WINDOWS => ":B12169B4D8777DE2" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":0CB6E0BD" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":0FF263E8" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":5C321E34" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":A8ADE5D8" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":A9662AE0" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":DFC5A2B2" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":F35A93AD" ADS removed successfully.

==== End of Fixlog ====
 

And the checkup.txt:

 

 Results of screen317's Security Check version 0.99.82  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
ESET NOD32 Antivirus 7.0   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 KeywordSpy SEO/PPC Plug-in (remove only)
 SEO SpyGlass    
 Spybot - Search & Destroy
 Azon Spy    
 Java 7 Update 55  
 Adobe Flash Player     13.0.0.206  
 Mozilla Firefox (28.0)
 Google Chrome 34.0.1847.116  
 Google Chrome 34.0.1847.131  
 Google Chrome Plugins...  
````````Process Check: objlist.exe by Laurent````````  
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````

 

Hope that's OK
 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 04 May 2014 - 08:18 AM

Sorry it should read
Run the tool and remove all that is found.

Any remaining issues with this computer?

#7 JoeWatson

JoeWatson
  • Topic Starter

  • Members
  • 109 posts
  • OFFLINE
  • Local time:06:07 PM

Posted 04 May 2014 - 09:58 AM

Hello nasdaq

 

No other issues.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 04 May 2014 - 12:26 PM

Glad we could help.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 AM

Posted 04 May 2014 - 12:26 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



