Random BSOD, multiple network connection icons, slow internet, JRT fails to run


  • This topic is locked
10 replies to this topic

#1 enc2guru (Members, 4 posts)

Posted 09 September 2014 - 01:28 PM

Receiving random BSODs and noticed multiple network connection icons in Control Panel, and I have a much slower than normal internet connection, which I have noticed in any application connected to the internet; I also noticed what seem to be weird LSP entries in my log. The only thing I have really tried is updating my Ethernet drivers, with no help, and I have also run multiple AV scans with no infection found. JRT exits prematurely, stating that there is no application to open JRT. I have also pasted the results from JRT_Debug. Thanks, and any help will be greatly appreciated.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Admin at 14:08:14 on 2014-09-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1434 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files\Norton Internet Security\Engine\21.5.0.19\NIS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\21.5.0.19\NIS.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\21.5.0.19\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\21.5.0.19\ips\ipsbho.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\21.5.0.19\coieplg.dll
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
mRun: [Malwarebytes Anti-Exploit] c:\program files\malwarebytes anti-exploit\mbae.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoFileAssociate = dword:0
mPolicies-Explorer: NoCDBurning = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: DisableStatusMessages = dword:1
mPolicies-System: NoDispSettingsPage = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
LSP: REGEDIT4
.
LSP: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries]
LSP: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries\
LSP:   m33,32,\mswsock2e,dll
LSP:   
LSP:   Ha1,92,e9,03,
LSP:   Ha1,92,ea,03,
LSP:   bb,ff,
LSP:   Ha1,92,eb,03,
LSP:   m33,32,\rsvpsp2e,dll
LSP:   82,e6,9a,ec,03,
LSP:   i
LSP:   2c,0f,01,ee,cf,90,|b8,w13,
LSP:   90,|18,34,0f,01,0a,
LSP:   01,b0,2c,0f,01,b8,2c,0f,01,90,x13,
LSP:   x01,0f,01,]
LSP:   01,0f,01,b0,2c,0f,01,x01,0f,01,H05,
LSP:   13,
LSP:   2d,ff,90,|
LSP:   d7,dd,w90,1e,0f,01,
LSP:   wX05,
LSP:   ec,2a,0f,01,06,
LSP:   v13,
LSP:   |`
LSP:   90,1e,0f,01,
LSP:   82,e6,9a,ed,03,
LSP:   0f,01,ec,2a,0f,01,T05,
LSP:   28,02,91,|ff,ff,ff,ff,22,02,91,|9b,01,91,|db,01,91,|aac,80,|34,\
LSP:   {13,
LSP:   |hf6,90,|ff,ff,ff,ff,af6,90,|eb,odd,w
LSP:   c0,fb,17,
LSP:   05,
LSP:   d4,z13,
LSP:   z13,
LSP:   90,|Njdd,w87,jdd,w2c,Mdf,fh05,
LSP:   @{13,
LSP:   df,f
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1400130208328
TCP: Interfaces\{16A11898-0E45-4434-AF93-54E7636E0B72} : NameServer = 8.8.8.8,192.168.1.1
Notify: AutorunsDisabled - <no file>
SecurityProviders: SecurityProviders = msapsspc.dll, schannel.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\tf305g8r.default\
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2014-2-17 189968]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2014-7-26 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2014-7-26 40648]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1505000.013\symds.sys [2014-8-11 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1505000.013\symefa.sys [2014-8-11 936152]
R1 BHDrvx86;BHDrvx86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\bashdefs\20140821.007\BHDrvx86.sys [2014-8-27 1138480]
R1 ccSet_NIS;NIS Settings Manager;c:\windows\system32\drivers\nis\1505000.013\ccsetx86.sys [2014-8-11 127064]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\malwarebytes anti-exploit\mbae.sys [2014-6-2 44760]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2014-7-26 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2014-7-26 185672]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1505000.013\ironx86.sys [2014-8-11 206936]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\malwarebytes anti-exploit\mbae-svc.exe [2014-6-2 360592]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\21.5.0.19\nis.exe [2014-8-11 276376]
R2 WinisoCDBus;WinISO Virtual CD Drive;c:\windows\system32\drivers\WinisoCDBus.sys [2014-9-6 121600]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2014-5-15 103040]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-9-9 111408]
R3 IDSxpx86;IDSxpx86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\ipsdefs\20140907.003\IDSXpx86.sys [2014-9-9 448664]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2014-8-11 105984]
R3 NAVENG;NAVENG;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\virusdefs\20140908.018\NAVENG.SYS [2014-9-9 95704]
R3 NAVEX15;NAVEX15;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\virusdefs\20140908.018\NAVEX15.SYS [2014-9-9 1636696]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2014-8-18 37888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2014-8-5 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2014-8-5 9160]
S3 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2014-7-10 121440]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\easeus\todo backup\bin\Agent.exe [2014-7-26 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2014-7-26 23624]
S4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
S4 PAExec;PAExec;c:\windows\paexec.exe -service --> c:\windows\PAExec.exe -service [?]
S4 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2014-8-25 24680]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
FileExt: .bat: batfile="%1" %*
FileExt: .cmd: cmdfile="%1" %*
FileExt: .com: comfile="%1" %*
FileExt: .exe: exefile="%1" %*
FileExt: .pif: piffile="%1" %*
FileExt: .scr: scrfile="%1" /S
FileExt: .reg: regfile=regedit.exe "%1"
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1
FileExt: .chm: chm.file="c:\windows\hh.exe" %1
FileExt: .ini: inifile=c:\windows\system32\NOTEPAD.EXE %1
FileExt: .inf: inffile=c:\windows\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2014-09-09 17:08:42    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.PB3O -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Harddisk0\DR0[0x8A802AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Ide\IAAStorageDevice-1[0x8A808030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
user & kernel MBR OK
.
============= FINISH: 14:08:22.14 ===============

 

 

___________________________________________________________________________________________________________________

 

 

Results from JRT_Debug.txt:

 

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>NET FILE  1>NUL 2>NUL

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>if '2' == '0' (goto gotPrivileges  )  else (goto getPrivileges  )

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>if '' == 'ELEV' (shift   & goto gotPrivileges )

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>setlocal DisableDelayedExpansion

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>set "batchPath=get.bat"

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>setlocal EnableDelayedExpansion

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>ECHO Set UAC = CreateObject("Shell.Application")   1>"C:\DOCUME~1\Admin\LOCALS~1\Temp\OEgetPrivileges.vbs"

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>ECHO UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1   1>>"C:\DOCUME~1\Admin\LOCALS~1\Temp\OEgetPrivileges.vbs"

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>"C:\DOCUME~1\Admin\LOCALS~1\Temp\OEgetPrivileges.vbs"  

C:\DOCUME~1\Admin\LOCALS~1\Temp\jrt>exit /B  


 



#2 HelpBot (Bleepin' Binary Bot, Bots, 12,600 posts)

Posted 14 September 2014 - 01:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/547506 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 enc2guru (Topic Starter, Members, 4 posts)

Posted 15 September 2014 - 01:22 PM

In addition to what I said the first time, every time I restart my computer the driver installation screen pops up asking me to install what appears to be a PS/2 mouse (found by searching the device ID), and I have no PS/2 mouse connected. Also, there seem to be 2 unknown services marked as manual whose drivers point to a "Temp" file; the Temp file no longer exists (hidden files is enabled).

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Admin at 14:11:20 on 2014-09-15
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1554 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files\Norton Internet Security\Engine\21.5.0.19\NIS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\21.5.0.19\NIS.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\21.5.0.19\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\21.5.0.19\ips\ipsbho.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\21.5.0.19\coieplg.dll
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
mRun: [Malwarebytes Anti-Exploit] c:\program files\malwarebytes anti-exploit\mbae.exe
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoFileAssociate = dword:0
mPolicies-Explorer: NoCDBurning = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: DisableStatusMessages = dword:1
mPolicies-System: NoDispSettingsPage = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
LSP: REGEDIT4
.
LSP: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries]
LSP: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries\
LSP:   m33,32,\mswsock2e,dll
LSP:   
LSP:   Ha1,92,e9,03,
LSP:   Ha1,92,ea,03,
LSP:   bb,ff,
LSP:   Ha1,92,eb,03,
LSP:   m33,32,\rsvpsp2e,dll
LSP:   82,e6,9a,ec,03,
LSP:   i
LSP:   2c,0f,01,ee,cf,90,|b8,w13,
LSP:   90,|18,34,0f,01,0a,
LSP:   01,b0,2c,0f,01,b8,2c,0f,01,90,x13,
LSP:   x01,0f,01,]
LSP:   01,0f,01,b0,2c,0f,01,x01,0f,01,H05,
LSP:   13,
LSP:   2d,ff,90,|
LSP:   d7,dd,w90,1e,0f,01,
LSP:   wX05,
LSP:   ec,2a,0f,01,06,
LSP:   v13,
LSP:   |`
LSP:   90,1e,0f,01,
LSP:   82,e6,9a,ed,03,
LSP:   0f,01,ec,2a,0f,01,T05,
LSP:   28,02,91,|ff,ff,ff,ff,22,02,91,|9b,01,91,|db,01,91,|aac,80,|34,\
LSP:   {13,
LSP:   |hf6,90,|ff,ff,ff,ff,af6,90,|eb,odd,w
LSP:   88,2a,18,
LSP:   05,
LSP:   d4,z13,
LSP:   z13,
LSP:   90,|Njdd,w87,jdd,w2c,Mdf,fp05,
LSP:   @{13,
LSP:   df,f
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1400130208328
TCP: Interfaces\{16A11898-0E45-4434-AF93-54E7636E0B72} : NameServer = 8.8.8.8,192.168.1.1
Notify: AutorunsDisabled - <no file>
SecurityProviders: SecurityProviders = msapsspc.dll, schannel.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\tf305g8r.default\
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2014-2-17 189968]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2014-7-26 50248]
R0 EUBKMON;EUBKMON;c:\windows\system32\drivers\EUBKMON.sys [2014-7-26 40648]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1505000.013\symds.sys [2014-8-11 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1505000.013\symefa.sys [2014-8-11 936152]
R1 BHDrvx86;BHDrvx86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\bashdefs\20140912.003\BHDrvx86.sys [2014-9-12 1137368]
R1 ccSet_NIS;NIS Settings Manager;c:\windows\system32\drivers\nis\1505000.013\ccsetx86.sys [2014-8-11 127064]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\malwarebytes anti-exploit\mbae.sys [2014-6-2 44760]
R1 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2014-7-26 14920]
R1 EUFDDISK;EUFDDISK;c:\windows\system32\drivers\EuFdDisk.sys [2014-7-26 185672]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2014-7-10 121440]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1505000.013\ironx86.sys [2014-8-11 206936]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\malwarebytes anti-exploit\mbae-svc.exe [2014-6-2 360592]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\21.5.0.19\nis.exe [2014-8-11 276376]
R2 WinisoCDBus;WinISO Virtual CD Drive; [x]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2014-5-15 103040]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-9-9 111408]
R3 IDSxpx86;IDSxpx86;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\ipsdefs\20140912.001\IDSXpx86.sys [2014-9-15 448664]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2014-8-11 105984]
R3 NAVENG;NAVENG;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\virusdefs\20140913.021\NAVENG.SYS [2014-9-15 95704]
R3 NAVEX15;NAVEX15;c:\program files\norton internet security\nortondata\21.2.0.38\definitions\virusdefs\20140913.021\NAVEX15.SYS [2014-9-15 1636696]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2014-8-18 37888]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2014-8-5 13896]
S3 ERFXBKNMRXX;ERFXBKNMRXX; [x]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2014-8-5 9160]
S3 MUIHVY;MUIHVY; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]
S4 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S4 EaseUS Agent;EaseUS Agent Service;c:\program files\easeus\todo backup\bin\Agent.exe [2014-7-26 68168]
S4 Guard Agent;Guard Agent Service;c:\program files\easeus\todo backup\bin\GuardAgent.exe [2014-7-26 23624]
S4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
S4 PAExec;PAExec;c:\windows\paexec.exe -service --> c:\windows\PAExec.exe -service [?]
S4 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2014-8-25 24680]
S4 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
FileExt: .bat: batfile="%1" %*
FileExt: .cmd: cmdfile="%1" %*
FileExt: .com: comfile="%1" %*
FileExt: .exe: exefile="%1" %*
FileExt: .pif: piffile="%1" %*
FileExt: .scr: scrfile="%1" /S
FileExt: .reg: regfile=regedit.exe "%1"
FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1
FileExt: .chm: chm.file="c:\windows\hh.exe" %1
FileExt: .ini: inifile=c:\windows\system32\NOTEPAD.EXE %1
FileExt: .inf: inffile=c:\windows\system32\NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2014-09-15 17:36:48    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_ rev.PB3O -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Harddisk0\DR0[0x8A7C4AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF200] -> \Device\Ide\IAAStorageDevice-1[0x8A7C6030]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
user & kernel MBR OK
.
============= FINISH: 14:11:31.26 ===============
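The two unknown manual-start services mentioned in the post above appear in the DDS "SERVICES / DRIVERS" section as `S3 ERFXBKNMRXX;ERFXBKNMRXX; [x]` and `S3 MUIHVY;MUIHVY; [x]`: DDS prints `[x]` when a service is still registered but its image file is gone, and `[?]` when it could not verify the file behind the image path. The script below is an added example, not part of this thread and not DDS or BleepingComputer tooling. It parses that section into records and flags the entries a responder would look at first. The sample lines are copied from the second DDS log above; the random-looking-name heuristic is this example's own assumption and is a triage aid only, not evidence of infection.

```python
"""Parse the SERVICES / DRIVERS section of a DDS log and flag suspect entries.

Added example; not part of the original thread or of DDS itself.
SAMPLE_DDS is copied from the second DDS log posted in this thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# DDS service lines come in three shapes:
#   R3 Name;Display;c:\path\file.sys [2014-8-5 13896]     file present (date, size)
#   S3 Name;Display; [x]                                  registered, file missing
#   S4 Name;Display;c:\path\x.exe -run --> c:\... [?]     DDS could not verify file
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
PRESENT_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)

@dataclass
class ServiceEntry:
    running: bool          # R = running, S = stopped
    start_type: int        # 0 boot .. 4 disabled (DDS numbering)
    name: str
    display: str
    image: Optional[str]   # None when DDS printed [x]
    verified: bool         # False when DDS printed [?]
    date: Optional[str]
    size: Optional[int]

def parse_dds_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a DDS service/driver line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest == "[x]":
        image, verified, date, size = None, True, None, None
    elif rest.endswith("[?]"):
        image, verified, date, size = rest[:-3].strip(), False, None, None
    else:
        pm = PRESENT_RE.match(rest)
        if not pm:
            return None
        image, verified = pm.group("path"), True
        date, size = pm.group("date"), int(pm.group("size"))
    return ServiceEntry(m.group("state") == "R", int(m.group("start")),
                        m.group("name"), m.group("display"), image, verified, date, size)

VOWELS = set("AEIOUY")

def looks_random(name: str) -> bool:
    """Heuristic (assumption of this example, not a DDS rule): an all-letter,
    all-uppercase name of 6+ characters with at most one vowel is treated as
    auto-generated. Tune or replace before relying on it."""
    if len(name) < 6 or not name.isalpha() or not name.isupper():
        return False
    return sum(c in VOWELS for c in name) <= 1

def flag_entry(e: ServiceEntry) -> List[str]:
    """Reasons an analyst should look at this entry; empty list means nothing noted."""
    reasons = []
    if e.image is None:
        reasons.append("registered but image file missing ([x])")
    if not e.verified:
        reasons.append("image path not verified by DDS ([?])")
    if e.name == e.display and looks_random(e.name):
        reasons.append("random-looking name equal to display name")
    if e.image and "\\temp\\" in e.image.lower():
        reasons.append("image path under a Temp directory")
    return reasons

def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Walk a DDS log and return (service name, reasons) for every flagged entry."""
    findings = []
    for line in log_text.splitlines():
        e = parse_dds_service_line(line)
        if e is not None and (reasons := flag_entry(e)):
            findings.append((e.name, reasons))
    return findings

# Lines copied from the DDS log in post #3 (header and "." lines are skipped by the parser).
SAMPLE_DDS = r"""============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2014-2-17 189968]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2014-7-10 121440]
R2 WinisoCDBus;WinISO Virtual CD Drive; [x]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2014-8-11 105984]
S3 ERFXBKNMRXX;ERFXBKNMRXX; [x]
S3 MUIHVY;MUIHVY; [x]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe  -run --> c:\windows\system32\hasplms.exe  -run [?]
S4 PAExec;PAExec;c:\windows\paexec.exe -service --> c:\windows\PAExec.exe -service [?]
"""

def sample_findings() -> List[Tuple[str, List[str]]]:
    return triage(SAMPLE_DDS)

if __name__ == "__main__":
    for name, reasons in sample_findings():
        print(f"{name}: {'; '.join(reasons)}")
```

Feed it the whole "SERVICES / DRIVERS" block of a DDS log; entries with a present, dated file and an ordinary name produce no output. The `[?]` entries here (hasplms, PAExec) are flagged only because DDS could not verify them, which is a prompt to check the file, not a verdict.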
 

 



#4 nasdaq (Malware Response Team, 38,756 posts, Montreal, QC. Canada)

Posted 16 September 2014 - 09:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#5 enc2guru (Topic Starter, Members, 4 posts)

Posted 16 September 2014 - 11:27 AM

The computer's performance is the same as it was at the time of my original post. I posted the scan logs below, ADW (clean log w/ all items checked); also, I'm not sure if it's common, but I had to create an exception in NIS to get FRST to download.

Thanks again for any and all help.

 

# AdwCleaner v3.310 - Report created 16/09/2014 at 11:46:15
# Updated 12/09/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Admin - HOME
# Running from : C:\Documents and Settings\Admin\Desktop\adwcleaner_3.310.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v32.0.1 (x86 en-US)

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [933 octets] - [16/09/2014 11:39:40]
AdwCleaner[S0].txt - [857 octets] - [16/09/2014 11:46:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [916 octets] ##########
 

 

 

 

 

 

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by Admin (administrator) on HOME on 16-09-2014 12:07:01
Running from C:\Documents and Settings\Admin\Desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.5.0.19\nis.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.5.0.19\nis.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(YourWare Solutions ™) C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [382608 2014-06-04] (Malwarebytes Corporation)
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
HKLM\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [NoCDBurning] 1
HKU\S-1-5-21-789336058-1592454029-1644491937-500\...\Run: [FreeRAM XP] => C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe [1591808 2006-03-23] (YourWare Solutions ™)
HKU\S-1-5-21-789336058-1592454029-1644491937-500\...\Policies\Explorer: [NoDriveTypeAutoRun] 0xFF000000
HKU\S-1-5-21-789336058-1592454029-1644491937-500\...\Policies\Explorer: [NoInstrumentation] 1
HKU\S-1-5-21-789336058-1592454029-1644491937-500\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-789336058-1592454029-1644491937-500\...\Policies\Explorer: [NoRecentDocsHistory] 1
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Folder) -> {02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1} =>  No File
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Fully Synced) -> {CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1} =>  No File
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Not Latest Version) -> {284C090F-EB1D-4A6E-872E-6DB72E417E24} =>  No File
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Shared Folder) -> {3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.5.0.19\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.5.0.19\IPS\IPSBHO.DLL (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.5.0.19\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1400130208328
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{16A11898-0E45-4434-AF93-54E7636E0B72}: [NameServer] 8.8.8.8,192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default
FF NewTab: about:blank
FF Homepage: hxxp://www.google.com/webhp?complete=0
FF NetworkProxy: "type", 0
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll No File
FF Extension: WOT - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-05-15]
FF Extension: Classic Theme Restorer - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-05-15]
FF Extension: Copy Urls Expert - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\copy-urls-expert@kashiif-gmail.com.xpi [2014-05-15]
FF Extension: FlashDisable - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\jid0-bbA9VAawX3LMWDu668aUDrpQVXU@jetpack.xpi [2014-05-15]
FF Extension: Text Link - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\{54BB9F3F-07E5-486c-9B39-C7398B99391C}.xpi [2014-05-15]
FF Extension: NoScript - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-05-15]
FF Extension: Downloads Window - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\{a7213cf2-fa1e-4373-88ff-255d0abd3020}.xpi [2014-05-15]
FF Extension: Download YouTube Videos as MP4 - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi [2014-08-22]
FF Extension: Space Next - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\{c71ff04d-f001-1fc1-1fc1-c71ff04df005}.xpi [2014-05-15]
FF Extension: Adblock Plus - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tf305g8r.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-05-15]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.0.18\coFFPlgn [2014-09-16]
FF HKCU\...\Firefox\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Documents and Settings\Admin\Application Data\IDM\idmmzcc5
FF Extension: IDM CC - C:\Documents and Settings\Admin\Application Data\IDM\idmmzcc5 [2014-09-15]
FF HKCU\...\SeaMonkey\Extensions: [mozilla_cc@internetdownloadmanager.com] - C:\Documents and Settings\Admin\Application Data\IDM\idmmzcc5

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2014-09-12]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 EaseUS Agent; C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe [68168 2013-03-16] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
S4 Guard Agent; C:\Program Files\EaseUS\Todo Backup\bin\GuardAgent.exe [23624 2013-03-16] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
S4 hasplms; C:\WINDOWS\system32\hasplms.exe [2558464 2008-03-19] (Aladdin Knowledge Systems Ltd.)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [360592 2014-06-04] (Malwarebytes Corporation)
R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.5.0.19\NIS.exe [276376 2014-07-31] (Symantec Corporation)
S4 PAExec; C:\WINDOWS\PAExec.exe [190464 2014-09-04] (Power Admin LLC) [File not signed]
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-04-19] (Secunia)
S4 spupdsvc; C:\WINDOWS\system32\spupdsvc.exe [26144 2009-01-07] (Microsoft Corporation)
S4 ERFXBKNMRXX; No ImagePath
S4 MUIHVY; No ImagePath

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 ahcix86; C:\WINDOWS\System32\DRIVERS\ahcix86.sys [189968 2009-04-08] (Advanced Micro Devices, Inc)
R2 aksfridge; C:\WINDOWS\system32\drivers\aksfridge.sys [350720 2008-03-18] (Aladdin Knowledge Systems Ltd.)
R0 atapi; C:\WINDOWS\System32\DRIVERS\atapi.sys [86912 2002-06-25] (Microsoft Corporation) [File not signed]
S3 AtcL001; C:\WINDOWS\System32\DRIVERS\l151x86.sys [37888 2009-08-20] (Atheros Communications, Inc.) [File not signed]
R3 AtiHDAudioService; C:\WINDOWS\System32\drivers\AtihdXP3.sys [103040 2012-05-14] (Advanced Micro Devices)
R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\BASHDefs\20140912.003\BHDrvx86.sys [1137368 2014-09-12] (Symantec Corporation)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R1 ccSet_NIS; C:\WINDOWS\system32\drivers\NIS\1505000.013\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-09-13] (Symantec Corporation)
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [13896 2013-03-07] () [File not signed]
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-09-13] (Symantec Corporation)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [44760 2014-06-04] ()
R0 EUBAKUP; C:\WINDOWS\System32\drivers\eubakup.sys [50248 2013-03-16] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
R0 EUBKMON; C:\WINDOWS\System32\drivers\EUBKMON.sys [40648 2013-03-16] () [File not signed]
R1 EUDSKACS; C:\WINDOWS\system32\drivers\eudskacs.sys [14920 2013-03-16] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
R1 EUFDDISK; C:\WINDOWS\system32\drivers\EuFdDisk.sys [185672 2013-03-16] (CHENGDU YIWO Tech Development Co., Ltd) [File not signed]
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [9160 2013-03-07] () [File not signed]
S4 FTDIBUS; C:\WINDOWS\System32\drivers\ftdibus.sys [65896 2014-04-01] (FTDI Ltd.)
R2 Hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [586240 2008-02-11] (Aladdin Knowledge Systems Ltd.)
R2 Haspnt; C:\WINDOWS\system32\drivers\Haspnt.sys [47616 2014-09-04] (Aladdin Knowledge Systems) [File not signed]
S3 IDMTDI; C:\WINDOWS\System32\DRIVERS\idmtdi.sys [121440 2014-06-09] (Tonec Inc.)
R3 IDSxpx86; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\IPSDefs\20140915.001\IDSxpx86.sys [448664 2014-09-15] (Symantec Corporation)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140915.032\NAVENG.SYS [95704 2014-09-13] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.1.0.18\Definitions\VirusDefs\20140915.032\NAVEX15.SYS [1636696 2014-09-13] (Symantec Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S4 ohci1394; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [55424 2002-06-25] (Microsoft Corporation) [File not signed]
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NIS\1505000.013\SRTSP.SYS [664280 2014-07-23] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NIS\1505000.013\SRTSPX.SYS [32344 2013-09-09] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\drivers\NIS\1505000.013\SYMDS.SYS [367704 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NIS\1505000.013\SYMEFA.SYS [936152 2014-07-23] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2014-09-15] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NIS\1505000.013\Ironx86.SYS [206936 2013-09-26] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\NIS\1505000.013\SYMTDI.SYS [423256 2014-07-23] (Symantec Corporation)
S4 VD_FileDisk; C:\WINDOWS\system32\Drivers\VD_FileDisk.sys [24680 2011-01-26] (CaptainFlint Software)
S4 IntelIde; No ImagePath
S3 mcdbus; No ImagePath
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
S3 USBAAPL; No ImagePath
S2 WinisoCDBus; No ImagePath
S3 WinUSB; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-16 12:07 - 2014-09-16 12:07 - 00013601 _____ () C:\Documents and Settings\Admin\Desktop\FRST.txt
2014-09-16 12:06 - 2014-09-16 12:07 - 00000000 ____D () C:\FRST
2014-09-16 12:06 - 2014-09-16 12:06 - 00000995 _____ () C:\Documents and Settings\Admin\Desktop\AdwCleaner[S0].txt
2014-09-16 11:40 - 2014-09-16 11:40 - 00000933 _____ () C:\Documents and Settings\Admin\Desktop\AdwCleaner[R0].txt
2014-09-16 11:39 - 2014-09-16 11:46 - 00000000 ____D () C:\AdwCleaner
2014-09-16 11:30 - 2014-09-16 11:30 - 01097728 _____ (Farbar) C:\Documents and Settings\Admin\Desktop\FRST.exe
2014-09-16 11:27 - 2014-09-16 11:27 - 01373475 _____ () C:\Documents and Settings\Admin\Desktop\adwcleaner_3.310.exe
2014-09-15 23:37 - 2014-09-15 23:38 - 00000800 _____ () C:\Documents and Settings\Admin\Desktop\New Text Document (4).txt
2014-09-15 22:05 - 2014-09-15 22:20 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2014-09-15 22:05 - 2014-09-15 22:16 - 00000000 ____D () C:\WINDOWS\system32\Drivers\NIS
2014-09-15 22:05 - 2014-09-15 22:15 - 00001989 _____ () C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
2014-09-15 22:05 - 2014-09-15 22:05 - 00142936 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2014-09-15 22:05 - 2014-09-15 22:05 - 00008194 _____ () C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2014-09-15 22:05 - 2014-09-15 22:05 - 00000000 ____D () C:\Program Files\Symantec
2014-09-15 22:04 - 2014-09-15 22:15 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Norton Internet Security
2014-09-15 22:04 - 2014-09-15 22:05 - 00000000 ____D () C:\Program Files\Norton Internet Security
2014-09-15 20:12 - 2014-09-15 21:11 - 00000000 ____D () C:\-new
2014-09-15 19:10 - 2014-09-15 20:10 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\xp
2014-09-15 14:02 - 2014-09-16 10:01 - 00001824 _____ () C:\PureRa.txt
2014-09-15 13:07 - 2014-09-15 13:07 - 00000736 _____ () C:\Documents and Settings\Admin\Desktop\Notepad++.lnk
2014-09-15 13:07 - 2014-09-15 13:07 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Notepad++
2014-09-15 13:07 - 2014-09-15 13:07 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\Notepad++
2014-09-15 13:06 - 2014-09-15 13:50 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Notepad++
2014-09-15 13:06 - 2014-09-15 13:07 - 00000000 ____D () C:\Program Files\Notepad++
2014-09-15 13:00 - 2014-09-15 13:00 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-15 12:54 - 2014-09-15 13:19 - 00000205 _____ () C:\Documents and Settings\Admin\Desktop\New Text Document (12).txt
2014-09-12 02:25 - 2014-09-12 02:25 - 00000000 ____D () C:\Documents and Settings\Admin\My Documents\MPC-HC Capture
2014-09-11 21:09 - 2014-09-11 21:09 - 00000000 ____D () C:\Documents and Settings\Admin\.android
2014-09-10 15:49 - 2014-09-10 15:51 - 00004667 _____ () C:\rootkit.log
2014-09-10 01:24 - 2014-09-10 01:24 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\BleachBit
2014-09-10 00:28 - 2014-09-10 00:28 - 00000683 _____ () C:\Documents and Settings\Admin\Desktop\CUETools.lnk
2014-09-10 00:25 - 2014-09-10 00:27 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\foobar2000
2014-09-10 00:25 - 2014-09-10 00:25 - 00000786 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\foobar2000.lnk
2014-09-10 00:25 - 2014-09-10 00:25 - 00000710 _____ () C:\Documents and Settings\All Users\Desktop\foobar2000.lnk
2014-09-10 00:25 - 2014-09-10 00:25 - 00000000 ____D () C:\Program Files\foobar2000
2014-09-10 00:03 - 2014-09-10 00:03 - 00000702 _____ () C:\Documents and Settings\Admin\Desktop\DVD Identifier.lnk
2014-09-10 00:03 - 2014-09-10 00:03 - 00000000 ____D () C:\Program Files\DVD Identifier
2014-09-10 00:03 - 2014-09-10 00:03 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\DVD Identifier
2014-09-09 23:00 - 2014-09-09 23:00 - 00000000 ____D () C:\Program Files\ASIO4ALL v2
2014-09-09 23:00 - 2014-09-09 23:00 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\ASIO4ALL v2
2014-09-09 20:32 - 2014-09-09 20:32 - 00000753 _____ () C:\Documents and Settings\All Users\Desktop\Exact Audio Copy.lnk
2014-09-09 20:32 - 2014-09-09 20:32 - 00000000 ____D () C:\Program Files\Exact Audio Copy
2014-09-09 20:32 - 2014-09-09 20:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Exact Audio Copy
2014-09-09 13:51 - 2014-09-09 13:51 - 00000000 ____D () C:\Program Files\MSXML 4.0
2014-09-06 22:08 - 2014-09-06 22:14 - 00000000 ____D () C:\Program Files\WinISO Computing
2014-09-06 22:08 - 2014-09-06 22:08 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\WinISO Computing
2014-09-06 22:08 - 2014-09-06 22:08 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\WinISO Computing
2014-09-06 18:45 - 2014-09-06 18:45 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\WindSolutions
2014-09-06 18:43 - 2014-09-06 18:43 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\WindSolutions
2014-09-06 09:56 - 2014-09-07 00:38 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\dvd utilities
2014-09-05 08:28 - 2014-09-05 08:28 - 00000000 ____H () C:\WINDOWS\system32\Drivers\Msft_Kernel_WinUSB_01007.Wdf
2014-09-05 08:28 - 2010-02-19 11:00 - 01112288 _____ (Microsoft Corporation) C:\WINDOWS\system32\WdfCoInstaller01007.dll
2014-09-05 08:28 - 2010-02-19 11:00 - 00581192 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinUSBCoInstaller.dll
2014-09-05 06:43 - 2014-09-05 06:47 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\WinMount
2014-09-05 06:42 - 2014-09-05 06:42 - 00065856 _____ (WinMount International Inc) C:\WINDOWS\system32\Drivers\WMDrive.sys
2014-09-05 02:25 - 2014-09-05 02:25 - 01704993 _____ () C:\Documents and Settings\Admin\Desktop\openvpn-2.2.2-install.exe
2014-09-05 02:25 - 2014-09-05 02:25 - 00000050 _____ () C:\Documents and Settings\Admin\Desktop\ACE VPN.txt
2014-09-05 00:39 - 2014-09-05 00:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Catalyst Control Center
2014-09-05 00:38 - 2014-09-05 00:39 - 00000000 ____D () C:\Program Files\ATI Technologies
2014-09-05 00:38 - 2014-09-05 00:38 - 00000000 ____D () C:\Program Files\ATI
2014-09-05 00:38 - 2014-09-05 00:38 - 00000000 _____ () C:\WINDOWS\ativpsrm.bin
2014-09-05 00:38 - 2012-07-27 22:25 - 19660800 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atioglxx.dll
2014-09-05 00:38 - 2012-07-27 22:02 - 00442368 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\ATIDEMGX.dll
2014-09-05 00:38 - 2012-07-27 21:39 - 00212992 _____ (ATI Technologies, Inc.) C:\WINDOWS\system32\atipdlxx.dll
2014-09-05 00:38 - 2012-07-27 21:38 - 00163840 _____ (ATI Technologies, Inc.) C:\WINDOWS\system32\Oemdspif.dll
2014-09-05 00:38 - 2012-07-27 21:38 - 00043520 _____ (ATI Technologies, Inc.) C:\WINDOWS\system32\ati2edxx.dll
2014-09-05 00:38 - 2012-07-27 21:33 - 00268680 _____ () C:\WINDOWS\system32\atiapfxx.blb
2014-09-05 00:38 - 2012-07-27 21:31 - 00163840 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atiapfxx.exe
2014-09-05 00:38 - 2012-07-27 21:23 - 00241664 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atiadlxx.dll
2014-09-05 00:38 - 2012-07-27 21:13 - 00065024 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\atimpc32.dll
2014-09-05 00:38 - 2012-07-27 21:13 - 00065024 _____ (Advanced Micro Devices, Inc. ) C:\WINDOWS\system32\amdpcom32.dll
2014-09-05 00:38 - 2012-07-27 21:13 - 00053248 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\Drivers\ati2erec.dll
2014-09-05 00:38 - 2012-07-16 05:33 - 00038557 _____ () C:\WINDOWS\atiogl.xml
2014-09-05 00:38 - 2012-04-12 15:30 - 00637743 _____ () C:\WINDOWS\system32\atiicdxx.dat
2014-09-05 00:38 - 2010-08-27 14:32 - 00294912 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\ATIODE.exe
2014-09-05 00:38 - 2009-06-22 11:34 - 00045056 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\ATIODCLI.exe
2014-09-05 00:38 - 2009-05-11 17:35 - 00118784 _____ (Advanced Micro Devices, Inc.) C:\WINDOWS\system32\atibtmon.exe
2014-09-04 19:13 - 2014-09-04 19:13 - 00190464 _____ (Power Admin LLC) C:\WINDOWS\PAExec.exe
2014-09-04 15:05 - 2014-09-04 15:05 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\FLEXnet
2014-09-04 15:04 - 2014-09-16 11:47 - 08405015 _____ () C:\WINDOWS\hlktmp
2014-09-04 15:04 - 2014-09-04 15:04 - 00047616 _____ (Aladdin Knowledge Systems) C:\WINDOWS\system32\Drivers\Haspnt.sys
2014-09-04 15:04 - 2014-09-04 15:04 - 00006656 _____ (Aladdin Knowledge Systems.) C:\WINDOWS\system32\haspvdd.dll
2014-09-04 15:04 - 2014-09-04 15:04 - 00000383 _____ () C:\WINDOWS\system32\haspdos.sys
2014-09-04 15:04 - 2014-09-04 15:04 - 00000000 ____D () C:\Program Files\Common Files\Aladdin Shared
2014-09-04 15:04 - 2014-02-22 02:15 - 00002577 _____ () C:\WINDOWS\system32\config.hsp
2014-09-04 15:04 - 2013-05-01 09:03 - 00327680 _____ (Aladdin Knowledge Systems) C:\WINDOWS\system32\haspms32.dll
2014-09-04 15:04 - 2008-03-19 12:30 - 02558464 _____ (Aladdin Knowledge Systems Ltd.) C:\WINDOWS\system32\hasplms.exe
2014-09-04 15:04 - 2008-03-19 12:30 - 02558464 _____ (Aladdin Knowledge Systems Ltd.) C:\WINDOWS\system32\aksllmtp.exe
2014-09-04 15:04 - 2008-03-18 15:09 - 00350720 _____ (Aladdin Knowledge Systems Ltd.) C:\WINDOWS\system32\Drivers\aksfridge.sys
2014-09-04 15:04 - 2008-02-11 15:55 - 00586240 _____ (Aladdin Knowledge Systems Ltd.) C:\WINDOWS\system32\Drivers\hardlock.sys
2014-09-04 15:03 - 2014-09-04 15:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\FLEXnet
2014-09-02 18:40 - 2014-09-02 18:57 - 00002003 _____ () C:\Documents and Settings\Admin\Desktop\Cover Letter - Matthew Petronsky.txt
2014-09-02 18:40 - 2014-09-02 18:40 - 00002733 _____ () C:\Documents and Settings\Admin\Desktop\Resume - Matthew Petronsky.txt
2014-09-01 00:39 - 2014-09-01 00:42 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Apple Computer
2014-09-01 00:39 - 2014-09-01 00:39 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\Apple Computer
2014-09-01 00:39 - 2012-08-21 13:01 - 00026840 _____ (GEAR Software Inc.) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2014-09-01 00:38 - 2014-09-11 23:52 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-09-01 00:38 - 2014-09-11 23:52 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple Computer
2014-09-01 00:38 - 2014-09-11 23:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple
2014-09-01 00:38 - 2014-09-01 00:38 - 00000000 ____D () C:\Documents and Settings\NetworkService\Application Data\Apple Computer
2014-09-01 00:38 - 2014-09-01 00:38 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\Apple
2014-08-31 17:27 - 2014-09-15 13:36 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-08-31 16:47 - 2014-08-31 16:48 - 124358979 _____ () C:\Documents and Settings\Admin\Desktop\update.zip
2014-08-31 07:03 - 2014-08-31 07:04 - 56826856 _____ (Logitech Inc. ) C:\Documents and Settings\Admin\Desktop\setpoint460.exe
2014-08-31 01:10 - 2011-06-11 01:58 - 00773968 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcr100.dll
2014-08-31 01:10 - 2011-06-11 01:58 - 00421200 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvcp100.dll
2014-08-30 20:03 - 2014-08-30 20:03 - 00000050 _____ () C:\WINDOWS\restore.INI
2014-08-30 20:00 - 2014-08-30 20:02 - 00000060 _____ () C:\WINDOWS\settings.INI
2014-08-30 19:58 - 2014-08-30 19:58 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\ContinuousClient
2014-08-30 19:19 - 2014-08-31 00:33 - 00000000 ____D () C:\Program Files\Syncplicity
2014-08-30 19:19 - 2014-08-31 00:01 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\Syncplicity
2014-08-30 19:19 - 2014-08-30 19:19 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\EMC_Corporation
2014-08-30 19:16 - 2014-08-31 00:05 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-08-29 10:10 - 2014-08-29 10:20 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\PAR Buddy
2014-08-29 10:05 - 2014-08-29 10:05 - 00000686 _____ () C:\Documents and Settings\Admin\Desktop\Universal Extractor.lnk
2014-08-28 02:37 - 2014-09-15 15:19 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\-new
2014-08-28 01:01 - 2014-09-15 14:12 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\dds
2014-08-28 00:54 - 2014-09-16 12:06 - 00065536 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-28 00:54 - 2014-08-28 00:54 - 00000000 ____D () C:\WINDOWS\system32\windowspowershell
2014-08-28 00:54 - 2014-08-28 00:54 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
2014-08-27 23:17 - 2014-08-27 23:17 - 00000357 _____ () C:\Documents and Settings\Admin\Desktop\IDM Hosts to add.txt
2014-08-27 19:48 - 2014-08-28 03:17 - 00000000 ____D () C:\n
2014-08-27 19:00 - 2014-08-27 19:03 - 00000000 __SHD () C:\Documents and Settings\LocalService\IETldCache
2014-08-25 20:00 - 2014-08-25 20:00 - 00000000 ____D () C:\Documents and Settings\NetworkService\Start Menu\Programs\Accessories
2014-08-25 19:06 - 2014-08-27 23:27 - 00000638 _____ () C:\Documents and Settings\Admin\Desktop\nLite.lnk
2014-08-25 19:06 - 2014-08-27 23:27 - 00000000 ____D () C:\Program Files\nLite
2014-08-25 19:06 - 2014-08-27 23:27 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\nLite
2014-08-25 18:00 - 2014-08-25 18:00 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\GHISLER
2014-08-25 17:51 - 2011-01-26 18:28 - 00024680 _____ (CaptainFlint Software) C:\WINDOWS\system32\Drivers\vd_filedisk.sys
2014-08-25 17:06 - 2014-09-16 00:54 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\tools
2014-08-25 16:51 - 2014-08-27 23:26 - 00000045 _____ () C:\WINDOWS\system32\initdebug.nfo
2014-08-25 10:33 - 2014-08-25 10:33 - 00000069 _____ () C:\Documents and Settings\Admin\Desktop\LCP - CC.txt
2014-08-25 00:31 - 2014-08-25 00:35 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\Cameraxxxvggg
2014-08-24 17:16 - 2014-09-11 23:49 - 00002345 _____ () C:\Documents and Settings\Admin\Start Menu\Programs\Windows Install Clean Up.lnk
2014-08-24 17:16 - 2014-08-24 17:16 - 00000000 ____D () C:\Program Files\Windows Installer Clean Up
2014-08-24 17:16 - 2014-08-24 17:16 - 00000000 ____D () C:\Program Files\MSECACHE
2014-08-23 17:23 - 2014-08-23 17:23 - 00000007 _____ () C:\Documents and Settings\Admin\Desktop\bear.txt
2014-08-23 11:06 - 2014-08-23 11:06 - 00006934 _____ () C:\Documents and Settings\Admin\Desktop\Raven-Symone - This Is My Time.log
2014-08-23 01:53 - 2014-08-23 01:53 - 00013574 _____ () C:\Documents and Settings\Admin\Desktop\Various Artists - Confessions of a Teenage Drama Queen Movie (Soundtrack).log
2014-08-22 22:41 - 2014-08-22 23:19 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Mp3tag
2014-08-22 22:08 - 2014-08-23 11:06 - 00000000 ____D () C:\EAC
2014-08-22 22:05 - 2014-08-22 23:39 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\AccurateRip
2014-08-22 22:05 - 2014-08-22 22:05 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\EAC
2014-08-22 22:04 - 2014-08-22 22:04 - 00000654 _____ () C:\Documents and Settings\All Users\Desktop\Mp3tag.lnk
2014-08-22 22:04 - 2014-08-22 22:04 - 00000000 ____D () C:\Program Files\Mp3tag
2014-08-22 22:04 - 2014-08-22 22:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Mp3tag
2014-08-22 22:02 - 2014-08-22 22:02 - 00000851 _____ () C:\Documents and Settings\Admin\Desktop\FLAC frontend.lnk
2014-08-19 14:57 - 2014-08-19 14:57 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Adobe
2014-08-19 13:29 - 2014-09-06 11:19 - 00000000 ____D () C:\totalcmd
2014-08-19 13:29 - 2014-08-25 17:57 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\GHISLER
2014-08-19 13:29 - 2014-08-19 13:29 - 00000548 _____ () C:\Documents and Settings\Admin\Desktop\Total Commander.lnk
2014-08-19 13:29 - 2014-08-19 13:29 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\Total Commander
2014-08-19 12:36 - 2014-08-19 12:36 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Macromedia
2014-08-19 11:45 - 2014-08-19 11:45 - 00005543 _____ () C:\Documents and Settings\Admin\Desktop\MyContacts.csv
2014-08-19 11:45 - 2014-08-19 11:45 - 00002104 _____ () C:\Documents and Settings\Admin\Desktop\MyContacts.vcf
2014-08-18 20:47 - 2009-08-20 14:07 - 00037888 _____ (Atheros Communications, Inc.) C:\WINDOWS\system32\Drivers\l151x86.sys
2014-08-18 05:12 - 2014-08-18 05:12 - 00062098 _____ () C:\Documents and Settings\Admin\Desktop\Total.War.ROME.II.Hannibal.at.the.Gates-RELOADED.7z
2014-08-17 21:03 - 2014-08-17 21:03 - 00001316 _____ () C:\WINDOWS\system32\wpa.bak
2014-08-17 16:36 - 2014-08-17 16:38 - 00000026 _____ () C:\Documents and Settings\Admin\Desktop\VDROOP.txt
2014-08-17 16:33 - 2014-08-17 16:33 - 00002329 _____ () C:\Documents and Settings\Admin\Desktop\New Text Document (5).txt
2014-08-17 09:35 - 2014-08-17 09:47 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\badcaps
2014-08-17 06:19 - 2014-08-17 09:52 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\Camera

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-16 12:07 - 2014-09-16 12:07 - 00013601 _____ () C:\Documents and Settings\Admin\Desktop\FRST.txt
2014-09-16 12:07 - 2014-09-16 12:06 - 00000000 ____D () C:\FRST
2014-09-16 12:07 - 2014-02-22 02:21 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Temp
2014-09-16 12:06 - 2014-09-16 12:06 - 00000995 _____ () C:\Documents and Settings\Admin\Desktop\AdwCleaner[S0].txt
2014-09-16 12:06 - 2014-08-28 00:54 - 00065536 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-09-16 12:06 - 2014-07-19 16:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit
2014-09-16 12:06 - 2014-05-14 16:21 - 00065536 _____ () C:\WINDOWS\system32\config\Internet.evt
2014-09-16 12:06 - 2014-05-14 15:44 - 00000000 __SHD () C:\Documents and Settings\Admin\UserData
2014-09-16 12:06 - 2014-02-22 08:06 - 00065536 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
2014-09-16 12:06 - 2014-02-22 02:21 - 00000000 ____D () C:\Documents and Settings\Admin
2014-09-16 11:47 - 2014-09-04 15:04 - 08405015 _____ () C:\WINDOWS\hlktmp
2014-09-16 11:46 - 2014-09-16 11:39 - 00000000 ____D () C:\AdwCleaner
2014-09-16 11:46 - 2014-02-22 02:21 - 00000178 ___SH () C:\Documents and Settings\Admin\ntuser.ini
2014-09-16 11:40 - 2014-09-16 11:40 - 00000933 _____ () C:\Documents and Settings\Admin\Desktop\AdwCleaner[R0].txt
2014-09-16 11:30 - 2014-09-16 11:30 - 01097728 _____ (Farbar) C:\Documents and Settings\Admin\Desktop\FRST.exe
2014-09-16 11:27 - 2014-09-16 11:27 - 01373475 _____ () C:\Documents and Settings\Admin\Desktop\adwcleaner_3.310.exe
2014-09-16 10:19 - 2014-02-22 07:18 - 00000000 ____D () C:\Program Files\Defraggler
2014-09-16 10:02 - 2014-05-14 14:43 - 00000000 ____D () C:\Program Files\BleachBit
2014-09-16 10:01 - 2014-09-15 14:02 - 00001824 _____ () C:\PureRa.txt
2014-09-16 10:01 - 2014-05-15 01:00 - 00000000 __SHD () C:\Documents and Settings\NetworkService\IETldCache
2014-09-16 10:01 - 2014-02-22 02:20 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-09-16 09:57 - 2014-02-22 07:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2014-09-16 07:14 - 2014-07-23 12:13 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\XnView
2014-09-16 07:14 - 2014-02-22 07:21 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\TeraCopy
2014-09-16 06:38 - 2002-06-25 13:34 - 00001374 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-16 06:14 - 2014-05-16 09:57 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\uTorrent
2014-09-16 05:45 - 2014-07-19 08:13 - 00000000 ____D () C:\znzb
2014-09-16 05:24 - 2014-05-16 04:14 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\sabnzbd
2014-09-16 02:24 - 2014-05-18 12:20 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\QuickPar
2014-09-16 00:57 - 2014-07-19 00:48 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\archives
2014-09-16 00:56 - 2014-07-23 14:22 - 00000262 _____ () C:\Documents and Settings\Admin\Desktop\New Text Document (3).txt
2014-09-16 00:54 - 2014-08-25 17:06 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\tools
2014-09-16 00:54 - 2014-02-22 05:24 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\pp
2014-09-15 23:38 - 2014-09-15 23:37 - 00000800 _____ () C:\Documents and Settings\Admin\Desktop\New Text Document (4).txt
2014-09-15 22:58 - 2014-05-18 07:55 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\DMCache
2014-09-15 22:34 - 2014-06-18 00:42 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\TEMP
2014-09-15 22:34 - 2014-02-22 07:20 - 00000000 ____D () C:\Program Files\SpywareBlaster
2014-09-15 22:20 - 2014-09-15 22:05 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2014-09-15 22:16 - 2014-09-15 22:05 - 00000000 ____D () C:\WINDOWS\system32\Drivers\NIS
2014-09-15 22:15 - 2014-09-15 22:05 - 00001989 _____ () C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
2014-09-15 22:15 - 2014-09-15 22:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Norton Internet Security
2014-09-15 22:13 - 2014-05-14 15:41 - 00002974 _____ () C:\WINDOWS\Tasks\SCHEDLGU.TXT
2014-09-15 22:13 - 2014-02-22 02:20 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-15 22:05 - 2014-09-15 22:05 - 00142936 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2014-09-15 22:05 - 2014-09-15 22:05 - 00008194 _____ () C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2014-09-15 22:05 - 2014-09-15 22:05 - 00000000 ____D () C:\Program Files\Symantec
2014-09-15 22:05 - 2014-09-15 22:04 - 00000000 ____D () C:\Program Files\Norton Internet Security
2014-09-15 22:04 - 2014-05-12 17:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Norton
2014-09-15 21:27 - 2014-02-22 02:20 - 00237568 _____ () C:\Documents and Settings\NetworkService\NTUSER.bak
2014-09-15 21:27 - 2014-02-21 20:59 - 00262144 _____ () C:\WINDOWS\system32\config\SECURITY.bak
2014-09-15 21:27 - 2014-02-21 20:59 - 00262144 _____ () C:\WINDOWS\system32\config\SAM.bak
2014-09-15 21:27 - 2014-02-21 20:58 - 28573696 _____ () C:\WINDOWS\system32\config\software.bak
2014-09-15 21:27 - 2014-02-21 20:58 - 08650752 _____ () C:\WINDOWS\system32\config\system.bak
2014-09-15 21:27 - 2014-02-21 20:58 - 04980736 _____ () C:\WINDOWS\system32\config\default.bak
2014-09-15 21:18 - 2014-05-14 15:08 - 00004525 _____ () C:\Documents and Settings\Admin\Desktop\emals all.txt
2014-09-15 21:11 - 2014-09-15 20:12 - 00000000 ____D () C:\-new
2014-09-15 20:37 - 2014-05-12 17:40 - 00000000 ____D () C:\WINDOWS\Minidump
2014-09-15 20:37 - 2014-02-22 07:22 - 00000000 ____D () C:\Program Files\Unlocker
2014-09-15 20:10 - 2014-09-15 19:10 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\xp
2014-09-15 20:08 - 2014-07-29 14:23 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\New Folder
2014-09-15 15:19 - 2014-08-28 02:37 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\-new
2014-09-15 15:19 - 2014-05-18 07:55 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\IDM
2014-09-15 15:10 - 2014-05-15 02:43 - 00001546 _____ () C:\Documents and Settings\Admin\Desktop\MPC-HC.lnk
2014-09-15 15:10 - 2014-05-15 02:42 - 00000000 ____D () C:\Program Files\MPC-HC
2014-09-15 15:10 - 2014-05-15 02:42 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\MPC-HC
2014-09-15 14:12 - 2014-08-28 01:01 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\dds
2014-09-15 13:55 - 2014-07-23 13:50 - 00000163 _____ () C:\Documents and Settings\Admin\Desktop\74.109.196.115.txt
2014-09-15 13:51 - 2014-02-22 07:18 - 00000000 ____D () C:\Program Files\CCleaner
2014-09-15 13:50 - 2014-09-15 13:06 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Notepad++
2014-09-15 13:36 - 2014-08-31 17:27 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-15 13:34 - 2014-07-26 03:36 - 00000000 ____D () C:\Program Files\EaseUS
2014-09-15 13:29 - 2014-05-18 11:03 - 00000000 ____D () C:\Program Files\WinRAR
2014-09-15 13:22 - 2014-07-21 05:09 - 00000000 ____D () C:\Program Files\Internet Download Manager
2014-09-15 13:21 - 2014-07-21 05:09 - 00000696 _____ () C:\Documents and Settings\Admin\Desktop\Internet Download Manager.lnk
2014-09-15 13:19 - 2014-09-15 12:54 - 00000205 _____ () C:\Documents and Settings\Admin\Desktop\New Text Document (12).txt
2014-09-15 13:18 - 2014-05-18 11:04 - 00000692 _____ () C:\Documents and Settings\Admin\Start Menu\WinRAR.lnk
2014-09-15 13:18 - 2014-05-18 11:04 - 00000692 _____ () C:\Documents and Settings\Admin\Desktop\WinRAR.lnk
2014-09-15 13:18 - 2014-05-18 11:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
2014-09-15 13:18 - 2014-05-18 11:04 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\WinRAR
2014-09-15 13:07 - 2014-09-15 13:07 - 00000736 _____ () C:\Documents and Settings\Admin\Desktop\Notepad++.lnk
2014-09-15 13:07 - 2014-09-15 13:07 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Notepad++
2014-09-15 13:07 - 2014-09-15 13:07 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\Notepad++
2014-09-15 13:07 - 2014-09-15 13:06 - 00000000 ____D () C:\Program Files\Notepad++
2014-09-15 13:00 - 2014-09-15 13:00 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-12 02:25 - 2014-09-12 02:25 - 00000000 ____D () C:\Documents and Settings\Admin\My Documents\MPC-HC Capture
2014-09-12 02:22 - 2014-05-15 12:23 - 00000000 ____D () C:\Program Files\Recuva
2014-09-11 23:56 - 2014-02-22 07:44 - 00000000 ____D () C:\WINDOWS\system32\ReinstallBackups
2014-09-11 23:52 - 2014-09-01 00:38 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-09-11 23:52 - 2014-09-01 00:38 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple Computer
2014-09-11 23:49 - 2014-09-01 00:38 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Apple
2014-09-11 23:49 - 2014-08-24 17:16 - 00002345 _____ () C:\Documents and Settings\Admin\Start Menu\Programs\Windows Install Clean Up.lnk
2014-09-11 21:09 - 2014-09-11 21:09 - 00000000 ____D () C:\Documents and Settings\Admin\.android
2014-09-10 15:51 - 2014-09-10 15:49 - 00004667 _____ () C:\rootkit.log
2014-09-10 13:45 - 2014-02-22 07:19 - 00001638 _____ () C:\Documents and Settings\Admin\Start Menu\Programs\Update Checker.lnk
2014-09-10 13:45 - 2014-02-22 07:19 - 00001632 _____ () C:\Documents and Settings\Admin\Desktop\Update Checker.lnk
2014-09-10 01:24 - 2014-09-10 01:24 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\BleachBit
2014-09-10 01:24 - 2014-08-13 07:48 - 00000694 _____ () C:\Documents and Settings\Admin\Desktop\BleachBit.lnk
2014-09-10 00:28 - 2014-09-10 00:28 - 00000683 _____ () C:\Documents and Settings\Admin\Desktop\CUETools.lnk
2014-09-10 00:27 - 2014-09-10 00:25 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\foobar2000
2014-09-10 00:25 - 2014-09-10 00:25 - 00000786 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\foobar2000.lnk
2014-09-10 00:25 - 2014-09-10 00:25 - 00000710 _____ () C:\Documents and Settings\All Users\Desktop\foobar2000.lnk
2014-09-10 00:25 - 2014-09-10 00:25 - 00000000 ____D () C:\Program Files\foobar2000
2014-09-10 00:03 - 2014-09-10 00:03 - 00000702 _____ () C:\Documents and Settings\Admin\Desktop\DVD Identifier.lnk
2014-09-10 00:03 - 2014-09-10 00:03 - 00000000 ____D () C:\Program Files\DVD Identifier
2014-09-10 00:03 - 2014-09-10 00:03 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\DVD Identifier
2014-09-09 23:00 - 2014-09-09 23:00 - 00000000 ____D () C:\Program Files\ASIO4ALL v2
2014-09-09 23:00 - 2014-09-09 23:00 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\ASIO4ALL v2
2014-09-09 20:32 - 2014-09-09 20:32 - 00000753 _____ () C:\Documents and Settings\All Users\Desktop\Exact Audio Copy.lnk
2014-09-09 20:32 - 2014-09-09 20:32 - 00000000 ____D () C:\Program Files\Exact Audio Copy
2014-09-09 20:32 - 2014-09-09 20:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Exact Audio Copy
2014-09-09 18:30 - 2014-03-11 22:35 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\txt (new cpu)
2014-09-09 13:51 - 2014-09-09 13:51 - 00000000 ____D () C:\Program Files\MSXML 4.0
2014-09-07 00:38 - 2014-09-06 09:56 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\dvd utilities
2014-09-06 23:39 - 2014-02-21 20:50 - 00000000 ____D () C:\WINDOWS\system32\mui
2014-09-06 22:14 - 2014-09-06 22:08 - 00000000 ____D () C:\Program Files\WinISO Computing
2014-09-06 22:08 - 2014-09-06 22:08 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\WinISO Computing
2014-09-06 22:08 - 2014-09-06 22:08 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\WinISO Computing
2014-09-06 18:45 - 2014-09-06 18:45 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\WindSolutions
2014-09-06 18:43 - 2014-09-06 18:43 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\WindSolutions
2014-09-06 11:19 - 2014-08-19 13:29 - 00000000 ____D () C:\totalcmd
2014-09-06 10:12 - 2014-08-11 14:41 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\PerformanceTest
2014-09-05 08:28 - 2014-09-05 08:28 - 00000000 ____H () C:\WINDOWS\system32\Drivers\Msft_Kernel_WinUSB_01007.Wdf
2014-09-05 06:47 - 2014-09-05 06:43 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\WinMount
2014-09-05 06:42 - 2014-09-05 06:42 - 00065856 _____ (WinMount International Inc) C:\WINDOWS\system32\Drivers\WMDrive.sys
2014-09-05 04:48 - 2014-02-22 07:41 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-09-05 03:44 - 2014-05-15 02:43 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\MPC-HC
2014-09-05 02:25 - 2014-09-05 02:25 - 01704993 _____ () C:\Documents and Settings\Admin\Desktop\openvpn-2.2.2-install.exe
2014-09-05 02:25 - 2014-09-05 02:25 - 00000050 _____ () C:\Documents and Settings\Admin\Desktop\ACE VPN.txt
2014-09-05 00:39 - 2014-09-05 00:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Catalyst Control Center
2014-09-05 00:39 - 2014-09-05 00:38 - 00000000 ____D () C:\Program Files\ATI Technologies
2014-09-05 00:38 - 2014-09-05 00:38 - 00000000 ____D () C:\Program Files\ATI
2014-09-05 00:38 - 2014-09-05 00:38 - 00000000 _____ () C:\WINDOWS\ativpsrm.bin
2014-09-04 19:13 - 2014-09-04 19:13 - 00190464 _____ (Power Admin LLC) C:\WINDOWS\PAExec.exe
2014-09-04 15:05 - 2014-09-04 15:05 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\FLEXnet
2014-09-04 15:04 - 2014-09-04 15:04 - 00047616 _____ (Aladdin Knowledge Systems) C:\WINDOWS\system32\Drivers\Haspnt.sys
2014-09-04 15:04 - 2014-09-04 15:04 - 00006656 _____ (Aladdin Knowledge Systems.) C:\WINDOWS\system32\haspvdd.dll
2014-09-04 15:04 - 2014-09-04 15:04 - 00000383 _____ () C:\WINDOWS\system32\haspdos.sys
2014-09-04 15:04 - 2014-09-04 15:04 - 00000000 ____D () C:\Program Files\Common Files\Aladdin Shared
2014-09-04 15:04 - 2014-02-22 02:15 - 00002620 _____ () C:\WINDOWS\system32\CONFIG.NT
2014-09-04 15:03 - 2014-09-04 15:03 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\FLEXnet
2014-09-02 18:57 - 2014-09-02 18:40 - 00002003 _____ () C:\Documents and Settings\Admin\Desktop\Cover Letter - Matthew Petronsky.txt
2014-09-02 18:40 - 2014-09-02 18:40 - 00002733 _____ () C:\Documents and Settings\Admin\Desktop\Resume - Matthew Petronsky.txt
2014-09-01 00:42 - 2014-09-01 00:39 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Apple Computer
2014-09-01 00:39 - 2014-09-01 00:39 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\Apple Computer
2014-09-01 00:38 - 2014-09-01 00:38 - 00000000 ____D () C:\Documents and Settings\NetworkService\Application Data\Apple Computer
2014-09-01 00:38 - 2014-09-01 00:38 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\Apple
2014-08-31 16:48 - 2014-08-31 16:47 - 124358979 _____ () C:\Documents and Settings\Admin\Desktop\update.zip
2014-08-31 07:04 - 2014-08-31 07:03 - 56826856 _____ (Logitech Inc. ) C:\Documents and Settings\Admin\Desktop\setpoint460.exe
2014-08-31 03:37 - 2014-08-13 02:14 - 00000430 _____ () C:\Documents and Settings\Admin\Desktop\Local Area Connection.lnk
2014-08-31 02:58 - 2014-07-19 09:22 - 00000000 ____D () C:\Program Files\SABnzbd
2014-08-31 01:11 - 2014-06-02 02:40 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Exploit.lnk
2014-08-31 01:11 - 2014-06-02 02:40 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Exploit
2014-08-31 01:11 - 2014-06-02 02:40 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Exploit
2014-08-31 00:33 - 2014-08-30 19:19 - 00000000 ____D () C:\Program Files\Syncplicity
2014-08-31 00:20 - 2014-08-12 02:45 - 00000000 _____ () C:\JavaRa.log
2014-08-31 00:05 - 2014-08-30 19:16 - 00000000 ____D () C:\Program Files\Microsoft.NET
2014-08-31 00:01 - 2014-08-30 19:19 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\Syncplicity
2014-08-30 20:03 - 2014-08-30 20:03 - 00000050 _____ () C:\WINDOWS\restore.INI
2014-08-30 20:02 - 2014-08-30 20:00 - 00000060 _____ () C:\WINDOWS\settings.INI
2014-08-30 19:58 - 2014-08-30 19:58 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\ContinuousClient
2014-08-30 19:58 - 2014-05-14 23:36 - 00000178 ___SH () C:\Documents and Settings\LocalService\ntuser.ini
2014-08-30 19:19 - 2014-08-30 19:19 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\EMC_Corporation
2014-08-30 19:18 - 2014-02-21 21:01 - 00545164 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-08-30 19:16 - 2014-02-22 07:44 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-08-30 09:34 - 2014-02-21 20:58 - 00000223 ____H () C:\boot.ini
2014-08-29 23:21 - 2014-02-22 08:54 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Malwarebytes
2014-08-29 23:21 - 2014-02-22 07:19 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-08-29 13:01 - 2014-05-14 16:18 - 98758480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-08-29 10:20 - 2014-08-29 10:10 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\PAR Buddy
2014-08-29 10:05 - 2014-08-29 10:05 - 00000686 _____ () C:\Documents and Settings\Admin\Desktop\Universal Extractor.lnk
2014-08-28 03:17 - 2014-08-27 19:48 - 00000000 ____D () C:\n
2014-08-28 01:03 - 2014-02-22 02:11 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-08-28 00:54 - 2014-08-28 00:54 - 00000000 ____D () C:\WINDOWS\system32\windowspowershell
2014-08-28 00:54 - 2014-08-28 00:54 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Windows PowerShell 1.0
2014-08-27 23:27 - 2014-08-25 19:06 - 00000638 _____ () C:\Documents and Settings\Admin\Desktop\nLite.lnk
2014-08-27 23:27 - 2014-08-25 19:06 - 00000000 ____D () C:\Program Files\nLite
2014-08-27 23:27 - 2014-08-25 19:06 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\nLite
2014-08-27 23:26 - 2014-08-25 16:51 - 00000045 _____ () C:\WINDOWS\system32\initdebug.nfo
2014-08-27 23:17 - 2014-08-27 23:17 - 00000357 _____ () C:\Documents and Settings\Admin\Desktop\IDM Hosts to add.txt
2014-08-27 22:12 - 2014-08-11 14:45 - 00000000 ____D () C:\Documents and Settings\Admin\My Documents\PassMark
2014-08-27 19:03 - 2014-08-27 19:00 - 00000000 __SHD () C:\Documents and Settings\LocalService\IETldCache
2014-08-27 19:00 - 2014-05-14 23:36 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-08-27 18:41 - 2014-02-22 04:14 - 00001590 _____ () C:\Documents and Settings\Admin\Desktop\Services.lnk
2014-08-27 17:58 - 2014-02-22 07:18 - 00000682 _____ () C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2014-08-25 20:00 - 2014-08-25 20:00 - 00000000 ____D () C:\Documents and Settings\NetworkService\Start Menu\Programs\Accessories
2014-08-25 20:00 - 2014-02-22 02:15 - 00023392 _____ () C:\WINDOWS\system32\nscompat.tlb
2014-08-25 20:00 - 2014-02-22 02:15 - 00016832 _____ () C:\WINDOWS\system32\amcompat.tlb
2014-08-25 19:27 - 2014-08-11 00:26 - 00000000 ____D () C:\Documents and Settings\Admin\My Documents\XP images
2014-08-25 18:00 - 2014-08-25 18:00 - 00000000 ____D () C:\Documents and Settings\Admin\Local Settings\Application Data\GHISLER
2014-08-25 17:57 - 2014-08-19 13:29 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\GHISLER
2014-08-25 17:09 - 2014-02-21 20:50 - 00000000 ____D () C:\WINDOWS\security
2014-08-25 10:33 - 2014-08-25 10:33 - 00000069 _____ () C:\Documents and Settings\Admin\Desktop\LCP - CC.txt
2014-08-25 10:23 - 2014-07-23 20:48 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2014-08-25 09:56 - 2002-06-25 13:28 - 00000231 _____ () C:\WINDOWS\system.ini
2014-08-25 00:35 - 2014-08-25 00:31 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\Cameraxxxvggg
2014-08-24 17:16 - 2014-08-24 17:16 - 00000000 ____D () C:\Program Files\Windows Installer Clean Up
2014-08-24 17:16 - 2014-08-24 17:16 - 00000000 ____D () C:\Program Files\MSECACHE
2014-08-23 17:23 - 2014-08-23 17:23 - 00000007 _____ () C:\Documents and Settings\Admin\Desktop\bear.txt
2014-08-23 11:06 - 2014-08-23 11:06 - 00006934 _____ () C:\Documents and Settings\Admin\Desktop\Raven-Symone - This Is My Time.log
2014-08-23 11:06 - 2014-08-22 22:08 - 00000000 ____D () C:\EAC
2014-08-23 01:53 - 2014-08-23 01:53 - 00013574 _____ () C:\Documents and Settings\Admin\Desktop\Various Artists - Confessions of a Teenage Drama Queen Movie (Soundtrack).log
2014-08-22 23:39 - 2014-08-22 22:05 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\AccurateRip
2014-08-22 23:19 - 2014-08-22 22:41 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Mp3tag
2014-08-22 22:05 - 2014-08-22 22:05 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\EAC
2014-08-22 22:04 - 2014-08-22 22:04 - 00000654 _____ () C:\Documents and Settings\All Users\Desktop\Mp3tag.lnk
2014-08-22 22:04 - 2014-08-22 22:04 - 00000000 ____D () C:\Program Files\Mp3tag
2014-08-22 22:04 - 2014-08-22 22:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Mp3tag
2014-08-22 22:02 - 2014-08-22 22:02 - 00000851 _____ () C:\Documents and Settings\Admin\Desktop\FLAC frontend.lnk
2014-08-22 12:16 - 2014-08-16 23:50 - 00000063 _____ () C:\Documents and Settings\Admin\Desktop\Fmacg3333.txt
2014-08-19 14:57 - 2014-08-19 14:57 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Adobe
2014-08-19 13:29 - 2014-08-19 13:29 - 00000548 _____ () C:\Documents and Settings\Admin\Desktop\Total Commander.lnk
2014-08-19 13:29 - 2014-08-19 13:29 - 00000000 ____D () C:\Documents and Settings\Admin\Start Menu\Programs\Total Commander
2014-08-19 13:28 - 2014-07-29 13:11 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\Photos
2014-08-19 12:36 - 2014-08-19 12:36 - 00000000 ____D () C:\Documents and Settings\Admin\Application Data\Macromedia
2014-08-19 11:45 - 2014-08-19 11:45 - 00005543 _____ () C:\Documents and Settings\Admin\Desktop\MyContacts.csv
2014-08-19 11:45 - 2014-08-19 11:45 - 00002104 _____ () C:\Documents and Settings\Admin\Desktop\MyContacts.vcf
2014-08-18 05:12 - 2014-08-18 05:12 - 00062098 _____ () C:\Documents and Settings\Admin\Desktop\Total.War.ROME.II.Hannibal.at.the.Gates-RELOADED.7z
2014-08-17 21:03 - 2014-08-17 21:03 - 00001316 _____ () C:\WINDOWS\system32\wpa.bak
2014-08-17 19:42 - 2014-08-11 05:21 - 00000000 ____D () C:\Program Files\Intel
2014-08-17 16:38 - 2014-08-17 16:36 - 00000026 _____ () C:\Documents and Settings\Admin\Desktop\VDROOP.txt
2014-08-17 16:33 - 2014-08-17 16:33 - 00002329 _____ () C:\Documents and Settings\Admin\Desktop\New Text Document (5).txt
2014-08-17 09:52 - 2014-08-17 06:19 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\Camera
2014-08-17 09:47 - 2014-08-17 09:35 - 00000000 ____D () C:\Documents and Settings\Admin\Desktop\badcaps

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 AM

Posted 16 September 2014 - 01:40 PM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Folder) -> {02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1} =>  No File
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Fully Synced) -> {CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1} =>  No File
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Not Latest Version) -> {284C090F-EB1D-4A6E-872E-6DB72E417E24} =>  No File
ShellIconOverlayIdentifiers:   Syncplicity Icon Overlay (Shared Folder) -> {3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC} =>  No File
FF Homepage: hxxp://www.google.com/webhp?complete=0
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll No File
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2014-09-12]
S4 ERFXBKNMRXX; No ImagePath
S4 MUIHVY; No ImagePath
S4 IntelIde; No ImagePath
S3 mcdbus; No ImagePath
S3 USBAAPL; No ImagePath
S2 WinisoCDBus; No ImagePath
S3 WinUSB; No ImagePath
U1 WS2IFSL; No ImagePath

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/
===

How is the computer running now?
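
The fix above acts on three kinds of registry entry: service keys with no ImagePath, shell icon overlay handlers whose CLSID no longer resolves to a file, and the LocalServer32 value of the WMI provider-host CLSID; the FRST log's "Bamital & volsnap Check" additionally verifies the digital signatures of a fixed set of core binaries. The PowerShell script below is an added example, not code from this thread, from FRST, or from nasdaq's instructions: it re-implements those four checks so a reader can triage a Windows host by hand before deciding what to remove. It assumes PowerShell 3.0 or later (for the [pscustomobject] syntax), an elevated prompt, and that on a stock install the LocalServer32 default for CLSID {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} points at %SystemRoot%\system32\wbem\wmiprvse.exe; the function names are mine.

```powershell
# Added example: re-implements the checks behind the FRST fix above in PowerShell.
# Not code from the thread or from FRST. Assumes PowerShell 3.0+ and an elevated prompt.

# 1. The same core files FRST verifies in its "Bamital & volsnap Check".
$coreFiles = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\system32\winlogon.exe",
    "$env:SystemRoot\system32\svchost.exe",
    "$env:SystemRoot\system32\services.exe",
    "$env:SystemRoot\system32\user32.dll",
    "$env:SystemRoot\system32\userinit.exe",
    "$env:SystemRoot\system32\rpcss.dll",
    "$env:SystemRoot\system32\drivers\volsnap.sys"
)

function Test-CoreFileSignatures {
    foreach ($path in $coreFiles) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'Missing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        # 'Valid' means the Authenticode chain (embedded or catalog) verified.
        # Caveat: older PowerShell/Windows builds do not consult catalogs, so OS
        # binaries can show 'NotSigned' there; cross-check with sigcheck before acting.
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# 2. Service/driver keys with no ImagePath (FRST's "No ImagePath" lines).
function Get-ServicesWithoutImagePath {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        if (-not $p.ImagePath) {
            # Type 1/2 = kernel/file-system driver: the loader falls back to
            # System32\drivers\<Name>.sys, so a missing ImagePath can be legitimate
            # (IntelIde in the log is one). Type 0x10/0x20 = Win32 service: it cannot
            # start without ImagePath, so the key is a leftover or a planted entry.
            [pscustomobject]@{
                Name           = $_.PSChildName
                Start          = $p.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                Type           = $p.Type
                DriverFallback = Test-Path -LiteralPath "$env:SystemRoot\system32\drivers\$($_.PSChildName).sys"
            }
        }
    }
}

# 3. Shell icon overlay handlers whose CLSID no longer resolves to a DLL on disk.
function Get-OrphanedShellOverlays {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    Get-ChildItem -LiteralPath $root | ForEach-Object {
        $clsid  = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if ($clsid -and (Test-Path -LiteralPath $server)) {
            $dll = (Get-ItemProperty -LiteralPath $server).'(default)' -replace '"', ''
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
        }
        if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
            [pscustomobject]@{ Handler = $_.PSChildName; CLSID = $clsid; Dll = $dll }
        }
    }
}

# 4. The WMI provider-host CLSID the fix restores. Assumption (stock install):
#    LocalServer32 default points at %SystemRoot%\system32\wbem\wmiprvse.exe.
function Test-WmiPrvSeLocalServer {
    $key = 'HKLM:\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32'
    $val = if (Test-Path -LiteralPath $key) { (Get-ItemProperty -LiteralPath $key).'(default)' } else { $null }
    [pscustomobject]@{
        Value    = $val
        Expected = ($val -ne $null) -and ($val -like '*\wbem\wmiprvse.exe*')
    }
}

Test-CoreFileSignatures      | Format-Table -AutoSize
Get-ServicesWithoutImagePath | Format-Table -AutoSize
Get-OrphanedShellOverlays    | Format-Table -AutoSize
Test-WmiPrvSeLocalServer     | Format-List
```

Treat the output as a worklist, not a verdict: a driver key without ImagePath whose DriverFallback column is True is normally harmless, a Win32 service without one is dead weight at best, and an overlay handler pointing at a missing DLL is usually an uninstall leftover (as with the Syncplicity entries above). Only the signature and LocalServer32 results point directly at tampering.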

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 AM

Posted 21 September 2014 - 06:37 AM

Are you still with me?

#8 enc2guru

enc2guru
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 21 September 2014 - 06:51 PM

Hello, sorry for the delay. FRST crashed during the fix but did create a Fixlog (will post below), and the SecurityCheck log (checkup.txt) was blank.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-09-2014
Ran by Admin at 2014-09-17 15:24:17 Run:1
Running from C:\Documents and Settings\Admin\Desktop\FRST
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse] <==== ATTENTION!
ShellIconOverlayIdentifiers: Syncplicity Icon Overlay (Folder) -> {02FCECC2-84DC-4FAA-A718-C41FFCA5B8D1} => No File
ShellIconOverlayIdentifiers: Syncplicity Icon Overlay (Fully Synced) -> {CA4FCCBF-F4B7-4DD1-861E-1F42AAD396D1} => No File
ShellIconOverlayIdentifiers: Syncplicity Icon Overlay (Not Latest Version) -> {284C090F-EB1D-4A6E-872E-6DB72E417E24} => No File
ShellIconOverlayIdentifiers: Syncplicity Icon Overlay (Shared Folder) -> {3DFC86AD-F2CC-4AdA-98DD-AC5DC84119CC} => No File
FF Homepage: hxxp://www.google.com/webhp?complete=0
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll No File
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - C:\Program Files\Internet Download Manager\IDMGCExt.crx [2014-09-12]
S4 ERFXBKNMRXX; No ImagePath
S4 MUIHVY; No ImagePath
S4 IntelIde; No ImagePath
S3 mcdbus; No ImagePath
S3 USBAAPL; No ImagePath
S2 WinisoCDBus; No ImagePath
S3 WinUSB; No ImagePath
U1 WS2IFSL; No ImagePath

End
*****************

HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\Default => Value was restored successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ Syncplicity Icon Overlay (Folder)" => Key deleted successfully.




SecurityCheck checkup.txt log only contained:

````````````````````End of Log``````````````````````



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 AM

Posted 22 September 2014 - 07:11 AM

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.png]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Let me know what problem persists.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 AM

Posted 28 September 2014 - 08:29 AM

Are you still with me?

#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,756 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:01 AM

Posted 04 October 2014 - 09:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



