
Infected with Zbot or Zeus and do not know how to Remove it!


  • This topic is locked
49 replies to this topic

#1 wpetti


  • Members
  • 79 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 01 July 2014 - 12:12 PM

Hello.

 

My computer was running slow, pages crashing randomly. I decided to run some scans.

 

HitmanPro scan shows Trojan.CrytRedl.Gen.3 (Engine A) is on my computer.

 

The HitmanPro scan also turned up this: dmdchbutxqpxuiq.sys

 

Malwarebytes does not pick up the trojan, nor does Norton Internet Security.

 

My computer has been having pages crash randomly. Sometimes a weird symbol box with frown face appears indicating a page cannot be accessed. 

 

If anyone knows how to remove this virus please share!

 

Thank you,

 

wpetti

 

Scan results from DDS:

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/10/2009 8:54:54 AM
System Uptime: 7/1/2014 8:39:07 AM (3 hours ago)
.
Motherboard: Dell Inc. |  | 0J584C
Processor: Intel® Core™2 Duo CPU     E4600  @ 2.40GHz | Socket 775 | 2394/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 65 GiB total, 27.835 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 7.56 GiB free.
E: is CDROM (CDFS)
P: is NetworkDisk (NTFS) - 10 GiB total, 0.451 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Image File Execution Options =============
.
IFEO: Your Image File Name Here without a path - ntsd -d
.
==== Installed Programs ======================
.
.
==== End Of File ===========================
 
 



#2 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,285 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:02:02 PM

Posted 01 July 2014 - 02:35 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Regards,

Georgi




#3 wpetti

  • Topic Starter

  • Members
  • 79 posts
  • OFFLINE
  • Local time:06:02 AM

Posted 02 July 2014 - 11:46 AM

Additional scan result of Farbar Recovery Scan Tool (x86) Version:01-07-2014
Ran by Wells Pettibone at 2014-07-02 11:44:18
Running from C:\Documents and Settings\Wells Pettibone\Local Settings\Temporary Internet Files\Content.IE5\G8JCGBHY
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: BitDefender Antivirus (Disabled - Up to date) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Norton Internet Security (Disabled - Up to date) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: BitDefender Firewall (Disabled) {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Norton Internet Security (Disabled) {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
 
==================== Installed Programs ======================
 
Acrobat.com (HKLM\...\{6D8D64BE-F500-55B6-705D-DFD08AFE0624}) (Version: 1.7.186 - Adobe Systems Incorporated)
Act4Advisors v 3.5 Workstation (HKLM\...\Act4Advisors v 3.5 Workstation) (Version: 3.5 - Allied Financial Software, Inc. )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe AIR (Version: 3.1.0.4880 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\{1F5E5F2E-5E61-431D-B796-58CCC6B68E28}) (Version: 14.0.0.125 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM\...\{C4B32291-F7B2-4BEC-BA4D-4195676A08CC}) (Version: 14.0.0.125 - Adobe Systems Incorporated)
Adobe Reader X (10.1.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.10 - Adobe Systems Incorporated)
Adobe SVG Viewer 3.0 (HKLM\...\Adobe SVG Viewer) (Version:  3.0 - )
Advanced WindowsCare Personal (HKLM\...\Advanced WindowsCare V2 Personal_is1) (Version: 2.9.0 - IObit)
Apple Application Support (HKLM\...\{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AT&T Unified Messaging (HKLM\...\AT&T Unified Messaging) (Version:  - )
ATI Catalyst Registration (HKLM\...\{72736F5F-520D-472A-88CC-7B02872FD34E}) (Version: 2.00.0000 - ATI Technologies Inc.)
ATI Display Driver (Omega 3.8.442) (HKLM\...\ATI Display Driver) (Version: 8.442-071204a1-055811C-ATI-OMEGA - )
Auslogics BoostSpeed (HKLM\...\{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1) (Version: 5.5 - Auslogics Software Pty Ltd)
Auslogics Disk Defrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: version 3.2 - Auslogics Software Pty Ltd)
Bonjour (HKLM\...\{07287123-B8AC-41CE-8346-3D777245C35B}) (Version: 1.0.106 - Apple Inc.)
Brother HL-4040CN (HKLM\...\{B6FDDB5F-6DFD-44BB-83E4-6BF03CBE3B34}) (Version: 1.00 - Brother)
Casper 4.0 (HKLM\...\{D2E3E551-8691-40FA-BF6F-44204CB79A9D}) (Version: 4.0.1270 - Future Systems Solutions, Inc.)
Catalyst Control Center Core Implementation (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Full Existing (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Full New (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Light (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Previews Common (Version: 2008.0602.2243.38732 - ATI) Hidden
CCC Help English (Version: 2008.0602.2242.38732 - ATI) Hidden
ccc-core-preinstall (Version: 2008.0602.2243.38732 - ATI) Hidden
ccc-core-static (Version: 2008.0602.2243.38732 - ATI) Hidden
ccc-utility (Version: 2008.0602.2243.38732 - ATI) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 3.11 - Piriform)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Dell Laser MFP 1815 Software Uninstall (HKLM\...\Dell Laser MFP 1815) (Version:  - DELL Inc.)
Dimensional Returns 2 (HKLM\...\{BCB73D0C-51B6-47FD-ACC1-42A038C5F1A8}) (Version: 2.004.0031 - Dimensional)
Dimensional Returns 2 Data (HKLM\...\{EDBA2BEE-564F-49E8-8000-4F100DADB7A6}) (Version: 1.002.0033 - dimensional)
EASEUS Partition Master 9.0.0 Home Edition (HKLM\...\EASEUS Partition Master Home Edition_is1) (Version:  - EASEUS)
Glary Utilities 2.38.0.1288 (HKLM\...\Glary Utilities_is1) (Version: 2.38.0.1288 - Glarysoft Ltd)
Google Chrome (HKCU\...\Google Chrome) (Version: 35.0.1916.153 - Google Inc.)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
GoToAssist 8.0.0.514 (HKLM\...\GoToAssist) (Version:  - )
GoToMeeting 6.3.0.1415 (HKCU\...\GoToMeeting) (Version: 6.3.0.1415 - CitrixOnline)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.220 - SurfRight B.V.)
IncredibleCharts Pro (HKLM\...\{134959C1-E63F-11D5-87EF-444553540000}_is1) (Version:  - Vizhon Corporation)
InstallIQ Updater (HKLM\...\{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}) (Version: 1.4.3.0 - W3i, LLC)
Java™ 6 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216045FF}) (Version: 6.0.450 - Oracle)
join.me (HKCU\...\JoinMe) (Version: 1.8.0.108 - LogMeIn, Inc.)
Junxure Desktop (HKLM\...\{879FFED4-A41B-4486-8F9E-87CAE3B37516}) (Version: 9.5.1.0 - CRM Software, Inc.)
Junxure Outlook Addin (HKLM\...\{0B0DFAB9-A3C8-489D-B1FC-8EBB606ED7B3}) (Version: 3.0.7 - CRM Software)
JxPublicObject (HKLM\...\{913E1F2D-5A32-4D18-B983-640374D81448}) (Version: 1.0.0 - CRM Software)
Laser App Enterprise (HKLM\...\Laser App Enterprise) (Version: 10.0.0.31 - Laser App Software Inc.)
Laser App Enterprise (Version: 10.0.0.31 - Laser App Software Inc.) Hidden
LogMeIn (HKLM\...\{7F831576-6246-42C7-B523-55B3F96509CC}) (Version: 4.0.784 - LogMeIn, Inc.)
MailStore Home 4.0.6.4088 (HKLM\...\MailStore Home_is1) (Version: 4.0.6.4088 - deepinvent Software GmbH)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft ActiveSync (HKLM\...\{99052DB7-9592-4522-A558-5417BBAD48EE}) (Version: 4.5.5096.0 - Microsoft Corporation)
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Internationalized Domain Names Mitigation APIs (Version:  - Microsoft Corporation) Hidden
Microsoft National Language Support Downlevel APIs (Version:  - Microsoft Corporation) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Live Meeting 2007 (HKLM\...\{E30E7561-A466-4393-B8BF-FD93E733EF3C}) (Version: 8.0.6362.202 - Microsoft Corporation)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Small Business 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Software Update for Web Folders  (English) 12 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2005 Express Edition (ACT7) (Version: 9.4.5000.00 - Microsoft Corporation) Hidden
Microsoft SQL Server Native Client (HKLM\...\{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{E7084B89-69E0-46B3-A118-8F99D06988CD}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package (HKLM\...\Microsoft Visual J# 2.0 Redistributable Package) (Version:  - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727 - Microsoft Corporation) Hidden
Mozilla Firefox 24.6.0 (x86 en-US) (HKLM\...\Mozilla Firefox 24.6.0 (x86 en-US)) (Version: 24.6.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 24.6.0 - Mozilla)
MPC-HC 1.7.0 (HKLM\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version: 1.7.0.7858 - MPC-HC Team)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB954459) (HKLM\...\{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}) (Version: 6.20.1099.0 - Microsoft Corporation)
MultiRes (remove only) (HKLM\...\MultiRes (remove only)) (Version:  - )
Norton Internet Security (HKLM\...\NIS) (Version: 20.5.0.28 - Symantec Corporation)
Norton Management (HKLM\...\MCLIENT) (Version: 3.2.2.12 - Symantec Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
PortfolioCenter (HKLM\...\InstallShield_{0E81279D-CC2B-4FE6-B103-8A1B948AFED2}) (Version: 4.55.500.6 - Schwab Performance Technologies)
PortfolioCenter (Version: 4.55.500.6 - Schwab Performance Technologies) Hidden
PortfolioCenter Management Console (HKLM\...\InstallShield_{6C2ADBE2-429C-42CA-AA13-9557EFF62D0B}) (Version: 4.55.500.6 - Schwab Performance Technologies)
PortfolioCenter Management Console (Version: 4.55.500.6 - Schwab Performance Technologies) Hidden
Principia (HKLM\...\{0B962238-F67B-4498-8093-71C75F090F76}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{43CE8D1A-08A9-4917-A211-C5B99338C638}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{4FE32CC3-02AE-49D7-A2EF-B4F54011625F}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{625A04D4-47DB-40C1-A8C9-4556AAA24894}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{7200E359-03B3-4787-954F-8CFE745B8F25}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{83E08F63-F860-449A-BE27-30389484E527}) (Version: 4.0 - Morningstar)
Privacy Guardian 4.1 (HKLM\...\Privacy Guardian_is1) (Version: 4.1 - PC Tools)
Privacy Master personal privacy software. (HKCU\...\Privacy Master) (Version: 03.09.07.0000 - Webroot Software)
QuuSoft Uninstaller v2010.1.3 (HKLM\...\QuuSoft Uninstaller_is1) (Version: 2010.1.3 - QuuSoft.com, Inc.)
Radeon Omega Drivers v4.8.442 Setup Files and Tools (HKLM\...\Radeon Omega Drivers for Windows XP/2kv4.8.442) (Version: v4.8.442 - Omegadrivers.net)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (HKLM\...\{C9BED750-1211-4480-B1A5-718A3BE15525}) (Version: 1.16.0000 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.5532 - Realtek Semiconductor Corp.)
Schwab Data Delivery (HKCU\...\ebb9ba9810bf3c43) (Version: 1.10.2930.114 - Charles Schwab - Schwab Data Delivery)
SchwabLink Desktop (HKLM\...\{83287AA0-14B2-11D5-95ED-00C04FBE860F}) (Version:  - )
Secunia PSI (2.0.0.4003) (HKLM\...\Secunia PSI) (Version: 2.0.0.4003 - Secunia)
Setup Support for Weatherbug 1.0 (HKLM\...\Setup Support for Weatherbug) (Version: 1.0 - Sono Control Inc.)
Setup1 (HKLM\...\{8CA3DCAB-6B41-4E5F-B5B2-8DED37CDF1CC}) (Version: 1.0.0 - Default Company Name)
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002) (HKLM\...\{09959E11-AD5D-408E-96AF-E3346954D6B8}) (Version: 1.0.0 - Microsoft)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002) (HKLM\...\{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}) (Version: 1.0.0 - Microsoft)
Skins (Version: 2008.0602.2243.38732 - ATI) Hidden
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
TeamViewer 7 (HKLM\...\TeamViewer 7) (Version: 7.0.12313 - TeamViewer)
Uninstall Dell PC Fax (HKLM\...\{11A80E40-621F-489C-A626-58886B60FEAC}) (Version:  - Dell Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM\...\{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2881065) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{B7EF38F7-1D58-4085-A9A4-0F6C69A5AA1E}) (Version:  - Microsoft)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows Internet Explorer 8 (KB976662) (HKLM\...\KB976662-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB978506) (HKLM\...\KB978506-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB980182) (HKLM\...\KB980182-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
WebEx Recorder and Player (HKLM\...\{1A3F6AD7-7A95-439B-BF54-F418C7CC6380}) (Version: 3.29.3201 - Cisco WebEx LLC)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows 7 Upgrade Advisor (HKLM\...\{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}) (Version: 2.0.5000.0 - Microsoft Corporation)
Windows Essentials Media Codec Pack 4.0 [32-Bit] (HKLM\...\Windows Essentials Media Codec Pack) (Version: 4.0 - Media Codec)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Media Player 11 (Version:  - Microsoft Corporation) Hidden
Xvid 1.2.1 final uninstall (HKLM\...\Xvid_is1) (Version: 1.2 - Xvid team (Koepi))
Yahoo! Install Manager (HKLM\...\YInstHelper) (Version:  - )
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
2004-08-04 05:00 - 2009-04-09 10:19 - 00311498 ____N C:\WINDOWS\system32\Drivers\etc\hosts
 
There are 1000 more lines.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\Auslogics BoostSpeed Integrator Start On Wells Pettibone Logon.job => C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1220945662-515967899-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\1415\g2mupdate.exe
Task: C:\WINDOWS\Tasks\GlaryInitialize.job => C:\Program Files\Glary Utilities\initialize.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-515967899-839522115-1003Core.job => C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-515967899-839522115-1003UA.job => C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Hard Drive Backup.job => C:\Program Files\Future Systems Solutions\Casper 4.0\CASPER.EXE
Task: C:\WINDOWS\Tasks\Laser App Enterprise Updates.job => ?
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Windows Codec Update Service.job => C:\Program Files\Essentials Codec Pack\WECPUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2008-06-27 08:54 - 2007-03-14 14:36 - 00094208 ____N () C:\WINDOWS\system32\DellFaxPort_x86.dll
2014-05-01 18:19 - 2012-05-30 09:51 - 00699280 ____R () C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\20.5.0.28\wincfi39.dll
2009-02-26 13:46 - 2009-02-26 13:46 - 00064344 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
2011-06-22 11:46 - 2011-06-22 11:46 - 00434016 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
2013-07-10 18:07 - 2013-07-10 18:07 - 00756888 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
2014-05-01 18:19 - 2012-05-30 09:51 - 00699280 ____R () C:\Program Files\Norton Internet Security\Engine\20.5.0.28\wincfi39.dll
2014-06-13 23:23 - 2014-06-05 08:58 - 04217672 _____ () C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\pdf.dll
2014-06-13 23:23 - 2014-06-05 08:58 - 00414536 _____ () C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\ppGoogleNaClPluginChrome.dll
2014-06-13 23:23 - 2014-06-05 08:58 - 01732424 _____ () C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:28003E4D
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Principia Online Update.lnk => C:\WINDOWS\pss\Principia Online Update.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk => C:\WINDOWS\pss\Secunia PSI Tray.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => 
MSCONFIG\startupreg: Alcmtr => ALCMTR.EXE
MSCONFIG\startupreg: BDAgent => 
MSCONFIG\startupreg: BDMCon => 
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: Diagnostic Manager => 
MSCONFIG\startupreg: Everything => 
MSCONFIG\startupreg: InstallIQUpdater => "C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSCONFIG\startupreg: RTHDCPL => RTHDCPL.EXE
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: Weather => C:\Program Files\AWS\WeatherBug\Weather.exe 1
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/02/2014 11:10:18 AM) (Source: Outlook) (EventID: 35) (User: )
Description: Failed to determine if the store is in the crawl scope (error=0x8007043c).
 
Error: (07/02/2014 11:10:18 AM) (Source: Outlook) (EventID: 34) (User: )
Description: Failed to get the Crawl Scope Manager with error=0x8007043c.
 
Error: (07/02/2014 11:10:14 AM) (Source: Outlook) (EventID: 35) (User: )
Description: Failed to determine if the store is in the crawl scope (error=0x8007043c).
 
Error: (07/02/2014 11:10:14 AM) (Source: Outlook) (EventID: 34) (User: )
Description: Failed to get the Crawl Scope Manager with error=0x8007043c.
 
Error: (07/02/2014 11:10:09 AM) (Source: Microsoft Office 12) (EventID: 2001) (User: )
Description: Rejected Safe Mode action : Microsoft Office Outlook.
 
Error: (06/10/2014 10:26:44 AM) (Source: Microsoft Office 12) (EventID: 2000) (User: )
Description: Accepted Safe Mode action : Microsoft Office Outlook.
 
Error: (06/29/2014 09:50:00 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 24.5.0.5224, faulting module mozalloc.dll, version 24.5.0.5224, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]
 
Error: (06/27/2014 04:52:00 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (05/21/2014 11:30:00 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (05/09/2014 04:59:32 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
 
System errors:
=============
Error: (06/10/2014 02:03:39 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/09/2014 06:54:26 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/09/2014 09:33:48 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/09/2014 03:12:15 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/08/2014 08:59:03 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/07/2014 05:26:41 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/06/2014 11:07:41 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/06/2014 00:25:43 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/06/2014 02:46:43 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/05/2014 07:36:25 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
 
Microsoft Office Sessions:
=========================
Error: (03/03/2014 10:08:01 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 40526 seconds with 840 seconds of active time.  This session ended with a crash.
 
Error: (02/10/2014 02:38:13 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 442016 seconds with 18360 seconds of active time.  This session ended with a crash.
 
Error: (04/19/2013 10:53:41 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 40071 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (09/21/2012 10:00:07 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6661.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 174398 seconds with 6660 seconds of active time.  This session ended with a crash.
 
Error: (08/10/2012 02:21:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6661.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 185528 seconds with 21180 seconds of active time.  This session ended with a crash.
 
Error: (07/09/2012 09:38:19 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6607.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 247600 seconds with 5520 seconds of active time.  This session ended with a crash.
 
Error: (05/09/2012 03:53:42 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6607.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2425 seconds with 660 seconds of active time.  This session ended with a crash.
 
Error: (02/23/2012 00:32:00 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 173632 seconds with 8520 seconds of active time.  This session ended with a crash.
 
Error: (02/07/2012 04:50:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 11876 seconds with 4020 seconds of active time.  This session ended with a crash.
 
Error: (12/20/2011 11:50:14 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 87576 seconds with 7020 seconds of active time.  This session ended with a crash.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 77%
Total physical RAM: 2046.1 MB
Available physical RAM: 463.88 MB
Total Pagefile: 3937.46 MB
Available Pagefile: 2210.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1930.07 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:64.66 GB) (Free:27.4 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (DATA) (Fixed) (Total:9.83 GB) (Free:7.56 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive p: () (Network) (Total:9.83 GB) (Free:0.45 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 41AB2316)
Partition 1: (Active) - (Size=65 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=OF Extended)
 
==================== End Of Log ============================
 
Thanks,
 
wpetti


#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 July 2014 - 12:27 PM

Hi,

Where is the FRST.txt?

Regards,

Georgi


#5 wpetti
  • Topic Starter

  • Members
  • 79 posts

Posted 02 July 2014 - 01:41 PM

Please try this:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:01-07-2014
Ran by Wells Pettibone at 2014-07-02 11:44:18
Running from C:\Documents and Settings\Wells Pettibone\Local Settings\Temporary Internet Files\Content.IE5\G8JCGBHY
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: BitDefender Antivirus (Disabled - Up to date) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Norton Internet Security (Disabled - Up to date) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: BitDefender Firewall (Disabled) {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Norton Internet Security (Disabled) {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
 
==================== Installed Programs ======================
 
Acrobat.com (HKLM\...\{6D8D64BE-F500-55B6-705D-DFD08AFE0624}) (Version: 1.7.186 - Adobe Systems Incorporated)
Act4Advisors v 3.5 Workstation (HKLM\...\Act4Advisors v 3.5 Workstation) (Version: 3.5 - Allied Financial Software, Inc. )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe AIR (Version: 3.1.0.4880 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 14 ActiveX (HKLM\...\{1F5E5F2E-5E61-431D-B796-58CCC6B68E28}) (Version: 14.0.0.125 - Adobe Systems Incorporated)
Adobe Flash Player 14 Plugin (HKLM\...\{C4B32291-F7B2-4BEC-BA4D-4195676A08CC}) (Version: 14.0.0.125 - Adobe Systems Incorporated)
Adobe Reader X (10.1.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.10 - Adobe Systems Incorporated)
Adobe SVG Viewer 3.0 (HKLM\...\Adobe SVG Viewer) (Version:  3.0 - )
Advanced WindowsCare Personal (HKLM\...\Advanced WindowsCare V2 Personal_is1) (Version: 2.9.0 - IObit)
Apple Application Support (HKLM\...\{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AT&T Unified Messaging (HKLM\...\AT&T Unified Messaging) (Version:  - )
ATI Catalyst Registration (HKLM\...\{72736F5F-520D-472A-88CC-7B02872FD34E}) (Version: 2.00.0000 - ATI Technologies Inc.)
ATI Display Driver (Omega 3.8.442) (HKLM\...\ATI Display Driver) (Version: 8.442-071204a1-055811C-ATI-OMEGA - )
Auslogics BoostSpeed (HKLM\...\{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1) (Version: 5.5 - Auslogics Software Pty Ltd)
Auslogics Disk Defrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: version 3.2 - Auslogics Software Pty Ltd)
Bonjour (HKLM\...\{07287123-B8AC-41CE-8346-3D777245C35B}) (Version: 1.0.106 - Apple Inc.)
Brother HL-4040CN (HKLM\...\{B6FDDB5F-6DFD-44BB-83E4-6BF03CBE3B34}) (Version: 1.00 - Brother)
Casper 4.0 (HKLM\...\{D2E3E551-8691-40FA-BF6F-44204CB79A9D}) (Version: 4.0.1270 - Future Systems Solutions, Inc.)
Catalyst Control Center Core Implementation (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Full Existing (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Full New (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Light (Version: 2008.0602.2243.38732 - ATI) Hidden
Catalyst Control Center Graphics Previews Common (Version: 2008.0602.2243.38732 - ATI) Hidden
CCC Help English (Version: 2008.0602.2242.38732 - ATI) Hidden
ccc-core-preinstall (Version: 2008.0602.2243.38732 - ATI) Hidden
ccc-core-static (Version: 2008.0602.2243.38732 - ATI) Hidden
ccc-utility (Version: 2008.0602.2243.38732 - ATI) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 3.11 - Piriform)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Dell Laser MFP 1815 Software Uninstall (HKLM\...\Dell Laser MFP 1815) (Version:  - DELL Inc.)
Dimensional Returns 2 (HKLM\...\{BCB73D0C-51B6-47FD-ACC1-42A038C5F1A8}) (Version: 2.004.0031 - Dimensional)
Dimensional Returns 2 Data (HKLM\...\{EDBA2BEE-564F-49E8-8000-4F100DADB7A6}) (Version: 1.002.0033 - dimensional)
EASEUS Partition Master 9.0.0 Home Edition (HKLM\...\EASEUS Partition Master Home Edition_is1) (Version:  - EASEUS)
Glary Utilities 2.38.0.1288 (HKLM\...\Glary Utilities_is1) (Version: 2.38.0.1288 - Glarysoft Ltd)
Google Chrome (HKCU\...\Google Chrome) (Version: 35.0.1916.153 - Google Inc.)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
GoToAssist 8.0.0.514 (HKLM\...\GoToAssist) (Version:  - )
GoToMeeting 6.3.0.1415 (HKCU\...\GoToMeeting) (Version: 6.3.0.1415 - CitrixOnline)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.220 - SurfRight B.V.)
IncredibleCharts Pro (HKLM\...\{134959C1-E63F-11D5-87EF-444553540000}_is1) (Version:  - Vizhon Corporation)
InstallIQ Updater (HKLM\...\{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}) (Version: 1.4.3.0 - W3i, LLC)
Java™ 6 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216045FF}) (Version: 6.0.450 - Oracle)
join.me (HKCU\...\JoinMe) (Version: 1.8.0.108 - LogMeIn, Inc.)
Junxure Desktop (HKLM\...\{879FFED4-A41B-4486-8F9E-87CAE3B37516}) (Version: 9.5.1.0 - CRM Software, Inc.)
Junxure Outlook Addin (HKLM\...\{0B0DFAB9-A3C8-489D-B1FC-8EBB606ED7B3}) (Version: 3.0.7 - CRM Software)
JxPublicObject (HKLM\...\{913E1F2D-5A32-4D18-B983-640374D81448}) (Version: 1.0.0 - CRM Software)
Laser App Enterprise (HKLM\...\Laser App Enterprise) (Version: 10.0.0.31 - Laser App Software Inc.)
Laser App Enterprise (Version: 10.0.0.31 - Laser App Software Inc.) Hidden
LogMeIn (HKLM\...\{7F831576-6246-42C7-B523-55B3F96509CC}) (Version: 4.0.784 - LogMeIn, Inc.)
MailStore Home 4.0.6.4088 (HKLM\...\MailStore Home_is1) (Version: 4.0.6.4088 - deepinvent Software GmbH)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft ActiveSync (HKLM\...\{99052DB7-9592-4522-A558-5417BBAD48EE}) (Version: 4.5.5096.0 - Microsoft Corporation)
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Internationalized Domain Names Mitigation APIs (Version:  - Microsoft Corporation) Hidden
Microsoft National Language Support Downlevel APIs (Version:  - Microsoft Corporation) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Live Meeting 2007 (HKLM\...\{E30E7561-A466-4393-B8BF-FD93E733EF3C}) (Version: 8.0.6362.202 - Microsoft Corporation)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Small Business 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Software Update for Web Folders  (English) 12 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2005 Express Edition (ACT7) (Version: 9.4.5000.00 - Microsoft Corporation) Hidden
Microsoft SQL Server Native Client (HKLM\...\{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{E7084B89-69E0-46B3-A118-8F99D06988CD}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package (HKLM\...\Microsoft Visual J# 2.0 Redistributable Package) (Version:  - Microsoft Corporation)
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727 - Microsoft Corporation) Hidden
Mozilla Firefox 24.6.0 (x86 en-US) (HKLM\...\Mozilla Firefox 24.6.0 (x86 en-US)) (Version: 24.6.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 24.6.0 - Mozilla)
MPC-HC 1.7.0 (HKLM\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version: 1.7.0.7858 - MPC-HC Team)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB954459) (HKLM\...\{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}) (Version: 6.20.1099.0 - Microsoft Corporation)
MultiRes (remove only) (HKLM\...\MultiRes (remove only)) (Version:  - )
Norton Internet Security (HKLM\...\NIS) (Version: 20.5.0.28 - Symantec Corporation)
Norton Management (HKLM\...\MCLIENT) (Version: 3.2.2.12 - Symantec Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
PortfolioCenter (HKLM\...\InstallShield_{0E81279D-CC2B-4FE6-B103-8A1B948AFED2}) (Version: 4.55.500.6 - Schwab Performance Technologies)
PortfolioCenter (Version: 4.55.500.6 - Schwab Performance Technologies) Hidden
PortfolioCenter Management Console (HKLM\...\InstallShield_{6C2ADBE2-429C-42CA-AA13-9557EFF62D0B}) (Version: 4.55.500.6 - Schwab Performance Technologies)
PortfolioCenter Management Console (Version: 4.55.500.6 - Schwab Performance Technologies) Hidden
Principia (HKLM\...\{0B962238-F67B-4498-8093-71C75F090F76}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{43CE8D1A-08A9-4917-A211-C5B99338C638}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{4FE32CC3-02AE-49D7-A2EF-B4F54011625F}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{625A04D4-47DB-40C1-A8C9-4556AAA24894}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{7200E359-03B3-4787-954F-8CFE745B8F25}) (Version: 4.0 - Morningstar)
Principia (HKLM\...\{83E08F63-F860-449A-BE27-30389484E527}) (Version: 4.0 - Morningstar)
Privacy Guardian 4.1 (HKLM\...\Privacy Guardian_is1) (Version: 4.1 - PC Tools)
Privacy Master personal privacy software. (HKCU\...\Privacy Master) (Version: 03.09.07.0000 - Webroot Software)
QuuSoft Uninstaller v2010.1.3 (HKLM\...\QuuSoft Uninstaller_is1) (Version: 2010.1.3 - QuuSoft.com, Inc.)
Radeon Omega Drivers v4.8.442 Setup Files and Tools (HKLM\...\Radeon Omega Drivers for Windows XP/2kv4.8.442) (Version: v4.8.442 - Omegadrivers.net)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (HKLM\...\{C9BED750-1211-4480-B1A5-718A3BE15525}) (Version: 1.16.0000 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.5532 - Realtek Semiconductor Corp.)
Schwab Data Delivery (HKCU\...\ebb9ba9810bf3c43) (Version: 1.10.2930.114 - Charles Schwab - Schwab Data Delivery)
SchwabLink Desktop (HKLM\...\{83287AA0-14B2-11D5-95ED-00C04FBE860F}) (Version:  - )
Secunia PSI (2.0.0.4003) (HKLM\...\Secunia PSI) (Version: 2.0.0.4003 - Secunia)
Setup Support for Weatherbug 1.0 (HKLM\...\Setup Support for Weatherbug) (Version: 1.0 - Sono Control Inc.)
Setup1 (HKLM\...\{8CA3DCAB-6B41-4E5F-B5B2-8DED37CDF1CC}) (Version: 1.0.0 - Default Company Name)
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002) (HKLM\...\{09959E11-AD5D-408E-96AF-E3346954D6B8}) (Version: 1.0.0 - Microsoft)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002) (HKLM\...\{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}) (Version: 1.0.0 - Microsoft)
Skins (Version: 2008.0602.2243.38732 - ATI) Hidden
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
TeamViewer 7 (HKLM\...\TeamViewer 7) (Version: 7.0.12313 - TeamViewer)
Uninstall Dell PC Fax (HKLM\...\{11A80E40-621F-489C-A626-58886B60FEAC}) (Version:  - Dell Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM\...\{90120000-001A-0409-0000-0000000FF1CE}_SMALLBUSINESSR_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2881065) 32-Bit Edition (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{B7EF38F7-1D58-4085-A9A4-0F6C69A5AA1E}) (Version:  - Microsoft)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows Internet Explorer 8 (KB976662) (HKLM\...\KB976662-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB978506) (HKLM\...\KB978506-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB980182) (HKLM\...\KB980182-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
WebEx Recorder and Player (HKLM\...\{1A3F6AD7-7A95-439B-BF54-F418C7CC6380}) (Version: 3.29.3201 - Cisco WebEx LLC)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows 7 Upgrade Advisor (HKLM\...\{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}) (Version: 2.0.5000.0 - Microsoft Corporation)
Windows Essentials Media Codec Pack 4.0 [32-Bit] (HKLM\...\Windows Essentials Media Codec Pack) (Version: 4.0 - Media Codec)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Media Player 11 (Version:  - Microsoft Corporation) Hidden
Xvid 1.2.1 final uninstall (HKLM\...\Xvid_is1) (Version: 1.2 - Xvid team (Koepi))
Yahoo! Install Manager (HKLM\...\YInstHelper) (Version:  - )
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
2004-08-04 05:00 - 2009-04-09 10:19 - 00311498 ____N C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1001namen.com
127.0.0.1 1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com
127.0.0.1 www.123simsen.com
 
There are 1000 more lines.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AppleSoftwareUpdate.job => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: C:\WINDOWS\Tasks\Auslogics BoostSpeed Integrator Start On Wells Pettibone Logon.job => C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1220945662-515967899-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\1415\g2mupdate.exe
Task: C:\WINDOWS\Tasks\GlaryInitialize.job => C:\Program Files\Glary Utilities\initialize.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-515967899-839522115-1003Core.job => C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-515967899-839522115-1003UA.job => C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Hard Drive Backup.job => C:\Program Files\Future Systems Solutions\Casper 4.0\CASPER.EXE
Task: C:\WINDOWS\Tasks\Laser App Enterprise Updates.job => ?
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Windows Codec Update Service.job => C:\Program Files\Essentials Codec Pack\WECPUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2008-06-27 08:54 - 2007-03-14 14:36 - 00094208 ____N () C:\WINDOWS\system32\DellFaxPort_x86.dll
2014-05-01 18:19 - 2012-05-30 09:51 - 00699280 ____R () C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\20.5.0.28\wincfi39.dll
2009-02-26 13:46 - 2009-02-26 13:46 - 00064344 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
2011-06-22 11:46 - 2011-06-22 11:46 - 00434016 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
2013-07-10 18:07 - 2013-07-10 18:07 - 00756888 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
2014-05-01 18:19 - 2012-05-30 09:51 - 00699280 ____R () C:\Program Files\Norton Internet Security\Engine\20.5.0.28\wincfi39.dll
2014-06-13 23:23 - 2014-06-05 08:58 - 04217672 _____ () C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\pdf.dll
2014-06-13 23:23 - 2014-06-05 08:58 - 00414536 _____ () C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\ppGoogleNaClPluginChrome.dll
2014-06-13 23:23 - 2014-06-05 08:58 - 01732424 _____ () C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:28003E4D
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Principia Online Update.lnk => C:\WINDOWS\pss\Principia Online Update.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk => C:\WINDOWS\pss\Secunia PSI Tray.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => 
MSCONFIG\startupreg: Alcmtr => ALCMTR.EXE
MSCONFIG\startupreg: BDAgent => 
MSCONFIG\startupreg: BDMCon => 
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: Diagnostic Manager => 
MSCONFIG\startupreg: Everything => 
MSCONFIG\startupreg: InstallIQUpdater => "C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSCONFIG\startupreg: RTHDCPL => RTHDCPL.EXE
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: Weather => C:\Program Files\AWS\WeatherBug\Weather.exe 1
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/02/2014 11:10:18 AM) (Source: Outlook) (EventID: 35) (User: )
Description: Failed to determine if the store is in the crawl scope (error=0x8007043c).
 
Error: (07/02/2014 11:10:18 AM) (Source: Outlook) (EventID: 34) (User: )
Description: Failed to get the Crawl Scope Manager with error=0x8007043c.
 
Error: (07/02/2014 11:10:14 AM) (Source: Outlook) (EventID: 35) (User: )
Description: Failed to determine if the store is in the crawl scope (error=0x8007043c).
 
Error: (07/02/2014 11:10:14 AM) (Source: Outlook) (EventID: 34) (User: )
Description: Failed to get the Crawl Scope Manager with error=0x8007043c.
 
Error: (07/02/2014 11:10:09 AM) (Source: Microsoft Office 12) (EventID: 2001) (User: )
Description: Rejected Safe Mode action : Microsoft Office Outlook.
 
Error: (06/10/2014 10:26:44 AM) (Source: Microsoft Office 12) (EventID: 2000) (User: )
Description: Accepted Safe Mode action : Microsoft Office Outlook.
 
Error: (06/29/2014 09:50:00 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 24.5.0.5224, faulting module mozalloc.dll, version 24.5.0.5224, fault address 0x0000119c.
Processing media-specific event for [plugin-container.exe!ws!]
 
Error: (06/27/2014 04:52:00 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (05/21/2014 11:30:00 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
Error: (05/09/2014 04:59:32 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.
 
 
System errors:
=============
Error: (06/10/2014 02:03:39 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/09/2014 06:54:26 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/09/2014 09:33:48 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/09/2014 03:12:15 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/08/2014 08:59:03 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/07/2014 05:26:41 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/06/2014 11:07:41 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/06/2014 00:25:43 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/06/2014 02:46:43 AM) (Source: 0) (EventID: 4) (User: )
Description: 
 
Error: (06/05/2014 07:36:25 PM) (Source: 0) (EventID: 4) (User: )
Description: 
 
 
Microsoft Office Sessions:
=========================
Error: (03/03/2014 10:08:01 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 40526 seconds with 840 seconds of active time.  This session ended with a crash.
 
Error: (02/10/2014 02:38:13 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 442016 seconds with 18360 seconds of active time.  This session ended with a crash.
 
Error: (04/19/2013 10:53:41 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 40071 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (09/21/2012 10:00:07 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6661.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 174398 seconds with 6660 seconds of active time.  This session ended with a crash.
 
Error: (08/10/2012 02:21:43 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6661.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 185528 seconds with 21180 seconds of active time.  This session ended with a crash.
 
Error: (07/09/2012 09:38:19 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6607.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 247600 seconds with 5520 seconds of active time.  This session ended with a crash.
 
Error: (05/09/2012 03:53:42 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6607.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 2425 seconds with 660 seconds of active time.  This session ended with a crash.
 
Error: (02/23/2012 00:32:00 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 173632 seconds with 8520 seconds of active time.  This session ended with a crash.
 
Error: (02/07/2012 04:50:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 11876 seconds with 4020 seconds of active time.  This session ended with a crash.
 
Error: (12/20/2011 11:50:14 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 87576 seconds with 7020 seconds of active time.  This session ended with a crash.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 77%
Total physical RAM: 2046.1 MB
Available physical RAM: 463.88 MB
Total Pagefile: 3937.46 MB
Available Pagefile: 2210.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1930.07 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:64.66 GB) (Free:27.4 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (DATA) (Fixed) (Total:9.83 GB) (Free:7.56 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive p: () (Network) (Total:9.83 GB) (Free:0.45 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: 41AB2316)
Partition 1: (Active) - (Size=65 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=10 GB) - (Type=OF Extended)
 
==================== End Of Log ============================
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-07-2014
Ran by Wells Pettibone (administrator) on PETTIBON-1AE062 on 02-07-2014 13:38:47
Running from C:\Documents and Settings\Wells Pettibone\desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Norton Management\Engine\3.2.2.12\ccsvchst.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\20.5.0.28\ccsvchst.exe
(Secunia) C:\Program Files\Secunia\PSI\psia.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Symantec Corporation) C:\Program Files\Norton Management\Engine\3.2.2.12\ccsvchst.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\20.5.0.28\ccsvchst.exe
(Auslogics) C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(Microsoft Corporation) C:\Program Files\Microsoft ActiveSync\wcescomm.exe
(Microsoft Corporation) C:\PROGRA~1\MI3AA1~1\rapimgr.exe
(Laser App Software Inc.) C:\Program Files\Laser App Enterprise\uformagent.exe
(Microsoft Corporation) C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(MediaCodec.Org) C:\Program Files\Essentials Codec Pack\WECPUpdate.exe
(Google Inc.) C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2008-07-24] (LogMeIn, Inc.)
HKLM\...\Run: [AtiPTA] => C:\WINDOWS\system32\atiptaxx.exe [344064 2006-02-21] (ATI Technologies, Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKU\.DEFAULT\...\Run: [DWQueuedReporting] => C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [434080 2011-07-27] (Microsoft Corporation)
HKU\S-1-5-21-1220945662-515967899-839522115-1003\...\Run: [H/PC Connection Agent] => C:\Program Files\Microsoft ActiveSync\wcescomm.exe [1289000 2006-11-13] (Microsoft Corporation)
HKU\S-1-5-21-1220945662-515967899-839522115-1003\...\Run: [LaserAppUpdate] => C:\Program Files\Laser App Enterprise\uformagent.exe [1598560 2012-05-24] (Laser App Software Inc.)
HKU\S-1-5-21-1220945662-515967899-839522115-1003\...\Run: [Google Update] => C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [116648 2012-07-18] (Google Inc.)
HKU\S-1-5-21-1220945662-515967899-839522115-1003\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1220945662-515967899-839522115-1003\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 0
HKU\S-1-5-21-1220945662-515967899-839522115-1003\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk
ShortcutTarget: Principia Online Update.lnk -> C:\Program Files\Morningstar\Principia\schedupd.exe ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\20.5.0.28\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\20.5.0.28\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\20.5.0.28\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 24.217.0.5 24.178.162.3 24.247.15.53
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default
FF Homepage: google.com
FF Keyword.URL: hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_125.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=10.9.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 - C:\Program Files\Yahoo!\Common\npyaxmpb.dll No File
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcdec.dll (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atgpcext.dll (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\atmccli.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ieatgpc.dll (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npatgpc.dll (WebEx Communications, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ptexmeet.dll (WebEx Communications Inc.)
FF SearchPlugin: C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\searchplugins\bing-zugo.xml
FF SearchPlugin: C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\searchplugins\duckduckgo-1.xml
FF SearchPlugin: C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\searchplugins\duckduckgo.xml
FF Extension: GoogleSharing - C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\Extensions\googlesharing@extension.thoughtcrime.org [2011-08-23]
FF Extension: IE Tab - C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\Extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9} [2013-05-06]
FF Extension: DuckDuckGo Plus - C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi [2013-07-30]
FF Extension: Adblock Plus - C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-06-14]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} [2014-05-06]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} [2014-05-06]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-02-18]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2013-04-23]
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\IPSFF
FF Extension: Norton Vulnerability Protection - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\IPSFF [2013-10-09]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\coFFPlgn
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\coFFPlgn [2014-07-02]
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.153\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll No File
CHR Plugin: (Norton Confidential) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.5.4.6_0\npcoplgn.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (ActiveTouch General Plugin Container) - C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll (WebEx Communications, Inc)
CHR Plugin: (2007 Microsoft Office system) - C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Google Update) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Norton Identity Safe for Google Chrome™) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bejnhdlplbjhffionohbdnpcbobfejcc [2014-05-12]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-27]
CHR Extension: (YouTube) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-07-18]
CHR Extension: (Google Search) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-07-18]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-24]
CHR Extension: (Gmail) - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-07-18]
CHR HKLM\...\Chrome\Extension: [bejnhdlplbjhffionohbdnpcbobfejcc] - C:\Program Files\Norton Internet Security\Engine\20.5.0.28\Exts\Chrome.crx [2014-05-01]
CHR StartMenuInternet: Google Chrome - C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
R2 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [495616 2007-12-04] (ATI Technologies Inc.) [File not signed]
S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2007-09-28] () [File not signed]
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106248 2014-06-30] (SurfRight B.V.)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [158128 2013-04-23] (Sun Microsystems, Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 MCLIENT; C:\Program Files\Norton Management\Engine\3.2.2.12\ccSvcHst.exe [143928 2012-12-04] (Symantec Corporation)
R2 MSSQL$ACT7; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [44384 2010-12-10] (Microsoft Corporation)
R2 NIS; C:\Program Files\Norton Internet Security\Engine\20.5.0.28\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
R2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [994360 2011-10-14] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-10-14] (Secunia)
 
==================== Drivers (Whitelisted) ====================
 
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2782208 2007-12-05] (ATI Technologies Inc.) [File not signed]
R1 atitray; C:\Program Files\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [17952 2007-11-05] () [File not signed]
R2 Atmuni; C:\WINDOWS\System32\DRIVERS\atmuni.sys [352256 2004-08-04] (Microsoft Corporation)
R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20140606.001\BHDrvx86.sys [1101616 2014-05-09] (Symantec Corporation)
R1 ccSet_MCLIENT; C:\WINDOWS\system32\drivers\MCLIENT\0302020.00C\ccSetx86.sys [134304 2012-10-03] (Symantec Corporation)
R1 ccSet_NIS; C:\WINDOWS\system32\drivers\NIS\1405000.01C\ccSetx86.sys [134744 2013-04-15] (Symantec Corporation)
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2004-12-13] (Adaptec, Inc.) [File not signed]
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-10] (Symantec Corporation)
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [13192 2011-07-29] () [File not signed]
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-06-10] (Symantec Corporation)
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [8456 2011-07-29] () [File not signed]
S3 HdAudAddService; C:\WINDOWS\System32\drivers\AtiHdAud.sys [84992 2006-12-29] (ATI Research Inc.) [File not signed]
R3 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20140701.001\IDSxpx86.sys [383120 2014-03-25] (Symantec Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [110296 2014-07-02] (Malwarebytes Corporation)
S3 MfeAVFK; C:\WINDOWS\System32\drivers\MfeAVFK.sys [79304 2007-12-01] (McAfee, Inc.)
S3 MfeBOPK; C:\WINDOWS\System32\drivers\MfeBOPK.sys [35240 2007-12-01] (McAfee, Inc.)
R1 mfehidk; C:\WINDOWS\System32\drivers\mfehidk.sys [201320 2007-12-01] (McAfee, Inc.)
S3 MfeRKDK; C:\WINDOWS\System32\drivers\MfeRKDK.sys [33832 2007-12-01] (McAfee, Inc.)
R1 mfetdik; C:\WINDOWS\System32\drivers\mfetdik.sys [55016 2007-12-01] (McAfee, Inc.)
R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20140702.001\NAVENG.SYS [93272 2014-01-03] (Symantec Corporation)
R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20140702.001\NAVEX15.SYS [1612376 2014-01-03] (Symantec Corporation)
R1 netfilter; C:\WINDOWS\System32\drivers\netfilter.sys [47488 2014-02-13] (NetFilterSDK.com) [File not signed]
R3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
R2 Rawwan; C:\WINDOWS\System32\DRIVERS\rawwan.sys [34432 2004-08-04] (Microsoft Corporation)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NIS\1405000.01C\SRTSP.SYS [603224 2013-05-16] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NIS\1405000.01C\SRTSPX.SYS [32344 2013-03-04] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\drivers\NIS\1405000.01C\SYMDS.SYS [367704 2013-05-21] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NIS\1405000.01C\SYMEFA.SYS [934488 2013-05-23] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142496 2013-10-30] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NIS\1405000.01C\Ironx86.SYS [175264 2013-03-04] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\NIS\1405000.01C\SYMTDI.SYS [396760 2013-04-24] (Symantec Corporation)
S3 aaga6aa; \SystemRoot\System32\drivers\aaga6aa.sys [X]
S2 DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys [X]
S4 IntelIde; No ImagePath
S3 joo0f14; \SystemRoot\System32\drivers\joo0f14.sys [X]
S4 LMIRfsClientNP; No ImagePath
U5 P3; C:\Windows\System32\Drivers\P3.sys [42752 2008-04-14] (Microsoft Corporation)
S3 RkHit; \??\C:\WINDOWS\system32\drivers\RKHit.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
S2 SSPORT; \??\C:\WINDOWS\system32\Drivers\SSPORT.sys [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
U1 WS2IFSL; 
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-07-02 13:38 - 2014-07-02 13:39 - 00024998 _____ () C:\Documents and Settings\Wells Pettibone\desktop\FRST.txt
2014-07-02 11:42 - 2014-07-02 13:38 - 00000000 ____D () C:\FRST
2014-07-02 11:41 - 2014-07-02 11:41 - 01073664 _____ (Farbar) C:\Documents and Settings\Wells Pettibone\desktop\FRST.exe
2014-07-02 11:14 - 2014-07-02 11:16 - 00006038 _____ () C:\Documents and Settings\Wells Pettibone\desktop\Rkill.txt
2014-07-01 11:11 - 2014-07-01 11:11 - 00000999 _____ () C:\Documents and Settings\Wells Pettibone\desktop\attach.txt
2014-07-01 08:41 - 2014-07-01 08:41 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-07-01 08:41 - 2014-07-01 08:41 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-07-01 08:41 - 2014-07-01 08:41 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2014-06-30 11:22 - 2014-07-02 11:08 - 00032528 _____ () C:\WINDOWS\SchedLgU.Txt
2014-06-30 11:06 - 2014-06-30 11:06 - 01942776 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Wells Pettibone\desktop\rkill.exe
2014-06-30 11:05 - 2014-06-30 11:05 - 00000000 ____D () C:\Program Files\HitmanPro
2014-06-30 11:05 - 2014-06-30 11:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
2014-06-30 11:03 - 2014-06-30 11:17 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-06-30 11:03 - 2014-06-30 11:04 - 10278752 _____ (SurfRight B.V.) C:\Documents and Settings\Wells Pettibone\desktop\HitmanPro.exe
2014-06-30 11:00 - 2014-06-30 11:06 - 01016261 _____ (Thisisu) C:\Documents and Settings\Wells Pettibone\desktop\JRT.exe
2014-06-30 10:56 - 2014-06-30 10:56 - 00000706 __RSH () C:\Documents and Settings\Administrator\ntuser.pol
2014-06-30 10:54 - 2014-07-02 12:29 - 00126319 _____ () C:\WINDOWS\WindowsUpdate.log
2014-06-30 10:52 - 2014-07-02 11:14 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-06-30 10:52 - 2014-06-30 10:52 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-06-30 10:22 - 2014-06-30 10:22 - 00448512 _____ (OldTimer Tools) C:\Documents and Settings\Wells Pettibone\desktop\TFC.exe
2014-06-30 10:20 - 2014-06-30 10:20 - 01346519 _____ () C:\Documents and Settings\Wells Pettibone\desktop\AdwCleaner.exe
2014-06-30 09:02 - 2014-07-02 11:46 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-06-30 09:01 - 2014-06-30 09:01 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-06-30 09:01 - 2014-06-30 09:01 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-30 09:01 - 2014-05-12 07:26 - 00053208 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-06-24 17:46 - 2014-06-24 17:46 - 00000288 _____ () C:\{64043D83-DA7E-4305-A836-9A6480D4F18E}
 
==================== One Month Modified Files and Folders =======
 
2014-07-02 13:39 - 2014-07-02 13:38 - 00024998 _____ () C:\Documents and Settings\Wells Pettibone\desktop\FRST.txt
2014-07-02 13:39 - 2009-01-13 19:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\TEMP
2014-07-02 13:39 - 2008-06-19 09:12 - 00000000 ____D () C:\Documents and Settings\Wells Pettibone\Local Settings\Temp
2014-07-02 13:38 - 2014-07-02 11:42 - 00000000 ____D () C:\FRST
2014-07-02 13:32 - 2010-09-23 11:43 - 00000904 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-02 13:28 - 2012-07-18 11:21 - 00001018 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-515967899-839522115-1003UA.job
2014-07-02 13:26 - 2012-03-30 09:22 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-07-02 12:56 - 2011-09-06 17:30 - 00000284 _____ () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2014-07-02 12:40 - 2014-04-17 15:41 - 00000534 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1220945662-515967899-839522115-1003.job
2014-07-02 12:29 - 2014-06-30 10:54 - 00126319 _____ () C:\WINDOWS\WindowsUpdate.log
2014-07-02 12:17 - 2010-02-22 03:32 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-07-02 12:02 - 2012-10-17 13:26 - 00000368 _____ () C:\WINDOWS\Tasks\Windows Codec Update Service.job
2014-07-02 11:46 - 2014-06-30 09:02 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-07-02 11:41 - 2014-07-02 11:41 - 01073664 _____ (Farbar) C:\Documents and Settings\Wells Pettibone\desktop\FRST.exe
2014-07-02 11:29 - 2009-08-28 16:14 - 00000332 _____ () C:\WINDOWS\Tasks\GlaryInitialize.job
2014-07-02 11:28 - 2014-03-27 09:12 - 00000242 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-07-02 11:28 - 2013-01-22 11:34 - 00000428 _____ () C:\WINDOWS\Tasks\Auslogics BoostSpeed Integrator Start On Wells Pettibone Logon.job
2014-07-02 11:28 - 2010-09-23 11:43 - 00000900 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-02 11:28 - 2004-08-04 05:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-07-02 11:27 - 2014-01-27 10:28 - 00000739 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Client.lnk
2014-07-02 11:27 - 2014-01-27 10:28 - 00000727 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-07-02 11:27 - 2008-06-19 09:12 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-07-02 11:25 - 2014-02-21 16:38 - 00000000 ____D () C:\AdwCleaner
2014-07-02 11:25 - 2008-06-19 09:13 - 00000178 ___SH () C:\Documents and Settings\Wells Pettibone\ntuser.ini
2014-07-02 11:16 - 2014-07-02 11:14 - 00006038 _____ () C:\Documents and Settings\Wells Pettibone\desktop\Rkill.txt
2014-07-02 11:14 - 2014-06-30 10:52 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-07-02 11:08 - 2014-06-30 11:22 - 00032528 _____ () C:\WINDOWS\SchedLgU.Txt
2014-07-02 10:58 - 2009-01-05 17:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\LogMeIn
2014-07-02 10:57 - 2012-05-22 14:57 - 00000598 _____ () C:\WINDOWS\Tasks\Hard Drive Backup.job
2014-07-01 21:28 - 2012-07-18 11:21 - 00000966 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-515967899-839522115-1003Core.job
2014-07-01 12:54 - 2008-07-16 15:59 - 00000465 _____ () C:\WINDOWS\BRWMARK.INI
2014-07-01 11:11 - 2014-07-01 11:11 - 00000999 _____ () C:\Documents and Settings\Wells Pettibone\desktop\attach.txt
2014-07-01 08:41 - 2014-07-01 08:41 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-07-01 08:41 - 2014-07-01 08:41 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-07-01 08:41 - 2014-07-01 08:41 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2014-06-30 13:20 - 2009-03-04 15:13 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Norton
2014-06-30 11:17 - 2014-06-30 11:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-06-30 11:06 - 2014-06-30 11:06 - 01942776 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Wells Pettibone\desktop\rkill.exe
2014-06-30 11:06 - 2014-06-30 11:00 - 01016261 _____ (Thisisu) C:\Documents and Settings\Wells Pettibone\desktop\JRT.exe
2014-06-30 11:05 - 2014-06-30 11:05 - 00000000 ____D () C:\Program Files\HitmanPro
2014-06-30 11:05 - 2014-06-30 11:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\HitmanPro
2014-06-30 11:04 - 2014-06-30 11:03 - 10278752 _____ (SurfRight B.V.) C:\Documents and Settings\Wells Pettibone\desktop\HitmanPro.exe
2014-06-30 10:57 - 2009-04-09 09:52 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-06-30 10:56 - 2014-06-30 10:56 - 00000706 __RSH () C:\Documents and Settings\Administrator\ntuser.pol
2014-06-30 10:56 - 2009-04-09 09:52 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-06-30 10:52 - 2014-06-30 10:52 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-06-30 10:38 - 2013-02-08 11:46 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
2014-06-30 10:22 - 2014-06-30 10:22 - 00448512 _____ (OldTimer Tools) C:\Documents and Settings\Wells Pettibone\desktop\TFC.exe
2014-06-30 10:20 - 2014-06-30 10:20 - 01346519 _____ () C:\Documents and Settings\Wells Pettibone\desktop\AdwCleaner.exe
2014-06-30 09:01 - 2014-06-30 09:01 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-06-30 09:01 - 2014-06-30 09:01 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-30 09:01 - 2012-02-23 16:46 - 00000795 _____ () C:\Documents and Settings\All Users\desktop\Malwarebytes Anti-Malware.lnk
2014-06-30 09:01 - 2009-10-28 16:51 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-06-30 09:01 - 2009-04-09 10:16 - 00000000 ____D () C:\Documents and Settings\Wells Pettibone\Application Data\Malwarebytes
2014-06-30 09:01 - 2009-04-09 10:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-06-30 08:51 - 2008-06-19 09:12 - 00000000 ____D () C:\Documents and Settings\Wells Pettibone
2014-06-29 03:00 - 2012-07-03 10:14 - 00000310 _____ () C:\WINDOWS\Tasks\Laser App Enterprise Updates.job
2014-06-24 17:46 - 2014-06-24 17:46 - 00000288 _____ () C:\{64043D83-DA7E-4305-A836-9A6480D4F18E}
2014-06-13 23:23 - 2014-04-24 16:22 - 00002362 _____ () C:\Documents and Settings\Wells Pettibone\desktop\Google Chrome.lnk
2014-06-12 03:22 - 2013-02-25 09:41 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-06-12 03:05 - 2008-06-19 10:31 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2014-06-12 03:04 - 2013-08-15 03:07 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-06-12 03:02 - 2008-06-19 10:13 - 92708840 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-06-11 15:16 - 2012-03-30 09:22 - 00699056 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-06-11 15:16 - 2011-07-21 16:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-06-11 15:13 - 2014-05-06 10:03 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-06-11 15:13 - 2011-08-24 10:15 - 00000738 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2014-06-09 20:47 - 2014-03-27 09:12 - 00000236 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-06-06 15:10 - 2009-01-05 17:02 - 00000000 ____D () C:\Program Files\LogMeIn
2014-06-06 14:01 - 2009-01-05 17:02 - 00086888 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2014-06-06 14:01 - 2009-01-05 17:02 - 00085832 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2014-06-06 14:01 - 2009-01-05 17:02 - 00031560 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIport.dll
 
Files to move or delete:
====================
C:\Documents and Settings\Wells Pettibone\GoToAssist_chat2way__320_en.exe
C:\Documents and Settings\Wells Pettibone\jagex_cl_runescape_LIVE.dat
C:\Documents and Settings\Wells Pettibone\jagex_runescape_preferences.dat
 
 
Some content of TEMP:
====================
C:\Documents and Settings\Wells Pettibone\Local Settings\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================


#6 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 July 2014 - 02:53 PM

Hello,

 

I didn't notice any traces of Zbot on your computer.

 

 

Registry Editor / Cleaner Warning !!


The following refers to:

  • Auslogics BoostSpeed
  • Glary Utilities 2.38.0.1288
  • Advanced WindowsCare Personal
  • CCleaner
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:

  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done assuming that the major audience here at this board might be inexperienced users, and is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.


For more information about why you should avoid using such programs, please take a look here => Registry Cleaners and System Tweaking Tools

 

 

Also, you have a lot of leftovers from Bitdefender and McAfee. Download and run the appropriate uninstaller to get rid of them:

 

http://www.bitdefender.com/site/Downloads/uninstallIntro/uninstall_consumer_paid.html

http://service.mcafee.com/FAQDocument.aspx?id=TS101331

 

 

Also, you should download and save Farbar Recovery Scan Tool to your desktop!

Currently you ran the tool from your browser:

 

Running from C:\Documents and Settings\Wells Pettibone\Local Settings\Temporary Internet Files\Content.IE5\G8JCGBHY

 

Please download the following file => [attachment=151951:fixlist.txt] and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

 

 

Regards,

Georgi




#7 wpetti
  • Topic Starter
  • Members
  • 79 posts

Posted 02 July 2014 - 03:54 PM

Thank you. The 32-bit version is the correct FRST for my computer, and here is the fix result (Fixlog.txt):

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:01-07-2014
Ran by Wells Pettibone at 2014-07-02 15:51:59 Run:1
Running from C:\Documents and Settings\Wells Pettibone\desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
SearchScopes: HKLM - DefaultScope value is missing.
FF Extension: DuckDuckGo Plus - C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi [2013-07-30]
S3 aaga6aa; \SystemRoot\System32\drivers\aaga6aa.sys [X]
S3 joo0f14; \SystemRoot\System32\drivers\joo0f14.sys [X]
S3 RkHit; \??\C:\WINDOWS\system32\drivers\RKHit.sys [X]
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:07BF512B
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:28003E4D
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
cmd: type C:\Documents and Settings\Wells Pettibone\desktop\Rkill.txt
cmd: type C:\Documents and Settings\All Users\Application Data\HitmanPro\*.*
Folder: C:\{64043D83-DA7E-4305-A836-9A6480D4F18E}
C:\Documents and Settings\Administrator\Local Settings\Temp
end
*****************
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{461fc775-35b6-4d0b-9ff3-af280bfaba83}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{461fc775-35b6-4d0b-9ff3-af280bfaba83}'=> Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{461fc775-35b6-4d0b-9ff3-af280bfaba83}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{461fc775-35b6-4d0b-9ff3-af280bfaba83}'=> Key not found.
C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\Extensions\jid1-ZAdIEUB7XOzOJw@jetpack.xpi => Moved successfully.
aaga6aa => Service deleted successfully.
joo0f14 => Service deleted successfully.
RkHit => Service deleted successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => Moved successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => Moved successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":07BF512B" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":28003E4D" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":A8ADE5D8" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":DFC5A2B2" ADS removed successfully.
 
=========  type C:\Documents and Settings\Wells Pettibone\desktop\Rkill.txt =========
 
The system cannot find the file specified.
Error occurred while processing: C:\Documents.
The system cannot find the file specified.
Error occurred while processing: and.
The system cannot find the path specified.
 
========= End of CMD: =========
 
 
=========  type C:\Documents and Settings\All Users\Application Data\HitmanPro\*.* =========
 
The system cannot find the file specified.
Error occurred while processing: C:\Documents.
The system cannot find the file specified.
Error occurred while processing: and.
The system cannot find the path specified.
 
========= End of CMD: =========
 
 
========================= Folder: C:\{64043D83-DA7E-4305-A836-9A6480D4F18E} ========================
 
The path is not a directory.
C:\Documents and Settings\Administrator\Local Settings\Temp => Moved successfully.
 
==== End of Fixlog ====
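Two of the directives in the Fixlog above did not do what was intended. The `cmd: type C:\Documents and Settings\...` lines were run with the path unquoted, so cmd.exe split it on its spaces and `type` looked for `C:\Documents`, `and` and the rest as separate files (that is what the "Error occurred while processing: C:\Documents." and "and." lines mean), and the `Folder:` directive pointed at a 288-byte file rather than a directory. The Python script below is an added example, not part of this thread or of FRST: it pairs every fixlist directive with the result line or output block FRST wrote for it and reports which ones failed, recognising the unquoted-path symptom explicitly. SAMPLE_FIXLOG is a constructed excerpt modelled on the log above.

```python
"""Pair each FRST fixlist directive with the result FRST wrote to Fixlog.txt.

Added example for this thread; it is not part of FRST. SAMPLE_FIXLOG is a
constructed excerpt modelled on the Fixlog posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_FIXLOG = r"""Content of fixlist:
*****************
start
S3 aaga6aa; \SystemRoot\System32\drivers\aaga6aa.sys [X]
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
cmd: type C:\Documents and Settings\Wells Pettibone\desktop\Rkill.txt
Folder: C:\{64043D83-DA7E-4305-A836-9A6480D4F18E}
C:\Documents and Settings\Administrator\Local Settings\Temp
end
*****************

aaga6aa => Service deleted successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => Moved successfully.

=========  type C:\Documents and Settings\Wells Pettibone\desktop\Rkill.txt =========

The system cannot find the file specified.
Error occurred while processing: C:\Documents.
The system cannot find the file specified.
Error occurred while processing: and.
The system cannot find the path specified.

========= End of CMD: =========


========================= Folder: C:\{64043D83-DA7E-4305-A836-9A6480D4F18E} ========================

The path is not a directory.
C:\Documents and Settings\Administrator\Local Settings\Temp => Moved successfully.

==== End of Fixlog ====
"""

BLOCK_HEADER = re.compile(r"^=+\s+(?P<title>.+?)\s+=+$")
SERVICE_DIRECTIVE = re.compile(r"^[SRU]\d?\s+(?P<name>[^;]+);")          # "S3 aaga6aa; \SystemRoot\..."
TYPED_DIRECTIVE = re.compile(r"^(?P<type>[A-Za-z ]+):\s+(?P<body>.+)$")  # "Task: ...", "Folder: ..."
ERR_PROCESSING = re.compile(r"^Error occurred while processing: (?P<frag>.+)\.$")


@dataclass
class Outcome:
    directive: str
    status: str   # "ok", "failed" or "no result"
    detail: str


def fixlist_directives(log):
    """The lines between 'start' and 'end' in the echoed fixlist."""
    lines = [l.strip() for l in log.splitlines()]
    return [l for l in lines[lines.index("start") + 1:lines.index("end")] if l]


def block_output(lines, title):
    """Output of the '===== <title> =====' block, up to the next header or '=>' result line."""
    out, capturing = [], False
    for line in lines:
        if not capturing:
            m = BLOCK_HEADER.match(line)
            capturing = bool(m and m.group("title") == title)
            continue
        if line.startswith("=") or " => " in line:
            break
        if line.strip():
            out.append(line.strip())
    return out


def result_key(directive):
    """The text FRST echoes before ' => ' when it reports on this directive."""
    m = SERVICE_DIRECTIVE.match(directive)
    if m:
        return m.group("name").strip()
    m = TYPED_DIRECTIVE.match(directive)
    body = m.group("body") if m else directive
    return body.split(" => ")[0].strip()


def analyse(log=SAMPLE_FIXLOG):
    lines = log.splitlines()
    results = []
    for d in fixlist_directives(log):
        if d.lower().startswith("cmd:"):
            cmd = d[4:].strip()
            out = block_output(lines, cmd)
            frags = [m.group("frag") for m in map(ERR_PROCESSING.match, out) if m]
            arg = cmd.split(" ", 1)[1] if " " in cmd else ""
            # cmd.exe splits an unquoted argument on spaces, so 'type' looks for
            # "C:\Documents", "and", "Settings\..." as three separate files.
            if not out:
                results.append(Outcome(d, "no result", ""))
            elif frags and " " in arg and '"' not in arg:
                results.append(Outcome(d, "failed", "unquoted path split on spaces into: " + ", ".join(frags)))
            elif any("cannot find" in l for l in out):
                results.append(Outcome(d, "failed", " / ".join(out)))
            else:
                results.append(Outcome(d, "ok", " / ".join(out)))
        elif d.startswith("Folder:"):
            out = block_output(lines, d)
            bad = any("not a directory" in l for l in out)
            results.append(Outcome(d, "failed" if bad else "ok", " / ".join(out)))
        else:
            key = result_key(d)
            hit = next((l.strip() for l in lines if l.strip().startswith(key + " =>")), None)
            if hit is None:
                results.append(Outcome(d, "no result", ""))
            else:
                detail = hit.split(" => ", 1)[1]
                results.append(Outcome(d, "ok" if "successfully" in detail else "failed", detail))
    return results


def failures(log=SAMPLE_FIXLOG):
    return [o for o in analyse(log) if o.status != "ok"]


if __name__ == "__main__":
    for o in analyse():
        print(f"{o.status:>9}  {o.directive}")
        if o.detail:
            print(f"           {o.detail}")
```

Run it on a saved log with `analyse(open("Fixlog.txt").read())`. A `cmd:` directive whose path contains spaces needs the path in double quotes in the fixlist, which is how cmd.exe would receive it intact.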


#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 July 2014 - 04:06 PM

Hello,

 

Please post the content of the following logs:

 

C:\Documents and Settings\Wells Pettibone\desktop\Rkill.txt
 
C:\Documents and Settings\All Users\Application Data\HitmanPro\Logs (and open the latest report and copy/paste the results in your next reply).
 
Also if you don't recognize this file => C:\{64043D83-DA7E-4305-A836-9A6480D4F18E} go ahead and delete it.
 
Regards,
Georgi



#9 wpetti
  • Topic Starter
  • Members
  • 79 posts

Posted 02 July 2014 - 05:08 PM

RKill Log:

 

Rkill 2.6.7 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/02/2014 04:09:50 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\WINDOWS\system32\Ati2evxx.exe (PID: 1484) [WD-HEUR]
 * C:\WINDOWS\system32\Ati2evxx.exe (PID: 1928) [WD-HEUR]
 * C:\Documents and Settings\Wells Pettibone\Desktop\FRST.exe (PID: 38072) [UP-HEUR]
 
3 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * System Restore Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   "DisableSR" = dword:00000001
 
 * Windows Firewall Disabled
 
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000
 
Checking Windows Service Integrity: 
 
 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic
 
 * System Restore Filter Driver (sr) is not Running.
   Startup Type set to: Disabled
 
 * UPS [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1 www.007guard.com
  127.0.0.1 007guard.com
  127.0.0.1 008i.com
  127.0.0.1 www.008k.com
  127.0.0.1 008k.com
  127.0.0.1 www.00hq.com
  127.0.0.1 00hq.com
  127.0.0.1 010402.com
  127.0.0.1 www.032439.com
  127.0.0.1 032439.com
  127.0.0.1 www.0scan.com
  127.0.0.1 0scan.com
  127.0.0.1 www.1000gratisproben.com
  127.0.0.1 1000gratisproben.com
  127.0.0.1 www.1001namen.com
  127.0.0.1 1001namen.com
  127.0.0.1 100888290cs.com
  127.0.0.1 www.100888290cs.com
  127.0.0.1 100sexlinks.com
  127.0.0.1 www.100sexlinks.com
 
  20 out of 10772 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 07/02/2014 04:10:28 PM
Execution time: 0 hours(s), 0 minute(s), and 38 seconds(s)
 

 

 

 

Hitman Log:

 

HitmanPro 3.7.9.220
www.hitmanpro.com
 
   Computer name . . . . : PETTIBON-1AE062
   Windows . . . . . . . : 5.1.3.2600.X86/2
   User name . . . . . . : PETTIBON-1AE062\Wells Pettibone
   License . . . . . . . : Free
 
   Scan date . . . . . . : 2014-07-02 16:13:21
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 50m 41s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 1
   Traces  . . . . . . . : 64
 
   Objects scanned . . . : 916,414
   Files scanned . . . . : 21,533
   Remnants scanned  . . : 99,050 files / 795,831 keys
 
Malware _____________________________________________________________________
 
   C:\WINDOWS\system32\drivers\dmbchwbutxqpxuiq.sys
      Size . . . . . . . : 41,984 bytes
      Age  . . . . . . . : 1861.9 days (2009-05-27 18:18:13)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : 1C86F5DC7D6A7D1A6F8EEA119BB4047EA2204A03BC944CF3550994F27DC8B312
    > G Data . . . . . . : Trojan.CryptRedol.Gen.3 (Engine A)
      Fuzzy  . . . . . . : 158.0
 
 
Suspicious files ____________________________________________________________
 
   C:\Documents and Settings\Wells Pettibone\Desktop\FRST.exe
      Size . . . . . . . : 1,073,664 bytes
      Age  . . . . . . . : 0.2 days (2014-07-02 11:41:24)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 3D7FFC4816AA3622DFAB37B102FFC36C2B1096DCDBA6E98183655778A1E4DFB7
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-1220945662-515967899-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Wells Pettibone\Desktop\FRST.exe
 
   C:\Documents and Settings\Wells Pettibone\Desktop\FRST64.exe
      Size . . . . . . . : 2,083,840 bytes
      Age  . . . . . . . : 0.0 days (2014-07-02 15:52:45)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : 38521AD5A90A95513DF394E9086F182F4AB22E2BA8315C018C1A82BF18D3B01E
      Needs elevation  . : Yes
      Source URL . . . . : hxxp://download.bleepingcomputer.com/dl/cd0924665fab962fea8b11ef1600368a/53b47110/windows/security/security-utilities/f/farbar-recovery-scan-tool/64/FRST64.exe
      Fuzzy  . . . . . . : 19.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The file is downloaded from the Internet to this computer.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-1220945662-515967899-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Wells Pettibone\Desktop\FRST64.exe
      Forensic Cluster
          0.0s C:\Documents and Settings\Wells Pettibone\desktop\FRST64.exe
          0.0s C:\Documents and Settings\Wells Pettibone\desktop\FRST64.exe
 
   C:\WINDOWS\system32\THREED20.OCX
      Size . . . . . . . : 331,032 bytes
      Age  . . . . . . . : 575.1 days (2012-12-04 12:35:19)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 55FA48CB7CC27DBE3C629F907D129B25550D46E3B553FB25F4D530FC8E397655
      Product  . . . . . : ActiveThreed
      Publisher  . . . . : Sheridan Software Systems, Inc.
      Description  . . . : ActiveThreed Controls
      Version  . . . . . : 2.01.0015
      Copyright  . . . . : Copyright(c) 1991-1997 Sheridan Software Systems, Inc.
      RSA Key Size . . . : 512
      LanguageID . . . . : 1033
      Authenticode . . . : Self-signed
      Fuzzy  . . . . . . : 26.0
         Program is code signed with a weak certificate. This is common to malware.
         Program is code self-signed.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
 
Potential Unwanted Programs _________________________________________________
 
   ask.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data
 
   HKU\S-1-5-21-1220945662-515967899-839522115-1003\Software\Classes\AppID\secman.DLL\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003\Software\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003\Software\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003\Software\Classes\secman.OutlookSecurityManager.1\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003\Software\Classes\secman.OutlookSecurityManager\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003_Classes\AppID\secman.DLL\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003_Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003_Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003_Classes\secman.OutlookSecurityManager.1\ (Babylon)
   HKU\S-1-5-21-1220945662-515967899-839522115-1003_Classes\secman.OutlookSecurityManager\ (Babylon)
 
Cookies _____________________________________________________________________
 
   C:\Documents and Settings\Wells Pettibone\Application Data\Mozilla\Firefox\Profiles\90hmwpfi.default\cookies.sqlite:adlegend.com
   C:\Documents and Settings\Wells Pettibone\Cookies\4SZ81401.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\786NM3CT.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\9C95VLLQ.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\ERS0ZD4N.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\H88BX4JM.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\IHCOB2DW.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\J720H8SQ.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\JLMGCQHN.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\JRYSOI1G.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\JXXYYSHZ.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\M83HJDAU.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\MCHESP4T.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\OBTYZ85A.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\OI5KIYIU.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\QQHQKYLL.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\UZ62UBP3.txt
   C:\Documents and Settings\Wells Pettibone\Cookies\V62XXNYV.txt
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:247realmedia.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:2o7.net
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ad.mlnadvertising.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.bridgetrack.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.creative-serving.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.undertone.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ads.yahoo.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:adserving.autotrader.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:adtechus.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:at.atwola.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:burstnet.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:hearstmagazines.112.2o7.net
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:interclick.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:mediaplex.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:questionmarket.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:realmedia.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:smartadserver.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:specificclick.net
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:statse.webtrendslive.com
   C:\Documents and Settings\Wells Pettibone\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies:tribalfusion.com
 
 
 
Re the file referenced by you above: I do not recognize it, but that does not mean anything. What I mean is it could be legit, but I would have no way of knowing. If it is a trojan or something, how would I know (I am a non-techie)?
 
C:\{64043D83-DA7E-4305-A836-9A6480D4F18E}
 
If I can live without it, how can I remove it? Thanks. W
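HitmanPro's "Entropy" figure in the log above (7.7 for the driver, 8.0 for FRST.exe) is the Shannon entropy of the file's bytes in bits per byte: compressed, packed or encrypted data sits near 8.0, while ordinary code and text sit well below it, which is why the tool reads a high value as "encrypted, compressed or obfuscated". The same log shows the limit of the signal, since FRST.exe, the tool the helper asked for, scores higher than the driver. The Python below is an added example, not HitmanPro's code: it computes the entropy of a byte string, classifies it against a threshold, and scans fixed-size windows so that a packed payload appended to an otherwise plain file is located even when the whole-file figure stays low. The 7.0 threshold, the 512-byte window and the constructed sample file are this example's own assumptions.

```python
"""Per-byte Shannon entropy, the figure HitmanPro reports as 'Entropy'.

Added example for this thread; it is not HitmanPro's code. The 7.0 threshold
and the 512-byte window are this example's own choices, and the sample file is
constructed: readable text followed by a deterministic pseudo-random payload.
"""
import hashlib
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumption: bits/byte at or above which a region is called packed/encrypted
WINDOW = 512             # assumption: window size for the sliding scan


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for all 256 values equally often."""
    n = len(data)
    if n == 0:
        return 0.0
    return sum(-(c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data, window=WINDOW):
    """Entropy of each fixed-size window; a packed section shows up as a run of high values."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data, threshold=PACKED_THRESHOLD):
    return "packed/encrypted" if shannon_entropy(data) >= threshold else "plain"


def packed_region(data, window=WINDOW, threshold=PACKED_THRESHOLD):
    """Offset of the first window at or above the threshold, or None if there is none."""
    for i, e in enumerate(windowed_entropy(data, window)):
        if e >= threshold:
            return i * window
    return None


def pseudo_encrypted(length, seed=b"constructed sample"):
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for a packed payload."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample file: 7680 bytes of readable text, then a 4096-byte packed payload.
PLAIN_TEXT = b"This program cannot be run in DOS mode. " * 192
PACKED_BLOB = pseudo_encrypted(4096)
SAMPLE_FILE = PLAIN_TEXT + PACKED_BLOB


if __name__ == "__main__":
    print(f"zeros        {shannon_entropy(bytes(1024)):.2f}")
    print(f"text         {shannon_entropy(PLAIN_TEXT):.2f}  -> {classify(PLAIN_TEXT)}")
    print(f"payload      {shannon_entropy(PACKED_BLOB):.2f}  -> {classify(PACKED_BLOB)}")
    print(f"whole file   {shannon_entropy(SAMPLE_FILE):.2f}  -> {classify(SAMPLE_FILE)}")
    print(f"first packed window at offset {packed_region(SAMPLE_FILE)}")
```

On the sample file the whole-file figure stays below 7.0 while the windowed scan reports the payload at offset 7680; for a real driver, read the file as bytes and pass it to `packed_region`. Entropy alone does not separate a packed legitimate tool from a packed trojan, which is why HitmanPro pairs it with the publisher, signature and age signals listed in the log above.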


#10 wpetti
  • Topic Starter
  • Members
  • 79 posts

Posted 02 July 2014 - 05:11 PM

Georgi

 

I may have been unclear re HitmanPro. I do not have the paid registered version, so I cannot delete a file (like the one you reference above) through that program. Thanks.

 

Wells



#11 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 03 July 2014 - 03:58 AM

Hello,

 

 

Back up your registry
 

 

Now download the following file and save it to your desktop:
 

[attachment=151975:fix.reg]

 

Now double-click on it. An information box will pop up asking if you want to merge the information in the file into the registry; click YES.

 

Next please post a new log from Rkill.

 

As for the following file => C:\{64043D83-DA7E-4305-A836-9A6480D4F18E}

 

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\{64043D83-DA7E-4305-A836-9A6480D4F18E}

Note: if VT says these files have already been analysed, make sure you click "re-analyse file now".

Please post back the results of the scan in your next post.

Please post the link to the results page rather than the contents of the page itself (it's a little easier for me to read).

 

 

 

Also please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    dmbchwbutxqpxuiq
    :regfind
    dmbchwbutxqpxuiq
    :reg
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services /s

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 

 

Regards,

Georgi


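The fix.reg attachment is not reproduced on the page, but the Rkill log in post #9 shows exactly what it has to undo: `DisableSR` = 1 under the SystemRestore key and `EnableFirewall` = 0 under the StandardProfile key. The Python below is an added example, not Rkill's code and not the attached fix.reg: it parses the registry findings out of an Rkill log, writes a .reg file that sets each flagged value back to its expected state (with the HKLM abbreviation expanded to HKEY_LOCAL_MACHINE, as regedit requires), and separates HOSTS entries that block a name (127.0.0.1 or 0.0.0.0, as in the immunisation-style list Rkill printed) from entries that redirect it elsewhere, which are the ones worth a second look. The expected values and the sample log, including its two invented HOSTS lines, are this example's assumptions.

```python
"""Turn Rkill's 'miscellaneous checks' findings into a corrective .reg file.

Added example for this thread; it is not Rkill's code and not the fix.reg
attached to the post above (whose contents are not reproduced on the page).
SAMPLE_RKILL is a constructed excerpt modelled on the Rkill log posted earlier;
the 0.0.0.0 and 10.0.0.5 HOSTS lines are invented to exercise the checks.
"""
import re

SAMPLE_RKILL = r"""Performing miscellaneous checks:

 * System Restore Disabled

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
   "DisableSR" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1 www.007guard.com
  127.0.0.1 007guard.com
  0.0.0.0 ads.example
  10.0.0.5 www.mybank.example

  4 out of 4 HOSTS entries shown.
"""

KEY_LINE = re.compile(r"^\s*\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^\s*"(?P<name>[^"]+)"\s*=\s*dword:(?P<val>[0-9A-Fa-f]{8})\s*$')
HOSTS_LINE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s*$")

# Rkill abbreviates hive names; regedit's .reg format wants them spelled out.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}

# Assumption: the value each flagged setting has on a healthy Windows XP system.
EXPECTED = {"DisableSR": 0, "EnableFirewall": 1}


def registry_findings(log):
    """(key, value name, current value) for every registry value Rkill printed."""
    findings, key = [], None
    for line in log.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            findings.append((key, m.group("name"), int(m.group("val"), 16)))
    return findings


def expand_hive(key):
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest


def corrective_reg(log):
    """A .reg file resetting each flagged value to EXPECTED, or None if nothing needs fixing."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, value in registry_findings(log):
        want = EXPECTED.get(name)
        if want is None or want == value:
            continue
        lines += [f"[{expand_hive(key)}]", f'"{name}"=dword:{want:08x}', ""]
    return "\r\n".join(lines) if len(lines) > 2 else None


def hosts_entries(log):
    return [(m.group("ip"), m.group("host")) for m in map(HOSTS_LINE.match, log.splitlines()) if m]


def hosts_redirections(log):
    """HOSTS entries that send a name somewhere other than the local machine.

    127.0.0.1 / 0.0.0.0 entries block a site (the immunisation-style list Rkill
    shows); any other address silently redirects it, which is what a hijack looks like.
    """
    return [(ip, host) for ip, host in hosts_entries(log) if ip not in ("127.0.0.1", "0.0.0.0")]


if __name__ == "__main__":
    print(corrective_reg(SAMPLE_RKILL))
    for ip, host in hosts_redirections(SAMPLE_RKILL):
        print(f"review: {host} -> {ip}")
```

Merge the generated file the way the post describes (double-click, confirm), then re-run Rkill: the "Performing miscellaneous checks" section should report no issues, which is what the follow-up log in post #12 shows.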


#12 wpetti
  • Topic Starter
  • Members
  • 79 posts

Posted 03 July 2014 - 11:58 AM

Rkill 2.6.7 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 07/03/2014 11:56:27 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\WINDOWS\system32\Ati2evxx.exe (PID: 1344) [WD-HEUR]
 * C:\WINDOWS\system32\Ati2evxx.exe (PID: 1836) [WD-HEUR]
 
2 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * System Restore Service (srservice) is not Running.
   Startup Type set to: Automatic
 
 * System Restore Filter Driver (sr) is not Running.
   Startup Type set to: Boot
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1 www.007guard.com
  127.0.0.1 007guard.com
  127.0.0.1 008i.com
  127.0.0.1 www.008k.com
  127.0.0.1 008k.com
  127.0.0.1 www.00hq.com
  127.0.0.1 00hq.com
  127.0.0.1 010402.com
  127.0.0.1 www.032439.com
  127.0.0.1 032439.com
  127.0.0.1 www.0scan.com
  127.0.0.1 0scan.com
  127.0.0.1 www.1000gratisproben.com
  127.0.0.1 1000gratisproben.com
  127.0.0.1 www.1001namen.com
  127.0.0.1 1001namen.com
  127.0.0.1 100888290cs.com
  127.0.0.1 www.100888290cs.com
  127.0.0.1 100sexlinks.com
  127.0.0.1 www.100sexlinks.com
 
  20 out of 10772 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 07/03/2014 11:57:32 AM
Execution time: 0 hours(s), 1 minute(s), and 5 seconds(s)


#13 wpetti
  • Topic Starter
  • Members
  • 79 posts

Posted 03 July 2014 - 12:07 PM

https://www.virustotal.com/en/file/33758b7e4b7085ca151a9f91add81208e5327d3157c0f1e48ac2e89f50623b91/analysis/1404407080/



#14 wpetti
  • Topic Starter
  • Members
  • 79 posts

Posted 03 July 2014 - 12:26 PM

Georgi,

Every time I try to paste SystemLook.txt into this box, it crashes my page. Can I paste a Word file here? I was able to save the .txt file by pasting it into a Word doc.

That file is apparently huge; the Word file went on forever, like hundreds of pages of text.



#15 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,285 posts
  • Gender:Male
  • Location:Bulgaria

Posted 03 July 2014 - 12:41 PM

Hello,

 

I guess it's because the file is too big. Please zip the file and upload the archive here => http://zippyshare.com/ and then post a link to the log in your next reply.

 

Thanks! :)

 

 

Regards,

Georgi






