
XP SP3 **Software Restriction Policy** Rootkit(?) Help Needed


  • This topic is locked
64 replies to this topic

#1 42pumpers

42pumpers

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:59 AM

Posted 12 January 2015 - 02:49 PM

I have an infected machine and am seeking step-by-step help if possible.  I've reviewed a number of threads for similar infections and they all seem incident-specific, so thought a new thread was the best approach.  Symptoms were extremely slow Internet response, I discovered a repetitive svchost instance pegging CPU use at 100%.  Persisted across reboots.  Have Glary Utilities and CC Cleaner and accepted fixes prior to the DDS log below.  Access to AVG is "prevented by a software restriction policy."

 

Any help appreciated!  Thanks!

 

DDS.txt

=====================

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by ttaylor at 14:33:25 on 2015-01-12
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1061 [GMT -5:00]
.
AV: AVG update module *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG_UI] "c:\program files\avg\avg2015\avgui.exe" /TRAYONLY
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [{9d21b418-cc27-32bd-8aba-6066373dbc3b}] "c:\documents and settings\all users\application data\microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}\{9d21b418-cc27-32bd-8aba-6066373dbc3b}.exe"
mExplorerRun: [{9d21b418-cc27-32bd-8aba-6066373dbc3b}] "c:\documents and settings\all users\application data\microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}\{9d21b418-cc27-32bd-8aba-6066373dbc3b}.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235146434447
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235146535754
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.6067592593
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 172.20.210.101 208.67.220.220
TCP: Interfaces\{ABCB7551-1866-4CB9-992A-B661166DCDF3} : DHCPNameServer = 172.20.210.101 208.67.220.220
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\39.0.2171.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ttaylor.tmlnew\application data\mozilla\firefox\profiles\o8o3yjli.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1212152.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 154904]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 230680]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 98584]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 27416]
R0 BootDefragDriver;BootDefragDriver;c:\windows\system32\drivers\BootDefragDriver.sys [2013-11-7 13056]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2014-6-18 121624]
R1 AVGIDSDriverl;AVGIDSDriverl;c:\windows\system32\drivers\avgidsdriverlx.sys [2014-12-8 192792]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 21272]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 192792]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 200984]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2011-4-25 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-10-10 120088]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2015\avgidsagent.exe [2014-12-18 3432976]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2015\avgwdsvc.exe [2014-12-18 298080]
R2 NetAlrt;NetAlrt;c:\windows\system32\drivers\Netalrt.sys [2002-5-7 39680]
R2 PlatAlrt;PlatAlrt;c:\windows\system32\drivers\platalrt.sys [2002-5-7 23744]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-10-7 113728]
S4 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2002-5-8 212992]
.
=============== File Associations ===============
.
ShellExec: FRONTPG.EXE: edit=c:\progra~1\micros~2\office\FRONTPG.EXE
.
=============== Created Last 30 ================
.
2015-01-12 18:38:03 -------- d-----w- c:\documents and settings\ttaylor.tmlnew\application data\AVG2015
2015-01-12 18:30:04 -------- d-----w- c:\documents and settings\all users\application data\AVG2015
2015-01-12 18:26:52 -------- d-----w- c:\documents and settings\ttaylor.tmlnew\local settings\application data\Avg2015
.
==================== Find3M  ====================
.
2015-01-12 18:15:14 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-09 02:25:22 192792 ----a-w- c:\windows\system32\drivers\avgidsdriverlx.sys
2014-11-19 02:41:58 154904 ----a-w- c:\windows\system32\drivers\avgidshx.sys
.
============= FINISH: 14:34:47.65 ===============
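An added read-only audit, not code from the thread or from any of the tools it mentions, that enumerates the Software Restriction Policy path rules behind a "prevented by a software restriction policy" message and flags Disallowed rules that cover security-product folders, which is what FRST later reports as "HKLM Group Policy restriction on software". It assumes the standard Safer\CodeIdentifiers registry layout and is written for Windows PowerShell 2.0 or later; the vendor-name list is constructed here from the products named in the logs.

```powershell
# Added audit script (not from the thread): list Software Restriction Policy
# path rules from the machine policy hive and flag Disallowed rules that cover
# security-product folders. Run from an elevated prompt; it changes nothing.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security-level subkeys under CodeIdentifiers are named by their numeric level.
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

# Folder-name fragments to watch; constructed for this example from the
# products that appear in the thread's DDS/FRST logs.
$SecurityVendors = @('AVG', 'Symantec', 'McAfee', 'Malwarebytes', 'SUPERAntiSpyware')

function Get-SrpPathRule {
    # Returns one object per path rule, or nothing if no SRP is configured.
    if (-not (Test-Path $SaferRoot)) { return }
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot) {
        $levelNum = 0
        # Skip non-numeric subkeys; only level keys hold rules.
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$levelNum)) { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $rule.PSPath
            if (-not $props.ItemData) { continue }
            $levelName = if ($LevelNames.ContainsKey($levelNum)) { $LevelNames[$levelNum] } else { "Level$levelNum" }
            New-Object PSObject -Property @{
                RuleId      = $rule.PSChildName
                Level       = $levelName
                # ItemData may be REG_EXPAND_SZ, so expand %ProgramFiles% and friends.
                Path        = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                Description = [string]$props.Description
            }
        }
    }
}

function Test-SecurityProductRule {
    param([Parameter(Mandatory=$true)] $Rule)
    # True when a Disallowed rule's path names a known security-product folder.
    if ($Rule.Level -ne 'Disallowed') { return $false }
    foreach ($vendor in $SecurityVendors) {
        if ($Rule.Path -like "*\$vendor*") { return $true }
    }
    return $false
}

$rules = @(Get-SrpPathRule)
$defaultLevel = (Get-ItemProperty -Path $SaferRoot -ErrorAction SilentlyContinue).DefaultLevel
"Default SRP level: $defaultLevel   Path rules found: $($rules.Count)"

$suspect = @($rules | Where-Object { Test-SecurityProductRule -Rule $_ })
if ($suspect.Count -gt 0) {
    "Disallowed rules covering security-product folders (check who created them):"
    $suspect | Format-Table Level, Path, RuleId -AutoSize
} else {
    "No Disallowed SRP rules target known security-product folders."
}
```

On a machine with no SRP configured the script reports zero rules and exits quietly; a domain-managed SRP will also show up here, so compare the output against the organisation's intended policy before treating a rule as hostile.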
 

#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:01:59 PM

Posted 12 January 2015 - 06:16 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi






#4 42pumpers

42pumpers
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:05:59 AM

Posted 13 January 2015 - 08:57 AM

Georgi,

 

Thank you for helping me.  I understand your instructions and will do my best to follow them.  The FarBar results are included as instructed.  NOTE that this is after a system reboot.  The machine would not respond at all this morning.  I had an error window showing an "unknown software exception" in module explore.exe.

============================

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-01-2015 02
Ran by ttaylor (administrator) on STATION14 on 13-01-2015 08:34:38
Running from C:\Documents and Settings\ttaylor.TMLNEW\Desktop
Loaded Profiles: ttaylor & UpdatusUser (Available profiles: foutersky & mtaylor & ttaylor & tmladmin & Fran Outersky & UpdatusUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(Microsoft Corporation) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Apple Computer, Inc.) C:\Program Files\QuickTime\qttask.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IntelliType] => C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [94208 2002-03-21] (Microsoft Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [{9d21b418-cc27-32bd-8aba-6066373dbc3b}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}\{9d21b418-cc27-32bd-8aba-6066373dbc3b}.exe [269369 2015-01-13] ()
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [77824 2004-03-01] (Apple Computer, Inc.)
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2013 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [{9d21b418-cc27-32bd-8aba-6066373dbc3b}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}\{9d21b418-cc27-32bd-8aba-6066373dbc3b}.exe [269369 2015-01-13] ( ())
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5625624 2014-01-06] (SUPERAntiSpyware)
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [RSA3022797993] => C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Microsoft\Crypto\RSA\RSA3022797993.dll",DllInitialize
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [Ibttsoft] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Oddnics\njctegzttozsk.dll"
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [] => regsvr32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Effdtion\njctegzttozsk.dll"
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
Startup: C:\Documents and Settings\Foutersky\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe ()
BootExecute: autocheck autochk *  BootDefrag.exeC:\PROGRA~1\AVG\AVG2015\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://smbusiness.dellnet.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,First Home Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
Toolbar: HKU\.DEFAULT -> No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -  No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235146535754
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.6067592593
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

FireFox:
========
FF ProfilePath: C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Mozilla\Firefox\Profiles\o8o3yjli.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1212152.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_45 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\.DEFAULT: @adobe.com/Acrobat,version=5.1 -> C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll No File
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2014-06-08]

Chrome:
=======
CHR Profile: C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Google\Chrome\User Data\Default

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)
S4 ASFAgent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [212992 2002-05-08] (Intel Corporation) [File not signed]
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
S4 Iap; C:\Program Files\Dell\OpenManage\Client\Iap.exe [163840 2002-04-04] (Dell Computer Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [158128 2014-06-08] (Sun Microsystems, Inc.)
S4 NMSSvc; C:\WINDOWS\System32\NMSSvc.exe [1118208 2002-07-30] (Intel Corporation) [File not signed]
S3 COMSysApp; C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 SwPrv; C:\WINDOWS\System32\dllhost.exe /Processid:{261FF5D6-55B3-4D28-8348-7DBC93E219F0}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [17005 2002-08-14] (Adaptec) [File not signed]
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [192792 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [154904 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [192792 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [230680 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [98584 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [200984 2014-10-10] (AVG Technologies CZ, s.r.o.)
S3 basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [67167 2001-08-17] (Conexant)
R0 BootDefragDriver; C:\WINDOWS\System32\drivers\BootDefragDriver.sys [13056 2013-10-23] (<Glarysoft Ltd>)
R1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [61424 2002-12-17] (Roxio) [File not signed]
R1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [23436 2002-12-17] (Roxio) [File not signed]
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [241152 2002-12-17] (Roxio) [File not signed]
S3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [25898 2003-05-12] (Roxio) [File not signed]
R3 E1000; C:\WINDOWS\System32\DRIVERS\e1000325.sys [99840 2002-11-12] (Intel Corporation)
S3 EL90XBC; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [66591 2001-08-17] (3Com Corporation)
R2 Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [289887 2001-08-17] (Conexant)
R2 Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [115807 2001-08-17] (Conexant)
S3 hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [542879 2001-08-17] (Conexant)
S3 i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [161020 2004-08-04] (Intel® Corporation)
S3 iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [12415 2004-08-04] (Intel® Corporation)
S3 iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [12127 2004-08-04] (Intel® Corporation)
S3 iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [11775 2004-08-04] (Intel® Corporation)
S3 iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [12063 2004-08-04] (Intel® Corporation)
S3 iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [19455 2004-08-04] (Intel® Corporation)
S3 iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [29311 2004-08-04] (Intel® Corporation)
S3 iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [19551 2004-08-04] (Intel® Corporation)
S3 iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [33599 2004-08-04] (Intel® Corporation)
S3 iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [23615 2004-08-04] (Intel® Corporation)
S3 IPFilter; C:\WINDOWS\System32\DRIVERS\IPFilter.sys [11136 2002-04-11] (Microsoft Corporation)
S2 IPSECEXT; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [113728 2001-08-09] (Nortel Networks) [File not signed]
R3 IPSECSHM; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [113728 2001-08-09] (Nortel Networks) [File not signed]
R3 itchfltr; C:\WINDOWS\System32\DRIVERS\itchfltr.sys [12640 2002-11-14] (Logitech, Inc.)
R2 K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [391199 2001-08-17] (Conexant)
R3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [30630 2003-05-12] (Roxio) [File not signed]
R2 NetAlrt; C:\WINDOWS\System32\drivers\NetAlrt.sys [39680 2002-05-07] (Intel Corporation) [File not signed]
S3 NMSCFG; C:\WINDOWS\System32\drivers\NMSCFG.SYS [9868 2002-07-30] (Intel Corporation) [File not signed]
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
S1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation)
R2 PlatAlrt; C:\WINDOWS\System32\drivers\PlatAlrt.sys [23744 2002-05-07] (Intel Corporation) [File not signed]
R1 pwd_2k; C:\WINDOWS\system32\Drivers\pwd_2k.sys [143834 2003-05-12] (Roxio) [File not signed]
S3 Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [57471 2001-08-17] (Conexant)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [199711 2001-08-17] (Conexant)
R2 Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [50751 2001-08-17] (Conexant)
R1 UdfReadr_xp; C:\WINDOWS\system32\Drivers\UdfReadr_xp.sys [206464 2003-05-12] (Roxio) [File not signed]
R2 V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [488383 2001-08-17] (Conexant)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [108736 2003-01-14] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [78272 2003-01-14] (Intel Corporation)
S3 BS3022797993; \??\C:\DOCUME~1\TTAYLO~1.TML\LOCALS~1\Temp\NTFS.sys [X]
S3 bvrp_pci; No ImagePath
S3 iAimTV2; System32\DRIVERS\wATV03nt.sys [X]
S3 PalmUSBD; system32\drivers\PalmUSBD.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: Ip6FwHlp -> No Registry Path.

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 08:34 - 2015-01-13 08:38 - 00020009 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\FRST.txt
2015-01-13 08:34 - 2015-01-13 08:35 - 00000000 ____D () C:\FRST
2015-01-13 08:27 - 2015-01-13 08:27 - 01115648 _____ (Farbar) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\FRST.exe
2015-01-13 08:20 - 2015-01-13 08:20 - 00054156 ____H () C:\WINDOWS\QTFont.qfn
2015-01-13 08:20 - 2015-01-13 08:20 - 00001409 _____ () C:\WINDOWS\QTFont.for
2015-01-13 03:32 - 2015-01-13 03:32 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Effdtion
2015-01-13 03:28 - 2015-01-13 03:51 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Oddnics
2015-01-13 03:11 - 2015-01-13 03:11 - 00000664 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\d3d9caps.tmp
2015-01-12 17:44 - 2015-01-13 08:18 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}
2015-01-12 14:36 - 2015-01-12 14:36 - 00012440 _____ () C:\Documents and Settings\ttaylor.TMLNEW\My Documents\attach.txt
2015-01-12 14:36 - 2015-01-12 14:36 - 00011461 _____ () C:\Documents and Settings\ttaylor.TMLNEW\My Documents\dds.txt
2015-01-12 14:34 - 2015-01-12 14:34 - 00012440 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\attach.txt
2015-01-12 14:34 - 2015-01-12 14:34 - 00011461 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\dds.txt
2015-01-12 14:32 - 2015-01-12 14:32 - 00688992 ____R (Swearware) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\dds.com
2015-01-12 13:47 - 2015-01-12 19:10 - 00000664 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\d3d9caps.dat
2015-01-12 13:38 - 2015-01-12 13:38 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Application Data\AVG2015
2015-01-12 13:33 - 2015-01-12 13:33 - 00000702 _____ () C:\Documents and Settings\All Users\Desktop\AVG 2015.lnk
2015-01-12 13:31 - 2015-01-12 13:33 - 00007598 _____ () C:\WINDOWS\setupapi.log
2015-01-12 13:30 - 2015-01-12 13:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
2015-01-12 13:26 - 2015-01-12 13:37 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Avg2015
2015-01-12 13:26 - 2015-01-12 13:26 - 04637504 _____ (AVG Technologies) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\avg_free_stb_all_2015_5557_cnet.exe
2015-01-12 12:56 - 2015-01-12 12:56 - 00045144 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\cc_20150112_125614.reg
2015-01-07 09:30 - 2015-01-13 08:37 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 08:43 - 2009-02-13 13:00 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Temp
2015-01-13 08:19 - 2005-10-06 15:34 - 01392572 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-13 08:18 - 2014-06-04 13:52 - 00000226 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-01-13 08:18 - 2014-06-04 12:53 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-13 08:18 - 2013-11-07 11:28 - 00000324 _____ () C:\WINDOWS\Tasks\GlaryInitialize 3.job
2015-01-13 08:18 - 2003-05-15 18:40 - 00000120 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2015-01-13 08:18 - 2003-05-12 18:25 - 00001170 _____ () C:\WINDOWS\system32\WPA.DBL
2015-01-13 08:18 - 2002-09-03 13:29 - 00000159 _____ () C:\WINDOWS\WIADEBUG.LOG
2015-01-13 08:18 - 2002-09-03 13:29 - 00000049 _____ () C:\WINDOWS\WIASERVC.LOG
2015-01-13 08:17 - 2003-05-12 18:27 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-13 08:15 - 2009-02-13 13:00 - 00000278 ___SH () C:\Documents and Settings\ttaylor.TMLNEW\NTUSER.INI
2015-01-13 08:15 - 2009-02-13 13:00 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW
2015-01-13 08:15 - 2003-05-12 18:27 - 00032636 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-13 07:16 - 2014-06-04 12:53 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-13 07:05 - 2011-11-07 10:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-01-13 02:03 - 2003-05-12 18:12 - 00000000 ____D () C:\WINDOWS\SECURITY
2015-01-12 14:51 - 2011-11-07 09:30 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2015-01-12 13:40 - 2002-09-03 13:42 - 00112584 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-01-12 13:38 - 2011-11-07 10:06 - 00000000 ____D () C:\Program Files\AVG
2015-01-12 13:36 - 2014-11-19 09:06 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2015-01-12 13:36 - 2012-06-02 09:52 - 00000000 ___HD () C:\$AVG
2015-01-12 13:21 - 2003-05-12 18:27 - 00000278 ___SH () C:\Documents and Settings\Administrator\NTUSER.INI
2015-01-12 13:15 - 2014-06-04 12:03 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-12 12:33 - 2013-11-07 11:28 - 00000000 ____D () C:\Program Files\Glary Utilities 3
2015-01-12 10:01 - 2005-10-07 13:21 - 00002497 _____ () C:\Documents and Settings\All Users\Desktop\Microsoft Outlook.lnk
2015-01-12 10:01 - 2002-09-03 13:36 - 00000382 _____ () C:\WINDOWS\WIN.INI
2015-01-07 09:25 - 2003-05-12 18:11 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-12-15 10:19 - 2014-06-04 12:55 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk

Some content of TEMP:
====================
C:\Documents and Settings\Foutersky\Local Settings\Temp\Luninst.dll
C:\Documents and Settings\mhennessy\Local Settings\Temp\GLB1A2B.EXE


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================



#5 B-boy/StyLe/

Posted 14 January 2015 - 08:07 AM

Hello,

I am sorry for the delay. One of my hard disks died, so I needed some time to replace it.

You forgot to post the Addition.txt.

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Regards,

Georgi

#6 42pumpers

Posted 14 January 2015 - 09:19 AM

Thank you, Georgi. Sorry about the file - this computer runs so slowly it is difficult to work on right now. I will post addition.txt here and then proceed with your latest instructions.


#7 42pumpers

Posted 14 January 2015 - 12:09 PM

OK, Georgi, FRST has bombed out with an error. The error window reads:

Msg: explorer.exe - Application Error
-------------------------------------
The instruction at "0x3c8cc303" referenced memory at "0x0000005c". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program

I can view the Farbar Recovery Scan Tool window behind this error window. It shows the current operation as:

Deleting temporary files: C:\DOCUME~1\TTAYLO~1\LOCALS~1\TEMPOR~1\Content.IE5


I'm not going to do anything until I receive further instructions from you.

Thanks.

#8 B-boy/StyLe/

Posted 14 January 2015 - 01:38 PM

Hi,

Please try to run the fix from safe mode.

https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true

Thanks!

Regards,

Georgi

#9 42pumpers

Posted 14 January 2015 - 03:06 PM

OK. I think we got the same error, although I did not see the explorer.exe error message window so cannot be certain. I got a message that said "unfortunately FRST.EXE has encountered a problem and needs to close," with no options (other than to send a report to Microsoft, which I did not do).

There is a FIXLOG, which I'm including here.  I will await further instructions.  (By the way, Internet response is normal under SAFE Mode).

---------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-01-2015 01
Ran by ttaylor at 2015-01-14 14:36:18 Run:2
Running from C:\Documents and Settings\ttaylor.TMLNEW\Desktop
Loaded Profiles: ttaylor (Available profiles: foutersky & mtaylor & ttaylor & tmladmin & Fran Outersky & UpdatusUser & Administrator)
Boot Mode: Safe Mode (with Networking)

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKLM\...\Run: [{9d21b418-cc27-32bd-8aba-6066373dbc3b}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}\{9d21b418-cc27-32bd-8aba-6066373dbc3b}.exe [269369 2015-01-13] ()
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\AVG2013 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [{9d21b418-cc27-32bd-8aba-6066373dbc3b}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}\{9d21b418-cc27-32bd-8aba-6066373dbc3b}.exe [269369 2015-01-13] ( ())
C:\Documents and Settings\All Users\Application Data\Microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [RSA3022797993] => C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Microsoft\Crypto\RSA\RSA3022797993.dll",DllInitialize
C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Microsoft\Crypto\RSA\RSA3022797993.dll
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [Ibttsoft] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Oddnics\njctegzttozsk.dll"
C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Oddnics
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [] => regsvr32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Effdtion\njctegzttozsk.dll"
C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Effdtion
Folder: C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}
EmptyTemp:
end
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\{9d21b418-cc27-32bd-8aba-6066373dbc3b} => value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{9d21b418-cc27-32bd-8aba-6066373dbc3b} => value deleted successfully.
"C:\Documents and Settings\All Users\Application Data\Microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}" => File/Directory not found.
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\Software\Microsoft\Windows\CurrentVersion\Run\\RSA3022797993 => Value not found.
"C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Microsoft\Crypto\RSA\RSA3022797993.dll" => File/Directory not found.
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\Software\Microsoft\Windows\CurrentVersion\Run\\Ibttsoft => Value not found.
"C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Oddnics" => File/Directory not found.
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value not found.
"C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Effdtion" => File/Directory not found.

========================= Folder: C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9} ========================


====== End of Folder: ======
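
The fixlist above pairs two mechanisms: SRP path rules that block the security products' folders (the "prevented by a software restriction policy" message from the first post) and Run values that load DLLs out of the user profile through regsvr32/rundll32. The following triage script is an added example, not FRST's or the forum's code: it parses FRST-style lines for both patterns over a constructed sample modelled on this fixlist; the vendor list, the profile-directory markers and the regsvr32/rundll32 loader list are its own assumptions.

```python
"""Added triage example for FRST-style log lines (not FRST's or the forum's code).

Flags the two patterns the fixlist above targeted: Software Restriction Policy
path rules aimed at security-product directories, and Run-key autoruns that load
a module out of a user-profile directory (here via regsvr32.exe / rundll32.exe).
The vendor list and profile-directory markers are this example's assumptions."""
import re

# Constructed sample in the shape of the fixlist quoted in this thread.
SAMPLE_LOG = r"""
HKLM\...\Run: [IntelliType] => C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [94208 2002-03-21] (Microsoft Corporation)
HKLM\...\Run: [{9d21b418-cc27-32bd-8aba-6066373dbc3b}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d21b418-cc27-32bd-8aba-6066373dbc3b}\{9d21b418-cc27-32bd-8aba-6066373dbc3b}.exe [269369 2015-01-13] ()
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\SUPERAntiSpyware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [RSA3022797993] => C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Microsoft\Crypto\RSA\RSA3022797993.dll",DllInitialize
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [Ibttsoft] => C:\WINDOWS\system32\regsvr32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Oddnics\njctegzttozsk.dll"
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [] => regsvr32.exe "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Effdtion\njctegzttozsk.dll"
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5625624 2014-01-06] (SUPERAntiSpyware)
"""

# FRST marks SRP rules it considers hostile with a trailing "<====== ATTENTION".
SRP_RE = re.compile(
    r"^HKLM Group Policy restriction on software: (?P<path>.+?)(?: <=+ ATTENTION)?$")
# HKLM\...\Run, HKLM\...\Policies\Explorer\Run and HKU\<SID>\...\Run entries.
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\S-[\d-]+)\\\.\.\.\\(?P<key>(?:Policies\\Explorer\\)?Run): "
    r"\[(?P<name>[^\]]*)\] => (?P<cmd>.+)$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
TRAILER_RE = re.compile(r"\s+\[\d+ \d{4}-\d{2}-\d{2}\] \(.*\)$")  # "[size date] (publisher)"

LOADERS = ("regsvr32.exe", "rundll32.exe")  # signed system binaries abused as loaders
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")
SECURITY_DIRS = ("avg", "symantec", "mcafee", "malwarebytes", "superantispyware")


def target_path(cmd):
    """Return the module an autorun really loads: the quoted argument when a
    loader from LOADERS is used, otherwise the executable itself with FRST's
    "[size date] (publisher)" trailer stripped."""
    if any(loader in cmd.lower() for loader in LOADERS):
        quoted = re.search(r'"([^"]+)"', cmd)
        return quoted.group(1) if quoted else cmd
    return TRAILER_RE.sub("", cmd).strip()


def triage(log_text):
    """Scan FRST-style lines and return a list of finding dicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        srp = SRP_RE.match(line)
        if srp:
            path = srp.group("path")
            findings.append({
                "kind": "srp_block",
                "path": path,
                # An SRP path rule on an AV folder is what produces the
                # "prevented by a software restriction policy" symptom.
                "security_product": any(v in path.lower() for v in SECURITY_DIRS),
            })
            continue
        run = RUN_RE.match(line)
        if not run:
            continue
        cmd = run.group("cmd")
        module = target_path(cmd)
        reasons = []
        if any(loader in cmd.lower() for loader in LOADERS):
            reasons.append("regsvr32/rundll32 used as the autorun command")
        if any(marker in module.lower() for marker in PROFILE_MARKERS):
            reasons.append("module lives under a user-profile/data directory")
        if not run.group("name"):
            reasons.append("empty value name")
        if GUID_RE.search(module.lower()):
            reasons.append("GUID-named folder or executable")
        if reasons:
            findings.append({
                "kind": "suspicious_autorun",
                "hive": run.group("hive"),
                "name": run.group("name"),
                "path": module,
                "reasons": reasons,
            })
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'srp_block': 3, 'suspicious_autorun': 4}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["path"], f.get("reasons", ""))
    print(summarize(triage(SAMPLE_LOG)))
```

Entries for the legitimate IntelliType and SUPERAntiSpyware autoruns pass through unflagged, which is the point of keying on the loader, the module location and the value name rather than on the registry key alone.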
 



#10 B-boy/StyLe/

Posted 15 January 2015 - 07:30 AM

Hello,

Please boot back in Normal Mode and then delete your version of frst.exe and download the latest one from the link below:

Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that Addition.txt is ticked before you press the Scan button.
  • Press Scan button.
  • It will make two logs (FRST.txt and Addition.txt) in the same directory the tool is run. Please copy and paste them to your reply.

Regards,

Georgi

#11 42pumpers

Posted 15 January 2015 - 12:18 PM

OK, Georgi, here are the new files. Just FYI - it has taken almost an hour to be able to log in and post this here. The machine is VERY slow. Multiple instances of a process called czodlik.exe pegging CPU. When I tried to come here, using Firefox, I kept getting repetitive Google Chrome sessions. I could not access these sessions, just could see them on the taskbar.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-01-2015
Ran by ttaylor (administrator) on STATION14 on 15-01-2015 09:03:49
Running from C:\Documents and Settings\ttaylor.TMLNEW\Desktop
Loaded Profiles: ttaylor & UpdatusUser (Available profiles: foutersky & mtaylor & ttaylor & tmladmin & Fran Outersky & UpdatusUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V5.20-delta.exe
(Apple Computer, Inc.) C:\Program Files\QuickTime\qttask.exe
(Microsoft Corporation) E:\7f1780de8421bebc4a556c1394cee1bf\mrtstub.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\MRT.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\wuauclt.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IntelliType] => C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [94208 2002-03-21] (Microsoft Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [77824 2004-03-01] (Apple Computer, Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5625624 2014-01-06] (SUPERAntiSpyware)
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [FictAyoh] => regsvr32.exe "C:\Documents and Settings\All Users\Application Data\FictAyoh\CaxjArbo.led"
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
Startup: C:\Documents and Settings\Foutersky\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe ()
BootExecute: autocheck autochk *  BootDefrag.exeC:\PROGRA~1\AVG\AVG2015\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://smbusiness.dellnet.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,First Home Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
Toolbar: HKU\.DEFAULT -> No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -  No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235146535754
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.6067592593
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 172.20.210.101 208.67.220.220

FireFox:
========
FF ProfilePath: C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Mozilla\Firefox\Profiles\o8o3yjli.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1212152.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_45 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\.DEFAULT: @adobe.com/Acrobat,version=5.1 -> C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll No File
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2014-06-08]

Chrome:
=======
CHR Profile: C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Google\Chrome\User Data\Default

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)
S4 ASFAgent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [212992 2002-05-08] (Intel Corporation) [File not signed]
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
S4 Iap; C:\Program Files\Dell\OpenManage\Client\Iap.exe [163840 2002-04-04] (Dell Computer Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [158128 2014-06-08] (Sun Microsystems, Inc.)
S4 NMSSvc; C:\WINDOWS\System32\NMSSvc.exe [1118208 2002-07-30] (Intel Corporation) [File not signed]
S3 SwPrv; C:\WINDOWS\System32\dllhost.exe /Processid:{261FF5D6-55B3-4D28-8348-7DBC93E219F0}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [17005 2002-08-14] (Adaptec) [File not signed]
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [192792 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [154904 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [192792 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [230680 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [98584 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [200984 2014-10-10] (AVG Technologies CZ, s.r.o.)
S3 basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [67167 2001-08-17] (Conexant)
R0 BootDefragDriver; C:\WINDOWS\System32\drivers\BootDefragDriver.sys [13056 2013-10-23] (<Glarysoft Ltd>)
R1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [61424 2002-12-17] (Roxio) [File not signed]
R1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [23436 2002-12-17] (Roxio) [File not signed]
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [241152 2002-12-17] (Roxio) [File not signed]
S3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [25898 2003-05-12] (Roxio) [File not signed]
R3 E1000; C:\WINDOWS\System32\DRIVERS\e1000325.sys [99840 2002-11-12] (Intel Corporation)
S3 EL90XBC; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [66591 2001-08-17] (3Com Corporation)
R2 Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [289887 2001-08-17] (Conexant)
R2 Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [115807 2001-08-17] (Conexant)
S3 hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [542879 2001-08-17] (Conexant)
S3 i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [161020 2004-08-04] (Intel® Corporation)
S3 iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [12415 2004-08-04] (Intel® Corporation)
S3 iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [12127 2004-08-04] (Intel® Corporation)
S3 iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [11775 2004-08-04] (Intel® Corporation)
S3 iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [12063 2004-08-04] (Intel® Corporation)
S3 iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [19455 2004-08-04] (Intel® Corporation)
S3 iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [29311 2004-08-04] (Intel® Corporation)
S3 iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [19551 2004-08-04] (Intel® Corporation)
S3 iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [33599 2004-08-04] (Intel® Corporation)
S3 iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [23615 2004-08-04] (Intel® Corporation)
S3 IPFilter; C:\WINDOWS\System32\DRIVERS\IPFilter.sys [11136 2002-04-11] (Microsoft Corporation)
S2 IPSECEXT; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [113728 2001-08-09] (Nortel Networks) [File not signed]
R3 IPSECSHM; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [113728 2001-08-09] (Nortel Networks) [File not signed]
R3 itchfltr; C:\WINDOWS\System32\DRIVERS\itchfltr.sys [12640 2002-11-14] (Logitech, Inc.)
R2 K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [391199 2001-08-17] (Conexant)
R3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [30630 2003-05-12] (Roxio) [File not signed]
R1 MpKsl431b1999; C:\WINDOWS\system32\MpEngineStore\MpKsl431b1999.sys [39464 2015-01-15] (Microsoft Corporation)
R2 NetAlrt; C:\WINDOWS\System32\drivers\NetAlrt.sys [39680 2002-05-07] (Intel Corporation) [File not signed]
S3 NMSCFG; C:\WINDOWS\System32\drivers\NMSCFG.SYS [9868 2002-07-30] (Intel Corporation) [File not signed]
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
S1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation)
R2 PlatAlrt; C:\WINDOWS\System32\drivers\PlatAlrt.sys [23744 2002-05-07] (Intel Corporation) [File not signed]
R1 pwd_2k; C:\WINDOWS\system32\Drivers\pwd_2k.sys [143834 2003-05-12] (Roxio) [File not signed]
S3 Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [57471 2001-08-17] (Conexant)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [199711 2001-08-17] (Conexant)
R2 Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [50751 2001-08-17] (Conexant)
R1 UdfReadr_xp; C:\WINDOWS\system32\Drivers\UdfReadr_xp.sys [206464 2003-05-12] (Roxio)
R2 V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [488383 2001-08-17] (Conexant)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [108736 2003-01-14] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [78272 2003-01-14] (Intel Corporation)
S3 BS3022797993; \??\C:\DOCUME~1\TTAYLO~1.TML\LOCALS~1\Temp\NTFS.sys [X]
S3 bvrp_pci; No ImagePath
S3 iAimTV2; System32\DRIVERS\wATV03nt.sys [X]
S3 PalmUSBD; system32\drivers\PalmUSBD.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: Ip6FwHlp -> No Registry Path.

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 09:03 - 2015-01-15 09:05 - 00018371 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\FRST.txt
2015-01-15 09:01 - 2015-01-15 09:01 - 01116672 _____ (Farbar) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\FRST.exe
2015-01-15 08:55 - 2015-01-15 08:55 - 00000000 ____D () C:\WINDOWS\system32\MpEngineStore
2015-01-14 14:21 - 2015-01-14 14:21 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\FictAyoh
2015-01-13 08:34 - 2015-01-15 09:04 - 00000000 ____D () C:\FRST
2015-01-13 08:20 - 2015-01-15 08:48 - 00054156 ____H () C:\WINDOWS\QTFont.qfn
2015-01-13 08:20 - 2015-01-13 08:20 - 00001409 _____ () C:\WINDOWS\QTFont.for
2015-01-13 03:11 - 2015-01-13 03:11 - 00000664 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\d3d9caps.tmp
2015-01-12 17:44 - 2015-01-15 08:45 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}
2015-01-12 14:36 - 2015-01-12 14:36 - 00012440 _____ () C:\Documents and Settings\ttaylor.TMLNEW\My Documents\attach.txt
2015-01-12 14:36 - 2015-01-12 14:36 - 00011461 _____ () C:\Documents and Settings\ttaylor.TMLNEW\My Documents\dds.txt
2015-01-12 14:34 - 2015-01-12 14:34 - 00012440 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\attach.txt
2015-01-12 14:34 - 2015-01-12 14:34 - 00011461 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\dds.txt
2015-01-12 14:32 - 2015-01-12 14:32 - 00688992 ____R (Swearware) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\dds.com
2015-01-12 13:47 - 2015-01-12 19:10 - 00000664 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\d3d9caps.dat
2015-01-12 13:38 - 2015-01-12 13:38 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Application Data\AVG2015
2015-01-12 13:33 - 2015-01-12 13:33 - 00000702 _____ () C:\Documents and Settings\All Users\Desktop\AVG 2015.lnk
2015-01-12 13:31 - 2015-01-12 13:33 - 00007598 _____ () C:\WINDOWS\setupapi.log
2015-01-12 13:30 - 2015-01-12 13:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
2015-01-12 13:26 - 2015-01-12 13:37 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Avg2015
2015-01-12 13:26 - 2015-01-12 13:26 - 04637504 _____ (AVG Technologies) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\avg_free_stb_all_2015_5557_cnet.exe
2015-01-12 12:56 - 2015-01-12 12:56 - 00045144 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\cc_20150112_125614.reg
2015-01-07 09:30 - 2015-01-14 16:01 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 09:05 - 2009-02-13 13:00 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Temp
2015-01-15 09:03 - 2005-10-06 15:34 - 01444997 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-15 08:51 - 2003-05-12 18:12 - 00000000 ____D () C:\WINDOWS\SECURITY
2015-01-15 08:49 - 2014-06-04 13:27 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-15 08:48 - 2005-10-06 18:39 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-15 08:46 - 2003-05-12 18:25 - 00001170 _____ () C:\WINDOWS\system32\WPA.DBL
2015-01-15 08:45 - 2014-06-04 13:52 - 00000226 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-01-15 08:45 - 2014-06-04 12:53 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-15 08:45 - 2013-11-07 11:28 - 00000324 _____ () C:\WINDOWS\Tasks\GlaryInitialize 3.job
2015-01-15 08:45 - 2003-05-15 18:40 - 00000120 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2015-01-15 08:45 - 2002-09-03 13:29 - 00000159 _____ () C:\WINDOWS\WIADEBUG.LOG
2015-01-15 08:45 - 2002-09-03 13:29 - 00000049 _____ () C:\WINDOWS\WIASERVC.LOG
2015-01-15 08:43 - 2003-05-12 18:27 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-15 08:42 - 2009-02-13 13:00 - 00000278 ___SH () C:\Documents and Settings\ttaylor.TMLNEW\NTUSER.INI
2015-01-14 14:11 - 2009-02-13 13:00 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW
2015-01-14 14:11 - 2003-05-12 18:27 - 00032644 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-14 13:16 - 2014-06-04 12:53 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-14 09:51 - 2010-12-27 15:05 - 00000000 ____D () C:\Documents and Settings\MTaylor.TMLNEW\Local Settings\Temp
2015-01-14 09:49 - 2011-08-05 14:15 - 00000000 ____D () C:\Documents and Settings\foutersky.TMLNEW\Local Settings\Temp
2015-01-14 09:32 - 2013-02-08 16:12 - 00000178 ___SH () C:\Documents and Settings\UpdatusUser\NTUSER.INI
2015-01-14 08:45 - 2003-05-15 18:40 - 00000000 __SHD () C:\WINDOWS\CSC
2015-01-13 07:05 - 2011-11-07 10:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-01-12 14:51 - 2011-11-07 09:30 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2015-01-12 13:40 - 2002-09-03 13:42 - 00112584 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-01-12 13:38 - 2011-11-07 10:06 - 00000000 ____D () C:\Program Files\AVG
2015-01-12 13:36 - 2014-11-19 09:06 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2015-01-12 13:36 - 2012-06-02 09:52 - 00000000 ___HD () C:\$AVG
2015-01-12 13:21 - 2003-05-12 18:27 - 00000278 ___SH () C:\Documents and Settings\Administrator\NTUSER.INI
2015-01-12 13:15 - 2014-06-04 12:03 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-12 12:33 - 2013-11-07 11:28 - 00000000 ____D () C:\Program Files\Glary Utilities 3
2015-01-12 10:01 - 2005-10-07 13:21 - 00002497 _____ () C:\Documents and Settings\All Users\Desktop\Microsoft Outlook.lnk
2015-01-12 10:01 - 2002-09-03 13:36 - 00000382 _____ () C:\WINDOWS\WIN.INI
2015-01-07 09:25 - 2003-05-12 18:11 - 00000000 ____D () C:\WINDOWS\system32\Restore

Some content of TEMP:
====================
C:\Documents and Settings\Foutersky\Local Settings\Temp\Luninst.dll
C:\Documents and Settings\mhennessy\Local Settings\Temp\GLB1A2B.EXE


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-01-2015
Ran by ttaylor at 2015-01-15 09:06:58
Running from C:\Documents and Settings\ttaylor.TMLNEW\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG update module (Disabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Active@ KillDisk (HKLM\...\{7A5E940E-017E-47F8-9D0D-62D49C8D18ED}) (Version: 7.0.4 - LSoft Technologies)
Adobe Acrobat 6.0.1 Standard (HKLM\...\{AC76BA86-1033-0000-BA7E-000000000001}) (Version: 006.000.001 - Adobe Systems)
Adobe Download Manager (Remove Only) (HKLM\...\AdobeESD) (Version:  - )
Adobe Flash Player 13 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.2.152 - Adobe Systems, Inc.)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5645 - AVG Technologies)
AVG 2015 (Version: 15.0.4260 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5645 - AVG Technologies) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 4.04 - Piriform)
Citrix online plug-in - web (HKLM\...\CitrixOnlinePluginPackWeb) (Version: 12.1.44.1 - Citrix Systems, Inc.)
Conexant HSF V92 56K Data Fax PCI Modem (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2013&SUBSYS_021213E0) (Version:  - )
Dell Solution Center (HKLM\...\{11F1920A-56A2-4642-B6E0-3B31A12C9288}) (Version: 1.00.0000 - Dell)
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.04.000 - BVRP Software, Inc)
Easy CD Creator 5 Basic (HKLM\...\{609F7AC8-C510-11D4-A788-009027ABA5D0}) (Version: 5.3.4.21 - Roxio Inc)
Extra EPC 6.4 (Local - Laptop) (HKLM\...\Extra EPC 6.4 (Local - Laptop)) (Version:  - )
Glary Utilities 3.9.4 (HKLM\...\Glary Utilities 3) (Version: 3.9.4.144 - Glarysoft Ltd)
Google Chrome (HKLM\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Help and Support Customization (Version: 1.00.0000 - Dell) Hidden
hp deskjet 5100 series (HKLM\...\hp deskjet 5100 series_Driver) (Version:  - )
hp print screen utility (HKLM\...\hp print screen utility) (Version:  - )
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
Intel® PRO Ethernet Adapter and Software (HKLM\...\PROSet) (Version:  - )
Intel® PROSet II (HKLM\...\{01A4AEDE-F219-49A2-B855-16A016EAF9A4}) (Version: 2.01.0021 - Intel)
Intel® Pro Alerting Agent, Version 3.0.0 (HKLM\...\{6797B492-3814-4129-AD07-C727D23FB5BF}) (Version: 3.0.0 - Intel® Corporation)
Intel® PRO Network Adapters WMI Provider (2.0) (HKLM\...\{4C701994-43D2-4B7B-A548-C6E6C224D9A9}) (Version:  - )
Java™ 6 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216045FF}) (Version: 6.0.450 - Oracle)
Logitech Desktop Messenger (HKLM\...\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}) (Version:  - )
Logitech iTouch Software (HKLM\...\{036AA4D4-6D32-11D4-9875-00105ACE7734}) (Version:  - )
Logitech Resource Center (HKLM\...\Logitech Resource Center) (Version:  - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft Office 2000 Premium (HKLM\...\{00000409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Modem Helper (HKLM\...\{7F142D56-3326-11D5-B229-002078017FBF}) (Version:  - )
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)
MultipleIEs (HKLM\...\MultipleIEs_is1) (Version:  - )
NetWaiting (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 2.07.100 - BVRP Software, Inc)
Nortel Networks Contivity VPN Client (HKLM\...\{EF964A78-078C-11D1-B7A7-0000C0134CE6}) (Version:  - )
NVIDIA nView 136.53 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 136.53 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
OMCI (HKLM\...\{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}) (Version: 7.00.0316 - Dell Computer Corporation)
QuickTime (HKLM\...\QuickTime) (Version:  - )
Shockwave (HKLM\...\Shockwave) (Version:  - )
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1018 - SUPERAntiSpyware.com)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinZip (HKLM\...\WinZip) (Version:  9.0  (6028) - WinZip Computing, Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1093456198-2636295700-2182331995-1121_Classes\CLSID\{CBCC9F47-FF62-4AFF-91FD-8810DFE4C4B1}\InprocServer32 -> C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}\NativeHooks.dll (Microsoft Corporation)

==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2002-08-29 05:00 - 2011-11-07 19:21 - 00438069 ____R C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GlaryInitialize 3.job => C:\Program Files\Glary Utilities 3\Initialize.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2013-02-08 16:11 - 2013-01-03 06:43 - 00357224 _____ () C:\Program Files\NVIDIA Corporation\nview\nvshell.dll
2002-04-04 12:56 - 2002-04-04 12:56 - 00122880 _____ () C:\Program Files\Dell\OpenManage\Client\IndiProv.dll
2003-05-13 12:28 - 2013-01-02 01:49 - 01292288 _____ () C:\WINDOWS\System32\quartz.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk => C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk => C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk => C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2001 Delivery Agent.lnk => C:\WINDOWS\pss\QuickBooks 2001 Delivery Agent.lnkCommon Startup
MSCONFIG\startupreg: AdaptecDirectCD => "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
MSCONFIG\startupreg: DeviceDiscovery => C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
MSCONFIG\startupreg: HotKeysCmds => C:\WINDOWS\System32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\WINDOWS\System32\igfxtray.exe
MSCONFIG\startupreg: Logitech Utility => Logi_MwX.Exe
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: zBrowser Launcher => C:\Program Files\Logitech\iTouch\iTouch.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-297852753-3701901453-2039432856-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Fran Outersky (S-1-5-21-297852753-3701901453-2039432856-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Fran Outersky
Guest (S-1-5-21-297852753-3701901453-2039432856-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-297852753-3701901453-2039432856-1004 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-297852753-3701901453-2039432856-1002 - Limited - Disabled)
SUPPORT_3f151ab9 (S-1-5-21-297852753-3701901453-2039432856-1003 - Limited - Disabled)
UpdatusUser (S-1-5-21-297852753-3701901453-2039432856-1006 - Limited - Enabled) => %SystemDrive%\Documents and Settings\UpdatusUser

==================== Faulty Device Manager Devices =============

Name: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Description: Intel® 82845G/GL/GE/PE/GV Graphics Controller
Class Guid: {4D36E968-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel Corporation
Service: ialm
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/14/2015 02:50:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 14.1.2015.1, faulting module frst.exe, version 14.1.2015.1, fault address 0x0001f3de.
Processing media-specific event for [frst.exe!ws!]

Error: (01/14/2015 09:57:10 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 12.1.2015.0, faulting module frst.exe, version 12.1.2015.0, fault address 0x0001f400.
Processing media-specific event for [frst.exe!ws!]

Error: (01/14/2015 08:48:07 AM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

Error: (01/14/2015 08:48:07 AM) (Source: Userenv) (EventID: 1054) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (01/14/2015 08:48:04 AM) (Source: Userenv) (EventID: 1054) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (01/13/2015 08:36:11 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (01/13/2015 08:36:11 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (01/13/2015 08:14:41 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 34.0.5.5443, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/13/2015 08:12:56 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 34.0.5.5443, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/12/2015 05:00:48 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.


System errors:
=============
Error: (01/14/2015 00:49:08 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:13 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:13 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:11 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:11 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:08 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:08 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:08 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:08 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}

Error: (01/14/2015 00:48:08 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service Iap with arguments "-Service"
in order to run the server:
{B0C61A79-0870-4BE4-9153-9CCAF422E31F}


Microsoft Office Sessions:
=========================
Error: (01/14/2015 02:50:05 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe14.1.2015.1frst.exe14.1.2015.10001f3de

Error: (01/14/2015 09:57:10 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe12.1.2015.0frst.exe12.1.2015.00001f400

Error: (01/14/2015 08:48:07 AM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (01/14/2015 08:48:07 AM) (Source: Userenv) (EventID: 1054) (User: NT AUTHORITY)
Description: The specified domain either does not exist or could not be contacted.

Error: (01/14/2015 08:48:04 AM) (Source: Userenv) (EventID: 1054) (User: NT AUTHORITY)
Description: The specified domain either does not exist or could not be contacted.

Error: (01/13/2015 08:36:11 AM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (01/13/2015 08:36:11 AM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (01/13/2015 08:14:41 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe34.0.5.5443hungapp0.0.0.000000000

Error: (01/13/2015 08:12:56 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe34.0.5.5443hungapp0.0.0.000000000

Error: (01/12/2015 05:00:48 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: The RPC server is unavailable.


==================== Memory info ===========================

Processor:  Intel® Pentium® 4 CPU 2.40GHz
Percentage of memory in use: 49%
Total physical RAM: 2045.89 MB
Available physical RAM: 1028 MB
Total Pagefile: 2280.1 MB
Available Pagefile: 1086.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1921.5 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:18.61 GB) (Free:3.32 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: (Local Disk) (Fixed) (Total:18.64 GB) (Free:18.55 GB) NTFS
Drive m: () (Network) (Total:204.72 GB) (Free:54.25 GB)
Drive s: () (Network) (Total:204.72 GB) (Free:54.25 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 18.6 GB) (Disk ID: 9DC96E9E)
Partition 1: (Not Active) - (Size=31 MB) - (Type=DE)
Partition 2: (Active) - (Size=18.6 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 18.6 GB) (Disk ID: 511C053B)
Partition 1: (Active) - (Size=18.6 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#12 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 15 January 2015 - 12:45 PM

Hi,

I think that we are on the right track.

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi


#13 42pumpers (Topic Starter)

Posted 15 January 2015 - 02:07 PM

It's encouraging to hear you think we are on the right track!  At least FRST executed properly this time - 33 minutes, ended with a msg that computer w/b restarted to complete the fix.  Upon reboot, I got a "fix completed" msg.  I have seen none of this before.

Whatever the bug is, it is still here and spawning however.  Up to 20 or so czodtlik.exe processes.

I will await your next instruction.

--------------------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 15-01-2015
Ran by ttaylor at 2015-01-15 13:12:03 Run:3
Running from C:\Documents and Settings\ttaylor.TMLNEW\Desktop
Loaded Profiles: ttaylor & UpdatusUser (Available profiles: foutersky & mtaylor & ttaylor & tmladmin & Fran Outersky & UpdatusUser & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [FictAyoh] => regsvr32.exe "C:\Documents and Settings\All Users\Application Data\FictAyoh\CaxjArbo.led"
C:\Documents and Settings\All Users\Application Data\FictAyoh
C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}
CustomCLSID: HKU\S-1-5-21-1093456198-2636295700-2182331995-1121_Classes\CLSID\{CBCC9F47-FF62-4AFF-91FD-8810DFE4C4B1}\InprocServer32 -> C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}\NativeHooks.dll (Microsoft Corporation)
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
emptytemp:
end
*****************

Processes closed successfully.
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\Software\Microsoft\Windows\CurrentVersion\Run\\FictAyoh => value deleted successfully.
C:\Documents and Settings\All Users\Application Data\FictAyoh => Moved successfully.

"C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}" directory move:

Could not move "C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}" directory. => Scheduled to move on reboot.

"HKU\S-1-5-21-1093456198-2636295700-2182331995-1121_Classes\CLSID\{CBCC9F47-FF62-4AFF-91FD-8810DFE4C4B1}" => Key deleted successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => Moved successfully.
C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => Moved successfully.
EmptyTemp: => Removed 834.3 MB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-01-15 13:47:51)<=

C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9} => Is moved successfully.

==== End of Fixlog 13:47:51 ====
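The fixlist above removes three persistence mechanisms that recur in this thread's FRST logs: a per-user Run value that loads a renamed DLL (CaxjArbo.led) through regsvr32.exe, a per-user CustomCLSID InprocServer32 override pointing into All Users\Application Data, and executables launched from the user's Local Settings\Application Data tree (the czodtlik.exe instances and the regsvr32 /s ...\MFAData\znhmogcjakp.dll value that the follow-up scan still shows). The Python script below is an added example, not FRST code and not part of the helper's instructions: it reads FRST log lines and flags those patterns. Its heuristics are assumptions for an XP layout (everything under C:\Documents and Settings is treated as user-writable; a regsvr32 Run value is expected to point at a .dll under Program Files or Windows), and the sample lines are copied from the logs in this thread, with two benign entries from the same logs included for contrast.

```python
r"""Flag the persistence patterns from this thread in FRST log lines.

Added example for the thread, not FRST's own code.  Heuristics (assumptions):
  * Windows XP layout: everything under C:\Documents and Settings is treated as
    user-writable, including All Users\Application Data (ProgramData on Vista+).
  * A Run value that calls regsvr32.exe should point at a .dll under
    Program Files or Windows; anything else is worth a look.
"""
import re

PROFILE_ROOT = r"c:\documents and settings"

RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.*)$")
CLSID_RE = re.compile(r"^CustomCLSID: (?P<key>\S+) -> (?P<rest>.*)$")
PROC_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
# First drive-letter path ending in a 2-4 character extension, cut at a quote, blank or '['.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.[A-Za-z0-9]{2,4}(?=["\s\[]|$)')
REGSVR_RE = re.compile(r"\bregsvr32(?:\.exe)?\b", re.I)

# Sample input: lines copied from the FRST logs posted in this thread (two
# benign entries from the same logs are included for contrast).
SAMPLE_LINES = [
    r"HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)",
    r"HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5625624 2014-01-06] (SUPERAntiSpyware)",
    r'HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [znhmogcjakp] => regsvr32.exe /s "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\MFAData\znhmogcjakp.dll"',
    r'HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [FictAyoh] => regsvr32.exe "C:\Documents and Settings\All Users\Application Data\FictAyoh\CaxjArbo.led"',
    r"CustomCLSID: HKU\S-1-5-21-1093456198-2636295700-2182331995-1121_Classes\CLSID\{CBCC9F47-FF62-4AFF-91FD-8810DFE4C4B1}\InprocServer32 -> C:\Documents and Settings\All Users\Application Data\{C7C147DC-580B-4A9C-8F1A-B8FB46972AE9}\NativeHooks.dll (Microsoft Corporation)",
    r"(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe",
    r"(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe",
]


def first_path(text):
    """Return the first Windows file path in text, or None."""
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def in_profile_tree(path):
    """True if the file lives under a profile directory (user-writable on XP)."""
    return path.lower().startswith(PROFILE_ROOT)


def triage_line(line):
    """Return a list of (tag, detail) findings for one FRST log line."""
    findings = []
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        target = first_path(cmd)
        if target is None:
            return findings
        if REGSVR_RE.search(cmd):
            # Legitimate software registers its COM servers once at install time;
            # re-running regsvr32 at every logon is an autostart trick.
            if in_profile_tree(target):
                findings.append(("regsvr32-user-writable-path", target))
            if not target.lower().endswith(".dll"):
                # CaxjArbo.led: a DLL under a made-up extension, which also
                # sidesteps path rules written for *.dll
                findings.append(("regsvr32-non-dll-extension", target))
        elif in_profile_tree(target):
            findings.append(("run-user-writable-path", target))
        return findings
    m = CLSID_RE.match(line)
    if m:
        # HKCU\Software\Classes is consulted before HKLM\Software\Classes, so a
        # per-user InprocServer32 hijacks that CLSID in every process the user runs.
        target = first_path(m.group("rest"))
        if target and in_profile_tree(target):
            findings.append(("clsid-inproc-user-writable-path", target))
        return findings
    m = PROC_RE.match(line)
    if m and in_profile_tree(m.group("path")):
        # FRST prints the PE's claimed company name; "Google Inc." under a
        # random Mozilla\... folder is a claim, not a signature check.
        findings.append(("process-in-user-profile",
                         "%s (claims publisher %r)" % (m.group("path"), m.group("publisher"))))
    return findings


def triage_lines(lines):
    """Return {line_index: findings} for every line that produced a finding."""
    result = {}
    for idx, line in enumerate(lines):
        findings = triage_line(line.rstrip("\r\n"))
        if findings:
            result[idx] = findings
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LINES
    for idx, findings in sorted(triage_lines(lines).items()):
        for tag, detail in findings:
            print("line %d: %s: %s" % (idx + 1, tag, detail))
```

Run it with no argument to see the findings on the sample lines, or pass the saved FRST.txt as the first argument. Everything it flags is a candidate for the fixlist, not a verdict: check each path (and the file's actual type, regardless of extension) before adding the entry, and keep the process lines in the scan as the helper asks, since the image path is what the next fix needs.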



#14 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team)

Posted 15 January 2015 - 02:59 PM

Hi,

Please reboot the computer and run a new scan with FRST and then post the results.

Please don't manually close the malicious processes. I want to see their location to be able to deal with them.

Thanks!

Regards,

Georgi


#15 42pumpers (Topic Starter)

Posted 15 January 2015 - 03:45 PM

Thanks for sticking with this, Georgi.  Here you go.  Just so you know, I had a hard stop blue screen error referencing the same memory address - 0x0000005c - on first reboot.  Instructions said reboot again, which I did via power button.  Then I proceeded with scan.

-------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-01-2015
Ran by ttaylor (administrator) on STATION14 on 15-01-2015 15:31:00
Running from C:\Documents and Settings\ttaylor.TMLNEW\Desktop
Loaded Profiles: ttaylor & UpdatusUser (Available profiles: foutersky & mtaylor & ttaylor & tmladmin & Fran Outersky & UpdatusUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Apple Computer, Inc.) C:\Program Files\QuickTime\qttask.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Intuit, Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBLaunch.exe
(Microsoft Corporation) C:\WINDOWS\SYSTEM32\regsvr32.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe
(Google Inc.) C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Xoqlryl\czodtlik.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IntelliType] => C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [94208 2002-03-21] (Microsoft Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [77824 2004-03-01] (Apple Computer, Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5625624 2014-01-06] (SUPERAntiSpyware)
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [znhmogcjakp] => regsvr32.exe /s "C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\MFAData\znhmogcjakp.dll"
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\...\Run: [FictAyoh] => regsvr32.exe "C:\Documents and Settings\All Users\Application Data\FictAyoh\CaxjArbo.led"
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
Startup: C:\Documents and Settings\Foutersky\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe ()
BootExecute: autocheck autochk *  BootDefrag.exeC:\PROGRA~1\AVG\AVG2015\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,First Home Page = http://smbusiness.dellnet.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-1093456198-2636295700-2182331995-1121\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,First Home Page = http://smbusiness.dellnet.com/
HKU\S-1-5-21-297852753-3701901453-2039432856-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: AcroIEToolbarHelper Class -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
Toolbar: HKU\.DEFAULT -> No Name - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -  No File
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235146535754
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.6067592593
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

FireFox:
========
FF ProfilePath: C:\Documents and Settings\ttaylor.TMLNEW\Application Data\Mozilla\Firefox\Profiles\o8o3yjli.default
FF Homepage: hxxp://www.google.com/
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1212152.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=1.6.0_45 -> C:\WINDOWS\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\.DEFAULT: @adobe.com/Acrobat,version=5.1 -> C:\Program Files\Adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll No File
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2014-06-08]

Chrome:
=======
CHR Profile: C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-15]
CHR Extension: (Google Wallet) - C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-15]
CHR Extension: (example) - C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Raajwrn [2015-01-15]
CHR Extension: (example) - C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla\wzrhliyrnxq\Rkoxbzksqvpo [2015-01-15]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [120088 2013-10-10] (SUPERAntiSpyware.com)
S4 ASFAgent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [212992 2002-05-08] (Intel Corporation) [File not signed]
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
S4 Iap; C:\Program Files\Dell\OpenManage\Client\Iap.exe [163840 2002-04-04] (Dell Computer Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [158128 2014-06-08] (Sun Microsystems, Inc.)
S4 NMSSvc; C:\WINDOWS\System32\NMSSvc.exe [1118208 2002-07-30] (Intel Corporation) [File not signed]
S3 SwPrv; C:\WINDOWS\System32\dllhost.exe /Processid:{261FF5D6-55B3-4D28-8348-7DBC93E219F0}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 Aspi32; C:\WINDOWS\system32\Drivers\Aspi32.sys [17005 2002-08-14] (Adaptec) [File not signed]
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [192792 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [154904 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [192792 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [230680 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [98584 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [200984 2014-10-10] (AVG Technologies CZ, s.r.o.)
S3 basic2; C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys [67167 2001-08-17] (Conexant)
R0 BootDefragDriver; C:\WINDOWS\System32\drivers\BootDefragDriver.sys [13056 2013-10-23] (<Glarysoft Ltd>)
R1 Cdr4_xp; C:\WINDOWS\system32\Drivers\Cdr4_xp.sys [61424 2002-12-17] (Roxio) [File not signed]
R1 Cdralw2k; C:\WINDOWS\system32\Drivers\Cdralw2k.sys [23436 2002-12-17] (Roxio) [File not signed]
R1 cdudf_xp; C:\WINDOWS\system32\Drivers\cdudf_xp.sys [241152 2002-12-17] (Roxio) [File not signed]
S3 dvd_2K; C:\WINDOWS\system32\Drivers\dvd_2K.sys [25898 2003-05-12] (Roxio) [File not signed]
R3 E1000; C:\WINDOWS\System32\DRIVERS\e1000325.sys [99840 2002-11-12] (Intel Corporation)
S3 EL90XBC; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [66591 2001-08-17] (3Com Corporation)
R2 Fallback; C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys [289887 2001-08-17] (Conexant)
R2 Fsks; C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys [115807 2001-08-17] (Conexant)
S3 hsf_msft; C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys [542879 2001-08-17] (Conexant)
S3 i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [161020 2004-08-04] (Intel® Corporation)
S3 iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [12415 2004-08-04] (Intel® Corporation)
S3 iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [12127 2004-08-04] (Intel® Corporation)
S3 iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [11775 2004-08-04] (Intel® Corporation)
S3 iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [12063 2004-08-04] (Intel® Corporation)
S3 iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [19455 2004-08-04] (Intel® Corporation)
S3 iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [29311 2004-08-04] (Intel® Corporation)
S3 iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [19551 2004-08-04] (Intel® Corporation)
S3 iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [33599 2004-08-04] (Intel® Corporation)
S3 iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [23615 2004-08-04] (Intel® Corporation)
S3 IPFilter; C:\WINDOWS\System32\DRIVERS\IPFilter.sys [11136 2002-04-11] (Microsoft Corporation)
S2 IPSECEXT; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [113728 2001-08-09] (Nortel Networks) [File not signed]
R3 IPSECSHM; C:\WINDOWS\System32\DRIVERS\ipsecw2k.sys [113728 2001-08-09] (Nortel Networks) [File not signed]
R3 itchfltr; C:\WINDOWS\System32\DRIVERS\itchfltr.sys [12640 2002-11-14] (Logitech, Inc.)
R2 K56; C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys [391199 2001-08-17] (Conexant)
R3 mmc_2K; C:\WINDOWS\system32\Drivers\mmc_2K.sys [30630 2003-05-12] (Roxio) [File not signed]
R2 NetAlrt; C:\WINDOWS\System32\drivers\NetAlrt.sys [39680 2002-05-07] (Intel Corporation) [File not signed]
S3 NMSCFG; C:\WINDOWS\System32\drivers\NMSCFG.SYS [9868 2002-07-30] (Intel Corporation) [File not signed]
R1 omci; C:\WINDOWS\System32\DRIVERS\omci.sys [17217 2002-11-08] (Dell Computer Corporation) [File not signed]
S1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation)
R2 PlatAlrt; C:\WINDOWS\System32\drivers\PlatAlrt.sys [23744 2002-05-07] (Intel Corporation) [File not signed]
R1 pwd_2k; C:\WINDOWS\system32\Drivers\pwd_2k.sys [143834 2003-05-12] (Roxio) [File not signed]
S3 Rksample; C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys [57471 2001-08-17] (Conexant)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R2 SoftFax; C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys [199711 2001-08-17] (Conexant)
R2 Tones; C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys [50751 2001-08-17] (Conexant)
R1 UdfReadr_xp; C:\WINDOWS\system32\Drivers\UdfReadr_xp.sys [206464 2003-05-12] (Roxio)
R2 V124; C:\WINDOWS\System32\DRIVERS\HSF_V124.sys [488383 2001-08-17] (Conexant)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [108736 2003-01-14] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [78272 2003-01-14] (Intel Corporation)
S3 BS3022797993; \??\C:\DOCUME~1\TTAYLO~1.TML\LOCALS~1\Temp\NTFS.sys [X]
S3 bvrp_pci; No ImagePath
S3 iAimTV2; System32\DRIVERS\wATV03nt.sys [X]
S3 PalmUSBD; system32\drivers\PalmUSBD.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: Ip6FwHlp -> No Registry Path.

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 15:20 - 2015-01-15 15:20 - 00090112 _____ () C:\WINDOWS\Minidump\Mini011515-01.dmp
2015-01-15 13:12 - 2015-01-15 13:12 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\FictAyoh
2015-01-15 09:06 - 2015-01-15 09:07 - 00021395 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\Addition.txt
2015-01-15 09:03 - 2015-01-15 15:32 - 00020235 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\FRST.txt
2015-01-15 09:01 - 2015-01-15 09:01 - 01116672 _____ (Farbar) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\FRST.exe
2015-01-13 08:34 - 2015-01-15 15:31 - 00000000 ____D () C:\FRST
2015-01-13 08:20 - 2015-01-15 15:23 - 00054156 ____H () C:\WINDOWS\QTFont.qfn
2015-01-13 08:20 - 2015-01-15 15:23 - 00001409 _____ () C:\WINDOWS\QTFont.for
2015-01-13 03:11 - 2015-01-13 03:11 - 00000664 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\d3d9caps.tmp
2015-01-12 14:36 - 2015-01-12 14:36 - 00012440 _____ () C:\Documents and Settings\ttaylor.TMLNEW\My Documents\attach.txt
2015-01-12 14:36 - 2015-01-12 14:36 - 00011461 _____ () C:\Documents and Settings\ttaylor.TMLNEW\My Documents\dds.txt
2015-01-12 14:34 - 2015-01-12 14:34 - 00012440 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\attach.txt
2015-01-12 14:34 - 2015-01-12 14:34 - 00011461 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\dds.txt
2015-01-12 14:32 - 2015-01-12 14:32 - 00688992 ____R (Swearware) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\dds.com
2015-01-12 13:47 - 2015-01-12 19:10 - 00000664 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\d3d9caps.dat
2015-01-12 13:38 - 2015-01-12 13:38 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Application Data\AVG2015
2015-01-12 13:33 - 2015-01-12 13:33 - 00000702 _____ () C:\Documents and Settings\All Users\Desktop\AVG 2015.lnk
2015-01-12 13:31 - 2015-01-12 13:33 - 00007598 _____ () C:\WINDOWS\setupapi.log
2015-01-12 13:30 - 2015-01-12 13:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2015
2015-01-12 13:26 - 2015-01-15 09:28 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Avg2015
2015-01-12 13:26 - 2015-01-12 13:26 - 04637504 _____ (AVG Technologies) C:\Documents and Settings\ttaylor.TMLNEW\Desktop\avg_free_stb_all_2015_5557_cnet.exe
2015-01-12 12:56 - 2015-01-12 12:56 - 00045144 _____ () C:\Documents and Settings\ttaylor.TMLNEW\Desktop\cc_20150112_125614.reg
2015-01-07 09:30 - 2015-01-14 16:01 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 15:32 - 2009-02-13 13:00 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Temp
2015-01-15 15:23 - 2005-10-06 15:34 - 01474373 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-15 15:22 - 2003-05-12 18:25 - 00001170 _____ () C:\WINDOWS\system32\WPA.DBL
2015-01-15 15:21 - 2014-06-04 12:53 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-15 15:21 - 2013-11-07 11:28 - 00000324 _____ () C:\WINDOWS\Tasks\GlaryInitialize 3.job
2015-01-15 15:21 - 2003-05-15 18:40 - 00000120 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2015-01-15 15:21 - 2002-09-03 13:29 - 00000159 _____ () C:\WINDOWS\WIADEBUG.LOG
2015-01-15 15:21 - 2002-09-03 13:29 - 00000049 _____ () C:\WINDOWS\WIASERVC.LOG
2015-01-15 15:20 - 2003-06-17 10:49 - 00000000 ____D () C:\WINDOWS\Minidump
2015-01-15 15:20 - 2003-05-15 18:40 - 00000000 __SHD () C:\WINDOWS\CSC
2015-01-15 15:20 - 2003-05-12 18:27 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-15 15:16 - 2014-06-04 12:53 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-15 15:14 - 2009-02-13 13:00 - 00000278 ___SH () C:\Documents and Settings\ttaylor.TMLNEW\NTUSER.INI
2015-01-15 15:14 - 2003-05-12 18:27 - 00032644 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-15 13:44 - 2009-02-13 13:00 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW
2015-01-15 13:41 - 2003-05-12 18:13 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-01-15 13:38 - 2003-05-15 18:44 - 00000000 ____D () C:\Documents and Settings\Administrator.TML\Local Settings\Temp
2015-01-15 13:35 - 2007-08-25 13:33 - 00000000 ____D () C:\Documents and Settings\ttaylor\Local Settings\Temp
2015-01-15 13:33 - 2006-05-10 08:06 - 00000000 ____D () C:\Documents and Settings\chubbs\Local Settings\Temp
2015-01-15 13:33 - 2005-10-07 13:20 - 00000000 ____D () C:\Documents and Settings\mtaylor.TML\Local Settings\Temp
2015-01-15 13:29 - 2004-01-21 19:04 - 00000000 ____D () C:\Documents and Settings\mhennessy\Local Settings\Temp
2015-01-15 13:24 - 2003-05-15 18:43 - 00000000 ____D () C:\Documents and Settings\Foutersky\Local Settings\Temp
2015-01-15 13:23 - 2004-08-02 14:31 - 00000000 ____D () C:\Documents and Settings\dwells\Local Settings\Temp
2015-01-15 13:22 - 2009-02-13 13:11 - 00000000 ____D () C:\Documents and Settings\administrator.TMLNEW\Local Settings\Temp
2015-01-15 13:12 - 2013-02-08 16:12 - 00000178 ___SH () C:\Documents and Settings\UpdatusUser\NTUSER.INI
2015-01-15 09:27 - 2014-06-20 12:21 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\Mozilla
2015-01-15 09:27 - 2012-12-28 13:39 - 00000000 ____D () C:\Documents and Settings\ttaylor.TMLNEW\Local Settings\Application Data\MFAData
2015-01-15 09:13 - 2014-06-04 13:27 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-15 08:51 - 2003-05-12 18:12 - 00000000 ____D () C:\WINDOWS\SECURITY
2015-01-15 08:48 - 2005-10-06 18:39 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-14 09:51 - 2010-12-27 15:05 - 00000000 ____D () C:\Documents and Settings\MTaylor.TMLNEW\Local Settings\Temp
2015-01-14 09:49 - 2011-08-05 14:15 - 00000000 ____D () C:\Documents and Settings\foutersky.TMLNEW\Local Settings\Temp
2015-01-13 07:05 - 2011-11-07 10:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2015-01-12 14:51 - 2011-11-07 09:30 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2015-01-12 13:40 - 2002-09-03 13:42 - 00112584 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-01-12 13:38 - 2011-11-07 10:06 - 00000000 ____D () C:\Program Files\AVG
2015-01-12 13:36 - 2014-11-19 09:06 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2015-01-12 13:36 - 2012-06-02 09:52 - 00000000 ___HD () C:\$AVG
2015-01-12 13:21 - 2003-05-12 18:27 - 00000278 ___SH () C:\Documents and Settings\Administrator\NTUSER.INI
2015-01-12 13:15 - 2014-06-04 12:03 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-12 12:33 - 2013-11-07 11:28 - 00000000 ____D () C:\Program Files\Glary Utilities 3
2015-01-12 10:01 - 2005-10-07 13:21 - 00002497 _____ () C:\Documents and Settings\All Users\Desktop\Microsoft Outlook.lnk
2015-01-12 10:01 - 2002-09-03 13:36 - 00000382 _____ () C:\WINDOWS\WIN.INI
2015-01-07 09:25 - 2003-05-12 18:11 - 00000000 ____D () C:\WINDOWS\system32\Restore

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================
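Worked example, added here and not part of the post or of the FRST tool: a parser for the entry lines in the "One Month Modified Files and Folders" section above, followed by a small triage pass. The column layout (modified, created, size, five-character attribute column, publisher in parentheses, path) and the reading of the attribute letters as Windows attribute initials (D directory, H hidden, S system) are assumptions taken from the lines on this page. The sample input reuses six lines from the log; the last line, sample_unknown.exe, is a constructed placeholder that is not in the log and exists only to exercise the publisher rule.

```python
"""Parse FRST 'One Month Modified Files and Folders' lines and triage them.

Added example, not FRST's own code. Layout assumed from the log on this page:
    <modified> - <created> - <size> <flags> (<publisher>) <path>
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Sizes run to 9 digits in this log (MRT.exe), so the width is not fixed at 8.
ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<flags>[_A-Z]{5}) \((?P<publisher>[^)]*)\) (?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")


@dataclass
class Entry:
    modified: datetime
    created: datetime
    size: int
    flags: frozenset   # attribute initials present, e.g. {"S", "H", "D"} (assumed meaning)
    publisher: str     # empty when FRST printed "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.flags

    @property
    def hidden_system(self) -> bool:
        return {"H", "S"} <= self.flags

    @property
    def is_executable(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(EXEC_SUFFIXES)


def parse_line(line: str):
    """Return an Entry for one FRST entry line, or None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        modified=datetime.strptime(m["modified"], TS),
        created=datetime.strptime(m["created"], TS),
        size=int(m["size"]),
        flags=frozenset(c for c in m["flags"] if c != "_"),
        publisher=m["publisher"].strip(),
        path=m["path"],
    )


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries):
    """Triage heuristics (mine, not FRST's): return (entry, reason) pairs worth a closer look."""
    findings = []
    for e in entries:
        if e.is_executable and not e.publisher and "\\windows\\" in e.path.lower():
            findings.append((e, "executable under the Windows tree with no publisher string"))
        elif e.hidden_system and not e.is_dir:
            findings.append((e, "file carries hidden+system attributes"))
    return findings


# Sample input: a header plus six lines from the log above; the final line
# (sample_unknown.exe) is CONSTRUCTED and does not appear in the log.
SAMPLE = r"""
==================== One Month Modified Files and Folders =======
2015-01-15 15:22 - 2003-05-12 18:25 - 00001170 _____ () C:\WINDOWS\system32\WPA.DBL
2015-01-15 15:20 - 2003-05-15 18:40 - 00000000 __SHD () C:\WINDOWS\CSC
2015-01-15 15:14 - 2009-02-13 13:00 - 00000278 ___SH () C:\Documents and Settings\ttaylor.TMLNEW\NTUSER.INI
2015-01-15 08:48 - 2005-10-06 18:39 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-12 13:15 - 2014-06-04 12:03 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-12 13:36 - 2012-06-02 09:52 - 00000000 ___HD () C:\$AVG
2015-01-13 07:05 - 2015-01-13 07:05 - 00098304 ___SH () C:\WINDOWS\system32\sample_unknown.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE)):
        print(f"{entry.path}: {reason}")
```

The triage rules only narrow what you look at; they do not classify. NTUSER.INI is flagged because it carries hidden+system attributes, and that is its normal state, while C:\WINDOWS\CSC and C:\$AVG are skipped because they are directories or lack the system bit. For any executable the parser surfaces, the decisive check is the Authenticode signature, which is what the "Bamital & volsnap Check" section above reports for the core system binaries.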