
Requesting help to remove PUM.Bad.Proxy


This topic is locked
34 replies to this topic

#1 ProblemWithOlaf


  • Members
  • 54 posts

Posted 26 May 2014 - 10:43 AM

Hi,

 

Malwarebytes identifies PUM.Bad.Proxy, quarantines it daily, then it reappears. I don't seem to have any other problems, but it worries me that MB finds this. Can someone help me remove this?

 

I have pasted the DDS log below and attached the attach.txt.

 

I'd appreciate any help you can provide!

 

Thanks...

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.55.2
Run by Administrator at 11:31:19 on 2014-05-26
#Option MBR scan  is disabled.
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3037.585 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NOVA\viaWARP\WARP_SERVICE.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\NOVALink.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\NOVA\viaWARP\viawarp_ssl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqusgl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\NOVA\viaWARP\WARPConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.live.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeBridge] <no file>
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [ToolBoxFX] "c:\program files\hewlett-packard\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~2.lnk - c:\ups\wstd\WSTDMessaging.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~1.lnk - c:\ups\wstd\wstdPldReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: taxsoftware.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{0D847542-2424-476D-859B-48DE5666D858} : DHCPNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\bunkvxce.default-1399910637187\
FF - prefs.js: browser.startup.homepage - hxxps://my.yahoo.com/
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_206.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_13_0_0_214.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 231960]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2009-7-23 8960]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-21 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-21 857912]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 WarpService;WarpService;c:\program files\nova\viawarp\WARP_Service.exe [2008-11-11 1533336]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2009-7-23 11264]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-7-23 110080]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-7-2 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-21 107736]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-7-23 16640]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe","%1"
ShellExec: DAZZLE.EXE: open=c:\program files\envelope manager\dazzle\DAZZLE.EXE
ShellExec: DAZZLE.EXE: print=c:\program files\envelope manager\dazzle\DAZZLE.EXE
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-05-24 16:38:34    8073384    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e0ee40a2-44a5-4de2-8759-67bc572b5041}\mpengine.dll
2014-05-23 16:38:34    8073384    ----a-w-    c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\mozilla firefox\plugins\npqtplugin.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin5.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin4.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin3.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin2.dll
2014-05-16 18:27:54    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin.dll
2014-05-08 16:52:02    145408    ----a-w-    c:\windows\system32\javacpl.cpl
2014-05-08 16:51:56    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-30 00:30:42    --------    d-----w-    c:\documents and settings\administrator\application data\DropboxMaster
2014-04-26 17:38:35    --------    d-----w-    c:\windows\system32\MRT
.
==================== Find3M  ====================
.
2014-05-26 14:52:43    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-16 18:28:32    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-05-16 18:28:31    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-03 13:51:06    50648    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-04-03 13:50:56    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-06 17:59:23    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 17:59:22    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-03-06 17:59:22    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-03-06 17:59:22    1469440    ------w-    c:\windows\system32\inetcpl.cpl
2014-03-06 00:46:54    385024    ----a-w-    c:\windows\system32\html.iec
2014-02-26 01:59:05    13312    ------w-    c:\windows\system32\xp_eos.exe
.
============= FINISH: 11:32:02.94 ===============


#2 nasdaq


  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 May 2014 - 07:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post a Malwarebytes log so that I can see what we are dealing with.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

#3 ProblemWithOlaf

  • Topic Starter

  • Members
  • 54 posts

Posted 01 June 2014 - 12:06 AM

Hi nasdaq,

 

Thanks very much for offering to help. I really appreciate it.

 

I ran AdwCleaner.exe (see report below), but wasn't sure which items might be false positives that I'd want to keep as per instructions. For example, the "ebay.lnk" shortcut is a shortcut I made for a folder I use (but I don't need the shortcut).

 

I don't recognize any of the registry entries.

 

Do you see anything here that I *shouldn't* remove?

 

I'll wait to hear back before I run the scan again and clean it.

 

I have posted the most recent MB log below as well.

 

Thanks!

# AdwCleaner v3.211 - Report created 01/06/2014 at 00:47:53
# Updated 26/05/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - OLAF
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner_3.211.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Documents and Settings\Administrator\Desktop\eBay.lnk
Folder Found : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AskSearch

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Found : HKLM\Software\Description
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bunkvxce.default-1399910637187\prefs.js ]


[ File : C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\t1ontc8c.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2457 octets] - [01/06/2014 00:47:53]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2517 octets] ##########

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/1/2014
Scan Time: 1:03:56 AM
Logfile: MBAM-2014-05-31.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.31.01
Rootkit Database: v2014.05.21.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 301852
Time Elapsed: 17 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5577, , [18d5e176d6a5af87d5124bff35ce946c]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

#4 nasdaq


  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2014 - 07:44 AM



I ran AdwCleaner.exe (see report below), but wasn't sure which items might be false positives that I'd want to keep as per instructions. For example, the "ebay.lnk" shortcut is a shortcut I made for a folder I use (but I don't need the shortcut).

Clean everything with the AdwCleaner tool.
===


In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:5577 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox, go to Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option, or No proxy if you do not need one.
===

Please run the FRST tool and post the logs for my review.
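
To make the registry evidence in this thread concrete, here is an added Python example; it is not code from the thread, from Malwarebytes or from nasdaq. It parses the "Registry Values" detection line format of the Malwarebytes 2.x log posted above, splits the WinINET ProxyServer string into per-scheme endpoints, and flags proxies that point at the local machine. The first sample line is the one from the log above; the other two are constructed for contrast, with placeholder hashes and an invented detection name. One caveat the code surfaces: the detection path starts with HKU\S-1-5-18, the well-known SID of the LocalSystem account, so this value lives in a different hive from the one the logged-in user's Internet Options dialog edits, which is consistent with the setting reappearing after it is cleaned from the user's own settings.

```python
import ipaddress
import re
from dataclasses import dataclass

# Well-known SIDs (these mappings are certain); any other SID is an ordinary account.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

# Shape of one MBAM 2.x "Registry Values" line:
#   <detection>, <key>|<value name>, <data>, , [<32 hex chars>]
MBAM_VALUE_RE = re.compile(
    r"^(?P<detection>[^,]+), (?P<key>[^|]+)\|(?P<value>[^,]+), "
    r"(?P<data>.*?), , \[(?P<hash>[0-9a-f]{32})\]$"
)

# Constructed sample input. The first line is the detection from the log in the
# thread; the other two are made up for contrast (placeholder hashes, invented name).
SAMPLE_MBAM_LINES = [
    r"PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5577, , [18d5e176d6a5af87d5124bff35ce946c]",
    r"PUM.Bad.Proxy, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 10.0.0.5:3128, , [" + "0" * 32 + "]",
    r"PUM.Example.Other, HKCU\SOFTWARE\EXAMPLE|SomeValue, 1, , [" + "1" * 32 + "]",
]


@dataclass
class ProxyFinding:
    detection: str
    hive_sid: str      # "" when the key is under HKCU rather than HKU\<SID>
    account: str
    proxies: dict      # scheme -> "host:port"; "*" means all schemes
    loopback: bool


def parse_proxy_server(data: str) -> dict:
    """Split a WinINET ProxyServer string into {scheme: "host:port"}.

    WinINET accepts either a bare "host:port" (applied to every scheme, keyed
    here as "*") or a ';'-separated list of "scheme=host:port" entries.
    """
    data = data.strip()
    if not data:
        return {}
    if "=" not in data:
        return {"*": data}
    proxies = {}
    for entry in data.split(";"):
        scheme, _, endpoint = entry.strip().partition("=")
        if scheme and endpoint:
            proxies[scheme.lower()] = endpoint
    return proxies


def is_loopback(endpoint: str) -> bool:
    """True when the proxy host is the local machine (127.0.0.0/8, ::1, localhost)."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def hive_sid(key: str) -> str:
    """Return the account SID of an HKU\\<SID>... key, or "" for HKCU/HKLM keys."""
    m = re.match(r"HKU\\(S-1-5-(?:\d+-)*\d+)", key, re.IGNORECASE)
    return m.group(1).upper() if m else ""


def parse_mbam_value_line(line: str):
    """Parse one log line; return a ProxyFinding for ProxyServer hits, else None."""
    m = MBAM_VALUE_RE.match(line.strip())
    if not m or m.group("value").lower() != "proxyserver":
        return None
    sid = hive_sid(m.group("key"))
    account = WELL_KNOWN_SIDS.get(sid, "user account" if sid else "current user (HKCU)")
    proxies = parse_proxy_server(m.group("data"))
    return ProxyFinding(
        detection=m.group("detection"),
        hive_sid=sid,
        account=account,
        proxies=proxies,
        loopback=any(is_loopback(e) for e in proxies.values()),
    )


def audit(lines):
    """Return the ProxyServer findings from an iterable of MBAM log lines."""
    return [f for f in map(parse_mbam_value_line, lines) if f is not None]


def describe(f: ProxyFinding) -> str:
    """One-line human summary of a finding, used by the stand-alone run below."""
    where = f"{f.account} hive ({f.hive_sid})" if f.hive_sid else f.account
    kind = ("LOOPBACK proxy: traffic is routed through a process on this machine"
            if f.loopback else "external proxy")
    return f"{f.detection}: {where} -> {f.proxies} [{kind}]"


if __name__ == "__main__":
    for finding in audit(SAMPLE_MBAM_LINES):
        print(describe(finding))
```

Run it against a saved MBAM log by passing the file's lines to `audit()`. A loopback proxy on a port no installed product is known to listen on means some local process is sitting between the browser and the network, and the hive it was found in tells you which account's settings actually need cleaning.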

#5 ProblemWithOlaf

  • Topic Starter

  • Members
  • 54 posts

Posted 01 June 2014 - 03:12 PM

Hi nasdaq,

 

Thanks again for the reply.

 

I ran AdwCleaner and did the clean (posted below).

I ran FRST and pasted FRST.txt below, and attached Addition.txt.

I checked IE (no changes necessary).

I checked FF and chose "autodetect", but wasn't sure why I need any proxy at all.

 

Please let me know what else I should do next.

Thanks!

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-06-2014 01
Ran by Administrator (administrator) on OLAF on 01-06-2014 16:01:28
Running from C:\Documents and Settings\Administrator\Desktop\Bleeping Computer 2014-06-01
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\WINDOWS\system32\netdde.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(American Power Conversion Corporation) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
(Elavon) C:\Program Files\NOVA\viaWARP\WARP_Service.exe
() C:\Program Files\Symantec\WinFax\wfxmod32.exe
() C:\Program Files\NOVA\viaWARP\viawarp_ssl.exe
(Microsoft Corporation) C:\WINDOWS\system32\fxssvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Realtek) C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
() C:\UPS\WSTD\UPSNA1Msgr.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(HP) C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe
(Hewlett-Packard Co.) C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
() C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Macrovision Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
(SanDisk Corporation) C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
(Microsoft Corporation) C:\Program Files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe
(United Parcel Service, Inc.) C:\UPS\WSTD\WSTDMessaging.exe
(Microsoft Corporation) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(Dropbox, Inc.) C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe
() C:\Program Files\Microsoft Office\Office\OSA.EXE
(American Power Conversion Corporation) C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16806912 2008-08-18] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [57344 2008-08-18] (Realtek Semiconductor Corp.)
HKLM\...\Run: [8169Diag] => C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe [909312 2008-02-26] (Realtek)
HKLM\...\Run: [ATICCC] => C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [45056 2005-08-12] (ATI Technologies Inc.)
HKLM\...\Run: [NA1Messenger] => C:\UPS\WSTD\UPSNA1Msgr.exe [24576 2012-03-02] ()
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-02-11] (Intel Corporation)
HKLM\...\Run: [dscactivate] => C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [16384 2008-03-11] ( )
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2010-02-05] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [40376 2011-09-07] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640440 2010-09-22] (Adobe Systems Inc.)
HKLM\...\Run: [Adobe_ID0ENQBO] => C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4Tray.exe [378224 2008-08-15] (Adobe Systems Incorporated)
HKLM\...\Run: [Share-to-Web Namespace Daemon] => c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [69632 2002-04-17] (Hewlett-Packard)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-03] (CANON INC.)
HKLM\...\Run: [ArcSoft Connection Service] => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Run: [ToolBoxFX] => C:\Program Files\Hewlett-Packard\ToolBoxFX\bin\HPTLBXFX.exe [49152 2006-06-15] (HP)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [49152 2005-02-16] (Hewlett-Packard Co.)
HKLM\...\Run: [hpbdfawep] => C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
HKLM\...\Run: [DivXUpdate] => C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-28] ()
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [205336 2011-11-11] (Logitech Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [UserFaultCheck] => %systemroot%\system32\dumprep 0 -u
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-3394948068-354880341-3553192288-500\...\Run: [ISUSPM] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [218032 2006-09-11] (Macrovision Corporation)
HKU\S-1-5-21-3394948068-354880341-3553192288-500\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\S-1-5-21-3394948068-354880341-3553192288-500\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3394948068-354880341-3553192288-500\...\Run: [SansaDispatch] => C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe [613888 2013-03-17] (SanDisk Corporation)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
ShortcutTarget: Microsoft Find Fast.lnk -> C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Office Startup.lnk
ShortcutTarget: Office Startup.lnk -> C:\Program Files\Microsoft Office\Office\OSA.EXE ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
ShortcutTarget: APC UPS Status.lnk -> C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
ShortcutTarget: Service Manager.lnk -> C:\Program Files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip Messaging Utility.lnk
ShortcutTarget: UPS WorldShip Messaging Utility.lnk -> C:\UPS\WSTD\WSTDMessaging.exe (United Parcel Service, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\UPS WorldShip PLD Reminder Utility.lnk
ShortcutTarget: UPS WorldShip PLD Reminder Utility.lnk -> C:\UPS\WSTD\wstdPldReminder.exe (UPS)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USSMB/1
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/sphome.aspx
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {B32BDA5B-CA8A-40E3-BA77-28FDB63E4943} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bunkvxce.default-1399910637187
FF Homepage: https://my.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8051.1204 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.4.53 - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Acrobat - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Extension: Tabs on Bottom (Australis) - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bunkvxce.default-1399910637187\Extensions\jid1-OesGFwaQGIBASw@jetpack.xpi [2014-05-17]
FF Extension: Adblock Plus - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bunkvxce.default-1399910637187\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-05-13]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} [2014-05-09]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011-07-23]

========================== Services (Whitelisted) =================

R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S3 Adobe Version Cue CS4; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [288112 2010-02-05] (Adobe Systems Incorporated)
R2 APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [176193 2005-12-12] (American Power Conversion Corporation)
S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2005-12-11] ()
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-04-14] (Oracle Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe [227232 2010-01-15] (McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
R2 MSSQL$UPSWSDBSERVER; C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [9158656 2008-12-18] (Microsoft Corporation)
S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [73728 2005-05-03] (Microsoft Corporation)
S3 SQLAgent$UPSWSDBSERVER; C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE [323584 2005-05-03] (Microsoft Corporation)
R2 WarpService; C:\Program Files\NOVA\viaWARP\WARP_SERVICE.exe [1533336 2010-01-20] (Elavon)
R2 wfxsvc; C:\WINDOWS\system32\WFXSVC.EXE [90112 1997-03-01] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

S3 61883; C:\WINDOWS\System32\DRIVERS\61883.sys [48128 2008-04-14] (Microsoft Corporation)
S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R1 AFS2K; C:\WINDOWS\system32\Drivers\AFS2K.sys [35840 2004-10-07] (Oak Technology Inc.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [16384 2004-07-09] (Microsoft Corporation)
R3 Diag69xp; C:\WINDOWS\System32\Drivers\Diag69xp.sys [11264 2007-12-03] (Realtek Semiconductor Corporation)
R2 DLABMFSM; C:\WINDOWS\System32\Drivers\DLABMFSM.SYS [37360 2007-07-23] (Roxio)
R2 DLABOIOM; C:\WINDOWS\System32\Drivers\DLABOIOM.SYS [32848 2007-07-23] (Roxio)
R2 DLADResM; C:\WINDOWS\System32\Drivers\DLADResM.SYS [9104 2007-07-23] (Roxio)
R2 DLAIFS_M; C:\WINDOWS\System32\Drivers\DLAIFS_M.SYS [108752 2007-07-23] (Roxio)
R2 DLAOPIOM; C:\WINDOWS\System32\Drivers\DLAOPIOM.SYS [27216 2007-07-23] (Roxio)
R2 DLAPoolM; C:\WINDOWS\System32\Drivers\DLAPoolM.SYS [16304 2007-07-23] (Roxio)
R2 DLAUDFAM; C:\WINDOWS\System32\Drivers\DLAUDFAM.SYS [93552 2007-07-23] (Roxio)
R2 DLAUDF_M; C:\WINDOWS\System32\Drivers\DLAUDF_M.SYS [98448 2007-07-23] (Roxio)
R3 HPFXBULK; C:\WINDOWS\System32\drivers\hpfxbulk.sys [9344 2006-04-04] (Hewlett Packard)
R2 LANPkt; C:\WINDOWS\System32\DRIVERS\LANPkt.sys [8960 2007-11-20] (Realtek Semiconductor Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [110296 2014-06-01] (Malwarebytes Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10112 2004-07-09] (Microsoft Corporation)
S3 RTLVLAN; C:\WINDOWS\System32\DRIVERS\RTLVLAN.SYS [16640 2007-11-20] (Realtek Semiconductor Corporation)
S3 sonypvs1; C:\WINDOWS\System32\DRIVERS\sonypvs1.sys [102220 2006-10-30] (Sony Corporation)
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-01 16:01 - 2014-06-01 16:01 - 00000000 ____D () C:\FRST
2014-06-01 15:57 - 2014-06-01 16:01 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Bleeping Computer 2014-06-01
2014-06-01 00:47 - 2014-06-01 15:48 - 00000000 ____D () C:\AdwCleaner
2014-05-30 20:56 - 2014-05-30 20:56 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Amazon.com  Buying Choices  Panasonic RX-D55GC-K Boombox – High Power MP3 CD AM_ FM Radio Cassette Recorder with USB & Music Port High Quality Sound with 2-Way 4-Speaker (Black)_files
2014-05-16 14:32 - 2014-05-16 14:33 - 00000751 _____ () C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
2014-05-16 14:27 - 2014-05-16 14:27 - 00001636 _____ () C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
2014-05-16 14:27 - 2014-05-16 14:27 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
2014-05-16 14:26 - 2014-05-16 14:27 - 00000000 ____D () C:\Program Files\QuickTime
2014-05-12 12:04 - 2014-05-12 12:04 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Old Firefox Data
2014-05-09 15:34 - 2014-06-01 00:45 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-08 12:52 - 2014-04-14 20:05 - 00264616 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-05-08 12:52 - 2014-04-14 19:47 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-05-08 12:51 - 2014-05-08 12:51 - 00004157 _____ () C:\WINDOWS\system32\jupdate-1.7.0_55-b14.log
2014-05-08 12:51 - 2014-05-08 12:51 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-05-08 12:51 - 2014-04-14 20:13 - 00094632 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-05-08 12:51 - 2014-04-14 20:05 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-05-08 12:51 - 2014-04-14 20:04 - 00175016 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-05-08 12:27 - 2014-05-08 12:29 - 00012366 _____ () C:\WINDOWS\KB2964358-IE8.log

==================== One Month Modified Files and Folders =======

2014-06-01 16:01 - 2014-06-01 16:01 - 00000000 ____D () C:\FRST
2014-06-01 16:01 - 2014-06-01 15:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Bleeping Computer 2014-06-01
2014-06-01 16:01 - 2011-04-08 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Dropbox
2014-06-01 16:01 - 2010-07-10 11:02 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-06-01 16:00 - 2008-04-25 17:28 - 01527617 _____ () C:\WINDOWS\WindowsUpdate.log
2014-06-01 15:59 - 2011-04-08 13:20 - 00000000 ___RD () C:\My Dropbox
2014-06-01 15:57 - 2014-04-29 20:30 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\DropboxMaster
2014-06-01 15:57 - 2009-08-27 12:43 - 00000199 _____ () C:\WINDOWS\wstdUPSWSHIP.INI
2014-06-01 15:52 - 2014-04-28 09:32 - 00000238 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-06-01 15:52 - 2014-04-21 20:17 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-06-01 15:52 - 2013-02-11 20:59 - 00000294 _____ () C:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3394948068-354880341-3553192288-500.job
2014-06-01 15:52 - 2010-04-22 14:23 - 00000294 _____ () C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-3394948068-354880341-3553192288-500.job
2014-06-01 15:52 - 2008-04-25 17:32 - 00032584 _____ () C:\WINDOWS\SchedLgU.Txt
2014-06-01 15:52 - 2008-04-25 12:16 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-06-01 15:52 - 2008-04-25 12:16 - 00001003 _____ () C:\WINDOWS\win.ini
2014-06-01 15:52 - 2008-04-25 05:25 - 00000157 _____ () C:\WINDOWS\wiadebug.log
2014-06-01 15:51 - 2008-04-25 17:32 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-06-01 15:51 - 2008-04-25 05:25 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-06-01 15:49 - 2009-08-26 09:15 - 00524288 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
2014-06-01 15:48 - 2014-06-01 00:47 - 00000000 ____D () C:\AdwCleaner
2014-06-01 15:03 - 2012-10-19 22:55 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-06-01 01:48 - 2014-04-21 19:57 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-06-01 01:43 - 2014-04-21 19:57 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-01 01:43 - 2012-07-12 12:13 - 00000809 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-01 00:45 - 2014-05-09 15:34 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-31 22:02 - 2010-07-10 11:02 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-05-30 20:56 - 2014-05-30 20:56 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Amazon.com  Buying Choices  Panasonic RX-D55GC-K Boombox – High Power MP3 CD AM_ FM Radio Cassette Recorder with USB & Music Port High Quality Sound with 2-Way 4-Speaker (Black)_files
2014-05-30 19:52 - 2013-02-11 20:59 - 00000302 _____ () C:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3394948068-354880341-3553192288-500.job
2014-05-30 19:52 - 2010-04-22 14:23 - 00000302 _____ () C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-3394948068-354880341-3553192288-500.job
2014-05-29 21:58 - 2012-04-08 19:19 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\vlc
2014-05-29 21:51 - 2012-05-07 19:34 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-05-29 21:51 - 2009-08-24 22:46 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2014-05-29 10:11 - 2008-04-25 17:26 - 00000000 ____D () C:\WINDOWS\system32\FxsTmp
2014-05-29 09:52 - 2010-01-19 17:35 - 00006915 _____ () C:\WINDOWS\Administrator8.xlb
2014-05-27 18:21 - 2011-04-08 13:20 - 00001084 _____ () C:\Documents and Settings\Administrator\Desktop\Dropbox.lnk
2014-05-27 18:21 - 2011-04-08 13:18 - 00000000 ____D () C:\Documents and Settings\Administrator\Start Menu\Programs\Dropbox
2014-05-16 14:33 - 2014-05-16 14:32 - 00000751 _____ () C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
2014-05-16 14:32 - 2012-04-08 19:19 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
2014-05-16 14:28 - 2012-08-11 21:05 - 00692400 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-05-16 14:28 - 2011-07-23 16:41 - 00070832 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-05-16 14:28 - 2009-08-25 17:44 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2014-05-16 14:27 - 2014-05-16 14:27 - 00001636 _____ () C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
2014-05-16 14:27 - 2014-05-16 14:27 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
2014-05-16 14:27 - 2014-05-16 14:26 - 00000000 ____D () C:\Program Files\QuickTime
2014-05-16 14:26 - 2010-05-11 09:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple Computer
2014-05-12 12:04 - 2014-05-12 12:04 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\Old Firefox Data
2014-05-12 07:26 - 2014-04-21 19:57 - 00053208 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-05-12 07:25 - 2010-07-02 13:25 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-05-08 15:00 - 2014-04-28 09:32 - 00000232 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-05-08 12:51 - 2014-05-08 12:51 - 00004157 _____ () C:\WINDOWS\system32\jupdate-1.7.0_55-b14.log
2014-05-08 12:51 - 2014-05-08 12:51 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-05-08 12:51 - 2009-07-23 13:34 - 00000000 ____D () C:\Program Files\Java
2014-05-08 12:29 - 2014-05-08 12:27 - 00012366 _____ () C:\WINDOWS\KB2964358-IE8.log
2014-05-08 12:29 - 2009-08-27 14:42 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-05-08 12:29 - 2009-07-23 13:30 - 00108304 _____ () C:\WINDOWS\updspapi.log
2014-05-08 12:29 - 2008-04-25 05:22 - 01785426 _____ () C:\WINDOWS\iis6.log
2014-05-08 12:29 - 2008-04-25 05:22 - 01578896 _____ () C:\WINDOWS\FaxSetup.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00773660 _____ () C:\WINDOWS\ocgen.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00725633 _____ () C:\WINDOWS\tsoc.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00532810 _____ () C:\WINDOWS\comsetup.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00494394 _____ () C:\WINDOWS\msmqinst.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00323557 _____ () C:\WINDOWS\ntdtcsetup.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00274613 _____ () C:\WINDOWS\netfxocm.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00108887 _____ () C:\WINDOWS\MedCtrOC.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00087129 _____ () C:\WINDOWS\ocmsn.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00078948 _____ () C:\WINDOWS\msgsocm.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00078733 _____ () C:\WINDOWS\tabletoc.log
2014-05-08 12:29 - 2008-04-25 05:22 - 00001355 _____ () C:\WINDOWS\imsins.log
2014-05-04 20:18 - 2009-08-28 12:12 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\uTorrent

Files to move or delete:
====================
C:\Documents and Settings\Administrator\hpothb07.dat


Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\temp\DivXSetup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpa14es9.dll
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u39-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u51-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u55-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\lowproc.exe
C:\Documents and Settings\Administrator\Local Settings\temp\MSETUP4.EXE
C:\Documents and Settings\Administrator\Local Settings\temp\NEW8FE2.tmp.exe
C:\Documents and Settings\Administrator\Local Settings\temp\Quarantine.exe
C:\Documents and Settings\Administrator\Local Settings\temp\setup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\stubhelper.dll
C:\Documents and Settings\Administrator\Local Settings\temp\utt171.tmp.exe
C:\Documents and Settings\Steve\Local Settings\temp\FP_PL_PFS_INSTALLER.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => MD5 is legit
C:\WINDOWS\system32\winlogon.exe => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
C:\WINDOWS\system32\User32.dll => MD5 is legit
C:\WINDOWS\system32\userinit.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

# AdwCleaner v3.211 - Report created 01/06/2014 at 15:48:54
# Updated 26/05/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - OLAF
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner_3.211.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AskSearch
File Deleted : C:\Documents and Settings\Administrator\Desktop\eBay.lnk

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKLM\Software\Description
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v29.0.1 (en-US)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bunkvxce.default-1399910637187\prefs.js ]


[ File : C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\t1ontc8c.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2597 octets] - [01/06/2014 00:47:53]
AdwCleaner[R1].txt - [2657 octets] - [01/06/2014 15:47:55]
AdwCleaner[S0].txt - [2614 octets] - [01/06/2014 15:48:54]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2674 octets] ##########
#6 nasdaq

  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:45 AM

Posted 02 June 2014 - 07:20 AM

I checked FF and chose "autodetect", but wasn't sure why I need any proxy at all.

Select No Proxy.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
HKLM\...\Run: [] => [X]
SearchScopes: HKLM - DefaultScope value is missing.
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
C:\Documents and Settings\Administrator\Local Settings\temp\DivXSetup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpa14es9.dll
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u39-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u51-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u55-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\lowproc.exe
C:\Documents and Settings\Administrator\Local Settings\temp\MSETUP4.EXE
C:\Documents and Settings\Administrator\Local Settings\temp\NEW8FE2.tmp.exe
C:\Documents and Settings\Administrator\Local Settings\temp\setup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\stubhelper.dll
C:\Documents and Settings\Administrator\Local Settings\temp\utt171.tmp.exe
C:\Documents and Settings\Steve\Local Settings\temp\FP_PL_PFS_INSTALLER.e
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Let me know if the problem persists.

#7 ProblemWithOlaf
  • Topic Starter
  • Members
  • 54 posts

Posted 02 June 2014 - 07:25 PM

Hi nasdaq,

I ran FRST, but I copied the code from e-mail (not the site) and one of the lines had a CR, so it didn't execute.  Sorry about that.  The log is below.

I also ran Security Check; log is below.

Please let me know what else I should do. Many thanks!

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:02-06-2014
Ran by Administrator at 2014-06-02 20:18:23 Run:1
Running from C:\Documents and Settings\Administrator\Desktop\Bleeping Computer 2014-06-01
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKLM\...\Run: [] => [X]
SearchScopes: HKLM - DefaultScope value is missing.
FF Plugin
ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
C:\Documents and Settings\Administrator\Local Settings\temp\DivXSetup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpa14es9.dll
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u30-windows-i586-iftw-rv.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u39-windows-i586-iftw.exe
C:\Documents
and Settings\Administrator\Local Settings\temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u51-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u55-windows-i586-iftw.exe
C:\Documents and Settings\Administrator\Local Settings\temp\lowproc.exe
C:\Documents and Settings\Administrator\Local Settings\temp\MSETUP4.EXE
C:\Documents and Settings\Administrator\Local Settings\temp\NEW8FE2.tmp.exe
C:\Documents and Settings\Administrator\Local Settings\temp\setup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\stubhelper.dll
C:\Documents and Settings\Administrator\Local Settings\temp\utt171.tmp.exe
C:\Documents and Settings\Steve\Local Settings\temp\FP_PL_PFS_INSTALLER.e
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

End
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\DivXSetup.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpa14es9.dll => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u22-windows-i586-iftw-rv.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u24-windows-i586-iftw-rv.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u26-windows-i586-iftw-rv.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u30-windows-i586-iftw-rv.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u37-windows-i586-iftw.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-6u39-windows-i586-iftw.exe => Moved successfully.
"C:\Documents" => File/Directory not found.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u25-windows-i586-iftw.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\lowproc.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\MSETUP4.EXE => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\NEW8FE2.tmp.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\setup.exe => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\stubhelper.dll => Moved successfully.
C:\Documents and Settings\Administrator\Local Settings\temp\utt171.tmp.exe => Moved successfully.
"C:\Documents and Settings\Steve\Local Settings\temp\FP_PL_PFS_INSTALLER.e" => File/Directory not found.
C:\Documents and Settings\All Users\Application Data\TEMP => ":D1B5B4F1" ADS removed successfully.

==== End of Fixlog ====

 

 Results of screen317's Security Check version 0.99.83  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 55  
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player     13.0.0.214  
 Adobe Reader 9  
 Adobe Reader XI  
 Mozilla Firefox (29.0.1)
 Mozilla Thunderbird (24.5.0)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 34% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 



#8 nasdaq
  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2014 - 07:12 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u60.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 55
===

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

===

How is the computer running now?

#9 ProblemWithOlaf
  • Topic Starter
  • Members
  • 54 posts

Posted 03 June 2014 - 09:22 AM

Hi nasdaq,

1) I installed Java 7u60 successfully

2) Because of an extra CR in the fixlist.txt, one earlier Java installation did not get removed:

C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u17-windows-i586-iftw.exe

It's still in there - should we remove this?

3) Flash is up-to-date.

4) I just ran another MalwareBytes scan, and it still comes up (see below)

Please let me know what else I should do.

Thanks!

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/3/2014
Scan Time: 9:56:44 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.03.05
Rootkit Database: v2014.06.02.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 303952
Time Elapsed: 21 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5577, , [8d252f44d2a96dc9ddeabb978d7634cc]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#10 nasdaq
  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2014 - 12:27 PM

Because of an extra CR in the fixlist.txt, one earlier Java installation did not get removed:
C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u17-windows-i586-iftw.exe


Yes!
---

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    127.0.0.1:5577
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.

#11 ProblemWithOlaf
  • Topic Starter
  • Members
  • 54 posts

Posted 03 June 2014 - 01:22 PM

Hi nasdaq,

I tried running SystemLook.exe (with the code snippet) 3x but it crashed.  "Microsoft encountered an error..."  I'm not using the 64-bit version (I'm on XP).

Also, how do I go about removing C:\Documents and Settings\Administrator\Local Settings\temp\jre-7u17-windows-i586-iftw.exe that got missed?

Thanks!



#12 nasdaq
  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2014 - 01:44 PM


Can you run regedit.exe FROM the Start > Run box?

The Registry tool should open.
Search for this string: 127.0.0.1:5577

If found, highlight the key and Export it.
You will find the Export function on the menu.
==

If you are not at ease with exporting the key, just let it go.

The reference in the registry is just a malformed key and nothing bad can come of it.
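The registry search nasdaq asks for above, and the SystemLook :regfind step in #10, done in PowerShell: this is an added example, not from the thread or any of its tools, and it assumes PowerShell 3.0 or later on an elevated prompt (so a newer box than the XP machine here, where PowerShell tops out at 2.0). It walks HKLM and every user hive currently loaded under HKEY_USERS, lists the WinINET proxy values, and flags loopback proxies like the http=127.0.0.1:5577 entry in the Malwarebytes logs; the allow-list is a constructed placeholder.

```powershell
# Added example (not from the thread): audit WinINET proxy settings in HKLM and
# every loaded user hive, and flag loopback proxies (the PUM.Bad.Proxy pattern).
# Requires PowerShell 3.0+ and an elevated prompt.

# Proxies that are legitimate on this machine (constructed placeholder, empty here).
$AllowedProxies = @()   # e.g. @('proxy.corp.example:8080')

$InetPaths = @(
    'Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$ValueNames = 'ProxyServer', 'ProxyEnable', 'AutoConfigURL', 'ProxyOverride'

# HKLM plus every subkey of HKEY_USERS (per-user SIDs, and any hive a scanner has
# mounted under a name like S-1-5-18-{GUID}-0 while it is loaded).
$Hives = @('Registry::HKEY_LOCAL_MACHINE') +
         (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
          ForEach-Object { $_.PSPath })

function Test-SuspiciousProxy {
    param([string]$Name, [string]$Data)
    switch ($Name) {
        # "http=127.0.0.1:5577", "127.0.0.1:5577" or "localhost:8080" all send the
        # browser's traffic through a local listener first.
        'ProxyServer'   { return ($Data -match '(^|=)(127\.0\.0\.1|localhost):\d+') -and
                                 ($AllowedProxies -notcontains $Data) }
        # A PAC script served from the local box or a file:// path is equally odd.
        'AutoConfigURL' { return $Data -match '^(file:|https?://(127\.0\.0\.1|localhost))' }
        default         { return $false }
    }
}

$Findings = foreach ($hive in $Hives) {
    foreach ($rel in $InetPaths) {
        $key = "$hive\$rel"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in $ValueNames) {
            $data = $props.$name
            if ($null -eq $data -or "$data" -eq '') { continue }
            [pscustomobject]@{
                Hive       = $hive -replace '^.*Registry::', ''
                Key        = $rel
                Value      = $name
                Data       = "$data"
                Suspicious = Test-SuspiciousProxy -Name $name -Data "$data"
            }
        }
    }
}

$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Profiles that are not logged in (a second local account, for instance) are not under HKEY_USERS, which is one reason a regedit search by the logged-in user can come up empty; load that profile's NTUSER.DAT with `reg load HKU\AuditTmp "C:\Documents and Settings\<user>\NTUSER.DAT"`, rerun the script, then `reg unload HKU\AuditTmp`.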

#13 ProblemWithOlaf
  • Topic Starter
  • Members
  • 54 posts

Posted 03 June 2014 - 02:12 PM

Regedit.exe did not find 127.0.0.1:5577.

Also, should I not worry about the jre-7u17-windows-i586-iftw.exe that never got removed?

Thanks...


#14 nasdaq
  • Malware Response Team
  • 38,250 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2014 - 06:36 AM

If the file is still in the \temp folder, it is not doing anything now.
Do not run the file, as it would install an old version of Java.

Try to delete it.

#15 ProblemWithOlaf
  • Topic Starter
  • Members
  • 54 posts

Posted 06 June 2014 - 06:24 AM

Hi,

I deleted the jre-7u17-windows-i586-iftw.exe file. The PUP.Bad.Proxy is still showing up in MalwareBytes (see below).

Any other suggestions?
Thanks!

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/6/2014
Scan Time: 3:27:16 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.06.03
Rootkit Database: v2014.06.02.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 304573
Time Elapsed: 11 min, 57 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, http=127.0.0.1:5577, Quarantined, [c774ef86e4972a0ca8e1df77e1228c74]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)





