
Anti-Virus Has Been Prevented By A Software Restriction Policy


This topic is locked
11 replies to this topic

#1 budz78

budz78

  • Members
  • 26 posts

Posted 01 January 2015 - 03:52 PM

When starting the computer I get this "Restriction Policy" window that is causing my BitDefender Anti-Virus not to run. I ran Malwarebytes and it picked up a Trojan but did not get rid of it. I am running Windows XP SP3. I ran the DDS program like instructed and attached are the results. Can you help me remove whatever this is? Thanks

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Dad at 15:26:52 on 2015-01-01
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1279.568 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
C:\Program Files\ASUS\Printer Utilities\UsbService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
mStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Bitdefender Wallet: {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - c:\program files\bitdefender\bitdefender\pmbxie.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Bitdefender Wallet Agent] "c:\program files\bitdefender\bitdefender\pmbxag.exe"
uRun: [Bitdefender Wallet] "c:\program files\bitdefender\bitdefender\pwdmanui.exe" --hidden --nowizard
uRun: [Bitdefender Wallet Application Agent] "c:\program files\bitdefender\bitdefender\bdapppassmgr.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_12_0_0_44_ActiveX.exe -update activex
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [Bitdefender Wallet Agent] "c:\program files\bitdefender\bitdefender\pmbxag.exe"
dRun: [Bitdefender Wallet] "c:\program files\bitdefender\bitdefender\pwdmanui.exe" --hidden --nowizard
dRun: [Bitdefender Wallet Application Agent] "c:\program files\bitdefender\bitdefender\bdapppassmgr.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: DisallowRun = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{5F626E98-A6DD-4AD8-A787-5EC00921F05D} : DHCPNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad\application data\mozilla\firefox\profiles\v7wp6yps.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_152.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 03:00; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2014-8-15 1073160]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-4-21 70912]
R2 UPDATESRV;Bitdefender Desktop Update Service;c:\program files\bitdefender\bitdefender\updatesrv.exe [2014-2-15 54424]
R2 UsbService;ASUS Virtual MFP Service;c:\program files\asus\printer utilities\UsbService.exe [2013-2-20 217088]
R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [2013-2-27 32896]
R3 avchv;avchv Function Driver;c:\windows\system32\drivers\avchv.sys [2014-2-15 242504]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [2013-2-20 66432]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2014-8-15 528248]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-12-27 84248]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-11-3 114904]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys --> c:\windows\system32\drivers\motoandroid.sys [?]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-12-27 182680]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile="c:\windows\system32\NOTEPAD.EXE" %1
FileExt: .chm: Applications\RealPlay.exe="c:\program files\real\realplayer\realplay.exe" "%1" [UserChoice]
FileExt: .ini: inifile="c:\windows\system32\NOTEPAD.EXE" %1
FileExt: .inf: inffile="c:\windows\system32\NOTEPAD.EXE" %1
ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
.
=============== Created Last 30 ================
.
2015-01-01 15:22:53 408280 ----a-w- c:\windows\system32\drivers\trufos.sys
2015-01-01 15:22:53 165744 ----a-w- c:\windows\system32\drivers\gzflt.sys
2015-01-01 15:02:11 -------- d-----w- C:\FRST
2015-01-01 14:48:55 61759 ----a-w- c:\documents and settings\all users\application data\1420123727.bdinstall.bin
2015-01-01 14:33:33 172266 ----a-w- c:\documents and settings\all users\application data\1420122752.bdinstall.bin
2015-01-01 14:30:01 174175 ----a-w- c:\documents and settings\all users\application data\1420122568.bdinstall.bin
2015-01-01 14:27:20 172932 ----a-w- c:\documents and settings\all users\application data\1420122410.bdinstall.bin
2015-01-01 14:26:49 92172 ----a-w- c:\documents and settings\all users\application data\1420122404.bdinstall.bin
.
==================== Find3M  ====================
.
2015-01-01 15:15:04 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-09 11:40:34 1073160 ----a-w- c:\windows\system32\drivers\avc3.sys
2014-11-21 11:14:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14:06 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-12 16:35:09 10992704 -c--a-w- c:\program files\HRBlock_DeluxeSE_2011_Update_B.exe
.
============= FINISH: 15:28:35.82 ===============

#2 budz78

budz78
  • Topic Starter

  • Members
  • 26 posts

Posted 04 January 2015 - 01:57 PM

I'm not sure how long it takes for someone to respond. Is there something else I could do in the meantime? I have not been using my computer for fear of my anti-virus not running.



#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,764 posts
  • Gender:Male

Posted 06 January 2015 - 03:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/561746 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 budz78

budz78
  • Topic Starter

  • Members
  • 26 posts

Posted 06 January 2015 - 04:17 PM

Hi, I still need help. I get a message stating "Anti-Virus has been prevented by a software restriction policy". This prevents my BitDefender Anti-Virus from running. I ran Malwarebytes and it showed some sort of Trojan; I can't remember which one. I am running Windows XP 32-bit. I do have the original Windows CD. I have not done anything since this was originally posted. Here are my results from DDS.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Dad at 16:11:30 on 2015-01-06
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1279.695 [GMT -5:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
C:\Program Files\ASUS\Printer Utilities\UsbService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
mStart Page = about:blank
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Bitdefender Wallet: {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} - c:\program files\bitdefender\bitdefender\pmbxie.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - <orphaned>
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
EB: Adobe PDF: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Bitdefender Wallet Agent] "c:\program files\bitdefender\bitdefender\pmbxag.exe"
uRun: [Bitdefender Wallet] "c:\program files\bitdefender\bitdefender\pwdmanui.exe" --hidden --nowizard
uRun: [Bitdefender Wallet Application Agent] "c:\program files\bitdefender\bitdefender\bdapppassmgr.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_12_0_0_44_ActiveX.exe -update activex
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [Bitdefender Wallet Agent] "c:\program files\bitdefender\bitdefender\pmbxag.exe"
dRun: [Bitdefender Wallet] "c:\program files\bitdefender\bitdefender\pwdmanui.exe" --hidden --nowizard
dRun: [Bitdefender Wallet Application Agent] "c:\program files\bitdefender\bitdefender\bdapppassmgr.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: DisallowRun = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{5F626E98-A6DD-4AD8-A787-5EC00921F05D} : DHCPNameServer = 192.168.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dad\application data\mozilla\firefox\profiles\v7wp6yps.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_152.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: !HIDDEN! 2009-09-02 03:00; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2014-8-15 1073160]
R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-4-21 70912]
R2 UPDATESRV;Bitdefender Desktop Update Service;c:\program files\bitdefender\bitdefender\updatesrv.exe [2014-2-15 54424]
R2 UsbService;ASUS Virtual MFP Service;c:\program files\asus\printer utilities\UsbService.exe [2013-2-20 217088]
R3 anvsnddrv;AnvSoft Virtual Sound Device;c:\windows\system32\drivers\anvsnddrv.sys [2013-2-27 32896]
R3 avchv;avchv Function Driver;c:\windows\system32\drivers\avchv.sys [2014-2-15 242504]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [2013-2-20 66432]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2014-8-15 528248]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2013-12-27 84248]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-11-3 114904]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys --> c:\windows\system32\drivers\motoandroid.sys [?]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2013-12-27 182680]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile="c:\windows\system32\NOTEPAD.EXE" %1
FileExt: .chm: Applications\RealPlay.exe="c:\program files\real\realplayer\realplay.exe" "%1" [UserChoice]
FileExt: .ini: inifile="c:\windows\system32\NOTEPAD.EXE" %1
FileExt: .inf: inffile="c:\windows\system32\NOTEPAD.EXE" %1
ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
.
=============== Created Last 30 ================
.
2015-01-01 15:22:53 408280 ----a-w- c:\windows\system32\drivers\trufos.sys
2015-01-01 15:22:53 165744 ----a-w- c:\windows\system32\drivers\gzflt.sys
2015-01-01 15:02:11 -------- d-----w- C:\FRST
2015-01-01 14:48:55 61759 ----a-w- c:\documents and settings\all users\application data\1420123727.bdinstall.bin
2015-01-01 14:33:33 172266 ----a-w- c:\documents and settings\all users\application data\1420122752.bdinstall.bin
2015-01-01 14:30:01 174175 ----a-w- c:\documents and settings\all users\application data\1420122568.bdinstall.bin
2015-01-01 14:27:20 172932 ----a-w- c:\documents and settings\all users\application data\1420122410.bdinstall.bin
2015-01-01 14:26:49 92172 ----a-w- c:\documents and settings\all users\application data\1420122404.bdinstall.bin
.
==================== Find3M  ====================
.
2015-01-01 15:15:04 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-09 11:40:34 1073160 ----a-w- c:\windows\system32\drivers\avc3.sys
2014-11-21 11:14:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14:06 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-12 16:35:09 10992704 -c--a-w- c:\program files\HRBlock_DeluxeSE_2011_Update_B.exe
.
============= FINISH: 16:12:17.65 ===============
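The message budz78 quotes is the text Windows shows when a Software Restriction Policy (SRP) rule blocks a program from starting, and the FRST log posted later in this thread lists "Group Policy restriction on software" entries for the Bitdefender, Malwarebytes, ESET, Trend Micro and AVG folders. SRP path rules are stored in the registry under Safer\CodeIdentifiers, so the rules can be inspected directly. The following PowerShell script is an added example for illustration, not a tool from this thread or from any of the helpers; it enumerates SRP path rules in HKLM and HKCU and flags Disallowed rules that point at security-product folders. The vendor watch list, the helper name Get-SrpPathRules and the PS 2.0-compatible object construction are assumptions of this example.

```powershell
# Added example (not from this thread): list Software Restriction Policy (SRP) path rules
# and flag "Disallowed" rules that point at security-product folders.
# Assumption: the standard SRP registry layout
#   <hive>\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\<rule GUID>
# where each rule key carries an ItemData value holding the restricted path.

# Folder names to watch; constructed from the product folders named in the FRST log in this thread.
$WatchList = @('Bitdefender', 'Malwarebytes', 'ESET', 'Trend Micro', 'avg')

# SRP security levels (SAFER_LEVELID_* constants); the level is the name of the subkey.
$Levels = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'BasicUser'
    262144 = 'Unrestricted'
}

function Get-SrpPathRules {
    param([string[]]$Hives = @('HKLM', 'HKCU'))
    foreach ($hive in $Hives) {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }
        foreach ($levelKey in (Get-ChildItem $base -ErrorAction SilentlyContinue)) {
            # Level subkeys are numeric; skip anything else that may sit under CodeIdentifiers.
            $level = 0
            if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in (Get-ChildItem $pathsKey -ErrorAction SilentlyContinue)) {
                $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
                $hit  = @($WatchList | Where-Object { $data -like "*$_*" }).Count -gt 0
                if ($Levels.ContainsKey($level)) { $levelName = $Levels[$level] }
                else { $levelName = ('0x{0:X}' -f $level) }
                # A Disallowed rule aimed at an AV/anti-malware folder is what keeps the product from starting.
                New-Object PSObject -Property @{
                    Hive       = $hive
                    Level      = $levelName
                    RuleId     = $rule.PSChildName
                    Path       = $data
                    Suspicious = (($level -eq 0) -and $hit)
                }
            }
        }
    }
}

Get-SrpPathRules |
    Select-Object Hive, Level, RuleId, Path, Suspicious |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; rows with Suspicious set to True are the rules to examine. Two caveats: the script only reads path rules, while hash rules live in a sibling Hashes key and are not covered; and on Windows XP Home, which ships without a Group Policy editor, Disallowed rules for security-software directories are unlikely to have been created by an administrator and are a strong sign that something wrote them straight into the registry.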

#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 January 2015 - 11:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#6 budz78

budz78
  • Topic Starter

  • Members
  • 26 posts

Posted 07 January 2015 - 03:25 PM

Hi, Thanks for helping me out. Here are the files you asked for.

# AdwCleaner v4.106 - Report created 07/01/2015 at 15:01:23
# Updated 21/12/2014 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Dad - PAIN
# Running from : C:\Documents and Settings\Dad\Desktop\adwcleaner_4.106.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\Documents and Settings\Mom\Application Data\iWin

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v30.0 (en-US)

*************************

AdwCleaner[R0].txt - [17261 octets] - [05/02/2014 11:13:49]
AdwCleaner[R1].txt - [1146 octets] - [08/02/2014 17:01:53]
AdwCleaner[R2].txt - [5157 octets] - [21/02/2014 15:48:18]
AdwCleaner[R3].txt - [1455 octets] - [05/03/2014 13:22:15]
AdwCleaner[R4].txt - [3741 octets] - [12/06/2014 16:12:09]
AdwCleaner[R5].txt - [1421 octets] - [07/01/2015 15:01:23]
AdwCleaner[S0].txt - [17061 octets] - [05/02/2014 11:15:51]
AdwCleaner[S1].txt - [1208 octets] - [08/02/2014 17:06:05]
AdwCleaner[S2].txt - [5334 octets] - [21/02/2014 15:50:40]
AdwCleaner[S3].txt - [1520 octets] - [05/03/2014 13:24:08]
AdwCleaner[S4].txt - [3842 octets] - [12/06/2014 16:13:50]

########## EOF - C:\AdwCleaner\AdwCleaner[R5].txt - [1782 octets] ##########

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-01-2015
Ran by Dad (administrator) on PAIN on 07-01-2015 15:13:53
Running from C:\Documents and Settings\Dad\Desktop
Loaded Profile: Dad (Available profiles: Dad & Mom & Buddy & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\WINDOWS\system32\PnkBstrA.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe
() C:\Program Files\ASUS\Printer Utilities\UsbService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
(Macrovision Europe Ltd.) C:\DOCUME~1\Dad\LOCALS~1\temp\Adobelm_Cleanup.0001
(Adobe Systems) C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
(Macrovision Europe Ltd.) C:\DOCUME~1\Dad\LOCALS~1\temp\Adobelm_Cleanup.0001
(RealNetworks, Inc.) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [TkBellExe] => C:\Program Files\Common Files\Real\Update_OB\realsched.exe [198160 2009-09-19] (RealNetworks, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\ESET <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Bitdefender\Bitdefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\BitDefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2014-12-09] (Bitdefender)
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2014-08-15] (Bitdefender)
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2014-08-15] (Bitdefender)
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_12_0_0_44_ActiveX.exe [840584 2014-02-17] (Adobe Systems Incorporated)
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Policies\Explorer: [DisallowRun] 0
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Agent] => C:\Program Files\Bitdefender\Bitdefender\pmbxag.exe [482392 2014-12-09] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet] => C:\Program Files\Bitdefender\Bitdefender\pwdmanui.exe [901608 2014-08-15] (Bitdefender)
HKU\S-1-5-18\...\Run: [Bitdefender Wallet Application Agent] => C:\Program Files\Bitdefender\Bitdefender\bdapppassmgr.exe [615256 2014-08-15] (Bitdefender)
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} =>  No File
AlternateShell:

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1454471165-1563985344-725345543-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Bitdefender Wallet -> {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -> C:\Program Files\Bitdefender\Bitdefender\pmbxie.dll (Bitdefender)
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
BHO: BitComet Helper -> {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} -> C:\Program Files\BitComet\tools\BitCometBHO_1.2.8.7.dll (BitComet)
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: MSN Toolbar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKLM - MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - No Name - {343db173-0e5a-4f2a-b7bb-71a49085d70e} -  No File
Toolbar: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v7wp6yps.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_9_900_152.dll ()
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_33 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.448 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.3.448 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprjplug.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Extension: Move Media Player - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v7wp6yps.default\Extensions\moveplayer@movenetworks.com [2009-03-27]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v7wp6yps.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011-12-11]
FF Extension: New Tab Homepage - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v7wp6yps.default\Extensions\{66E978CD-981F-47DF-AC42-E3CF417C1467} [2013-06-05]
FF Extension: Adobe DLM (powered by getPlus®) - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v7wp6yps.default\Extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7} [2010-08-20]
FF Extension: No Name - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v7wp6yps.default\Extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}-trash [2012-06-13]
FF Extension: Adblock Plus - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\v7wp6yps.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-06-29]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-04-02]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext
FF Extension: RealPlayer Browser Record Plugin - C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext [2009-09-19]
FF HKLM\...\Firefox\Extensions: [ffpwdman@bitdefender.com] - C:\Program Files\Bitdefender\Bitdefender\ffpwdman
FF Extension: Bitdefender Wallet - C:\Program Files\Bitdefender\Bitdefender\ffpwdman [2014-02-15]
FF HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Firefox\Extensions: [{6293e750-886b-4020-9374-59fae9b04ca4}] - C:\Program Files\LyricsParty\130.xpi

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [ccahoghmggldkcdjiebjkidpfongdfbl] - C:\Program Files\Bitdefender\Bitdefender\pmbxcr.crx [2014-02-15]
CHR HKLM\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\Dad\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]
CHR HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\Dad\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2008-12-27] (Adobe Systems) [File not signed]
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-19] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-01-19] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S3 NetSvc; C:\Program Files\Intel\NCS\Sync\NetSvc.exe [143360 2003-03-03] (Intel® Corporation) [File not signed]
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [76888 2012-06-08] ()
R2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender\updatesrv.exe [54424 2014-08-15] (Bitdefender)
R2 UsbService; C:\Program Files\ASUS\Printer Utilities\UsbService.exe [217088 2010-08-10] () [File not signed]
S4 VSSERV; C:\Program Files\Bitdefender\Bitdefender\vsserv.exe [1302784 2014-12-09] (Bitdefender)
S2 Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [X]
S2 NVSvc; %SystemRoot%\system32\nvsvc32.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 anvsnddrv; C:\WINDOWS\System32\drivers\anvsnddrv.sys [32896 2011-11-28] (AnvSoft Inc.) [File not signed]
R0 avc3; C:\WINDOWS\System32\DRIVERS\avc3.sys [1073160 2014-12-09] (BitDefender)
R3 avchv; C:\WINDOWS\System32\DRIVERS\avchv.sys [242504 2012-11-02] (BitDefender)
S3 avckf; C:\WINDOWS\System32\DRIVERS\avckf.sys [528248 2014-08-15] (BitDefender)
R1 bdftdif; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdftdif.sys [130640 2011-11-14] (BitDefender LLC)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 COMMONFX.DLL; C:\WINDOWS\System32\COMMONFX.DLL [126976 2003-02-20] (Creative Technology Ltd)
S3 CT20XUT.DLL; C:\WINDOWS\System32\CT20XUT.DLL [164608 2007-04-12] (Creative Technology Ltd.)
S3 CTAUDFX.DLL; C:\WINDOWS\System32\CTAUDFX.DLL [495616 2003-02-20] (Creative Technology Ltd)
S3 ctdvda2k; C:\WINDOWS\System32\drivers\ctdvda2k.sys [287920 2003-03-27] (Creative Technology Ltd)
S3 CTEAPSFX.DLL; C:\WINDOWS\System32\CTEAPSFX.DLL [168192 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPFX.DLL; C:\WINDOWS\System32\CTEDSPFX.DLL [280320 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPIO.DLL; C:\WINDOWS\System32\CTEDSPIO.DLL [128768 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPSY.DLL; C:\WINDOWS\System32\CTEDSPSY.DLL [323328 2007-04-12] (Creative Technology Ltd)
S3 CTERFXFX.DLL; C:\WINDOWS\System32\CTERFXFX.DLL [94976 2007-04-12] (Creative Technology Ltd)
S3 CTEXFIFX.DLL; C:\WINDOWS\System32\CTEXFIFX.DLL [1317632 2007-04-12] (Creative Technology Ltd.)
S3 CTHWIUT.DLL; C:\WINDOWS\System32\CTHWIUT.DLL [66816 2007-04-12] (Creative Technology Ltd.)
S3 CTSBLFX.DLL; C:\WINDOWS\System32\CTSBLFX.DLL [655360 2003-02-20] (Creative Technology Ltd)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [823616 2003-03-26] (Creative Technology Ltd)
R3 hap16v2k; C:\WINDOWS\System32\drivers\hap16v2k.sys [141536 2003-03-26] (Creative Technology Ltd)
S3 hap17v2k; C:\WINDOWS\System32\drivers\hap17v2k.sys [189736 2007-04-10] (Creative Technology Ltd)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2006-12-06] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2006-12-06] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2006-12-06] (HP)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-01] (Malwarebytes Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R1 OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [13632 2001-08-22] (Dell Computer Corporation) [File not signed]
R2 PfModNT; C:\WINDOWS\System32\drivers\PfModNT.sys [15840 2003-03-06] (Creative Technology Ltd.)
R2 Prvflder; C:\WINDOWS\System32\DRIVERS\prvflder.sys [70912 2006-04-21] (Windows ® 2000 DDK provider)
S3 usbbus; C:\WINDOWS\System32\DRIVERS\lgusbbus.sys [12672 2007-04-09] (LG Electronics Inc.)
S3 UsbDiag; C:\WINDOWS\System32\DRIVERS\lgusbdiag.sys [21248 2007-04-09] (LG Electronics Inc.)
S3 USBModem; C:\WINDOWS\System32\DRIVERS\lgusbmodem.sys [22912 2007-04-09] (LG Electronics Inc.)
R3 vuhub; C:\WINDOWS\System32\DRIVERS\vuhub.sys [66432 2007-12-20] ()
U0 gzflt; No ImagePath
S4 IntelIde; No ImagePath
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 mbr; \??\C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-07 15:13 - 2015-01-07 15:14 - 00018937 _____ () C:\Documents and Settings\Dad\Desktop\FRST.txt
2015-01-07 15:12 - 2015-01-07 15:12 - 01115648 _____ (Farbar) C:\Documents and Settings\Dad\Desktop\FRST.exe
2015-01-07 15:11 - 2015-01-07 15:11 - 00001862 _____ () C:\Documents and Settings\Dad\Desktop\AdwCleaner[R5].txt
2015-01-07 14:59 - 2015-01-07 14:59 - 02173952 _____ () C:\Documents and Settings\Dad\Desktop\adwcleaner_4.106.exe
2015-01-06 16:12 - 2015-01-06 16:12 - 00015445 _____ () C:\Documents and Settings\Dad\Desktop\attach.txt
2015-01-06 16:12 - 2015-01-06 16:12 - 00010123 _____ () C:\Documents and Settings\Dad\Desktop\dds.txt
2015-01-01 15:25 - 2015-01-01 15:25 - 00688992 ____R (Swearware) C:\Documents and Settings\Dad\Desktop\dds.com
2015-01-01 10:22 - 2015-01-01 10:22 - 00408280 _____ (BitDefender S.R.L.) C:\WINDOWS\system32\Drivers\trufos.sys
2015-01-01 10:22 - 2015-01-01 10:22 - 00165744 _____ (BitDefender LLC) C:\WINDOWS\system32\Drivers\gzflt.sys
2015-01-01 10:02 - 2015-01-07 15:13 - 00000000 ____D () C:\FRST
2015-01-01 09:58 - 2014-12-12 00:46 - 04187592 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\Dad\Desktop\TDSSKiller.exe
2015-01-01 09:48 - 2015-01-01 09:48 - 00061759 _____ () C:\Documents and Settings\All Users\Application Data\1420123727.bdinstall.bin
2015-01-01 09:33 - 2015-01-01 09:33 - 00172266 _____ () C:\Documents and Settings\All Users\Application Data\1420122752.bdinstall.bin
2015-01-01 09:30 - 2015-01-01 09:30 - 00174175 _____ () C:\Documents and Settings\All Users\Application Data\1420122568.bdinstall.bin
2015-01-01 09:27 - 2015-01-01 09:27 - 00172932 _____ () C:\Documents and Settings\All Users\Application Data\1420122410.bdinstall.bin
2015-01-01 09:26 - 2015-01-01 09:26 - 00092172 _____ () C:\Documents and Settings\All Users\Application Data\1420122404.bdinstall.bin
2014-12-30 10:11 - 2014-12-30 10:11 - 00006323 _____ () C:\Documents and Settings\Mom\Local Settings\Application Data\gxxdgumv
2014-12-28 11:26 - 2015-01-01 11:01 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-12-28 11:26 - 2015-01-01 11:01 - 00000048 _____ () C:\WINDOWS\wiaservc.log
2014-12-28 11:26 - 2014-12-28 11:26 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2014-12-28 11:25 - 2015-01-07 07:22 - 00153687 _____ () C:\WINDOWS\WindowsUpdate.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-07 15:14 - 2009-04-20 10:22 - 00000000 ____D () C:\Documents and Settings\Dad\Local Settings\temp
2015-01-07 15:05 - 2014-02-05 11:13 - 00000000 ____D () C:\AdwCleaner
2015-01-04 14:48 - 2008-12-25 06:35 - 00000178 __SHC () C:\Documents and Settings\Mom\ntuser.ini
2015-01-04 14:40 - 2009-04-20 10:22 - 00000000 ____D () C:\Documents and Settings\Mom\Local Settings\temp
2015-01-04 14:40 - 2009-02-17 19:34 - 00178882 ____C () C:\WINDOWS\system32\nvapps.xml
2015-01-03 19:41 - 2012-03-22 12:33 - 00000284 ____C () C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2015-01-02 14:49 - 2009-01-07 01:17 - 00000000 ____D () C:\Documents and Settings\Dad\My Documents\Password Agent
2015-01-01 11:01 - 2008-12-20 17:12 - 00000006 ___HC () C:\WINDOWS\Tasks\SA.DAT
2015-01-01 11:01 - 2003-07-21 05:20 - 00000218 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-01-01 11:00 - 2010-03-05 00:12 - 00000288 ____C () C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2015-01-01 11:00 - 2010-03-05 00:12 - 00000288 ____C () C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2015-01-01 11:00 - 2008-12-20 18:19 - 00001080 ____C () C:\WINDOWS\system32\settingsbkup.sfm
2015-01-01 11:00 - 2008-12-20 18:19 - 00001080 ____C () C:\WINDOWS\system32\settings.sfm
2015-01-01 11:00 - 2008-12-20 17:17 - 00032636 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-01 10:59 - 2008-12-20 17:20 - 00000178 __SHC () C:\Documents and Settings\Dad\ntuser.ini
2015-01-01 10:15 - 2014-11-03 17:51 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-01 08:50 - 2003-07-16 15:53 - 00002206 ____C () C:\WINDOWS\system32\wpa.dbl
2014-12-31 02:43 - 2008-12-20 17:11 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-12-31 02:38 - 2014-02-24 15:06 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2492386$
2014-12-31 02:37 - 2008-12-25 06:35 - 00000000 ____D () C:\Documents and Settings\Mom
2014-12-31 02:35 - 2011-03-11 02:52 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-12-27 21:58 - 2014-11-03 17:50 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-27 21:58 - 2014-02-06 12:06 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-27 21:47 - 2014-02-16 17:04 - 00661573 _____ () C:\Documents and Settings\Dad\debug.log
2014-12-27 20:59 - 2003-07-16 15:51 - 00000681 ____C () C:\WINDOWS\win.ini
2014-12-18 11:11 - 2008-12-20 17:20 - 00000000 ____D () C:\Documents and Settings\Dad
2014-12-12 16:20 - 2013-07-12 07:07 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-12-12 16:09 - 2008-12-20 18:50 - 109818608 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-12-09 06:40 - 2014-08-15 06:35 - 01073160 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avc3.sys

Files to move or delete:
====================
C:\Documents and Settings\Dad\udownload.dat

Some content of TEMP:
====================
C:\Documents and Settings\Mom\Local Settings\temp\CitrixOnlineLauncher.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,521 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 January 2015 - 08:42 AM

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\ESET <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Bitdefender\Bitdefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\BitDefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} =>  No File
AlternateShell:
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKLM - No Name - {343db173-0e5a-4f2a-b7bb-71a49085d70e} -  No File
Toolbar: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Firefox\Extensions: [{6293e750-886b-4020-9374-59fae9b04ca4}] - C:\Program Files\LyricsParty\130.xpi
CHR HKLM\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\Dad\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]
CHR HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\Dad\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]
S2 Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [X]
S2 NVSvc; %SystemRoot%\system32\nvsvc32.exe [X]
U0 gzflt; No ImagePath
S4 IntelIde; No ImagePath
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
U3 mbr; \??\C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys [X]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:1A15E356
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:4CD3F344
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A3B8F70C
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A4E7D25F
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:BF3D62E7
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:CE3AADB7
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:F89F2593
AlternateDataStreams: C:\Documents and Settings\Dad\Desktop\FSS.exe:BDU
AlternateDataStreams: C:\Documents and Settings\Dad\Desktop\JRT.exe:BDU
AlternateDataStreams: C:\Documents and Settings\Dad\Desktop\Speccy.exe:BDU
C:\Program Files\LyricsParty

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
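The "HKLM Group Policy restriction on software" lines in the FRST log above are the Software Restriction Policy (SRP) path rules that were blocking Bitdefender and Malwarebytes. As an added example (not part of nasdaq's post, of FRST, or of any vendor tooling), here is a small Python triage parser that pulls those lines out of an FRST log and separates rules aimed at security-product directories from rules on anything else; the vendor-name list and the sample log are assumptions constructed from this thread.

```python
"""Triage the 'Group Policy restriction on software' lines FRST prints.

Added example for this thread; it is not part of nasdaq's post, of FRST,
or of any Bitdefender/Malwarebytes tooling.  FRST emits these lines when a
Software Restriction Policy (SRP) path rule exists under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers; a
Disallowed rule on a security product's directory is what produces the
"has been prevented by a software restriction policy" message the poster saw.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One FRST line: "<hive> Group Policy restriction on software: <path> <====== ATTENTION"
SRP_LINE = re.compile(
    r"^(?P<hive>HKLM|HKU\\\S+) Group Policy restriction on software: "
    r"(?P<path>.*?)\s*(?P<attn><=+ ATTENTION)?\s*$"
)

# Vendor directory names seen in this thread's log.  Word boundaries keep
# "eset" from matching "reset"; "avg\d*" covers the versioned "avg8" folder.
# The list is an assumption: extend it for the products in your environment.
SECURITY_VENDOR_RE = re.compile(r"\b(?:malwarebytes|bitdefender|eset|trend micro|avg\d*)\b")


@dataclass(frozen=True)
class SrpRestriction:
    hive: str                       # registry hive the rule lives in
    path: str                       # directory the SRP rule disallows
    targets_security_product: bool  # True when the path is a known AV/anti-malware dir
    flagged_by_frst: bool           # True when FRST appended "<====== ATTENTION"


def parse_srp_restrictions(log_text: str) -> list[SrpRestriction]:
    """Extract every SRP path-rule line from FRST output, ignoring all other lines."""
    found: list[SrpRestriction] = []
    for raw in log_text.splitlines():
        m = SRP_LINE.match(raw.strip())
        if m is None:
            continue
        path = m.group("path")
        found.append(SrpRestriction(
            hive=m.group("hive"),
            path=path,
            targets_security_product=SECURITY_VENDOR_RE.search(path.lower()) is not None,
            flagged_by_frst=m.group("attn") is not None,
        ))
    return found


def triage(log_text: str) -> tuple[list[str], list[str]]:
    """Split restricted paths into (security-product paths, everything else).

    Several rules aimed at different AV vendors at once, as in this thread,
    is the malware pattern; a single rule on an unrelated directory may be a
    legitimate admin policy and deserves a look before it is removed.
    """
    entries = parse_srp_restrictions(log_text)
    blocked_security = [e.path for e in entries if e.targets_security_product]
    other = [e.path for e in entries if not e.targets_security_product]
    return blocked_security, other


# Constructed sample: the SRP lines from the FRST log in this thread plus
# an unrelated Run entry and one made-up non-security path for contrast.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\ESET <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Bitdefender\Bitdefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\BitDefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Some Legacy Game <====== ATTENTION
"""

if __name__ == "__main__":
    blocked, other = triage(SAMPLE_FRST_LINES)
    print(f"{len(blocked)} SRP rule(s) block security-product directories:")
    for p in blocked:
        print("  ", p)
    print(f"{len(other)} SRP rule(s) on other directories (review before removing):")
    for p in other:
        print("  ", p)
```

Run it against a saved FRST.txt by passing the file's contents to triage(); the Fixlog posted later in this thread shows FRST restoring each of these rules once they are listed in fixlist.txt.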

#8 budz78

budz78
  • Topic Starter

  • Members
  • 26 posts

Posted 08 January 2015 - 10:26 PM

This seemed to help get my BitDefender running, but it says "it's not responding, contact customer support". I have restarted the computer with no luck. It also says vsserv.exe is unavailable at the moment, and it seems to load very slowly before showing this message.

Here are the results from the programs.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-01-2015
Ran by Dad at 2015-01-08 21:40:07 Run:2
Running from C:\Documents and Settings\Dad\Desktop
Loaded Profile: Dad (Available profiles: Dad & Mom & Buddy & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\ESET <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Bitdefender\Bitdefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\avg8 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\BitDefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} =>  No File
AlternateShell:
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
SearchScopes: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKLM - No Name - {343db173-0e5a-4f2a-b7bb-71a49085d70e} -  No File
Toolbar: HKU\S-1-5-21-1454471165-1563985344-725345543-1004 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Firefox\Extensions: [{6293e750-886b-4020-9374-59fae9b04ca4}] - C:\Program Files\LyricsParty\130.xpi
CHR HKLM\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\Dad\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]
CHR HKU\S-1-5-21-1454471165-1563985344-725345543-1004\...\Chrome\Extension: [nemfjadlboooiffmcelkafilagddogim] - C:\Documents and Settings\Dad\Local Settings\Application Data\CRE\nemfjadlboooiffmcelkafilagddogim.crx [Not Found]
S2 Creative Service for CDROM Access; C:\WINDOWS\System32\CTsvcCDA.exe [X]
S2 NVSvc; %SystemRoot%\system32\nvsvc32.exe [X]
U0 gzflt; No ImagePath
S4 IntelIde; No ImagePath
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
U3 mbr; \??\C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys [X]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:1A15E356
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:4CD3F344
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A3B8F70C
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A4E7D25F
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:BF3D62E7
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:CE3AADB7
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:F89F2593
AlternateDataStreams: C:\Documents and Settings\Dad\Desktop\FSS.exe:BDU
AlternateDataStreams: C:\Documents and Settings\Dad\Desktop\JRT.exe:BDU
AlternateDataStreams: C:\Documents and Settings\Dad\Desktop\Speccy.exe:BDU
C:\Program Files\LyricsParty

End
*****************

Processes closed successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSharedOverlay" => Key deleted successfully.
HKCR\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => Key not found.
hklm\System\CurrentControlSet\Control\SafeBoot\\AlternateShell => Value was restored successfully.
"HKU\S-1-5-21-1454471165-1563985344-725345543-1004\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-1454471165-1563985344-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{343db173-0e5a-4f2a-b7bb-71a49085d70e} => value deleted successfully.
HKCR\CLSID\{343db173-0e5a-4f2a-b7bb-71a49085d70e} => Key not found.
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} => value deleted successfully.
HKCR\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825} => Key not found.
"HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0" => Key deleted successfully.
HKU\S-1-5-21-1454471165-1563985344-725345543-1004\Software\Mozilla\Firefox\Extensions\\{6293e750-886b-4020-9374-59fae9b04ca4} => value deleted successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\nemfjadlboooiffmcelkafilagddogim" => Key deleted successfully.
"HKU\S-1-5-21-1454471165-1563985344-725345543-1004\SOFTWARE\Google\Chrome\Extensions\nemfjadlboooiffmcelkafilagddogim" => Key deleted successfully.
Creative Service for CDROM Access => Service deleted successfully.
NVSvc => Service deleted successfully.
gzflt => Service deleted successfully.
IntelIde => Service deleted successfully.
motandroidusb => Service deleted successfully.
mbr => Service deleted successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":1A15E356" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":4CD3F344" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":A3B8F70C" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":A4E7D25F" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":A8ADE5D8" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":BF3D62E7" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":CE3AADB7" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":DFC5A2B2" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":F89F2593" ADS removed successfully.
C:\Documents and Settings\Dad\Desktop\FSS.exe => ":BDU" ADS removed successfully.
C:\Documents and Settings\Dad\Desktop\JRT.exe => ":BDU" ADS removed successfully.
C:\Documents and Settings\Dad\Desktop\Speccy.exe => ":BDU" ADS removed successfully.
"C:\Program Files\LyricsParty" => File/Directory not found.

The system needed a reboot.

==== End of Fixlog 21:40:07 ====

 Results of screen317's Security Check version 0.99.93 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 ESET Online Scanner v3  
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File 
 Out of date HijackThis  installed!
 HijackThis 2.0.2   
  Adobe Flash Player  11.9.900.152 Flash Player out of Date! 
 Mozilla Firefox 30.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Bitdefender Bitdefender updatesrv.exe 
 Bitdefender Bitdefender pmbxag.exe 
 Bitdefender Bitdefender bdapppassmgr.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 30% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

#9 nasdaq

  • Malware Response Team
  • 40,521 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 January 2015 - 09:14 AM

This seemed to help get my BitDefender running, but it says "it's not responding, contact customer support". I have restarted the computer with no luck. It also says vsserv.exe is unavailable at the moment, and it seems to load very slowly before getting this message.


What is the vsserv.exe process?
http://www.bitdefender.com/support/what-is-the-vsserv-exe-process-1116.html

Refer to this article; if all fails, then contact their support (link on the page).

===

Out of date HijackThis installed!
HijackThis 2.0.2

Remove this expired tool. Use the Farbar tool from now on to report problems.
===

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
===

Total Fragmentation on Drive C:: 30% Defragment your hard drive soon! (Do NOT defrag if SSD!)


Defrag your computer.
How to:
http://support.microsoft.com/kb/314848

===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#10 budz78

  • Topic Starter
  • Members
  • 26 posts

Posted 12 January 2015 - 06:16 PM

I've done all that you asked. I am in the process of trying to resolve the vsserv.exe issue with BitDefender. I did uninstall and reinstall, to no avail. I'll keep you updated.



#11 budz78

  • Topic Starter
  • Members
  • 26 posts

Posted 25 January 2015 - 04:49 PM

Bitdefender resolved their issue. Everything seems good now, thanks for your help.

#12 nasdaq

  • Malware Response Team
  • 40,521 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 January 2015 - 08:49 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.