
What kind of malware was Manipulating my virus protections? Is it truly gone?


  • This topic is locked
12 replies to this topic

#1 Alyab123


Posted 09 May 2014 - 02:54 AM

I started out in the "Am I infected" forum a few days ago. Condobloke asked me to run rkill, tdsskiller, Malwarebytes, and AdwCleaner, but I don't know if he found anything. He had asked me to run JRT, but I never got to that. As the situation kept changing it began to get confusing. Eventually, I was referred here for more intensive help. I am telling this long-winded story because you ask for as much information as possible, and I think the mixed-up order of events may be significant. My post was much longer, but I worked hard to reduce it to just the technical facts! It is possible that all is already resolved, but I don't know how to tell.

I first noticed that something was wrong when I logged on to my PC on Thursday morning, May 1, finding my Windows Firewall was turned off and my Avast Free protection was disabled without allowing me access to it - not even in safe mode. I tried to run Malwarebytes, but it got corrupted. I did run SuperAntiSpyware, which just found a few innocuous adware trackers.
 
I tried a bunch of system restores, and finally one of them worked. I have many, due to all the installing and uninstalling I have done. So Friday afternoon I got back my virus protection, reinstalled Malwarebytes, and ran both. They found nothing. Sunday, after a reboot of my PC, the Avast antivirus was again disabled, despite my having added password protection to it and checking all startup items in msconfig very carefully. I don't remember everything I tried! I stayed offline most of the day, posting questions only from a friend's PC down the street!
 
Sunday night, Malwarebytes finally quarantined 3 registry values by vendors:
PUP.Optional.InstallBrain.A - an HKU\......\NLT|URL, and 2 instances of PUP.Optional.SweetPacks.A - which were related to Firefox\Extensions\.
 
I did not know if this was all, so I ran a portable Emsisoft Emergency Kit I had downloaded to a flash drive at my friend's house. It didn't find anything else, but I was not convinced I was done. I ran SuperAntiSpyware again, and this time it found an Adware.Tracking Cookie:
    secure-us.imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\BAILA\APPLICATION DATA\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\KW8BWQH6 ]
 
Feeling vulnerable, I reinstalled ZoneAlarm again, but this time it didn't prevent me from doing anything, except asking me if I want my IP address public or private. I was able to get online too, with no problems or alerts, and I wondered if it was even working at all. When I checked the Application Control, almost everything was marked "Trusted". I didn't set that up, nor was I prompted or alerted of any network activity.

At a certain point, although I hadn't found any "serious" malware, the virus software stopped getting disabled. I don't know if any of these "low risk" items were the culprit, and I am not reassured that everything is gone from my computer.
 
Now I run a boot scan almost every time I have to reboot my PC. Avast found a bunch of "hidden files" in the rootkit scan, in what seems to be restore points. The log said they would be repaired at the next system start, but at that point I was afraid to turn off my computer! Eventually, when I did, the log showed a bunch of attempts to scan a particular System Volume, but the "Archive was password protected". These files also seem to be in system restore points. All this while I've been enabling and disabling my network connection, in order to look for and ask for assistance, update my virus software, and post in this forum, yet staying offline as much as possible.

Nothing terrible seemed to be happening since the middle of this week, except that a random folder on my desktop started opening automatically whenever I log on. I don't know where the setting for this is, or if it is being activated by something still on my PC. In addition my PC became significantly slower, and I removed ZoneAlarm yet again in case it was the culprit. But it didn't make much of a difference. I think that the hard drive is working harder, spinning longer than it did before this mess. There's a lot of whirring going on when the PC boots. Anyway, the firewall, using its own settings, seemed to have become too liberal in its control of the traffic on my PC for some mysterious reason. If my PC proves to be clean, I will deal with that in the appropriate forum.
 
Finally, yesterday, I ran a portable ClamAV from a flash drive. It was denied permission to scan another group of files, and then it found a trojan:

C:\DELL\drivers\R133281\IDE\WinXP\sataraid\nvraid.sys: Win.Trojan.Agent-145770 FOUND
 
I searched for the file, and it has not been deleted. Apparently 50% of the virus protection programs consider it trojan malware and 50% think it's fine and related to Nvidia (see these links).
 
I don't know if I should delete this system file or not. Is this a necessary system file, or is it the cause of the havoc that was going on for a few days?

https://www.virustotal.com/en/file/be370d20ca813d766e1ee75ab83422739405d53f64839652ad3a542dcfb45ac0/analysis/

and
http://www.herdprotect.com/nvraid.sys-9c2e93bdc091fac395dc44c0868d1943fb2e35ba.aspx
 
I wrote this over the last day and a half, and I'm finally pasting it in here. My attention, and this post, was delayed by the fact that I was trying unsuccessfully to create a rescue disk for Macrium Reflect, to recover my disk image if necessary. I will take care of my other issues in the pertinent forums.
 
I realize that the symptoms are basically gone. It doesn't seem very complicated anymore. At this point, I guess I just want some clarity: Was this a serious infiltration, or not? Were those PUPs capable of taking control of my anti-malware programs? If yes, is there any residue left on my PC? Was this an infiltration due to the new vulnerability of XP, or were these PUPs just things that come from time to time? Do I or do I not have a Trojan!
 
I need to make sure that my PC is clean... if possible. Once that is off my head, I will be looking into running Linux off a stick, or a partition on my hard drive, and keep XP completely separated from the web.

I'm attaching the logs as you requested:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Baila Admin at 23:08:48 on 2014-05-08
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1169 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
mStart Page = hxxp://www.google.com
uProxyOverride = <local>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSystemDetect] c:\documents and settings\baila admin\local settings\apps\2.0\xewxvdbo.c64\75w2to52.tv1\dell..tion_0f612f649c4a10af_0005.0007_59de4fd2458fcaec\DellSystemDetect.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ZoneAlarm] c:\program files\checkpoint\zonealarm\zatray.exe
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - <orphaned>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: dell.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245387491250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341524095046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.8.1
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : DHCPNameServer = 192.168.8.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - <orphaned>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.131\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\baila admin\application data\mozilla\firefox\profiles\youl8nq2.default user\
FF - prefs.js: browser.search.selectedEngine - Search By ZoneAlarm
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_206.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=HFA5&Lan={dfltLng}&gu=b32be9b93d684dd8843b7d9ee99f2664&tu=10G9y00Dp2D13P0&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 1c53481d000000000000001372392ab3
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 16197
FF - user.js: extensions.zonealarm.vrsn - 1.8.29.17
FF - user.js: extensions.zonealarm.vrsni - 1.8.29.17
FF - user.js: extensions.zonealarm.vrsnTs - 1.8.29.172:41:18
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm.smplGrp - NewUSR
FF - user.js: extensions.zonealarm.tlbrId - HFA5
FF - user.js: extensions.zonealarm.instlRef - ZLN122995913566701-1001
FF - user.js: extensions.zonealarm.dfltLng - EN
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.ffxUnstlRst - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm.rvrt - false
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.kw_url - hxxp://search.zonealarm.com/search?src=sp&tbid=HFA5&Lan=EN&gu=b32be9b93d684dd8843b7d9ee99f2664&tu=10G9y00Dp2D13P0&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.dnsErr - true
FF - user.js: extensions.zonealarm.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-7-3 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-7-3 180632]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-19 13560]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2013-6-28 16504]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-7-3 776976]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-7-3 411552]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2014-1-24 90200]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2014-4-25 534152]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-10 120088]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-5-4 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2013-7-3 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-7-3 50344]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2014-1-24 1715416]
R2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2014-4-22 605168]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe [2014-4-25 3592120]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\checkpoint\zonealarm\ZAPrivacyService.exe [2014-4-9 92176]
S1 A2DDA;A2 Direct Disk Access Support Driver;\??\f:\new folder\run\a2ddax86.sys --> f:\new folder\run\a2ddax86.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cleanhlp;cleanhlp;\??\f:\new folder\run\cleanhlp32.sys --> f:\new folder\run\cleanhlp32.sys [?]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-1-7 33616]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-5-4 50648]
S3 PSMounterEx;Macrium Reflect Image Explorer Driver;c:\windows\system32\drivers\psmounterex.sys [2013-8-1 65144]
S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [2013-6-28 13432]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
S3 WIMMount;WIMMount;c:\program files\macrium\reflect\wimmount.sys [2014-5-8 19024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
.
=============== Created Last 30 ================
.
2014-05-08 06:49:07    --------    d-----w-    c:\documents and settings\all users\application data\Macrium
2014-05-07 07:26:03    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\PCHealth
2014-05-07 06:51:23    --------    d-----w-    C:\187614ccc908693076
2014-05-07 06:40:52    --------    d-----w-    c:\program files\CheckPoint
2014-05-06 00:05:15    --------    d-----w-    C:\e60f7c6a8bd038d030cab7531ea12d
2014-05-05 10:04:01    199544    ----a-w-    C:\Tcpvcon.exe
2014-05-05 10:01:29    --------    d-----w-    c:\program files\TCPView
2014-05-05 09:45:07    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\Paint.NET
2014-05-05 09:35:44    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\Secunia PSI
2014-05-05 05:10:29    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\Deployment
2014-05-05 04:53:43    --------    d-----w-    c:\program files\Speccy
2014-05-05 03:05:32    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-05 03:05:14    50648    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-05 03:05:14    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-05-05 03:05:14    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-05-05 02:21:03    --------    d-----w-    C:\5f28ff4c13839aa1f7db84a9f9208b5e
2014-05-05 01:28:26    965232    ----a-w-    c:\program files\mozilla firefox\icuuc52.dll
2014-05-05 01:28:26    1266800    ----a-w-    c:\program files\mozilla firefox\icuin52.dll
2014-05-05 01:28:26    10594416    ----a-w-    c:\program files\mozilla firefox\icudt52.dll
2014-05-05 00:42:09    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2014-05-05 00:42:09    --------    d-----w-    c:\windows\system32\wbem\Repository
2014-05-05 00:21:09    24184    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-05-05 00:20:39    43152    ----a-w-    c:\windows\avastSS.scr
2014-05-02 12:11:52    --------    d-----w-    c:\documents and settings\baila admin\application data\Auslogics
2014-04-29 08:00:54    17931952    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-04-24 23:54:22    --------    d-----w-    C:\Share across operating systems
2014-04-09 03:54:01    --------    d-----w-    C:\71786299e9640aa8a1f2
2014-04-09 03:35:41    --------    d-----w-    C:\c7af9bd919cffe04339e326ca842f631
.
==================== Find3M  ====================
.
2014-05-05 00:20:51    776976    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-05-05 00:20:51    180632    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-05-05 00:20:49    67824    ----a-w-    c:\windows\system32\drivers\aswmonflt.sys
2014-05-05 00:20:49    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-04-29 08:01:02    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-29 08:01:02    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-04-07 10:14:34    1426178    ----a-w-    c:\program files\adwcleaner.exe
2014-03-06 17:59:23    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 17:59:22    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-03-06 17:59:22    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-03-06 17:59:22    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-03-06 00:46:54    385024    ----a-w-    c:\windows\system32\html.iec
2014-02-26 01:59:05    13312    ------w-    c:\windows\system32\xp_eos.exe
.
============= FINISH: 23:09:21.81 ===============
 
 
 
Mod EDIT: Merged posts ~boopme


I think I may have broken a rule: I have been using my PC since I posted here, including installing and uninstalling Comodo Firewall with included junkware, running my virus software, and I currently have Online Armor installed, although I'm not sure it's configured properly.
 
Just in case, I am running those logs again, and posting the updated results. I truly apologize for my impatience. I am just trying to secure my PC as much as is possible, until I can get online without Windows XP. I don't know if I have any script-blocking software.
 
dds.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Baila Admin at 1:01:22 on 2014-05-12
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1170 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Online Armor\OAui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Macrium\Reflect\Reflect.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
mStart Page = hxxp://www.google.com
uProxyOverride = <local>
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [@OnlineArmor GUI] "c:\program files\online armor\OAui.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - <orphaned>
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: dell.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245387491250
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341524095046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.8.1
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : NameServer = 192.168.8.1
TCP: Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A} : DHCPNameServer = 192.168.8.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\belarcadvisor\system\BAVoilaX.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - <orphaned>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - c:\program files\online armor\oaevent.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.131\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\baila admin\application data\mozilla\firefox\profiles\youl8nq2.default user\
FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_206.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=HFA5&Lan={dfltLng}&gu=e4cf83901aca4938b6cf0c6b9be10a00&tu=10G9y00Dr2D13P0&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 1c53481d000000000000001372392ab3
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 16199
FF - user.js: extensions.zonealarm.vrsn - 1.8.29.17
FF - user.js: extensions.zonealarm.vrsni - 1.8.29.17
FF - user.js: extensions.zonealarm.vrsnTs - 1.8.29.1712:56:16
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm.smplGrp - NewUSR
FF - user.js: extensions.zonealarm.tlbrId - HFA5
FF - user.js: extensions.zonealarm.instlRef - ZLN123029654877967-1001
FF - user.js: extensions.zonealarm.dfltLng - EN
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.ffxUnstlRst - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm.rvrt - false
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.kw_url - hxxp://search.zonealarm.com/search?src=sp&tbid=HFA5&Lan=EN&gu=e4cf83901aca4938b6cf0c6b9be10a00&tu=10G9y00Dr2D13P0&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.dnsErr - true
FF - user.js: extensions.zonealarm.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-7-3 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-7-3 180632]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-19 13560]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2013-6-28 16504]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-7-3 776976]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-7-3 411552]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2014-1-24 90200]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2014-5-11 210360]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2014-5-11 44984]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2014-5-11 34856]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2014-5-11 31912]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-10 120088]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-5-4 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswmonflt.sys [2013-7-3 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-7-3 50344]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2014-1-24 1715416]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2014-5-11 584864]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2014-5-11 4457688]
S1 A2DDA;A2 Direct Disk Access Support Driver;\??\f:\new folder\run\a2ddax86.sys --> f:\new folder\run\a2ddax86.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 cleanhlp;cleanhlp;\??\f:\new folder\run\cleanhlp32.sys --> f:\new folder\run\cleanhlp32.sys [?]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-1-7 33616]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-5-4 50648]
S3 PSMounterEx;Macrium Reflect Image Explorer Driver;c:\windows\system32\drivers\psmounterex.sys [2013-8-1 65144]
S3 PSVolAcc;PSVolAcc;c:\windows\system32\drivers\PSVolAcc.sys [2013-6-28 13432]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
S3 WIMMount;WIMMount;c:\program files\macrium\reflect\wimmount.sys [2014-5-8 19024]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S4 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2014-4-22 605168]
S4 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
.
=============== Created Last 30 ================
.
2014-05-11 22:28:58    --------    d-----w-    c:\documents and settings\all users\application data\Comodo
2014-05-11 21:20:56    --------    d-----w-    c:\documents and settings\baila admin\application data\OnlineArmor
2014-05-11 21:20:56    --------    d-----w-    c:\documents and settings\all users\application data\OnlineArmor
2014-05-11 21:20:38    44984    ----a-w-    c:\windows\system32\drivers\oahlp32.sys
2014-05-11 21:20:38    34856    ----a-w-    c:\windows\system32\drivers\OAmon.sys
2014-05-11 21:20:38    31912    ----a-w-    c:\windows\system32\drivers\OAnet.sys
2014-05-11 21:20:37    210360    ----a-w-    c:\windows\system32\drivers\OADriver.sys
2014-05-11 21:20:28    --------    d-----w-    c:\program files\Online Armor
2014-05-11 20:38:58    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2014-05-11 20:38:58    --------    d-----w-    c:\windows\system32\wbem\Repository
2014-05-11 20:30:12    22951    ----a-w-    c:\program files\CIS Clean-up Tool.bat
2014-05-11 09:55:32    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\AdTrustMedia
2014-05-11 09:55:31    1700352    ----a-w-    c:\windows\system32\gdiplus.dll
2014-05-11 09:50:52    --------    d-----w-    c:\documents and settings\all users\application data\Adtrustmedia
2014-05-11 08:50:54    3840    ----a-w-    c:\windows\system32\drivers\BANTExt.sys
2014-05-11 08:50:53    --------    d-----w-    c:\program files\Belarc
2014-05-09 17:05:37    --------    d-----w-    C:\85eb7d713512de4f1e951c08ce29
2014-05-08 06:49:07    --------    d-----w-    c:\documents and settings\all users\application data\Macrium
2014-05-07 07:26:03    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\PCHealth
2014-05-07 06:51:23    --------    d-----w-    C:\187614ccc908693076
2014-05-06 00:05:15    --------    d-----w-    C:\e60f7c6a8bd038d030cab7531ea12d
2014-05-05 10:04:01    199544    ----a-w-    C:\Tcpvcon.exe
2014-05-05 10:01:29    --------    d-----w-    c:\program files\TCPView
2014-05-05 09:45:07    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\Paint.NET
2014-05-05 09:35:44    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\Secunia PSI
2014-05-05 05:10:29    --------    d-----w-    c:\documents and settings\baila admin\local settings\application data\Deployment
2014-05-05 04:53:43    --------    d-----w-    c:\program files\Speccy
2014-05-05 03:05:32    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-05 03:05:14    50648    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-05 03:05:14    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-05-05 03:05:14    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-05-05 02:21:03    --------    d-----w-    C:\5f28ff4c13839aa1f7db84a9f9208b5e
2014-05-05 00:21:09    24184    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-05-05 00:20:39    43152    ----a-w-    c:\windows\avastSS.scr
2014-05-02 12:11:52    --------    d-----w-    c:\documents and settings\baila admin\application data\Auslogics
2014-04-29 08:00:54    17931952    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2014-04-24 23:54:22    --------    d-----w-    C:\Share across operating systems
.
==================== Find3M  ====================
.
2014-05-05 00:20:51    776976    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-05-05 00:20:51    180632    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-05-05 00:20:49    67824    ----a-w-    c:\windows\system32\drivers\aswmonflt.sys
2014-05-05 00:20:49    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-04-29 08:01:02    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-29 08:01:02    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-04-07 10:14:34    1426178    ----a-w-    c:\program files\adwcleaner.exe
2014-03-06 17:59:23    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 17:59:22    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-03-06 17:59:22    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-03-06 17:59:22    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-03-06 00:46:54    385024    ----a-w-    c:\windows\system32\html.iec
2014-02-26 01:59:05    13312    ------w-    c:\windows\system32\xp_eos.exe
.
============= FINISH:  1:02:35.06 ===============


Edited by boopme, 13 May 2014 - 09:17 AM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,215 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:03 AM

Posted 13 May 2014 - 10:30 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

Let me know what problem persists.
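
One way to read the AdwCleaner[Sn].txt report this post asks for, as an added example that is not part of the thread or of AdwCleaner itself: a Python parser for the v3 clean-report format that tallies Deleted versus "[x] Not Deleted" lines per section, so a reader can tell whether a clean actually finished instead of guessing from the progress gauge. The embedded sample report is constructed in the same shape as the log posted later in this thread; it is not the full log.

```python
"""Triage an AdwCleaner v3 clean report: what was removed, and what was left behind."""
import re
from collections import Counter
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")   # ***** [ Registry ] *****
BROWSER_RE = re.compile(r"^-\\\\ (?P<browser>.+)$")               # -\\ Google Chrome v34...
PROFILE_RE = re.compile(r"^\[ File : (?P<path>.+) \]$")           # [ File : ...\prefs.js ]
ENTRY_RE = re.compile(
    r"^(?:\[x\] )?"                            # AdwCleaner prefixes failures with "[x] "
    r"(?:(?P<kind>(?!Not )[A-Za-z]+) )?"      # File / Folder / Key / Value ... (absent on failures)
    r"(?P<status>Not Deleted|Deleted)"
    r"(?: \[(?P<tag>[^\]]+)\])?"              # e.g. "[Search Provider]" in the Browsers section
    r" : (?P<item>.+)$"
)

# Constructed sample in the shape of the AdwCleaner report quoted in this thread (not the full log).
SAMPLE_REPORT = r"""
# AdwCleaner v3.208 - Report created 14/05/2014 at 05:22:14
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Documents and Settings\All Users\Application Data\uninstaller.exe
[x] Not Deleted : C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\o97t84xm.default\user.js

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole
[x] Not Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool

***** [ Browsers ] *****

-\\ Google Chrome v34.0.1847.131

[ File : C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : http://www.ask.com/web?q={searchTerms}
"""


@dataclass
class Entry:
    section: str
    status: str            # "Deleted" or "Not Deleted"
    item: str              # path, registry key or URL
    kind: str = ""         # File / Folder / Key / Value when AdwCleaner prints one
    tag: str = ""          # e.g. "Search Provider"
    browser: str = ""      # Browsers section only
    profile: str = ""      # Browsers section only: the prefs/preferences file that was edited


def parse_report(text):
    """Return one Entry per Deleted / Not Deleted line, with its section and browser context."""
    entries, section, browser, profile = [], "", "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and the "# ..." header block
            continue
        if m := SECTION_RE.match(line):
            section, browser, profile = m.group("name"), "", ""
        elif m := BROWSER_RE.match(line):
            browser, profile = m.group("browser"), ""
        elif m := PROFILE_RE.match(line):
            profile = m.group("path")
        elif m := ENTRY_RE.match(line):
            entries.append(Entry(section, m.group("status"), m.group("item"),
                                 m.group("kind") or "", m.group("tag") or "",
                                 browser, profile))
    return entries


def summarize(entries):
    """Per-section Counter of Deleted vs Not Deleted; sections with no entries are omitted."""
    summary = {}
    for e in entries:
        summary.setdefault(e.section, Counter())[e.status] += 1
    return summary


def leftovers(entries):
    """Items marked '[x] Not Deleted': AdwCleaner reported them but could not remove them."""
    return [e for e in entries if e.status == "Not Deleted"]


def clean_completed(entries):
    """True only when every reported item was actually deleted."""
    return not leftovers(entries)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for section, counts in summarize(found).items():
        print(f"{section}: {dict(counts)}")
    for e in leftovers(found):
        print(f"LEFT BEHIND [{e.section}] {e.item}")
    print("clean completed:", clean_completed(found))
```

Anything the script lists as left behind is what the helper would want to see in the posted log, since those items are still on the machine after the clean.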

#3 Alyab123

Alyab123
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 AM

Posted 14 May 2014 - 06:51 AM

Thank you boopme for merging my posts.


Hi, nasdaq. You requested that I run malwarebytes and export the log, but you didn't say whether I should copy it to here.

I'm posting it in purple, so if you don't want or need it, you can just skip all the purple text!


Malwarebytes Anti-Malware log:

Scan Date: 5/13/2014
Scan Time: 6:39:25 PM
Logfile: mbam scan.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.13.15
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Pessy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 427001
Time Elapsed: 29 min, 11 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Upon creating the text log for this scan, I discovered logs for a bunch of previous Malwarebytes scans. The one relevant one, from Sunday May 4 in the evening, shows registry entries that it deleted. If this information would be helpful, please let me know if I should copy/paste that log into this thread.

_____________________________________

Please note, AdwCleaner hung and froze my PC at about 80% of the clean. I had to do a hard shutdown, using the power button on the desktop. This actually happened 2 times.

Since I found the "clean" log file, I presume the clean was done anyway, but I can't tell for sure if it's complete. 20% of the gauge was not yet "cleaned" when the computer froze, twice!

I don't see or feel any repercussions yet.

AdwCleaner[S1].txt:

# AdwCleaner v3.208 - Report created 14/05/2014 at 05:22:14
# Updated 11/05/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Pessy - BAILA
# Running from : C:\Documents and Settings\Pessy\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Documents and Settings\All Users\Application Data\uninstaller.exe
[x] Not Deleted : C:\Documents and Settings\Baila Admin\Application Data\Mozilla\Firefox\Profiles\o97t84xm.default\user.js
[x] Not Deleted : C:\Documents and Settings\Baila Admin\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\user.js
[x] Not Deleted : C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\o97t84xm.default\user.js
[x] Not Deleted : C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\oejkcgajlodefenbbjdnaiahmbnnoole
[x] Not Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
[x] Not Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
[x] Not Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
[x] Not Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{13086CD4-88B6-45E3-9182-3BC2664199F7}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{1FCD7139-C2A3-49AD-8B9E-E82E48AE5DF6}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{319FCB76-1568-4EFA-863B-B03A2B16EB5C}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{4796719D-2B92-47BC-920B-77BCDBDBCB6A}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{64A66B25-A70F-4373-95EF-3A1DB6040B3A}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{6FC5F7E0-D65A-465C-B8EE-A5F8E008D6DF}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{731D436C-464C-4F29-BFB2-DE9C458535AE}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{7C89C8A6-991C-4626-9E26-B12EB4D89C04}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEF00686-CAB8-4885-9CCB-78FF483041AA}
[x] Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{FDA55C78-736E-4E8A-996C-4A80FC0396FB}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{300BEC06-B743-4D19-86B9-11DC711D7FFB}
[x] Not Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Documents and Settings\Administrator.BAILA\Application Data\Mozilla\Firefox\Profiles\a6yh2qnj.default\prefs.js ]


[ File : C:\Documents and Settings\Baila\Application Data\Mozilla\Firefox\Profiles\aw7013lz.default-1380767280765\prefs.js ]


[ File : C:\Documents and Settings\Baila Admin\Application Data\Mozilla\Firefox\Profiles\o97t84xm.default\prefs.js ]


[ File : C:\Documents and Settings\Baila Admin\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\prefs.js ]


[ File : C:\Documents and Settings\bailap\Application Data\Mozilla\Firefox\Profiles\3gj9ppb8.default\prefs.js ]


[ File : C:\Documents and Settings\bailap\Application Data\Mozilla\Firefox\Profiles\9b722wuy.default\prefs.js ]


[ File : C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\o97t84xm.default\prefs.js ]


[ File : C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\prefs.js ]


-\\ Google Chrome v34.0.1847.131

[ File : C:\Documents and Settings\Baila\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10045&barid={DB8188AD-E4BD-11E2-8998-001372392AB3}
Deleted [Search Provider] : http://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : http://www.ask.com/web?q={searchTerms}

[ File : C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : http://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : http://www.ask.com/web?q={searchTerms}

_________________________________________

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:11-05-2014 01
Ran by Pessy (administrator) on BAILA on 14-05-2014 06:18:55
Running from C:\Documents and Settings\Pessy\Desktop\First.exe tool
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Emsisoft GmbH) C:\Program Files\Online Armor\oacat.exe
(Emsisoft GmbH) C:\Program Files\Online Armor\oasrv.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Blue Coat Systems, Inc.) C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
(Microsoft Corporation) C:\WINDOWS\system32\snmp.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
(Emsisoft GmbH) C:\Program Files\Online Armor\oaui.exe
(Emsisoft GmbH) C:\Program Files\Online Armor\oahlp.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3873704 2014-05-04] (AVAST Software)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [@OnlineArmor GUI] => C:\Program Files\Online Armor\OAui.exe [7558464 2013-10-11] (Emsisoft GmbH)
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1454471165-1844237615-839522115-1062\...\Policies\Explorer: [NoFolderOptions] 0

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x868C7B177000CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {2D59A26F-65DA-4A5C-AFEF-96E62977B847} URL =
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1245387491250
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
ShellExecuteHooks: OA Shell Helper - {4F07DA45-8170-4859-9B5F-037EF2970034} - C:\Program Files\Online Armor\oaevent.dll [1033968 2013-10-11] (Emsisoft GmbH)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Tcpip\Parameters: [DhcpNameServer] 192.168.8.1
Tcpip\..\Interfaces\{075DE905-E2AF-483E-AC0D-DC1AE56EFD9A}: [NameServer]192.168.8.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User
FF user.js: detected! => C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\user.js
FF NewTab: https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF DefaultSearchEngine: Startpage HTTPS
FF SelectedSearchEngine: Startpage HTTPS
FF Homepage: https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.450 - C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll No File
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
FF Plugin: @real.com/nprpjplug;version=6.0.12.448 - C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\searchplugins\startpage-https.xml
FF Extension: DoNotTrackMe: Online Privacy Protection - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\Extensions\donottrackplus@abine.com [2014-05-13]
FF Extension: WOT - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-05-13]
FF Extension: Adblock Plus - C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-05-13]
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

Chrome:
=======
CHR HomePage:
CHR Extension: (Google Docs) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-05-14]
CHR Extension: (Google Drive) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-14]
CHR Extension: (YouTube) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-05-14]
CHR Extension: (Google Search) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-05-14]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-14]
CHR Extension: (Gmail) - C:\Documents and Settings\Pessy\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-05-14]
CHR HKCU\...\Chrome\Extension: [cmaiofennmphjldldcpphcechfnnohja] - C:\Documents and Settings\Baila Admin\Local Settings\Application Data\AdTrustMedia\PrivDog\PrivDog_chrome.crx [2014-05-14]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)
R2 6to4; C:\WINDOWS\System32\6to4svc.dll [100864 2010-02-12] (Microsoft Corporation)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-05-04] (AVAST Software)
R2 bckwfs; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [1715416 2014-01-24] (Blue Coat Systems, Inc.)
R2 OAcat; C:\Program Files\Online Armor\OAcat.exe [584864 2013-10-11] (Emsisoft GmbH)
S4 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [605168 2014-04-22] (Paramount Software UK Ltd)
R2 SvcOnlineArmor; C:\Program Files\Online Armor\oasrv.exe [4457688 2013-10-11] (Emsisoft GmbH)
S3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [X]

==================== Drivers (Whitelisted) ====================

R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-05-04] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [67824 2014-05-04] (AVAST Software)
R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [54832 2014-05-04] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-05-04] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [776976 2014-05-04] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [411552 2014-05-04] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57672 2014-05-04] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [180632 2014-05-04] ()
R1 bckd; C:\WINDOWS\System32\drivers\bckd.sys [90200 2014-01-24] (Blue Coat Systems, Inc.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 gfiark; C:\WINDOWS\System32\drivers\gfiark.sys [33616 2012-12-17] (GFI Software)
R0 gfibto; C:\WINDOWS\System32\drivers\gfibto.sys [13560 2013-06-30] (GFI Software)
S4 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2007-07-10] (HP)
S4 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2007-07-10] (HP)
S4 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2007-07-10] (HP)
S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [50648 2014-05-05] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [107736 2014-05-13] (Malwarebytes Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R1 OADevice; C:\WINDOWS\system32\drivers\OADriver.sys [210360 2013-10-11] ()
R1 oahlpXX; C:\WINDOWS\system32\drivers\oahlp32.sys [44984 2013-10-11] ()
R1 OAmon; C:\WINDOWS\system32\drivers\OAmon.sys [34856 2013-10-11] (Emsisoft)
R1 OAnet; C:\WINDOWS\system32\drivers\OAnet.sys [31912 2013-10-11] (Emsisoft)
S3 PAC7302; C:\WINDOWS\System32\DRIVERS\PAC7302.SYS [458752 2007-11-08] (PixArt Imaging Inc.)
S3 PSMounterEx; C:\WINDOWS\system32\drivers\psmounterex.sys [65144 2013-08-01] (Paramount Software UK Ltd)
R0 pssnap; C:\WINDOWS\System32\DRIVERS\pssnap.sys [16504 2013-06-28] (Macrium Software)
S3 PSVolAcc; C:\WINDOWS\system32\Drivers\PSVolAcc.sys [13432 2013-06-28] (Paramount Software UK Ltd)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1171464 2006-07-27] (SigmaTel, Inc.)
R1 Tcpip6; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
S3 WIMMount; C:\Program Files\Macrium\Reflect\wimmount.sys [19024 2014-05-08] (Microsoft Corporation)
S1 A2DDA; \??\F:\NEW FOLDER\RUN\a2ddax86.sys [X]
S3 cleanhlp; \??\F:\New folder\Run\cleanhlp32.sys [X]
S4 IntelIde; No ImagePath
S4 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-05-14 06:16 - 2014-05-14 06:18 - 00000000 ____D () C:\FRST
2014-05-14 06:14 - 2014-05-14 06:18 - 00000000 ____D () C:\Documents and Settings\Pessy\Desktop\First.exe tool
2014-05-14 06:00 - 2014-05-14 05:22 - 00005126 _____ () C:\Documents and Settings\Pessy\Desktop\AdwCleaner[S1].txt
2014-05-14 04:28 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\WINDOWS\system32\sqlite3.dll
2014-05-14 04:27 - 2014-05-14 05:44 - 00000000 ____D () C:\AdwCleaner
2014-05-14 04:26 - 2014-05-14 04:26 - 01325827 _____ () C:\Documents and Settings\Pessy\Desktop\AdwCleaner.exe
2014-05-14 04:24 - 2014-05-14 04:24 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Google
2014-05-14 01:13 - 2014-05-14 01:13 - 00001054 _____ () C:\Documents and Settings\Pessy\Desktop\mbam scan.txt
2014-05-13 06:27 - 2014-05-13 06:27 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Apple
2014-05-13 06:26 - 2014-05-13 06:26 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Apple Computer
2014-05-13 06:21 - 2014-05-13 06:21 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Mozilla
2014-05-13 06:02 - 2014-05-04 20:05 - 00000085 _____ () C:\Documents and Settings\Pessy\Application Data\mbam.context.scan
2014-05-13 06:01 - 2014-05-12 01:02 - 00020444 _____ () C:\Documents and Settings\Pessy\Desktop\attach.txt
2014-05-13 06:01 - 2014-05-08 23:09 - 00021176 _____ () C:\Documents and Settings\Pessy\Desktop\attach1.txt
2014-05-13 06:01 - 2014-05-08 05:02 - 00001992 _____ () C:\Documents and Settings\Pessy\Application Data\wklnhst.dat
2014-05-13 05:59 - 2014-05-13 04:13 - 00000242 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to Internet Options.lnk
2014-05-13 05:59 - 2014-05-12 19:25 - 00001632 _____ () C:\Documents and Settings\Pessy\Desktop\Update Checker.lnk
2014-05-13 05:59 - 2014-05-12 01:02 - 00014735 _____ () C:\Documents and Settings\Pessy\Desktop\dds.txt
2014-05-13 05:59 - 2014-05-09 15:52 - 00000394 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to Shared Documents.lnk
2014-05-13 05:59 - 2014-05-08 23:09 - 00013962 _____ () C:\Documents and Settings\Pessy\Desktop\dds1.txt
2014-05-13 05:59 - 2014-05-08 20:50 - 00002037 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to SUPERAntiSpyware Scan Log - 05-01-2014 - 20-34-49.log.lnk
2014-05-13 05:59 - 2014-05-08 10:02 - 00688992 ____R (Swearware) C:\Documents and Settings\Pessy\Desktop\dds.com
2014-05-13 05:59 - 2014-05-07 09:18 - 00003235 _____ () C:\Documents and Settings\Pessy\Desktop\clamav_report_070514_091843.txt
2014-05-13 05:59 - 2014-05-07 00:03 - 04164448 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe
2014-05-13 05:59 - 2014-05-06 22:06 - 00003138 _____ () C:\Documents and Settings\Pessy\Desktop\Rkill.txt
2014-05-13 05:59 - 2014-05-06 21:03 - 01933048 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Pessy\Desktop\rkill.exe
2014-05-13 05:59 - 2014-05-05 19:17 - 00003072 ___SH () C:\Documents and Settings\Pessy\Desktop\Thumbs.db
2014-05-13 05:59 - 2014-05-05 18:58 - 00033348 _____ () C:\Documents and Settings\Pessy\Desktop\Full system scan.txt
2014-05-13 05:59 - 2014-05-05 05:48 - 00000499 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to downloads.lnk
2014-05-13 05:59 - 2014-04-06 03:58 - 00000402 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to Local Area Connection.lnk
2014-05-13 05:59 - 2014-01-20 07:13 - 00000611 _____ () C:\Documents and Settings\Pessy\Desktop\NTREGOPT.lnk
2014-05-13 05:59 - 2014-01-20 07:13 - 00000592 _____ () C:\Documents and Settings\Pessy\Desktop\ERUNT.lnk
2014-05-13 05:59 - 2014-01-14 04:25 - 00000771 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to cleanmgr.exe.lnk
2014-05-13 05:59 - 2013-12-29 22:03 - 00001559 _____ () C:\Documents and Settings\Pessy\Desktop\The Extractor.lnk
2014-05-13 05:59 - 2013-12-29 20:17 - 00000917 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to Revouninstaller.exe.lnk
2014-05-13 05:59 - 2001-11-24 05:01 - 00004090 _____ () C:\Documents and Settings\Pessy\Desktop\ERUNT.txt
2014-05-13 05:58 - 2014-05-14 05:08 - 00002116 _____ () C:\Documents and Settings\Pessy\My Documents\Firefox Recovery Key.html
2014-05-13 05:58 - 2014-05-12 19:25 - 00001638 _____ () C:\Documents and Settings\Pessy\Start Menu\Programs\Update Checker.lnk
2014-05-13 05:58 - 2014-05-12 18:02 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Apple Computer
2014-05-13 05:58 - 2014-05-12 04:56 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Reflect
2014-05-13 05:58 - 2014-05-12 04:52 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Macrium
2014-05-13 05:58 - 2014-05-09 13:22 - 00300832 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Pessy\My Documents\Tcpview.exe
2014-05-13 05:58 - 2014-05-09 13:21 - 00036686 _____ () C:\Documents and Settings\Pessy\My Documents\Tracing a hacker.htm
2014-05-13 05:58 - 2014-05-09 13:21 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Tracing a hacker_files
2014-05-13 05:58 - 2014-05-09 13:19 - 00032077 _____ () C:\Documents and Settings\Pessy\My Documents\TCP and UDP Ports Explained.htm
2014-05-13 05:58 - 2014-05-09 13:19 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\TCP and UDP Ports Explained_files
2014-05-13 05:58 - 2014-05-09 13:17 - 00040699 _____ () C:\Documents and Settings\Pessy\My Documents\Understanding and Using Firewalls.htm
2014-05-13 05:58 - 2014-05-09 13:17 - 00035803 _____ () C:\Documents and Settings\Pessy\My Documents\How to open ports in Zone Alarm Professional.htm
2014-05-13 05:58 - 2014-05-09 13:17 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Understanding and Using Firewalls_files
2014-05-13 05:58 - 2014-05-09 13:17 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\How to open ports in Zone Alarm Professional_files
2014-05-13 05:58 - 2014-05-09 04:10 - 00033758 _____ () C:\Documents and Settings\Pessy\My Documents\How to configure the Windows Firewall in Windows XP.htm
2014-05-13 05:58 - 2014-05-09 04:10 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\How to configure the Windows Firewall in Windows XP_files
2014-05-13 05:58 - 2014-05-09 03:07 - 00019634 _____ () C:\Documents and Settings\Pessy\My Documents\Bleepingcomputerpost.txt
2014-05-13 05:58 - 2014-05-08 22:16 - 00007030 _____ () C:\Documents and Settings\Pessy\My Documents\Bleepingcomputer.txt
2014-05-13 05:58 - 2014-05-08 07:00 - 00000000 ____D () C:\Documents and Settings\Pessy\Desktop\cd files
2014-05-13 05:58 - 2014-05-08 06:47 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Roxio
2014-05-13 05:58 - 2014-05-07 16:26 - 00000402 _____ () C:\Documents and Settings\Pessy\My Documents\Data_050714_162514.roxio
2014-05-13 05:58 - 2014-05-02 11:39 - 00000000 ____H () C:\Documents and Settings\Pessy\My Documents\Default.rdp
2014-05-13 05:58 - 2014-05-02 08:11 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Auslogics
2014-05-13 05:58 - 2014-01-28 03:18 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Image Zone Express
2014-05-13 05:58 - 2014-01-27 06:30 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\HP
2014-05-13 05:58 - 2014-01-26 03:09 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Template
2014-05-13 05:58 - 2014-01-24 05:07 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Sun
2014-05-13 05:58 - 2014-01-23 02:22 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Media Player Classic
2014-05-13 05:58 - 2014-01-20 04:00 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\IObit
2014-05-13 05:58 - 2014-01-19 07:38 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\SUPERAntiSpyware.com
2014-05-13 05:58 - 2014-01-19 04:40 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Malwarebytes
2014-05-13 05:58 - 2014-01-14 22:10 - 00000000 __SHD () C:\Documents and Settings\Pessy\IECompatCache
2014-05-13 05:58 - 2014-01-14 04:49 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Printer Info Cache
2014-05-13 05:58 - 2014-01-14 02:30 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Help
2014-05-13 05:58 - 2013-12-24 02:19 - 00000000 __SHD () C:\Documents and Settings\Pessy\PrivacIE
2014-05-13 05:58 - 2013-12-18 18:55 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Macromedia
2014-05-13 05:58 - 2013-12-18 18:53 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Mozilla
2014-05-13 05:16 - 2014-05-14 06:10 - 00000178 ___SH () C:\Documents and Settings\Pessy\ntuser.ini
2014-05-13 05:16 - 2014-05-14 03:45 - 00000000 ____D () C:\Documents and Settings\Pessy
2014-05-13 05:16 - 2014-05-11 17:21 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\OnlineArmor
2014-05-13 05:16 - 2014-05-04 21:21 - 00000767 _____ () C:\Documents and Settings\Pessy\Start Menu\Programs\Internet Explorer.lnk
2014-05-13 05:16 - 2014-05-02 08:27 - 00001599 _____ () C:\Documents and Settings\Pessy\Start Menu\Programs\Remote Assistance.lnk
2014-05-13 05:16 - 2014-02-13 18:51 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\AVAST Software
2014-05-13 05:16 - 2014-01-28 23:00 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Adobe
2014-05-13 05:16 - 2013-12-17 18:48 - 00000788 _____ () C:\Documents and Settings\Pessy\Start Menu\Programs\Windows Media Player.lnk
2014-05-13 05:16 - 2013-12-17 18:48 - 00000000 ___RD () C:\Documents and Settings\Pessy\Start Menu\Programs\Accessories
2014-05-13 05:16 - 2013-12-17 18:47 - 00000000 __SHD () C:\Documents and Settings\Pessy\IETldCache
2014-05-13 05:14 - 2014-05-13 05:16 - 00000840 _____ () C:\WINDOWS\wmsetup.log
2014-05-13 05:13 - 2014-05-14 03:45 - 00000000 ____D () C:\Documents and Settings\esti
2014-05-13 04:46 - 2014-05-13 04:46 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\OnlineArmor
2014-05-13 04:13 - 2014-05-13 04:13 - 00000242 _____ () C:\Documents and Settings\Baila Admin\Desktop\Shortcut to Internet Options.lnk
2014-05-12 19:35 - 2014-05-12 19:35 - 00000406 _____ () C:\rescuepe.log
2014-05-12 19:21 - 2014-05-12 19:25 - 00001638 _____ () C:\Documents and Settings\Baila Admin\Start Menu\Programs\Update Checker.lnk
2014-05-12 19:21 - 2014-05-12 19:25 - 00001632 _____ () C:\Documents and Settings\Baila Admin\Desktop\Update Checker.lnk
2014-05-12 19:21 - 2014-05-12 19:21 - 00000000 ____D () C:\Program Files\FileHippo.com
2014-05-12 17:59 - 2014-05-12 17:59 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Apple Computer
2014-05-12 17:59 - 2014-05-12 17:59 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Apple
2014-05-12 01:02 - 2014-05-12 01:02 - 00020444 _____ () C:\Documents and Settings\Baila Admin\Desktop\attach.txt
2014-05-12 01:02 - 2014-05-12 01:02 - 00014735 _____ () C:\Documents and Settings\Baila Admin\Desktop\dds.txt
2014-05-11 18:45 - 2014-05-11 18:45 - 00000000 ____D () C:\Documents and Settings\Baila\Application Data\OnlineArmor
2014-05-11 18:28 - 2014-05-11 18:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Comodo
2014-05-11 17:20 - 2014-05-14 06:14 - 00000000 ____D () C:\Program Files\Online Armor
2014-05-11 17:20 - 2014-05-11 18:31 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\OnlineArmor
2014-05-11 17:20 - 2014-05-11 17:21 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\OnlineArmor
2014-05-11 17:20 - 2014-05-11 17:20 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Online Armor
2014-05-11 17:20 - 2013-10-11 03:41 - 00044984 _____ () C:\WINDOWS\system32\Drivers\oahlp32.sys
2014-05-11 17:20 - 2013-10-11 03:40 - 00210360 _____ () C:\WINDOWS\system32\Drivers\OADriver.sys
2014-05-11 17:20 - 2013-10-11 03:40 - 00034856 _____ (Emsisoft) C:\WINDOWS\system32\Drivers\OAmon.sys
2014-05-11 17:20 - 2013-10-11 03:40 - 00031912 _____ (Emsisoft) C:\WINDOWS\system32\Drivers\OAnet.sys
2014-05-11 17:01 - 2014-05-11 17:02 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-11 16:30 - 2010-07-08 00:31 - 00022951 _____ () C:\Program Files\CIS Clean-up Tool.bat
2014-05-11 16:06 - 2014-05-14 06:11 - 00000488 _____ () C:\WINDOWS\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805}.job
2014-05-11 05:55 - 2014-05-11 05:55 - 01700352 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdiplus.dll
2014-05-11 05:55 - 2014-05-11 05:55 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\AdTrustMedia
2014-05-11 05:54 - 2014-05-11 16:12 - 00065536 _____ () C:\WINDOWS\system32\config\COMODO I.evt
2014-05-11 05:50 - 2014-05-11 05:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adtrustmedia
2014-05-11 04:50 - 2014-05-12 19:19 - 00000000 ____D () C:\Program Files\Belarc
2014-05-11 04:35 - 2014-05-11 05:27 - 00128547 _____ () C:\WINDOWS\pfirewall.log
2014-05-09 13:22 - 2014-05-09 13:22 - 00300832 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Baila Admin\My Documents\Tcpview.exe
2014-05-09 13:21 - 2014-05-09 13:21 - 00036686 _____ () C:\Documents and Settings\Baila Admin\My Documents\Tracing a hacker.htm
2014-05-09 13:21 - 2014-05-09 13:21 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Tracing a hacker_files
2014-05-09 13:19 - 2014-05-09 13:19 - 00032077 _____ () C:\Documents and Settings\Baila Admin\My Documents\TCP and UDP Ports Explained.htm
2014-05-09 13:19 - 2014-05-09 13:19 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\TCP and UDP Ports Explained_files
2014-05-09 13:17 - 2014-05-09 13:17 - 00040699 _____ () C:\Documents and Settings\Baila Admin\My Documents\Understanding and Using Firewalls.htm
2014-05-09 13:17 - 2014-05-09 13:17 - 00035803 _____ () C:\Documents and Settings\Baila Admin\My Documents\How to open ports in Zone Alarm Professional.htm
2014-05-09 13:17 - 2014-05-09 13:17 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Understanding and Using Firewalls_files
2014-05-09 13:17 - 2014-05-09 13:17 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\How to open ports in Zone Alarm Professional_files
2014-05-09 13:08 - 2014-05-09 13:08 - 00431135 _____ () C:\WINDOWS\system32\vsconfig.xml
2014-05-09 13:05 - 2014-05-09 13:30 - 00001084 _____ () C:\WINDOWS\spupdsvc.log
2014-05-09 13:05 - 2014-05-09 13:06 - 00000000 ____D () C:\85eb7d713512de4f1e951c08ce29
2014-05-09 04:10 - 2014-05-09 04:10 - 00033758 _____ () C:\Documents and Settings\Baila Admin\My Documents\How to configure the Windows Firewall in Windows XP.htm
2014-05-09 04:10 - 2014-05-09 04:10 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\How to configure the Windows Firewall in Windows XP_files
2014-05-08 23:09 - 2014-05-08 23:09 - 00021176 _____ () C:\Documents and Settings\Baila Admin\Desktop\attach1.txt
2014-05-08 23:09 - 2014-05-08 23:09 - 00013962 _____ () C:\Documents and Settings\Baila Admin\Desktop\dds1.txt
2014-05-08 22:50 - 2014-05-09 03:07 - 00019634 _____ () C:\Documents and Settings\Baila Admin\My Documents\Bleepingcomputerpost.txt
2014-05-08 20:53 - 2014-05-08 22:16 - 00007030 _____ () C:\Documents and Settings\Baila Admin\My Documents\Bleepingcomputer.txt
2014-05-08 20:50 - 2014-05-08 20:50 - 00002037 _____ () C:\Documents and Settings\Baila Admin\Desktop\Shortcut to SUPERAntiSpyware Scan Log - 05-01-2014 - 20-34-49.log.lnk
2014-05-08 19:12 - 2014-05-14 03:52 - 00040566 _____ () C:\WINDOWS\setupapi.log
2014-05-08 10:02 - 2014-05-08 10:02 - 00688992 ____R (Swearware) C:\Documents and Settings\Baila Admin\Desktop\dds.com
2014-05-08 07:54 - 2014-05-12 04:56 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Reflect
2014-05-08 06:58 - 2014-05-08 07:00 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Desktop\cd files
2014-05-08 03:08 - 2014-05-12 16:31 - 00002285 _____ () C:\Documents and Settings\All Users\Desktop\Reflect.lnk
2014-05-08 03:08 - 2014-05-08 03:08 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Macrium
2014-05-08 02:52 - 2014-05-12 04:52 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Macrium
2014-05-08 02:49 - 2014-05-08 11:05 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Macrium
2014-05-07 16:26 - 2014-05-07 16:26 - 00000402 _____ () C:\Documents and Settings\Baila Admin\My Documents\Data_050714_162514.roxio
2014-05-07 09:18 - 2014-05-07 09:18 - 00003235 _____ () C:\Documents and Settings\Baila Admin\Desktop\clamav_report_070514_091843.txt
2014-05-07 03:26 - 2014-05-07 03:26 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\PCHealth
2014-05-07 03:15 - 2014-05-07 03:15 - 00000665 _____ () C:\Documents and Settings\Baila\My Documents\clamav_report_070514_031520.txt
2014-05-07 02:51 - 2014-05-07 02:52 - 00000000 ____D () C:\187614ccc908693076
2014-05-07 01:10 - 2014-05-07 01:10 - 00000402 _____ () C:\Documents and Settings\Baila\Desktop\Shortcut to Local Area Connection.lnk
2014-05-07 01:07 - 2014-05-14 06:11 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-05-07 01:07 - 2014-05-14 06:11 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-05-07 01:07 - 2014-05-07 01:07 - 00000000 ____N () C:\WINDOWS\Sti_Trace.log
2014-05-07 01:01 - 2014-05-14 06:13 - 00389896 _____ () C:\WINDOWS\WindowsUpdate.log
2014-05-06 22:36 - 2014-05-06 22:36 - 00001084 _____ () C:\Documents and Settings\Baila Admin\Desktop\malwarebytes for bleeping computer.txt
2014-05-06 22:06 - 2014-05-06 22:06 - 00003138 _____ () C:\Documents and Settings\Baila Admin\Desktop\Rkill.txt
2014-05-06 21:07 - 2014-05-07 00:03 - 04164448 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe
2014-05-06 21:03 - 2014-05-06 21:03 - 01933048 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Baila Admin\Desktop\rkill.exe
2014-05-06 02:19 - 2014-05-06 02:19 - 00001958 _____ () C:\Documents and Settings\Baila\My Documents\emisoft quarantine.txt
2014-05-06 01:47 - 2014-05-05 18:58 - 00033348 ____N () C:\Documents and Settings\Baila Admin\Desktop\Full system scan.txt
2014-05-05 20:05 - 2014-05-05 20:05 - 00000000 ____D () C:\e60f7c6a8bd038d030cab7531ea12d
2014-05-05 19:17 - 2014-05-05 19:17 - 00003072 ___SH () C:\Documents and Settings\Baila Admin\Desktop\Thumbs.db
2014-05-05 06:04 - 2010-07-28 15:47 - 00199544 _____ (Sysinternals - www.sysinternals.com) C:\Program Files\Tcpvcon.exe
2014-05-05 06:01 - 2014-05-08 04:33 - 00000000 ____D () C:\Program Files\TCPView
2014-05-05 05:48 - 2014-05-05 05:48 - 00000499 _____ () C:\Documents and Settings\Baila Admin\Desktop\Shortcut to downloads.lnk
2014-05-05 05:45 - 2014-05-07 17:32 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Paint.NET
2014-05-05 05:35 - 2014-05-05 05:35 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Secunia PSI
2014-05-05 05:15 - 2014-05-05 05:15 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2014-05-05 05:15 - 2014-05-05 05:15 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2014-05-05 05:06 - 2014-05-08 06:47 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\Roxio
2014-05-05 03:47 - 2014-05-05 03:47 - 00000633 _____ () C:\Documents and Settings\Baila Admin\Local Settings\Shortcut to Temp.lnk
2014-05-05 01:10 - 2014-05-11 04:39 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Deployment
2014-05-05 00:53 - 2014-05-05 00:53 - 00000654 _____ () C:\Documents and Settings\All Users\Desktop\Speccy.lnk
2014-05-05 00:53 - 2014-05-05 00:53 - 00000000 ____D () C:\Program Files\Speccy
2014-05-04 23:05 - 2014-05-13 18:09 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-05-04 23:05 - 2014-05-05 04:45 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-05-04 23:05 - 2014-05-04 23:07 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-04 23:05 - 2014-05-04 23:07 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-05-04 23:05 - 2014-05-04 23:07 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-04 23:05 - 2014-04-03 09:50 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-05-04 22:21 - 2014-05-04 22:21 - 00000000 ____D () C:\5f28ff4c13839aa1f7db84a9f9208b5e
2014-05-04 21:28 - 2014-05-11 04:35 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2014-05-04 21:21 - 2014-05-04 21:21 - 00000767 _____ () C:\Documents and Settings\Baila Admin\Start Menu\Programs\Internet Explorer.lnk
2014-05-04 20:21 - 2014-05-04 20:20 - 00024184 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
2014-05-04 20:20 - 2014-05-04 20:20 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2014-05-04 20:05 - 2014-05-04 20:05 - 00000085 _____ () C:\Documents and Settings\Baila Admin\Application Data\mbam.context.scan
2014-05-02 11:39 - 2014-05-02 11:39 - 00000000 ____H () C:\Documents and Settings\Baila Admin\My Documents\Default.rdp
2014-05-02 08:11 - 2014-05-02 08:11 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\Auslogics
2014-05-02 05:43 - 2014-05-02 07:49 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA\Local Settings\Application Data\Adobe
2014-05-02 05:32 - 2014-05-02 05:32 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA\Application Data\Malwarebytes
2014-05-02 04:57 - 2014-05-02 04:57 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Malwarebytes
2014-05-01 19:23 - 2014-05-01 19:23 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\SUPERAntiSpyware.com
2014-05-01 19:16 - 2014-05-13 05:23 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Mozilla
2014-05-01 19:16 - 2014-05-01 19:16 - 00000000 ____D () C:\Documents and Settings\bailap\Local Settings\Application Data\Mozilla
2014-05-01 19:16 - 2014-05-01 19:16 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Macromedia
2014-05-01 19:15 - 2014-05-01 19:15 - 00000000 ____D () C:\Documents and Settings\bailap\PrivacIE
2014-05-01 19:04 - 2014-05-01 19:04 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA\Application Data\SUPERAntiSpyware.com
2014-05-01 18:59 - 2014-05-01 18:59 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Apple Computer
2014-04-29 04:00 - 2014-04-29 04:00 - 17931952 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2014-04-25 00:38 - 2014-04-25 00:38 - 00534152 _____ (Check Point Software Technologies Ltd.) C:\WINDOWS\system32\vsdatant.sys
2014-04-24 19:54 - 2014-05-02 05:41 - 00000000 ____D () C:\Share across operating systems

==================== One Month Modified Files and Folders =======

2014-05-14 06:18 - 2014-05-14 06:16 - 00000000 ____D () C:\FRST
2014-05-14 06:18 - 2014-05-14 06:14 - 00000000 ____D () C:\Documents and Settings\Pessy\Desktop\First.exe tool
2014-05-14 06:14 - 2014-05-11 17:20 - 00000000 ____D () C:\Program Files\Online Armor
2014-05-14 06:13 - 2014-05-07 01:01 - 00389896 _____ () C:\WINDOWS\WindowsUpdate.log
2014-05-14 06:13 - 2012-07-17 23:54 - 00000364 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2014-05-14 06:12 - 2003-07-16 12:46 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-05-14 06:11 - 2014-05-11 16:06 - 00000488 _____ () C:\WINDOWS\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805}.job
2014-05-14 06:11 - 2014-05-07 01:07 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-05-14 06:11 - 2014-05-07 01:07 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-05-14 06:11 - 2014-03-27 19:57 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-05-14 06:11 - 2014-01-16 02:24 - 00000298 _____ () C:\WINDOWS\Tasks\ASC7_PerformanceMonitor.job
2014-05-14 06:11 - 2009-06-15 09:44 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-05-14 06:10 - 2014-05-13 05:16 - 00000178 ___SH () C:\Documents and Settings\Pessy\ntuser.ini
2014-05-14 06:00 - 2014-02-04 00:48 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-05-14 05:44 - 2014-05-14 04:27 - 00000000 ____D () C:\AdwCleaner
2014-05-14 05:22 - 2014-05-14 06:00 - 00005126 _____ () C:\Documents and Settings\Pessy\Desktop\AdwCleaner[S1].txt
2014-05-14 05:08 - 2014-05-13 05:58 - 00002116 _____ () C:\Documents and Settings\Pessy\My Documents\Firefox Recovery Key.html
2014-05-14 04:26 - 2014-05-14 04:26 - 01325827 _____ () C:\Documents and Settings\Pessy\Desktop\AdwCleaner.exe
2014-05-14 04:24 - 2014-05-14 04:24 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Google
2014-05-14 03:52 - 2014-05-08 19:12 - 00040566 _____ () C:\WINDOWS\setupapi.log
2014-05-14 03:45 - 2014-05-13 05:16 - 00000000 ____D () C:\Documents and Settings\Pessy
2014-05-14 03:45 - 2014-05-13 05:13 - 00000000 ____D () C:\Documents and Settings\esti
2014-05-14 03:45 - 2014-04-02 19:31 - 00000000 ____D () C:\Documents and Settings\bailap
2014-05-14 03:45 - 2014-01-14 05:42 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA
2014-05-14 03:45 - 2013-12-17 18:47 - 00000000 ____D () C:\Documents and Settings\Baila Admin
2014-05-14 03:45 - 2009-06-15 10:12 - 00000000 ____D () C:\Documents and Settings\Baila
2014-05-14 03:45 - 2009-06-15 10:10 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-05-14 03:45 - 2009-06-15 10:10 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-05-14 03:45 - 2009-06-15 09:42 - 00000000 ____D () C:\WINDOWS\Registration
2014-05-14 03:44 - 2014-01-19 04:40 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\Malwarebytes
2014-05-14 03:44 - 2011-12-11 21:27 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-05-14 03:44 - 2009-06-15 10:10 - 00032474 _____ () C:\WINDOWS\SchedLgU.Txt
2014-05-14 01:13 - 2014-05-14 01:13 - 00001054 _____ () C:\Documents and Settings\Pessy\Desktop\mbam scan.txt
2014-05-13 18:09 - 2014-05-04 23:05 - 00107736 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-05-13 15:30 - 2013-12-12 16:31 - 00000258 _____ () C:\WINDOWS\Tasks\Synchronize.job
2014-05-13 10:42 - 2014-04-09 10:54 - 00000664 _____ () C:\Documents and Settings\Baila\Local Settings\Application Data\d3d9caps.tmp
2014-05-13 07:42 - 2014-02-05 05:31 - 00000000 ____D () C:\Program Files\Blue Coat K9 Web Protection
2014-05-13 06:27 - 2014-05-13 06:27 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Apple
2014-05-13 06:26 - 2014-05-13 06:26 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Apple Computer
2014-05-13 06:26 - 2014-04-09 00:39 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-05-13 06:21 - 2014-05-13 06:21 - 00000000 ____D () C:\Documents and Settings\Pessy\Local Settings\Application Data\Mozilla
2014-05-13 05:46 - 2014-04-02 19:31 - 00000178 ___SH () C:\Documents and Settings\bailap\ntuser.ini
2014-05-13 05:23 - 2014-05-01 19:16 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Mozilla
2014-05-13 05:16 - 2014-05-13 05:14 - 00000840 _____ () C:\WINDOWS\wmsetup.log
2014-05-13 04:57 - 2009-06-15 10:12 - 00000178 ___SH () C:\Documents and Settings\Baila\ntuser.ini
2014-05-13 04:46 - 2014-05-13 04:46 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\OnlineArmor
2014-05-13 04:13 - 2014-05-13 05:59 - 00000242 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to Internet Options.lnk
2014-05-13 04:13 - 2014-05-13 04:13 - 00000242 _____ () C:\Documents and Settings\Baila Admin\Desktop\Shortcut to Internet Options.lnk
2014-05-13 03:57 - 2009-06-30 20:36 - 00076368 ____C () C:\Documents and Settings\Baila\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-05-12 19:35 - 2014-05-12 19:35 - 00000406 _____ () C:\rescuepe.log
2014-05-12 19:35 - 2013-06-28 17:38 - 00000000 ___SD () C:\Documents and Settings\Administrator
2014-05-12 19:32 - 2013-12-17 18:47 - 00000178 ___SH () C:\Documents and Settings\Baila Admin\ntuser.ini
2014-05-12 19:32 - 2009-06-14 20:58 - 00000000 ____D () C:\WINDOWS\security
2014-05-12 19:25 - 2014-05-13 05:59 - 00001632 _____ () C:\Documents and Settings\Pessy\Desktop\Update Checker.lnk
2014-05-12 19:25 - 2014-05-13 05:58 - 00001638 _____ () C:\Documents and Settings\Pessy\Start Menu\Programs\Update Checker.lnk
2014-05-12 19:25 - 2014-05-12 19:21 - 00001638 _____ () C:\Documents and Settings\Baila Admin\Start Menu\Programs\Update Checker.lnk
2014-05-12 19:25 - 2014-05-12 19:21 - 00001632 _____ () C:\Documents and Settings\Baila Admin\Desktop\Update Checker.lnk
2014-05-12 19:25 - 2013-07-03 22:48 - 00000000 ____D () C:\Program Files\autoruns
2014-05-12 19:21 - 2014-05-12 19:21 - 00000000 ____D () C:\Program Files\FileHippo.com
2014-05-12 19:19 - 2014-05-11 04:50 - 00000000 ____D () C:\Program Files\Belarc
2014-05-12 18:02 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Apple Computer
2014-05-12 18:02 - 2014-01-16 02:17 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\Apple Computer
2014-05-12 17:59 - 2014-05-12 17:59 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Apple Computer
2014-05-12 17:59 - 2014-05-12 17:59 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Apple
2014-05-12 16:31 - 2014-05-08 03:08 - 00002285 _____ () C:\Documents and Settings\All Users\Desktop\Reflect.lnk
2014-05-12 04:56 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Reflect
2014-05-12 04:56 - 2014-05-08 07:54 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Reflect
2014-05-12 04:52 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Macrium
2014-05-12 04:52 - 2014-05-08 02:52 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Macrium
2014-05-12 02:02 - 2012-06-28 22:04 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-05-12 01:02 - 2014-05-13 06:01 - 00020444 _____ () C:\Documents and Settings\Pessy\Desktop\attach.txt
2014-05-12 01:02 - 2014-05-13 05:59 - 00014735 _____ () C:\Documents and Settings\Pessy\Desktop\dds.txt
2014-05-12 01:02 - 2014-05-12 01:02 - 00020444 _____ () C:\Documents and Settings\Baila Admin\Desktop\attach.txt
2014-05-12 01:02 - 2014-05-12 01:02 - 00014735 _____ () C:\Documents and Settings\Baila Admin\Desktop\dds.txt
2014-05-11 18:45 - 2014-05-11 18:45 - 00000000 ____D () C:\Documents and Settings\Baila\Application Data\OnlineArmor
2014-05-11 18:31 - 2014-05-11 17:20 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\OnlineArmor
2014-05-11 18:28 - 2014-05-11 18:28 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Comodo
2014-05-11 17:21 - 2014-05-13 05:16 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\OnlineArmor
2014-05-11 17:21 - 2014-05-11 17:20 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\OnlineArmor
2014-05-11 17:20 - 2014-05-11 17:20 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Online Armor
2014-05-11 17:02 - 2014-05-11 17:01 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-11 16:28 - 2013-06-30 13:30 - 00000000 ____D () C:\WINDOWS\erdnt
2014-05-11 16:12 - 2014-05-11 05:54 - 00065536 _____ () C:\WINDOWS\system32\config\COMODO I.evt
2014-05-11 05:55 - 2014-05-11 05:55 - 01700352 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdiplus.dll
2014-05-11 05:55 - 2014-05-11 05:55 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\AdTrustMedia
2014-05-11 05:50 - 2014-05-11 05:50 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adtrustmedia
2014-05-11 05:27 - 2014-05-11 04:35 - 00128547 _____ () C:\WINDOWS\pfirewall.log
2014-05-11 04:50 - 2014-04-08 03:33 - 00000000 ____D () C:\Program Files\Secunia
2014-05-11 04:39 - 2014-05-05 01:10 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Deployment
2014-05-11 04:35 - 2014-05-04 21:28 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2014-05-11 04:35 - 2009-07-06 23:06 - 00000724 _____ () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2014-05-11 04:05 - 2009-06-14 21:01 - 00000327 __RSH () C:\boot.ini
2014-05-11 04:05 - 2003-07-16 12:45 - 00000935 _____ () C:\WINDOWS\win.ini
2014-05-11 04:05 - 2003-07-16 12:41 - 00002057 _____ () C:\WINDOWS\system.ini
2014-05-11 03:51 - 2009-06-15 09:45 - 00000000 ____D () C:\DELL
2014-05-11 03:35 - 2009-07-01 12:48 - 00000000 ____D () C:\Documents and Settings\Baila\My Documents\BUSINESS
2014-05-09 16:49 - 2009-07-07 12:39 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-05-09 15:52 - 2014-05-13 05:59 - 00000394 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to Shared Documents.lnk
2014-05-09 15:52 - 2014-01-21 23:52 - 00000394 _____ () C:\Documents and Settings\Baila Admin\Desktop\Shortcut to Shared Documents.lnk
2014-05-09 14:05 - 2014-01-20 09:08 - 00076368 _____ () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-05-09 13:30 - 2014-05-09 13:05 - 00001084 _____ () C:\WINDOWS\spupdsvc.log
2014-05-09 13:28 - 2014-01-20 08:59 - 00317952 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-05-09 13:22 - 2014-05-13 05:58 - 00300832 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Pessy\My Documents\Tcpview.exe
2014-05-09 13:22 - 2014-05-09 13:22 - 00300832 _____ (Sysinternals - www.sysinternals.com) C:\Documents and Settings\Baila Admin\My Documents\Tcpview.exe
2014-05-09 13:21 - 2014-05-13 05:58 - 00036686 _____ () C:\Documents and Settings\Pessy\My Documents\Tracing a hacker.htm
2014-05-09 13:21 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Tracing a hacker_files
2014-05-09 13:21 - 2014-05-09 13:21 - 00036686 _____ () C:\Documents and Settings\Baila Admin\My Documents\Tracing a hacker.htm
2014-05-09 13:21 - 2014-05-09 13:21 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Tracing a hacker_files
2014-05-09 13:19 - 2014-05-13 05:58 - 00032077 _____ () C:\Documents and Settings\Pessy\My Documents\TCP and UDP Ports Explained.htm
2014-05-09 13:19 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\TCP and UDP Ports Explained_files
2014-05-09 13:19 - 2014-05-09 13:19 - 00032077 _____ () C:\Documents and Settings\Baila Admin\My Documents\TCP and UDP Ports Explained.htm
2014-05-09 13:19 - 2014-05-09 13:19 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\TCP and UDP Ports Explained_files
2014-05-09 13:17 - 2014-05-13 05:58 - 00040699 _____ () C:\Documents and Settings\Pessy\My Documents\Understanding and Using Firewalls.htm
2014-05-09 13:17 - 2014-05-13 05:58 - 00035803 _____ () C:\Documents and Settings\Pessy\My Documents\How to open ports in Zone Alarm Professional.htm
2014-05-09 13:17 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\Understanding and Using Firewalls_files
2014-05-09 13:17 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\How to open ports in Zone Alarm Professional_files
2014-05-09 13:17 - 2014-05-09 13:17 - 00040699 _____ () C:\Documents and Settings\Baila Admin\My Documents\Understanding and Using Firewalls.htm
2014-05-09 13:17 - 2014-05-09 13:17 - 00035803 _____ () C:\Documents and Settings\Baila Admin\My Documents\How to open ports in Zone Alarm Professional.htm
2014-05-09 13:17 - 2014-05-09 13:17 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\Understanding and Using Firewalls_files
2014-05-09 13:17 - 2014-05-09 13:17 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\How to open ports in Zone Alarm Professional_files
2014-05-09 13:08 - 2014-05-09 13:08 - 00431135 _____ () C:\WINDOWS\system32\vsconfig.xml
2014-05-09 13:06 - 2014-05-09 13:05 - 00000000 ____D () C:\85eb7d713512de4f1e951c08ce29
2014-05-09 13:06 - 2014-01-15 02:10 - 00162688 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-05-09 13:06 - 2009-08-23 02:25 - 00000000 ____D () C:\WINDOWS\system32\XPSViewer
2014-05-09 13:05 - 2009-06-14 21:03 - 00687118 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-05-09 04:10 - 2014-05-13 05:58 - 00033758 _____ () C:\Documents and Settings\Pessy\My Documents\How to configure the Windows Firewall in Windows XP.htm
2014-05-09 04:10 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\My Documents\How to configure the Windows Firewall in Windows XP_files
2014-05-09 04:10 - 2014-05-09 04:10 - 00033758 _____ () C:\Documents and Settings\Baila Admin\My Documents\How to configure the Windows Firewall in Windows XP.htm
2014-05-09 04:10 - 2014-05-09 04:10 - 00000000 ____D () C:\Documents and Settings\Baila Admin\My Documents\How to configure the Windows Firewall in Windows XP_files
2014-05-09 03:07 - 2014-05-13 05:58 - 00019634 _____ () C:\Documents and Settings\Pessy\My Documents\Bleepingcomputerpost.txt
2014-05-09 03:07 - 2014-05-08 22:50 - 00019634 _____ () C:\Documents and Settings\Baila Admin\My Documents\Bleepingcomputerpost.txt
2014-05-09 02:25 - 2014-04-08 23:35 - 00000000 ____D () C:\c7af9bd919cffe04339e326ca842f631
2014-05-08 23:09 - 2014-05-13 06:01 - 00021176 _____ () C:\Documents and Settings\Pessy\Desktop\attach1.txt
2014-05-08 23:09 - 2014-05-13 05:59 - 00013962 _____ () C:\Documents and Settings\Pessy\Desktop\dds1.txt
2014-05-08 23:09 - 2014-05-08 23:09 - 00021176 _____ () C:\Documents and Settings\Baila Admin\Desktop\attach1.txt
2014-05-08 23:09 - 2014-05-08 23:09 - 00013962 _____ () C:\Documents and Settings\Baila Admin\Desktop\dds1.txt
2014-05-08 22:16 - 2014-05-13 05:58 - 00007030 _____ () C:\Documents and Settings\Pessy\My Documents\Bleepingcomputer.txt
2014-05-08 22:16 - 2014-05-08 20:53 - 00007030 _____ () C:\Documents and Settings\Baila Admin\My Documents\Bleepingcomputer.txt
2014-05-08 20:50 - 2014-05-13 05:59 - 00002037 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to SUPERAntiSpyware Scan Log - 05-01-2014 - 20-34-49.log.lnk
2014-05-08 20:50 - 2014-05-08 20:50 - 00002037 _____ () C:\Documents and Settings\Baila Admin\Desktop\Shortcut to SUPERAntiSpyware Scan Log - 05-01-2014 - 20-34-49.log.lnk
2014-05-08 17:43 - 2013-07-03 22:22 - 00000682 _____ () C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2014-05-08 17:43 - 2013-07-03 22:22 - 00000000 ____D () C:\Program Files\CCleaner
2014-05-08 15:00 - 2014-03-27 19:57 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-05-08 11:41 - 2009-06-26 01:53 - 00000000 ____D () C:\WINDOWS\Downloaded Installations
2014-05-08 11:05 - 2014-05-08 02:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Macrium
2014-05-08 10:02 - 2014-05-13 05:59 - 00688992 ____R (Swearware) C:\Documents and Settings\Pessy\Desktop\dds.com
2014-05-08 10:02 - 2014-05-08 10:02 - 00688992 ____R (Swearware) C:\Documents and Settings\Baila Admin\Desktop\dds.com
2014-05-08 09:41 - 2009-06-14 20:58 - 00000000 ____D () C:\WINDOWS\repair
2014-05-08 07:21 - 2013-07-08 01:03 - 00000284 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2014-05-08 07:00 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\Desktop\cd files
2014-05-08 07:00 - 2014-05-08 06:58 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Desktop\cd files
2014-05-08 06:47 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Roxio
2014-05-08 06:47 - 2014-05-05 05:06 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\Roxio
2014-05-08 05:02 - 2014-05-13 06:01 - 00001992 _____ () C:\Documents and Settings\Pessy\Application Data\wklnhst.dat
2014-05-08 05:02 - 2014-01-26 03:09 - 00001992 _____ () C:\Documents and Settings\Baila Admin\Application Data\wklnhst.dat
2014-05-08 04:56 - 2013-06-30 21:15 - 00000000 ____D () C:\Documents and Settings\Baila\My Documents\other interesting stuff
2014-05-08 04:54 - 2009-07-01 12:48 - 00000000 ____D () C:\Documents and Settings\Baila\My Documents\files
2014-05-08 04:33 - 2014-05-05 06:01 - 00000000 ____D () C:\Program Files\TCPView
2014-05-08 03:08 - 2014-05-08 03:08 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Macrium
2014-05-08 03:08 - 2014-04-07 00:58 - 00000000 ____D () C:\Program Files\Macrium
2014-05-08 02:21 - 2013-08-15 23:58 - 00000884 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-08 02:21 - 2013-08-15 23:58 - 00000880 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-07 17:32 - 2014-05-05 05:45 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Paint.NET
2014-05-07 16:26 - 2014-05-13 05:58 - 00000402 _____ () C:\Documents and Settings\Pessy\My Documents\Data_050714_162514.roxio
2014-05-07 16:26 - 2014-05-07 16:26 - 00000402 _____ () C:\Documents and Settings\Baila Admin\My Documents\Data_050714_162514.roxio
2014-05-07 13:58 - 2013-08-15 23:58 - 00000000 ____D () C:\Program Files\Google
2014-05-07 09:18 - 2014-05-13 05:59 - 00003235 _____ () C:\Documents and Settings\Pessy\Desktop\clamav_report_070514_091843.txt
2014-05-07 09:18 - 2014-05-07 09:18 - 00003235 _____ () C:\Documents and Settings\Baila Admin\Desktop\clamav_report_070514_091843.txt
2014-05-07 03:26 - 2014-05-07 03:26 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\PCHealth
2014-05-07 03:15 - 2014-05-07 03:15 - 00000665 _____ () C:\Documents and Settings\Baila\My Documents\clamav_report_070514_031520.txt
2014-05-07 02:52 - 2014-05-07 02:51 - 00000000 ____D () C:\187614ccc908693076
2014-05-07 01:10 - 2014-05-07 01:10 - 00000402 _____ () C:\Documents and Settings\Baila\Desktop\Shortcut to Local Area Connection.lnk
2014-05-07 01:07 - 2014-05-07 01:07 - 00000000 ____N () C:\WINDOWS\Sti_Trace.log
2014-05-07 00:03 - 2014-05-13 05:59 - 04164448 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe
2014-05-07 00:03 - 2014-05-06 21:07 - 04164448 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe
2014-05-06 22:36 - 2014-05-06 22:36 - 00001084 _____ () C:\Documents and Settings\Baila Admin\Desktop\malwarebytes for bleeping computer.txt
2014-05-06 22:06 - 2014-05-13 05:59 - 00003138 _____ () C:\Documents and Settings\Pessy\Desktop\Rkill.txt
2014-05-06 22:06 - 2014-05-06 22:06 - 00003138 _____ () C:\Documents and Settings\Baila Admin\Desktop\Rkill.txt
2014-05-06 21:03 - 2014-05-13 05:59 - 01933048 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Pessy\Desktop\rkill.exe
2014-05-06 21:03 - 2014-05-06 21:03 - 01933048 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Baila Admin\Desktop\rkill.exe
2014-05-06 02:19 - 2014-05-06 02:19 - 00001958 _____ () C:\Documents and Settings\Baila\My Documents\emisoft quarantine.txt
2014-05-05 20:05 - 2014-05-05 20:05 - 00000000 ____D () C:\e60f7c6a8bd038d030cab7531ea12d
2014-05-05 19:17 - 2014-05-13 05:59 - 00003072 ___SH () C:\Documents and Settings\Pessy\Desktop\Thumbs.db
2014-05-05 19:17 - 2014-05-05 19:17 - 00003072 ___SH () C:\Documents and Settings\Baila Admin\Desktop\Thumbs.db
2014-05-05 19:16 - 2014-01-20 04:16 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Adobe
2014-05-05 18:58 - 2014-05-13 05:59 - 00033348 _____ () C:\Documents and Settings\Pessy\Desktop\Full system scan.txt
2014-05-05 18:58 - 2014-05-06 01:47 - 00033348 ____N () C:\Documents and Settings\Baila Admin\Desktop\Full system scan.txt
2014-05-05 05:48 - 2014-05-13 05:59 - 00000499 _____ () C:\Documents and Settings\Pessy\Desktop\Shortcut to downloads.lnk
2014-05-05 05:48 - 2014-05-05 05:48 - 00000499 _____ () C:\Documents and Settings\Baila Admin\Desktop\Shortcut to downloads.lnk
2014-05-05 05:35 - 2014-05-05 05:35 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Secunia PSI
2014-05-05 05:15 - 2014-05-05 05:15 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2014-05-05 05:15 - 2014-05-05 05:15 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2014-05-05 05:15 - 2014-02-13 18:52 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Google
2014-05-05 04:45 - 2014-05-04 23:05 - 00050648 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-05-05 03:47 - 2014-05-05 03:47 - 00000633 _____ () C:\Documents and Settings\Baila Admin\Local Settings\Shortcut to Temp.lnk
2014-05-05 02:34 - 2009-06-14 20:58 - 00000000 ____D () C:\WINDOWS\Help
2014-05-05 00:53 - 2014-05-05 00:53 - 00000654 _____ () C:\Documents and Settings\All Users\Desktop\Speccy.lnk
2014-05-05 00:53 - 2014-05-05 00:53 - 00000000 ____D () C:\Program Files\Speccy
2014-05-05 00:48 - 2014-01-24 05:12 - 04194348 _____ () C:\WINDOWS\pfirewall.log.old
2014-05-04 23:07 - 2014-05-04 23:05 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-04 23:07 - 2014-05-04 23:05 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-05-04 23:07 - 2014-05-04 23:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-04 22:21 - 2014-05-04 22:21 - 00000000 ____D () C:\5f28ff4c13839aa1f7db84a9f9208b5e
2014-05-04 21:21 - 2014-05-13 05:16 - 00000767 _____ () C:\Documents and Settings\Pessy\Start Menu\Programs\Internet Explorer.lnk
2014-05-04 21:21 - 2014-05-04 21:21 - 00000767 _____ () C:\Documents and Settings\Baila Admin\Start Menu\Programs\Internet Explorer.lnk
2014-05-04 20:22 - 2013-07-03 02:02 - 00001733 _____ () C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
2014-05-04 20:20 - 2014-05-04 20:21 - 00024184 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
2014-05-04 20:20 - 2014-05-04 20:20 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2014-05-04 20:20 - 2013-07-03 02:02 - 00776976 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2014-05-04 20:20 - 2013-07-03 02:02 - 00411552 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2014-05-04 20:20 - 2013-07-03 02:02 - 00271264 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2014-05-04 20:20 - 2013-07-03 02:02 - 00180632 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys
2014-05-04 20:20 - 2013-07-03 02:02 - 00067824 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswmonflt.sys
2014-05-04 20:20 - 2013-07-03 02:02 - 00057672 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2014-05-04 20:20 - 2013-07-03 02:02 - 00054832 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2014-05-04 20:20 - 2013-07-03 02:02 - 00049944 _____ () C:\WINDOWS\system32\Drivers\aswRvrt.sys
2014-05-04 20:05 - 2014-05-13 06:02 - 00000085 _____ () C:\Documents and Settings\Pessy\Application Data\mbam.context.scan
2014-05-04 20:05 - 2014-05-04 20:05 - 00000085 _____ () C:\Documents and Settings\Baila Admin\Application Data\mbam.context.scan
2014-05-04 19:51 - 2009-08-11 22:20 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2014-05-02 11:39 - 2014-05-13 05:58 - 00000000 ____H () C:\Documents and Settings\Pessy\My Documents\Default.rdp
2014-05-02 11:39 - 2014-05-02 11:39 - 00000000 ____H () C:\Documents and Settings\Baila Admin\My Documents\Default.rdp
2014-05-02 08:27 - 2014-05-13 05:16 - 00001599 _____ () C:\Documents and Settings\Pessy\Start Menu\Programs\Remote Assistance.lnk
2014-05-02 08:27 - 2013-12-17 18:47 - 00001599 _____ () C:\Documents and Settings\Baila Admin\Start Menu\Programs\Remote Assistance.lnk
2014-05-02 08:11 - 2014-05-13 05:58 - 00000000 ____D () C:\Documents and Settings\Pessy\Application Data\Auslogics
2014-05-02 08:11 - 2014-05-02 08:11 - 00000000 ____D () C:\Documents and Settings\Baila Admin\Application Data\Auslogics
2014-05-02 08:11 - 2013-07-04 14:47 - 00000000 ____D () C:\Program Files\Auslogics
2014-05-02 08:11 - 2013-07-04 14:47 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Auslogics
2014-05-02 08:11 - 2009-07-09 15:21 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AIM
2014-05-02 08:11 - 2009-07-01 14:59 - 00000000 ____D () C:\Program Files\Common Files\AOL
2014-05-02 07:49 - 2014-05-02 05:43 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA\Local Settings\Application Data\Adobe
2014-05-02 07:49 - 2013-12-16 20:06 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-05-02 05:43 - 2014-01-21 00:07 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA\Application Data\Adobe
2014-05-02 05:41 - 2014-04-24 19:54 - 00000000 ____D () C:\Share across operating systems
2014-05-02 05:32 - 2014-05-02 05:32 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA\Application Data\Malwarebytes
2014-05-02 04:57 - 2014-05-02 04:57 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Malwarebytes
2014-05-01 19:31 - 2014-04-02 19:31 - 00076368 _____ () C:\Documents and Settings\bailap\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-05-01 19:23 - 2014-05-01 19:23 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\SUPERAntiSpyware.com
2014-05-01 19:16 - 2014-05-01 19:16 - 00000000 ____D () C:\Documents and Settings\bailap\Local Settings\Application Data\Mozilla
2014-05-01 19:16 - 2014-05-01 19:16 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Macromedia
2014-05-01 19:15 - 2014-05-01 19:15 - 00000000 ____D () C:\Documents and Settings\bailap\PrivacIE
2014-05-01 19:04 - 2014-05-01 19:04 - 00000000 ____D () C:\Documents and Settings\Administrator.BAILA\Application Data\SUPERAntiSpyware.com
2014-05-01 18:59 - 2014-05-01 18:59 - 00000000 ____D () C:\Documents and Settings\bailap\Application Data\Apple Computer
2014-05-01 18:40 - 2009-07-11 23:59 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-04-30 04:13 - 2007-08-13 18:54 - 06022144 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtml.dll
2014-04-30 04:13 - 2006-06-30 10:28 - 06022144 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2014-04-29 04:01 - 2014-02-04 00:48 - 00692400 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-04-29 04:01 - 2014-02-04 00:48 - 00070832 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-04-29 04:00 - 2014-04-29 04:00 - 17931952 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2014-04-28 15:22 - 2014-04-06 09:18 - 00000394 _____ () C:\Documents and Settings\Baila\Desktop\Shortcut to Shared Documents.lnk
2014-04-25 16:26 - 2014-04-01 20:22 - 00000792 _____ () C:\Documents and Settings\Baila\Desktop\current notes.txt
2014-04-25 00:38 - 2014-04-25 00:38 - 00534152 _____ (Check Point Software Technologies Ltd.) C:\WINDOWS\system32\vsdatant.sys
2014-04-24 03:02 - 2009-06-26 01:55 - 00000000 ____D () C:\Program Files\Java

Some content of TEMP:
====================
C:\Documents and Settings\Baila Admin\Local Settings\Temp\xReflect.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Attached is the Addition.txt file, as requested.

Thank you so much for your help.


Edited by Alyab123, 14 May 2014 - 06:55 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,215 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:03 AM

Posted 14 May 2014 - 09:11 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {2D59A26F-65DA-4A5C-AFEF-96E62977B847} URL =
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -  No File
FF NewTab: https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF DefaultSearchEngine: Startpage HTTPS
FF SelectedSearchEngine: Startpage HTTPS
FF Homepage: https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll No File
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\searchplugins\startpage-https.xml
CHR HKCU\...\Chrome\Extension: [cmaiofennmphjldldcpphcechfnnohja] - C:\Documents and Settings\Baila Admin\Local Settings\Application Data\AdTrustMedia\PrivDog\PrivDog_chrome.crx [2014-05-14]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S1 A2DDA; \??\F:\NEW FOLDER\RUN\a2ddax86.sys [X]
S3 cleanhlp; \??\F:\New folder\Run\cleanhlp32.sys [X]
S4 IntelIde; No ImagePath
S4 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]

C:\Documents and Settings\Baila Admin\Local Settings\Temp\xReflect.exe
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:56E2E879
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\Baila\My Documents\My Received Files:Roxio EMC Stream
AlternateDataStreams: C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe:SummaryInformation
AlternateDataStreams: C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe:SummaryInformation
AlternateDataStreams: C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

End
Save the files as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please let me know of any remaining issues.

#5 Alyab123

Alyab123
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 AM

Posted 14 May 2014 - 03:53 PM

I really appreciate all you are doing. One thing, though: I didn't delete the Firefox registry keys, because I have many preferences specific to my user profile.

I'm not sure why we just deleted my firefox startpage and newpage settings?

------------------------------------------------------------------------------------------------------------------------------

Here are the logs you requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:11-05-2014 01
Ran by Pessy at 2014-05-14 16:32:08 Run:1
Running from C:\Documents and Settings\Pessy\Desktop\First.exe tool
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://startpage.com/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {2D59A26F-65DA-4A5C-AFEF-96E62977B847} URL =
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} -  No File
FF NewTab: https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF DefaultSearchEngine: Startpage HTTPS
FF SelectedSearchEngine: Startpage HTTPS
FF Homepage: https://startpage.com/do/mypage.pl?prf=a92a93ca28805aed8f18c0a8727dc16c
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll No File
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll No File
FF SearchPlugin: C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\searchplugins\startpage-https.xml
CHR HKCU\...\Chrome\Extension: [cmaiofennmphjldldcpphcechfnnohja] - C:\Documents and Settings\Baila Admin\Local Settings\Application Data\AdTrustMedia\PrivDog\PrivDog_chrome.crx [2014-05-14]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S1 A2DDA; \??\F:\NEW FOLDER\RUN\a2ddax86.sys [X]
S3 cleanhlp; \??\F:\New folder\Run\cleanhlp32.sys [X]
S4 IntelIde; No ImagePath
S4 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]

C:\Documents and Settings\Baila Admin\Local Settings\Temp\xReflect.exe
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:56E2E879
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\Baila\My Documents\My Received Files:Roxio EMC Stream
AlternateDataStreams: C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe:SummaryInformation
AlternateDataStreams: C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe:SummaryInformation
AlternateDataStreams: C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

End
*****************

HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2D59A26F-65DA-4A5C-AFEF-96E62977B847} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{2D59A26F-65DA-4A5C-AFEF-96E62977B847} => Key not found.
HKCR\PROTOCOLS\Handler\cetihpz => Key deleted successfully.
HKCR\CLSID\{CF184AD3-CDCB-4168-A3F7-8E447D129300} => Key not found.
Firefox newtab deleted successfully.
Firefox DefaultSearchEngine deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox homepage deleted successfully.
HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53 => Key deleted successfully.
C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll not found.
HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53 => Key deleted successfully.
C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll not found.
C:\Documents and Settings\Pessy\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\searchplugins\startpage-https.xml => Moved successfully.
HKCU\SOFTWARE\Google\Chrome\Extensions\cmaiofennmphjldldcpphcechfnnohja => Key deleted successfully.
"C:\Documents and Settings\Baila Admin\Local Settings\Application Data\AdTrustMedia\PrivDog\PrivDog_chrome.crx" => File/Directory not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
A2DDA => Service deleted successfully.
cleanhlp => Service deleted successfully.
IntelIde => Service deleted successfully.
SBRE => Service deleted successfully.
vmci => Service deleted successfully.
C:\Documents and Settings\Baila Admin\Local Settings\Temp\xReflect.exe => Moved successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":56E2E879" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":5C321E34" ADS removed successfully.
C:\Documents and Settings\Baila\My Documents\My Received Files => ":Roxio EMC Stream" ADS removed successfully.
"C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe" => ":SummaryInformation" ADS not found.
C:\Documents and Settings\Baila Admin\Desktop\tdsskiller.exe => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.
"C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe" => ":SummaryInformation" ADS not found.
C:\Documents and Settings\Pessy\Desktop\tdsskiller.exe => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully.

==== End of Fixlog ====

 Results of screen317's Security Check version 0.99.83  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Please wait while WMIC compiles updated MOF files.
displayName
avast! Antivirus
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 CCleaner     
 Adobe Flash Player     13.0.0.206  
 Adobe Reader XI  
 Mozilla Firefox (29.0.1)
 Google Chrome 34.0.1847.131  
````````Process Check: objlist.exe by Laurent````````  
 Tall Emu Online Armor OAcat.exe
 Tall Emu Online Armor oasrv.exe
 Tall Emu Online Armor oaui.exe
 Tall Emu Online Armor OAhlp.exe
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 25% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

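The fixlist in post #4 and the Fixlog above deal with three kinds of entry: driver services whose image file no longer exists (FRST's "[X]" lines, plus one with no ImagePath), a Chrome policy key under HKLM, and alternate data streams attached to files and folders. The PowerShell below is an added example, not code from the thread or from FRST, that re-checks each of those classes after a fix and serves as a routine check afterwards; it goes beyond the thread by walking every driver service rather than the five named ones. It assumes PowerShell 3.0 or later (the XP machine in this thread tops out at 2.0, where Get-Item -Stream does not exist and `dir /r` in cmd lists streams instead), and the directory it scans for streams is a choice, not something the thread specifies.

```powershell
# Added example, not code from the thread or from FRST. Requires PowerShell 3.0+.

# Resolve a driver ImagePath the way the service control manager does:
# drop the "\??\" prefix, expand "\SystemRoot", and treat a bare
# "system32\..." path as relative to the Windows directory. A driver with
# no ImagePath at all is loaded from system32\drivers\<ServiceName>.sys.
function Resolve-DriverImage {
    param([string]$ServiceName, [string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return (Join-Path $env:SystemRoot "system32\drivers\$ServiceName.sys")
    }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# Every kernel (Type 1) or file-system (Type 2) driver whose image is not on
# disk. Start 1 = system start, 3 = on demand, 4 = disabled, as in FRST's S1/S3/S4.
function Get-OrphanedDriver {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -LiteralPath $_.PSPath
        if ($svc.Type -ne 1 -and $svc.Type -ne 2) { return }
        $image = Resolve-DriverImage -ServiceName $_.PSChildName -ImagePath $svc.ImagePath
        if (-not (Test-Path -LiteralPath $image)) {
            [pscustomobject]@{ Service = $_.PSChildName; Start = $svc.Start; Image = $image }
        }
    }
}

# Chrome policy keys: normal on a domain-managed machine, suspicious on a
# home PC, where FRST marks them "Policy restriction".
function Get-ChromePolicy {
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)) {
            $names = $key.GetValueNames()
            if ($names.Count -eq 0) {
                [pscustomobject]@{ Key = $key.Name; Value = '(no values)'; Data = '' }
                continue
            }
            foreach ($name in $names) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = (@($key.GetValue($name)) -join ', ') }
            }
        }
    }
}

# Alternate data streams under a directory tree, the directory itself
# included. Zone.Identifier is the mark-of-the-web on downloads and is
# expected; unnamed hex streams on a folder, like the ones on
# "All Users\Application Data\TEMP" in the Fixlog, are not.
function Get-AlternateStream {
    param([string]$Directory)
    $items = @(Get-Item -LiteralPath $Directory) +
             @(Get-ChildItem -LiteralPath $Directory -Force -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

Get-OrphanedDriver | Format-Table -AutoSize
Get-ChromePolicy   | Format-Table -AutoSize
# Assumed target: the shared profile data folder (XP: All Users\Application Data;
# later Windows: ProgramData). Other users' profiles need an elevated prompt.
$commonData = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
Get-AlternateStream -Directory $commonData | Format-Table -AutoSize
```

An orphaned driver entry is a leftover, not an infection by itself: the A2DDA and cleanhlp entries above point at an Emsisoft rescue tool that once ran from a USB drive (F:), and vmci is a VMware component. What matters is that nothing on disk answers to them, so the service entry can only fail at boot or be reused by something that later drops a file at that path; removing them closes that door.
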
#6 Alyab123

Alyab123
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 AM

Posted 14 May 2014 - 04:32 PM

A few times during these processes my computer hung, like in the middle of the "clean" process of AdwCleaner, and during the shutdown after the fix action of FRST. I don't know if this information is relevant.

In addition, I defragged my hard drive some time in the last week! I added users, but I didn't remove any!

Alyab



#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,215 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:03 AM

Posted 15 May 2014 - 07:59 AM



I'm not sure why we just deleted my firefox startpage and newpage settings?

Not recommended

http://www.systemlookup.com/CLSID/45014-tbStar_dll_tbSta0_dll_tbSta1_dll.html

When all is well you can use it at your own risk.
===

Your logs are clean.

Any remaining issues?

#8 Alyab123

Alyab123
  • Topic Starter

  • Members
  • 71 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:03 AM

Posted 16 May 2014 - 04:04 AM

Thank you.

Yes, I still have a question:

As I stated in my first post, ClamAV had detected

C:\DELL\drivers\R133281\IDE\WinXP\sataraid\nvraid.sys: Win.Trojan.Agent-145770 FOUND

The file has not been deleted.

Apparently 50% of the virus protection programs consider it trojan malware and 50% think it's fine and related to Nvidia. (See these links.)

https://www.virustotal.com/en/file/be370d20ca813d766e1ee75ab83422739405d53f64839652ad3a542dcfb45ac0/analysis/

and

http://www.herdprotect.com/nvraid.sys-9c2e93bdc091fac395dc44c0868d1943fb2e35ba.aspx

How can I know if this indeed needs to be deleted, or if it's a necessary system file?

Did all of our work check out this issue?

ClamAV still finds 2 additional trojans that are not showing as risky on VirusTotal, except by ClamAV and 1 by SUPERAntiSpyware.

How am I supposed to approach such situations?


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,215 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:03 AM

Posted 16 May 2014 - 07:45 AM



C:\DELL\drivers\R133281\IDE\WinXP\sataraid\nvraid.sys
This file is for nForce™ RAID Driver from NVIDIA Corporation

http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-chrome&search=nvraid.sys
http://www.file.net/process/nvraid.sys.html

Do you still use that?

I do not see any driver listed in your log, so I suspect that you do not need it.

You can rename the file nvraid.sys.old and if all is well then you can delete it.
===

ClamAv still finds 2 additional trojans, that are not showing as risky on virustotal, except by ClamAv and 1 by SuperAntiSpyware.
How am I supposed to approach such situations?

You can submit the files to ClamAV

http://www.clamav.net/lang/en/

Link in the left pane.

They will investigate the issue.

===

#10 Alyab123 (Topic Starter)

Posted 16 May 2014 - 05:16 PM

You are correct! It's not showing up in the Nvidia drivers in device manager! I renamed it. Is this what I should do with the other "trojan" found by ClamWin?

 

C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\Cache\3\78\63F3Bd01: HTML.FileDownload_version_dll FOUND

 

I just realized the other one is gone, because I reset system restore, after doing all this stuff. I had too many restore points, and they were popping up here and there as having problems, or unable to be read.



#11 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 17 May 2014 - 09:16 AM

C:\Documents and Settings\Baila Admin\Local Settings\Application Data\Mozilla\Firefox\Profiles\youl8nq2.Default User\Cache\3\78\63F3Bd01: HTML.FileDownload_version_dll FOUND

The item is in Firefox cache. Clean it.

How to:
https://support.mozilla.org/en-US/kb/how-clear-firefox-cache
===
Is this what I should do with the other "trojan" found by ClamWin?

Not unless you are sure that that file is not required by the operating system. That is not from Microsoft.

Never delete a file; always rename the problem file with an .old extension. If you made a mistake then you can restore the original name.
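A worked example, added here and not part of the thread or of any ClamAV or BleepingComputer tool, that automates the triage nasdaq describes across posts #9 and #11: parse the `path: Signature FOUND` lines from a ClamAV/ClamWin report (the format shown in the thread), treat browser-cache hits as "clear the cache", skip files that no longer exist (as happened here after the restore points were reset), and for everything else record the SHA-1 and SHA-256 digests (the keys the herdProtect and VirusTotal links use, so a flagged file is looked up by hash rather than by an ambiguous filename such as nvraid.sys) and rename the file to `<name>.old` instead of deleting it, so the step is reversible. The cache-path markers and the `demo()` input (a fake file standing in for the driver) are constructed for the example and are assumptions, not data from the thread.

```python
# Added example: triage of ClamAV/ClamWin "FOUND" lines the way the thread
# recommends. Not part of the original thread and not a ClamAV tool.
import hashlib
import os
import re
import tempfile

# One ClamAV report line looks like "<path>: <signature> FOUND" (format as
# shown in the thread). The path group is greedy so "C:\..." is not split.
CLAM_LINE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")

# Assumed markers for browser cache locations; the Firefox profile cache is
# the case from post #10. Matching is case-insensitive and separator-agnostic.
CACHE_MARKERS = ("mozilla/firefox/profiles/", "/cache/")


def parse_clam_report(text):
    """Return [(path, signature), ...] for every FOUND line in a report."""
    hits = []
    for line in text.splitlines():
        m = CLAM_LINE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def is_browser_cache(path):
    """True if the path sits inside a browser cache directory (assumed markers)."""
    norm = path.replace("\\", "/").lower()
    return any(marker in norm for marker in CACHE_MARKERS)


def file_hashes(path):
    """SHA-1 and SHA-256 hex digests, the keys used by the herdProtect and
    VirusTotal links in the thread, for looking a file up by content."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def triage(hits, quarantine=True):
    """Decide an action per hit:
    - browser cache entries: 'clear-cache' (just clear the browser cache)
    - files no longer present: 'missing' (e.g. gone with old restore points)
    - everything else: hash it and, if quarantine=True, rename it to
      '<name>.old' so the change is reversible; never delete (post #11)."""
    results = []
    for path, sig in hits:
        entry = {"path": path, "signature": sig}
        if is_browser_cache(path):
            entry["action"] = "clear-cache"
        elif not os.path.isfile(path):
            entry["action"] = "missing"
        else:
            entry["sha1"], entry["sha256"] = file_hashes(path)
            if quarantine:
                renamed = path + ".old"
                os.rename(path, renamed)
                entry["action"] = "renamed"
                entry["renamed_to"] = renamed
            else:
                entry["action"] = "hash-only"
        results.append(entry)
    return results


def demo():
    """Run the triage over a constructed report in a temp directory and
    return the results plus a few post-conditions. The driver bytes are fake."""
    workdir = tempfile.mkdtemp(prefix="clam-triage-")
    driver = os.path.join(workdir, "nvraid.sys")
    fake_bytes = b"MZ\x90\x00 constructed fake driver, not a real nvraid.sys"
    with open(driver, "wb") as fh:
        fh.write(fake_bytes)
    report = "\n".join([
        driver + ": Win.Trojan.Agent-145770 FOUND",
        r"C:\Documents and Settings\Baila Admin\Local Settings\Application Data"
        r"\Mozilla\Firefox\Profiles\youl8nq2.Default User\Cache\3\78\63F3Bd01"
        ": HTML.FileDownload_version_dll FOUND",
        os.path.join(workdir, "gone.dll") + ": Win.Trojan.Example FOUND",
        "----------- SCAN SUMMARY -----------",
    ])
    results = triage(parse_clam_report(report))
    return {
        "results": results,
        "original_gone": not os.path.exists(driver),
        "old_present": os.path.isfile(driver + ".old"),
        "expected_sha256": hashlib.sha256(fake_bytes).hexdigest(),
    }


if __name__ == "__main__":
    for entry in demo()["results"]:
        print(entry["action"], entry["path"])
```

Run it against a real report by feeding the scanner's output to `parse_clam_report` and calling `triage(hits, quarantine=False)` first; that gives you the hashes to paste into the VirusTotal or herdProtect search without touching anything, and you only rename once you have checked, as nasdaq did, that the driver is not listed in Device Manager or the logs.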

#12 Alyab123 (Topic Starter)

Posted 19 May 2014 - 05:23 PM

Thank you for that last bit of advice, and for your time and attention.



#13 nasdaq (Malware Response Team, Montreal, QC. Canada)

Posted 20 May 2014 - 09:18 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



