Very stubborn infection on old XP machine.


28 replies to this topic

#1 gaheller

gaheller

  • Members
  • 21 posts

Posted 08 June 2014 - 10:16 AM

Hello!

 

I'm trying to remove an infection from an old XP laptop.  I'm very hesitant to just re-install because I'm using this computer to edit a movie, and it took me weeks and weeks of research and trial and error to find all the codecs and VirtualDub add-ons and such to do this for free, and commercial editing software is both expensive and keeps wanting to re-compress stuff I don't want re-compressed.  I realize this computer will never be secure, but if I can ever get it clean I will simply keep it off the internet, as I don't need the internet to edit this movie.

 

Anyhow, I searched this forum for info and have tried a few things.  So far it's only gotten better, but I'm still having the problem where one or another of the system processes shuts down and then XPAuthority tries to reboot my machine.  I can stop it from doing so with "shutdown -a", but then the computer just gets slower and slower until I can do almost nothing.

 

I have been able to successfully run MalwareBytes software and ComboFix.  I figured I had enough experience with computers to do that on my own.  Both found, removed and fixed various things.  I can post logs if you like, but neither completely solved the problem.

 

I am unable to run ESET or HijackThis.  ESET hangs at an empty browser window while waiting for the scanner to load.  HijackThis uses an MSI installer, and the MSI functionality has been compromised; I get an error when I try to install it.

 

This laptop has been off mostly for many years, so I never managed to get it upgraded to SP3.  I should upgrade to SP3 now but am unable to do that either.  It hangs when trying to detect the current configuration.  I've left it for hours and it never gets anywhere.

 

What else should I try?





#2 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,091 posts

Posted 10 June 2014 - 02:50 AM

Hello and welcome aboard, gaheller,

My name is Machiavelli and I will assist you with your problem.
If you booted your computer into safe mode, then print my instructions!
I'm in the 'Malware Staff Team' and will provide you with advice:

Removing malware from a computer can be very complicated. Malware (malicious software) is able to hide, so I may not be able to find it easily. In order to remove malware from your computer, you need to follow my instructions carefully. Don't worry if you don't know what to do; just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:
  • Removing Malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient especially if I don't answer every day!
  • Please follow these instructions
    If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!
  • Please stay in contact with me until your problem is resolved
    As Malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting me, as this can complicate finding and removing all malware
    Don't run any tools while I'm fixing your PC. That is counterproductive and, again, will only complicate finding and removing all malware!
  • Read my post completely
    If you don't do so, you may make mistakes that could result in your System crashing by your own actions!
 
 

gaheller wrote: "I have been able to successfully run MalwareBytes software and ComboFix. I figured I had enough experience with computers to do that on my own. Both found, removed and fixed various things. I can post logs if you like, but neither completely solved the problem."

Please post the Logs.
 

gaheller wrote: "Hijackthis uses an msi installer and the msi functionality has been compromised, I get an error when I try to install it."

Which error?

Please download FRST (by Farbar) from the link below and save it to your Desktop.
 

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (On Windows Vista / Windows 7 / Windows 8, right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#3 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts

Posted 10 June 2014 - 05:08 PM

This is going to take a number of messages. So that I don't lose track of all your questions and instructions, I'll start at the beginning.  I've been running Malwarebytes on this laptop since 2011, hoping eventually it would figure out what bug it had caught, so I have many logs.  Here are my guesses as to the ones you will find most interesting.  Most recently the scan turned up clean.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.06.06.11

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
J :: ARKEN-LAP [limited]

6/8/2014 5:23:07 AM
mbam-log-2014-06-08 (05-23-07).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 319790
Time elapsed: 1 hour(s), 27 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

Here is the longest log from when I ran it this weekend.  I did have vuze installed on this laptop long ago, but apparently it left some things behind:

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.06.06.11

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
J :: ARKEN-LAP [limited]

6/6/2014 4:38:03 PM
mbam-log-2014-06-06 (16-38-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232557
Time elapsed: 33 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 12
HKCR\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCR\SearchToolbarLib.CSearchToolbarImpl.1 (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCR\SearchToolbarLib.CSearchToolbarImpl (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCR\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{1CD373D1-C4E7-4AA2-9B0A-D9A35025B460} (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Vuze_Remote (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Vuze_Remote (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vuze_Remote Toolbar (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.

Registry Values Detected: 10
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data: ƒRB‡Ô7Cº¶«ƒT¨W -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data: Search Toolbar -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data: ž2ºP•‰I³ò—2é-Ì -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data: Vuze Remote Toolbar -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{ba14329e-9550-4989-b3f2-9732e92d17cc} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ba14329e-9550-4989-b3f2-9732e92d17cc} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 34
C:\Documents and Settings\J\Local Settings\Application Data\Conduit\CT2504091 (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\AddedAppDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\DefualtImages (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\DetectedAppDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\EngineFirstTimeDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog\Images (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarUntrustedAppsApprovalDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAddedAppDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAppApprovalDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAppPendingDialog (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\EmailNotifier (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\ExternalComponent (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Logs (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\MyStuffApps (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091 (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\AppsMetaData (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\DynamicDialogs (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\ToolbarLogin (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\ToolbarSettings (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_en-us (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_en-us\ToolbarTranslation (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Rss (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\SearchInNewTab (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\UserDefinedItems (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Vuze_Remote (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Vuze_Remote\Logs (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.

Files Detected: 125
C:\Program Files\Search Toolbar\SearchToolbar.dll (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\prxtbVuz0.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\ldrtbVuz0.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\tbVuz1.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\tbVuze.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\ThirdPartyComponents.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\toolbar.cfg (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_About_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Browse_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Contact_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Hide_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_bankImages_ConduitEngine_ContextMenu_LikeIcon_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_MoreFromPublisher_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_More_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Options_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Privacy_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_upgrade_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_SearchEngines_images_search_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_SearchEngines_news_icon_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_SearchEngines_site_search_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_MarketPlace_40_543_40d79af3-dd82-4256-902c-0d3d39ad5543_Thumbnail_634592210631512474_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_Rss_xml-4-rssIcons-633590057687175000_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Refresh_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_shrink_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_633802669919925000_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_633808694045275000_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_633809126480237500_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_633820122725725000_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_633995607281715000_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_633997096343121250_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_634001364341241250_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_91_250_CT2504091_Images_Email_xml-2-Classic-633609893622793750_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_Conduit_com_bankImages_ConduitEngine_ContextMenu_Upgrade_png.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_about_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_clear_history_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_contact_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_help_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_home_page_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_options_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_privacy_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\CacheIcons\http___storage_conduit_com_images_main_menu_refresh_gif.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\DialogsAPI.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\excanvas.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\generalDialogStyle.css (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\PIE.htc (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\RoundedCorners.css (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\RoundedCornersIE9.css (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\settings.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\version.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\AddedAppDialog\app-added.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\AddedAppDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\DefualtImages\icon.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\DetectedAppDialog\app-2go.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\DetectedAppDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\EngineFirstTimeDialog\EngineFirstTimeDialog.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\EngineFirstTimeDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\EngineFirstTimeDialog\right-click.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog\SearchProtector.css (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog\SearchProtector.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog\Images\info.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog\Images\ok-on.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\SearchProtectorDialog\Images\ok.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\ToolbarFirstTimeDialog.css (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\ToolbarFirstTimeDialog.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\app-store-icon.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\arrow.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\divider.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\emailNotifier.gif (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\facebook.png (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\radio.GIF (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\Thumbs.db (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\truste_welcome.GIF (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarFirstTimeDialog\images\weather.GIF (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarUntrustedAppsApprovalDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\ToolbarUntrustedAppsApprovalDialog\ToolbarUntrustedAppsApprovalDialog.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAddedAppDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAddedAppDialog\UT-app-dialog-added.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAppApprovalDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAppApprovalDialog\UT-app-dialog-needs-your-approval.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAppPendingDialog\main.html (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Dialogs\UntrustedAppPendingDialog\UT-app-dialog-is-waiting.js (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\EmailNotifier\AccountTypes.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\EmailNotifier\aol.com.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\EmailNotifier\comcast.net.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\EmailNotifier\google.com.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\EmailNotifier\hotmail.com.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\EmailNotifier\yahoo.com.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\ExternalComponent\http___contextmenu_toolbar_conduit-services_com__name=GottenApps&locale=en-us.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\ExternalComponent\http___contextmenu_toolbar_conduit-services_com__name=OtherApps&locale=en-us.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\ExternalComponent\http___contextmenu_toolbar_conduit-services_com__name=SharedApps&locale=en-us.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\ExternalComponent\http___contextmenu_toolbar_conduit-services_com__name=Toolbar&locale=en-us.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\AppsMetaData\data.bck.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\AppsMetaData\data.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\DynamicDialogs\data.bck.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\DynamicDialogs\data.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\ToolbarLogin\data.bck.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\ToolbarLogin\data.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\ToolbarSettings\data.bck.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_CT2504091\ToolbarSettings\data.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_en-us\ToolbarTranslation\data.bck.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Repository\conduit_CT2504091_en-us\ToolbarTranslation\data.txt (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Rss\http___blog_vuze_com_index_php_feed_.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Rss\http___blog_vuze_com_index_php_feed__structured.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\Rss\http___twitter_com_statuses_user_timeline_15653840_rss.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\J\Local Settings\Application Data\Vuze_Remote\SearchInNewTab\SearchInNewTabContent.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Vuze_Remote\ldrtbVuz0.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Vuze_Remote\tbVuze.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Vuze_Remote\toolbar.cfg (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\GottenAppsContextMenu.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\ldrtbVuz0.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\OtherAppsContextMenu.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\prxtbVuze.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\SharedAppsContextMenu.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\tbVuz0.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\tbVuze.dll (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\toolbar.cfg (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\ToolbarContextMenu.xml (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\uninstall.exe (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\Vuze_RemoteToolbarHelper.exe (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
C:\Program Files\Vuze_Remote\Vuze_RemoteToolbarHelper1.exe (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.

(end)

After seeing that, I made sure vuze was completely uninstalled and its directory deleted, and ran a further scan which turned up a few more things:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.06.06.11

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
J :: ARKEN-LAP [limited]

6/6/2014 5:36:57 PM
mbam-log-2014-06-06 (17-36-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 232419
Time elapsed: 26 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 10
HKCR\CLSID\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCR\SearchToolbarLib.CSearchToolbarImpl.1 (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCR\SearchToolbarLib.CSearchToolbarImpl (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Quarantined and deleted successfully.
HKCR\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Vuze_Remote (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Vuze_Remote (PUP.Optional.VuzeRemoteTB.A) -> Quarantined and deleted successfully.

Registry Values Detected: 10
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data: ƒRB‡Ô7Cº¶«ƒT¨W -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data: Search Toolbar -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data: ž2ºP•‰I³ò—2é-Ì -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data: Vuze Remote Toolbar -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{BA14329E-9550-4989-B3F2-9732E92D17CC} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data:  -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{ba14329e-9550-4989-b3f2-9732e92d17cc} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ba14329e-9550-4989-b3f2-9732e92d17cc} (PUP.Optional.VuzeRemoteTB.A) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9D425283-D487-4337-BAB6-AB8354A81457} (PUP.Optional.SearchToolbar) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Since then I've run 3 more scans.  The last two came up clean, the other one found two things:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.06.06.11

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
J :: ARKEN-LAP [limited]

6/6/2014 6:21:07 PM
mbam-log-2014-06-06 (18-21-07).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 285166
Time elapsed: 2 hour(s), 1 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\Conduit\Community Alerts\Alert0.dll (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

(end)

If you want any of the logs from past years as well, let me know.

Next I'm going to try to chase down the ComboFix logs.



#4 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • Local time:04:14 AM

Posted 10 June 2014 - 05:30 PM

FYI: Here is the text of the message I still get after running the computer for a few minutes:

"Services and Controller App has encountered a problem and needs to close.  We are sorry for the inconvenience"

Sometimes it is a different program. If it's a different one I'll let you know which one. Either way, this is followed by an attempt to forcibly reboot the machine, which I can stop through 'shutdown -a'.

On to the Combofix logs.  Here's the most recent:

ComboFix 14-06-10.01 - J 06/10/2014   2:38.8.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.447.165 [GMT -5:00]
Running from: c:\random.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-10 to 2014-06-10  )))))))))))))))))))))))))))))))
.
.
2014-06-09 17:41 . 2014-06-10 06:40    --------    d-----w-    C:\random
2014-06-08 09:30 . 2014-06-08 09:31    1402880    ----a-w-    c:\documents and settings\J\HiJackThis.msi
2014-06-08 07:18 . 2014-06-08 07:18    --------    d-s---w-    c:\windows\Cookies
2014-06-06 22:29 . 2014-06-06 22:29    54016    ----a-w-    c:\windows\system32\drivers\jdao.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 4608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-11 149280]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-16 335872]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
.
c:\docume~1\J\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:*:Disabled:Bonjour
"23:TCP"= 23:TCP:Telnet
.
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [2/4/2007 6:13 AM 26624]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [11/18/2009 9:33 AM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [11/18/2009 9:33 AM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [10/17/2003 1:38 PM 16512]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/27/2001 5:46 PM 10880]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-746137067-854245398-1003Core.job
- c:\documents and settings\J\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-10 21:05]
.
2014-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-746137067-854245398-1003UA.job
- c:\documents and settings\J\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-10 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
TCP: DhcpNameServer = 192.168.30.1
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\w9qk1xxc.default-1397073564527\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-VirtualCloneDrive - c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-06-10 05:44
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\04\00\18\16\00\0a?"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Sony\MD Simple Burner\NetMDSB.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\carpserv.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2014-06-10  05:48:45 - machine was rebooted
ComboFix-quarantined-files.txt  2014-06-10 10:48
ComboFix2.txt  2014-06-10 06:40
ComboFix3.txt  2014-06-08 08:18
ComboFix4.txt  2014-06-08 06:34
.
Pre-Run: 343,977,984 bytes free
Post-Run: 364,187,648 bytes free
.
- - End Of File - - D6FF7CDC4BBE5C15190E99C0E79689FA
8F558EB6672622401DA993E1E865C861

I have 3 older logs from previous attempts to run it, but before that I uninstalled and reinstalled it, so I don't have logs from before that.  If you want to see any of the 3 I do have, let me know.



#5 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • Local time:04:14 AM

Posted 10 June 2014 - 05:36 PM

The error I get when I try to run any MSI installer, but most importantly the one for HijackThis, is:

The windows installer service could not be accessed.
This can occur if you are running Windows in safe
mode, or if the Windows installer is not correctly
installed.  Contact your support personnel for assistance.

I am not running in safe mode.



#6 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • Local time:04:14 AM

Posted 10 June 2014 - 05:58 PM

Okay, I downloaded FRST and tried to run it as an administrator, but it prompts me for a password.  Unfortunately, either the bug has changed the Administrator password, or I simply can't remember it.  This used to be my wife's laptop, so I've left her a message to see if she remembers it.  If and when I am able to run FRST, I'll post the logs.



#7 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,091 posts
  • Gender:Male
  • Location:Germany
  • Local time:04:14 AM

Posted 11 June 2014 - 03:05 AM

OK I will wait for the FRST Logs.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#8 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • Local time:04:14 AM

Posted 11 June 2014 - 12:15 PM

I have found the administrator password, but I am still unable to run FRST, as far as I can tell. When I right-click and select "Run as Administrator" then type in the password, a text box briefly comes up and then immediately disappears. If I set the program to not close on exit, then I see the message: "This program cannot be run from DOS mode." I tried re-downloading FRST.exe and in fact the new download was a different size than the old one, but it exhibits the same behavior. As far as I know I am not trying to run the program in DOS mode. I'm launching it from my desktop via the GUI. But I still get that message. Let me know what I should try next.



#9 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 11 June 2014 - 12:23 PM

Perhaps this will help you figure out what's going on.  I just noticed that if I download FRST to one of my other machines it has an icon and when you hover over it you see relevant info about the program, who wrote it, etcetera.  However, on the infected machine, the icon displayed is the standard DOS program icon, and hovering over it shows no information whatsoever.  I will try naming it something else and running it from another directory, and see if that makes a difference.
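The two symptoms reported in the last two posts (a generic DOS-program icon with no version information, and the "This program cannot be run in DOS mode." text, which is what the DOS stub at the front of every Windows executable prints when Windows does not treat the file as a valid PE image) are both consistent with the launched file not carrying the PE header the loader expects. The script below is an added example and is not part of this thread, of FRST, or of any BleepingComputer tool: it validates the MZ/PE headers of a file and hashes it, so a copy taken from the suspect machine can be compared byte for byte with a fresh download made on a clean machine. It uses a constructed minimal PE image as its built-in input; the file names and the `diagnose` verdict strings are this example's own.

```python
import hashlib
import struct

# Constructed sample input (not a file from the thread): the smallest layout the
# Windows loader accepts. An MZ header whose e_lfanew field (offset 0x3C) points
# at "PE\0\0", a 20-byte COFF header, and a PE32 optional header declaring the
# Windows GUI subsystem.
def build_sample_pe() -> bytes:
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)        # e_lfanew -> PE header at 0x80
    dos[0x40:0x40 + len(stub)] = stub              # the DOS stub Windows runs on bad headers
    # COFF header: i386, 1 section, no symbols, 224-byte PE32 optional header,
    # characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 68, 2)             # Subsystem = IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}

def parse_pe(data: bytes) -> dict:
    """Validate the MZ/PE headers; return machine, format and subsystem.
    Raises ValueError with the reason when the loader would not accept the
    file as a Windows image (the case in which only the DOS stub runs)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, _nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    return {
        "machine": "i386" if machine == 0x14C else "0x%x" % machine,
        "format": "PE32" if magic == 0x10B else "PE32+",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diagnose(data: bytes, reference=None) -> str:
    """One-line verdict: does the file parse as a Windows image, and (when a
    known-good copy is supplied) is it byte-identical to that copy?"""
    try:
        info = parse_pe(data)
    except ValueError as err:
        return "damaged: " + str(err)
    verdict = "ok: %s %s %s" % (info["format"], info["machine"], info["subsystem"])
    if reference is not None:
        same = sha256_hex(data) == sha256_hex(reference)
        verdict += ", hash matches" if same else ", HASH DIFFERS from reference"
    return verdict

def corrupt_pe_signature(data: bytes) -> bytes:
    """Constructed damage for the demo: overwrite the PE signature so that
    only the DOS stub is still valid."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[:e_lfanew] + b"XX\0\0" + data[e_lfanew + 4:]

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        # Real use: python pecheck.py <copy from suspect machine> [<fresh copy from a clean machine>]
        with open(sys.argv[1], "rb") as fh:
            suspect = fh.read()
        reference = None
        if len(sys.argv) >= 3:
            with open(sys.argv[2], "rb") as fh:
                reference = fh.read()
        print(diagnose(suspect, reference))
    else:
        good = build_sample_pe()
        print(diagnose(good))                              # ok: PE32 i386 GUI
        print(diagnose(corrupt_pe_signature(good), good))  # damaged: e_lfanew does not point at a PE signature
```

Run it on a clean machine against a copy of the file taken from the suspect system and against a freshly downloaded one; a "damaged" verdict or a differing hash tells the helper that the tool itself was altered or not fully written, which is a different problem from the tool being blocked by name, and the renaming trick in the next post only addresses the latter.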



#10 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 11 June 2014 - 12:27 PM

That appears to have done the trick.  This is some tricky little bug I've got.  I'll post the logs when the scan is done.



#11 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • Local time:04:14 AM

Posted 11 June 2014 - 12:39 PM

Here are the contents of FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:11-06-2014 01
Ran by Administrator (administrator) on ARKEN-LAP on 11-06-2014 07:20:32
Running from C:\
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 6
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
(McAfee, Inc.) C:\Program Files\McAfee\MPF\MpfSrv.exe
(Sony Corporation) C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Farbar) C:\GARP.EXE


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [CARPService] => C:\WINDOWS\system32\carpserv.exe [4608 2003-05-21] (Conexant Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Java\jre6\bin\jusched.exe [149280 2009-11-10] (Sun Microsystems, Inc.)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [335872 2004-05-15] (ATI Technologies, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2008-10-15] (Adobe Systems Incorporated)
Startup: C:\Documents and Settings\J\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
URLSearchHook: ATTENTION ==> Default URLSearchHook is missing.
StartMenuInternet: IEXPLORE.EXE - C:\PROGRA~1\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.30.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @movenetworks.com/Quantum Media Player - C:\Documents and Settings\J\Application Data\Move Networks\plugins\npqmp071701000002.dll (Move Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeploytk.dll (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPSibelius.dll ()
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009-11-10]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []

========================== Services (Whitelisted) =================

S3 Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [163840 2006-01-05] (Alex Feinman) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2009-11-10] (Sun Microsystems, Inc.)
R2 McAfee HackerWatch Service; C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe [554600 2006-11-08] (McAfee, Inc.)
R2 MpfService; C:\Program Files\McAfee\MPF\MPFSrv.exe [833064 2006-11-10] (McAfee, Inc.)
S3 MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [53337 2005-01-26] (Sony Corporation) [File not signed]
R2 NetMDSB; C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe [782336 2005-01-15] (Sony Corporation) [File not signed]
S3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [53337 2005-01-26] (Sony Corporation) [File not signed]
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [69718 2005-01-26] (Sony Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

S3 aliadwdm; C:\WINDOWS\System32\drivers\ac97ali.sys [231552 2002-08-28] (Acer Laboratories Inc.)
R3 ALiIRDA; C:\WINDOWS\System32\DRIVERS\alifir.sys [26624 2001-08-17] (Acer Laboratories Inc.)
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [341760 2004-08-04] (Broadcom Corporation)
R3 CALIAUD; C:\WINDOWS\System32\drivers\caliaud.sys [291328 2002-11-05] (Conexant Systems Inc.)
R3 CALIHALA; C:\WINDOWS\System32\drivers\calihal.sys [244608 2002-11-05] (Conexant Systems Inc.)
S3 DfuUsb; C:\WINDOWS\System32\DRIVERS\DFUUsb.sys [10880 2001-11-27] (Texas Instruments) [File not signed]
R3 DP83815; C:\WINDOWS\System32\DRIVERS\DP83815.SYS [16512 2003-10-17] (National Semiconductor Corp.)
R1 ElbyCDIO; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [26024 2009-12-17] (Elaborate Bytes AG)
S3 FA312; C:\WINDOWS\System32\DRIVERS\FA312nd5.sys [16074 2001-08-17] (NETGEAR Corp.)
R3 HSFHWALI; C:\WINDOWS\System32\DRIVERS\HSFHWALI.sys [179712 2003-05-21] (Conexant Systems, Inc.)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2014-06-10] (Malwarebytes Corporation)
R1 MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [100952 2006-10-30] (McAfee, Inc.)
R3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [10368 2005-11-03] (Padus, Inc.) [File not signed]
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2007-02-04] (Sonic Solutions) [File not signed]
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
S3 rt2870; C:\WINDOWS\System32\DRIVERS\rt2870.sys [1139040 2010-12-27] (Ralink Technology, Corp.)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [28624 2010-05-24] () [File not signed]
R2 StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [30592 2003-05-21] (Conexant Systems, Inc.)
R3 VClone; C:\WINDOWS\System32\DRIVERS\VClone.sys [29696 2009-08-09] (Elaborate Bytes AG) [File not signed]
S3 catchme; \??\C:\random441r\catchme.sys [X]
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96256 2004-08-03] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-11 07:20 - 2014-06-11 07:21 - 00009204 _____ () C:\FRST.txt
2014-06-11 07:20 - 2014-06-11 07:20 - 00000000 ____D () C:\FRST
2014-06-11 07:14 - 2014-06-11 07:14 - 01073152 _____ (Farbar) C:\GARP.EXE
2014-06-11 06:48 - 2014-06-11 06:48 - 00002855 _____ () C:\Documents and Settings\J\Desktop\FRST.PIF
2014-06-11 06:41 - 2014-06-11 07:21 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-06-11 06:41 - 2014-06-11 07:03 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-06-11 06:41 - 2014-06-11 06:41 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-06-11 06:41 - 2007-02-04 12:26 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-06-11 06:41 - 2007-02-04 12:26 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-06-11 06:41 - 2007-02-04 12:26 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-06-10 12:34 - 2014-06-10 12:29 - 01182864 _____ () C:\Documents and Settings\J\Desktop\FRST.exe
2014-06-10 12:29 - 2014-06-11 07:01 - 01073152 _____ (Farbar) C:\Documents and Settings\J\FRST.exe
2014-06-10 11:40 - 2014-06-10 11:40 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2014-06-10 05:48 - 2014-06-11 07:21 - 00000000 ____D () C:\Documents and Settings\J\Local Settings\temp
2014-06-10 05:48 - 2014-06-10 05:48 - 00005999 _____ () C:\ComboFix.txt
2014-06-10 05:48 - 2014-06-10 05:48 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-06-10 05:44 - 2014-06-11 07:20 - 00000374 _____ () C:\WINDOWS\system32\Drivers\etc\hosts.ics
2014-06-10 02:00 - 2014-06-10 05:48 - 00000000 ____D () C:\random441r
2014-06-09 12:41 - 2014-06-10 01:40 - 00000000 ____D () C:\random
2014-06-08 04:30 - 2014-06-08 04:31 - 01402880 _____ () C:\Documents and Settings\J\HiJackThis.msi
2014-06-07 19:51 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-06-07 19:51 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-06-07 19:51 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-06-07 19:51 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-06-07 19:51 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-06-07 19:51 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-06-07 19:51 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-06-07 19:51 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-06-07 19:51 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-06-07 19:46 - 2014-06-10 05:48 - 00000000 ____D () C:\Qoobox
2014-06-07 19:44 - 2014-06-10 01:53 - 05205915 ____R (Swearware) C:\random.exe
2014-06-07 08:12 - 2014-06-07 08:12 - 00000000 _RSHD () C:\cmdcons
2014-06-07 08:12 - 2007-03-14 00:59 - 00000211 _____ () C:\Boot.bak
2014-06-07 08:12 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-06-07 06:07 - 2014-06-07 19:46 - 00000000 ____D () C:\WINDOWS\erdnt
2014-06-06 17:29 - 2014-06-06 17:29 - 00054016 _____ () C:\WINDOWS\system32\Drivers\jdao.sys

==================== One Month Modified Files and Folders =======

2014-06-11 07:21 - 2014-06-11 07:20 - 00009204 _____ () C:\FRST.txt
2014-06-11 07:21 - 2014-06-11 06:41 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-06-11 07:21 - 2014-06-10 05:48 - 00000000 ____D () C:\Documents and Settings\J\Local Settings\temp
2014-06-11 07:21 - 2007-02-08 12:21 - 01329394 _____ () C:\WINDOWS\WindowsUpdate.log
2014-06-11 07:20 - 2014-06-11 07:20 - 00000000 ____D () C:\FRST
2014-06-11 07:20 - 2014-06-10 05:44 - 00000374 _____ () C:\WINDOWS\system32\Drivers\etc\hosts.ics
2014-06-11 07:20 - 2007-02-06 11:17 - 00018484 _____ () C:\WINDOWS\system32\Config.MPF
2014-06-11 07:19 - 2007-04-10 22:46 - 00000000 __SHD () C:\WINDOWS\CSC
2014-06-11 07:19 - 2007-02-04 12:26 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-06-11 07:19 - 2007-02-04 06:13 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-06-11 07:19 - 2007-02-04 06:13 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-06-11 07:19 - 2003-03-31 07:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-06-11 07:14 - 2014-06-11 07:14 - 01073152 _____ (Farbar) C:\GARP.EXE
2014-06-11 07:03 - 2014-06-11 06:41 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-06-11 07:01 - 2014-06-10 12:29 - 01073152 _____ (Farbar) C:\Documents and Settings\J\FRST.exe
2014-06-11 06:48 - 2014-06-11 06:48 - 00002855 _____ () C:\Documents and Settings\J\Desktop\FRST.PIF
2014-06-11 06:41 - 2014-06-11 06:41 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-06-11 06:41 - 2012-02-10 16:05 - 00000910 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-746137067-854245398-1003Core.job
2014-06-11 05:23 - 2012-02-10 16:05 - 00000962 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-746137067-854245398-1003UA.job
2014-06-10 12:41 - 2007-02-04 12:33 - 00000178 ___SH () C:\Documents and Settings\J\ntuser.ini
2014-06-10 12:29 - 2014-06-10 12:34 - 01182864 _____ () C:\Documents and Settings\J\Desktop\FRST.exe
2014-06-10 12:29 - 2007-02-04 12:33 - 00000000 ____D () C:\Documents and Settings\J
2014-06-10 11:40 - 2014-06-10 11:40 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2014-06-10 05:48 - 2014-06-10 05:48 - 00005999 _____ () C:\ComboFix.txt
2014-06-10 05:48 - 2014-06-10 05:48 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-06-10 05:48 - 2014-06-10 02:00 - 00000000 ____D () C:\random441r
2014-06-10 05:48 - 2014-06-07 19:46 - 00000000 ____D () C:\Qoobox
2014-06-10 05:44 - 2003-03-31 07:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-06-10 05:01 - 2009-11-16 20:53 - 00057643 _____ () C:\WINDOWS\KB960859.log
2014-06-10 04:49 - 2007-04-15 22:33 - 00603100 _____ () C:\WINDOWS\setupapi.log
2014-06-10 04:34 - 2007-03-15 12:33 - 00026444 _____ () C:\WINDOWS\KB929969.log
2014-06-10 01:53 - 2014-06-07 19:44 - 05205915 ____R (Swearware) C:\random.exe
2014-06-10 01:40 - 2014-06-09 12:41 - 00000000 ____D () C:\random
2014-06-09 21:23 - 2007-02-04 12:31 - 00032124 _____ () C:\WINDOWS\SchedLgU.Txt
2014-06-08 04:31 - 2014-06-08 04:30 - 01402880 _____ () C:\Documents and Settings\J\HiJackThis.msi
2014-06-08 03:30 - 2007-02-04 12:31 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-06-08 01:28 - 2007-02-04 12:23 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-06-07 19:46 - 2014-06-07 06:07 - 00000000 ____D () C:\WINDOWS\erdnt
2014-06-07 17:25 - 2007-03-13 23:43 - 00937757 _____ () C:\WINDOWS\svcpack.log
2014-06-07 16:01 - 2011-06-29 18:09 - 00000000 ____D () C:\wgdafd
2014-06-07 08:12 - 2014-06-07 08:12 - 00000000 _RSHD () C:\cmdcons
2014-06-07 08:12 - 2007-02-04 06:08 - 00000327 __RSH () C:\boot.ini
2014-06-07 05:51 - 2012-03-08 08:22 - 00000600 _____ () C:\Documents and Settings\J\PUTTY.RND
2014-06-06 21:16 - 2012-02-10 16:07 - 00002252 _____ () C:\Documents and Settings\J\Desktop\Google Chrome.lnk
2014-06-06 17:35 - 2007-02-06 11:06 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\McAfee
2014-06-06 17:29 - 2014-06-06 17:29 - 00054016 _____ () C:\WINDOWS\system32\Drivers\jdao.sys
2014-06-06 16:31 - 2012-01-24 08:22 - 00000784 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-06 16:31 - 2011-04-24 17:38 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-06-06 16:31 - 2011-04-24 17:38 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2014-06-06 16:30 - 2007-02-06 11:06 - 00000000 ____D () C:\Program Files\McAfee
2014-06-06 16:30 - 2007-02-06 11:06 - 00000000 ____D () C:\Program Files\Common Files\McAfee

Files to move or delete:
====================
C:\Documents and Settings\J\FRST.exe
C:\Documents and Settings\J\pingit.bat


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Here are the contents of Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x86) Version:11-06-2014 01
Ran by Administrator at 2014-06-11 07:22:08
Running from C:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================


==================== Installed Programs ======================

Adobe Flash Player 10 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 10.0.45.2 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.1.102.55 - Adobe Systems Incorporated)
Adobe Reader 8.1.3 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A81300000003}) (Version: 8.1.3 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Advanced DVD Player (HKLM\...\Advanced DVD Player_is1) (Version:  - Excellent Technology Exchange)
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1008 - )
ATI Control Panel (HKLM\...\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}) (Version: 6.14.10.5102 - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.003.3-040515a-016016C - )
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version:  - )
Avidemux 2.5 (HKLM\...\Avidemux 2.5) (Version: 2.5.4.6714 - )
AviSynth 2.5 (HKLM\...\AviSynth) (Version:  - )
Broadcom 802.11 Driver (HKLM\...\Broadcom 802.11b Network Adapter) (Version:  - )
Canon MP450 (HKLM\...\{CF23AFD7-3078-4134-8823-EBF6D1FE6FAD}) (Version:  - )
Cdrdao 1.2.3 (HKLM\...\Cdrdao_is1) (Version:  - Cdrdao Developer Team)
Conexant 56K ACLink Modem (HKLM\...\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_0850103C) (Version:  - )
Conexant AC-Link Audio (HKLM\...\Conexant PCI Audio) (Version:  - )
Diablo II (HKLM\...\Diablo II) (Version:  - Blizzard Entertainment)
DP8381x 10/100 PCI Network Adapter Driver (Version: 2.00.0000 - National Semiconductor 10/100 Ethernet Driver) Hidden
ffdshow [rev 3154] [2009-12-09] (HKLM\...\ffdshow_is1) (Version: 1.0 - )
FileZilla Client 3.7.4.1 (HKLM\...\FileZilla Client) (Version: 3.7.4.1 - Tim Kosse)
Free Download Manager 3.8 (HKLM\...\Free Download Manager_is1) (Version:  - FreeDownloadManager.ORG)
GIMP 2.6.7 (HKLM\...\WinGimp-2.0_is1) (Version:  - )
ImageMagick 6.5.8-8 Q8 (2010-01-01) (HKLM\...\ImageMagick 6.5.8 Q8_is1) (Version: 6.5.8 - ImageMagick Studio LLC)
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.6.0 - LIGHTNING UK!)
ISO Recorder (HKLM\...\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}) (Version: 2.0.0 - Alex Feinman)
J2SE Runtime Environment 5.0 Update 11 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0150110}) (Version: 1.5.0.110 - Sun Microsystems, Inc.)
Java™ 6 Update 16 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216016FF}) (Version: 6.0.160 - Sun Microsystems, Inc.)
MainConcept MJPEG Codec (HKLM\...\InstallShield_{805A7890-3138-44E4-8DAA-480C55516989}) (Version: 3.02.0004.0000 - MainConcept AG)
MainConcept MJPEG Codec (Version: 3.02.0004.0000 - MainConcept AG) Hidden
MainConcept MJPG software codec (Remove Only) (HKLM\...\MCMJPG) (Version:  - )
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
MD Simple Burner 2.0.05 (HKLM\...\{47E09785-B2FB-11D5-B8EE-00B0D0D26B88}) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Games for Windows - LIVE Redistributable (HKLM\...\{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}) (Version: 2.0.687.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50917.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Management Objects (HKLM\...\{F5E87B12-3C27-452F-8E78-21D42164FD83}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP1 Design Tools English (HKLM\...\{0C19D563-5F25-4621-BF10-01F741BD283F}) (Version: 3.5.5692.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP1 English (HKLM\...\{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}) (Version: 3.5.5692.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
MinGW 5.1.6 (HKLM\...\MinGW) (Version: 5.1.6 - MinGW)
MKVtoolnix 4.7.0 (HKLM\...\MKVtoolnix) (Version: 4.7.0 - Moritz Bunkus)
Mozilla Firefox 28.0 (x86 en-US) (HKLM\...\Mozilla Firefox 28.0 (x86 en-US)) (Version: 28.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 28.0 - Mozilla)
MP3 Splitter (HKLM\...\MP3 Splitter_is1) (Version:  - )
MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
No-IP DUC (HKLM\...\NoIPDUC) (Version: 3.0.4 - Vitalwerks Internet Solutions LLC)
OpenMG Limited Patch 4.1-05-13-31-01 (HKLM\...\OpenMG HotFix4.1-05-13-31-01) (Version:  - )
OpenMG Secure Module 4.1.00 (HKLM\...\InstallShield_{2F151B50-B434-4838-B51D-70442EBA093E}) (Version: 4.1.00.13261 - Sony Corporation)
OpenMG Secure Module 4.1.00 (Version: 4.1.00.13261 - Sony Corporation) Hidden
OpenOffice.org 3.1 (HKLM\...\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}) (Version: 3.1.9420 - OpenOffice.org)
PDF Image Extraction Wizard 5.01 (HKLM\...\PDF Image Extraction Wizard_is1) (Version:  - RL Vision)
QuickTime Alternative 3.2.2 (HKLM\...\QuicktimeAlt_is1) (Version: 3.2.2 - )
Ralink RT2870 Wireless LAN Card (HKLM\...\{28DA7D8B-F9A4-4F18-8AA0-551B1E084D0D}) (Version: 1.5.11.0 - Ralink)
RarZilla Free Unrar (HKLM\...\RarZilla Free Unrar) (Version: 2.90 - Philipp Winterberg)
SMPlayer 0.6.8 (HKLM\...\SMPlayer) (Version: 0.6.8 - RVM)
Some PDF Image Extractr 1.5 (HKLM\...\Some PDF Image Extract_is1) (Version:  - SomePDF.com)
Sophocles (Remove Only) (HKLM\...\Sophocles2) (Version:  - )
Sophocles 2003   (Remove Only) (HKLM\...\Sophocles) (Version:  - )
SQL Server System CLR Types (HKLM\...\{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}) (Version: 10.0.1600.22 - Microsoft Corporation)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB908531) (HKLM\...\KB908531) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB910437) (HKLM\...\KB910437) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB911280) (HKLM\...\KB911280) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB925720) (HKLM\...\KB925720) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB976749) (HKLM\...\KB976749) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB978207) (HKLM\...\KB978207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB980182) (HKLM\...\KB980182) (Version: 1 - Microsoft Corporation)
VirtualCloneDrive (HKLM\...\VirtualCloneDrive) (Version:  - Elaborate Bytes)
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Installer 3.1 (KB893803) (HKLM\...\KB893803v2) (Version: 3.1 - Microsoft Corporation)
Windows Media Format Runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Windows XP Hotfix - KB873339 (HKLM\...\KB873339) (Version: 20041117.092459 - Microsoft Corporation)
Windows XP Hotfix - KB885835 (HKLM\...\KB885835) (Version: 20041027.181713 - Microsoft Corporation)
Windows XP Hotfix - KB885836 (HKLM\...\KB885836) (Version: 20041028.173203 - Microsoft Corporation)
Windows XP Hotfix - KB888302 (HKLM\...\KB888302) (Version: 20041207.111426 - Microsoft Corporation)
Windows XP Hotfix - KB890859 (HKLM\...\KB890859) (Version: 1 - Microsoft Corporation)
Windows XP Hotfix - KB891781 (HKLM\...\KB891781) (Version: 20050110.165439 - Microsoft Corporation)
Windows XP Service Pack 2 (HKLM\...\Windows XP Service Pack) (Version: 20040803.231319 - Microsoft Corporation)
x264vfw - H.264/MPEG-4 AVC codec (remove only) (HKLM\...\x264vfw) (Version:  - )

==================== Restore Points  =========================

10-06-2014 18:46:59 System Checkpoint

==================== Hosts content: ==========================

2003-03-31 07:00 - 2014-06-10 05:43 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-746137067-854245398-1003Core.job => C:\Documents and Settings\J\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-602162358-746137067-854245398-1003UA.job => C:\Documents and Settings\J\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============


==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== EXE Association (whitelisted) =============



HKU\S-1-5-21-602162358-746137067-854245398-1003\Software\Classes\exefile: "%1" %* <===== ATTENTION!

==================== MSCONFIG/TASK MANAGER disabled items =========


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/11/2014 06:49:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]

Error: (06/10/2014 00:49:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]

Error: (06/10/2014 00:06:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]

Error: (06/10/2014 11:48:35 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]

Error: (06/10/2014 05:52:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]

Error: (06/10/2014 05:44:25 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application NetMDSB.exe, version 2.0.5.25150, faulting module NetMDSB.exe, version 2.0.5.25150, fault address 0x000553b2.
Processing media-specific event for [NetMDSB.exe!ws!]

Error: (06/10/2014 01:44:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]

Error: (06/10/2014 01:35:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application NetMDSB.exe, version 2.0.5.25150, faulting module NetMDSB.exe, version 2.0.5.25150, fault address 0x00055982.
Processing media-specific event for [NetMDSB.exe!ws!]

Error: (06/08/2014 03:38:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]

Error: (06/08/2014 03:21:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application services.exe, version 5.1.2600.3520, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x00019736.
Processing media-specific event for [services.exe!ws!]


System errors:
=============
Error: (06/10/2014 05:49:29 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MD Simple Burner Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/10/2014 01:41:03 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MD Simple Burner Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/08/2014 03:13:53 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MD Simple Burner Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/08/2014 01:33:15 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MD Simple Burner Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/07/2014 03:34:33 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MD Simple Burner Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/07/2014 00:11:21 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MD Simple Burner Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (06/07/2014 00:07:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The System Restore Service service terminated with the following error:
%%2

Error: (06/07/2014 00:07:00 PM) (Source: SRService) (EventID: 104) (User: )
Description: The System Restore initialization process failed.

Error: (06/07/2014 11:50:45 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The System Restore Service service terminated with the following error:
%%2

Error: (06/07/2014 11:50:44 AM) (Source: SRService) (EventID: 104) (User: )
Description: The System Restore initialization process failed.


Microsoft Office Sessions:
=========================
Error: (06/11/2014 06:49:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736

Error: (06/10/2014 00:49:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736

Error: (06/10/2014 00:06:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736

Error: (06/10/2014 11:48:35 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736

Error: (06/10/2014 05:52:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736

Error: (06/10/2014 05:44:25 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: NetMDSB.exe2.0.5.25150NetMDSB.exe2.0.5.25150000553b2

Error: (06/10/2014 01:44:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736

Error: (06/10/2014 01:35:59 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: NetMDSB.exe2.0.5.25150NetMDSB.exe2.0.5.2515000055982

Error: (06/08/2014 03:38:06 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736

Error: (06/08/2014 03:21:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: services.exe5.1.2600.3520ntdll.dll5.1.2600.352000019736


==================== Memory info ===========================

Percentage of memory in use: 54%
Total physical RAM: 446.98 MB
Available physical RAM: 201.33 MB
Total Pagefile: 1057.51 MB
Available Pagefile: 880.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1935.46 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:27.83 GB) (Free:0.3 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: (New Volume) (Fixed) (Total:28.05 GB) (Free:0.06 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 56 GB) (Disk ID: AE32AE32)
Partition 1: (Active) - (Size=28 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=28 GB) - (Type=OF Extended)

==================== End Of Log ============================



#12 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,091 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:04:14 AM

Posted 11 June 2014 - 01:06 PM

Step 1: Adwarecleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, then just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated, select Settings > Detection and Protection.
Tick Scan for rootkits.

MBAMsettings.JPG

Go back to the Dashboard and select Scan Now

MBAMScan.JPG

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

MBAMReboot.JPG

MBAMLog.JPG

On completion of the scan (or after the reboot), select View Detailed Log.
Select Export > Select text file and save to the desktop.
Attach/Post that log.

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#13 gaheller

gaheller
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:04:14 AM

Posted 11 June 2014 - 03:46 PM

Okay here's the AdwCleaner log:

# AdwCleaner v3.212 - Report created 11/06/2014 at 10:26:34
# Updated 05/06/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : J - ARKEN-LAP
# Running from : C:\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\DOCUME~1\J\Local Settings\Application Data\Conduit

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4250488A-CB24-0893-C066-B1AEA57BCFF2}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.2180


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\DOCUME~1\J\Application Data\Mozilla\Firefox\Profiles\w9qk1xxc.default-1397073564527\prefs.js ]


-\\ Google Chrome v

[ File : C:\DOCUME~1\J\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [1564 octets] - [11/06/2014 10:24:37]
AdwCleaner[S0].txt - [1507 octets] - [11/06/2014 10:26:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1567 octets] ##########

Now running MBAM rootkit detection.  I'll let you know how that goes.
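For anyone triaging an AdwCleaner report like the one above, here is a small Python parser. It is added here as an example and is not part of this thread or of AdwCleaner itself. It turns the report into header fields plus a list of entries per section, then summarises what was removed: how many items per section, which registry hives were touched, and which browser settings were changed. The embedded sample is constructed to match the v3 report layout shown above; the regular expressions for the header, section, browser and file markers are my reading of that layout, not a documented format, and the defanged `hxxp` URLs are kept exactly as the tool writes them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the AdwCleaner v3 report layout in the post above.
SAMPLE_REPORT = r"""# AdwCleaner v3.212 - Report created 11/06/2014 at 10:26:34
# Updated 05/06/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 2 (32 bits)
# Username : J - ARKEN-LAP
# Running from : C:\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\DOCUME~1\J\Local Settings\Application Data\Conduit

***** [ Registry ] *****

Key Deleted : HKCU\Toolbar
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine

***** [ Browsers ] *****

-\\ Internet Explorer v6.0.2900.2180


-\\ Google Chrome v

[ File : C:\DOCUME~1\J\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}

*************************

AdwCleaner[S0].txt - [1507 octets] - [11/06/2014 10:26:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1567 octets] ##########
"""

# Line shapes assumed from the report above (not a documented grammar).
HEADER_RE = re.compile(r'^# (.+?) : (.+)$')           # "# Option : Clean"
SECTION_RE = re.compile(r'^\*{5} \[ (.+?) \] \*{5}$')  # "***** [ Registry ] *****"
END_RE = re.compile(r'^\*+$')                          # bare row of asterisks closes the sections
BROWSER_RE = re.compile(r'^-\\\\ (.+)$')               # "-\\ Google Chrome v"
FILE_RE = re.compile(r'^\[ File : (.+) \]$')           # "[ File : ...\preferences ]"
ENTRY_RE = re.compile(r'^(.+?) : (.+)$')               # "Key Deleted : HKCU\Toolbar"


def parse_adwcleaner(text):
    """Parse an AdwCleaner v3 text report into header fields and per-section entries."""
    header, sections = {}, {}
    section = browser = file_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#'):
            m = HEADER_RE.match(line)       # banner and EOF lines have no "key : value"
            if m:
                header[m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections.setdefault(section, [])   # keep empty sections so counts show 0
            browser = file_path = None
            continue
        if END_RE.match(line):
            section = None                     # trailer lines follow; ignore them
            continue
        if section is None:
            continue
        m = BROWSER_RE.match(line)
        if m:
            browser, file_path = m.group(1).strip(), None
            continue
        m = FILE_RE.match(line)               # must be tried before ENTRY_RE
        if m:
            file_path = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[section].append({'action': m.group(1), 'target': m.group(2),
                                      'browser': browser, 'file': file_path})
    return {'header': header, 'sections': sections}


def summarize(report):
    """Per-section counts, registry hives touched, and browser-level changes."""
    counts = {name: len(entries) for name, entries in report['sections'].items()}
    hives = Counter(e['target'].split('\\', 1)[0] for e in report['sections'].get('Registry', []))
    by_browser = defaultdict(list)
    for e in report['sections'].get('Browsers', []):
        by_browser[e['browser']].append(e['target'])
    return {'counts': counts, 'registry_hives': dict(hives),
            'browsers': dict(by_browser), 'total': sum(counts.values())}


if __name__ == '__main__':
    rep = parse_adwcleaner(SAMPLE_REPORT)
    print(rep['header'].get('Option'), summarize(rep))
```

Run it against a real `AdwCleaner[S0].txt` by reading the file instead of `SAMPLE_REPORT`; the `[R0]` (scan-only) report uses the same layout with "Found" in place of "Deleted", so the same parser works for comparing what was found with what was actually removed.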



#14 gaheller (Topic Starter)

Posted 11 June 2014 - 05:43 PM

MBAM doesn't seem to have found anything new.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/11/2014
Scan Time: 10:50:40 AM
Logfile: mbamlog.txt
Administrator: No

Version: 2.00.2.1012
Malware Database: v2014.06.11.08
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: J

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 270103
Time Elapsed: 52 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Running JRT now.
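As an added example (not from this thread and not Malwarebytes' own code), the Python below parses an MBAM 2.0 log of the kind posted above: it reads the header fields, the per-category counts, and any detection lines listed under a category, then reports whether the scan came back clean together with settings worth a second look, such as a scan that ran with "Administrator: No" or with rootkit scanning disabled. The sample log is constructed from the layout above, with one made-up detection line and a placeholder id added so the parser has something to find; the comma-separated detection layout and the 7-day database-age threshold are assumptions, not Malwarebytes documentation.

```python
import re
from datetime import datetime

# Result categories that MBAM 2.0 lists with a count, as in the log above.
CATEGORIES = ("Processes", "Modules", "Registry Keys", "Registry Values",
              "Registry Data", "Folders", "Files", "Physical Sectors")
NO_ITEMS = "(No malicious items detected)"
MAX_DB_AGE_DAYS = 7  # assumed threshold for calling the signature database stale

# Constructed sample modelled on the log posted above. The detection line and its
# [placeholder-id] are made up so the parser has something to find.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/11/2014
Scan Time: 10:50:40 AM
Logfile: mbamlog.txt
Administrator: No

Version: 2.00.2.1012
Malware Database: v2014.06.11.08
Rootkit Database: v2014.06.02.01
License: Trial

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: J

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 270103
Time Elapsed: 52 min, 5 sec

Memory: Enabled
Rootkits: Enabled
Deep Rootkit Scan: Enabled
PUP: Enabled

Processes: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.Example, HKLM\SOFTWARE\Classes\Example.Engine, Quarantined, [placeholder-id],

Files: 0
(No malicious items detected)

(end)
"""

KV_RE = re.compile(r"^([A-Za-z -]+): (.*)$")  # "Key: Value" header and category lines


def parse_mbam_log(text):
    """Split an MBAM 2.0 log into header fields, per-category counts and detection lines."""
    meta, counts, detections = {}, {}, {}
    current = None  # category whose detection lines we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            current = None           # a blank line ends the current category block
            continue
        m = KV_RE.match(line)
        if m and m.group(1) in CATEGORIES:
            current = m.group(1)
            counts[current] = int(m.group(2))
            detections[current] = []
        elif m and current is None:
            meta[m.group(1)] = m.group(2)
        elif current is not None and line != NO_ITEMS:
            # Assumed layout: "Name, Target, Action, [id]," (comma-separated fields).
            fields = [f.strip() for f in line.split(",") if f.strip()]
            fields += [""] * (3 - len(fields))
            detections[current].append({"name": fields[0], "target": fields[1],
                                        "action": fields[2], "raw": line})
    return {"meta": meta, "counts": counts, "detections": detections}


def database_age_days(report):
    """Days between the signature database date (vYYYY.MM.DD.NN) and the scan date, or None."""
    m = re.match(r"v(\d{4})\.(\d{2})\.(\d{2})", report["meta"].get("Malware Database", ""))
    if not m:
        return None
    db_date = datetime(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    try:
        scan_date = datetime.strptime(report["meta"].get("Scan Date", ""), "%m/%d/%Y")
    except ValueError:
        return None
    return (scan_date - db_date).days


def assess(report):
    """Clean/not-clean verdict plus scan settings that weaken confidence in a clean result."""
    meta = report["meta"]
    total = sum(report["counts"].values())
    warnings = []
    if meta.get("Result") != "Completed":
        warnings.append("scan did not complete")
    if meta.get("Administrator", "").lower() == "no":
        warnings.append("scan ran without administrator rights; protected locations may not have been examined")
    if meta.get("Rootkits", "").lower() != "enabled":
        warnings.append("rootkit scanning was not enabled")
    age = database_age_days(report)
    if age is not None and age > MAX_DB_AGE_DAYS:
        warnings.append(f"malware database was {age} days old at scan time")
    return {"clean": total == 0, "total_detections": total, "warnings": warnings}


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(assess(rep))
```

A clean count of zero is only as good as the scan's coverage, which is why the verdict carries the warnings alongside it: a log that says "Administrator: No" or "Rootkits: Disabled" is a prompt to re-run with those settings fixed before trusting the zero.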



#15 gaheller (Topic Starter)

Posted 11 June 2014 - 09:11 PM

I'm having some difficulty getting JRT to complete.  First it reports a "bad module" and asks me to reboot.  I'm not entirely sure I did the right thing by saying yes, because after it reboots the JRT window comes up but doesn't display anything.  It just sits there with a cursor blinking in the left-hand corner.  I'll let it go overnight and see if anything comes up.





