
Reinfected - Windows Firewall, SEP, System Restore Disabled


  • This topic is locked
29 replies to this topic

#1 Lost in NY

Lost in NY

  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC

Posted 03 February 2015 - 09:50 AM

Symptoms are almost the same as when this happened last month - please see this post for further details, but in brief, this is a standalone XP computer. Upon turning it on earlier today, Windows Firewall was turned off (I was able to enable it normally, unlike last time this happened). SEP was not visible in the tray; I updated the registry, taking the same action as last time, to remove the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\codeidentifiers. System Restore was disabled (and prior restore points were all gone), so I fixed this by removing the entries under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore.

 

I was able to run a scan with SEP but cannot update the anti-virus signature definitions - it runs, but the last update was January 5. Do I need to remove and reinstall?

 

I ran Malwarebytes successfully. 

 

I have also run an FRST scan.

 

Attached are the MBAM log and, from the FRST scan, FRST.txt and Addition.txt.

 

SEP found 'conhost.exe', a 'Trojan Gen 2', and quarantined it.

 

Hoping you can advise on next steps to remedy this situation.

 

Thank you!

 

Attached Files
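As an added example (not from this thread, and not FRST's own code): a triage script over the format of FRST's "Registry (Whitelisted)" autorun lines, the kind a helper reads first when a machine keeps getting reinfected. The sample lines are constructed to mirror the entries in the FRST.txt posted in this thread, including the unsigned, GUID-named executable under All Users\Application Data that is registered both in HKLM\...\Run and in Policies\Explorer\Run; the scoring weights and the threshold are my own assumptions, not a published rule set.

```python
import re
from datetime import date, timedelta

# Constructed sample in the shape of FRST's "Registry (Whitelisted)" autorun lines,
# modelled on the entries in the FRST.txt posted in this thread (paths, sizes and
# dates copied from it; the Winlogon line is included to show it is ignored).
SAMPLE_FRST = r"""
HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2011-08-09] (Symantec Corporation)
HKLM\...\Run: [{9d78bb1d-25b9-1691-667e-d58c0c12be96}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe [305208 2015-02-02] ()
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer\Run: [{9d78bb1d-25b9-1691-667e-d58c0c12be96}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe [305208 2015-02-02] ( ())
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-07-09] (Garmin Ltd or its subsidiaries)
"""
SCAN_DATE = date(2015, 2, 3)  # date of the scan posted in the thread

# One autorun line:  <hive>\...\<key>: [<value name>] => <path> [<size> <YYYY-MM-DD>] (<publisher>)
AUTORUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] => (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>.*)\)$"
)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Writable data directories that legitimate autoruns rarely execute from (XP and later names).
USER_WRITABLE = ("\\application data\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_autoruns(log_text):
    """Return one dict per parseable Run/Policies autorun line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        # FRST prints "()" or "( ())" when the file carries no company name at all.
        e["publisher"] = e["publisher"].strip(" ()")
        e["size"] = int(e["size"])
        e["date"] = date.fromisoformat(e["date"])
        entries.append(e)
    return entries


def score_entry(e, scan_date, recent_days=7):
    """Heuristic suspicion score (one point per reason) plus the reasons themselves."""
    reasons = []
    stem = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if GUID_RE.match(e["name"]):
        reasons.append("GUID-named autorun value")
    if GUID_RE.match(stem):
        reasons.append("GUID-named executable")
    if not e["publisher"]:
        reasons.append("no publisher (unsigned or stripped version info)")
    if any(tok in e["path"].lower() for tok in USER_WRITABLE):
        reasons.append("runs from a user-writable data directory")
    if "policies\\explorer\\run" in e["key"].lower():
        reasons.append("Policies\\Explorer\\Run autostart, rarely used by legitimate software")
    if scan_date - e["date"] <= timedelta(days=recent_days):
        reasons.append("file timestamp within %d days of the scan" % recent_days)
    return len(reasons), reasons


def triage(log_text, scan_date, threshold=3):
    """Parse, score and correlate autoruns; return findings at or above the threshold."""
    entries = parse_autoruns(log_text)
    by_path = {}
    for e in entries:
        by_path.setdefault(e["path"].lower(), []).append(e)
    findings = []
    for e in entries:
        score, reasons = score_entry(e, scan_date)
        siblings = by_path[e["path"].lower()]
        if len(siblings) > 1:  # the same file persisting from several locations
            score += 1
            reasons.append("same file registered in %d autorun locations" % len(siblings))
        if score >= threshold:
            findings.append({"key": e["key"], "name": e["name"], "path": e["path"],
                             "score": score, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST, SCAN_DATE):
        print("[%d] %s -> %s" % (f["score"], f["key"], f["path"]))
        for r in f["reasons"]:
            print("      - " + r)
```

Run it against a full FRST.txt by reading the file into `triage`; lines from other sections simply do not match the pattern.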




#2 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,013 posts
  • Gender:Male
  • Location:Germany

Posted 03 February 2015 - 11:23 AM

Hey, :)

Can you please post all logs directly into the thread? I cannot open attachments on my system.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#3 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC

Posted 03 February 2015 - 12:07 PM

Apologies - here is the text below.

 

MBAM log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/3/2015
Scan Time: 9:01:40 AM
Logfile: 3 feb mbam log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.03.05
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Telis

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 311629
Time Elapsed: 32 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [8e8321f918727fb7097e8279f60c38c8],
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [8e8321f918727fb7097e8279f60c38c8],

Registry Values: 3
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{4F524A2D-5350-4500-76A7-7A786E7484D7}, 䨭ä½?åä??ê¶ç¡ºç?®í??, No Action By User, [8e8321f918727fb7097e8279f60c38c8]
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [a96871a9d1b957df8ef9689316ec7b85],
Trojan.Agent, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER|zergling_rush, Quarantined, [f51ca87256348caa2b9c8ff522e1f907],

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-02-2015
Ran by Telis (administrator) on ABIGAIL on 03-02-2015 05:44:43
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Creative Technology Ltd) C:\WINDOWS\system32\CtHelper.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2011-08-09] (Symantec Corporation)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [CTHelper] => C:\WINDOWS\system32\CTHELPER.EXE [19456 2009-06-23] (Creative Technology Ltd)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [{9d78bb1d-25b9-1691-667e-d58c0c12be96}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe [305208 2015-02-02] ()
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer\Run: [{9d78bb1d-25b9-1691-667e-d58c0c12be96}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe [305208 2015-02-02] ( ())
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [CreativeTaskScheduler] => C:\Program Files\Creative\Shared Files\CTSched.exe [53341 2006-11-17] (Creative Technology Ltd)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-07-09] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\MountPoints2: {b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} - J:\Setup.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?lat=40.569439931508725&lon=-74.11710937099985&site=all&smap=1
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} -  No File
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5350-4500-76A7-7A786E7484D7} -  No File
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://arkadin.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1454471165-220523388-1417001333-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Telis\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-17]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Documents and Settings\Telis\Local Settings\Application Data\APN\GoogleCRXs\apnorjtoolbar.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-04-07] (Creative Labs) [File not signed]
S2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-14] (Creative Technology Ltd) [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [219480 2013-07-09] (Garmin Ltd or its subsidiaries)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-02-07] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1897960 2011-08-09] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2011-08-09] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2011-08-09] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2011-08-09] (Symantec Corporation)
S3 COMMONFX; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
R3 COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
S3 CTAUDFX; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
R3 CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
S3 ctdvda2k; C:\WINDOWS\System32\drivers\ctdvda2k.sys [347080 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTSBLFX; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R3 CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-11-25] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-11-25] (Symantec Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [798744 2009-06-23] (Creative Technology Ltd)
S3 hap16v2k; C:\WINDOWS\System32\drivers\hap16v2k.sys [162840 2009-06-23] (Creative Technology Ltd)
R3 hap17v2k; C:\WINDOWS\System32\drivers\hap17v2k.sys [189464 2009-06-23] (Creative Technology Ltd)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVENG.SYS [95704 2014-08-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVEX15.SYS [1636696 2014-08-11] (Symantec Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-08-09] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2011-08-09] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2011-08-09] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2011-08-09] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-04-06] (Symantec Corporation)
R3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2011-08-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2011-08-09] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99744 2011-08-09] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2011-08-09] (Symantec Corporation)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [43936 2011-08-09] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2012-09-30] (Symantec Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-03 05:44 - 2015-02-03 05:45 - 00014842 _____ () C:\Documents and Settings\Telis\Desktop\FRST.txt
2015-02-03 05:42 - 2015-02-03 05:42 - 00000000 ____D () C:\Documents and Settings\Telis\Desktop\mbar
2015-02-03 04:47 - 2015-02-03 05:44 - 00000000 ____D () C:\FRST
2015-02-03 04:46 - 2015-02-03 04:46 - 01122304 _____ (Farbar) C:\Documents and Settings\Telis\Desktop\FRST.exe
2015-02-03 03:40 - 2015-02-03 03:40 - 00002891 _____ () C:\Documents and Settings\Telis\Desktop\3-feb mbam log.xml
2015-02-02 20:51 - 2015-02-02 20:51 - 00000664 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\d3d9caps.tmp
2015-01-22 07:17 - 2015-01-22 07:17 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-17 18:30 - 2015-01-17 18:31 - 00000998 _____ () C:\DelFix.txt
2015-01-17 18:30 - 2015-01-17 18:30 - 00000000 ____D () C:\WINDOWS\ERUNT
2015-01-17 16:31 - 2015-01-17 16:37 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2015-01-17 08:52 - 2015-01-17 09:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-01-17 08:50 - 2015-01-17 08:50 - 16448208 _____ (Malwarebytes Corp.) C:\Documents and Settings\Telis\Desktop\mbar-1.08.2.1001.exe
2015-01-15 09:32 - 2015-01-15 09:32 - 00000000 ____D () C:\~ErdUserProfile.$$$
2015-01-15 05:23 - 2015-01-15 05:23 - 00000000 ____D () C:\WINDOWS\pss
2015-01-14 03:54 - 2015-01-14 03:54 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-03 05:46 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis\Local Settings\Temp
2015-02-03 05:45 - 2012-07-12 22:38 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-02-03 05:26 - 2012-08-08 16:08 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-03 05:01 - 2012-04-06 17:35 - 01703528 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-03 04:58 - 2012-04-06 17:33 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-02-03 04:30 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-03 04:29 - 2012-04-06 18:35 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2015-02-03 04:29 - 2012-04-06 17:39 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-03 04:27 - 2012-12-15 13:29 - 00281762 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-02-03 04:27 - 2012-04-07 04:24 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.BAK
2015-02-03 04:27 - 2012-04-07 04:21 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.CDF
2015-02-03 04:27 - 2012-04-06 17:41 - 00000178 ___SH () C:\Documents and Settings\Telis\ntuser.ini
2015-02-03 04:27 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis
2015-02-03 04:27 - 2012-04-06 17:39 - 00032460 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-03 03:00 - 2014-07-30 06:39 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-02 23:31 - 2012-12-15 13:29 - 02506010 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1454471165-220523388-1417001333-1003-0.dat
2015-02-02 19:13 - 2012-04-07 16:18 - 00000372 _____ () C:\Documents and Settings\Telis\My Documents\spider.sav
2015-01-31 05:38 - 2014-08-07 13:24 - 00000000 ____D () C:\Program Files\Java
2015-01-25 06:43 - 2012-04-06 18:05 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-25 06:43 - 2012-04-06 18:05 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-22 07:18 - 2014-10-16 13:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-22 07:16 - 2014-08-07 13:25 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-01-22 07:16 - 2014-08-07 13:24 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-01-18 14:27 - 2012-04-07 03:36 - 00065536 _____ () C:\WINDOWS\system32\config\OAlerts.evt
2015-01-17 13:36 - 2012-04-06 13:20 - 00563934 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-17 08:51 - 2014-07-30 06:38 - 00055000 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-15 09:12 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\security
2015-01-15 06:34 - 2013-11-14 03:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-01-14 03:08 - 2013-08-14 19:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:00 - 2012-04-06 18:20 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-10 23:26 - 2014-10-13 03:17 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-08 15:00 - 2014-03-28 16:08 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

==================== Files in the root of some directories =======

2015-02-02 20:51 - 2015-02-02 20:51 - 0000664 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\d3d9caps.tmp

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Addition.txt

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 01-02-2015
Ran by Telis at 2015-02-03 05:47:06
Running from C:\Documents and Settings\Telis\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.296 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
American Conquest - Divided Nation (HKLM\...\American Conquest - Divided Nation) (Version:  - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.223-060207a3-031279C-HP - )
Battlestations: Midway (HKLM\...\{6BC0CDD6-E0C2-434D-9365-23E79E42DA95}) (Version: 1.00.0000 - EIDOS)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Citrix online plug-in - web (HKLM\...\CitrixOnlinePluginPackWeb) (Version: 12.1.44.1 - Citrix Systems, Inc.)
Creative Audio Console (HKLM\...\AudioCS) (Version: 1.32 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Elevated Installer (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Communicator Plugin (HKLM\...\{13F054F3-0B07-4D15-9E80-C55B496AB557}) (Version: 4.0.3 - Garmin Ltd or its subsidiaries)
Garmin Express (HKLM\...\{090dbdaf-9c21-4003-9544-3a57184fff74}) (Version: 2.2.16 - Garmin Ltd or its subsidiaries)
Garmin Express (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Update Service (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
GoToMeeting 6.0.0.1259 (HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\GoToMeeting) (Version: 6.0.0.1259 - CitrixOnline)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.102 - Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.130.10 - McAfee, Inc.)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
OverDrive Media Console (HKLM\...\{D07205E7-F6D3-4333-AFCC-782A07685B72}) (Version: 3.2.20 - OverDrive, Inc.)
PGIII Scorched Earth (HKLM\...\PGIII Scorched Earth) (Version:  - )
Samsung_MonSetup (HKLM\...\{8EA79DBF-D637-448A-89D6-410A087A4493}) (Version: 1.00.0000 - Samsung)
ScottradeELITE 2013 (HKLM\...\{10F03169-B313-4758-A0A2-E3A5CF2AB039}) (Version: 5.0.13.0 - Scottrader)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Symantec Endpoint Protection (HKLM\...\{5E2E4797-502A-4FFD-81EC-F9BA8BF0C581}) (Version: 11.0.7000.975 - Symantec Corporation)
Update 4.0.3 for Microsoft .NET Framework 4 Client Profile (KB2600211) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600211) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1454471165-220523388-1417001333-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1259\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points  =========================

03-02-2015 04:58:48 System Checkpoint
03-02-2015 05:04:45 Restore Point Created by FRST

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 07:00 - 2008-04-14 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-1454471165-220523388-1417001333-500 - Administrator - Enabled)
Guest (S-1-5-21-1454471165-220523388-1417001333-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1454471165-220523388-1417001333-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1454471165-220523388-1417001333-1002 - Limited - Disabled)
Telis (S-1-5-21-1454471165-220523388-1417001333-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Telis

==================== Faulty Device Manager Devices =============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/03/2015 05:34:00 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Start Menu\Programs\Startup\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:33:21 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Local Settings\Temp\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:11:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 1.2.2015.0, faulting module frst.exe, version 1.2.2015.0, fault address 0x0001f09e.
Processing media-specific event for [frst.exe!ws!]

Error: (01/30/2015 08:59:10 PM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Suspicious.AD in File: C:\Documents and Settings\Telis\Local Settings\Temp\urepair.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (01/28/2015 09:25:55 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application Scottrader.exe, version 4.3.153.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/23/2015 03:44:08 AM) (Source: MsiInstaller) (EventID: 10005) (User: ABIGAIL)
Description: Product: Search App by Ask -- Error 25001. The following applications must be closed before continuing the uninstall:

Internet Explorer

Error: (01/21/2015 07:48:34 PM) (Source: SescLU) (EventID: 13) (User: )
Description: LiveUpdate returned a non-critical error.  Available content updates may have failed to install.

Error: (01/17/2015 07:49:26 AM) (Source: MsiInstaller) (EventID: 10005) (User: ABIGAIL)
Description: Product: Search App by Ask -- Error 25001. The following applications must be closed before continuing the uninstall:

Internet Explorer

System errors:
=============
Error: (02/03/2015 05:04:47 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The LiveUpdate service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/03/2015 05:04:34 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 4.0.0.0 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (02/03/2015 05:04:34 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Garmin Core Update Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (02/03/2015 05:04:34 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Symantec Endpoint Protection service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (02/03/2015 05:04:34 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Creative Audio Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/03/2015 05:04:31 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (02/03/2015 05:04:31 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Symantec Settings Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.

Error: (02/03/2015 05:04:31 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Symantec Event Manager service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 200 milliseconds: Restart the service.

Error: (02/03/2015 05:04:31 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Symantec Management Client service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.

Error: (02/03/2015 05:04:31 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Ati HotKey Poller service terminated unexpectedly.  It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (02/03/2015 05:34:00 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Start Menu\Programs\Startup\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:33:21 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Local Settings\Temp\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:11:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe1.2.2015.0frst.exe1.2.2015.00001f09e

Error: (01/30/2015 08:59:10 PM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Suspicious.AD in File: C:\Documents and Settings\Telis\Local Settings\Temp\urepair.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (01/28/2015 09:25:55 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Scottrader.exe4.3.153.0hungapp0.0.0.000000000

Error: (01/23/2015 03:44:08 AM) (Source: MsiInstaller) (EventID: 10005) (User: ABIGAIL)
Description: Product: Search App by Ask -- Error 25001. The following applications must be closed before continuing the uninstall:

Internet Explorer (NULL)(NULL)(NULL)

Error: (01/21/2015 07:48:34 PM) (Source: SescLU) (EventID: 13) (User: )
Description: LiveUpdate returned a non-critical error.  Available content updates may have failed to install.

Error: (01/17/2015 07:49:26 AM) (Source: MsiInstaller) (EventID: 10005) (User: ABIGAIL)
Description: Product: Search App by Ask -- Error 25001. The following applications must be closed before continuing the uninstall:

Internet Explorer (NULL)(NULL)(NULL)

==================== Memory info ===========================

Processor:  Intel® Pentium® D CPU 2.66GHz
Percentage of memory in use: 51%
Total physical RAM: 1983.36 MB
Available physical RAM: 959.46 MB
Total Pagefile: 3876.77 MB
Available Pagefile: 3202.76 MB
Total Virtual: 2047.88 MB
Available Virtual: 1941.96 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:141.23 GB) (Free:107.57 GB) NTFS
Drive h: (HP_RECOVERY) (Fixed) (Total:7.79 GB) (Free:0.37 GB) FAT32 ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: CAB10BEE)
Partition 1: (Not Active) - (Size=141.2 GB) - (Type=OF Extended)
Partition 2: (Active) - (Size=7.8 GB) - (Type=0C)

==================== End Of Log ============================



#4 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 4,013 posts
  • Gender:Male
  • Location:Germany

Posted 03 February 2015 - 02:54 PM

Hey, :)

Step 1: Adwarecleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, then just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated, select Settings > Detection and Protection.
Tick Scan for rootkits.

Go back to the Dashboard and select Scan Now

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

On completion of the scan (or after the reboot), select View Detailed Log.
Select Export > Select text file and save it to the desktop.
Post that log.

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4: FRST Scan
  • Run FRST. (If you have Windows Vista / Windows 7 / Windows 8, please right-click the FRST icon and select Run as Administrator.)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#5 Lost in NY

  • Topic Starter
  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC

Posted 03 February 2015 - 05:38 PM

Thanks - I have run the tools and here are the logs:

adware:

# AdwCleaner v4.109 - Report created 03/02/2015 at 15:40:37
# Updated 24/01/2015 by Xplode
# Database : 2015-01-24.3 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Telis - ABIGAIL
# Running from : C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\apn
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Ask

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Activities\Search\ask.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D8278076-BC68-4484-9233-6E7F1628B56C}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D8278076-BC68-4484-9233-6E7F1628B56C}]
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

*************************

AdwCleaner[R0].txt - [3011 octets] - [03/02/2015 15:34:00]
AdwCleaner[S0].txt - [2970 octets] - [03/02/2015 15:40:37]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3030 octets] ##########

mbam:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/3/2015
Scan Time: 3:48:10 PM
Logfile: mbam log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.03.07
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Telis

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 301054
Time Elapsed: 54 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [0f039f7bc2c8270f1fb614e709f914ec],
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [0f039f7bc2c8270f1fb614e709f914ec],

Registry Values: 2
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{4F524A2D-5350-4500-76A7-7A786E7484D7}, 䨭ä½?åä??ê¶ç¡ºç?®í??, No Action By User, [0f039f7bc2c8270f1fb614e709f914ec]
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [c74b55c5107ac27429ac56a552b0db25],

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Microsoft Windows XP x86
Ran by Telis on Tue 02/03/2015 at 16:45:16.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/03/2015 at 16:49:32.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-02-2015
Ran by Telis (administrator) on ABIGAIL on 03-02-2015 16:52:17
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CtHelper.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTSched.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Express Tray\ExpressTray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Microsoft Corporation) C:\WINDOWS\system32\sol.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2011-08-09] (Symantec Corporation)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [CTHelper] => C:\WINDOWS\system32\CTHELPER.EXE [19456 2009-06-23] (Creative Technology Ltd)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [{9d78bb1d-25b9-1691-667e-d58c0c12be96}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe [305208 2015-02-02] ()
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer\Run: [{9d78bb1d-25b9-1691-667e-d58c0c12be96}] => C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe [305208 2015-02-02] ( ())
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [CreativeTaskScheduler] => C:\Program Files\Creative\Shared Files\CTSched.exe [53341 2006-11-17] (Creative Technology Ltd)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-07-09] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\MountPoints2: {b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} - J:\Setup.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?lat=40.569439931508725&lon=-74.11710937099985&site=all&smap=1
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5350-4500-76A7-7A786E7484D7} -  No File
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://arkadin.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1454471165-220523388-1417001333-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Telis\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-17]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Documents and Settings\Telis\Local Settings\Application Data\APN\GoogleCRXs\apnorjtoolbar.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-04-07] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-14] (Creative Technology Ltd) [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [219480 2013-07-09] (Garmin Ltd or its subsidiaries)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-02-07] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1897960 2011-08-09] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2011-08-09] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2011-08-09] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2011-08-09] (Symantec Corporation)
S3 COMMONFX; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
R3 COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
S3 CTAUDFX; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
R3 CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
S3 ctdvda2k; C:\WINDOWS\System32\drivers\ctdvda2k.sys [347080 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTSBLFX; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R3 CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-11-25] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-11-25] (Symantec Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [798744 2009-06-23] (Creative Technology Ltd)
S3 hap16v2k; C:\WINDOWS\System32\drivers\hap16v2k.sys [162840 2009-06-23] (Creative Technology Ltd)
R3 hap17v2k; C:\WINDOWS\System32\drivers\hap17v2k.sys [189464 2009-06-23] (Creative Technology Ltd)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVENG.SYS [95704 2014-08-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVEX15.SYS [1636696 2014-08-11] (Symantec Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-08-09] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2011-08-09] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2011-08-09] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2011-08-09] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2012-04-06] (Symantec Corporation)
R3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2011-08-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2011-08-09] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99744 2011-08-09] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2011-08-09] (Symantec Corporation)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [43936 2011-08-09] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2012-09-30] (Symantec Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-03 16:52 - 2015-02-03 16:53 - 00015697 _____ () C:\Documents and Settings\Telis\Desktop\FRST.txt
2015-02-03 16:49 - 2015-02-03 16:49 - 00000589 _____ () C:\Documents and Settings\Telis\Desktop\JRT.txt
2015-02-03 15:43 - 2015-02-03 15:43 - 00003110 _____ () C:\Documents and Settings\Telis\Desktop\AdwCleaner[S0].txt
2015-02-03 15:33 - 2015-02-03 15:40 - 00000000 ____D () C:\AdwCleaner
2015-02-03 15:28 - 2015-02-03 15:28 - 01388274 _____ (Thisisu) C:\Documents and Settings\Telis\Desktop\JRT.exe
2015-02-03 15:27 - 2015-02-03 15:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Telis\Desktop\mbam-setup-2.0.4.1028.exe
2015-02-03 15:26 - 2015-02-03 15:26 - 02194432 _____ () C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe
2015-02-03 05:42 - 2015-02-03 05:42 - 00000000 ____D () C:\Documents and Settings\Telis\Desktop\mbar
2015-02-03 04:47 - 2015-02-03 16:52 - 00000000 ____D () C:\FRST
2015-02-03 04:46 - 2015-02-03 04:46 - 01122304 _____ (Farbar) C:\Documents and Settings\Telis\Desktop\FRST.exe
2015-01-22 07:17 - 2015-01-22 07:17 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-17 18:30 - 2015-01-17 18:31 - 00000998 _____ () C:\DelFix.txt
2015-01-17 18:30 - 2015-01-17 18:30 - 00000000 ____D () C:\WINDOWS\ERUNT
2015-01-17 16:31 - 2015-01-17 16:37 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2015-01-17 08:52 - 2015-01-17 09:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-01-17 08:50 - 2015-01-17 08:50 - 16448208 _____ (Malwarebytes Corp.) C:\Documents and Settings\Telis\Desktop\mbar-1.08.2.1001.exe
2015-01-15 09:32 - 2015-01-15 09:32 - 00000000 ____D () C:\~ErdUserProfile.$$$
2015-01-15 05:23 - 2015-01-15 05:23 - 00000000 ____D () C:\WINDOWS\pss
2015-01-14 03:54 - 2015-01-14 03:54 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-03 16:53 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis\Local Settings\Temp
2015-02-03 16:49 - 2012-07-12 22:38 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-02-03 16:26 - 2012-08-08 16:08 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-03 15:48 - 2014-07-30 06:39 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-03 15:45 - 2012-04-06 17:35 - 01715218 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-03 15:43 - 2012-04-06 18:35 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2015-02-03 15:43 - 2012-04-06 17:39 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-03 15:43 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-03 15:41 - 2012-12-15 13:29 - 00281762 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-02-03 15:41 - 2012-04-06 17:41 - 00000178 ___SH () C:\Documents and Settings\Telis\ntuser.ini
2015-02-03 15:41 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis
2015-02-03 15:41 - 2012-04-06 17:39 - 00032460 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-03 04:58 - 2012-04-06 17:33 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-02-03 04:27 - 2012-04-07 04:24 - 04931933 ____N () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.BAK
2015-02-03 04:27 - 2012-04-07 04:21 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.CDF
2015-02-02 23:31 - 2012-12-15 13:29 - 02506010 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1454471165-220523388-1417001333-1003-0.dat
2015-02-02 19:13 - 2012-04-07 16:18 - 00000372 _____ () C:\Documents and Settings\Telis\My Documents\spider.sav
2015-01-31 05:38 - 2014-08-07 13:24 - 00000000 ____D () C:\Program Files\Java
2015-01-25 06:43 - 2012-04-06 18:05 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-25 06:43 - 2012-04-06 18:05 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-22 07:18 - 2014-10-16 13:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-22 07:16 - 2014-08-07 13:25 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-01-22 07:16 - 2014-08-07 13:24 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-01-18 14:27 - 2012-04-07 03:36 - 00065536 _____ () C:\WINDOWS\system32\config\OAlerts.evt
2015-01-17 13:36 - 2012-04-06 13:20 - 00563934 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-17 08:51 - 2014-07-30 06:38 - 00055000 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-15 09:12 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\security
2015-01-15 06:34 - 2013-11-14 03:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-01-14 03:08 - 2013-08-14 19:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:00 - 2012-04-06 18:20 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-10 23:26 - 2014-10-13 03:17 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-08 15:00 - 2014-03-28 16:08 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

Some content of TEMP:
====================
C:\Documents and Settings\Telis\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Telis\Local Settings\Temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Thank you.



#6 Lost in NY (Topic Starter)

Posted 04 February 2015 - 03:09 AM

I want to mention that I still am not able to update the definitions for SEP 11, but now it finally shows the warning that the defs are out of date and displays the 'fix' option. However, when I click that to download updated defs, it doesn't download anything new.

 

Thanks,

Abigail



#7 Machiavelli (Malware Response Instructor)

Posted 04 February 2015 - 10:40 AM

Hey, :)

PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [0f039f7bc2c8270f1fb614e709f914ec],
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [0f039f7bc2c8270f1fb614e709f914ec],
Registry Values: 2
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{4F524A2D-5350-4500-76A7-7A786E7484D7}, 䨭ä½?åä??ê¶ç¡ºç?®í??, No Action By User, [0f039f7bc2c8270f1fb614e709f914ec]
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{4F524A2D-5350-4500-76A7-7A786E7484D7}, No Action By User, [c74b55c5107ac27429ac56a552b0db25],

Could you please move the items shown above into quarantine?

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#8 Lost in NY (Topic Starter)

Posted 04 February 2015 - 12:38 PM

Sorry, I thought I had done that. I will check from MBAM and make sure to do so; I am at work now, so not for several hours though.



#9 Lost in NY (Topic Starter)

Posted 05 February 2015 - 03:52 AM

I ran MBAM again and found 2 trojans as well as the entries you mentioned. I quarantined all of them. Here is the log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/5/2015
Scan Time: 3:07:38 AM
Logfile: 5 Feb mbam log.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.05.04
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Telis

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 301253
Time Elapsed: 29 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, Quarantined, [e13174a6236775c1a3c90af3f40e09f7],
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{4F524A2D-5350-4500-76A7-7A786E7484D7}, Quarantined, [e13174a6236775c1a3c90af3f40e09f7],

Registry Values: 4
Trojan.Kovter.CR, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|{9d78bb1d-25b9-1691-667e-d58c0c12be96}, "C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe", Quarantined, [53bfd446117947ef95ca8e8c45bdae52]
Trojan.Kovter.CR, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|{9d78bb1d-25b9-1691-667e-d58c0c12be96}, "C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe", Quarantined, [53bfd446117947ef95ca8e8c45bdae52]
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{4F524A2D-5350-4500-76A7-7A786E7484D7}, 䨭ä½?åä??ê¶ç¡ºç?®í??, Quarantined, [e13174a6236775c1a3c90af3f40e09f7]
PUP.Optional.Ask.A, HKU\S-1-5-21-1454471165-220523388-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{4F524A2D-5350-4500-76A7-7A786E7484D7}, Quarantined, [48ca52c8305ab1858fddac5151b1639d],

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.Kovter.CR, C:\Documents and Settings\All Users\Application Data\Microsoft\{9d78bb1d-25b9-1691-667e-d58c0c12be96}\{9d78bb1d-25b9-1691-667e-d58c0c12be96}.exe, Delete-on-Reboot, [53bfd446117947ef95ca8e8c45bdae52],
Trojan.Agent, C:\Documents and Settings\Telis\Local Settings\Temp\Quarantine.exe, Quarantined, [3bd7e3370b7f59dd76ab1a01dc2645bb],

Physical Sectors: 0
(No malicious items detected)

(end)

 

Thanks,

Abigail



#10 Machiavelli (Malware Response Instructor)

Posted 05 February 2015 - 11:26 AM

Well done! :)
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli



#11 Lost in NY (Topic Starter)

Posted 05 February 2015 - 04:54 PM

Please see logs below:

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
Ran by Telis (administrator) on ABIGAIL on 05-02-2015 16:46:24
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CtHelper.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTSched.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Express Tray\ExpressTray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2011-08-09] (Symantec Corporation)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [CTHelper] => C:\WINDOWS\system32\CTHELPER.EXE [19456 2009-06-23] (Creative Technology Ltd)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [CreativeTaskScheduler] => C:\Program Files\Creative\Shared Files\CTSched.exe [53341 2006-11-17] (Creative Technology Ltd)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-07-09] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\MountPoints2: {b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} - J:\Setup.exe
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?lat=40.569439931508725&lon=-74.11710937099985&site=all&smap=1
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://arkadin.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1454471165-220523388-1417001333-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Telis\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-17]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Documents and Settings\Telis\Local Settings\Application Data\APN\GoogleCRXs\apnorjtoolbar.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-04-07] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-14] (Creative Technology Ltd) [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [219480 2013-07-09] (Garmin Ltd or its subsidiaries)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-02-07] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1897960 2011-08-09] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2011-08-09] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2011-08-09] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2011-08-09] (Symantec Corporation)
S3 COMMONFX; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
R3 COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
S3 CTAUDFX; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
R3 CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
S3 ctdvda2k; C:\WINDOWS\System32\drivers\ctdvda2k.sys [347080 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTSBLFX; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R3 CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-11-25] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-11-25] (Symantec Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [798744 2009-06-23] (Creative Technology Ltd)
S3 hap16v2k; C:\WINDOWS\System32\drivers\hap16v2k.sys [162840 2009-06-23] (Creative Technology Ltd)
R3 hap17v2k; C:\WINDOWS\System32\drivers\hap17v2k.sys [189464 2009-06-23] (Creative Technology Ltd)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVENG.SYS [95704 2014-08-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVEX15.SYS [1636696 2014-08-11] (Symantec Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-08-09] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2011-08-09] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2011-08-09] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2011-08-09] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2015-02-04] (Symantec Corporation)
R3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2011-08-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2011-08-09] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99744 2011-08-09] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2011-08-09] (Symantec Corporation)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [43936 2011-08-09] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2012-09-30] (Symantec Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 16:46 - 2015-02-05 16:46 - 00015160 _____ () C:\Documents and Settings\Telis\Desktop\FRST.txt
2015-02-05 16:46 - 2015-02-05 16:46 - 00000000 ____D () C:\Documents and Settings\Telis\Desktop\FRST-OlderVersion
2015-02-05 03:26 - 2015-02-05 03:26 - 04437680 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2015-02-04 11:41 - 2015-02-04 11:41 - 00000664 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\d3d9caps.tmp
2015-02-03 16:49 - 2015-02-03 16:49 - 00000589 _____ () C:\Documents and Settings\Telis\Desktop\JRT.txt
2015-02-03 15:43 - 2015-02-03 15:43 - 00003110 _____ () C:\Documents and Settings\Telis\Desktop\AdwCleaner[S0].txt
2015-02-03 15:33 - 2015-02-03 15:40 - 00000000 ____D () C:\AdwCleaner
2015-02-03 15:28 - 2015-02-03 15:28 - 01388274 _____ (Thisisu) C:\Documents and Settings\Telis\Desktop\JRT.exe
2015-02-03 15:27 - 2015-02-03 15:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Telis\Desktop\mbam-setup-2.0.4.1028.exe
2015-02-03 15:26 - 2015-02-03 15:26 - 02194432 _____ () C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe
2015-02-03 05:42 - 2015-02-03 05:42 - 00000000 ____D () C:\Documents and Settings\Telis\Desktop\mbar
2015-02-03 04:47 - 2015-02-05 16:46 - 00000000 ____D () C:\FRST
2015-02-03 04:46 - 2015-02-05 16:46 - 01123328 _____ (Farbar) C:\Documents and Settings\Telis\Desktop\FRST.exe
2015-01-22 07:17 - 2015-01-22 07:17 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-17 18:30 - 2015-01-17 18:31 - 00000998 _____ () C:\DelFix.txt
2015-01-17 18:30 - 2015-01-17 18:30 - 00000000 ____D () C:\WINDOWS\ERUNT
2015-01-17 16:31 - 2015-01-17 16:37 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2015-01-17 08:52 - 2015-01-17 09:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-01-17 08:50 - 2015-01-17 08:50 - 16448208 _____ (Malwarebytes Corp.) C:\Documents and Settings\Telis\Desktop\mbar-1.08.2.1001.exe
2015-01-15 09:32 - 2015-01-15 09:32 - 00000000 ____D () C:\~ErdUserProfile.$$$
2015-01-15 05:23 - 2015-01-15 05:23 - 00000000 ____D () C:\WINDOWS\pss
2015-01-14 03:54 - 2015-01-14 03:54 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 16:46 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis\Local Settings\Temp
2015-02-05 16:42 - 2012-04-06 17:35 - 01769162 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-05 16:41 - 2012-04-06 18:35 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2015-02-05 16:41 - 2012-04-06 17:39 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-05 16:41 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-05 14:54 - 2012-12-15 13:29 - 00281762 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-02-05 14:54 - 2012-04-06 17:41 - 00000178 ___SH () C:\Documents and Settings\Telis\ntuser.ini
2015-02-05 14:54 - 2012-04-06 17:39 - 00032558 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-05 14:53 - 2012-04-07 04:24 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.BAK
2015-02-05 14:53 - 2012-04-07 04:21 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.CDF
2015-02-05 14:26 - 2012-08-08 16:08 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-05 03:54 - 2012-04-06 17:56 - 00069592 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-02-05 03:50 - 2014-07-30 06:39 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-05 03:38 - 2012-04-06 18:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2647518$
2015-02-05 03:38 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis
2015-02-05 03:37 - 2012-07-12 22:38 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-02-05 03:26 - 2012-04-06 18:05 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-02-05 03:26 - 2012-04-06 18:05 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-02-04 03:56 - 2012-04-06 17:53 - 00126584 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2015-02-04 03:56 - 2012-04-06 17:53 - 00060872 _____ (Symantec Corporation) C:\WINDOWS\system32\S32EVNT1.DLL
2015-02-04 03:56 - 2012-04-06 17:53 - 00007468 _____ () C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2015-02-04 03:56 - 2012-04-06 17:52 - 00000000 ____D () C:\Program Files\Symantec
2015-02-04 03:56 - 2012-04-06 17:52 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection
2015-02-03 17:39 - 2012-12-15 13:29 - 02506010 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1454471165-220523388-1417001333-1003-0.dat
2015-02-03 04:58 - 2012-04-06 17:33 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-02-02 19:13 - 2012-04-07 16:18 - 00000372 _____ () C:\Documents and Settings\Telis\My Documents\spider.sav
2015-01-31 05:38 - 2014-08-07 13:24 - 00000000 ____D () C:\Program Files\Java
2015-01-22 07:18 - 2014-10-16 13:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-22 07:16 - 2014-08-07 13:25 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-01-22 07:16 - 2014-08-07 13:24 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-01-18 14:27 - 2012-04-07 03:36 - 00065536 _____ () C:\WINDOWS\system32\config\OAlerts.evt
2015-01-17 13:36 - 2012-04-06 13:20 - 00563934 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-17 08:51 - 2014-07-30 06:38 - 00055000 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-15 09:12 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\security
2015-01-15 06:34 - 2013-11-14 03:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-01-14 03:08 - 2013-08-14 19:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:00 - 2012-04-06 18:20 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-10 23:26 - 2014-10-13 03:17 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-08 15:00 - 2014-03-28 16:08 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

==================== Files in the root of some directories =======

2015-02-04 11:41 - 2015-02-04 11:41 - 0000664 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\d3d9caps.tmp

Some content of TEMP:
====================
C:\Documents and Settings\Telis\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Telis\Local Settings\Temp\urepair.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


Addition.txt:


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 05-02-2015
Ran by Telis at 2015-02-05 16:47:30
Running from C:\Documents and Settings\Telis\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Disabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
American Conquest - Divided Nation (HKLM\...\American Conquest - Divided Nation) (Version:  - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.223-060207a3-031279C-HP - )
Battlestations: Midway (HKLM\...\{6BC0CDD6-E0C2-434D-9365-23E79E42DA95}) (Version: 1.00.0000 - EIDOS)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
Citrix online plug-in - web (HKLM\...\CitrixOnlinePluginPackWeb) (Version: 12.1.44.1 - Citrix Systems, Inc.)
Creative Audio Console (HKLM\...\AudioCS) (Version: 1.32 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Elevated Installer (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Communicator Plugin (HKLM\...\{13F054F3-0B07-4D15-9E80-C55B496AB557}) (Version: 4.0.3 - Garmin Ltd or its subsidiaries)
Garmin Express (HKLM\...\{090dbdaf-9c21-4003-9544-3a57184fff74}) (Version: 2.2.16 - Garmin Ltd or its subsidiaries)
Garmin Express (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
Garmin Update Service (Version: 2.2.16 - Garmin Ltd or its subsidiaries) Hidden
GoToMeeting 6.0.0.1259 (HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\GoToMeeting) (Version: 6.0.0.1259 - CitrixOnline)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
LiveUpdate 3.3 (Symantec Corporation) (HKLM\...\LiveUpdate) (Version: 3.3.0.102 - Symantec Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.130.10 - McAfee, Inc.)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
OverDrive Media Console (HKLM\...\{D07205E7-F6D3-4333-AFCC-782A07685B72}) (Version: 3.2.20 - OverDrive, Inc.)
PGIII Scorched Earth (HKLM\...\PGIII Scorched Earth) (Version:  - )
Samsung_MonSetup (HKLM\...\{8EA79DBF-D637-448A-89D6-410A087A4493}) (Version: 1.00.0000 - Samsung)
ScottradeELITE 2013 (HKLM\...\{10F03169-B313-4758-A0A2-E3A5CF2AB039}) (Version: 5.0.13.0 - Scottrader)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Symantec Endpoint Protection (HKLM\...\{5E2E4797-502A-4FFD-81EC-F9BA8BF0C581}) (Version: 11.0.7000.975 - Symantec Corporation)
Update 4.0.3 for Microsoft .NET Framework 4 Client Profile (KB2600211) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600211) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1454471165-220523388-1417001333-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1259\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points  =========================

03-02-2015 04:58:48 System Checkpoint
03-02-2015 05:04:45 Restore Point Created by FRST
04-02-2015 10:53:17 System Checkpoint
05-02-2015 12:50:30 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 07:00 - 2008-04-14 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) ==============

2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccEvtMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSetMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antivirus => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Symantec Antvirus => ""="Service"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Registry Areas =====================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Telis\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== Accounts: =============================

Administrator (S-1-5-21-1454471165-220523388-1417001333-500 - Administrator - Enabled)
Guest (S-1-5-21-1454471165-220523388-1417001333-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1454471165-220523388-1417001333-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1454471165-220523388-1417001333-1002 - Limited - Disabled)
Telis (S-1-5-21-1454471165-220523388-1417001333-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Telis

==================== Faulty Device Manager Devices =============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/04/2015 04:57:18 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application SymCorpUI.exe, version 11.0.7000.52, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (02/04/2015 04:57:14 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
Event Info:  Resume Thread
Action Taken:  Logged
Actor Process:  C:\WINDOWS\system32\dumprep.exe (PID 4176)
Time:  Wednesday, February 04, 2015  4:57:14 AM

Error: (02/04/2015 04:57:13 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
Event Info:  Suspend Thread
Action Taken:  Logged
Actor Process:  C:\WINDOWS\system32\dumprep.exe (PID 4176)
Time:  Wednesday, February 04, 2015  4:57:12 AM

Error: (02/03/2015 03:40:46 PM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe (PID 5292)
Time:  Tuesday, February 03, 2015  3:40:46 PM

Error: (02/03/2015 03:40:46 PM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe (PID 5292)
Time:  Tuesday, February 03, 2015  3:40:46 PM

Error: (02/03/2015 05:34:00 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Start Menu\Programs\Startup\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:33:21 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Local Settings\Temp\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:11:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 1.2.2015.0, faulting module frst.exe, version 1.2.2015.0, fault address 0x0001f09e.
Processing media-specific event for [frst.exe!ws!]

Error: (01/30/2015 08:59:10 PM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Suspicious.AD in File: C:\Documents and Settings\Telis\Local Settings\Temp\urepair.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (01/28/2015 09:25:55 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application Scottrader.exe, version 4.3.153.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

System errors:
=============
Error: (02/05/2015 04:41:30 PM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (02/05/2015 00:35:31 PM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (02/05/2015 00:35:24 PM) (Source: 0) (EventID: 1) (User: )
Description: 0xC0000243SrtETmpHarddiskVolume2

Error: (02/05/2015 03:40:20 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The LiveUpdate service failed to start due to the following error:
%%1053

Error: (02/05/2015 03:40:20 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.

Error: (02/05/2015 03:40:20 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1053" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}

Error: (02/05/2015 03:39:38 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (02/05/2015 02:49:39 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (02/04/2015 09:05:43 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Error: (02/04/2015 04:03:22 AM) (Source: NETLOGON) (EventID: 3095) (User: )
Description: This computer is configured as a member of a workgroup, not as
a member of a domain. The Netlogon service does not need to run in this
configuration.

Microsoft Office Sessions:
=========================
Error: (02/04/2015 04:57:18 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: SymCorpUI.exe11.0.7000.52hungapp0.0.0.000000000

Error: (02/04/2015 04:57:14 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
Event Info:  Resume Thread
Action Taken:  Logged
Actor Process:  C:\WINDOWS\system32\dumprep.exe (PID 4176)
Time:  Wednesday, February 04, 2015  4:57:14 AM

Error: (02/04/2015 04:57:13 AM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
Event Info:  Suspend Thread
Action Taken:  Logged
Actor Process:  C:\WINDOWS\system32\dumprep.exe (PID 4176)
Time:  Wednesday, February 04, 2015  4:57:12 AM

Error: (02/03/2015 03:40:46 PM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe (PID 5292)
Time:  Tuesday, February 03, 2015  3:40:46 PM

Error: (02/03/2015 03:40:46 PM) (Source: Symantec AntiVirus) (EventID: 45) (User: ABIGAIL)
Description: SYMANTEC TAMPER PROTECTION ALERT

Target:  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Event Info:  Terminate Process
Action Taken:  Logged
Actor Process:  C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe (PID 5292)
Time:  Tuesday, February 03, 2015  3:40:46 PM

Error: (02/03/2015 05:34:00 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Start Menu\Programs\Startup\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:33:21 AM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Trojan.Gen.2 in File: C:\Documents and Settings\Telis\Local Settings\Temp\conhost.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (02/03/2015 05:11:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: frst.exe1.2.2015.0frst.exe1.2.2015.00001f09e

Error: (01/30/2015 08:59:10 PM) (Source: Symantec AntiVirus) (EventID: 51) (User: )
Description: Security Risk Found!Suspicious.AD in File: C:\Documents and Settings\Telis\Local Settings\Temp\urepair.exe by: Auto-Protect scan.  Action: Quarantine succeeded : Access denied.  Action Description: The file was quarantined successfully.

Error: (01/28/2015 09:25:55 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Scottrader.exe4.3.153.0hungapp0.0.0.000000000

==================== Memory info ===========================

Processor:  Intel® Pentium® D CPU 2.66GHz
Percentage of memory in use: 29%
Total physical RAM: 1983.36 MB
Available physical RAM: 1402.36 MB
Total Pagefile: 3876.7 MB
Available Pagefile: 3516.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1930.55 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:141.23 GB) (Free:106.91 GB) NTFS
Drive h: (HP_RECOVERY) (Fixed) (Total:7.79 GB) (Free:0.37 GB) FAT32 ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: CAB10BEE)
Partition 1: (Not Active) - (Size=141.2 GB) - (Type=OF Extended)
Partition 2: (Active) - (Size=7.8 GB) - (Type=0C)

==================== End Of Log ============================



#12 Machiavelli

Machiavelli

    Agent 007

  • Malware Response Instructor
  • 4,013 posts
  • Gender:Male
  • Location:Germany

Posted 06 February 2015 - 08:26 AM

Hey, :)

Step 1: FRST Fix
  • Please open Notepad.exe. Make sure that you don't use any other software than Notepad.exe!
  • Copy and Paste the content of the codebox below into the empty textfile:

    HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\MountPoints2: {b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} - J:\Setup.exe
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
    CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Documents and Settings\Telis\Local Settings\Application Data\APN\GoogleCRXs\apnorjtoolbar.crx [Not Found]
    EmptyTemp:
  • Then click on File >> Save as
    • File Name: Fixlist.txt
    • From the Save as type drop down list, choose All Files
  • It is very important that you save this textfile on your Desktop!
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe (Note: If FRST advises there is a new updated version to be downloaded, allow this.) and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run; please post it in your reply.
Step 2: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
Step 3: ESET

Please run a free online scan with the ESET Online Scanner:

IMPORTANT: You MUST use Internet Explorer for this step!
  • Visit the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use and click Start.
  • When asked, allow the ActiveX control to install.
  • Select Enable detection of potentially unwanted applications and select Advanced Settings.
  • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked.
  • Click Start. (This scan can take several hours, so please be patient.)
  • Once the scan is completed, select List of found threats.
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop.
  • Click the Back button.
  • Click the Finish button.
  • Use Notepad to open the saved log file (on your Desktop, ESET.txt).
  • Copy and paste that log as a reply to this topic.
Step 4: Question

How is your PC running?

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#13 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC

Posted 07 February 2015 - 05:09 AM

Finally I have completed these steps - please see below:


1 - Fixlog.txt:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 05-02-2015
Ran by Telis at 2015-02-07 03:54:47 Run:2
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\MountPoints2: {b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} - J:\Setup.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-1454471165-220523388-1417001333-1003 -> No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
CHR HKLM\...\Chrome\Extension: [aaaaojmikegpiepcfdkkjaplodkpfmlo] - C:\Documents and Settings\Telis\Local Settings\Application Data\APN\GoogleCRXs\apnorjtoolbar.crx [Not Found]
EmptyTemp:
*****************

"HKU\S-1-5-21-1454471165-220523388-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1bcb0d6-8039-11e1-b8cd-0016ecb60d91}" => Key deleted successfully.
HKCR\CLSID\{b1bcb0d6-8039-11e1-b8cd-0016ecb60d91} => Key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4F524A2D-5354-2D53-5045-7A786E7484D7} => value deleted successfully.
HKCR\CLSID\{4F524A2D-5354-2D53-5045-7A786E7484D7} => Key not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo" => Key deleted successfully.
EmptyTemp: => Removed 773.4 MB temporary data.

The system needed a reboot.

==== End of Fixlog 03:56:45 ====

2 - FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-02-2015
Ran by Telis (administrator) on ABIGAIL on 07-02-2015 04:00:07
Running from C:\Documents and Settings\Telis\Desktop
Loaded Profiles: Telis (Available profiles: Telis)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Symantec Corporation) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CtHelper.exe
(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTSched.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\wfcrun32.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Express Tray\ExpressTray.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe
(Garmin Ltd or its subsidiaries) C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ccApp] => C:\Program Files\Common Files\Symantec Shared\ccApp.exe [115624 2011-08-09] (Symantec Corporation)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
HKLM\...\Run: [CTHelper] => C:\WINDOWS\system32\CTHELPER.EXE [19456 2009-06-23] (Creative Technology Ltd)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [CreativeTaskScheduler] => C:\Program Files\Creative\Shared Files\CTSched.exe [53341 2006-11-17] (Creative Technology Ltd)
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\...\Run: [GarminExpressTrayApp] => C:\Program Files\Garmin\Express Tray\ExpressTray.exe [1093464 2013-07-09] (Garmin Ltd or its subsidiaries)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.130\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?lat=40.569439931508725&lon=-74.11710937099985&site=all&smap=1
HKU\S-1-5-21-1454471165-220523388-1417001333-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://arkadin.webex.com/client/WBXclient-T27L10NSP32EP5-14362/webex/ieatgpc.cab
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1454471165-220523388-1417001333-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Telis\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-17]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [520192 2006-02-09] () [File not signed]
R2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
R2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108456 2011-08-09] (Symantec Corporation)
S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2012-04-07] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-14] (Creative Technology Ltd) [File not signed]
R2 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [219480 2013-07-09] (Garmin Ltd or its subsidiaries)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093944 2011-02-07] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1897960 2011-08-09] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [357808 2011-08-09] (Symantec Corporation)
R2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1846592 2011-08-09] (Symantec Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23960 2011-08-09] (Symantec Corporation)
S3 COMMONFX; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
R3 COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [99352 2009-06-23] (Creative Technology Ltd)
S3 CTAUDFX; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
R3 CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [555032 2009-06-23] (Creative Technology Ltd)
S3 ctdvda2k; C:\WINDOWS\System32\drivers\ctdvda2k.sys [347080 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [100888 2009-06-23] (Creative Technology Ltd)
S3 CTSBLFX; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R3 CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [566296 2009-06-23] (Creative Technology Ltd)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-11-25] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-11-25] (Symantec Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [798744 2009-06-23] (Creative Technology Ltd)
S3 hap16v2k; C:\WINDOWS\System32\drivers\hap16v2k.sys [162840 2009-06-23] (Creative Technology Ltd)
R3 hap17v2k; C:\WINDOWS\System32\drivers\hap17v2k.sys [189464 2009-06-23] (Creative Technology Ltd)
R3 NAVENG; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVENG.SYS [95704 2014-08-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Common Files\Symantec Shared\VirusDefs\20150105.019\NAVEX15.SYS [1636696 2014-08-11] (Symantec Corporation)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-08-09] (Symantec Corporation)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [287352 2011-08-09] (Symantec Corporation)
S3 SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [321016 2011-08-09] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [43768 2011-08-09] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [126584 2015-02-04] (Symantec Corporation)
R3 SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [26416 2011-08-09] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [188080 2011-08-09] (Symantec Corporation)
S4 SysPlant; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [99744 2011-08-09] (Symantec Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer2.sys [67520 2011-08-09] (Symantec Corporation)
R1 WPS; C:\WINDOWS\system32\drivers\wpsdrvnt.sys [43936 2011-08-09] (Symantec Corporation)
R3 WpsHelper; C:\WINDOWS\system32\drivers\WpsHelper.sys [174056 2012-09-30] (Symantec Corporation)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-07 04:00 - 2015-02-07 04:00 - 00014445 _____ () C:\Documents and Settings\Telis\Desktop\FRST.txt
2015-02-05 16:46 - 2015-02-05 16:46 - 00000000 ____D () C:\Documents and Settings\Telis\Desktop\FRST-OlderVersion
2015-02-05 03:26 - 2015-02-05 03:26 - 04437680 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerInstaller.exe
2015-02-04 11:41 - 2015-02-04 11:41 - 00000664 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\d3d9caps.tmp
2015-02-03 15:33 - 2015-02-03 15:40 - 00000000 ____D () C:\AdwCleaner
2015-02-03 15:28 - 2015-02-03 15:28 - 01388274 _____ (Thisisu) C:\Documents and Settings\Telis\Desktop\JRT.exe
2015-02-03 15:27 - 2015-02-03 15:27 - 20447072 _____ (Malwarebytes Corporation ) C:\Documents and Settings\Telis\Desktop\mbam-setup-2.0.4.1028.exe
2015-02-03 15:26 - 2015-02-03 15:26 - 02194432 _____ () C:\Documents and Settings\Telis\Desktop\AdwCleaner.exe
2015-02-03 05:42 - 2015-02-03 05:42 - 00000000 ____D () C:\Documents and Settings\Telis\Desktop\mbar
2015-02-03 04:47 - 2015-02-07 04:00 - 00000000 ____D () C:\FRST
2015-02-03 04:46 - 2015-02-05 16:46 - 01123328 _____ (Farbar) C:\Documents and Settings\Telis\Desktop\FRST.exe
2015-01-22 07:17 - 2015-01-22 07:17 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-17 18:30 - 2015-01-17 18:31 - 00000998 _____ () C:\DelFix.txt
2015-01-17 18:30 - 2015-01-17 18:30 - 00000000 ____D () C:\WINDOWS\ERUNT
2015-01-17 16:31 - 2015-01-17 16:37 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2015-01-17 08:52 - 2015-01-17 09:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-01-17 08:50 - 2015-01-17 08:50 - 16448208 _____ (Malwarebytes Corp.) C:\Documents and Settings\Telis\Desktop\mbar-1.08.2.1001.exe
2015-01-15 09:32 - 2015-01-15 09:32 - 00000000 ____D () C:\~ErdUserProfile.$$$
2015-01-15 05:23 - 2015-01-15 05:23 - 00000000 ____D () C:\WINDOWS\pss
2015-01-14 03:54 - 2015-01-14 03:54 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-07 04:00 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis\Local Settings\Temp
2015-02-07 04:00 - 2012-04-06 17:35 - 01804339 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-07 03:58 - 2012-04-06 18:35 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2015-02-07 03:58 - 2012-04-06 17:39 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-07 03:58 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-07 03:57 - 2012-12-15 13:29 - 00281762 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-02-07 03:57 - 2012-04-06 17:41 - 00000178 ___SH () C:\Documents and Settings\Telis\ntuser.ini
2015-02-07 03:57 - 2012-04-06 17:39 - 00032558 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-07 03:56 - 2012-04-07 04:24 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.BAK
2015-02-07 03:56 - 2012-04-07 04:21 - 04931933 _____ () C:\WINDOWS\{00000002-00000000-00000003-00001102-00000008-10221102}.CDF
2015-02-06 03:26 - 2012-08-08 16:08 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-05 16:54 - 2012-12-15 13:29 - 02506010 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1454471165-220523388-1417001333-1003-0.dat
2015-02-05 03:54 - 2012-04-06 17:56 - 00069592 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2015-02-05 03:50 - 2014-07-30 06:39 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-05 03:38 - 2012-04-06 18:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2647518$
2015-02-05 03:38 - 2012-04-06 17:41 - 00000000 ____D () C:\Documents and Settings\Telis
2015-02-05 03:37 - 2012-07-12 22:38 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-02-05 03:26 - 2012-04-06 18:05 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-02-05 03:26 - 2012-04-06 18:05 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-02-04 03:56 - 2012-04-06 17:53 - 00126584 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2015-02-04 03:56 - 2012-04-06 17:53 - 00060872 _____ (Symantec Corporation) C:\WINDOWS\system32\S32EVNT1.DLL
2015-02-04 03:56 - 2012-04-06 17:53 - 00007468 _____ () C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2015-02-04 03:56 - 2012-04-06 17:52 - 00000000 ____D () C:\Program Files\Symantec
2015-02-04 03:56 - 2012-04-06 17:52 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Symantec Endpoint Protection
2015-02-03 04:58 - 2012-04-06 17:33 - 00000000 ____D () C:\WINDOWS\system32\Restore
2015-02-02 19:13 - 2012-04-07 16:18 - 00000372 _____ () C:\Documents and Settings\Telis\My Documents\spider.sav
2015-01-31 05:38 - 2014-08-07 13:24 - 00000000 ____D () C:\Program Files\Java
2015-01-22 07:18 - 2014-10-16 13:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-22 07:16 - 2014-08-07 13:25 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-01-22 07:16 - 2014-08-07 13:24 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-01-18 14:27 - 2012-04-07 03:36 - 00065536 _____ () C:\WINDOWS\system32\config\OAlerts.evt
2015-01-17 13:36 - 2012-04-06 13:20 - 00563934 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-17 08:51 - 2014-07-30 06:38 - 00055000 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-01-15 09:12 - 2012-04-06 13:09 - 00000000 ____D () C:\WINDOWS\security
2015-01-15 06:34 - 2013-11-14 03:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-01-14 03:08 - 2013-08-14 19:37 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 03:00 - 2012-04-06 18:20 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-10 23:26 - 2014-10-13 03:17 - 00002315 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-08 15:00 - 2014-03-28 16:08 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

==================== Files in the root of some directories =======

2015-02-04 11:41 - 2015-02-04 11:41 - 0000664 _____ () C:\Documents and Settings\Telis\Local Settings\Application Data\d3d9caps.tmp

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

3 - ESETlog.txt:

H:\I386\APPS\APP11418\src\CompaqPresario_Spring06.exe a variant of Win32/AdInstaller potentially unwanted application deleted - quarantined
H:\I386\APPS\APP11418\src\HPPavillion_Spring06.exe a variant of Win32/AdInstaller potentially unwanted application deleted - quarantined

4 - I will try now to update the SEP definitions and post another reply - I want to save this post in case the system hangs or something.

Thanks,

Abigail


Edited by Lost in NY, 07 February 2015 - 05:10 AM.


#14 Lost in NY

Lost in NY
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:NYC
  • Local time:01:21 PM

Posted 07 February 2015 - 05:12 AM

Well, I tried again to update the SEP definitions and it still doesn't do it - should I try again to do a 'repair'?

Thanks,

Abigail



#15 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,013 posts
  • Gender:Male
  • Location:Germany
  • Local time:01:21 PM

Posted 07 February 2015 - 08:23 AM

Have you tried to reinstall SEP? :)

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
