
Infected with Browser.exe and teller pale tellerpale virus / rootkit /malware


  • This topic is locked
17 replies to this topic

#1 josephs141 (Members, 36 posts)

Posted 02 September 2014 - 07:15 PM

Hello,

Thank you for assisting me with this issue. Yesterday, my IBM ThinkCentre M51 desktop became infected. I was on trusted, legitimate websites: Google, Yahoo and YouTube. While watching a Frank Sinatra video I noticed background voices and advertisements.

Shortly after Windows has booted, there are several browser.exe processes running. At one time more than 10 browser.exe processes are running. Also searchprotection.exe is running. The minute browser.exe runs, advertisements are heard.

There are background voices and advertisements occurring while every program is closed. What is causing this? How do I eradicate and remove the infection? Is this a rootkit, malware or a virus?

Again, thank you for assistance with this malware problem.

I have attached a DDS log.

Attached Files

  • dds.txt (8.81KB)
  • DDS.txt (8.81KB)

Edited by josephs141, 02 September 2014 - 07:17 PM.




#2 aharonov (Malware Response Team, 2,441 posts)

Posted 02 September 2014 - 07:18 PM

Hello,

please run a FRST scan and post the logs.
(If possible paste the contents of the logs into the thread and don't attach them. Thank you.)


Please download Farbar Recovery Scan Tool and save it to your Desktop.
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#3 josephs141 (Topic Starter, Members, 36 posts)

Posted 02 September 2014 - 08:13 PM

Hello,

 

Here is the log created by Farbar Recovery Scan Tool.

Attached Files

  • FRST.txt (27.42KB)

Edited by josephs141, 02 September 2014 - 08:14 PM.


#4 aharonov (Malware Response Team, 2,441 posts)

Posted 03 September 2014 - 05:37 AM

Ok, then let's remove it:


Step 1

Please download the attached fixlist.txt (1.5KB) and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Start FRST with administrator privileges.
  • Make sure the option Addition.txt (under Optional Scan) is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.
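
Added example (my own code, not FRST's and not anything aharonov posted): a small Python triage pass over the FRST.txt / Addition.txt format that Step 2 asks for. It recognises the "==== Section ====" headers and the Processes, Services, Drivers and Installed Programs entries, and flags what a helper reads for first: images with no publisher or running from user-writable directories, the same image running many times (the "more than 10 browser.exe processes" symptom from the first post), services and drivers whose file is missing ([X]) or unsigned, and programs FRST itself marks with ATTENTION or Hidden. The regular expressions are my reading of the log format, not an official grammar. The sample log is constructed: most lines are copied from the logs posted later in this thread, while the browser.exe and searchprotection.exe process lines, and their Application Data / Temp paths, are made up to stand in for the infection the poster describes (the real log was taken after the fix and no longer shows them).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample input. Most lines are copied from the FRST.txt / Addition.txt
# posted later in this thread; the browser.exe and searchprotection.exe lines
# and their paths are made up and are an assumption, not from the real log.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
() C:\Documents and Settings\NEW USER\Application Data\browser.exe
() C:\Documents and Settings\NEW USER\Application Data\browser.exe
() C:\Documents and Settings\NEW USER\Application Data\browser.exe
() C:\Documents and Settings\NEW USER\Local Settings\Temp\searchprotection.exe
========================== Services (Whitelisted) =================
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-04-14] (Oracle Corporation)
S3 SUService; C:\Program Files\Lenovo\System Update\SUService.exe [28672 2011-04-18] (Lenovo Group Limited) [File not signed]
==================== Drivers (Whitelisted) ====================
S3 BCASPROT; \??\C:\Program Files\Systweak\Advanced System Protector\sasprot32.sys [X]
S3 catchme; \??\C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\catchme.sys [X]
R0 SmartDefragDriver; C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys [15808 2013-12-24] (IObit)
==================== Installed Programs ======================
Browser Extensions (HKCU\...\{3A787631-66A2-4634-B928-A37E73B58FB6}) (Version: 2.2 - Spigot, Inc.) <==== ATTENTION
CCleaner (HKLM\...\CCleaner) (Version: 3.08 - Piriform)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
"""

# Section header: "==================== Processes (Whitelisted) ================="
SECTION_RE = re.compile(r"^=+\s*(?P<name>[A-Za-z][^=]*?)\s*=+$")
# Process line: "(Publisher) C:\path\image.exe"; an empty "()" means no version info
PROC_RE = re.compile(r"^\((?P<publisher>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+)$")
# Service/driver line: "R2 Name; path [size date] (Publisher) [flag] [flag]"
SVC_RE = re.compile(
    r"^(?P<start>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)"
    r"(?:\s+\[\d+\s+[\d-]+\])?(?:\s+\([^)]*\))?(?P<flags>(?:\s+\[[^\]]+\])*)$"
)
# Directories an ordinary XP user can write to; a service, driver or
# auto-started process living there deserves a second look.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\appdata\\")


@dataclass
class Finding:
    section: str
    tag: str
    detail: str


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage_frst(text: str) -> List[Finding]:
    """Walk an FRST log section by section and return entries worth a second
    look. This is a triage aid, not a verdict: every hit still needs a human."""
    findings: List[Finding] = []
    section = ""
    seen_procs: Counter = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hdr = SECTION_RE.match(line)
        if hdr:
            section = hdr.group("name")
            continue
        if section.startswith("Processes"):
            m = PROC_RE.match(line)
            if not m:
                continue
            path, publisher = m.group("path"), m.group("publisher").strip()
            seen_procs[path] += 1
            if seen_procs[path] > 1:
                continue  # image already assessed; instance count is reported below
            if not publisher:
                findings.append(Finding(section, "no-publisher", path))
            if _user_writable(path):
                findings.append(Finding(section, "user-writable-path", path))
        elif section.startswith(("Services", "Drivers")):
            m = SVC_RE.match(line)
            if not m:
                continue
            name, path, flags = m.group("name"), m.group("path"), m.group("flags")
            if "[X]" in flags:  # registry entry points at a file that is gone
                findings.append(Finding(section, "file-missing", f"{name}: {path}"))
            if "File not signed" in flags:
                findings.append(Finding(section, "unsigned", f"{name}: {path}"))
            if _user_writable(path):
                findings.append(Finding(section, "user-writable-path", f"{name}: {path}"))
        elif section.startswith("Installed Programs"):
            product = line.split(" (")[0]
            if line.endswith("<==== ATTENTION"):  # FRST's own adware marker
                findings.append(Finding(section, "frst-attention", product))
            elif line.endswith(" Hidden"):
                findings.append(Finding(section, "hidden-entry", product))
    for path, n in seen_procs.items():
        if n > 1:
            findings.append(Finding("Processes", "multiple-instances", f"{n}x {path}"))
    return findings


def tag_counts(findings: List[Finding]) -> dict:
    """Summary of how many findings carry each tag."""
    return dict(Counter(f.tag for f in findings))


if __name__ == "__main__":
    for f in triage_frst(SAMPLE_LOG):
        print(f"[{f.tag:20}] {f.section}: {f.detail}")
```

Run it against a saved FRST.txt by passing the file's contents to triage_frst(). On the sample it reports the three browser.exe instances and the two Temp/Application Data images without a publisher, the unsigned SUService, the two orphaned driver entries (BCASPROT and the leftover catchme.sys from an earlier ComboFix run), and the Spigot "Browser Extensions" entry that FRST has already marked with ATTENTION. A clean Program Files path with a real publisher, such as jqs.exe, produces nothing.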


#5 josephs141 (Topic Starter, Members, 36 posts)

Posted 03 September 2014 - 11:01 AM

Hello, good morning. Thanks very much for your prompt replies. What is your name? Mine is J. After running FRST, the processes searchprotection.exe, searchprotocol.exe and browser.exe are not running! Also there is no audio in the background! Computer performance has also returned to normal! Thank you very much. Look at the post below this thank-you post for the Addition.txt log and the FRST.txt log.

#6 josephs141 (Topic Starter, Members, 36 posts)

Posted 03 September 2014 - 11:05 AM

FRST Log

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-09-2014
Ran by Jordy (administrator) on THINKCEN-E0811C on 03-09-2014 08:49:23
Running from C:\Documents and Settings\NEW USER\Desktop
Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo Group Limited) C:\WINDOWS\system32\IPSSVC.EXE
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
() C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
() C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\Rescue and Recovery\br_funcs.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2010-11-29] (Apple Inc.)
HKU\.DEFAULT\...\RunOnce: [nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - No File
BootExecute: autocheck autochk * SmartDefragBootTime.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xB1540E1239C3CB01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
SearchScopes: HKCU - DefaultScope {69E6B383-D401-487E-BAF9-2DDA360F3D2C} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}
SearchScopes: HKCU - {69E6B383-D401-487E-BAF9-2DDA360F3D2C} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=242154&p={searchTerms}
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: Windows Live Toolbar Helper -> {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -> C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKCU - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://compucom.webex.com/client/WBXclient-T29L10NSP5-16/nbr/ieatgpc.cab
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
ShellExecuteHooks: - {56F9679E-7826-4C84-81F3-532071A8BCC5} - No File [ ]
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.3 -> C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2852 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nppl3260;version=6.0.12.46 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1662 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.46 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-07-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-07-01]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 IPSSVC; C:\WINDOWS\system32\IPSSVC.EXE [108080 2007-01-30] (Lenovo Group Limited)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-04-14] (Oracle Corporation)
S3 MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [25824 2010-04-22] (Memeo)
S3 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [243056 2007-10-15] ()
S4 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2010-04-30] (Memeo)
S4 SgtSch2Svc; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [801888 2013-10-30] (Seagate)
S3 SoundMAX Agent Service (default); C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [45056 2002-09-20] (Analog Devices, Inc.) [File not signed]
S3 SUService; C:\Program Files\Lenovo\System Update\SUService.exe [28672 2011-04-18] (Lenovo Group Limited) [File not signed]
S3 TTFixerService; C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [10240 2007-06-26] (NeoSmart Technologies) [File not signed]
R2 TVT Backup Protection Service; C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [569344 2007-07-11] () [File not signed]
R2 TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [950272 2007-07-11] (Lenovo Group Limited) [File not signed]
S3 TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [1122304 2008-03-04] (Lenovo Group Limited) [File not signed]
R2 tvtnetwk; C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe [45056 2007-02-08] () [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 MidiSyn; C:\WINDOWS\System32\drivers\MidiSyn.sys [88960 2004-09-14] (Analog Devices, Inc.)
R2 pmem; C:\WINDOWS\System32\drivers\pmemnt.sys [7012 2011-07-01] (Microsoft Corporation) [File not signed]
R2 PROCDD; C:\WINDOWS\System32\DRIVERS\PROCDD.SYS [12080 2006-11-06] (Lenovo Group Limited)
R3 senfilt; C:\WINDOWS\System32\drivers\senfilt.sys [393088 2005-10-27] (Sensaura)
R0 SmartDefragDriver; C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys [15808 2013-12-24] (IObit)
S3 tdrpman; C:\WINDOWS\System32\DRIVERS\tdrpman.sys [888640 2014-03-02] (Acronis International GmbH)
R0 tib; C:\WINDOWS\System32\DRIVERS\tib.sys [736192 2014-03-02] (Acronis International GmbH)
R0 tib_mounter; C:\WINDOWS\System32\DRIVERS\tib_mounter.sys [130488 2014-03-02] (Acronis)
R3 TPM; C:\WINDOWS\System32\DRIVERS\tpm.sys [17792 2005-10-09] (Winbond Electronics Corp.)
R3 TVTPktFilter; C:\WINDOWS\System32\DRIVERS\tvtpktfilter.sys [17664 2007-02-08] (Lenovo Group Limited)
R0 vididr; C:\WINDOWS\System32\DRIVERS\vididr.sys [116000 2014-03-02] (Acronis International GmbH)
R0 vidsflt; C:\WINDOWS\System32\DRIVERS\vidsflt.sys [85280 2014-03-02] (Acronis International GmbH)
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B}; C:\Program Files\CyberLink\PowerDVD\000.fcl [41456 2007-11-03] (Cyberlink Corp.)
S3 BCASPROT; \??\C:\Program Files\Systweak\Advanced System Protector\sasprot32.sys [X]
S3 catchme; \??\C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\catchme.sys [X]
S0 WudfPf; C:\WINDOWS\system32\WudfPf.sys [X]
S3 WudfRd; C:\WINDOWS\system32\wudfrd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-02 18:09 - 2014-09-02 18:09 - 00028976 ____H () C:\Documents and Settings\NEW USER\Desktop\Addition.txt
2014-09-02 18:05 - 2014-09-03 08:49 - 00011213 _____ () C:\Documents and Settings\NEW USER\Desktop\FRST.txt
2014-09-02 18:03 - 2014-09-03 08:49 - 00000000 ____D () C:\FRST
2014-09-02 18:02 - 2014-09-02 18:02 - 01096704 _____ (Farbar) C:\Documents and Settings\NEW USER\Desktop\FRST.exe
2014-09-02 16:27 - 2014-09-02 16:27 - 00000000 ____D () C:\SUPERDelete
2014-09-02 16:17 - 2014-09-03 08:17 - 00000514 _____ () C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task afad951e-a9d8-463c-ac25-b4ab2c5eb870.job
2014-09-02 16:17 - 2014-09-02 16:17 - 00000514 _____ () C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task c90759cd-4d51-4e9f-9524-bfb8a7843b5a.job
2014-09-02 16:17 - 2014-09-02 16:17 - 00000000 ____D () C:\Documents and Settings\NEW USER\Application Data\SUPERAntiSpyware.com
2014-09-02 16:16 - 2014-09-02 16:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2014-09-02 16:15 - 2014-09-02 16:19 - 00000000 ____D () C:\Program Files\Super AntiSpyware
2014-09-02 16:00 - 2014-09-03 08:49 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\temp
2014-09-02 16:00 - 2014-09-02 16:00 - 00014322 _____ () C:\ComboFix.txt
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\temp
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-09-02 15:34 - 2014-09-03 08:26 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-02 15:34 - 2014-09-03 08:26 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-09-02 15:34 - 2014-09-03 08:25 - 00002126 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-02 15:34 - 2014-09-02 15:34 - 00000000 ____N () C:\WINDOWS\Sti_Trace.log
2014-09-02 15:32 - 2014-09-03 08:42 - 00035701 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-02 11:36 - 2014-09-02 11:36 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\Application Data\Google
2014-09-01 09:55 - 2014-09-01 09:55 - 00002117 _____ () C:\MBAM 9-1.txt
2014-08-30 11:55 - 2014-08-30 11:55 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Dnetist
2014-08-30 11:54 - 2014-08-30 11:58 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Tinnitus
2014-08-30 11:54 - 2014-08-30 11:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Workmans Compensation
2014-08-25 15:13 - 2014-08-25 15:13 - 00000026 _____ () C:\Documents and Settings\NEW USER\Application Data\mbam.context.scan
2014-08-25 15:11 - 2014-09-01 22:13 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-08-25 15:10 - 2014-08-25 15:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-25 15:10 - 2014-05-12 07:26 - 00053208 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Water Tucson Water
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\TEP
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\SW Gas
2014-08-20 12:32 - 2014-08-20 12:32 - 00000013 _____ () C:\Documents and Settings\NEW USER\USAJOBS Ability jobs password.txt
2014-08-09 21:31 - 2014-08-09 21:31 - 00000029 _____ () C:\Documents and Settings\NEW USER\Compucom signon.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-03 08:49 - 2014-09-02 18:05 - 00011213 _____ () C:\Documents and Settings\NEW USER\Desktop\FRST.txt
2014-09-03 08:49 - 2014-09-02 18:03 - 00000000 ____D () C:\FRST
2014-09-03 08:49 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\temp
2014-09-03 08:49 - 2011-07-01 18:52 - 00000000 ____D () C:\Program Files\Malware Removal Tools
2014-09-03 08:42 - 2014-09-02 15:32 - 00035701 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-03 08:27 - 2014-03-25 08:11 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-09-03 08:27 - 2014-01-21 18:48 - 00000262 _____ () C:\WINDOWS\Tasks\SmartDefrag3_Update.job
2014-09-03 08:27 - 2008-04-14 05:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-03 08:27 - 2007-01-29 11:36 - 00025269 _____ () C:\WINDOWS\system32\PROCDB.INI
2014-09-03 08:26 - 2014-09-02 15:34 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-03 08:26 - 2014-09-02 15:34 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-09-03 08:26 - 2010-12-25 13:08 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-03 08:26 - 2007-06-19 14:13 - 00000380 _____ () C:\WINDOWS\system32\IPSCtrl.INI
2014-09-03 08:25 - 2014-09-02 15:34 - 00002126 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-03 08:25 - 2010-12-25 13:09 - 00000178 ___SH () C:\Documents and Settings\NEW USER\ntuser.ini
2014-09-03 08:24 - 2011-07-01 17:38 - 00000178 __SHC () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-03 08:17 - 2014-09-02 16:17 - 00000514 _____ () C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task afad951e-a9d8-463c-ac25-b4ab2c5eb870.job
2014-09-02 18:09 - 2014-09-02 18:09 - 00028976 ____H () C:\Documents and Settings\NEW USER\Desktop\Addition.txt
2014-09-02 18:02 - 2014-09-02 18:02 - 01096704 _____ (Farbar) C:\Documents and Settings\NEW USER\Desktop\FRST.exe
2014-09-02 16:27 - 2014-09-02 16:27 - 00000000 ____D () C:\SUPERDelete
2014-09-02 16:19 - 2014-09-02 16:15 - 00000000 ____D () C:\Program Files\Super AntiSpyware
2014-09-02 16:17 - 2014-09-02 16:17 - 00000514 _____ () C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task c90759cd-4d51-4e9f-9524-bfb8a7843b5a.job
2014-09-02 16:17 - 2014-09-02 16:17 - 00000000 ____D () C:\Documents and Settings\NEW USER\Application Data\SUPERAntiSpyware.com
2014-09-02 16:16 - 2014-09-02 16:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2014-09-02 16:00 - 2014-09-02 16:00 - 00014322 _____ () C:\ComboFix.txt
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\temp
2014-09-02 16:00 - 2014-09-02 16:00 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-09-02 16:00 - 2011-07-01 19:26 - 00000000 ____D () C:\Qoobox
2014-09-02 15:57 - 2008-04-14 05:00 - 00000253 _____ () C:\WINDOWS\system.ini
2014-09-02 15:34 - 2014-09-02 15:34 - 00000000 ____N () C:\WINDOWS\Sti_Trace.log
2014-09-02 15:30 - 2011-07-01 17:38 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-02 11:36 - 2014-09-02 11:36 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\Application Data\Google
2014-09-01 22:16 - 2010-12-26 11:18 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2014-09-01 22:14 - 2013-11-24 08:26 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-09-01 22:13 - 2014-08-25 15:11 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-01 09:55 - 2014-09-01 09:55 - 00002117 _____ () C:\MBAM 9-1.txt
2014-08-31 10:37 - 2014-04-15 17:21 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\IKEA
2014-08-30 20:56 - 2014-05-30 14:10 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\A+
2014-08-30 18:05 - 2014-05-10 00:58 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Compucom
2014-08-30 11:58 - 2014-08-30 11:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Tinnitus
2014-08-30 11:56 - 2011-07-01 21:40 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\My Files
2014-08-30 11:55 - 2014-08-30 11:55 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Dnetist
2014-08-30 11:55 - 2014-07-09 12:34 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Lenovo
2014-08-30 11:54 - 2014-08-30 11:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Workmans Compensation
2014-08-29 08:34 - 2014-07-06 09:38 - 00000023 _____ () C:\Documents and Settings\NEW USER\USAJOBS.txt
2014-08-25 18:14 - 2011-07-01 17:44 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-08-25 15:13 - 2014-08-25 15:13 - 00000026 _____ () C:\Documents and Settings\NEW USER\Application Data\mbam.context.scan
2014-08-25 15:11 - 2014-08-25 15:10 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-25 15:11 - 2011-07-01 17:55 - 00000000 ____D () C:\Documents and Settings\NEW USER\Application Data\Malwarebytes
2014-08-25 15:10 - 2011-07-01 17:44 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-24 10:00 - 2013-12-17 07:34 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Finance
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Water Tucson Water
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\TEP
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\SW Gas
2014-08-22 10:33 - 2014-06-19 15:09 - 00000000 ____D () C:\Documents and Settings\NEW USER\TEP
2014-08-20 12:32 - 2014-08-20 12:32 - 00000013 _____ () C:\Documents and Settings\NEW USER\USAJOBS Ability jobs password.txt
2014-08-16 11:51 - 2014-06-30 17:42 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\IBM Training
2014-08-15 11:48 - 2014-07-25 11:34 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Lexmark
2014-08-11 00:42 - 2014-06-01 13:18 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Lenovo Training
2014-08-09 21:31 - 2014-08-09 21:31 - 00000029 _____ () C:\Documents and Settings\NEW USER\Compucom signon.txt
2014-08-08 15:00 - 2014-03-25 08:11 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-08-06 13:19 - 2010-12-25 13:08 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-08-06 13:19 - 2010-12-25 12:38 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-08-06 13:19 - 2010-12-25 12:28 - 00000000 ____D () C:\WINDOWS\Registration

Files to move or delete:
====================
C:\Documents and Settings\Administrator\DelB12.bat
C:\Documents and Settings\Default User\DelB12.bat
C:\Documents and Settings\NEW USER\DelB12.bat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition Log

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-09-2014
Ran by Jordy at 2014-09-03 08:50:31
Running from C:\Documents and Settings\NEW USER\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 10 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 10.2.152.26 - Adobe Systems Incorporated)
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.44 - Adobe Systems Incorporated)
Adobe Reader 9.4.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A94000000001}) (Version: 9.4.5 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM\...\Adobe Shockwave Player) (Version: 11.5.6.606 - Adobe Systems, Inc.)
Apple Application Support (HKLM\...\{B3575D00-27EF-49C2-B9E0-14B3D954E992}) (Version: 1.5.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{C23CD6DA-1958-43A5-ADD0-59396572E02E}) (Version: 3.4.1.2 - Apple Inc.)
Apple Software Update (HKLM\...\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{C2E4B5BD-32DB-4817-A060-341AB17C3F90}) (Version: 2.0.5.0 - Apple Inc.)
Browser Extensions (HKCU\...\{3A787631-66A2-4634-B928-A37E73B58FB6}) (Version: 2.2 - Spigot, Inc.) <==== ATTENTION
CCleaner (HKLM\...\CCleaner) (Version: 3.08 - Piriform)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Eusing Free Registry Cleaner (HKLM\...\Eusing Free Registry Cleaner) (Version: - )
Eusing Free Registry Defrag (HKLM\...\Eusing Free Registry Defrag) (Version: - )
FL Studio 9 (HKLM\...\FL Studio 9) (Version: - Image-Line)
Hardcore (HKLM\...\Hardcore) (Version: - Image-Line)
HiJackThis (HKLM\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
IL Download Manager (HKLM\...\IL Download Manager) (Version: - Image-Line)
Intel® Graphics Media Accelerator Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: 6.14.10.4497 - )
iTunes (HKLM\...\{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}) (Version: 10.3.1.55 - Apple Inc.)
Java 7 Update 55 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.550 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 7 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160070}) (Version: 1.6.0.70 - Sun Microsystems, Inc.)
Junk Mail filter update (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
K-Lite Mega Codec Pack 4.1.7 (HKLM\...\KLiteCodecPack_is1) (Version: 4.1.7 - )
Lenovo ThinkVantage Toolbox (HKLM\...\PC-Doctor for Windows) (Version: 6.0.5802.24 - PC-Doctor, Inc.)
Maintenance Manager (HKLM\...\AwayTask) (Version: 3.0.5.0 - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Memeo Instant Backup (HKLM\...\{8E666407-AC41-46a2-9692-6C7BFCBFDD37}) (Version: 4.60.0.7252 - Memeo Inc.)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Choice Guard (Version: 2.0.48.0 - Microsoft Corporation) Hidden
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (Version: - Microsoft) Hidden
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Live Add-in 1.3 (HKLM\...\{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}) (Version: 2.0.2313.0 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM\...\{95120000-0122-0409-0000-0000000FF1CE}) (Version: 12.0.6423.1000 - Microsoft Corporation)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (Version: - Microsoft) Hidden
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Search Enhancement Pack (Version: 1.2.123.0 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\Microsoft Silverlight) (Version: 1.0.30716.0 - Microsoft Corporation)
Microsoft Silverlight (Version: 5.1.30214.0 - Microsoft Corporation) Hidden
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30304 (HKLM\...\{C9B26742-06BE-3B75-B1DE-7B91B5956A04}) (Version: 9.0.30304 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MSVCRT (Version: 14.0.1468.721 - Microsoft) Hidden
MSXML 4.0 SP2 (KB941833) (HKLM\...\MSXML 4.0 SP2 (KB941833)) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Nero Suite (HKLM\...\NeroMultiInstaller!UninstallKey) (Version: - )
PoiZone (HKLM\...\PoiZone) (Version: - Image-Line)
PowerDVD (Version: 7.3.3516.0 - CyberLink Corporation) Hidden
PowerDVD Ultra (HKLM\...\InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.3.3516.0 - CyberLink Corporation)
Productivity Center Supplement for ThinkCentre (HKLM\...\{D728E945-256D-4477-B377-6BBA693714AC}) (Version: 3.00b - )
QuickTime (HKLM\...\{57752979-A1C9-4C02-856B-FBB27AC4E02C}) (Version: 7.69.80.9 - Apple Inc.)
Rescue and Recovery (HKLM\...\{F151F2B3-0C32-44D3-90E2-E639B8024622}) (Version: 4.10.0314.00 - Lenovo Group Limited)
Sawer (HKLM\...\Sawer) (Version: - Image-Line)
Seagate Dashboard (HKLM\...\{C3A11907-930D-41AC-A135-CC3B12F92011}) (Version: 1.0.0.809 - Memeo Inc.)
Seagate DiscWizard (HKLM\...\{AC5BFE42-B72A-467C-B9B2-8BF77C6D4D70}) (Version: 16.0.5840 - Seagate) Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden Smart Defrag 3 (HKLM\...\Smart Defrag 3_is1) (Version: 3.0 - IObit) SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.12.01.5410 - Analog Devices) System Update (HKLM\...\{8675339C-128C-44DD-83BF-0A5D6ABD8297}) (Version: 3.14.0034 - Lenovo) ThinkVantage Productivity Center (HKLM\...\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}) (Version: 3.11 - Lenovo) ToolTipFixer 1.0.1 (HKLM\...\ToolTipFixer) (Version: 1.0.1 - NeoSmart Technologies) Toxic Biohazard (HKLM\...\Toxic Biohazard) (Version: - Image-Line) Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB2836940) (Version: 1 - Microsoft Corporation) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation) Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM\...\{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft) Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version: - Microsoft) Update for Microsoft Office Access 2007 Help (KB963663) 
(HKLM\...\{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}) (Version: - Microsoft) Update for Microsoft Office Excel 2007 Help (KB963678) (HKLM\...\{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version: - Microsoft) Update for Microsoft Office Infopath 2007 Help (KB963662) (HKLM\...\{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{716B81B8-B13C-41DF-8EAC-7A2F656CAB63}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM\...\{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 Help (KB963677) (HKLM\...\{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{0451F231-E3E3-4943-AB9F-58EB96171784}) (Version: - Microsoft) Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2883097) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{B2260BC9-D561-46EE-B33D-739CF760A2A9}) (Version: - Microsoft) Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM\...\{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version: - Microsoft) Update for Microsoft Office Publisher 2007 Help (KB963667) (HKLM\...\{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2E40DE55-B289-4C8B-8901-5D369B16814F}) (Version: - Microsoft) Update for Microsoft Office Script Editor Help (KB963671) (HKLM\...\{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version: - Microsoft) Update for Microsoft Office Word 2007 Help (KB963665) (HKLM\...\{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version: - Microsoft) Update for Windows Internet Explorer 8 (KB2447568) 
(HKLM\...\KB2447568-IE8) (Version: 1 - Microsoft Corporation) Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation) WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation) Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation) Windows Live Communications Platform (Version: 14.0.8117.416 - Microsoft Corporation) Hidden Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation) Windows Live Essentials (Version: 14.0.8117.416 - Microsoft Corporation) Hidden Windows Live Mail (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden Windows Live Photo Gallery (Version: 14.0.8117.416 - Microsoft Corporation) Hidden Windows Live Sign-in Assistant (HKLM\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation) Windows Live Sync (HKLM\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation) Windows Live Toolbar (Version: 14.0.8117.416 - Microsoft Corporation) Hidden Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation) Windows Live Writer (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - ) Windows Media Format 11 runtime (Version: - Microsoft Corporation) Hidden Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - ) Windows Media Player 11 (Version: - Microsoft Corporation) Hidden Windows Rights Management Client Backwards Compatibility SP2 (HKLM\...\Windows Rights Management Client Backwards) (Version: 5.2.70 - Microsoft) Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.70 - Microsoft) Hidden Windows Rights Management Client with Service Pack 2 (HKLM\...\Windows 
Rights Management Client) (Version: 5.2.70 - Microsoft) Windows Rights Management Client with Service Pack 2 (Version: 5.2.70 - Microsoft) Hidden Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-220523388-1078081533-1606980848-1003_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation) ==================== Restore Points ========================= Could not list Restore Points. Check "winmgmt" service or repair WMI. ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2008-04-14 05:00 - 2014-09-02 15:57 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts 127.0.0.1 localhost ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) 
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe Task: C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\PC-Doctor\uaclauncher.exe Task: C:\WINDOWS\Tasks\SmartDefrag3_Update.job => C:\Program Files\Smart Defrag\AutoUpdate.exe Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task afad951e-a9d8-463c-ac25-b4ab2c5eb870.job => C:\Program Files\Super AntiSpyware\SUPERAntiSpyware.exe Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task c90759cd-4d51-4e9f-9524-bfb8a7843b5a.job => C:\Program Files\Super AntiSpyware\SUPERAntiSpyware.exe ==================== Loaded Modules (whitelisted) ============= 2007-07-11 17:38 - 2007-07-11 17:38 - 00569344 _____ () C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe 2007-07-11 17:31 - 2007-07-11 17:31 - 00139264 _____ () C:\Program Files\Lenovo\Rescue and Recovery\CDRecord.dll 2007-02-08 11:40 - 2007-02-08 11:40 - 00045056 ____N () C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\48546188.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\48546188.sys => ""="Driver" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) 
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup MSCONFIG\startupfolder: C:^Documents and Settings^NEW USER^Start Menu^Programs^Startup^Seagate Product Registration.lnk => C:\WINDOWS\pss\Seagate Product Registration.lnkStartup MSCONFIG\startupreg: AcronisTibMounterMonitor => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" MSCONFIG\startupreg: AwaySch => C:\Program Files\Lenovo\AwayTask\AwaySch.EXE MSCONFIG\startupreg: BDRegion => C:\Program Files\Cyberlink\Shared Files\brs.exe MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe MSCONFIG\startupreg: DiscWizardMonitor.exe => "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" MSCONFIG\startupreg: igfxhkcmd => C:\WINDOWS\system32\hkcmd.exe MSCONFIG\startupreg: igfxpers => C:\WINDOWS\system32\igfxpers.exe MSCONFIG\startupreg: igfxtray => C:\WINDOWS\system32\igfxtray.exe MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe" MSCONFIG\startupreg: LanguageShortcut => "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" MSCONFIG\startupreg: LPMailChecker => C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe MSCONFIG\startupreg: LPManager => C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe MSCONFIG\startupreg: Memeo Instant Backup => C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui MSCONFIG\startupreg: NeroFilterCheck => C:\WINDOWS\system32\NeroCheck.exe MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime MSCONFIG\startupreg: RemoteControl => "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" MSCONFIG\startupreg: Seagate Dashboard => C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent 
--no_ui MSCONFIG\startupreg: Seagate Scheduler2 Service => "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" MSCONFIG\startupreg: SoundMAX => "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe" MSCONFIG\startupreg: TVT Scheduler Proxy => C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe ==================== Faulty Device Manager Devices ============= Could not list Devices. Check "winmgmt" service or repair WMI. ==================== Event log errors: ========================= Application errors: ================== Error: (09/03/2014 08:48:36 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application frst.exe, version 3.9.2014.0, faulting module frst.exe, version 3.9.2014.0, fault address 0x0001f09e. Processing media-specific event for [frst.exe!ws!] Error: (09/03/2014 08:48:16 AM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application frst.exe, version 3.9.2014.0, faulting module frst.exe, version 3.9.2014.0, fault address 0x0001f405. Processing media-specific event for [frst.exe!ws!] Error: (09/02/2014 10:13:36 PM) (Source: Userenv) (EventID: 1511) (User: NT AUTHORITY) Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off. Error: (09/02/2014 10:13:35 PM) (Source: Userenv) (EventID: 1515) (User: NT AUTHORITY) Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on. Error: (09/02/2014 10:13:35 PM) (Source: Userenv) (EventID: 1502) (User: NT AUTHORITY) Description: Windows cannot load the locally stored profile. 
Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator. DETAIL - The process cannot access the file because it is being used by another process. Error: (09/02/2014 10:13:35 PM) (Source: Userenv) (EventID: 1508) (User: NT AUTHORITY) Description: Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights. DETAIL - The process cannot access the file because it is being used by another process. for C:\Documents and Settings\LocalService\ntuser.dat Error: (09/02/2014 00:44:33 AM) (Source: Windows Search Service) (EventID: 3058) (User: ) Description: The application cannot be initialized. Context: Windows Application Details: The content index cannot be read. (0xc0041800) Error: (09/02/2014 00:44:33 AM) (Source: Windows Search Service) (EventID: 3028) (User: ) Description: The gatherer object cannot be initialized. Context: Windows Application, SystemIndex Catalog Details: The content index cannot be read. (0xc0041800) Error: (09/02/2014 00:44:33 AM) (Source: Windows Search Service) (EventID: 3029) (User: ) Description: The plug-in in cannot be initialized. Context: Windows Application, SystemIndex Catalog Details: The content index cannot be read. (0xc0041800) Error: (09/02/2014 00:44:31 AM) (Source: Windows Search Service) (EventID: 7040) (User: ) Description: The search service has detected corrupted data files in the index. The service will attempt to automatically correct this problem by rebuilding the index. 
Context: Windows Application, SystemIndex Catalog Details: 0xc0041801 (0xc0041801) System errors: ============= Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service 
which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (08/30/2014 11:39:15 AM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Microsoft Office Sessions: ========================= Error: (07/07/2014 08:23:17 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 22 seconds with 0 seconds of active time. This session ended with a crash. Error: (01/27/2014 10:25:44 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 194 seconds with 120 seconds of active time. This session ended with a crash. 
==================== Memory info =========================== Processor: Intel® Pentium® 4 CPU 3.20GHz Percentage of memory in use: 16% Total physical RAM: 2550.48 MB Available physical RAM: 2138.4 MB Total Pagefile: 3536.98 MB Available Pagefile: 3308.22 MB Total Virtual: 2047.88 MB Available Virtual: 1930.07 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:37.24 GB) (Free:4.95 GB) NTFS ==>[Drive with boot components (Windows XP)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 37.3 GB) (Disk ID: 96EF96EF) Partition 1: (Active) - (Size=37.2 GB) - (Type=07 NTFS) ==================== End Of Log ============================

Attached Files

  • Attached File  FRST.txt   22.73KB   1 downloads


#7 josephs141

josephs141
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 03 September 2014 - 11:08 AM

This is odd. After uploading or selecting a file to attach, there isn't a way to "attach" the file. The button is not available; however, the words "attach files" are there. Why is this?

What caused this infection? How did I acquire it? I did not download any files or visit any malicious websites. How did this great program remove this infection? How does it work?

Thanks again for your assistance.

J

#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 03 September 2014 - 11:10 AM

Hello J,

my name is Leo. I'm glad to hear that the fix has worked as intended.
 

What caused this infection? How did I acquire it?

It's not possible to tell in this case. But when we're done I'll give you a few security tips on how to avoid such infections in general.
 

How did this great program remove this infection?

FRST executed the fixscript that I prepared after analyzing your log files.



Let's do a final check-up now to see if anything else shows up:


Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!

Edited by aharonov, 03 September 2014 - 11:14 AM.


#9 josephs141

josephs141
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 03 September 2014 - 08:45 PM

Here is what ESET found using the online scanner:

C:\FRST\Quarantine\C\Documents and Settings\NEW USER\Local Settings\Application Data\ValidatorVisual\ValidatorVisual.dll Win32/TrojanDownloader.Tracur.AL trojan
C:\Program Files\Audio Creator Tools\FL Studio 9\flstudio_9.0.exe Win32/OpenCandy potentially unsafe application
C:\Program Files\Smart Defrag\defragsetup V 2.9.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Program Files\Smart Defrag\defragsetup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application
C:\WINDOWS\system32\sasnative32.exe Win32/AdvancedSystemProtector.A potentially unwanted application

System startup before being infected was 20-30 seconds. Now, it is 60-70 seconds. What could be causing this? What is the next step?

Thanks, Leo

#10 josephs141

josephs141
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 03 September 2014 - 09:55 PM

Leo, it is not possible to access Windows Update. When Windows Update is selected, a blank page is opened, but nothing appears. Also, the user accounts screen is completely blank. You can see the green arrows and the home button; this is all that is visible. What is causing this? Thanks, J

#11 josephs141

josephs141
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 05 September 2014 - 05:36 PM

Hi, Leo

Are you busy assisting other users? Is there anything else we need to do to complete the process? Are you still working with me on this infection?

Thanks

J



#12 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 06 September 2014 - 05:55 AM

Sorry, J, I missed your replies.
When did system startup become slow? We didn't do anything that invasive that could normally cause such problems. Is the computer now generally running slower or just at startup?


Start FRST with administrator privileges.
  • Make sure the option Addition.txt (under Optional Scan) is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.


#13 josephs141

josephs141
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 06 September 2014 - 10:14 AM

New problems surfaced after we ran the scans: FRST, ESET and the FRBR recovery scan. The User Account Control page is completely blank. You can see the two green buttons, forward and backward, plus the home page. I have tried running the regsvr scripts, but these fail with this error code: 0x008004005. The file mshtml.dll is on my computer in the C:\Windows\system32 folder. It is not possible to access Microsoft or Windows Update.

The inability to access user accounts and Windows Update leads me to believe the malware, virus, spyware or adware is still loading during Windows startup. This infection is affecting my administrator privileges. Is it possible I have been turned into a standard user? What do I need to do so the user accounts page becomes available? Why is it not possible to access Windows Update or Microsoft Update? The most important is accessing user accounts.

Leo, is it safe to delete the folders FRST leaves on the desktop? After running the scan 5-7 folders were left on the desktop. You could not open, copy or paste these folders; deletion was the only option.

Below this reply you will see the FRST log. Again, your help is appreciated and you are teaching me useful techniques.

J

#14 josephs141

josephs141
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 06 September 2014 - 10:17 AM

System startup became slow after we removed the files /tellertale/toolradio and browser.exe. There are times when the desktop will run slow for a minute or two. Startup time has increased from 20-30 seconds before infection to 60-70 seconds after cleaning.

#15 josephs141

josephs141
  • Topic Starter

  • Members
  • 36 posts
  • Gender:Male

Posted 06 September 2014 - 10:35 AM

Leo here are the logs created by FRST Do you recommend running killbox, gmer or combofix? Should these be run even if FRST does not show anything malicious? FRST log is Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-09-2014 Ran by Jordy (administrator) on THINKCEN-E0811C on 06-09-2014 08:20:00 Running from C:\Documents and Settings\NEW USER\Desktop Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States) Internet Explorer Version 8 Boot Mode: Normal The only official download link for FRST: Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ Download link from any site other than Bleeping Computer is unpermitted or outdated. See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Lenovo Group Limited) C:\WINDOWS\system32\IPSSVC.EXE (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe () C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe (Lenovo Group Limited) C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe () C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Lenovo Group Limited) C:\Program Files\Lenovo\Rescue and Recovery\br_funcs.exe ==================== Registry (Whitelisted) ================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2010-11-29] (Apple Inc.) 
HKU\.DEFAULT\...\RunOnce: [nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - No File
BootExecute: autocheck autochk * SmartDefragBootTime.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: Windows Live Toolbar Helper -> {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -> C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKCU - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://compucom.webex.com/client/WBXclient-T29L10NSP5-16/nbr/ieatgpc.cab
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.3 -> C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF Plugin: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2852 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nppl3260;version=6.0.12.46 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1662 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.46 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-07-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-07-01]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 IPSSVC; C:\WINDOWS\system32\IPSSVC.EXE [108080 2007-01-30] (Lenovo Group Limited)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-04-14] (Oracle Corporation)
S3 MemeoBackgroundService; C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe [25824 2010-04-22] (Memeo)
S3 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [243056 2007-10-15] ()
S4 SeagateDashboardService; C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [14088 2010-04-30] (Memeo)
S4 SgtSch2Svc; C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe [801888 2013-10-30] (Seagate)
S3 SoundMAX Agent Service (default); C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [45056 2002-09-20] (Analog Devices, Inc.) [File not signed]
S3 SUService; C:\Program Files\Lenovo\System Update\SUService.exe [28672 2011-04-18] (Lenovo Group Limited) [File not signed]
S3 TTFixerService; C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [10240 2007-06-26] (NeoSmart Technologies) [File not signed]
R2 TVT Backup Protection Service; C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe [569344 2007-07-11] () [File not signed]
R2 TVT Backup Service; C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe [950272 2007-07-11] (Lenovo Group Limited) [File not signed]
S3 TVT Scheduler; C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe [1122304 2008-03-04] (Lenovo Group Limited) [File not signed]
R2 tvtnetwk; C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe [45056 2007-02-08] () [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 MidiSyn; C:\WINDOWS\System32\drivers\MidiSyn.sys [88960 2004-09-14] (Analog Devices, Inc.)
R2 pmem; C:\WINDOWS\System32\drivers\pmemnt.sys [7012 2011-07-01] (Microsoft Corporation) [File not signed]
R2 PROCDD; C:\WINDOWS\System32\DRIVERS\PROCDD.SYS [12080 2006-11-06] (Lenovo Group Limited)
R3 senfilt; C:\WINDOWS\System32\drivers\senfilt.sys [393088 2005-10-27] (Sensaura)
R0 SmartDefragDriver; C:\WINDOWS\System32\Drivers\SmartDefragDriver.sys [15808 2013-12-24] (IObit)
S3 tdrpman; C:\WINDOWS\System32\DRIVERS\tdrpman.sys [888640 2014-03-02] (Acronis International GmbH)
R0 tib; C:\WINDOWS\System32\DRIVERS\tib.sys [736192 2014-03-02] (Acronis International GmbH)
R0 tib_mounter; C:\WINDOWS\System32\DRIVERS\tib_mounter.sys [130488 2014-03-02] (Acronis)
R3 TPM; C:\WINDOWS\System32\DRIVERS\tpm.sys [17792 2005-10-09] (Winbond Electronics Corp.)
R3 TVTPktFilter; C:\WINDOWS\System32\DRIVERS\tvtpktfilter.sys [17664 2007-02-08] (Lenovo Group Limited)
R0 vididr; C:\WINDOWS\System32\DRIVERS\vididr.sys [116000 2014-03-02] (Acronis International GmbH)
R0 vidsflt; C:\WINDOWS\System32\DRIVERS\vidsflt.sys [85280 2014-03-02] (Acronis International GmbH)
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B}; C:\Program Files\CyberLink\PowerDVD\000.fcl [41456 2007-11-03] (Cyberlink Corp.)
S3 BCASPROT; \??\C:\Program Files\Systweak\Advanced System Protector\sasprot32.sys [X]
S3 catchme; \??\C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\catchme.sys [X]
S0 WudfPf; C:\WINDOWS\system32\WudfPf.sys [X]
S3 WudfRd; C:\WINDOWS\system32\wudfrd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)
2014-09-06 08:20 - 2014-09-06 08:20 - 00010635 _____ () C:\Documents and Settings\NEW USER\Desktop\FRST.txt
2014-09-05 22:53 - 2014-09-05 22:53 - 00000060 _____ () C:\WINDOWS\setupact.log
2014-09-05 22:53 - 2014-09-05 22:53 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-09-05 21:37 - 2014-09-05 22:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-09-05 21:36 - 2014-09-05 22:48 - 00000000 ____D () C:\Documents and Settings\NEW USER\Desktop\mbar
2014-09-05 21:24 - 2014-09-06 08:20 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\temp
2014-09-05 21:24 - 2014-09-05 21:24 - 00101364 _____ () C:\ComboFix.txt
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\temp
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-09-04 17:09 - 2014-09-04 17:09 - 03015680 _____ (Microsoft Corporation) C:\WINDOWS\mshtml.dll
2014-09-04 15:19 - 2014-09-06 08:21 - 00000422 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{FD013292-9248-4B29-802F-3FB7DC2118A8}.job
2014-09-03 19:36 - 2008-04-14 00:00 - 01306973 _____ () C:\WINDOWS\system32\MSHTML.DL_
2014-09-03 19:36 - 2008-04-14 00:00 - 00110157 _____ () C:\WINDOWS\system32\MSHTML.TL_
2014-09-02 18:03 - 2014-09-06 08:20 - 00000000 ____D () C:\FRST
2014-09-02 18:02 - 2014-09-02 18:02 - 01096704 _____ (Farbar) C:\Documents and Settings\NEW USER\Desktop\FRST.exe
2014-09-02 16:27 - 2014-09-02 16:27 - 00000000 ____D () C:\SUPERDelete
2014-09-02 16:17 - 2014-09-02 16:17 - 00000000 ____D () C:\Documents and Settings\NEW USER\Application Data\SUPERAntiSpyware.com
2014-09-02 16:16 - 2014-09-02 16:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2014-09-02 16:15 - 2014-09-02 16:19 - 00000000 ____D () C:\Program Files\Super AntiSpyware
2014-09-02 15:34 - 2014-09-06 08:00 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-02 15:34 - 2014-09-06 07:59 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-09-02 15:34 - 2014-09-05 22:57 - 00003890 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-02 15:34 - 2014-09-02 15:34 - 00000000 ____N () C:\WINDOWS\Sti_Trace.log
2014-09-02 15:32 - 2014-09-06 08:01 - 00154114 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-02 11:36 - 2014-09-02 11:36 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\Application Data\Google
2014-09-01 09:55 - 2014-09-01 09:55 - 00002117 _____ () C:\MBAM 9-1.txt
2014-08-30 11:55 - 2014-08-30 11:55 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Dnetist
2014-08-30 11:54 - 2014-08-30 11:58 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Tinnitus
2014-08-30 11:54 - 2014-08-30 11:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Workmans Compensation
2014-08-25 15:13 - 2014-08-25 15:13 - 00000026 _____ () C:\Documents and Settings\NEW USER\Application Data\mbam.context.scan
2014-08-25 15:11 - 2014-09-05 21:37 - 00104664 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-08-25 15:10 - 2014-09-05 21:36 - 00051416 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-08-25 15:10 - 2014-08-25 15:11 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Water Tucson Water
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\TEP
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\SW Gas
2014-08-20 12:32 - 2014-08-20 12:32 - 00000013 _____ () C:\Documents and Settings\NEW USER\USAJOBS Ability jobs password.txt
2014-08-09 21:31 - 2014-08-09 21:31 - 00000029 _____ () C:\Documents and Settings\NEW USER\Compucom signon.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-06 08:21 - 2014-09-04 15:19 - 00000422 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{FD013292-9248-4B29-802F-3FB7DC2118A8}.job
2014-09-06 08:20 - 2014-09-06 08:20 - 00010635 _____ () C:\Documents and Settings\NEW USER\Desktop\FRST.txt
2014-09-06 08:20 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\temp
2014-09-06 08:20 - 2014-09-02 18:03 - 00000000 ____D () C:\FRST
2014-09-06 08:18 - 2011-07-01 18:52 - 00000000 ____D () C:\Program Files\Malware Removal Tools
2014-09-06 08:01 - 2014-09-02 15:32 - 00154114 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-06 08:00 - 2014-09-02 15:34 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-06 08:00 - 2008-04-14 05:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-06 08:00 - 2007-01-29 11:36 - 00025269 _____ () C:\WINDOWS\system32\PROCDB.INI
2014-09-06 07:59 - 2014-09-02 15:34 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-09-06 07:59 - 2014-03-25 08:11 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-09-06 07:59 - 2014-01-21 18:48 - 00000262 _____ () C:\WINDOWS\Tasks\SmartDefrag3_Update.job
2014-09-06 07:59 - 2010-12-25 13:08 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-06 07:59 - 2010-12-25 12:29 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-09-06 07:59 - 2007-06-19 14:13 - 00000380 _____ () C:\WINDOWS\system32\IPSCtrl.INI
2014-09-05 22:57 - 2014-09-02 15:34 - 00003890 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-05 22:56 - 2010-12-25 13:09 - 00000178 ___SH () C:\Documents and Settings\NEW USER\ntuser.ini
2014-09-05 22:53 - 2014-09-05 22:53 - 00000060 _____ () C:\WINDOWS\setupact.log
2014-09-05 22:53 - 2014-09-05 22:53 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-09-05 22:48 - 2014-09-05 21:37 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-09-05 22:48 - 2014-09-05 21:36 - 00000000 ____D () C:\Documents and Settings\NEW USER\Desktop\mbar
2014-09-05 22:48 - 2014-03-05 17:30 - 00001803 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
2014-09-05 21:37 - 2014-08-25 15:11 - 00104664 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-05 21:36 - 2014-08-25 15:10 - 00051416 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-09-05 21:24 - 2014-09-05 21:24 - 00101364 _____ () C:\ComboFix.txt
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\temp
2014-09-05 21:24 - 2014-09-05 21:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-09-05 21:24 - 2011-07-01 19:26 - 00000000 ____D () C:\Qoobox
2014-09-05 21:22 - 2008-04-14 05:00 - 00000253 _____ () C:\WINDOWS\system.ini
2014-09-04 17:09 - 2014-09-04 17:09 - 03015680 _____ (Microsoft Corporation) C:\WINDOWS\mshtml.dll
2014-09-03 19:27 - 2011-07-01 17:38 - 00000178 __SHC () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-03 19:14 - 2010-12-25 05:09 - 00000000 ____D () C:\WINDOWS\security
2014-09-02 18:02 - 2014-09-02 18:02 - 01096704 _____ (Farbar) C:\Documents and Settings\NEW USER\Desktop\FRST.exe
2014-09-02 16:27 - 2014-09-02 16:27 - 00000000 ____D () C:\SUPERDelete
2014-09-02 16:19 - 2014-09-02 16:15 - 00000000 ____D () C:\Program Files\Super AntiSpyware
2014-09-02 16:17 - 2014-09-02 16:17 - 00000000 ____D () C:\Documents and Settings\NEW USER\Application Data\SUPERAntiSpyware.com
2014-09-02 16:16 - 2014-09-02 16:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2014-09-02 15:34 - 2014-09-02 15:34 - 00000000 ____N () C:\WINDOWS\Sti_Trace.log
2014-09-02 15:30 - 2011-07-01 17:38 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-02 11:36 - 2014-09-02 11:36 - 00000000 ____D () C:\Documents and Settings\NEW USER\Local Settings\Application Data\Google
2014-09-01 22:16 - 2010-12-26 11:18 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Microsoft Help
2014-09-01 22:14 - 2013-11-24 08:26 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-09-01 09:55 - 2014-09-01 09:55 - 00002117 _____ () C:\MBAM 9-1.txt
2014-08-31 10:37 - 2014-04-15 17:21 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\IKEA
2014-08-30 20:56 - 2014-05-30 14:10 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\A+
2014-08-30 18:05 - 2014-05-10 00:58 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Compucom
2014-08-30 11:58 - 2014-08-30 11:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Tinnitus
2014-08-30 11:56 - 2011-07-01 21:40 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\My Files
2014-08-30 11:55 - 2014-08-30 11:55 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Dnetist
2014-08-30 11:55 - 2014-07-09 12:34 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Lenovo
2014-08-30 11:54 - 2014-08-30 11:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Workmans Compensation
2014-08-29 08:34 - 2014-07-06 09:38 - 00000023 _____ () C:\Documents and Settings\NEW USER\USAJOBS.txt
2014-08-25 18:14 - 2011-07-01 17:44 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-08-25 15:13 - 2014-08-25 15:13 - 00000026 _____ () C:\Documents and Settings\NEW USER\Application Data\mbam.context.scan
2014-08-25 15:11 - 2014-08-25 15:10 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-08-25 15:11 - 2011-07-01 17:55 - 00000000 ____D () C:\Documents and Settings\NEW USER\Application Data\Malwarebytes
2014-08-25 15:10 - 2011-07-01 17:44 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-24 10:00 - 2013-12-17 07:34 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Finance
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Water Tucson Water
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\TEP
2014-08-22 10:54 - 2014-08-22 10:54 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\SW Gas
2014-08-22 10:33 - 2014-06-19 15:09 - 00000000 ____D () C:\Documents and Settings\NEW USER\TEP
2014-08-20 12:32 - 2014-08-20 12:32 - 00000013 _____ () C:\Documents and Settings\NEW USER\USAJOBS Ability jobs password.txt
2014-08-16 11:51 - 2014-06-30 17:42 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\IBM Training
2014-08-15 11:48 - 2014-07-25 11:34 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Lexmark
2014-08-11 00:42 - 2014-06-01 13:18 - 00000000 ____D () C:\Documents and Settings\NEW USER\My Documents\Lenovo Training
2014-08-09 21:31 - 2014-08-09 21:31 - 00000029 _____ () C:\Documents and Settings\NEW USER\Compucom signon.txt
2014-08-08 15:00 - 2014-03-25 08:11 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

Files to move or delete:
====================
C:\Documents and Settings\Administrator\DelB12.bat
C:\Documents and Settings\Default User\DelB12.bat
C:\Documents and Settings\NEW USER\DelB12.bat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition log:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-09-2014
Ran by Jordy at 2014-09-06 08:21:10
Running from C:\Documents and Settings\NEW USER\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 10 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 10.2.152.26 - Adobe Systems Incorporated)
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.44 - Adobe Systems Incorporated)
Adobe Reader 9.4.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A94000000001}) (Version: 9.4.5 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM\...\Adobe Shockwave Player) (Version: 11.5.6.606 - Adobe Systems, Inc.)
Apple Application Support (HKLM\...\{B3575D00-27EF-49C2-B9E0-14B3D954E992}) (Version: 1.5.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{C23CD6DA-1958-43A5-ADD0-59396572E02E}) (Version: 3.4.1.2 - Apple Inc.)
Apple Software Update (HKLM\...\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{C2E4B5BD-32DB-4817-A060-341AB17C3F90}) (Version: 2.0.5.0 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 3.08 - Piriform)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Eusing Free Registry Cleaner (HKLM\...\Eusing Free Registry Cleaner) (Version: - )
Eusing Free Registry Defrag (HKLM\...\Eusing Free Registry Defrag) (Version: - )
FL Studio 9 (HKLM\...\FL Studio 9) (Version: - Image-Line)
Hardcore (HKLM\...\Hardcore) (Version: - Image-Line)
HiJackThis (HKLM\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
IL Download Manager (HKLM\...\IL Download Manager) (Version: - Image-Line)
Intel® Graphics Media Accelerator Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: 6.14.10.4497 - )
iTunes (HKLM\...\{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}) (Version: 10.3.1.55 - Apple Inc.)
Java 7 Update 55 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217045FF}) (Version: 7.0.550 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 7 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160070}) (Version: 1.6.0.70 - Sun Microsystems, Inc.)
Junk Mail filter update (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
K-Lite Mega Codec Pack 4.1.7 (HKLM\...\KLiteCodecPack_is1) (Version: 4.1.7 - )
Lenovo ThinkVantage Toolbox (HKLM\...\PC-Doctor for Windows) (Version: 6.0.5802.24 - PC-Doctor, Inc.)
Maintenance Manager (HKLM\...\AwayTask) (Version: 3.0.5.0 - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Memeo Instant Backup (HKLM\...\{8E666407-AC41-46a2-9692-6C7BFCBFDD37}) (Version: 4.60.0.7252 - Memeo Inc.)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Choice Guard (Version: 2.0.48.0 - Microsoft Corporation) Hidden
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (Version: - Microsoft) Hidden
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Live Add-in 1.3 (HKLM\...\{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}) (Version: 2.0.2313.0 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM\...\{95120000-0122-0409-0000-0000000FF1CE}) (Version: 12.0.6423.1000 - Microsoft Corporation)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (Version: - Microsoft) Hidden
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Search Enhancement Pack (Version: 1.2.123.0 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\Microsoft Silverlight) (Version: 1.0.30716.0 - Microsoft Corporation)
Microsoft Silverlight (Version: 5.1.30214.0 - Microsoft Corporation) Hidden
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30304 (HKLM\...\{C9B26742-06BE-3B75-B1DE-7B91B5956A04}) (Version: 9.0.30304 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MSVCRT (Version: 14.0.1468.721 - Microsoft) Hidden
MSXML 4.0 SP2 (KB941833) (HKLM\...\MSXML 4.0 SP2 (KB941833)) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Nero Suite (HKLM\...\NeroMultiInstaller!UninstallKey) (Version: - )
PoiZone (HKLM\...\PoiZone) (Version: - Image-Line)
PowerDVD (Version: 7.3.3516.0 - CyberLink Corporation) Hidden
PowerDVD Ultra (HKLM\...\InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.3.3516.0 - CyberLink Corporation)
Productivity Center Supplement for ThinkCentre (HKLM\...\{D728E945-256D-4477-B377-6BBA693714AC}) (Version: 3.00b - )
QuickTime (HKLM\...\{57752979-A1C9-4C02-856B-FBB27AC4E02C}) (Version: 7.69.80.9 - Apple Inc.)
Rescue and Recovery (HKLM\...\{F151F2B3-0C32-44D3-90E2-E639B8024622}) (Version: 4.10.0314.00 - Lenovo Group Limited)
Sawer (HKLM\...\Sawer) (Version: - Image-Line)
Seagate Dashboard (HKLM\...\{C3A11907-930D-41AC-A135-CC3B12F92011}) (Version: 1.0.0.809 - Memeo Inc.)
Seagate DiscWizard (HKLM\...\{AC5BFE42-B72A-467C-B9B2-8BF77C6D4D70}) (Version: 16.0.5840 - Seagate)
Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden
Smart Defrag 3 (HKLM\...\Smart Defrag 3_is1) (Version: 3.0 - IObit)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.12.01.5410 - Analog Devices)
System Update (HKLM\...\{8675339C-128C-44DD-83BF-0A5D6ABD8297}) (Version: 3.14.0034 - Lenovo)
ThinkVantage Productivity Center (HKLM\...\{CF5737AF-8550-4546-A69B-0EA9EF5A9B55}) (Version: 3.11 - Lenovo)
ToolTipFixer 1.0.1 (HKLM\...\ToolTipFixer) (Version: 1.0.1 - NeoSmart Technologies)
Toxic Biohazard (HKLM\...\Toxic Biohazard) (Version: - Image-Line)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update for Microsoft .NET Framework 3.5 SP1 (KB2836940) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB2836940) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM\...\{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version: - Microsoft)
Update for Microsoft Office Access 2007 Help (KB963663) (HKLM\...\{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}) (Version: - Microsoft)
Update for Microsoft Office Excel 2007 Help (KB963678) (HKLM\...\{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version: - Microsoft)
Update for Microsoft Office Infopath 2007 Help (KB963662) (HKLM\...\{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{716B81B8-B13C-41DF-8EAC-7A2F656CAB63}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM\...\{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 Help (KB963677) (HKLM\...\{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{0451F231-E3E3-4943-AB9F-58EB96171784}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2883097) 32-Bit Edition (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{B2260BC9-D561-46EE-B33D-739CF760A2A9}) (Version: - Microsoft)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM\...\{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version: - Microsoft)
Update for Microsoft Office Publisher 2007 Help (KB963667) (HKLM\...\{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2E40DE55-B289-4C8B-8901-5D369B16814F}) (Version: - Microsoft)
Update for Microsoft Office Script Editor Help (KB963671) (HKLM\...\{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version: - Microsoft)
Update for Microsoft Office Word 2007 Help (KB963665) (HKLM\...\{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version: - Microsoft)
Update for Windows Internet Explorer 8 (KB2447568) (HKLM\...\KB2447568-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live Communications Platform (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live Essentials (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Mail (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Sign-in Assistant (HKLM\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Toolbar (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Live Writer (Version: 14.0.8117.0416 - Microsoft Corporation) Hidden
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
Windows Media Format 11 runtime (Version: - Microsoft Corporation) Hidden
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
Windows Media Player 11 (Version: - Microsoft Corporation) Hidden
Windows Rights Management Client Backwards Compatibility SP2 (HKLM\...\Windows Rights Management Client Backwards) (Version: 5.2.70 - Microsoft)
Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.70 - Microsoft) Hidden
Windows Rights Management Client with Service Pack 2 (HKLM\...\Windows
Rights Management Client) (Version: 5.2.70 - Microsoft) Windows Rights Management Client with Service Pack 2 (Version: 5.2.70 - Microsoft) Hidden Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) CustomCLSID: HKU\S-1-5-21-220523388-1078081533-1606980848-1003_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation) ==================== Restore Points ========================= Could not list Restore Points. Check "winmgmt" service or repair WMI. ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2008-04-14 05:00 - 2014-09-02 15:57 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts 127.0.0.1 localhost ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) 
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe Task: C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\PC-Doctor\uaclauncher.exe Task: C:\WINDOWS\Tasks\SmartDefrag3_Update.job => C:\Program Files\Smart Defrag\AutoUpdate.exe Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{FD013292-9248-4B29-802F-3FB7DC2118A8}.job => C:\WINDOWS\system32\msfeedssync.exe ==================== Loaded Modules (whitelisted) ============= 2007-07-11 17:38 - 2007-07-11 17:38 - 00569344 _____ () C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe 2007-07-11 17:31 - 2007-07-11 17:31 - 00139264 _____ () C:\Program Files\Lenovo\Rescue and Recovery\CDRecord.dll 2007-02-08 11:40 - 2007-02-08 11:40 - 00045056 ____N () C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\48546188.sys => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\48546188.sys => ""="Driver" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) 
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup MSCONFIG\startupfolder: C:^Documents and Settings^NEW USER^Start Menu^Programs^Startup^Seagate Product Registration.lnk => C:\WINDOWS\pss\Seagate Product Registration.lnkStartup MSCONFIG\startupreg: AcronisTibMounterMonitor => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" MSCONFIG\startupreg: AwaySch => C:\Program Files\Lenovo\AwayTask\AwaySch.EXE MSCONFIG\startupreg: BDRegion => C:\Program Files\Cyberlink\Shared Files\brs.exe MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe MSCONFIG\startupreg: DiscWizardMonitor.exe => "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe" MSCONFIG\startupreg: igfxhkcmd => C:\WINDOWS\system32\hkcmd.exe MSCONFIG\startupreg: igfxpers => C:\WINDOWS\system32\igfxpers.exe MSCONFIG\startupreg: igfxtray => C:\WINDOWS\system32\igfxtray.exe MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe" MSCONFIG\startupreg: LanguageShortcut => "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" MSCONFIG\startupreg: LPMailChecker => C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe MSCONFIG\startupreg: LPManager => C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe MSCONFIG\startupreg: Memeo Instant Backup => C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui MSCONFIG\startupreg: NeroFilterCheck => C:\WINDOWS\system32\NeroCheck.exe MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime MSCONFIG\startupreg: RemoteControl => "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" MSCONFIG\startupreg: Seagate Dashboard => C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent 
--no_ui MSCONFIG\startupreg: Seagate Scheduler2 Service => "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe" MSCONFIG\startupreg: SoundMAX => "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe" MSCONFIG\startupreg: TVT Scheduler Proxy => C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe ==================== Faulty Device Manager Devices ============= Could not list Devices. Check "winmgmt" service or repair WMI. ==================== Event log errors: ========================= Application errors: ================== Error: (09/05/2014 09:47:47 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x0014c493. Processing media-specific event for [iexplore.exe!ws!] Error: (09/04/2014 04:52:21 PM) (Source: Outlook) (EventID: 35) (User: ) Description: Failed to determine if the store is in the crawl scope (error=0x80040154). Error: (09/04/2014 04:52:21 PM) (Source: Outlook) (EventID: 34) (User: ) Description: Failed to get the Crawl Scope Manager with error=0x80040154. Error: (09/04/2014 04:52:17 PM) (Source: Outlook) (EventID: 35) (User: ) Description: Failed to determine if the store is in the crawl scope (error=0x80040154). Error: (09/04/2014 04:52:17 PM) (Source: Outlook) (EventID: 34) (User: ) Description: Failed to get the Crawl Scope Manager with error=0x80040154. Error: (09/03/2014 07:57:31 PM) (Source: Application Error) (EventID: 1000) (User: ) Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x0014c493. Processing media-specific event for [iexplore.exe!ws!] 
Error: (09/03/2014 00:17:20 PM) (Source: Outlook) (EventID: 35) (User: ) Description: Failed to determine if the store is in the crawl scope (error=0x80040154). Error: (09/03/2014 00:17:20 PM) (Source: Outlook) (EventID: 34) (User: ) Description: Failed to get the Crawl Scope Manager with error=0x80040154. Error: (09/03/2014 00:17:15 PM) (Source: Outlook) (EventID: 35) (User: ) Description: Failed to determine if the store is in the crawl scope (error=0x80040154). Error: (09/03/2014 00:17:15 PM) (Source: Outlook) (EventID: 34) (User: ) Description: Failed to get the Crawl Scope Manager with error=0x80040154. System errors: ============= Error: (09/04/2014 03:19:52 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:52 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:52 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:52 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:52 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:51 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection 
Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:51 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Error: (09/04/2014 03:19:22 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: %%1058 Microsoft Office Sessions: ========================= Error: (07/07/2014 08:23:17 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 22 seconds with 0 seconds of active time. This session ended with a crash. Error: (01/27/2014 10:25:44 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 194 seconds with 120 seconds of active time. This session ended with a crash. 
==================== Memory info =========================== Processor: Intel® Pentium® 4 CPU 3.20GHz Percentage of memory in use: 15% Total physical RAM: 2550.48 MB Available physical RAM: 2151.75 MB Total Pagefile: 3536.92 MB Available Pagefile: 3327.53 MB Total Virtual: 2047.88 MB Available Virtual: 1932.86 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:37.24 GB) (Free:5.03 GB) NTFS ==>[Drive with boot components (Windows XP)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 37.3 GB) (Disk ID: 96EF96EF) Partition 1: (Active) - (Size=37.2 GB) - (Type=07 NTFS) ==================== End Of Log ============================ Do you recommend running killbox, gmer or combofix? Should these be run even if FRST does not show anything malicious? Thanks, Leo



