infection disabled malware, system restore, windows firewall, other settings


  • This topic is locked
20 replies to this topic

#1 Lost in NY

  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC

Posted 17 January 2015 - 07:03 AM

Please see my original post in the 'am I infected' forum for further detail, where I describe some settings that the infection disabled and posted the MBAM and SEP logs.

 

Here are my logs from running step 6 onwards, per quietman7's instructions in the original post thread:

 

attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/6/2012 6:38:42 PM
System Uptime: 1/17/2015 6:33:45 AM (0 hours ago)
.
Motherboard: Hewleet-Packard                                                  |  | Asterope2
Processor:              Intel® Pentium® D  CPU 2.66GHz | CPU 1 | 2666/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 141 GiB total, 105.098 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is FIXED (FAT32) - 8 GiB total, 0.374 GiB free.
I: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A3D103C&REV_81\3&267A616A&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A3D103C&REV_81\3&267A616A&0&A0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&B4B0D3&0&10A4
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&B4B0D3&0&10A4
Service:
.
==== System Restore Points ===================
.
RP1: 1/14/2015 4:07:04 AM - System Checkpoint
RP2: 1/15/2015 11:37:16 AM - System Checkpoint
RP3: 1/16/2015 12:27:46 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 16 ActiveX
Adobe Reader XI (11.0.08)
American Conquest - Divided Nation
ATI Display Driver
Battlestations: Midway
Cisco WebEx Meetings
Citrix Online Launcher
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Creative Audio Console
Creative Software AutoUpdate
Definition Update for Microsoft Office 2010 (KB2910899) 32-Bit Edition
Elevated Installer
Garmin Communicator Plugin
Garmin Express
Garmin Express Tray
Garmin Update Service
GoToMeeting 6.0.0.1259
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Java 7 Update 67
Java 8 Update 25
Java Auto Updater
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028
McAfee Security Scan Plus
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Software Update for Web Folders  (English) 14
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
OverDrive Media Console
PGIII Scorched Earth
Samsung_MonSetup
ScottradeELITE 2013
Search App by Ask
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2898855v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2901110v2)
Security Update for Microsoft Excel 2010 (KB2910902) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553154) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2810073) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2863942) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2880971) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2881071) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Microsoft Word 2010 (KB2899519) 32-Bit Edition
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB2817183)
Security Update for Windows Internet Explorer 8 (KB2829530)
Security Update for Windows Internet Explorer 8 (KB2838727)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2847204)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB2870699)
Security Update for Windows Internet Explorer 8 (KB2879017)
Security Update for Windows Internet Explorer 8 (KB2888505)
Security Update for Windows Internet Explorer 8 (KB2898785)
Security Update for Windows Internet Explorer 8 (KB2909210)
Security Update for Windows Internet Explorer 8 (KB2909921)
Security Update for Windows Internet Explorer 8 (KB2925418)
Security Update for Windows Internet Explorer 8 (KB2936068)
Security Update for Windows Internet Explorer 8 (KB2964358)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2803821-v2)
Security Update for Windows Media Player (KB2803821)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2808735)
Security Update for Windows XP (KB2813170)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2829361)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2847311)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2862152)
Security Update for Windows XP (KB2862330)
Security Update for Windows XP (KB2862335)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2868626)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876315)
Security Update for Windows XP (KB2876331)
Security Update for Windows XP (KB2883150)
Security Update for Windows XP (KB2892075)
Security Update for Windows XP (KB2893294)
Security Update for Windows XP (KB2893984)
Security Update for Windows XP (KB2898715)
Security Update for Windows XP (KB2900986)
Security Update for Windows XP (KB2914368)
Security Update for Windows XP (KB2916036)
Security Update for Windows XP (KB2922229)
Security Update for Windows XP (KB2929961)
Security Update for Windows XP (KB2930275)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Shopping App by Ask
Symantec Endpoint Protection
Update 4.0.3 for Microsoft .NET Framework 4 Client Profile (KB2600211)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Excel 2010 (KB2589348) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2878281) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817396) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553140) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589386) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597089) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687275) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825635) 32-Bit Edition
Update for Microsoft Office 2010 (KB2825640) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837581) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837602) 32-Bit Edition
Update for Microsoft Office 2010 (KB2837606) 32-Bit Edition
Update for Microsoft Office 2010 (KB2883019) 32-Bit Edition
Update for Microsoft Office 2010 (KB2889818) 32-Bit Edition
Update for Microsoft Office 2010 (KB2889828) 32-Bit Edition
Update for Microsoft Office 2010 (KB2910896) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2597088) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2880517) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2880526) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2837587) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2863058)
Update for Windows XP (KB2904266)
Update for Windows XP (KB2934207)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
.
==== Event Viewer Messages From Past Week ========
.
1/15/2015 5:05:02 AM, error: DCOM [10001]  - Unable to start a DCOM Server: {84AC6BE7-8CF2-4E67-A80E-32ACD3D7C381} as /. The error: "%1260" Happened while starting this command: "C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe" -Embedding
1/15/2015 4:57:59 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'SrtETmp' on the volume 'HarddiskVolume2'.  It has stopped monitoring the volume.
1/10/2015 5:58:52 AM, error: Service Control Manager [7023]  - The Computer Browser service terminated with the following error:  The specified service does not exist as an installed service.
1/10/2015 5:58:24 AM, error: NETLOGON [3095]  - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
.
==== End Of File ===========================
 

dds.txt:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 11.25.2
Run by Telis at 6:54:15 on 2015-01-17
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1983.1222 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\Garmin\Express Tray\ExpressTray.exe
C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Staten+Island&state=NY&site=OKX&textField1=40.5866&textField2=-74.1489&e=0
uWindow Title = Internet Explorer, optimized for Bing and MSN
uURLSearchHooks: SearchHook Class: {D8278076-BC68-4484-9233-6E7F1628B56C} -
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Search App by Ask: {4F524A2D-5350-4500-76A7-7A786E7484D7} -
BHO: Shopping App by Ask: {4F524A2D-5354-2D53-5045-7A786E7484D7} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_25\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_25\bin\jp2ssv.dll
TB: Search App by Ask: {4F524A2D-5350-4500-76A7-7A786E7484D7} -
TB: Shopping App by Ask: {4F524A2D-5354-2D53-5045-7A786E7484D7} -
TB: Search App by Ask: {4F524A2D-5350-4500-76A7-7A786E7484D7} -
TB: Shopping App by Ask: {4F524A2D-5354-2D53-5045-7A786E7484D7} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [GarminExpressTrayApp] "c:\program files\garmin\express tray\ExpressTray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [CTHelper] CTHELPER.EXE
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.8.130\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1363518838265
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://arkadin.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B5E08754-632D-42F3-A803-A15670F1C64F} : DHCPNameServer = 192.168.1.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-7-14 65584]
R2 APNMCP;Ask Update Service;c:\program files\askpartnernetwork\toolbar\apnmcp.exe [2014-11-24 166296]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-9 108456]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2011-8-9 108456]
R2 Garmin Core Update Service;Garmin Core Update Service;c:\program files\garmin\core update service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-7-9 219480]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2011-8-9 1846592]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-11-25 111408]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20150105.019\NAVENG.SYS [2015-1-6 95704]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20150105.019\NAVEX15.SYS [2015-1-6 1636696]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2011-8-9 23960]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2012-4-7 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-7-30 114904]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.130\McCHSvc.exe [2013-9-6 235216]
.
=============== Created Last 30 ================
.
2015-01-15 14:32:16 -------- d-----w- C:\~ErdUserProfile.$$$
2015-01-15 10:26:17 4376752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2015-01-15 10:23:54 -------- d-----w- c:\windows\pss
2015-01-14 08:54:37 -------- d--h--w- c:\windows\system32\GroupPolicy
.
==================== Find3M  ====================
.
2015-01-15 18:33:19 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-15 10:26:22 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-01-15 10:26:22 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-21 11:14:14 54360 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14:06 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-19 09:31:16 1217192 ----a-w- c:\windows\system32\FM20.DLL
.
============= FINISH:  6:54:54.06 ===============
 

Thanks in advance for your assistance.
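As an added example for this thread (not part of the original post, and not code from the DDS or FRST tools), here is a small Python parser for the "Pseudo HJT Report" section of the DDS log above. It pulls the BHO, toolbar, search-hook and Run entries into records and flags the patterns a responder looks at first: a CLSID registered with no backing file (as with the "Search App by Ask" BHO and toolbar entries, where the path column is empty), the same toolbar registered twice, a Run command given as a bare filename (CTHELPER.EXE) so that it is resolved through the search path, and names or paths matching a watchlist. The sample lines are a constructed subset copied from the log above; the watchlist, the reason labels and the function names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of lines in the shape of the DDS "Pseudo HJT Report"
# section posted in this thread (CLSIDs and paths copied from that log). Not the full log.
SAMPLE_HJT = r"""uStart Page = hxxp://forecast.weather.gov/MapClick.php?CityName=Staten+Island
uURLSearchHooks: SearchHook Class: {D8278076-BC68-4484-9233-6E7F1628B56C} -
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Search App by Ask: {4F524A2D-5350-4500-76A7-7A786E7484D7} -
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
TB: Search App by Ask: {4F524A2D-5350-4500-76A7-7A786E7484D7} -
TB: Search App by Ask: {4F524A2D-5350-4500-76A7-7A786E7484D7} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [ApnTBMon] "c:\program files\askpartnernetwork\toolbar\updater\TBNotifier.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
"""

# Reason labels for findings (constructed for this example).
ORPHANED = "CLSID registered but no backing file"
DUPLICATE = "duplicate registration"
BARE_NAME = "Run command is a bare filename resolved via search path"
WATCHLIST = "name or path matches watchlist"

# Constructed watchlist: substrings of the toolbar family seen in the thread's log.
PUP_WATCHLIST = ("by ask", "askpartnernetwork")


@dataclass
class Entry:
    kind: str             # BHO, TB, uURLSearchHooks, SEH, uRun, mRun
    name: str
    clsid: Optional[str]  # COM class id for browser hooks, None for Run keys
    path: Optional[str]   # backing file, or None when the log shows none


# Hook lines: "<kind>: <name>: {CLSID} - <path>" (SEH uses " - " before the CLSID).
HOOK_RE = re.compile(
    r"^(?P<kind>uURLSearchHooks|BHO|TB|SEH):\s*(?P<name>.*?)\s*[:\-]\s*"
    r"(?P<clsid>\{[0-9A-Fa-f\-]+\})\s*-\s*(?P<path>.*)$"
)
# Run lines: "<uRun|mRun>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<kind>[um]Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def _executable(cmd: str) -> Optional[str]:
    """Return the program part of a Run-key command line: strip quotes and arguments."""
    cmd = cmd.strip()
    if not cmd:
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    return cmd.split(" ", 1)[0]


def parse_hjt(text: str) -> list:
    """Turn the hook and Run lines of a Pseudo HJT report into Entry records.
    Lines of other kinds (start page, policies, MIME filters) are skipped."""
    entries = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], m["clsid"], m["path"].strip() or None))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], None, _executable(m["cmd"])))
    return entries


def triage(entries) -> list:
    """Return (entry, reason) pairs for the patterns a responder checks first."""
    findings = []
    seen = set()
    for e in entries:
        key = (e.kind, e.clsid or e.name)
        if key in seen:
            findings.append((e, DUPLICATE))
        seen.add(key)
        if e.clsid is not None and e.path is None:
            findings.append((e, ORPHANED))
        if e.clsid is None and e.path is not None and "\\" not in e.path:
            findings.append((e, BARE_NAME))
        haystack = f"{e.name} {e.path or ''}".lower()
        if any(w in haystack for w in PUP_WATCHLIST):
            findings.append((e, WATCHLIST))
    return findings


def summarize(findings) -> dict:
    """Count findings per reason label."""
    counts = {}
    for _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{entry.kind:<16} {entry.name:<28} {reason}")
```

Run as a script it prints one line per finding. Because parse_hjt ignores lines it does not recognise, the whole report section can be pasted in unchanged; an orphaned CLSID is worth checking before deleting anything, since it can be a leftover of a half-removed toolbar as easily as an active component.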
#2 deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 17 January 2015 - 07:06 AM

Hi & :welcome: to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully: :exclame:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#3 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:NYC
  • Local time:05:52 AM

Posted 17 January 2015 - 07:32 AM

Thank you Juergen - one question - when I started FRST, I saw that all boxes in the Whitelist section were checked - is that ok?  I did run the scan option and here are the logs:

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-01-2015 01
Ran by Telis (administrator) on ABIGAIL on 17-01-2015 07:29:27
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CtHelper.exe
(APN) C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTSched.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Express Tray\ExpressTray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(APN LLC.) C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2011-08-09] (Symantec Corporation)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [CTHelper] => C:\WINDOWS\system32\CTHELPER.EXE [19456 2009-06-23] (Creative Technology Ltd)
HKLM\...\Run: [ApnTBMon] => C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [2039192 2014-11-24] (APN)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\InprocServer32: [Default-wbemess] wbemess.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [CreativeTaskScheduler] => C:\Program Files\Creative\Shared Files\CTSched.exe [53341 2006-11-17] (Creative Technology Ltd)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-07-09] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\MountPoints2: {b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} - J:\Setup.exe
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...0c966feabec1\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess?
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?CityName=Staten+Island&state=NY&site=OKX&textField1=40.5866&textField2=-74.1489&e=0
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 - SearchHook Class - {D8278076-BC68-4484-9233-6E7F1628B56C} - C:\Program Files\AskPartnerNetwork\Toolbar\searchhook.dll (APN LLC.)
SearchScopes: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> {174C1EF0-55C6-48BB-B8DE-4192D56FA348} URL = http://www.search.ask.com/web?tpid=ORJ-ST-SPE&o=APN11460&pf=V7&p2=%5EBE6%5EOSJ000%5EYY%5EUS&gct=sb&itbv=12.15.5.31&apn_uid=07D35DFB-ADCD-4F53-93F9-72E8F1DF4543&apn_ptnrs=BE6&apn_dtid=%5EOSJ000%5EYY%5EUS&apn_dbr=ie_8.0.6001.18702&doi=2014-08-07&trgb=IE&q={searchTerms}&psv=&pt=tb
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Search App by Ask -> {4F524A2D-5350-4500-76A7-7A786E7484D7} -> C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-SPE\Passport.dll (APN LLC.)
BHO: Shopping App by Ask -> {4F524A2D-5354-2D53-5045-7A786E7484D7} -> C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-ST-SPE\Passport.dll (APN LLC.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Search App by Ask - {4F524A2D-5350-4500-76A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-SPE\Passport.dll (APN LLC.)
Toolbar: HKLM - Shopping App by Ask - {4F524A2D-5354-2D53-5045-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-ST-SPE\Passport.dll (APN LLC.)
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> Search App by Ask - {4F524A2D-5350-4500-76A7-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-SPE\Passport.dll (APN LLC.)
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> Shopping App by Ask - {4F524A2D-5354-2D53-5045-7A786E7484D7} - C:\Program Files\AskPartnerNetwork\Toolbar\ORJ-ST-SPE\Passport.dll (APN LLC.)
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://arkadin.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1454471165-220523388-1417001333-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Telis\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-17]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Documents and Settings\Telis\Local Settings\Application Data\APN\GoogleCRXs\apnorjtoolbar.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [166296 2014-11-24] (APN LLC.)
S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-04-07] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-14] (Creative Technology Ltd) [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [219480 2013-07-09] (Garmin Ltd or its subsidiaries)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-07] (Oracle Corporation)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-02-07] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1897960 2011-08-09] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2011-08-09] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2011-08-09] (Symantec Corporation)
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{19D15C11-8080-4550-841C-EF2CFF0C3362}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2011-08-09] (Symantec Corporation)
S3 COMMONFX; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
R3 COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
S3 CTAUDFX; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
R3 CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
S3 ctdvda2k; C:\WINDOWS\System32\drivers\ctdvda2k.sys [347080 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTSBLFX; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R3 CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-11-25] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-11-25] (Symantec Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [798744 2009-06-23] (Creative Technology Ltd)
S3 hap16v2k; C:\WINDOWS\System32\drivers\hap16v2k.sys [162840 2009-06-23] (Creative Technology Ltd)
R3 hap17v2k; C:\WINDOWS\System32\drivers\hap17v2k.sys [189464 2009-06-23] (Creative Technology Ltd)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-15] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVENG.SYS [95704 2014-08-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVEX15.SYS [1636696 2014-08-11] (Symantec Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-08-09] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2011-08-09] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2011-08-09] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2011-08-09] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-04-06] (Symantec Corporation)
S3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2011-08-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2011-08-09] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99744 2011-08-09] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2011-08-09] (Symantec Corporation)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [43936 2011-08-09] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2012-09-30] (Symantec Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath
U3 mbr; \??\C:\DOCUME~1\Telis\LOCALS~1\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-17 07:29 - 2015-01-17 07:29 - 00018219 _____ () C:\Documents and Settings\Telis\Desktop\FRST.txt
2015-01-17 07:27 - 2015-01-17 07:29 - 00000000 ____D () C:\FRST
2015-01-17 07:24 - 2015-01-17 07:24 - 01117696 _____ (Farbar) C:\Documents and Settings\Telis\Desktop\FRST.exe
2015-01-17 06:55 - 2015-01-17 06:55 - 00019097 _____ () C:\Documents and Settings\Telis\Desktop\attach.txt
2015-01-17 06:55 - 2015-01-17 06:55 - 00011473 _____ () C:\Documents and Settings\Telis\Desktop\dds.txt
2015-01-17 06:52 - 2015-01-17 06:53 - 00688992 ____R (Swearware) C:\Documents and Settings\Telis\Desktop\dds.com
2015-01-15 13:03 - 2015-01-15 13:03 - 00001034 _____ () C:\Documents and Settings\Telis\Desktop\sep log.csv
2015-01-15 10:12 - 2015-01-15 10:12 - 00000208 _____ () C:\Documents and Settings\Telis\Desktop\possible fix.txt
2015-01-15 09:32 - 2015-01-15 09:32 - 00000000 ____D () C:\~ErdUserProfile.$$$
2015-01-15 05:26 - 2015-01-15 05:26 - 04376752 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2015-01-15 05:23 - 2015-01-15 05:23 - 00000000 ____D () C:\WINDOWS\pss
2015-01-14 03:54 - 2015-01-14 03:54 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2015-01-03 15:07 - 2015-01-03 15:10 - 00020480 ___SH () C:\Documents and Settings\Telis\Desktop\Thumbs.db
2014-12-28 13:28 - 2014-12-28 13:28 - 00495616 _____ () C:\Documents and Settings\Telis\Desktop\New Microsoft Access Database.accdb
2014-12-20 09:59 - 2014-12-20 09:59 - 00000631 _____ () C:\Documents and Settings\Telis\Desktop\vanilla frosting with evap milk.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-17 07:29 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis\Local Settings\Temp
2015-01-17 07:26 - 2012-08-08 16:08 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-17 06:37 - 2012-04-06 17:35 - 01371694 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-17 06:34 - 2012-04-06 18:35 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2015-01-17 06:34 - 2012-04-06 17:39 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-17 06:34 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-01-16 20:28 - 2012-12-15 13:29 - 00281762 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-01-16 20:28 - 2012-04-07 04:24 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.BAK
2015-01-16 20:28 - 2012-04-07 04:21 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.CDF
2015-01-16 20:28 - 2012-04-06 17:41 - 00000178 ___SH () C:\Documents and Settings\Telis\ntuser.ini
2015-01-16 20:28 - 2012-04-06 17:39 - 00032618 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-16 19:43 - 2012-04-07 16:18 - 00000416 _____ () C:\Documents and Settings\Telis\My Documents\spider.sav
2015-01-15 22:53 - 2012-04-07 03:36 - 00065536 _____ () C:\WINDOWS\system32\config\OAlerts.evt
2015-01-15 13:33 - 2014-07-30 06:39 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-15 10:13 - 2012-12-15 13:29 - 02506010 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1454471165-220523388-1417001333-1003-0.dat
2015-01-15 09:12 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\security
2015-01-15 06:34 - 2013-11-14 03:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-01-15 06:34 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis
2015-01-15 05:26 - 2012-04-06 18:05 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-15 05:26 - 2012-04-06 18:05 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-14 04:06 - 2012-04-06 17:33 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-01-14 03:58 - 2012-07-12 22:38 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-01-14 03:08 - 2013-08-14 19:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:00 - 2012-04-06 18:20 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-10 23:26 - 2014-10-13 03:17 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-08 15:00 - 2014-03-28 16:08 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-12-31 13:42 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\Help

ZeroAccess:
C:\Windows\Installer\{d8974088-d36f-254b-2486-b18b9b4f3f99}
C:\Windows\Installer\{d8974088-d36f-254b-2486-b18b9b4f3f99}\@

ZeroAccess:
C:\Documents and Settings\Telis\Local Settings\Application Data\{d8974088-d36f-254b-2486-b18b9b4f3f99}
C:\Documents and Settings\Telis\Local Settings\Application Data\{d8974088-d36f-254b-2486-b18b9b4f3f99}\@

Some content of TEMP:
====================
C:\Documents and Settings\Telis\Local Settings\Temp\APNSetup.exe
C:\Documents and Settings\Telis\Local Settings\Temp\APNStub.exe
C:\Documents and Settings\Telis\Local Settings\Temp\contentDATs.exe
C:\Documents and Settings\Telis\Local Settings\Temp\drm_dialogs.dll
C:\Documents and Settings\Telis\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-6u39-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
C:\Documents and Settings\Telis\Local Settings\Temp\mssinstaller.exe
C:\Documents and Settings\Telis\Local Settings\Temp\SecurityScan_Release.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp1.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp3.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp4.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp4A.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp4D.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp5.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp6.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmp6C.exe
C:\Documents and Settings\Telis\Local Settings\Temp\tmpDF4.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Addition.txt

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 17-01-2015 01
Ran by Telis at 2015-01-17 07:30:29
Running from C:\Documents and Settings\Telis\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
American Conquest - Divided Nation (HKLM\...\American Conquest - Divided Nation) (Version:  - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.223-060207a3-031279C-HP - )
Battlestations: Midway (HKLM\...\{6BC0CDD6-E0C2-434D-9365-23E79E42DA95}) (Version: 1.00.0000 - EIDOS)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Citrix online plug-in - web (HKLM\...\CitrixOnlinePluginPackWeb) (Version: 12.1.44.1 - Citrix Systems, Inc.)
Creative Audio Console (HKLM\...\AudioCS) (Version: 1.32 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Elevated Installer (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Communicator Plugin (HKLM\...\{13F054F3-0B07-4D15-9E80-C55B496AB557}) (Version: 4.0.3 - Garmin Ltd or its subsidiaries)
Garmin Express (HKLM\...\{090dbdaf-9c21-4003-9544-3a57184fff74}) (Version: 2.2.16 - Garmin Ltd or its subsidiaries)
Garmin Express (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Update Service (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
GoToMeeting 6.0.0.1259 (HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\GoToMeeting) (Version: 6.0.0.1259 - CitrixOnline)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.102 - Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.130.10 - McAfee, Inc.)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
OverDrive Media Console (HKLM\...\{D07205E7-F6D3-4333-AFCC-782A07685B72}) (Version: 3.2.20 - OverDrive, Inc.)
PGIII Scorched Earth (HKLM\...\PGIII Scorched Earth) (Version:  - )
Samsung_MonSetup (HKLM\...\{8EA79DBF-D637-448A-89D6-410A087A4493}) (Version: 1.00.0000 - Samsung)
ScottradeELITE 2013 (HKLM\...\{10F03169-B313-4758-A0A2-E3A5CF2AB039}) (Version: 5.0.13.0 - Scottrader)
Search App by Ask (HKLM\...\{4F524A2D-5350-4500-76A7-A758B70C1500}) (Version: 12.21.0.114 - APN, LLC) <==== ATTENTION
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Shopping App by Ask (HKLM\...\{4F524A2D-5354-2D53-5045-A758B70C1500}) (Version: 12.21.0.115 - APN, LLC)
Symantec Endpoint Protection (HKLM\...\{5E2E4797-502A-4FFD-81EC-F9BA8BF0C581}) (Version: 11.0.7000.975 - Symantec Corporation)
Update 4.0.3 for Microsoft .NET Framework 4 Client Profile (KB2600211) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600211) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1454471165-220523388-1417001333-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1259\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points  =========================

14-01-2015 04:07:04 System Checkpoint
15-01-2015 11:37:16 System Checkpoint
16-01-2015 12:27:46 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 07:00 - 2008-04-14 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-1454471165-220523388-1417001333-500 - Administrator - Enabled)
Guest (S-1-5-21-1454471165-220523388-1417001333-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1454471165-220523388-1417001333-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1454471165-220523388-1417001333-1002 - Limited - Disabled)
Telis (S-1-5-21-1454471165-220523388-1417001333-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Telis

==================== Faulty Device Manager Devices =============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (01/13/2015 10:44:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/10/2015 11:27:02 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application AcroRd32.exe, version 11.0.8.4, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/10/2015 11:19:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

System errors:
=============
Error: (01/17/2015 06:35:03 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (01/17/2015 06:34:32 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (01/16/2015 07:13:10 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (01/16/2015 07:12:41 PM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (01/16/2015 09:24:39 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (01/16/2015 09:24:09 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (01/16/2015 02:53:01 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (01/16/2015 02:52:31 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (01/16/2015 02:52:31 AM) (Source: 0) (EventID: 1) (User: )
Description: 0xC0000243SrtETmpHarddiskVolume2

Error: (01/15/2015 10:14:57 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Microsoft Office Sessions:
=========================
Error: (01/13/2015 10:44:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (01/10/2015 11:27:02 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: AcroRd32.exe11.0.8.4hungapp0.0.0.000000000

Error: (01/10/2015 11:19:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

==================== Memory info ===========================

Processor:  Intel® Pentium® D CPU 2.66GHz
Percentage of memory in use: 39%
Total physical RAM: 1983.36 MB
Available physical RAM: 1202.02 MB
Total Pagefile: 3876.7 MB
Available Pagefile: 3361.22 MB
Total Virtual: 2047.88 MB
Available Virtual: 1930.62 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:141.23 GB) (Free:105.07 GB) NTFS
Drive h: (HP_RECOVERY) (Fixed) (Total:7.79 GB) (Free:0.37 GB) FAT32 ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: CAB10BEE)
Partition 1: (Not Active) - (Size=141.2 GB) - (Type=OF Extended)
Partition 2: (Active) - (Size=7.8 GB) - (Type=0C)

==================== End Of Log ============================



#4 Lost in NY (Topic Starter, Members, 38 posts, NYC)

Posted 17 January 2015 - 07:39 AM

Sorry, I forgot to mention that I did fix the issue of System Restore being blocked, but the only restore points that exist now are from after the computer was infected. I also fixed the issue that was preventing SEP from downloading updates and scanning by deleting a reg key, as described in the original thread in the 'am I infected' forum.



#5 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 17 January 2015 - 07:44 AM

Thank you Juergen - one question - when I started FRST, I saw that all boxes in the Whitelist section were checked - is that ok?


You are welcome! :)
Yes, it is.

Malware Warning

If your computer was used for online banking, has credit card information or other sensitive data, using a non-infected computer/device you should immediately change all account information (including those used for banking, Email, eBay, Paypal, online forums, etc).

Windows XP notes

I've noticed that you're a Windows XP user. I need to tell you that my canned speeches (texts I use to present instructions) are designed for newer systems in the first place. Therefore, whenever you see a request to Run as Administrator, please ignore it and instead run the tool just by double-clicking the aforementioned icon.

Windows XP end of support warning!

As 8 April 2014 has passed, this operating system is no longer supported by Microsoft.
All patches, updates and security releases for this system have ceased.

This is just information for you, if you were not aware.
My recommendation would be to start thinking about replacing it with a newer edition, like Windows Vista, Windows 7 or Windows 8.

Please uninstall this program: Search App by Ask

Step 1

Please download the attached fixlist and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

After the Reboot:

Attached File: fixlist.txt (1.29KB, 4 downloads)


Step 2

Start FRST with administrator privileges.

  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. (Harm no one; rather, help everyone as much as you can.) Arthur Schopenhauer
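
The fixlist attached in this post (its contents are echoed in the Fixlog in the next post) undoes four things the infection did: it restores five entries that FRST reports as "HKLM Group Policy restriction on software", which are Software Restriction Policy path rules pointed at the McAfee, Symantec and Malwarebytes directories; it restores the machine-wide InprocServer32 default for the wbemess CLSID and deletes a per-user CLSID whose InprocServer32 shadowed shell32 (the lines FRST flags "ZeroAccess?"); and it moves two GUID-named folders that contain a file called "@". The read-only PowerShell audit below is an added example, not code from this thread, from FRST or from deeprybka; a practitioner can run it before the fix to see the same findings and after the reboot to confirm they are gone. It assumes an elevated PowerShell 2.0 or later session (on XP SP3, PowerShell 2.0 is the optional Windows Management Framework Core install, KB968930). The list of protected directory names is illustrative, and the Registry.pol check rests on an assumption: the scan in the next post shows C:\WINDOWS\system32\GroupPolicy being created on 2015-01-14, so the policy rules may have been written through the local GPO store, in which case a policy refresh would re-apply them after the registry keys alone are cleaned.

```powershell
# Added example (not from the thread, FRST or deeprybka): read-only audit of the
# registry and file-system locations that the FRST fix in this thread touched.
# Assumes an elevated PowerShell 2.0+ session. $protectedDirs is an illustrative
# list of anti-malware directory names; extend it for the products on the host.

$findings = @()
function Add-Finding([string]$Category, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Category = $Category; Detail = $Detail }
}

# 1. Software Restriction Policy path rules. The subkey name under
#    CodeIdentifiers is the security level: 0 = Disallowed, 262144 = Unrestricted.
#    A Disallowed rule whose ItemData points at an anti-malware directory is what
#    keeps that product from loading or updating.
$protectedDirs = @('Symantec', 'McAfee', 'Malwarebytes', 'Microsoft Security Client', 'Windows Defender')
foreach ($hive in 'HKLM', 'HKCU') {
    $saferRoot = "Registry::$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path $saferRoot)) { continue }
    foreach ($levelKey in Get-ChildItem $saferRoot) {
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $item = [string](Get-ItemProperty $rule.PSPath).ItemData
            $hit  = $protectedDirs | Where-Object { $item -like "*$_*" }
            if ($levelKey.PSChildName -eq '0' -and $hit) {
                Add-Finding 'SRP-Disallowed' "$hive rule $($rule.PSChildName) blocks $item"
            }
        }
    }
}

# 2. Policy values that switch off System Restore and Windows Firewall
#    (the two symptoms in this thread's title).
$disableChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR';      Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableConfig';  Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall'; Bad = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 }
)
foreach ($c in $disableChecks) {
    if (-not (Test-Path $c.Key)) { continue }
    $v = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Name)
    if ($v -ne $null -and $v -eq $c.Bad) { Add-Finding 'Policy-Disable' "$($c.Key)\$($c.Name) = $v" }
}

# 3. COM hijacking: a per-user CLSID with its own InprocServer32 that also exists
#    machine-wide. HKCR merges HKCU\Software\Classes over HKLM\Software\Classes,
#    so the per-user DLL is the one that loads. FRST printed these as
#    "InprocServer32: [Default-...] ATTENTION! ====> ZeroAccess?".
$userClsid = 'Registry::HKCU\Software\Classes\CLSID'
if (Test-Path $userClsid) {
    foreach ($k in Get-ChildItem $userClsid) {
        $inproc = Join-Path $k.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        $machine = "Registry::HKLM\Software\Classes\CLSID\$($k.PSChildName)"
        if (Test-Path $machine) {
            $dll = (Get-ItemProperty $inproc).'(default)'
            Add-Finding 'CLSID-Shadow' "$($k.PSChildName) -> $dll (also defined under HKLM)"
        }
    }
}

# 4. GUID-named directories holding a file called "@", the layout FRST moved out
#    of C:\Windows\Installer and Local Settings\Application Data. The third root
#    is empty on XP (no LOCALAPPDATA) and is skipped; it covers newer Windows.
$guidName = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
$roots = @("$env:SystemRoot\Installer", "$env:USERPROFILE\Local Settings\Application Data", "$env:LOCALAPPDATA")
foreach ($root in $roots) {
    if ($root -eq '' -or -not (Test-Path $root)) { continue }
    $dirs = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidName }
    foreach ($d in $dirs) {
        if (Test-Path (Join-Path $d.FullName '@')) { Add-Finding 'GUID-Dir' $d.FullName }
    }
}

# 5. Local GPO store (assumption for this host, see lead-in). If Registry.pol
#    still carries the Safer rules, the next policy refresh writes them back.
$pol = "$env:SystemRoot\system32\GroupPolicy\Machine\Registry.pol"
if (Test-Path $pol) {
    Add-Finding 'LocalGPO' "Registry.pol present, modified $((Get-Item $pol).LastWriteTime); review before trusting a registry-only fix"
}

if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | Format-Table Category, Detail -AutoSize }
```

Nothing here is changed; the script only reports. If it lists a LocalGPO finding alongside SRP-Disallowed rules, deleting the Safer keys is not enough on its own, because `gpupdate /force` or the regular refresh re-creates them from Registry.pol, so the local policy has to be cleared as well. A CLSID-Shadow hit is worth checking by hand even when the DLL name looks legitimate: the per-user value wins over the machine-wide one regardless of what it points at.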

#6 Lost in NY (Topic Starter, Members, 38 posts, NYC)

Posted 17 January 2015 - 08:18 AM

Yes, I know XP isn't supported (I actually work in an IT department; I started as a programmer a long time ago and now manage risk, compliance and governance type of things), so I know I shouldn't be letting this machine connect to the internet. I do use a 64-bit Windows 7 machine for anything that involves financial transactions of any kind, but the family likes the 32-bit games on here and insists on keeping it connected to the internet too. Maybe now they will listen :) ...or maybe not...

Anyway, I removed the 2 Ask apps (I saw the Ask Shopping app so I removed that one too).

Next, I ran FRST with the Fix option, rebooted, and then ran it with the Scan option. Please see the logs below:

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 17-01-2015 01
Ran by Telis at 2015-01-17 07:59:47 Run:1
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
CloseProcesses:
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM\...\InprocServer32: [Default-wbemess] wbemess.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...0c966feabec1\InprocServer32: [Default-shell32]  ATTENTION! ====> ZeroAccess?
SearchScopes: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> {174C1EF0-55C6-48BB-B8DE-4192D56FA348} URL = http://www.search.ask.co
C:\Windows\Installer\{d8974088-d36f-254b-2486-b18b9b4f3f99}
C:\Windows\Installer\{d8974088-d36f-254b-2486-b18b9b4f3f99}\@
C:\Documents and Settings\Telis\Local Settings\Application Data\{d8974088-d36f-254b-2486-b18b9b4f3f99}
C:\Documents and Settings\Telis\Local Settings\Application Data\{d8974088-d36f-254b-2486-b18b9b4f3f99}\@
CreateRestorePoint:
EmptyTemp:
*****************

Processes closed successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\\Default => Value was restored successfully.
"HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}" => Key deleted successfully.
"HKU\S-1-5-21-1454471165-220523388-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{174C1EF0-55C6-48BB-B8DE-4192D56FA348}" => Key deleted successfully.
HKCR\CLSID\{174C1EF0-55C6-48BB-B8DE-4192D56FA348} => Key not found.
C:\Windows\Installer\{d8974088-d36f-254b-2486-b18b9b4f3f99} => Moved successfully.
"C:\Windows\Installer\{d8974088-d36f-254b-2486-b18b9b4f3f99}\@" => File/Directory not found.
C:\Documents and Settings\Telis\Local Settings\Application Data\{d8974088-d36f-254b-2486-b18b9b4f3f99} => Moved successfully.
"C:\Documents and Settings\Telis\Local Settings\Application Data\{d8974088-d36f-254b-2486-b18b9b4f3f99}\@" => File/Directory not found.
Restore point was successfully created.
EmptyTemp: => Removed 2.5 GB temporary data.

The system needed a reboot.

==== End of Fixlog 08:02:39 ====

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-01-2015 01
Ran by Telis (administrator) on ABIGAIL on 17-01-2015 08:05:06
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CtHelper.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTSched.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Express Tray\ExpressTray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\reader_sl.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2011-08-09] (Symantec Corporation)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [CTHelper] => C:\WINDOWS\system32\CTHELPER.EXE [19456 2009-06-23] (Creative Technology Ltd)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [CreativeTaskScheduler] => C:\Program Files\Creative\Shared Files\CTSched.exe [53341 2006-11-17] (Creative Technology Ltd)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-07-09] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\MountPoints2: {b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} - J:\Setup.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?CityName=Staten+Island&state=NY&site=OKX&textField1=40.5866&textField2=-74.1489&e=0
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} -  No File
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5350-4500-76A7-7A786E7484D7} -  No File
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://arkadin.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1454471165-220523388-1417001333-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Telis\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-17]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Documents and Settings\Telis\Local Settings\Application Data\APN\GoogleCRXs\apnorjtoolbar.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-04-07] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-14] (Creative Technology Ltd) [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [219480 2013-07-09] (Garmin Ltd or its subsidiaries)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-07] (Oracle Corporation)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-02-07] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1897960 2011-08-09] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2011-08-09] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2011-08-09] (Symantec Corporation)
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{19D15C11-8080-4550-841C-EF2CFF0C3362}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2011-08-09] (Symantec Corporation)
S3 COMMONFX; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
R3 COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
S3 CTAUDFX; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
R3 CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
S3 ctdvda2k; C:\WINDOWS\System32\drivers\ctdvda2k.sys [347080 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTSBLFX; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R3 CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-11-25] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-11-25] (Symantec Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [798744 2009-06-23] (Creative Technology Ltd)
S3 hap16v2k; C:\WINDOWS\System32\drivers\hap16v2k.sys [162840 2009-06-23] (Creative Technology Ltd)
R3 hap17v2k; C:\WINDOWS\System32\drivers\hap17v2k.sys [189464 2009-06-23] (Creative Technology Ltd)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-15] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVENG.SYS [95704 2014-08-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVEX15.SYS [1636696 2014-08-11] (Symantec Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-08-09] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2011-08-09] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2011-08-09] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2011-08-09] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-04-06] (Symantec Corporation)
R3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2011-08-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2011-08-09] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99744 2011-08-09] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2011-08-09] (Symantec Corporation)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [43936 2011-08-09] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2012-09-30] (Symantec Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-17 08:05 - 2015-01-17 08:07 - 00015794 _____ () C:\Documents and Settings\Telis\Desktop\FRST.txt
2015-01-17 07:58 - 2015-01-17 07:58 - 00001324 _____ () C:\Documents and Settings\Telis\Desktop\fixlist[1].txt
2015-01-17 07:56 - 2015-01-17 07:56 - 00000319 _____ () C:\Documents and Settings\Telis\Desktop\next reply.txt
2015-01-17 07:27 - 2015-01-17 08:05 - 00000000 ____D () C:\FRST
2015-01-17 07:24 - 2015-01-17 07:24 - 01117696 _____ (Farbar) C:\Documents and Settings\Telis\Desktop\FRST.exe
2015-01-17 06:52 - 2015-01-17 06:53 - 00688992 ____R (Swearware) C:\Documents and Settings\Telis\Desktop\dds.com
2015-01-15 13:03 - 2015-01-15 13:03 - 00001034 _____ () C:\Documents and Settings\Telis\Desktop\sep log.csv
2015-01-15 10:12 - 2015-01-15 10:12 - 00000208 _____ () C:\Documents and Settings\Telis\Desktop\possible fix.txt
2015-01-15 09:32 - 2015-01-15 09:32 - 00000000 ____D () C:\~ErdUserProfile.$$$
2015-01-15 05:26 - 2015-01-15 05:26 - 04376752 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2015-01-15 05:23 - 2015-01-15 05:23 - 00000000 ____D () C:\WINDOWS\pss
2015-01-14 03:54 - 2015-01-14 03:54 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2015-01-03 15:07 - 2015-01-03 15:10 - 00020480 ___SH () C:\Documents and Settings\Telis\Desktop\Thumbs.db
2014-12-28 13:28 - 2014-12-28 13:28 - 00495616 _____ () C:\Documents and Settings\Telis\Desktop\New Microsoft Access Database.accdb
2014-12-20 09:59 - 2014-12-20 09:59 - 00000631 _____ () C:\Documents and Settings\Telis\Desktop\vanilla frosting with evap milk.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-17 08:07 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis\Local Settings\Temp
2015-01-17 08:07 - 2012-04-06 17:35 - 01376883 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-17 08:04 - 2012-04-06 18:35 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2015-01-17 08:04 - 2012-04-06 17:39 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-17 08:04 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-01-17 08:03 - 2012-12-15 13:29 - 00281762 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-01-17 08:03 - 2012-04-06 17:41 - 00000178 ___SH () C:\Documents and Settings\Telis\ntuser.ini
2015-01-17 08:03 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis
2015-01-17 08:03 - 2012-04-06 17:39 - 00032618 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-17 07:26 - 2012-08-08 16:08 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-16 20:28 - 2012-04-07 04:24 - 04931933 ____N () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.BAK
2015-01-16 20:28 - 2012-04-07 04:21 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.CDF
2015-01-16 19:43 - 2012-04-07 16:18 - 00000416 _____ () C:\Documents and Settings\Telis\My Documents\spider.sav
2015-01-15 22:53 - 2012-04-07 03:36 - 00065536 _____ () C:\WINDOWS\system32\config\OAlerts.evt
2015-01-15 13:33 - 2014-07-30 06:39 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-15 10:13 - 2012-12-15 13:29 - 02506010 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1454471165-220523388-1417001333-1003-0.dat
2015-01-15 09:12 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\security
2015-01-15 06:34 - 2013-11-14 03:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-01-15 05:26 - 2012-04-06 18:05 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-15 05:26 - 2012-04-06 18:05 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-14 04:06 - 2012-04-06 17:33 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-01-14 03:58 - 2012-07-12 22:38 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-01-14 03:08 - 2013-08-14 19:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:00 - 2012-04-06 18:20 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-10 23:26 - 2014-10-13 03:17 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-08 15:00 - 2014-03-28 16:08 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-12-31 13:42 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\Help

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 17-01-2015 01
Ran by Telis at 2015-01-17 08:08:10
Running from C:\Documents and Settings\Telis\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
American Conquest - Divided Nation (HKLM\...\American Conquest - Divided Nation) (Version:  - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.223-060207a3-031279C-HP - )
Battlestations: Midway (HKLM\...\{6BC0CDD6-E0C2-434D-9365-23E79E42DA95}) (Version: 1.00.0000 - EIDOS)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Citrix online plug-in - web (HKLM\...\CitrixOnlinePluginPackWeb) (Version: 12.1.44.1 - Citrix Systems, Inc.)
Creative Audio Console (HKLM\...\AudioCS) (Version: 1.32 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Elevated Installer (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Communicator Plugin (HKLM\...\{13F054F3-0B07-4D15-9E80-C55B496AB557}) (Version: 4.0.3 - Garmin Ltd or its subsidiaries)
Garmin Express (HKLM\...\{090dbdaf-9c21-4003-9544-3a57184fff74}) (Version: 2.2.16 - Garmin Ltd or its subsidiaries)
Garmin Express (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Update Service (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
GoToMeeting 6.0.0.1259 (HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\GoToMeeting) (Version: 6.0.0.1259 - CitrixOnline)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.102 - Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.130.10 - McAfee, Inc.)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
OverDrive Media Console (HKLM\...\{D07205E7-F6D3-4333-AFCC-782A07685B72}) (Version: 3.2.20 - OverDrive, Inc.)
PGIII Scorched Earth (HKLM\...\PGIII Scorched Earth) (Version:  - )
Samsung_MonSetup (HKLM\...\{8EA79DBF-D637-448A-89D6-410A087A4493}) (Version: 1.00.0000 - Samsung)
ScottradeELITE 2013 (HKLM\...\{10F03169-B313-4758-A0A2-E3A5CF2AB039}) (Version: 5.0.13.0 - Scottrader)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Symantec Endpoint Protection (HKLM\...\{5E2E4797-502A-4FFD-81EC-F9BA8BF0C581}) (Version: 11.0.7000.975 - Symantec Corporation)
Update 4.0.3 for Microsoft .NET Framework 4 Client Profile (KB2600211) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600211) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1454471165-220523388-1417001333-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1259\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points  =========================

14-01-2015 04:07:04 System Checkpoint
15-01-2015 11:37:16 System Checkpoint
16-01-2015 12:27:46 System Checkpoint
17-01-2015 07:49:31 Removed Search App by Ask
17-01-2015 07:50:08 Removed Shopping App by Ask
17-01-2015 07:59:53 Restore Point Created by FRST

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 07:00 - 2008-04-14 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-1454471165-220523388-1417001333-500 - Administrator - Enabled)
Guest (S-1-5-21-1454471165-220523388-1417001333-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1454471165-220523388-1417001333-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1454471165-220523388-1417001333-1002 - Limited - Disabled)
Telis (S-1-5-21-1454471165-220523388-1417001333-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Telis

==================== Faulty Device Manager Devices =============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (01/17/2015 07:49:26 AM) (Source: MsiInstaller) (EventID: 10005) (User: ABIGAIL)
Description: Product: Search App by Ask -- Error 25001. The following applications must be closed before continuing the uninstall:

Internet Explorer

Error: (01/13/2015 10:44:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/10/2015 11:27:02 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application AcroRd32.exe, version 11.0.8.4, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/10/2015 11:19:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

System errors:
=============
Error: (01/17/2015 08:05:44 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (01/17/2015 08:04:20 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (01/17/2015 07:59:58 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (01/17/2015 07:59:58 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Installer service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/17/2015 07:59:58 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Symantec Endpoint Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (01/17/2015 07:59:58 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Garmin Core Update Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (01/17/2015 07:59:58 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/17/2015 07:59:48 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Symantec Settings Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.

Error: (01/17/2015 07:59:48 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Symantec Event Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 200 milliseconds: Restart the service.

Error: (01/17/2015 07:59:48 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Creative Audio Service service terminated unexpectedly.  It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (01/17/2015 07:49:26 AM) (Source: MsiInstaller) (EventID: 10005) (User: ABIGAIL)
Description: Product: Search App by Ask -- Error 25001. The following applications must be closed before continuing the uninstall:

Internet Explorer (NULL)(NULL)(NULL)

Error: (01/13/2015 10:44:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (01/10/2015 11:27:02 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: AcroRd32.exe11.0.8.4hungapp0.0.0.000000000

Error: (01/10/2015 11:19:28 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

==================== Memory info ===========================

Processor:  Intel® Pentium® D CPU 2.66GHz
Percentage of memory in use: 31%
Total physical RAM: 1983.36 MB
Available physical RAM: 1353.82 MB
Total Pagefile: 3876.7 MB
Available Pagefile: 3456.09 MB
Total Virtual: 2047.88 MB
Available Virtual: 1947.82 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:141.23 GB) (Free:107.56 GB) NTFS
Drive h: (HP_RECOVERY) (Fixed) (Total:7.79 GB) (Free:0.37 GB) FAT32 ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: CAB10BEE)
Partition 1: (Not Active) - (Size=141.2 GB) - (Type=OF Extended)
Partition 2: (Active) - (Size=7.8 GB) - (Type=0C)

==================== End Of Log ============================



#7 Lost in NY

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC

Posted 17 January 2015 - 08:21 AM

sorry - one more thing - I just checked Windows Firewall from control panel and still am unable to open it to see settings - as I mentioned in my first post, I get pop-up "due to unidentified problem Windows cannot display firewall settings" - so I think there is still some issue.  Please let me know if any thoughts on this.



#8 deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 17 January 2015 - 08:27 AM

sorry - one more thing - I just checked Windows Firewall from control panel and still am unable to open it to see settings - as I mentioned in my first post, I get pop-up "due to unidentified problem Windows cannot display firewall settings" - so I think there is still some issue.  Please let me know if any thoughts on this.

Please follow my instructions...  I know what to do... :)

Step 1

Download Malwarebytes Anti-Rootkit to your Desktop.

  • Double-click "mbar.exe" to start the tool.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"


Step 2

Please download the ESET Online Scanner and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:

[screenshot: settings.png]

  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at the location shown in the screenshot (logpath.png).
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!

Step 3

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards,
deeprybka

Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#9 Lost in NY

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC

Posted 17 January 2015 - 12:14 PM

Thanks - and you are right of course that eset did take a long time to run.  So, I followed the steps you provided:

First I ran mbar and it finished with no malware found so no clean-up step

Here is the mbar log:

Malwarebytes Anti-Rootkit BETA 1.08.2.1001
www.malwarebytes.org

Database version: v2015.01.17.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Telis :: ABIGAIL [administrator]

1/17/2015 8:53:20 AM
mbar-log-2015-01-17 (08-53-20).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 298381
Time elapsed: 15 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Here is the system log:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, H:\ DRIVE_FIXED
CPU speed: 2.665000 GHz
Memory total: 2079698944, free: 1319391232

Downloaded database version: v2015.01.17.02
Downloaded database version: v2015.01.14.01
Downloaded database version: v2014.12.06.01
=======================================
------------ Kernel report ------------
     01/17/2015 08:52:38
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\ctaud2k.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ctoss2k.sys
\SystemRoot\system32\drivers\ctprxy2k.sys
\SystemRoot\system32\DRIVERS\RTL8139.SYS
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\teefer2.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\hap17v2k.sys
\SystemRoot\system32\drivers\ha10kx2k.sys
\SystemRoot\system32\drivers\emupia2k.sys
\SystemRoot\system32\drivers\ctsfm2k.sys
\SystemRoot\system32\drivers\ctac32k.sys
\SystemRoot\System32\drivers\COMMONFX.SYS
\SystemRoot\System32\drivers\CTAUDFX.SYS
\SystemRoot\System32\drivers\CTSBLFX.SYS
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\SRTSP.SYS
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20150105.019\NAVEX15.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20150105.019\NAVENG.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\SRTSPX.SYS
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
\SystemRoot\System32\Drivers\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\system32\DRIVERS\ctxusbm.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\SYMREDRV.SYS
\??\C:\WINDOWS\system32\drivers\WpsHelper.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR6
Upper Device Object: 0xffffffff89aa3ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000081\
Lower Device Object: 0xffffffff8946d150
Lower Device Driver Name: \Driver\usbstor\
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR5
Upper Device Object: 0xffffffff8958b030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000080\
Lower Device Object: 0xffffffff894623b8
Lower Device Driver Name: \Driver\usbstor\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR4
Upper Device Object: 0xffffffff89e00030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007f\
Lower Device Object: 0xffffffff8944bb18
Lower Device Driver Name: \Driver\usbstor\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR3
Upper Device Object: 0xffffffff8a476a50
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007e\
Lower Device Object: 0xffffffff8946aea0
Lower Device Driver Name: \Driver\usbstor\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8a55bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-7\
Lower Device Object: 0xffffffff8a55cd98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8a55bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8a5ed508, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a55bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8a54a250, DeviceName: \Device\00000077\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8a55cd98, DeviceName: \Device\Ide\IdeDeviceP2T0L0-7\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: CAB10BEE

Partition information:

    Partition 0 type is Extended with LBA (0xf)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 16065  Numsec = 296190405

    Partition 1 type is Other (0xc)
    Partition is ACTIVE.
    Partition starts at LBA: 296206470  Numsec = 16370235
    Partition file system is FAT32
    Partition is bootable

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 160041885696 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8a476a50, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff895e7020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8a476a50, DeviceName: \Device\Harddisk1\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8946aea0, DeviceName: \Device\0000007e\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff89e00030, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89e13860, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89e00030, DeviceName: \Device\Harddisk2\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8944bb18, DeviceName: \Device\0000007f\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff8958b030, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8958d020, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8958b030, DeviceName: \Device\Harddisk3\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff894623b8, DeviceName: \Device\00000080\, DriverName: \Driver\usbstor\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff89aa3ab8, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff89dae7e8, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff89aa3ab8, DeviceName: \Device\Harddisk4\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8946d150, DeviceName: \Device\00000081\, DriverName: \Driver\usbstor\
------------ End ----------
Scan finished
=======================================

Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-1-296206470-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

Next I disabled SEP and ran the ESET Online Scanner.

Here is the ESET log:

 

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=8c7b115d2908a94493116792fdacc957
# engine=22016
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-01-17 04:53:22
# local_time=2015-01-17 11:53:22 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=59721
# found=41
# cleaned=0
# scan_time=6549
sh=4C189E9C101E3F69151B02986E9D00CCFC4D049E ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NJZ trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\0\6e8ce980-3f3c9229"
sh=F16D0180B652CB9F683C55447B885DE8FAB1FAF9 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\13\464e860d-5418f90a"
sh=1B336EC8B0EE96161ABE89987DBA9FD9788273F4 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\14\79ba264e-310d490a"
sh=9157C4A5CB18AC83B0F5F5F2E41BCFD6765BE53E ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\15\21db984f-5109bea7"
sh=8A3E21300C7294EFE39134FB2DD6A98DF7EB9AE4 ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2012-1723.DE trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\15\29d775cf-12cf535b"
sh=9E8FE89690575BC20C9BBF799A15078A6253FBDE ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\15\2a73298f-79a5a0d6"
sh=32B7D9D1CC1FF521589DDE9B0C8A61C5C514F086 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\15\6f05a74f-1aca2359"
sh=B8AB7BF4994E20A956CB9DA4ED256951B70F5303 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\16\50101a10-5e18c2e0"
sh=F801000D586E3AFE5DEABBEFA9976BD40C371B02 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.RBV trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\2\18121602-104473b5"
sh=A459E5D8D59711BEDA5EC956C38DCFB2E9CAE34B ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\20\2a907594-7376043f"
sh=1B336EC8B0EE96161ABE89987DBA9FD9788273F4 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\25\57591f19-60feb088"
sh=DABE701BE98348672FE5CD90F9402509C9852D02 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NJZ trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\28\10e5dd1c-5a1c4e26"
sh=3387524B0AB99ADD49B126EF13C4929E9E61F558 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2013-0422.CF trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\3\151c26c3-15e3755b"
sh=9157C4A5CB18AC83B0F5F5F2E41BCFD6765BE53E ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\31\5129f41f-2eb37c82"
sh=C0995779394CDA513A5D014DF51D8D60674FF05F ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\31\5b1a65df-614e0830"
sh=0D60E7ADA7E40078A5EBABF25711D04B82DF4079 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.CVE-2012-1723.FO trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\31\775873df-5d8b664a-temp"
sh=9AB0E258293D64CC3E24F7E8B0D92A98D96FB964 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\32\d2e9060-4b211e74"
sh=01CBE972B6C4C101CBA198A2BC27B713611C32AC ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\36\31aec5a4-13a70299"
sh=E71E59C8558533BE10BEA69BADC28D73C3F2D72D ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\38\1ca297a6-4b4f4718-temp"
sh=42543D2E26EB2ACD4D4CAC848656DC90B921A756 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NIC trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\38\54fe1d66-7beada50"
sh=5175C3CC24C3BE9351704CE341FFCD0C8D7AC678 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\41\35a2b569-4e5115a4"
sh=DABE701BE98348672FE5CD90F9402509C9852D02 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NJZ trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\42\2a9a956a-547a695d"
sh=9AB0E258293D64CC3E24F7E8B0D92A98D96FB964 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\42\5d878aaa-27e81b9a"
sh=E71E59C8558533BE10BEA69BADC28D73C3F2D72D ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\45\1cc6562d-3b245463"
sh=DCC02755B8B124AC31F3CE1ECB08A85C68F3090E ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\48\15dc61b0-40699f46"
sh=B0B0CB256D3BC138FA505AA0A7EF6EB0965FF0F3 ft=0 fh=0000000000000000 vn="Java/Exploit.CVE-2012-1723.GE trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\48\43f2c70-480e3b3b"
sh=A140C1C013D152800A707CECDC88352A112A822C ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\49\485588f1-7cb1fda1"
sh=D4056E0A7ADCDA8F7BA6ECB2ED691297C6AB1AB7 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\5\1337a4c5-743efb24"
sh=A140C1C013D152800A707CECDC88352A112A822C ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\54\79d133f6-6ecd67aa"
sh=6D5E6C6359B485911BBF4A1C90352DAA4F1239EE ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NEA trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\59\434268bb-194a4249"
sh=01CBE972B6C4C101CBA198A2BC27B713611C32AC ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\59\812a2bb-1ec93f33-temp"
sh=EF21D3FEB97FF801F2E2070CFD4F393C2241F129 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\59\ac44f7b-4b09a3d1"
sh=3665139245E737B7885D2300BEF083C80EB4504F ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\6\3621b346-65f972bb"
sh=A370E27FDBA07424196B4DBA1D561BED0F6AE62E ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\62\6cc9583e-2cb03263"
sh=5175C3CC24C3BE9351704CE341FFCD0C8D7AC678 ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\63\133f073f-2e17ca33"
sh=29DD7804022E5648DD10C187951D40F4C713B06B ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\7\6e423447-6bf48ed0"
sh=EFE568A17AF6C5F6C25914B65B4DCF756B625857 ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NKR trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\8\1bfb2908-17cebcb0"
sh=8364AB759DE8D37EE426C8928CDA6BF0ED3D1C4C ft=0 fh=0000000000000000 vn="a variant of Java/Exploit.Agent.NJZ trojan" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\8\5d3b1e08-43fc0003"
sh=359820856D2CB8C324FB90E7AE59186F39B5429D ft=0 fh=0000000000000000 vn="multiple threats" ac=I fn="C:\Documents and Settings\Telis\Application Data\Sun\Java\Deployment\cache\6.0\9\53c6c549-327c7641"
sh=DF6CA5A78F2A55AC562C3D6B614AD96F5E2DB9B6 ft=1 fh=6f1c659b29064956 vn="a variant of Win32/AdInstaller potentially unwanted application" ac=I fn="H:\I386\APPS\APP11418\src\CompaqPresario_Spring06.exe"
sh=1F0C7A834BC3BBA49A793D14CDC968144EAAB5C6 ft=1 fh=5d88b9eb43c017aa vn="a variant of Win32/AdInstaller potentially unwanted application" ac=I fn="H:\I386\APPS\APP11418\src\HPPavillion_Spring06.exe"
 

Last, I downloaded Farbar Service Scanner and ran it.

Here is the FSS.txt:

Farbar Service Scanner Version: 17-01-2015
Ran by Telis (administrator) on 17-01-2015 at 12:08:11
Running from "C:\Documents and Settings\Telis\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.

Firewall Disabled Policy:
==================
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" registry key does not exist.

System Restore:
============

System Restore Policy:
========================

Security Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: ATTENTION!=====> Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============
Checking Start type of SharedAccess: ATTENTION!=====> Unable to retrieve start type of SharedAccess. The value does not exist.
Checking ImagePath of SharedAccess: ATTENTION!=====> Unable to retrieve ImagePath of SharedAccess. The value does not exist.
Checking ServiceDll of SharedAccess: ATTENTION!=====> Unable to retrieve ServiceDll of SharedAccess. The value does not exist.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4) WPS(9)
0x09000000050000000100000002000000030000000400000009000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****



#10 deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:12:52 PM

Posted 17 January 2015 - 12:58 PM

Hi,
this looks worse than it actually is. :)
Please do the following now:

Step 1

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Java Cache [1]
Click the Empty Selected button. [2]


Step 2

Please run fixdamage:
- Open the mbar (Malwarebytes Anti-Rootkit) folder that you extracted when you downloaded the program.
- Inside the plugins folder you should see a program called fixdamage.exe.
- Double-click on that file and the program will launch.
- When it has finished, you will be shown a message that says press any key to exit.
- Press any key on your keyboard and the fixdamage screen will close.
- For the changes to go into effect, you now need to manually reboot your computer.

Step 3

Please run Farbar Service Scanner again.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Edited by deeprybka, 17 January 2015 - 01:02 PM.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#11 Lost in NY

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC
  • Local time:05:52 AM

Posted 17 January 2015 - 01:46 PM

I downloaded ATF Cleaner, checked Java cache but it said 'no files were deleted'.

Then I ran the fixdamage plugin and rebooted.

Then I ran FSS and here is the FSS.txt:

Farbar Service Scanner Version: 17-01-2015
Ran by Telis (administrator) on 17-01-2015 at 13:40:13
Running from "C:\Documents and Settings\Telis\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4) WPS(9)
0x09000000050000000100000002000000030000000400000009000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****

And then I decided to check Windows Firewall and I can access it again, so it is definitely looking better!



#12 deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:12:52 PM

Posted 17 January 2015 - 02:15 PM

Please do this: https://www.java.com/en/download/help/plugin_cache.xml

Step 1

Please download SecurityCheck and save the file to your Desktop.

  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your Desktop.
  • Copy the contents of the log and paste in your next reply.

regards,
deeprybka

#13 Lost in NY

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC
  • Local time:05:52 AM

Posted 17 January 2015 - 03:54 PM

I have run SecurityCheck and here is the log:

 Results of screen317's Security Check version 0.99.93 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Symantec Endpoint Protection  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 67 
 Java 8 Update 25 
 Java version 32-bit out of Date!
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 10%
````````````````````End of Log``````````````````````
 



#14 deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:12:52 PM

Posted 17 January 2015 - 04:13 PM

OK! :)

Please uninstall Java 7 Update 67.

Let's do a final check-up:

Step 1

Don't remove on your own anything that HitmanPro detects!
This scanner, as it is really good for checking, has been known for deleting files instead of curing them, which in some cases may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro 32-bit / HitmanPro 64-bit by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run, please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button (1). You must agree with the terms of the EULA (2 - if asked).
  • Check the box beside "No, I only want to perform a one-time scan to check this computer" and click on the Next button. (3)
  • The program will start to scan the computer. It would only take several minutes.
  • When the scan is done, click on Save Log (4) and close HitmanPro! (5)
  • Copy and paste the content of the log file in your next reply.

Can you please tell me which problems still persist now?
How is the computer running?

regards,
deeprybka

#15 Lost in NY

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC
  • Local time:05:52 AM

Posted 17 January 2015 - 04:44 PM

I removed Java 7 Update 67 via Add/Remove Programs. Then I downloaded HitmanPro 32-bit and disabled SEP.

I ran the one-time scan and it flagged the FSS and FRST exe files as suspicious :) but aside from that it only flagged some cookies and some Ask components that were still there.

However, I did not let it delete anything per your instructions, just saved the log. I did re-enable SEP afterwards.

Here is the log:

HitmanPro 3.7.9.234
www.hitmanpro.com
   Computer name . . . . : ABIGAIL
   Windows . . . . . . . : 5.1.3.2600.X86/2
   User name . . . . . . : ABIGAIL\Telis
   License . . . . . . . : Free
   Scan date . . . . . . : 2015-01-17 16:31:45
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 33s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 24
   Objects scanned . . . : 546,795
   Files scanned . . . . : 9,416
   Remnants scanned  . . : 119,250 files / 418,129 keys
Suspicious files ____________________________________________________________
   C:\Documents and Settings\Telis\Desktop\FRST.exe
      Size . . . . . . . : 1,117,696 bytes
      Age  . . . . . . . : 0.4 days (2015-01-17 07:24:40)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 1744792230793A282DF76927EDC678EE127AE1F382E50B5736E35905FAE5E618
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Telis\Desktop\FRST.exe
   C:\Documents and Settings\Telis\Desktop\FSS.exe
      Size . . . . . . . : 415,232 bytes
      Age  . . . . . . . : 0.2 days (2015-01-17 12:05:52)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : CF5F35213C6434469F1B4F614A2366A2A88F3CBC7C9965A458F64545A76C5AC1
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Telis\Desktop\FSS.exe

Potential Unwanted Programs _________________________________________________
   C:\Documents and Settings\All Users\Application Data\APN\ (AskBar)
   C:\Documents and Settings\All Users\Application Data\Ask\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF\ (AskBar)
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E\ (AskBar)
   HKU\.DEFAULT\Software\AskPartnerNetwork\ (AskBar)
   HKU\S-1-5-18\Software\AskPartnerNetwork\ (AskBar)
Cookies _____________________________________________________________________
   C:\Documents and Settings\Telis\Cookies\HJHUSLD2.txt
   C:\Documents and Settings\Telis\Cookies\N3975GV6.txt
   C:\Documents and Settings\Telis\Cookies\UAJ5T90J.txt
   C:\Documents and Settings\Telis\Cookies\X1QMUBAZ.txt

 

I am not seeing any obvious problem at this time - SEP works, System Restore can be invoked, Windows Firewall is accessible, my chosen home page displays when I open the internet. Is there anything else that you think I should check now?

Thanks again