
Task Manager shows dllhost.exe & deurnwrha.exe many times


  • This topic is locked
9 replies to this topic

#1 DesignMaster

DesignMaster

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 18 September 2014 - 10:06 AM

There have been similar posts that a MALWARE RESPONSE TEAM MEMBER (aharonov) has solved for others using FARBAR RECOVERY SCAN TOOL.  I would like assistance running this same tool and interpreting the results.  This would be followed up with more advice.
 
Here is a link to a similar post so you can see what I am after here.  http://www.bleepingcomputer.com/forums/t/525236/30-dllhostexe32-com-surrogate-processes-running-cant-kill/
 
I open the Task Manager and go to Processes and the files will come and go. Sometimes none, sometimes upwards of twenty occurrences, and using a pile of memory. I just checked it again and the Deurnwrha.exe has 8 running, eating as much as 586,623k of memory each. rundll32.exe is another goofy one but it may be legitimate. I attached a shot of what it looks like.

There is info about "Should I run OTL and post a log of that? I will wait for instruction...dds logs attached" in the above linked post. I have no idea what OTL and dds logs are, so you will have to provide guidance on how to perform some of the diagnostic functions and such. This is my very first post on this site so I am fumbling around a bit. Hell, it took me twenty minutes just to figure out how to create a new posted question.

Again, the member stated above was very helpful solving similar issues and I hope he/she or an equal can help me out here.

Running Windows XP and recently switched to Google Chrome. I started having the problem when I did an update to a flash player or such (sorry, don't recall the exact name of it). The damn thing also installed Search Protect.exe and Web Protect.exe files in the program files directory. There is also a process running by the name MyOSProtect.exe that is part of this junk. I did a search for the files mentioned above and appended the file names with -delete and then rebooted. This at least shut them down to where my computer will actually function again. It took about 4 hours today to just get it running well enough to post to this site.

There were four files in the c:\windows\prefetch folder with differing file names that started with deurnwrha.exe that seem to be associated with this crap as well.

Hopefully enough info to get on with a fix. Oh, I just finished installing and running Malwarebytes free version and it quarantined a file whose full name I could not see. I ran it in safe mode, so my screen settings had things so big that it did not fit on the screen fully. Here is what I could read: ional.ConduitSearchProtect. Again this is more of the same associated junk.

Any help would be greatly appreciated. I have two such computers with similar issues running like complete dogs. Thanks in advance.

 


#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:16 AM

Posted 18 September 2014 - 10:11 AM

Hi,

please run a FRST scan:


Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.
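
An added example, not part of this thread and not FRST's or the Malware Response Team's own tooling: a Python script that applies the first-pass checks a responder makes when reading an FRST.txt, namely binaries running from user-writable directories under a forged-looking publisher name, Run keys that load a DLL through rundll32, AppInit_DLLs, non-Microsoft Winsock LSP entries, services and drivers that are unsigned with no publisher or that sit in the root of the system drive, and FRST's own "<==== ATTENTION" marker. The sample input is a trimmed copy of lines from the FRST log posted in this thread; the rule names, the regular expressions and the TRUSTED_PUBLISHERS set are my own assumptions.

```python
"""Triage heuristics for Farbar Recovery Scan Tool (FRST.txt) output.

Added example for this thread; not FRST's own logic. Each rule encodes one
thing a responder looks for first in an FRST log.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Directories that an auto-start binary, service or driver should not live in.
USER_WRITABLE = re.compile(
    r"\\(?:Local Settings\\Temp|Local Settings\\Application Data"
    r"|AppData\\Local\\Temp|AppData\\Roaming)\\",
    re.IGNORECASE,
)
# A bare file in the root of a drive, e.g. C:\monitorsvc.exe (no subdirectory).
DRIVE_ROOT = re.compile(r"[A-Z]:\\[^\\\s]+\.(?:exe|dll|sys)", re.IGNORECASE)
# "(Publisher) C:\path" as FRST prints running processes.
PROCESS_LINE = re.compile(r"^\((?P<pub>[^)]*)\)\s+(?P<path>[A-Z]:\\.+)$", re.IGNORECASE)
# Any Run/RunOnce value, and the subset whose command is rundll32.
RUN_KEY = re.compile(r"\\Run(?:Once)?:", re.IGNORECASE)
RUNDLL_RUN = re.compile(r"\\Run(?:Once)?:\s*\[[^\]]*\]\s*=>\s*rundll32(?:\.exe)?\s", re.IGNORECASE)
# "Winsock: Catalog9 01 C:\...\x.dll [size] (Publisher)"
LSP_LINE = re.compile(
    r"^Winsock:\s+Catalog\d+\s+\d+\s+(?P<path>[A-Z]:\\.+?)\s+\[\d+\]\s+\((?P<pub>[^)]*)\)",
    re.IGNORECASE,
)
# "R2 Name; C:\path [size date] (Publisher) ..." for both services and drivers.
SERVICE_LINE = re.compile(r"^[RSU]\d\s+(?P<name>[^;]+);\s*(?P<path>[A-Z]:[\\/].+?)\s+\[", re.IGNORECASE)
# Assumption: publisher names that adware routinely forges in the PE version block.
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "Google Inc."}

# Trimmed lines from the FRST log posted in this thread (not a complete log).
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\Deurnwrha.exe
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\Run: [Ggujyzvvb] => rundll32.exe "C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help\Ggujyzvvb.dll",DllRegisterServer
AppInit_DLLs: C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll File Not Found
==================== Internet (Whitelisted) ====================
Winsock: Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Winsock: Catalog9 01 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
========================== Services (Whitelisted) =================
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
S4 ProtectMonitor; C:\monitorsvc.exe [34244 2014-09-02] () [File not signed]
==================== Drivers (Whitelisted) ====================
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
"""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs for every log line that trips a heuristic."""
    hits: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):          # blank or section header
            continue
        if "<====" in line and "ATTENTION" in line:  # FRST already flagged it
            hits.append(("frst-attention", line))
        m = PROCESS_LINE.match(line)
        if m and USER_WRITABLE.search(m.group("path")):
            # A real Google/Microsoft binary does not run out of %TEMP%.
            rule = "publisher-path-mismatch" if m.group("pub") in TRUSTED_PUBLISHERS else "process-from-temp"
            hits.append((rule, line))
        if RUN_KEY.search(line) and USER_WRITABLE.search(line):
            hits.append(("autorun-from-user-dir", line))
        if RUNDLL_RUN.search(line) and "DllRegisterServer" in line:
            hits.append(("rundll32-run-key", line))   # DLL loaded via rundll32 export
        if line.startswith("AppInit_DLLs:"):
            hits.append(("appinit-dlls", line))       # injected into every user32 process
        m = LSP_LINE.match(line)
        if m and m.group("pub") != "Microsoft Corporation":
            hits.append(("winsock-lsp", line))        # third-party LSP sees all sockets
        m = SERVICE_LINE.match(line)
        if m:
            if DRIVE_ROOT.fullmatch(m.group("path")):
                hits.append(("service-in-drive-root", line))
            if "() [File not signed]" in line:
                hits.append(("unsigned-no-publisher", line))
    return hits


def summarize(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count hits per rule, e.g. {'winsock-lsp': 1, ...}."""
    return dict(Counter(rule for rule, _ in hits))


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_FRST):
        print(f"{rule:25} {line[:100]}")
    print(summarize(triage(SAMPLE_FRST)))
```

Old OEM drivers with a publisher name but no signature (the Broadcom Bluetooth stack in this log, for instance) are deliberately not flagged; the unsigned rule only fires when the publisher field is empty as well, which is the combination that almost never describes a legitimate driver.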


#3 DesignMaster

DesignMaster
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 18 September 2014 - 10:19 AM

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-09-2014
Ran by Todd (administrator) on CDTMT-PC on 18-09-2014 08:40:55
Running from C:\Documents and Settings\Todd\Desktop
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
(IDT, Inc.) C:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\Deurnwrha.exe
(Google Inc.) C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\Deurnwrha.exe
(Google Inc.) C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\Deurnwrha.exe
(Google Inc.) C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\Deurnwrha.exe
(Google Inc.) C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\Deurnwrha.exe
(Google Inc.) C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\Deurnwrha.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [483422 2009-03-12] (IDT, Inc.)
HKLM\...\Run: [Logitech Hardware Abstraction Layer] => KHALMNPR.EXE
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKU\.DEFAULT\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
HKU\.DEFAULT\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe [247968 2012-01-09] (Adobe Systems, Inc.)
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\Run: [Ggujyzvvb] => rundll32.exe "C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help\Ggujyzvvb.dll",DllRegisterServer
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\MountPoints2: {5f3e825f-8359-11e0-91a5-0019d1a50581} - F:\LaunchU3.exe -a
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\MountPoints2: {f413aa0c-c6bc-11e1-91c4-0019d1a50581} - E:\LaunchU3.exe -a
AppInit_DLLs: C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll File Not Found
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M147FAD95-066A-4B43-BC90-F6376773F8D0&SearchSource=58&CUI=&UM=6&UP=SPFAFEEABD-6F6C-46F3-BDB8-AEEA4FC745B0&q={searchTerms}&SSPV=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M147FAD95-066A-4B43-BC90-F6376773F8D0&SearchSource=58&CUI=&UM=6&UP=SPFAFEEABD-6F6C-46F3-BDB8-AEEA4FC745B0&q={searchTerms}&SSPV=
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303499554875
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
Winsock: Catalog9 01 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 02 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 26 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Tcpip\Parameters: [DhcpNameServer] 69.144.127.53 24.247.15.53 68.116.46.115

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Todd\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-01-09]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-12-29]

Chrome:
=======
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [266295 2006-07-25] (Broadcom Corporation.) [File not signed]
S3 CoordinatorServiceHost; C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [89192 2012-10-06] (Dassault Systèmes SolidWorks Corp.)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-12-29] (Flexera Software, Inc.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-01-09] (Sun Microsystems, Inc.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2799808 2005-09-23] (Microsoft Corporation)
R2 Orbiter; C:/Program Files/ORBTR/orbiter.dll [492496 2014-09-10] (Client Connect LTD)
S4 ProtectMonitor; C:\monitorsvc.exe [34244 2014-09-02] () [File not signed]
S3 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2013-12-29] (SolidWorks) [File not signed]
R2 STacSV; c:\program files\idt\intelxpv_v103\wdm\STacSV.exe [254036 2009-03-12] (IDT, Inc.)
S2 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE [X]
S3 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 btaudio; C:\WINDOWS\System32\drivers\btaudio.sys [328285 2006-06-12] (Broadcom Corporation.) [File not signed]
S3 BTDriver; C:\WINDOWS\System32\DRIVERS\btport.sys [30427 2006-06-12] (Broadcom Corporation.) [File not signed]
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [851642 2006-08-01] (Broadcom Corporation.) [File not signed]
S3 btwhid; C:\WINDOWS\System32\DRIVERS\btwhid.sys [45779 2006-09-11] (Broadcom Corporation.) [File not signed]
S3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [65784 2006-06-12] (Broadcom Corporation.) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-18] (Malwarebytes Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
R3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [245248 2005-11-24] (Ralink Technology, Corp.)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1550613 2009-03-12] (IDT, Inc.)
S4 IntelIde; No ImagePath
S3 LMouKE; system32\DRIVERS\LMouKE.Sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-18 08:40 - 2014-09-18 08:41 - 00013059 _____ () C:\Documents and Settings\Todd\Desktop\FRST.txt
2014-09-18 08:39 - 2014-09-18 08:41 - 00000000 ____D () C:\FRST
2014-09-18 08:38 - 2014-09-18 08:39 - 01097728 _____ (Farbar) C:\Documents and Settings\Todd\Desktop\FRST.exe
2014-09-17 23:46 - 2014-09-17 23:46 - 01123572 _____ () C:\Documents and Settings\Todd\My Documents\Task Manager Shot.tif
2014-09-17 23:39 - 2014-09-17 23:39 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager sample.bmp
2014-09-17 23:38 - 2014-09-17 23:38 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager.bmp
2014-09-17 20:39 - 2014-09-18 08:32 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-17 20:39 - 2014-09-17 20:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-17 20:38 - 2014-09-17 20:39 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-17 20:38 - 2014-09-17 20:38 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-09-17 20:38 - 2014-05-12 07:26 - 00053208 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-09-17 20:38 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-09-17 20:36 - 2014-09-17 21:13 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-17 20:36 - 2014-09-17 20:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-09-17 20:36 - 2014-09-17 20:36 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-17 20:36 - 2012-05-10 19:03 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-09-17 20:36 - 2011-04-22 15:47 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Macromedia
2014-09-17 20:36 - 2011-04-22 06:12 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-09-17 20:36 - 2011-04-22 06:12 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-09-17 20:36 - 2011-04-22 06:12 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-09-17 20:32 - 2014-09-17 20:03 - 17292760 _____ (Malwarebytes Corporation ) C:\Program Files\mbam-setup-2.0.2.1012.exe
2014-09-17 10:03 - 2014-09-17 10:03 - 00000149 _____ () C:\Documents and Settings\Todd\My Documents\plot.log
2014-09-17 09:15 - 2014-09-17 09:15 - 01619084 _____ () C:\Documents and Settings\Todd\My Documents\nbsco UPS Canopy A2000.dwg
2014-09-10 21:10 - 2014-09-10 21:10 - 00009744 _____ () C:\WINDOWS\system32\MyOSProtect.ini
2014-09-10 21:10 - 2014-09-10 21:10 - 00002312 _____ () C:\WINDOWS\system32\MyOSProtectOff.ini
2014-09-10 21:10 - 2014-09-01 12:29 - 00019840 _____ () C:\WINDOWS\system32\Drivers\pcwatch.sys
2014-09-10 21:10 - 2014-09-01 12:28 - 00304776 _____ (MyOSCompany) C:\WINDOWS\system32\MyOSProtect.dll
2014-09-10 21:09 - 2014-09-17 06:37 - 00000000 ____D () C:\Program Files\Web Protect-delete
2014-09-10 21:09 - 2014-09-10 21:09 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\SearchProtect
2014-09-10 21:08 - 2014-09-18 08:01 - 00000000 ____D () C:\Program Files\ORBTR
2014-09-10 21:08 - 2014-09-10 21:09 - 00000000 ____D () C:\Program Files\SearchProtect-delete
2014-09-10 12:40 - 2014-09-15 21:00 - 00946352 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-09-09 13:47 - 2014-09-09 13:47 - 02041002 _____ () C:\Documents and Settings\Todd\My Documents\Steel Smith Test Options.bmp
2014-09-04 05:29 - 2014-09-03 17:34 - 10013818 _____ () C:\Documents and Settings\Todd\My Documents\13.120_Baltic_Assembly_073.dwf
2014-09-02 13:55 - 2014-09-02 13:55 - 00487483 _____ () C:\monitor.exe
2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe
2014-08-25 13:38 - 2014-09-10 16:46 - 00327680 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-08-25 13:38 - 2014-08-26 20:49 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-25 11:21 - 2014-08-25 11:21 - 00000000 ____D () C:\Documents and Settiy Internet Files
2014-08-25 11:20 - 2014-08-25 12:53 - 00065536 _____ () C:\WINDOWS\system32\config\Windows .evt
2014-08-25 11:20 - 2014-08-25 12:53 - 00065536 _____ () C:\WINDOWS\system32\config\Microsof.evt
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\system32\GroupPolicy
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-18 08:41 - 2014-09-18 08:40 - 00013059 _____ () C:\Documents and Settings\Todd\Desktop\FRST.txt
2014-09-18 08:41 - 2014-09-18 08:39 - 00000000 ____D () C:\FRST
2014-09-18 08:41 - 2011-04-22 06:27 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Temp
2014-09-18 08:39 - 2014-09-18 08:38 - 01097728 _____ (Farbar) C:\Documents and Settings\Todd\Desktop\FRST.exe
2014-09-18 08:32 - 2014-09-17 20:39 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-18 08:09 - 2013-11-30 12:52 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-09-18 08:06 - 2014-01-24 16:21 - 00000512 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1060284298-484061587-725345543-1004.job
2014-09-18 08:01 - 2014-09-10 21:08 - 00000000 ____D () C:\Program Files\ORBTR
2014-09-18 08:00 - 2011-04-22 06:11 - 01680951 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-18 07:59 - 2014-03-27 15:42 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-09-18 07:59 - 2011-04-22 06:24 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-18 07:59 - 2011-04-21 13:33 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-18 07:59 - 2011-04-21 13:33 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-09-18 00:01 - 2011-04-22 06:27 - 00000278 ___SH () C:\Documents and Settings\Todd\ntuser.ini
2014-09-18 00:01 - 2011-04-22 06:27 - 00000000 ____D () C:\Documents and Settings\Todd
2014-09-18 00:01 - 2011-04-22 06:24 - 00032548 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-17 23:46 - 2014-09-17 23:46 - 01123572 _____ () C:\Documents and Settings\Todd\My Documents\Task Manager Shot.tif
2014-09-17 23:39 - 2014-09-17 23:39 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager sample.bmp
2014-09-17 23:38 - 2014-09-17 23:38 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager.bmp
2014-09-17 21:13 - 2014-09-17 20:36 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-17 21:13 - 2011-04-22 14:58 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB969059$
2014-09-17 20:46 - 2011-04-22 06:16 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-09-17 20:39 - 2014-09-17 20:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-17 20:39 - 2014-09-17 20:38 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-17 20:39 - 2014-09-17 20:36 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-09-17 20:38 - 2014-09-17 20:38 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-09-17 20:36 - 2014-09-17 20:36 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-17 20:03 - 2014-09-17 20:32 - 17292760 _____ (Malwarebytes Corporation ) C:\Program Files\mbam-setup-2.0.2.1012.exe
2014-09-17 10:03 - 2014-09-17 10:03 - 00000149 _____ () C:\Documents and Settings\Todd\My Documents\plot.log
2014-09-17 09:15 - 2014-09-17 09:15 - 01619084 _____ () C:\Documents and Settings\Todd\My Documents\nbsco UPS Canopy A2000.dwg
2014-09-17 07:05 - 2012-04-11 19:34 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\CutePDF Writer
2014-09-17 07:05 - 2011-04-22 15:49 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp
2014-09-17 07:02 - 2013-12-29 12:53 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help
2014-09-17 06:44 - 2004-08-04 06:00 - 00000675 _____ () C:\WINDOWS\win.ini
2014-09-17 06:44 - 2004-08-04 06:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-09-17 06:37 - 2014-09-10 21:09 - 00000000 ____D () C:\Program Files\Web Protect-delete
2014-09-16 07:53 - 2004-08-04 06:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-15 21:00 - 2014-09-10 12:40 - 00946352 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-09-15 15:17 - 2014-03-20 16:24 - 00000000 ____D () C:\SW AUTO-RECOVERY
2014-09-15 15:17 - 2013-12-29 14:35 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\SolidWorks
2014-09-15 11:11 - 2014-03-20 16:23 - 00000000 ____D () C:\SW AUTO-BACK UP
2014-09-15 10:56 - 2013-12-29 13:01 - 00002569 _____ () C:\Documents and Settings\All Users\Desktop\SolidWorks 2012.lnk
2014-09-15 10:56 - 2013-12-29 12:33 - 00000000 ____D () C:\Documents and Settings\Todd\Application Data\SolidWorks
2014-09-11 11:02 - 2011-05-20 21:40 - 00000000 ____D () C:\Documents and Settings\Todd\Application Data\U3
2014-09-11 10:55 - 2013-09-16 08:00 - 00277600 _____ () C:\WINDOWS\setupapi.log
2014-09-10 21:23 - 2011-04-22 06:10 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-09-10 21:10 - 2014-09-10 21:10 - 00009744 _____ () C:\WINDOWS\system32\MyOSProtect.ini
2014-09-10 21:10 - 2014-09-10 21:10 - 00002312 _____ () C:\WINDOWS\system32\MyOSProtectOff.ini
2014-09-10 21:09 - 2014-09-10 21:09 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\SearchProtect
2014-09-10 21:09 - 2014-09-10 21:08 - 00000000 ____D () C:\Program Files\SearchProtect-delete
2014-09-10 16:46 - 2014-08-25 13:38 - 00327680 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-09-10 16:46 - 2013-09-16 08:01 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-09-10 16:45 - 2011-04-22 14:56 - 98758480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-09-10 14:43 - 2013-12-29 20:26 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-09-09 13:47 - 2014-09-09 13:47 - 02041002 _____ () C:\Documents and Settings\Todd\My Documents\Steel Smith Test Options.bmp
2014-09-08 15:33 - 2014-03-27 15:42 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-09-05 12:05 - 2014-03-19 10:40 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\SolidWorks Pack and Go Back ups
2014-09-03 17:34 - 2014-09-04 05:29 - 10013818 _____ () C:\Documents and Settings\Todd\My Documents\13.120_Baltic_Assembly_073.dwf
2014-09-02 13:55 - 2014-09-02 13:55 - 00487483 _____ () C:\monitor.exe
2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe
2014-09-01 12:29 - 2014-09-10 21:10 - 00019840 _____ () C:\WINDOWS\system32\Drivers\pcwatch.sys
2014-09-01 12:28 - 2014-09-10 21:10 - 00304776 _____ (MyOSCompany) C:\WINDOWS\system32\MyOSProtect.dll
2014-08-29 09:34 - 2011-04-22 06:16 - 00000178 ___SH () C:\Documents and Settings\NetworkService\ntuser.ini
2014-08-26 20:49 - 2014-08-25 13:38 - 00065536 _____ () C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2014-08-25 12:53 - 2014-08-25 11:20 - 00065536 _____ () C:\WINDOWS\system32\config\Windows .evt
2014-08-25 12:53 - 2014-08-25 11:20 - 00065536 _____ () C:\WINDOWS\system32\config\Microsof.evt
2014-08-25 11:27 - 2011-04-21 13:25 - 00000000 ____D () C:\WINDOWS\security
2014-08-25 11:21 - 2014-08-25 11:21 - 00000000 ____D () C:\Documents and Settiy Internet Files
2014-08-25 11:21 - 2013-12-29 12:49 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-08-25 11:21 - 2011-04-22 06:08 - 00000000 ___RD () C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2014-08-25 11:21 - 2011-04-21 13:31 - 01390311 _____ () C:\WINDOWS\FaxSetup.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00673662 _____ () C:\WINDOWS\ocgen.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00533447 _____ () C:\WINDOWS\tsoc.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00470311 _____ () C:\WINDOWS\comsetup.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00283347 _____ () C:\WINDOWS\ntdtcsetup.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00218545 _____ () C:\WINDOWS\iis6.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00076970 _____ () C:\WINDOWS\ocmsn.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00069622 _____ () C:\WINDOWS\msgsocm.log
2014-08-25 11:21 - 2011-04-21 13:31 - 00001374 _____ () C:\WINDOWS\imsins.log
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 __HDC () C:\WINDOWS\$968930Uinstall_KB968930$
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\system32\winrm
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\system32\WindowsPowerShell
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\system32\GroupPolicy
2014-08-25 11:20 - 2014-08-25 11:20 - 00000000 ____D () C:\WINDOWS\$NtUninstallKB968930$
2014-08-25 11:20 - 2011-04-21 13:25 - 00000000 ____D () C:\WINDOWS\Help
2014-08-21 10:52 - 2014-01-15 14:35 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\SHARE DOCUMENTS - PC
2014-08-19 10:14 - 2013-12-29 13:40 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\SolidWorks

Some content of TEMP:
====================
C:\Documents and Settings\Todd\Local Settings\Temp\acslpkp.dll
C:\Documents and Settings\Todd\Local Settings\Temp\G2MInstallerExtractor.exe
C:\Documents and Settings\Todd\Local Settings\Temp\GfxDbMash.dll
C:\Documents and Settings\Todd\Local Settings\Temp\nanzysy.dll
C:\Documents and Settings\Todd\Local Settings\Temp\SpOrder.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 12-09-2014
Ran by Todd at 2014-09-18 08:42:28
Running from C:\Documents and Settings\Todd\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Disabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.6.0.19140 - Adobe Systems Incorporated)
Adobe AIR (Version: 2.6.0.19140 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.1.102.55 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.0.1.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.1) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.1 - Adobe Systems Incorporated)
AnswerWorks Runtime (HKLM\...\AnswerWorks) (Version:  - )
AutoCAD 2002 (HKLM\...\{5783F2D7-0101-0409-0000-0060B0CE6BBA}) (Version: 15.0.6.030 - Autodesk)
Citrix Online Launcher (HKLM\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
Disney's Magic Artist (HKLM\...\DisneysMagicArtistDeinstKey) (Version:  - )
GoToMeeting 6.4.2.1669 (HKCU\...\GoToMeeting) (Version: 6.4.2.1669 - CitrixOnline)
High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
IDT Audio (HKLM\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.20001.0 - IDT)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 0.0.0.0000 - Intel Corporation)
Intel® Network Connections 15.3.68.0 (HKLM\...\{D5558268-0050-4B95-AD5E-426960E1EFE1}) (Version: 15.3.68.0 - Intel)
Intel® Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Java Auto Updater (Version: 2.0.6.1 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 30 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216030FF}) (Version: 6.0.300 - Oracle)
join.me (HKCU\...\JoinMe) (Version: 1.13.1.118 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)
Microsoft IntelliPoint 8.2 (Version: 8.20.468.0 - Microsoft Corporation) Hidden
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9 (Version:  - Microsoft Corporation) Hidden
Microsoft Office 2003 Web Components (HKLM\...\{90120000-00A4-0409-0000-0000000FF1CE}) (Version: 12.0.6213.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Small Business Edition 2003 (HKLM\...\{91CA0409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Applications - ENU (HKLM\...\Microsoft Visual Studio 2005 Tools for Applications - ENU) (Version:  - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Applications - ENU (Version: 8.0.50727.146 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Search Protect (HKLM\...\SearchProtect) (Version: 2.17.2.3 - Client Connect LTD) <==== ATTENTION
SmartMusic 2012a (HKLM\...\SmartMusic 2012a) (Version: 14.1.6 - MakeMusic)
SolidWorks 2012 SP05 (HKLM\...\SolidWorks Installation Manager 20120-40500-1100-200) (Version: 20.5.0.80 - SolidWorks Corporation)
SolidWorks 2012 SP05 (Version: 20.150.80 - SolidWorks) Hidden
SolidWorks eDrawings 2012 SP05 (Version: 12.5.114 - Dassault Systèmes SolidWorks Corp.) Hidden
SolidWorks Explorer 2012 SP05 (Version: 20.50.80 - SolidWorks Corporation) Hidden
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2447568) (HKLM\...\KB2447568-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2641690) (HKLM\...\KB2641690) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2863058) (HKLM\...\KB2863058) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
Web Protect for Windows (HKLM\...\wp-adinject-adk) (Version: 10.0.0 - Web Protect) <==== ATTENTION
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WIDCOMM Bluetooth Software (HKLM\...\{3F4EC965-28EF-45C3-B063-04B25D4E9679}) (Version: 5.0.1.2701 - Logitech)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Media Player 11 (Version:  - Microsoft Corporation) Hidden
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1060284298-484061587-725345543-1004_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1298\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points  =========================

11-09-2014 03:23:06 System Checkpoint
12-09-2014 15:17:52 System Checkpoint
15-09-2014 11:09:31 Software Distribution Service 3.0
16-09-2014 14:04:46 Software Distribution Service 3.0
18-09-2014 03:26:15 Software Distribution Service 3.0

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 06:00 - 2004-08-04 06:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1060284298-484061587-725345543-1004.job => C:\Program Files\Citrix\GoToMeeting\1669\g2mupdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2011-04-22 15:51 - 2009-11-05 08:39 - 00087552 _____ () C:\WINDOWS\system32\cpwmon2k.dll
2004-08-04 06:00 - 2008-04-14 05:41 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2004-08-04 06:00 - 2008-04-14 05:42 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2014-09-17 07:05 - 2014-09-17 07:05 - 08537928 _____ () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\36.0.1985.143\pdf.dll
2014-09-17 07:05 - 2014-09-17 07:05 - 00353096 _____ () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\36.0.1985.143\ppGoogleNaClPluginChrome.dll
2014-09-17 07:04 - 2014-09-17 07:04 - 01732936 _____ () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\36.0.1985.143\ffmpegsumo.dll
2014-09-17 07:05 - 2014-09-17 07:05 - 14669128 _____ () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\36.0.1985.143\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pcwatch.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SolidWorks Background Downloader.lnk => C:\WINDOWS\pss\SolidWorks Background Downloader.lnkCommon Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: GoToMeeting => "C:\Program Files\Citrix\GoToMeeting\1298\g2mstart.exe" "/Trigger RunAtLogon"
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (09/18/2014 08:01:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application deurnwrha.exe, version 36.0.1985.143, faulting module ggujyzvvb.dll, version 7.0.2.113, fault address 0x00011eab.
Processing media-specific event for [deurnwrha.exe!ws!]

Error: (09/16/2014 07:55:21 AM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: EventType mptelemetry, P1 2152759308, P2 unspecified, P3 scanfile, P4 4.5.216.0, P5 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P6 unspecified, P7 unspecified, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (09/10/2014 10:57:17 AM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P2 4.5.216.0, P3 timeout, P4 1.1.10904.0, P5 fixed, P6 2 _ 2048, P7 5 _ not boot, P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (09/08/2014 10:49:55 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (09/08/2014 10:49:55 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Error: (09/08/2014 10:40:51 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (09/07/2014 09:29:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module mshtml.dll, version 8.0.6001.23588, fault address 0x0014c493.
Processing media-specific event for [iexplore.exe!ws!]

Error: (09/02/2014 04:11:44 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: Fault bucket -1070636444.

Error: (09/02/2014 04:10:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application SLDWORKS.exe, version 20.5.0.80, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (09/02/2014 01:27:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module flash11e.ocx, version 11.1.102.55, fault address 0x001a0e8f.
Processing media-specific event for [iexplore.exe!ws!]

System errors:
=============
Error: (09/18/2014 08:42:59 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MyOSProtect service failed to start due to the following error:
%%2

Error: (09/18/2014 08:42:59 AM) (Source: DCOM) (EventID: 10005) (User: CDTMT-PC)
Description: DCOM got error "%MyOSProtect" attempting to start the service MyOSProtect with arguments "-Service"
in order to run the server:
{94B83936-77EA-4708-8FC5-F3BBC55C2A32}

Error: (09/18/2014 08:42:54 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MyOSProtect service failed to start due to the following error:
%%2

Error: (09/18/2014 08:42:54 AM) (Source: DCOM) (EventID: 10005) (User: CDTMT-PC)
Description: DCOM got error "%MyOSProtect" attempting to start the service MyOSProtect with arguments "-Service"
in order to run the server:
{94B83936-77EA-4708-8FC5-F3BBC55C2A32}

Error: (09/18/2014 08:42:45 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MyOSProtect service failed to start due to the following error:
%%2

Error: (09/18/2014 08:42:45 AM) (Source: DCOM) (EventID: 10005) (User: CDTMT-PC)
Description: DCOM got error "%MyOSProtect" attempting to start the service MyOSProtect with arguments "-Service"
in order to run the server:
{94B83936-77EA-4708-8FC5-F3BBC55C2A32}

Error: (09/18/2014 08:42:31 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MyOSProtect service failed to start due to the following error:
%%2

Error: (09/18/2014 08:42:31 AM) (Source: DCOM) (EventID: 10005) (User: CDTMT-PC)
Description: DCOM got error "%MyOSProtect" attempting to start the service MyOSProtect with arguments "-Service"
in order to run the server:
{94B83936-77EA-4708-8FC5-F3BBC55C2A32}

Error: (09/18/2014 08:42:15 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MyOSProtect service failed to start due to the following error:
%%2

Error: (09/18/2014 08:42:15 AM) (Source: DCOM) (EventID: 10005) (User: CDTMT-PC)
Description: DCOM got error "%MyOSProtect" attempting to start the service MyOSProtect with arguments "-Service"
in order to run the server:
{94B83936-77EA-4708-8FC5-F3BBC55C2A32}

Microsoft Office Sessions:
=========================
Error: (09/18/2014 08:01:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: deurnwrha.exe36.0.1985.143ggujyzvvb.dll7.0.2.11300011eab

Error: (09/16/2014 07:55:21 AM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: mptelemetry2152759308unspecifiedscanfile4.5.216.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)unspecifiedunspecifiedNILNILNIL

Error: (09/10/2014 10:57:17 AM) (Source: MPSampleSubmission) (EventID: 5000) (User: )
Description: mptelemetrymicrosoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)4.5.216.0timeout1.1.10904.0fixed2 _ 20485 _ not bootNILNILNIL

Error: (09/08/2014 10:49:55 AM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (09/08/2014 10:49:55 AM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (09/08/2014 10:40:51 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (09/07/2014 09:29:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702mshtml.dll8.0.6001.235880014c493

Error: (09/02/2014 04:11:44 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: -1070636444

Error: (09/02/2014 04:10:07 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: SLDWORKS.exe20.5.0.80hungapp0.0.0.000000000

Error: (09/02/2014 01:27:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702flash11e.ocx11.1.102.55001a0e8f

==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU E6750 @ 2.66GHz
Percentage of memory in use: 76%
Total physical RAM: 2020.35 MB
Available physical RAM: 483.7 MB
Total Pagefile: 4897.42 MB
Available Pagefile: 3473.94 MB
Total Virtual: 2047.88 MB
Available Virtual: 1921.08 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:298.08 GB) (Free:273.9 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: 7D617D61)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#4 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Local time:06:16 AM

Posted 18 September 2014 - 10:35 AM

Ok, please do the following:


Step 1

Please download the attached file fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.
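Interpreting the FRST logs is what this thread is about, and the logs above already show the markers an analyst scans for: entries FRST tags with `<==== ATTENTION`, services and drivers marked `[File not signed]`, and DLLs loaded from a user's temp directory. The following Python triage script is an added example for this thread; it is not part of FRST and not the Malware Response Team's procedure. It reads FRST's plain-text line formats, groups the lines worth a second look, and, for a Fixlog, lists the items whose removal did not finish (a reboot or another fix pass is needed). The sample lines are modelled on the logs posted in this thread; the category names, regular expressions and "incomplete" outcome markers are this example's own assumptions, not anything FRST documents.

```python
"""Triage helpers for Farbar Recovery Scan Tool (FRST) text logs.

Added example for this thread; it is not part of FRST and not the
Malware Response Team's procedure. It reads the plain-text line
formats FRST writes to FRST.txt, Addition.txt and Fixlog.txt and
collects the lines an analyst reviews first. Category names, the
regular expressions and the "incomplete" outcome markers are this
example's own choices (assumptions), not anything FRST documents.
"""
import re
from collections import defaultdict

# Marker FRST appends to entries it considers suspicious.
ATTENTION = re.compile(r"<=+\s*ATTENTION!?\s*$")
# Service/driver entries: "<type> <name>; <path> [size date] (vendor) ..."
SERVICE = re.compile(r"^[RSU]\d\s+[^;]+;\s+(.+?)\s+\[\d+ \d{4}-\d{2}-\d{2}\]")
UNSIGNED = "[File not signed]"
# File entries: "<created> - <modified> - <size> <attrs> (<signer>) <path>"
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - .*? - \d{8} \S+ \([^)]*\) (.+)$")
# Per-user temp directories are not a normal home for loaded DLLs (assumption).
TEMP_PATH = re.compile(
    r"\\Local Settings\\(?:Temp|Application Data\\Temp)\\", re.IGNORECASE)
# Fixlog outcomes that mean the fix is not finished yet (assumption).
INCOMPLETE = ("Scheduled to move on reboot", "Error deleting",
              "Unable to stop", "could be protected")


def triage_scan(lines):
    """Group FRST.txt/Addition.txt lines by the reason they stand out."""
    findings = defaultdict(list)
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if ATTENTION.search(line):
            findings["attention"].append(line)
        if UNSIGNED in line:
            # Report just the path for service/driver entries.
            m = SERVICE.match(line)
            findings["unsigned"].append(m.group(1) if m else line)
        if line.lower().endswith(".dll") and TEMP_PATH.search(line):
            m = FILE_LINE.match(line)
            findings["temp_dll"].append(m.group(1) if m else line)
    return dict(findings)


def pending_after_fix(fixlog_lines):
    """Return (item, outcome) for Fixlog entries that did not fully succeed."""
    pending = []
    for raw in fixlog_lines:
        line = raw.strip()
        if " => " not in line:
            continue
        item, outcome = line.rsplit(" => ", 1)
        if not any(marker in outcome for marker in INCOMPLETE):
            continue
        # Prefer the quoted path or registry key when the line has one.
        quoted = re.search(r'"([^"]+)"', item)
        pending.append((quoted.group(1) if quoted else item,
                        outcome.rstrip(".")))
    return pending


# Constructed sample input, modelled on the log lines posted in this thread.
SAMPLE_SCAN = r"""
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S4 ProtectMonitor; C:\monitorsvc.exe [34244 2014-09-02] () [File not signed]
Search Protect (HKLM\...\SearchProtect) (Version: 2.17.2.3 - Client Connect LTD) <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys => ""="Driver" <==== ATTENTION
2014-09-17 07:05 - 2014-09-17 07:05 - 08537928 _____ () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf\Obgmxdsk\36.0.1985.143\pdf.dll
2004-08-04 06:00 - 2008-04-14 05:41 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
C:\Documents and Settings\Todd\Local Settings\Temp\nanzysy.dll
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
""".strip().splitlines()

SAMPLE_FIXLOG = r"""
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
ProtectMonitor => Service deleted successfully.
Could not move "C:\monitorsvc.exe" => Scheduled to move on reboot.
MyOSProtect => Error deleting Service
pcwatch => Unable to stop service
pcwatch => Error deleting Service
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001" => Error deleting key. The key could be protected.
C:\WINDOWS\system32\MyOSProtect.ini => Moved successfully.
EmptyTemp: => Removed 2.5 GB temporary data.
""".strip().splitlines()


if __name__ == "__main__":
    for category, items in triage_scan(SAMPLE_SCAN).items():
        print(category)
        for item in items:
            print("   ", item)
    print("pending after fix")
    for item, outcome in pending_after_fix(SAMPLE_FIXLOG):
        print("   ", item, "->", outcome)
```

Run it against a real FRST.txt by replacing the sample lists with `open(path, encoding="utf-8", errors="replace").read().splitlines()`. The "pending" list is the useful part after a fix: on this thread's Fixlog it would surface the driver and service FRST could not stop and the Winsock catalog entries it could not delete, which is exactly the residue that needs a reboot and a second pass rather than being mistaken for a clean result.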


#5 DesignMaster

DesignMaster
  • Topic Starter

  • Members
  • 5 posts
  • Gender:Male
  • Local time:10:16 PM

Posted 28 September 2014 - 11:35 PM

Note that I moved all of the files such as FRST.EXE and such to a new folder so they are not on the desktop per your original save-to location request.  Having them on the desktop is messy.  I hope this does not pose a problem of any sort.  Below are the file results you requested.  I was getting error messages about "your computer has encountered a problem and the program will have to shut down..." or something of the sort.  However, I think I got it to run correctly this last time.  Sorry for such a slow response.  This computer issue has really put a damper on my ability to get things done using this computer.

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-09-2014 02
Ran by Todd at 2014-09-28 22:00:46 Run:2
Running from C:\Documents and Settings\Todd\My Documents\Computer Maintenance\Bleeping Computer
Loaded Profile: Todd (Available profiles: Todd & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
CloseProcesses:
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <===== ATTENTION
HKLM\...99B7938DA9E4}\LocalServer32: [Default-wmiprvse]  <==== ATTENTION!
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\Run: [Ggujyzvvb] => rundll32.exe "C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help\Ggujyzvvb.dll",DllRegisterServer
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help\Ggujyzvvb.dll
AppInit_DLLs: C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll File Not Found
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M147FAD95-066A-4B43-BC90-F6376773F8D0&SearchSource=58&CUI=&UM=6&UP=SPFAFEEABD-6F6C-46F3-BDB8-AEEA4FC745B0&q={searchTerms}&SSPV=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=M147FAD95-066A-4B43-BC90-F6376773F8D0&SearchSource=58&CUI=&UM=6&UP=SPFAFEEABD-6F6C-46F3-BDB8-AEEA4FC745B0&q={searchTerms}&SSPV=
Winsock: Catalog9 01 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 02 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 26 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S4 ProtectMonitor; C:\monitorsvc.exe [34244 2014-09-02] () [File not signed]
C:\monitorsvc.exe
C:\monitor.exe
C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf
S3 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]
C:\Program Files\Web Protect
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
C:\WINDOWS\system32\Drivers\pcwatch.sys
2014-09-10 21:10 - 2014-09-10 21:10 - 00009744 _____ () C:\WINDOWS\system32\MyOSProtect.ini
2014-09-10 21:10 - 2014-09-10 21:10 - 00002312 _____ () C:\WINDOWS\system32\MyOSProtectOff.ini
2014-09-10 21:09 - 2014-09-10 21:09 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\SearchProtect
2014-09-10 21:08 - 2014-09-18 08:01 - 00000000 ____D () C:\Program Files\ORBTR
2014-09-10 21:08 - 2014-09-10 21:09 - 00000000 ____D () C:\Program Files\SearchProtect-delete
2014-09-10 21:09 - 2014-09-17 06:37 - 00000000 ____D () C:\Program Files\Web Protect-delete
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pcwatch.sys => ""="Driver" <==== ATTENTION
EmptyTemp:
*****************

Processes closed successfully.
[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] => No subkey with invalid name found.
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\Default => Value was restored successfully.
HKU\S-1-5-21-1060284298-484061587-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run\\Ggujyzvvb => Value not found.
"C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help\Ggujyzvvb.dll" => File/Directory not found.
"C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll" => Value Data not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}" => Key not found.
"HKCR\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}" => Key not found.
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001" => Error deleting key. The key could be protected.
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002" => Error deleting key. The key could be protected.
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000026" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKCU\SOFTWARE\Policies\Google" => Key deleted successfully.
ProtectMonitor => Service deleted successfully.
Could not move "C:\monitorsvc.exe" => Scheduled to move on reboot.
"C:\monitor.exe" => File/Directory not found.
C:\Documents and Settings\Todd\Local Settings\Application Data\Temp\pnfwhhjewf => Moved successfully.
MyOSProtect => Error deleting Service
C:\Program Files\Web Protect => Moved successfully.
pcwatch => Unable to stop service
pcwatch => Error deleting Service
Could not move "C:\WINDOWS\system32\Drivers\pcwatch.sys" => Scheduled to move on reboot.
C:\WINDOWS\system32\MyOSProtect.ini => Moved successfully.
C:\WINDOWS\system32\MyOSProtectOff.ini => Moved successfully.
"C:\Documents and Settings\Todd\Local Settings\Application Data\SearchProtect" => File/Directory not found.
"C:\Program Files\ORBTR" => File/Directory not found.
"C:\Program Files\SearchProtect-delete" => File/Directory not found.
"C:\Program Files\Web Protect-delete" => File/Directory not found.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect" => Key not found.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\pcwatch.sys" => Key deleted successfully.
EmptyTemp: => Removed 2.5 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-09-28 22:09:43)<=

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-09-2014 02
Ran by Todd (administrator) on CDTMT-PC on 28-09-2014 22:26:23
Running from C:\Documents and Settings\Todd\My Documents\Computer Maintenance\Bleeping Computer
Loaded Profile: Todd (Available profiles: Todd & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
(IDT, Inc.) C:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [483422 2009-03-12] (IDT, Inc.)
HKLM\...\Run: [Logitech Hardware Abstraction Layer] => KHALMNPR.EXE
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^wH4AAA==n{F+2im'xh,)mDk-+or8%mYvEUmDb2ORUtVsJbIStrVc+e'*+* Y.zPhxlc3XwC NAx\bDKU:xO?DDrUT/ (the data entry has 32372 more characters). <==== ATTENTION!
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\MountPoints2: {5f3e825f-8359-11e0-91a5-0019d1a50581} - F:\LaunchU3.exe -a
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\MountPoints2: {f413aa0c-c6bc-11e1-91c4-0019d1a50581} - E:\LaunchU3.exe -a
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe [247968 2012-01-09] (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303499554875
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
Winsock: Catalog9 01 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 02 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 26 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Tcpip\Parameters: [DhcpNameServer] 69.144.127.53 24.247.15.53 68.116.46.115

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Todd\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-01-09]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-12-29]

Chrome:
=======
CHR CustomProfile: C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-18]
CHR Extension: (Google Drive) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-18]
CHR Extension: (YouTube) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-18]
CHR Extension: (Google Search) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-18]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-25]
CHR Extension: (Gmail) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-18]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [266295 2006-07-25] (Broadcom Corporation.) [File not signed]
S3 CoordinatorServiceHost; C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [89192 2012-10-06] (Dassault Systèmes SolidWorks Corp.)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-12-29] (Flexera Software, Inc.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-01-09] (Sun Microsystems, Inc.)
S4 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2799808 2005-09-23] (Microsoft Corporation)
S3 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2013-12-29] (SolidWorks) [File not signed]
R2 STacSV; c:\program files\idt\intelxpv_v103\wdm\STacSV.exe [254036 2009-03-12] (IDT, Inc.)
S2 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE [X]
S3 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 btaudio; C:\WINDOWS\System32\drivers\btaudio.sys [328285 2006-06-12] (Broadcom Corporation.) [File not signed]
S3 BTDriver; C:\WINDOWS\System32\DRIVERS\btport.sys [30427 2006-06-12] (Broadcom Corporation.) [File not signed]
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [851642 2006-08-01] (Broadcom Corporation.) [File not signed]
S3 btwhid; C:\WINDOWS\System32\DRIVERS\btwhid.sys [45779 2006-09-11] (Broadcom Corporation.) [File not signed]
S3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [65784 2006-06-12] (Broadcom Corporation.) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [245248 2005-11-24] (Ralink Technology, Corp.)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1550613 2009-03-12] (IDT, Inc.)
S4 IntelIde; No ImagePath
S3 LMouKE; system32\DRIVERS\LMouKE.Sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-28 21:54 - 2014-09-28 21:55 - 00002947 _____ () C:\Documents and Settings\Todd\Desktop\fixlist.txt
2014-09-18 11:48 - 2014-09-18 11:48 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Google
2014-09-18 11:44 - 2014-09-28 21:54 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\Computer Maintenance
2014-09-18 08:42 - 2014-09-18 08:43 - 00021780 _____ () C:\Documents and Settings\Todd\Desktop\Addition.txt
2014-09-18 08:40 - 2014-09-18 08:43 - 00028271 _____ () C:\Documents and Settings\Todd\Desktop\FRST.txt
2014-09-18 08:39 - 2014-09-28 22:26 - 00000000 ____D () C:\FRST
2014-09-18 08:38 - 2014-09-18 08:39 - 01097728 _____ (Farbar) C:\Documents and Settings\Todd\Desktop\FRST.exe
2014-09-17 23:46 - 2014-09-17 23:46 - 01123572 _____ () C:\Documents and Settings\Todd\My Documents\Task Manager Shot.tif
2014-09-17 23:39 - 2014-09-17 23:39 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager sample.bmp
2014-09-17 23:38 - 2014-09-17 23:38 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager.bmp
2014-09-17 20:39 - 2014-09-18 09:38 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-17 20:39 - 2014-09-17 20:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-17 20:38 - 2014-09-17 20:39 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-17 20:38 - 2014-09-17 20:38 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-09-17 20:38 - 2014-05-12 07:26 - 00053208 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-09-17 20:38 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-09-17 20:36 - 2014-09-17 21:13 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-17 20:36 - 2014-09-17 20:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-09-17 20:36 - 2014-09-17 20:36 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-17 20:36 - 2012-05-10 19:03 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-09-17 20:36 - 2011-04-22 15:47 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Macromedia
2014-09-17 20:36 - 2011-04-22 06:12 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-09-17 20:36 - 2011-04-22 06:12 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-09-17 20:36 - 2011-04-22 06:12 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-09-17 20:32 - 2014-09-17 20:03 - 17292760 _____ (Malwarebytes Corporation ) C:\Program Files\mbam-setup-2.0.2.1012.exe
2014-09-17 10:03 - 2014-09-17 10:03 - 00000149 _____ () C:\Documents and Settings\Todd\My Documents\plot.log
2014-09-17 09:15 - 2014-09-17 09:15 - 01619084 _____ () C:\Documents and Settings\Todd\My Documents\nbsco UPS Canopy A2000.dwg
2014-09-10 21:10 - 2014-09-01 12:29 - 00019840 _____ () C:\WINDOWS\system32\Drivers\pcwatch.sys
2014-09-10 21:10 - 2014-09-01 12:28 - 00304776 _____ (MyOSCompany) C:\WINDOWS\system32\MyOSProtect.dll
2014-09-10 12:40 - 2014-09-15 21:00 - 00946352 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-09-09 13:47 - 2014-09-09 13:47 - 02041002 _____ () C:\Documents and Settings\Todd\My Documents\Steel Smith Test Options.bmp
2014-09-04 05:29 - 2014-09-03 17:34 - 10013818 _____ () C:\Documents and Settings\Todd\My Documents\13.120_Baltic_Assembly_073.dwf
2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe
2014-09-02 12:21 - 2014-09-02 12:21 - 00634880 _____ () C:\DirectControl.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-28 22:26 - 2011-04-22 06:27 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Temp
2014-09-28 22:19 - 2013-11-30 12:52 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-09-28 22:19 - 2011-04-22 06:16 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-09-28 22:11 - 2011-04-22 06:11 - 01813618 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-28 22:09 - 2014-03-27 15:42 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-09-28 22:09 - 2011-04-22 06:27 - 00000278 ___SH () C:\Documents and Settings\Todd\ntuser.ini
2014-09-28 22:09 - 2011-04-22 06:27 - 00000000 ____D () C:\Documents and Settings\Todd
2014-09-28 22:09 - 2011-04-22 06:24 - 00032548 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-28 22:09 - 2011-04-22 06:24 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-28 22:09 - 2011-04-22 06:24 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
2014-09-28 22:09 - 2011-04-21 13:33 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-28 22:09 - 2011-04-21 13:33 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-09-28 22:06 - 2014-01-24 16:21 - 00000512 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1060284298-484061587-725345543-1004.job
2014-09-28 22:01 - 2011-04-22 15:49 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp
2014-09-28 21:43 - 2004-08-04 06:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-25 07:17 - 2013-12-29 12:53 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help
2014-09-22 00:41 - 2011-04-22 15:16 - 00231568 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2014-09-18 11:59 - 2013-09-16 08:00 - 00278230 _____ () C:\WINDOWS\setupapi.log
2014-09-18 10:15 - 2004-08-04 06:00 - 00000675 _____ () C:\WINDOWS\win.ini
2014-09-18 10:15 - 2004-08-04 06:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-09-18 09:48 - 2011-04-22 06:10 - 00019214 _____ () C:\WINDOWS\wmsetup.log
2014-09-17 21:13 - 2011-04-22 14:58 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB969059$
2014-09-17 07:05 - 2012-04-11 19:34 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\CutePDF Writer
2014-09-15 15:17 - 2014-03-20 16:24 - 00000000 ____D () C:\SW AUTO-RECOVERY
2014-09-15 15:17 - 2013-12-29 14:35 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\SolidWorks
2014-09-15 11:11 - 2014-03-20 16:23 - 00000000 ____D () C:\SW AUTO-BACK UP
2014-09-15 10:56 - 2013-12-29 13:01 - 00002569 _____ () C:\Documents and Settings\All Users\Desktop\SolidWorks 2012.lnk
2014-09-15 10:56 - 2013-12-29 12:33 - 00000000 ____D () C:\Documents and Settings\Todd\Application Data\SolidWorks
2014-09-11 11:02 - 2011-05-20 21:40 - 00000000 ____D () C:\Documents and Settings\Todd\Application Data\U3
2014-09-10 21:23 - 2011-04-22 06:10 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-09-10 16:46 - 2014-08-25 13:38 - 00327680 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-09-10 16:46 - 2013-09-16 08:01 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-09-10 16:45 - 2011-04-22 14:56 - 98758480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-09-10 14:43 - 2013-12-29 20:26 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-09-08 15:33 - 2014-03-27 15:42 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-09-05 12:05 - 2014-03-19 10:40 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\SolidWorks Pack and Go Back ups
2014-08-29 09:34 - 2011-04-22 06:16 - 00000178 ___SH () C:\Documents and Settings\NetworkService\ntuser.ini

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================
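Reading a log like the one above by hand means scanning for the markers FRST itself prints: `<==== ATTENTION` on entries it considers suspicious, `[File not signed]` next to an empty publisher field `()`, `[X]` on a service or driver whose file is missing, `No ImagePath`, and `Winsock: Catalog9` entries (Layered Service Providers, which sit in the path of every socket on the machine). The following Python helper is an added example for this thread, not part of FRST or of anything the Malware Response Team posted; it applies exactly those markers to a handful of sample lines copied from the log above and returns the entries worth a second look, so a reader can see which rule fires on which line.

```python
import re
from typing import List, Optional, Tuple

# Sample input: a few lines in FRST's log format, copied from the scan above.
# Only the rules below are applied to them; nothing is executed or looked up.
SAMPLE_LOG = r"""
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S2 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE [X]
S4 IntelIde; No ImagePath
Winsock: Catalog9 01 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
R2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [266295 2006-07-25] (Broadcom Corporation.) [File not signed]
"""

ATTENTION_MARKER = "<==== ATTENTION"

# FRST prints the publisher in parentheses right after the "[size date]" bracket,
# e.g. "[19840 2014-09-01] ()" for a file with no version-resource company name.
PUBLISHER_RE = re.compile(r"\]\s*\(([^)]*)\)")


def publisher_of(line: str) -> Optional[str]:
    """Return the publisher string FRST printed for this entry, or None if absent."""
    m = PUBLISHER_RE.search(line)
    return m.group(1).strip() if m else None


def reasons_for(line: str) -> List[str]:
    """List the triage rules that fire on one FRST log line (empty list = nothing notable)."""
    reasons: List[str] = []
    if ATTENTION_MARKER in line:
        reasons.append("flagged by FRST (ATTENTION marker)")
    # An unsigned file with a claimed publisher is common for old drivers on XP;
    # unsigned *and* no publisher at all is the combination worth attention.
    if "[File not signed]" in line and publisher_of(line) == "":
        reasons.append("unsigned binary with no publisher string")
    if line.endswith("[X]"):
        reasons.append("service/driver is registered but its file is missing")
    if "No ImagePath" in line:
        reasons.append("service entry has no ImagePath")
    if line.startswith("Winsock: Catalog9"):
        reasons.append("Winsock LSP entry: sees all socket traffic, verify the publisher")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every non-empty line that triggers at least one rule."""
    hits: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = reasons_for(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```

On the sample above this reports pcwatch (two rules), LBTServ, IntelIde and the MyOSProtect LSP entry, and stays silent on MpFilter and on btwdins, whose unsigned file at least carries a publisher name. The rules are deliberately nothing more than FRST's own markers; deciding what to do with a flagged entry is still the analyst's call, as the fixlist exchange in this thread shows.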



#6 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:16 AM

Posted 29 September 2014 - 02:00 AM

Ok, one more round:


Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button. Allow the reboot.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.


Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.


#7 DesignMaster

DesignMaster
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:16 PM

Posted 30 September 2014 - 12:30 PM

This is from the bottom of the Fixlog.txt file. I trust you are making progress in getting my computer cleaned up. However, are these files giving you issues as far as getting rid of them or fixing them? They are the ones I deemed "bastard-files" when I first investigated my computer issues. If I remember correctly, I could not delete, move, rename or otherwise touch any of these files.

 

"C:\WINDOWS\system32\MyOSProtect.dll" => File could not move.
"C:\WINDOWS\system32\Drivers\pcwatch.sys" => File could not move.
"C:\monitorsvc.exe" => File could not move.

 

Here are the latest versions of the files you need... I really appreciate your help and patience with these issues.

 

Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-09-2014 02
Ran by Todd at 2014-09-30 11:05:54 Run:4
Running from C:\Documents and Settings\Todd\My Documents\Computer Maintenance\Bleeping Computer
Loaded Profile: Todd (Available profiles: Todd & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
CloseProcesses:
HKLM\...99B7938DA9E4}\LocalServer32: [a] #@~^wH4AAA==n{F+2im'xh,)mDk-+or8%mYvEUmDb2ORUtVsJbIStrVc+e'*+* Y.zPhxlc3XwC NAx\bDKU:xO?DDrUT/ (the data entry has 32372 more characters). <==== ATTENTION!
CMD: netsh winsock reset
C:\WINDOWS\system32\MyOSProtect.dll
S3 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
C:\WINDOWS\system32\Drivers\pcwatch.sys
2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe
2014-09-02 12:21 - 2014-09-02 12:21 - 00634880 _____ () C:\DirectControl.exe

*****************

Processes closed successfully.
HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\\a => Value not found.

=========  netsh winsock reset =========

Unable to reset the Winsock Catalog.
Access is denied.

 

========= End of CMD: =========

Could not move "C:\WINDOWS\system32\MyOSProtect.dll" => Scheduled to move on reboot.
MyOSProtect => Error deleting Service
pcwatch => Unable to stop service
pcwatch => Error deleting Service
Could not move "C:\WINDOWS\system32\Drivers\pcwatch.sys" => Scheduled to move on reboot.
Could not move "C:\monitorsvc.exe" => Scheduled to move on reboot.
C:\DirectControl.exe => Moved successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-09-30 11:06:52)<=

"C:\WINDOWS\system32\MyOSProtect.dll" => File could not move.
"C:\WINDOWS\system32\Drivers\pcwatch.sys" => File could not move.
"C:\monitorsvc.exe" => File could not move.

==== End of Fixlog ====

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-09-2014 02
Ran by Todd (administrator) on CDTMT-PC on 30-09-2014 11:14:22
Running from C:\Documents and Settings\Todd\My Documents\Computer Maintenance\Bleeping Computer
Loaded Profile: Todd (Available profiles: Todd & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
(IDT, Inc.) C:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [483422 2009-03-12] (IDT, Inc.)
HKLM\...\Run: [Logitech Hardware Abstraction Layer] => KHALMNPR.EXE
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\MountPoints2: {5f3e825f-8359-11e0-91a5-0019d1a50581} - F:\LaunchU3.exe -a
HKU\S-1-5-21-1060284298-484061587-725345543-1004\...\MountPoints2: {f413aa0c-c6bc-11e1-91c4-0019d1a50581} - E:\LaunchU3.exe -a
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [437160 2007-02-26] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe [247968 2012-01-09] (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1303499554875
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file:///C:/Program%20Files/AutoCAD%202002/AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} file:///C:/Program%20Files/AutoCAD%202002/InstBanr.ocx
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/InstFred.ocx
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file:///C:/Program%20Files/AutoCAD%202002/AcPreview.ocx
Winsock: Catalog9 01 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 02 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Winsock: Catalog9 26 C:\WINDOWS\system32\MyOSProtect.dll [304776] (MyOSCompany)
Tcpip\Parameters: [DhcpNameServer] 69.144.127.53 24.247.15.53 68.116.46.115

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Todd\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2012-01-09]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-12-29]

Chrome:
=======
CHR CustomProfile: C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-18]
CHR Extension: (Google Drive) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-18]
CHR Extension: (YouTube) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-18]
CHR Extension: (Google Search) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-18]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-25]
CHR Extension: (Gmail) - C:\Documents and Settings\Todd\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-18]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 btwdins; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [266295 2006-07-25] (Broadcom Corporation.) [File not signed]
S3 CoordinatorServiceHost; C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [89192 2012-10-06] (Dassault Systèmes SolidWorks Corp.)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1044816 2013-12-29] (Flexera Software, Inc.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2012-01-09] (Sun Microsystems, Inc.)
S4 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S4 msvsmon80; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2799808 2005-09-23] (Microsoft Corporation)
S3 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2013-12-29] (SolidWorks) [File not signed]
R2 STacSV; c:\program files\idt\intelxpv_v103\wdm\STacSV.exe [254036 2009-03-12] (IDT, Inc.)
S2 LBTServ; C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE [X]
S3 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 btaudio; C:\WINDOWS\System32\drivers\btaudio.sys [328285 2006-06-12] (Broadcom Corporation.) [File not signed]
S3 BTDriver; C:\WINDOWS\System32\DRIVERS\btport.sys [30427 2006-06-12] (Broadcom Corporation.) [File not signed]
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [851642 2006-08-01] (Broadcom Corporation.) [File not signed]
S3 btwhid; C:\WINDOWS\System32\DRIVERS\btwhid.sys [45779 2006-09-11] (Broadcom Corporation.) [File not signed]
S3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [65784 2006-06-12] (Broadcom Corporation.) [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [245248 2005-11-24] (Ralink Technology, Corp.)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1550613 2009-03-12] (IDT, Inc.)
S4 IntelIde; No ImagePath
S3 LMouKE; system32\DRIVERS\LMouKE.Sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-28 21:54 - 2014-09-28 21:55 - 00002947 _____ () C:\Documents and Settings\Todd\Desktop\fixlist.txt
2014-09-18 11:48 - 2014-09-18 11:48 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Google
2014-09-18 11:44 - 2014-09-28 21:54 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\Computer Maintenance
2014-09-18 08:42 - 2014-09-18 08:43 - 00021780 _____ () C:\Documents and Settings\Todd\Desktop\Addition.txt
2014-09-18 08:40 - 2014-09-18 08:43 - 00028271 _____ () C:\Documents and Settings\Todd\Desktop\FRST.txt
2014-09-18 08:39 - 2014-09-30 11:14 - 00000000 ____D () C:\FRST
2014-09-18 08:38 - 2014-09-18 08:39 - 01097728 _____ (Farbar) C:\Documents and Settings\Todd\Desktop\FRST.exe
2014-09-17 23:46 - 2014-09-17 23:46 - 01123572 _____ () C:\Documents and Settings\Todd\My Documents\Task Manager Shot.tif
2014-09-17 23:39 - 2014-09-17 23:39 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager sample.bmp
2014-09-17 23:38 - 2014-09-17 23:38 - 01205846 _____ () C:\Documents and Settings\Todd\My Documents\task manager.bmp
2014-09-17 20:39 - 2014-09-18 09:38 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-09-17 20:39 - 2014-09-17 20:39 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-17 20:38 - 2014-09-17 20:39 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-17 20:38 - 2014-09-17 20:38 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-09-17 20:38 - 2014-05-12 07:26 - 00053208 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-09-17 20:38 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-09-17 20:36 - 2014-09-17 21:13 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-09-17 20:36 - 2014-09-17 20:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-09-17 20:36 - 2014-09-17 20:36 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-09-17 20:36 - 2012-05-10 19:03 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-09-17 20:36 - 2011-04-22 15:47 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Macromedia
2014-09-17 20:36 - 2011-04-22 06:12 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2014-09-17 20:36 - 2011-04-22 06:12 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2014-09-17 20:36 - 2011-04-22 06:12 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2014-09-17 20:32 - 2014-09-17 20:03 - 17292760 _____ (Malwarebytes Corporation ) C:\Program Files\mbam-setup-2.0.2.1012.exe
2014-09-17 10:03 - 2014-09-17 10:03 - 00000149 _____ () C:\Documents and Settings\Todd\My Documents\plot.log
2014-09-17 09:15 - 2014-09-17 09:15 - 01619084 _____ () C:\Documents and Settings\Todd\My Documents\nbsco UPS Canopy A2000.dwg
2014-09-10 21:10 - 2014-09-01 12:29 - 00019840 _____ () C:\WINDOWS\system32\Drivers\pcwatch.sys
2014-09-10 21:10 - 2014-09-01 12:28 - 00304776 _____ (MyOSCompany) C:\WINDOWS\system32\MyOSProtect.dll
2014-09-10 12:40 - 2014-09-15 21:00 - 00946352 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-09-09 13:47 - 2014-09-09 13:47 - 02041002 _____ () C:\Documents and Settings\Todd\My Documents\Steel Smith Test Options.bmp
2014-09-04 05:29 - 2014-09-03 17:34 - 10013818 _____ () C:\Documents and Settings\Todd\My Documents\13.120_Baltic_Assembly_073.dwf
2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-30 11:14 - 2011-04-22 06:27 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Temp
2014-09-30 11:08 - 2011-04-22 06:11 - 01859371 _____ () C:\WINDOWS\WindowsUpdate.log
2014-09-30 11:07 - 2011-04-21 13:33 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-09-30 11:07 - 2011-04-21 13:33 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2014-09-30 11:06 - 2014-03-27 15:42 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-09-30 11:06 - 2014-01-24 16:21 - 00000512 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1060284298-484061587-725345543-1004.job
2014-09-30 11:06 - 2011-04-22 06:27 - 00000278 ___SH () C:\Documents and Settings\Todd\ntuser.ini
2014-09-30 11:06 - 2011-04-22 06:24 - 00032406 _____ () C:\WINDOWS\SchedLgU.Txt
2014-09-30 11:06 - 2011-04-22 06:24 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-09-30 07:31 - 2013-11-30 12:52 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2014-09-30 07:31 - 2011-04-22 06:16 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\Temp
2014-09-28 22:41 - 2011-04-22 06:27 - 00000000 ____D () C:\Documents and Settings\Todd
2014-09-28 22:09 - 2011-04-22 06:24 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\Temp
2014-09-28 22:01 - 2011-04-22 15:49 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Temp
2014-09-28 21:43 - 2004-08-04 06:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-09-25 07:17 - 2013-12-29 12:53 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft Help
2014-09-22 00:41 - 2011-04-22 15:16 - 00231568 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2014-09-18 11:59 - 2013-09-16 08:00 - 00278230 _____ () C:\WINDOWS\setupapi.log
2014-09-18 10:15 - 2004-08-04 06:00 - 00000675 _____ () C:\WINDOWS\win.ini
2014-09-18 10:15 - 2004-08-04 06:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-09-18 09:48 - 2011-04-22 06:10 - 00019214 _____ () C:\WINDOWS\wmsetup.log
2014-09-17 21:13 - 2011-04-22 14:58 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB969059$
2014-09-17 07:05 - 2012-04-11 19:34 - 00000000 ____D () C:\Documents and Settings\Todd\Local Settings\Application Data\CutePDF Writer
2014-09-15 15:17 - 2014-03-20 16:24 - 00000000 ____D () C:\SW AUTO-RECOVERY
2014-09-15 15:17 - 2013-12-29 14:35 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\SolidWorks
2014-09-15 11:11 - 2014-03-20 16:23 - 00000000 ____D () C:\SW AUTO-BACK UP
2014-09-15 10:56 - 2013-12-29 13:01 - 00002569 _____ () C:\Documents and Settings\All Users\Desktop\SolidWorks 2012.lnk
2014-09-15 10:56 - 2013-12-29 12:33 - 00000000 ____D () C:\Documents and Settings\Todd\Application Data\SolidWorks
2014-09-11 11:02 - 2011-05-20 21:40 - 00000000 ____D () C:\Documents and Settings\Todd\Application Data\U3
2014-09-10 21:23 - 2011-04-22 06:10 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-09-10 16:46 - 2014-08-25 13:38 - 00327680 _____ () C:\WINDOWS\system32\config\WindowsPowerShell.evt
2014-09-10 16:46 - 2013-09-16 08:01 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-09-10 16:45 - 2011-04-22 14:56 - 98758480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-09-10 14:43 - 2013-12-29 20:26 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-09-08 15:33 - 2014-03-27 15:42 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-09-05 12:05 - 2014-03-19 10:40 - 00000000 ____D () C:\Documents and Settings\Todd\My Documents\SolidWorks Pack and Go Back ups

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================
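As an added example (not FRST's own code, and not something posted by anyone in this thread), the Python script below applies a few triage heuristics to FRST service, driver and created-file lines of the kind shown in the log above: FRST's own ATTENTION marker, a loaded driver with an empty publisher string and no signature (the pcwatch.sys case), orphaned entries marked [X], and executables with no publisher dropped in the drive root or the Windows tree (the C:\monitorsvc.exe case). The severity labels are this example's assumptions, not FRST's; the SAMPLE_LOG excerpt is constructed from lines copied out of the log above.

```python
"""Triage heuristics for Farbar Recovery Scan Tool (FRST) service, driver and
file lines.  Added example for this thread; it is not FRST's own code and the
severity rules below are the example's assumptions, not FRST's."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shapes seen in the Services/Drivers sections of the log above:
#   R1 pcwatch; C:\...\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
#   S2 LBTServ; C:\...\LBTSERV.EXE [X]
#   S4 IntelIde; No ImagePath
SERVICE_RE = re.compile(
    r"^(?P<start>[RSU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)"
    r"(?:\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<publisher>[^)]*)\))?"
    r"(?P<flags>(?:\s+\[[^\]]+\])*)\s*(?P<attention><==== ATTENTION)?\s*$"
)
# Line shape in the "One Month Created/Modified Files" sections:
#   2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d{8}) (?P<attrs>\S{5}) \((?P<publisher>[^)]*)\) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Finding:
    name: str
    severity: str   # "high", "medium", "low", "info" or "ok"
    reason: str


def triage_service(line: str) -> Optional[Finding]:
    """Score one service/driver line; returns None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    name, flags = m.group("name"), m.group("flags") or ""
    publisher = (m.group("publisher") or "").strip()
    unsigned = "[File not signed]" in flags
    if "[X]" in flags or m.group("path") == "No ImagePath":
        return Finding(name, "info", "orphaned entry: registered but the file is missing")
    if m.group("attention"):
        return Finding(name, "high", "flagged by FRST (ATTENTION marker)")
    if m.group("size") and not publisher:
        # A present file with no publisher string; worse when also unsigned,
        # which is the combination pcwatch.sys shows in the log above.
        return Finding(name, "high" if unsigned else "medium",
                       "no publisher in file version info")
    if unsigned:
        return Finding(name, "low", f"unsigned but from known publisher {publisher!r}")
    return Finding(name, "ok", f"signed, publisher {publisher!r}")


def triage_file(line: str) -> Optional[Finding]:
    """Flag executables with no publisher sitting in the drive root or under
    the Windows directory (e.g. C:\\monitorsvc.exe in the log above)."""
    m = FILE_RE.match(line.strip())
    if not m or "D" in m.group("attrs"):        # skip directory entries
        return None
    path, publisher = m.group("path"), m.group("publisher").strip()
    low = path.lower()
    if not low.endswith(EXEC_EXT):
        return None
    in_system_spot = re.match(r"^[a-z]:\\[^\\]+$", low) or "\\windows\\" in low
    if not publisher and in_system_spot:
        return Finding(path, "high", "executable with no publisher in a system location")
    return Finding(path, "ok", f"publisher {publisher!r}")


def triage_log(text: str) -> List[Finding]:
    """Run both rule sets over a whole FRST log; returns the non-ok findings."""
    out: List[Finding] = []
    for line in text.splitlines():
        f = triage_service(line) or triage_file(line)
        if f and f.severity != "ok":
            out.append(f)
    return out


# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S3 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]
R3 btaudio; C:\WINDOWS\System32\drivers\btaudio.sys [328285 2006-06-12] (Broadcom Corporation.) [File not signed]
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S4 IntelIde; No ImagePath
2014-09-10 21:10 - 2014-09-01 12:29 - 00019840 _____ () C:\WINDOWS\system32\Drivers\pcwatch.sys
2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe
2014-09-18 08:38 - 2014-09-18 08:39 - 01097728 _____ (Farbar) C:\Documents and Settings\Todd\Desktop\FRST.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.severity:5} {f.name}: {f.reason}")
```

The heuristics are deliberately narrow: they do not flag MyOSProtect.dll, because its entry carries a publisher string ("MyOSCompany"), and they rate the old unsigned Broadcom Bluetooth drivers as low rather than ignoring them. That is the point for a reader of such logs: a publisher string is free text from the file's version resource, not a signature, so the ATTENTION marker, the file's location and its creation date still need a human eye.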



#8 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 30 September 2014 - 04:16 PM

Yes, these are "bastard-files" indeed that have a very strong self-protection. So we have to use the big cannon to delete them.



Step 1
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Drivers to delete:
    pcwatch
    MyOSProtect
    
    Files to delete:
    C:\WINDOWS\system32\MyOSProtect.dll
    C:\WINDOWS\system32\Drivers\pcwatch.sys
    C:\monitorsvc.exe
    C:\DirectControl.exe
    
    Programs to launch on reboot:
    cmd.exe /c netsh winsock reset
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.

Edited by aharonov, 30 September 2014 - 04:16 PM.
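As an added example (not part of The Avenger, FRST or the helper's instructions above), the Python script below cross-checks the Step 2 FRST rescan against the artifacts named in the Step 1 Avenger script: it parses the script's "Drivers to delete:" and "Files to delete:" sections, then reports which driver names still appear as FRST service/driver entries and which file paths still appear anywhere in the rescan. The BEFORE_LOG excerpt is copied from the log posted earlier in this thread; AFTER_LOG is a constructed, hypothetical clean rescan.

```python
"""Check a post-fix FRST rescan against the artifacts named in an Avenger
script.  Added example for this thread; not code from The Avenger or FRST."""
import re
from typing import Dict, List

# The Avenger script from Step 1, embedded as the expected removal set.
AVENGER_SCRIPT = r"""
Drivers to delete:
pcwatch
MyOSProtect

Files to delete:
C:\WINDOWS\system32\MyOSProtect.dll
C:\WINDOWS\system32\Drivers\pcwatch.sys
C:\monitorsvc.exe
C:\DirectControl.exe

Programs to launch on reboot:
cmd.exe /c netsh winsock reset
"""


def parse_avenger_script(script: str) -> Dict[str, List[str]]:
    """Split an Avenger script into its sections, keyed by the lower-cased
    header text without the trailing colon."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def remaining_artifacts(script: str, frst_log: str) -> Dict[str, List[str]]:
    """Return the drivers and files from the script still visible in the rescan."""
    wanted = parse_avenger_script(script)
    log_lines = [l.strip() for l in frst_log.splitlines()]
    still: Dict[str, List[str]] = {"drivers": [], "files": []}
    # A driver/service survives if a line still starts with "<start-type> <name>;",
    # which is FRST's Services/Drivers line format (e.g. "R1 pcwatch; ...").
    for name in wanted.get("drivers to delete", []):
        pat = re.compile(r"^[RSU]\d\s+" + re.escape(name) + r";", re.IGNORECASE)
        if any(pat.match(l) for l in log_lines):
            still["drivers"].append(name)
    # A file survives if its full path still appears anywhere in the log
    # (services, drivers, or the created/modified file sections).
    for path in wanted.get("files to delete", []):
        if any(path.lower() in l.lower() for l in log_lines):
            still["files"].append(path)
    return still


def fix_verified(script: str, frst_log: str) -> bool:
    """True when none of the scripted drivers or files remain in the rescan."""
    r = remaining_artifacts(script, frst_log)
    return not r["drivers"] and not r["files"]


# Constructed excerpts: BEFORE_LOG is copied from the log posted in this
# thread; AFTER_LOG is a hypothetical clean rescan where those entries are gone.
BEFORE_LOG = r"""
R1 pcwatch; C:\WINDOWS\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S3 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]
2014-09-10 21:10 - 2014-09-01 12:28 - 00304776 _____ (MyOSCompany) C:\WINDOWS\system32\MyOSProtect.dll
2014-09-02 13:55 - 2014-09-02 13:55 - 00034244 _____ () C:\monitorsvc.exe
"""
AFTER_LOG = r"""
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
"""

if __name__ == "__main__":
    print("before:", remaining_artifacts(AVENGER_SCRIPT, BEFORE_LOG))
    print("after :", fix_verified(AVENGER_SCRIPT, AFTER_LOG))
```

FRST only lists what it can see, so absence from the rescan is the expected sign that the Avenger run worked; the avenger.txt log requested in Step 1 remains the record of what was actually removed, and the winsock reset in the script leaves no trace in an FRST log at all, so this check cannot confirm it.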


#9 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 04 October 2014 - 09:30 AM

I haven't heard from you for some time now.
Do you still need help?

#10 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 12 October 2014 - 01:21 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



