Windows XP Hitman Pro can't prevent viruses from returning


10 replies to this topic

#1 AtariBaby

Posted 03 May 2015 - 08:33 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-05-2015

Ran by Administrator (administrator) on DV01911 on 03-05-2015 18:06:51
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\AgentMon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Nero AG) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
(Prolific Technology Inc.) C:\WINDOWS\system32\IoctlSvc.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\winvnc4.exe
( ) C:\Program Files\Kaseya\KSAASC51184681212415\extensions\Lua.exe
( ) C:\Program Files\Kaseya\KSAASC51184681212415\extensions\Lua.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\Kaseya.AgentEndpoint.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\KDLLHost.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\InCD.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\KaUsrTsk.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(OnviSource, Inc.) C:\OnviCall\OnviNetSwitchServer\SwitchServer.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\KaseyaRemoteControlHost.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\KaseyaRemoteControlHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [570664 2008-03-25] (Nero AG)
HKLM\...\Run: [SecurDisc] => C:\Program Files\Nero\Nero8\InCD\NBHGui.exe [2049320 2008-02-28] (Nero AG)
HKLM\...\Run: [InCD] => C:\Program Files\Nero\Nero8\InCD\InCD.exe [1083176 2008-02-28] (Nero AG)
HKLM\...\Run: [NBKeyScan] => C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2221352 2008-02-18] (Nero AG)
HKLM\...\Run: [KASHKSAASC51184681212415] => C:\Program Files\Kaseya\KSAASC51184681212415\KaUsrTsk.exe [574992 2015-03-20] (Kaseya International Limited)
HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [1690096 2013-07-19] (GlavSoft LLC.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll [2011-10-07] (LogMeIn, Inc.)
HKLM\...\Policies\Explorer\Run: [37644] => C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msiswwzez.exe
HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\CurrentVersion\Windows: [Load] C:\WINDOWS\system32\Microsoft.com <===== ATTENTION
HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\MountPoints2: {7fca2940-28e3-11e4-b20e-003048f8c0fd} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
IFEO\AvastSvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\AvastUI.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avcenter.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avconfig.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgcsrvx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgidsagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgnt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgrsx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avguard.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgwdsvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avp.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avscan.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\bdagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ccuac.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ComboFix.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\egui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\hijackthis.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\instup.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\jack: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\keyscrambler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbam.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbampt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamscheduler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamservice.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MpCmdRun.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MSASCui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MsMpEng.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\msseces.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\rstrui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\spybotsd.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\virus1: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\wireshark.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\zlclient.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to LoadDSP65.lnk [2010-04-14]
ShortcutTarget: Shortcut to LoadDSP65.lnk -> C:\OnviCall\OnviNetSwitchServer\LoadDSP65.bat ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [2010-03-19]
ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Auto-Startup Firmware (If Enabled).lnk [2010-03-19]
ShortcutTarget: Auto-Startup Firmware (If Enabled).lnk -> C:\Program Files\Aculab\GUI Installer\configtool.exe ()
ShellIconOverlayIdentifiers: [NBHShellExt] -> {8D2223A2-B3C6-4e32-B096-CDD11F628C60} => C:\Program Files\Nero\Nero8\InCD\NBHShx.dll [2008-02-28] (Nero AG)
BootExecute: autocheck autochk * bootdelete
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2472326792-1737383404-690393355-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14] (Adobe Systems Incorporated)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://onvisource.webex.com/client/T27LB/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2014-03-06] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2014-03-06] (Microsoft Corporation)
Tcpip\..\Interfaces\{F96CFECE-4D53-4F9A-AEBA-B7846B0ADD20}: [NameServer] 65.87.16.20,8.8.8.8
 
FireFox:
========
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
Locked "ghulp" service was unlocked successfully. <===== ATTENTION
 
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106248 2015-04-23] (SurfRight B.V.)
S3 idsvc; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [741376 2006-10-30] (Microsoft Corporation) [File not signed]
R2 InCDsrv; C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe [1440552 2008-02-28] (Nero AG)
R2 KAKSAASC51184681212415; C:\Program Files\Kaseya\KSAASC51184681212415\AgentMon.exe [1155088 2015-03-20] (Kaseya International Limited)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2008-02-26] (Hewlett-Packard Company) [File not signed]
S3 MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [9162752 2012-05-11] (Microsoft Corporation)
S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [73728 2005-05-03] (Microsoft Corporation) [File not signed]
R2 NeroRegInCDSrv; C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [53032 2008-02-28] (Nero AG)
S4 NetTcpPortSharing; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [122880 2006-10-30] (Microsoft Corporation) [File not signed]
R2 PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S3 SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe [323584 2005-05-03] (Microsoft Corporation) [File not signed]
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1690096 2013-07-19] (GlavSoft LLC.)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [1696496 2011-08-18] (RealVNC Ltd)
S2 ghulp; C:\WINDOWS\system32\bggtk.dll [X]
S3 MySQL; c:\mysql\bin\mysqld-nt MySQL [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 Aculab Call 0; C:\WINDOWS\System32\drivers\AculabCall0.sys [965556 2003-05-16] (Aculab Plc.) [File not signed]
R3 Aculab Card; C:\WINDOWS\System32\drivers\AculabCard.sys [604192 2003-05-19] (Aculab Plc) [File not signed]
R3 Aculab Switch; C:\WINDOWS\System32\drivers\AculabSwitch.sys [22788 2003-05-19] (Aculab Plc) [File not signed]
S3 AculabBridgeFilter; C:\WINDOWS\system32\Drivers\AculabBridge.sys [9720 2002-12-12] (Windows ® 2000 DDK provider) [File not signed]
R3 dfmirage; C:\WINDOWS\System32\DRIVERS\dfmirage.sys [31896 2014-10-08] (DemoForge, LLC)
R3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [35992 2015-05-03] ()
R1 hwinterface; C:\WINDOWS\System32\Drivers\hwinterface.sys [3026 2010-04-15] (Logix4u) [File not signed]
R4 InCDfs; C:\WINDOWS\System32\drivers\InCDFs.sys [128424 2008-02-28] (Nero AG)
R1 InCDPass; C:\WINDOWS\System32\drivers\InCDPass.sys [38952 2008-02-28] (Nero AG)
U1 InCDRec; C:\WINDOWS\System32\drivers\InCDRec.sys [17448 2008-02-28] (Nero AG)
R1 incdrm; C:\WINDOWS\System32\drivers\InCDRm.sys [40360 2008-02-28] (Nero AG)
R3 KAPFA; C:\WINDOWS\system32\drivers\KAPFA.SYS [30992 2015-03-20] (Kaseya)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2009-01-22] (Intel Corporation )
R3 PikaDaytona; C:\WINDOWS\System32\DRIVERS\PikaDaytona.sys [105337 2009-08-24] (PIKA Technologies Inc.) [File not signed]
S3 vncmirror; C:\WINDOWS\System32\DRIVERS\vncmirror.sys [4608 2014-08-18] (RealVNC Ltd.)
R3 XGIGraphics_XG2X; C:\WINDOWS\System32\DRIVERS\xg20grp.sys [299136 2008-09-11] (XGI Technology Inc.)
S4 IntelIde; No ImagePath
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; No ImagePath
U1 WS2IFSL; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
NETSVC: ghulp -> C:\WINDOWS\system32\bggtk.dll ==> No File.
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-03 18:06 - 2015-05-03 18:06 - 01140736 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2015-05-03 18:06 - 2015-05-03 18:06 - 00013079 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-05-03 18:06 - 2015-05-03 18:06 - 00000000 ____D () C:\FRST
2015-05-03 15:45 - 2015-05-03 15:46 - 00002022 _____ () C:\WINDOWS\setupapi.log
2015-05-01 07:40 - 2015-05-01 07:40 - 00001126 _____ () C:\Documents and Settings\Administrator\Desktop\FixExec.txt
2015-05-01 07:39 - 2015-05-01 07:39 - 00883616 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Administrator\Desktop\FixExec.exe
2015-05-01 07:20 - 2015-05-03 15:17 - 00000000 ____D () C:\AdwCleaner
2015-05-01 07:19 - 2015-05-01 07:19 - 02204160 _____ () C:\Documents and Settings\Administrator\Desktop\adwcleaner_4.203.exe
2015-05-01 07:09 - 2015-05-01 07:09 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2015-04-30 15:45 - 2015-05-03 15:41 - 00035992 _____ () C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2015-04-30 15:28 - 2015-04-30 15:28 - 00020178 _____ () C:\WINDOWS\iis6.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00018548 _____ () C:\WINDOWS\FaxSetup.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00008868 _____ () C:\WINDOWS\ocgen.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00008463 _____ () C:\WINDOWS\tsoc.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00006739 _____ () C:\WINDOWS\KB2510531-IE8.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00006185 _____ () C:\WINDOWS\comsetup.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00005700 _____ () C:\WINDOWS\msmqinst.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00005423 _____ () C:\WINDOWS\KB2964358-IE8.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00004096 _____ () C:\WINDOWS\KB2909210-IE8.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00003744 _____ () C:\WINDOWS\ntdtcsetup.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00003249 _____ () C:\WINDOWS\netfxocm.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00001374 _____ () C:\WINDOWS\imsins.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00001374 _____ () C:\WINDOWS\imsins.BAK
2015-04-30 15:28 - 2015-04-30 15:28 - 00001275 _____ () C:\WINDOWS\MedCtrOC.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00001026 _____ () C:\WINDOWS\ocmsn.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000933 _____ () C:\WINDOWS\tabletoc.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000927 _____ () C:\WINDOWS\msgsocm.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000497 _____ () C:\WINDOWS\updspapi.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000000 _____ () C:\WINDOWS\setupact.log
2015-04-30 15:26 - 2015-04-30 15:26 - 00004808 _____ () C:\WINDOWS\KB2286198.log
2015-04-30 15:20 - 2015-04-30 15:20 - 00022668 _____ () C:\Documents and Settings\Administrator\Desktop\reb_backup_04_30_2015.reg
2015-04-29 10:55 - 2015-04-29 10:55 - 00008316 _____ () C:\Documents and Settings\Administrator\Desktop\HitmanPro_20150429_1055.log
2015-04-29 10:53 - 2015-05-03 15:40 - 00000238 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-04-29 10:53 - 2015-04-29 10:58 - 00000232 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-04-29 10:53 - 2015-04-29 10:53 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2015-04-29 10:52 - 2015-04-29 10:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2015-04-29 10:52 - 2015-04-29 10:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2868626$
2015-04-29 10:51 - 2015-04-30 15:28 - 00000000 ____D () C:\WINDOWS\ie8updates
2015-04-29 10:51 - 2015-04-29 10:52 - 00065536 _____ () C:\WINDOWS\system32\config\Internet.evt
2015-04-29 10:51 - 2015-04-29 10:51 - 00000000 __HDC () C:\WINDOWS\ie8
2015-04-29 10:51 - 2015-04-29 10:51 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2467659$
2015-04-29 10:51 - 2014-03-06 10:59 - 11113472 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 02006016 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00743424 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00630272 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00522240 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00247808 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00055296 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00012800 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
2015-04-29 10:51 - 2011-08-16 03:45 - 00006144 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iecompat.dll
2015-04-29 10:49 - 2015-04-29 10:49 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2387149$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2934207$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834886$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2712808$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2659262$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2631813$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2585542$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2564958$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2544893-v2$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2536276-v2$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2479943$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478971$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2345886$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2296011$
2015-04-29 10:46 - 2015-04-29 10:46 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2691442$
2015-04-29 10:46 - 2015-04-29 10:46 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB982132$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB978338$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB975558_WM8$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2909212$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2900986$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2898715$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862335$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2847311$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834902-v2_WM10$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2802968$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2686509$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2655992$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2598479$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2485663$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2481109$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2443105$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2378111_WM9$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2229593$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2115168$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB979687$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB941569$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2936068$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2904266$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876217$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2864063$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2780091$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2770660$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2719985$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2592799$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2510581$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2507938$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2483185$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2347290$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB978695_WM9$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB977816$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2964358$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876331$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2859537$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2850869$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2820917$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2807986$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2603381$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2570947$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2535512$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 ____D () C:\WINDOWS\$SQLUninstallSQL2000-KB983812-v8.00.2066-x86-ENU$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB981997$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB979482$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB979309$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB978542$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB971029$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2893294$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2892075$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862330$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2757638$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2749655$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2727528$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2723135-v2$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2705219-v2$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2698365$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2653956$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2619339$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2508429$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2506212$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2419632$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB982665$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2813345$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2676562$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661637$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2620712$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2566454$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2509553$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478960$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2393802$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 ____D () C:\Program Files\MSXML 4.0
2015-04-29 10:40 - 2015-04-29 10:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2584146$
2015-04-29 10:40 - 2015-04-29 10:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2423089$
2015-04-29 10:39 - 2015-04-29 10:39 - 00008314 _____ () C:\Documents and Settings\Administrator\Desktop\HitmanPro_20150429_1039.log
2015-04-28 11:28 - 2015-04-28 11:28 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2286198$
2015-04-28 11:25 - 2015-04-28 11:25 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU.exe
2015-04-28 11:25 - 2015-04-28 11:25 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU (2).exe
2015-04-28 11:25 - 2015-04-28 11:25 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU (1).exe
2015-04-28 10:04 - 2014-02-25 18:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\xp_eos.exe
2015-04-28 10:04 - 2014-02-25 18:59 - 00013312 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xp_eos.exe
2015-04-28 10:04 - 2013-07-02 19:12 - 00025088 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidparse.sys
2015-04-28 10:04 - 2013-07-02 18:59 - 00014976 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbscan.sys
2015-04-28 10:03 - 2013-02-11 17:32 - 00012928 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usb8023x.sys
2015-04-28 10:02 - 2013-08-08 17:55 - 00032384 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbccgp.sys
2015-04-28 10:02 - 2013-08-08 17:55 - 00005376 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbd.sys
2015-04-28 10:02 - 2012-01-11 12:06 - 00003072 ____N () C:\WINDOWS\system32\iacenc.dll
2015-04-28 10:02 - 2012-01-11 12:06 - 00003072 ____C () C:\WINDOWS\system32\dllcache\iacenc.dll
2015-04-28 09:54 - 2012-06-02 15:19 - 00015384 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll.mui
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-03 18:06 - 2009-11-23 15:19 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-05-03 15:44 - 2009-11-23 22:55 - 00530804 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-05-03 15:41 - 2014-09-17 11:28 - 01659275 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-03 15:40 - 2014-08-20 20:32 - 00000000 ____D () C:\kworking
2015-05-03 15:40 - 2009-11-23 15:17 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-05-03 15:40 - 2008-04-14 05:00 - 00012598 _____ () C:\WINDOWS\system32\wpa.dbl
2015-05-03 15:20 - 2009-11-23 15:19 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-05-03 15:20 - 2009-11-23 15:17 - 00031154 _____ () C:\WINDOWS\SchedLgU.Txt
2015-05-02 01:46 - 2014-08-20 20:31 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Kaseya
2015-05-01 07:09 - 2009-11-23 15:19 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-04-30 15:28 - 2009-11-23 15:37 - 00000000 ___HD () C:\WINDOWS\$hf_mig$
2015-04-30 15:19 - 2014-09-17 12:33 - 00003430 _____ () C:\WINDOWS\system32\.crusader
2015-04-29 10:54 - 2009-11-23 15:19 - 00000803 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2015-04-29 10:54 - 2009-11-23 15:19 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2015-04-29 10:53 - 2009-11-23 22:54 - 00096664 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-04-29 10:53 - 2009-11-23 22:31 - 00000000 ____D () C:\WINDOWS\Help
2015-04-29 10:51 - 2009-11-23 22:31 - 00000000 ____D () C:\WINDOWS\Media
2015-04-29 10:44 - 2009-11-23 15:40 - 00015628 _____ () C:\WINDOWS\system32\TZLog.log
2015-04-29 10:42 - 2009-11-23 15:01 - 00000000 ____D () C:\Program Files\Movie Maker
2015-04-29 10:42 - 2009-11-23 15:00 - 00000000 ____D () C:\Program Files\Outlook Express
2015-04-29 10:41 - 2009-11-23 22:55 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-04-28 11:09 - 2014-09-30 22:32 - 00000000 ____D () C:\Program Files\RealVNC
2015-04-28 11:09 - 2014-09-30 22:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\RealVNC
2015-04-28 11:09 - 2009-11-23 15:17 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-04-28 09:50 - 2015-01-28 06:21 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\LDTUDY
 
==================== Files in the root of some directories =======
 
2015-01-21 07:45 - 2015-03-17 08:24 - 0000119 _____ () C:\Documents and Settings\Administrator\Application Data\29B722.dat
2008-02-05 12:28 - 2008-02-05 12:28 - 0000051 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\setup.txt
 
Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\nircmd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\TeraCopy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wget.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 02-05-2015
Ran by Administrator at 2015-05-03 18:07:12
Running from C:\Documents and Settings\Administrator\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2472326792-1737383404-690393355-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-2472326792-1737383404-690393355-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-2472326792-1737383404-690393355-1004 - Limited - Disabled)
localadmin (S-1-5-21-2472326792-1737383404-690393355-1006 - Administrator - Enabled)
SQLDebugger (S-1-5-21-2472326792-1737383404-690393355-1005 - Limited - Enabled)
SUPPORT_388945a0 (S-1-5-21-2472326792-1737383404-690393355-1002 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
AccuCall DataServer (HKLM\...\{2FF65A80-B00D-11D4-87BD-0060081E96ED}) (Version:  - )
Aculab Configuration Tool (HKLM\...\Aculab Configuration Tool) (Version:  - )
Adobe Flash Player 10 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 10.0.32.18 - Adobe Systems Incorporated)
Adobe Reader 7.0 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A70000000000}) (Version: 7.0.0 - Adobe Systems Incorporated)
BDE Information Utility (HKLM\...\BDE Information Utility) (Version:  - InterBase Installation Info (and BDE Information Utility))
CCleaner (HKLM\...\CCleaner) (Version: 4.12 - Piriform)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.240 - SurfRight B.V.)
Hotfix 2066 for SQL Server 2000 ENU (KB983812) (HKLM\...\KB983812(ENU)) (Version: 1 - Microsoft Corporation)
Intel® Network Connections 14.0.40.0 (HKLM\...\{888019C0-54D4-40C2-9274-27B9DAB17017}) (Version: 14.0.40.0 - Intel)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
Kaseya Agent (switchserver.root.procomm - saas32.kaseya.net) (HKLM\...\KAKSAASC51184681212415) (Version: 9.0.0.2 - Kaseya)
LightScribe System Software  1.12.33.2 (HKLM\...\{582287DA-0806-4AC0-BF19-C15E3A466034}) (Version: 1.12.33.2 - LightScribe)
MessageFormatEditor (HKLM\...\{D763282B-678A-4B84-A91D-2AC03E8DBAAD}) (Version: 6.1.2 - Onvisource)
Microsoft .NET Framework 2.0 (HKLM\...\Microsoft .NET Framework 2.0) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.0 (HKLM\...\Microsoft .NET Framework 3.0) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2000 (HKLM\...\Microsoft SQL Server 2000) (Version: 8.00.2039 - Microsoft)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (KB925673) (HKLM\...\{FE9126DB-5F84-495A-BB46-3C724F1C2D08}) (Version: 6.00.3888.0 - Microsoft Corporation)
MySQL Connector Net 5.1.4 (HKLM\...\{5FD88490-011C-4DF1-B886-F298D955171B}) (Version: 5.1.4 - MySQL AB)
MySQL Connector/ODBC 3.51 (HKLM\...\{0CB3C535-1171-4A20-B549-E2CB5DEB9723}) (Version: 3.51.12 - MySQL AB)
MySQL Query Browser 1.1 (HKLM\...\{342DEBAA-7E71-42BF-B818-308631FC75E2}) (Version: 1.1.19 - MySQL AB)
Nero 8 Essentials (HKLM\...\{B661D1BD-5C0C-4EF1-A801-B5699AD41033}) (Version: 8.3.200 - Nero AG)
OnViews (HKLM\...\{DFCC7442-C6A2-42A2-BE10-175C29C59D5B}) (Version: 1.0.16 - OnviSource)
OnviSource OnviCall OnviNetSwitchServer 7.0.0 (HKLM\...\OnviSource OnviCall OnviNetSwitchServer) (Version: 7.0.0 - OnviSource, Inc.)
OnviSource OnviCenter Database Server 6.1.4 (HKLM\...\OnviSource OnviCenter Database Server) (Version: 6.1.4 - OnviSource, Inc.)
OnviSource OnviCenter OnviCall Operator 6.1.4 (HKLM\...\OnviSource OnviCenter OnviCall Operator) (Version: 6.1.4 - OnviSource, Inc.)
PIKA MonteCarlo SDK (HKLM\...\PIKA MonteCarlo SDK 6.5.14) (Version: 6.5.14 - PIKA Technologies Inc.)
TightVNC (HKLM\...\{D903B276-81AE-4AED-AEF9-45DACFBF16CE}) (Version: 2.7.10.0 - GlavSoft LLC.)
VCRedistSetup (Version: 1.0.0 - Nero AG) Hidden
VNC Enterprise Edition E4.6.3 (HKLM\...\RealVNC_is1) (Version: E4.6.3 - RealVNC Ltd)
VNC Viewer 5.2.1 (HKLM\...\{AF2FFFDD-875A-4A0F-A98D-C264A7AEF961}) (Version: 5.2.1 - RealVNC Ltd)
Web Launcher (HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\fc3ac04dc8eedef7) (Version: 1.0.0.20 - ShowMyPC)
WebEx (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format Runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
XGI Volari Z7/Z9/Z9s/Z11 Display Driver (HKLM\...\XG20) (Version:  - )
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
17-03-2015 14:50:59 Checkpoint by HitmanPro
18-03-2015 16:02:41 System Checkpoint
19-03-2015 16:06:14 System Checkpoint
20-03-2015 16:08:39 System Checkpoint
21-03-2015 17:08:37 System Checkpoint
22-03-2015 20:44:46 System Checkpoint
23-03-2015 21:56:45 System Checkpoint
24-03-2015 22:44:42 System Checkpoint
25-03-2015 22:57:18 System Checkpoint
27-03-2015 00:08:40 System Checkpoint
28-03-2015 00:32:38 System Checkpoint
29-03-2015 01:08:36 System Checkpoint
30-03-2015 01:20:35 System Checkpoint
31-03-2015 01:32:33 System Checkpoint
01-04-2015 06:11:40 System Checkpoint
02-04-2015 08:20:30 System Checkpoint
03-04-2015 08:32:28 System Checkpoint
04-04-2015 11:35:16 System Checkpoint
05-04-2015 12:20:29 System Checkpoint
06-04-2015 12:32:27 System Checkpoint
07-04-2015 13:08:26 System Checkpoint
08-04-2015 14:08:24 System Checkpoint
09-04-2015 15:08:22 System Checkpoint
10-04-2015 16:08:21 System Checkpoint
11-04-2015 17:08:19 System Checkpoint
12-04-2015 21:11:59 System Checkpoint
13-04-2015 21:24:03 System Checkpoint
14-04-2015 22:08:14 System Checkpoint
16-04-2015 00:56:13 System Checkpoint
17-04-2015 01:20:11 System Checkpoint
18-04-2015 02:32:10 System Checkpoint
19-04-2015 03:08:12 System Checkpoint
20-04-2015 04:08:10 System Checkpoint
21-04-2015 04:32:09 System Checkpoint
22-04-2015 04:44:07 System Checkpoint
23-04-2015 05:08:06 System Checkpoint
24-04-2015 05:08:45 System Checkpoint
25-04-2015 05:15:49 System Checkpoint
26-04-2015 06:15:47 System Checkpoint
27-04-2015 06:51:46 System Checkpoint
28-04-2015 07:15:57 System Checkpoint
28-04-2015 09:50:40 Checkpoint by HitmanPro
28-04-2015 09:54:32 Checkpoint by HitmanPro
28-04-2015 11:28:16 Installed Windows XP KB2286198.
28-04-2015 11:43:51 Checkpoint by HitmanPro
29-04-2015 10:40:52 Software Distribution Service 3.0
29-04-2015 10:55:50 Checkpoint by HitmanPro
30-04-2015 11:37:28 System Checkpoint
30-04-2015 15:07:21 Checkpoint by HitmanPro
30-04-2015 15:19:10 Checkpoint by HitmanPro
30-04-2015 15:26:26 Installed Windows XP KB2286198.
30-04-2015 15:28:46 Software Distribution Service 3.0
01-05-2015 16:35:02 System Checkpoint
02-05-2015 20:01:37 System Checkpoint
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2008-04-14 05:00 - 2008-04-14 05:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2014-08-20 20:31 - 2015-03-20 18:50 - 00925696 _____ () C:\Program Files\Kaseya\KSAASC51184681212415\libkacm.dll
2014-08-20 20:31 - 2015-03-20 18:50 - 00110592 _____ () C:\Program Files\Kaseya\KSAASC51184681212415\extensions\scripts\socket\core.dll
2014-08-20 20:31 - 2015-03-20 18:50 - 00073728 _____ () C:\Program Files\Kaseya\KSAASC51184681212415\extensions\scripts\mime\core.dll
2014-09-17 11:24 - 2014-09-17 11:24 - 00167936 _____ () C:\Program Files\Kaseya\KSAASC51184681212415\lua5.1.dll
2010-03-19 14:10 - 2001-05-10 11:00 - 00589312 _____ () C:\Program Files\Borland\Common Files\BDE\IDAPI32.DLL
2010-03-19 14:10 - 2001-05-10 11:00 - 00116736 _____ () C:\Program Files\Borland\Common Files\BDE\IDR20009.DLL
2010-03-19 14:10 - 2001-05-10 11:00 - 00101376 _____ () C:\Program Files\Borland\Common Files\BDE\BANTAM.DLL
2010-03-19 14:10 - 2001-05-10 11:00 - 00436224 _____ () C:\Program Files\Borland\Common Files\BDE\IDODBC32.DLL
2014-02-12 11:52 - 2009-08-24 09:06 - 00090112 _____ () C:\WINDOWS\system32\pikaosipparser2.dll
2014-02-12 11:52 - 2009-08-24 09:06 - 00057344 _____ () C:\WINDOWS\system32\pikaosip2.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KAKSAASC51184681212415 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\KAKSAASC51184681212415 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver => ""=""
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, the associated entry will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\microsoft.com -> hxxps://microsoft.com
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2472326792-1737383404-690393355-500\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\onvisource_1024.bmp
DNS Servers: 65.87.16.20 - 8.8.8.8
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManager: not accepting connections: failed to listen on at least one transport.
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManager: not listening on IPv4: unable to create listening socket: Only one usage of each socket address (protocol/network address/port) is normally permitted. (10048)
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManager: not accepting connections: failed to listen on at least one transport.
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManager: not listening on IPv4: unable to create listening socket: Only one usage of each socket address (protocol/network address/port) is normally permitted. (10048)
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManager: not accepting connections: failed to listen on at least one transport.
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManager: not listening on IPv4: unable to create listening socket: Only one usage of each socket address (protocol/network address/port) is normally permitted. (10048)
 
 
System errors:
=============
Error: (05/03/2015 03:42:07 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The LogMeIn Kernel Information Provider service failed to start due to the following error: 
%%2
 
Error: (05/03/2015 03:42:07 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The LMIGuardianSvc service failed to start due to the following error: 
%%1053
 
Error: (05/03/2015 03:42:07 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the LMIGuardianSvc service to connect.
 
Error: (05/03/2015 03:42:07 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Image Installer service terminated with the following error: 
%%126
 
Error: (05/03/2015 03:17:21 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The InCD Helper service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (05/03/2015 03:17:20 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Kaseya Agent service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (05/03/2015 03:17:20 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The TightVNC Server service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
 
Error: (05/03/2015 03:17:20 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The VNC Server Version 4 service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (05/03/2015 03:17:20 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows User Mode Driver Framework service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (05/03/2015 03:17:20 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The PLFlash DeviceIoControl Service service terminated unexpectedly.  It has done this 1 time(s).
 
 
Microsoft Office Sessions:
=========================
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManagernot accepting connections: failed to listen on at least one transport.
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManagernot listening on IPv4: unable to create listening socket: Only one usage of each socket address (protocol/network address/port) is normally permitted. (10048)
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManagernot accepting connections: failed to listen on at least one transport.
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManagernot listening on IPv4: unable to create listening socket: Only one usage of each socket address (protocol/network address/port) is normally permitted. (10048)
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManagernot accepting connections: failed to listen on at least one transport.
 
Error: (05/03/2015 03:40:37 PM) (Source: WinVNC4) (EventID: 1) (User: )
Description: TcpListenerManagernot listening on IPv4: unable to create listening socket: Only one usage of each socket address (protocol/network address/port) is normally permitted. (10048)
 
 
==================== Memory info =========================== 
 
Processor: Intel® Xeon® CPU X3330 @ 2.66GHz
Percentage of memory in use: 23%
Total physical RAM: 2045.94 MB
Available physical RAM: 1561.78 MB
Total Pagefile: 3938.29 MB
Available Pagefile: 3469.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1945.41 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:46.58 GB) (Free:27.13 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:419.18 GB) (Free:383.63 GB) NTFS
Drive z: () (Network) (Total:1800.16 GB) (Free:1613.38 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: BCFDBCFD)
Partition 1: (Active) - (Size=46.6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=419.2 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Edited by xXToffeeXx, 04 May 2015 - 04:53 AM.
Posted addition log~
#2 xXToffeeXx
Posted 04 May 2015 - 06:02 AM

Hi AtariBaby,
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKLM\...\Policies\Explorer\Run: [37644] => C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msiswwzez.exe
C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msiswwzez.exe
HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\CurrentVersion\Windows: [Load] C:\WINDOWS\system32\Microsoft.com <===== ATTENTION
HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\MountPoints2: {7fca2940-28e3-11e4-b20e-003048f8c0fd} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
C:\WINDOWS\system32\Microsoft.com
IFEO\AvastSvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\AvastUI.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avcenter.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avconfig.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgcsrvx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgidsagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgnt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgrsx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avguard.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgwdsvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avp.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avscan.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\bdagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ccuac.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ComboFix.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\egui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\hijackthis.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\instup.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\jack: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\keyscrambler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbam.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbampt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamscheduler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamservice.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MpCmdRun.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MSASCui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MsMpEng.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\msseces.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\rstrui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\spybotsd.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\virus1: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\wireshark.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\zlclient.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
S2 ghulp; C:\WINDOWS\system32\bggtk.dll [X]
S4 IntelIde; No ImagePath
S4 LMIRfsClientNP; No ImagePath
U1 WS2IFSL; No ImagePath
NETSVC: ghulp -> C:\WINDOWS\system32\bggtk.dll ==> No File.
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
xXToffeeXx~

#3 AtariBaby
Posted 05 May 2015 - 05:46 PM

This time the "fix" seemed to only last about 1 or 2 seconds. I hope that's not a sign I did something wrong. Fix log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-05-2015
Ran by Administrator at 2015-05-05 15:45:12 Run:1
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\Policies\Explorer\Run: [37644] => C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msiswwzez.exe
C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msiswwzez.exe
HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\CurrentVersion\Windows: [Load] C:\WINDOWS\system32\Microsoft.com <===== ATTENTION
HKU\S-1-5-21-2472326792-1737383404-690393355-500\...\MountPoints2: {7fca2940-28e3-11e4-b20e-003048f8c0fd} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
C:\WINDOWS\system32\Microsoft.com
IFEO\AvastSvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\AvastUI.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avcenter.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avconfig.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgcsrvx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgidsagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgnt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgrsx.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avguard.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avgwdsvc.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avp.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\avscan.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\bdagent.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ccuac.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\ComboFix.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\egui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\hijackthis.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\instup.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\jack: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\keyscrambler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbam.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamgui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbampt.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamscheduler.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\mbamservice.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MpCmdRun.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MSASCui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\MsMpEng.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\msseces.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\rstrui.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\spybotsd.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\virus1: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\wireshark.exe: [Debugger] C:\WINDOWS\system32\Microsoft.com
IFEO\zlclient.exe: [Debugger] C:\WINDOWS\systema32\Microsoft.com
 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
S2 ghulp; C:\WINDOWS\system32\bggtk.dll [X]
S4 IntelIde; No ImagePath
S4 LMIRfsClientNP; No ImagePath
U1 WS2IFSL; No ImagePath
NETSVC: ghulp -> C:\WINDOWS\system32\bggtk.dll ==> No File.
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\37644 => Value not found.
"C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\msiswwzez.exe" => File/Directory not found.
HKU\S-1-5-21-2472326792-1737383404-690393355-500\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
"HKU\S-1-5-21-2472326792-1737383404-690393355-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7fca2940-28e3-11e4-b20e-003048f8c0fd}" => Key deleted successfully.
HKCR\CLSID\{7fca2940-28e3-11e4-b20e-003048f8c0fd} => Key not found. 
"C:\WINDOWS\system32\Microsoft.com" => File/Directory not found.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\jack" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\virus1" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe" => Key Deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe" => Key Deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
ghulp => Service deleted successfully.
IntelIde => Service deleted successfully.
LMIRfsClientNP => Service deleted successfully.
WS2IFSL => Service deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ghulp => Value deleted successfully.
 

 

==== End of Fixlog 15:45:12 ====


#4 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts

Posted 05 May 2015 - 05:52 PM

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-05-2015

Ran by Administrator (administrator) on DV01911 on 05-05-2015 15:47:21
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\AgentMon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Nero AG) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
(Prolific Technology Inc.) C:\WINDOWS\system32\IoctlSvc.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(RealVNC Ltd) C:\Program Files\RealVNC\VNC4\winvnc4.exe
( ) C:\Program Files\Kaseya\KSAASC51184681212415\extensions\Lua.exe
( ) C:\Program Files\Kaseya\KSAASC51184681212415\extensions\Lua.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\Kaseya.AgentEndpoint.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\HitmanPro.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\NBHGui.exe
(Nero AG) C:\Program Files\Nero\Nero8\InCD\InCD.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\KaUsrTsk.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(OnviSource, Inc.) C:\OnviCall\OnviNetSwitchServer\SwitchServer.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\KaseyaRemoteControlHost.exe
(Kaseya International Limited) C:\Program Files\Kaseya\KSAASC51184681212415\KaseyaRemoteControlHost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [570664 2008-03-25] (Nero AG)
HKLM\...\Run: [SecurDisc] => C:\Program Files\Nero\Nero8\InCD\NBHGui.exe [2049320 2008-02-28] (Nero AG)
HKLM\...\Run: [InCD] => C:\Program Files\Nero\Nero8\InCD\InCD.exe [1083176 2008-02-28] (Nero AG)
HKLM\...\Run: [NBKeyScan] => C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe [2221352 2008-02-18] (Nero AG)
HKLM\...\Run: [KASHKSAASC51184681212415] => C:\Program Files\Kaseya\KSAASC51184681212415\KaUsrTsk.exe [574992 2015-03-20] (Kaseya International Limited)
HKLM\...\Run: [tvncontrol] => C:\Program Files\TightVNC\tvnserver.exe [1690096 2013-07-19] (GlavSoft LLC.)
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll [2011-10-07] (LogMeIn, Inc.)
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Shortcut to LoadDSP65.lnk [2010-04-14]
ShortcutTarget: Shortcut to LoadDSP65.lnk -> C:\OnviCall\OnviNetSwitchServer\LoadDSP65.bat ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk [2010-03-19]
ShortcutTarget: Adobe Reader Speed Launch.lnk -> C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Auto-Startup Firmware (If Enabled).lnk [2010-03-19]
ShortcutTarget: Auto-Startup Firmware (If Enabled).lnk -> C:\Program Files\Aculab\GUI Installer\configtool.exe ()
ShellIconOverlayIdentifiers: [NBHShellExt] -> {8D2223A2-B3C6-4e32-B096-CDD11F628C60} => C:\Program Files\Nero\Nero8\InCD\NBHShx.dll [2008-02-28] (Nero AG)
BootExecute: autocheck autochk * bootdelete
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-2472326792-1737383404-690393355-500\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14] (Adobe Systems Incorporated)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://onvisource.webex.com/client/T27LB/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2014-03-06] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll [2014-03-06] (Microsoft Corporation)
Tcpip\..\Interfaces\{F96CFECE-4D53-4F9A-AEBA-B7846B0ADD20}: [NameServer] 65.87.16.20,8.8.8.8
 
FireFox:
========
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106248 2015-04-23] (SurfRight B.V.)
S3 idsvc; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [741376 2006-10-30] (Microsoft Corporation) [File not signed]
R2 InCDsrv; C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe [1440552 2008-02-28] (Nero AG)
R2 KAKSAASC51184681212415; C:\Program Files\Kaseya\KSAASC51184681212415\AgentMon.exe [1155088 2015-03-20] (Kaseya International Limited)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2008-02-26] (Hewlett-Packard Company) [File not signed]
S3 MSSQLSERVER; C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe [9162752 2012-05-11] (Microsoft Corporation)
S3 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [73728 2005-05-03] (Microsoft Corporation) [File not signed]
R2 NeroRegInCDSrv; C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [53032 2008-02-28] (Nero AG)
S4 NetTcpPortSharing; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [122880 2006-10-30] (Microsoft Corporation) [File not signed]
R2 PLFlash DeviceIoControl Service; C:\WINDOWS\system32\IoctlSvc.exe [81920 2006-12-19] (Prolific Technology Inc.) [File not signed]
S3 SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe [323584 2005-05-03] (Microsoft Corporation) [File not signed]
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1690096 2013-07-19] (GlavSoft LLC.)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [1696496 2011-08-18] (RealVNC Ltd)
S3 MySQL; c:\mysql\bin\mysqld-nt MySQL [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 Aculab Call 0; C:\WINDOWS\System32\drivers\AculabCall0.sys [965556 2003-05-16] (Aculab Plc.) [File not signed]
R3 Aculab Card; C:\WINDOWS\System32\drivers\AculabCard.sys [604192 2003-05-19] (Aculab Plc) [File not signed]
R3 Aculab Switch; C:\WINDOWS\System32\drivers\AculabSwitch.sys [22788 2003-05-19] (Aculab Plc) [File not signed]
S3 AculabBridgeFilter; C:\WINDOWS\system32\Drivers\AculabBridge.sys [9720 2002-12-12] (Windows ® 2000 DDK provider) [File not signed]
R3 dfmirage; C:\WINDOWS\System32\DRIVERS\dfmirage.sys [31896 2014-10-08] (DemoForge, LLC)
R3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [35992 2015-05-03] ()
R1 hwinterface; C:\WINDOWS\System32\Drivers\hwinterface.sys [3026 2010-04-15] (Logix4u) [File not signed]
R4 InCDfs; C:\WINDOWS\System32\drivers\InCDFs.sys [128424 2008-02-28] (Nero AG)
R1 InCDPass; C:\WINDOWS\System32\drivers\InCDPass.sys [38952 2008-02-28] (Nero AG)
U1 InCDRec; C:\WINDOWS\System32\drivers\InCDRec.sys [17448 2008-02-28] (Nero AG)
R1 incdrm; C:\WINDOWS\System32\drivers\InCDRm.sys [40360 2008-02-28] (Nero AG)
R3 KAPFA; C:\WINDOWS\system32\drivers\KAPFA.SYS [30992 2015-03-20] (Kaseya)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2009-01-22] (Intel Corporation )
R3 PikaDaytona; C:\WINDOWS\System32\DRIVERS\PikaDaytona.sys [105337 2009-08-24] (PIKA Technologies Inc.) [File not signed]
S3 vncmirror; C:\WINDOWS\System32\DRIVERS\vncmirror.sys [4608 2014-08-18] (RealVNC Ltd.)
R3 XGIGraphics_XG2X; C:\WINDOWS\System32\DRIVERS\xg20grp.sys [299136 2008-09-11] (XGI Technology Inc.)
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-03 18:07 - 2015-05-03 18:07 - 00018584 _____ () C:\Documents and Settings\Administrator\Desktop\Addition.txt
2015-05-03 18:06 - 2015-05-05 15:47 - 00009574 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-05-03 18:06 - 2015-05-05 15:47 - 00000000 ____D () C:\FRST
2015-05-03 18:06 - 2015-05-03 18:06 - 01140736 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2015-05-03 15:45 - 2015-05-03 15:46 - 00002022 _____ () C:\WINDOWS\setupapi.log
2015-05-01 07:40 - 2015-05-01 07:40 - 00001126 _____ () C:\Documents and Settings\Administrator\Desktop\FixExec.txt
2015-05-01 07:39 - 2015-05-01 07:39 - 00883616 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Administrator\Desktop\FixExec.exe
2015-05-01 07:20 - 2015-05-03 15:17 - 00000000 ____D () C:\AdwCleaner
2015-05-01 07:19 - 2015-05-01 07:19 - 02204160 _____ () C:\Documents and Settings\Administrator\Desktop\adwcleaner_4.203.exe
2015-05-01 07:09 - 2015-05-01 07:09 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2015-04-30 15:45 - 2015-05-03 15:41 - 00035992 _____ () C:\WINDOWS\system32\Drivers\hitmanpro37.sys
2015-04-30 15:28 - 2015-04-30 15:28 - 00020178 _____ () C:\WINDOWS\iis6.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00018548 _____ () C:\WINDOWS\FaxSetup.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00008868 _____ () C:\WINDOWS\ocgen.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00008463 _____ () C:\WINDOWS\tsoc.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00006739 _____ () C:\WINDOWS\KB2510531-IE8.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00006185 _____ () C:\WINDOWS\comsetup.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00005700 _____ () C:\WINDOWS\msmqinst.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00005423 _____ () C:\WINDOWS\KB2964358-IE8.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00004096 _____ () C:\WINDOWS\KB2909210-IE8.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00003744 _____ () C:\WINDOWS\ntdtcsetup.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00003249 _____ () C:\WINDOWS\netfxocm.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00001374 _____ () C:\WINDOWS\imsins.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00001374 _____ () C:\WINDOWS\imsins.BAK
2015-04-30 15:28 - 2015-04-30 15:28 - 00001275 _____ () C:\WINDOWS\MedCtrOC.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00001026 _____ () C:\WINDOWS\ocmsn.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000933 _____ () C:\WINDOWS\tabletoc.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000927 _____ () C:\WINDOWS\msgsocm.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000497 _____ () C:\WINDOWS\updspapi.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-04-30 15:28 - 2015-04-30 15:28 - 00000000 _____ () C:\WINDOWS\setupact.log
2015-04-30 15:26 - 2015-04-30 15:26 - 00004808 _____ () C:\WINDOWS\KB2286198.log
2015-04-30 15:20 - 2015-04-30 15:20 - 00022668 _____ () C:\Documents and Settings\Administrator\Desktop\reb_backup_04_30_2015.reg
2015-04-29 10:55 - 2015-04-29 10:55 - 00008316 _____ () C:\Documents and Settings\Administrator\Desktop\HitmanPro_20150429_1055.log
2015-04-29 10:53 - 2015-05-03 15:40 - 00000238 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-04-29 10:53 - 2015-04-29 10:58 - 00000232 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-04-29 10:53 - 2015-04-29 10:53 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2015-04-29 10:52 - 2015-04-29 10:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2015-04-29 10:52 - 2015-04-29 10:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2868626$
2015-04-29 10:51 - 2015-04-30 15:28 - 00000000 ____D () C:\WINDOWS\ie8updates
2015-04-29 10:51 - 2015-04-29 10:52 - 00065536 _____ () C:\WINDOWS\system32\config\Internet.evt
2015-04-29 10:51 - 2015-04-29 10:51 - 00000000 __HDC () C:\WINDOWS\ie8
2015-04-29 10:51 - 2015-04-29 10:51 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2467659$
2015-04-29 10:51 - 2014-03-06 10:59 - 11113472 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 02006016 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00743424 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00630272 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00522240 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00247808 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00055296 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2015-04-29 10:51 - 2014-03-06 10:59 - 00012800 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
2015-04-29 10:51 - 2011-08-16 03:45 - 00006144 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iecompat.dll
2015-04-29 10:49 - 2015-04-29 10:49 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2387149$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2934207$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834886$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2712808$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2659262$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2631813$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2585542$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2564958$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2544893-v2$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2536276-v2$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2479943$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478971$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2345886$
2015-04-29 10:48 - 2015-04-29 10:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2296011$
2015-04-29 10:46 - 2015-04-29 10:46 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2691442$
2015-04-29 10:46 - 2015-04-29 10:46 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB982132$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB978338$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB975558_WM8$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2909212$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2900986$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2898715$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862335$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2847311$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834902-v2_WM10$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2802968$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2686509$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2655992$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2598479$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2485663$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2481109$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2443105$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2378111_WM9$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2229593$
2015-04-29 10:45 - 2015-04-29 10:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2115168$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB979687$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB941569$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2936068$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2904266$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876217$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2864063$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2780091$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2770660$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2719985$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2592799$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2510581$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2507938$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2483185$
2015-04-29 10:44 - 2015-04-29 10:44 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2347290$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB978695_WM9$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB977816$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2964358$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876331$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2859537$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2850869$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2820917$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2807986$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2603381$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2570947$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2535512$
2015-04-29 10:43 - 2015-04-29 10:43 - 00000000 ____D () C:\WINDOWS\$SQLUninstallSQL2000-KB983812-v8.00.2066-x86-ENU$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB981997$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB979482$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB979309$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB978542$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB971029$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2893294$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2892075$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862330$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2757638$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2749655$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2727528$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2723135-v2$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2705219-v2$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2698365$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2653956$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2619339$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2508429$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2506212$
2015-04-29 10:42 - 2015-04-29 10:42 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2419632$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB982665$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2813345$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2676562$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2661637$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2620712$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2566454$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2509553$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478960$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2393802$
2015-04-29 10:41 - 2015-04-29 10:41 - 00000000 ____D () C:\Program Files\MSXML 4.0
2015-04-29 10:40 - 2015-04-29 10:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2584146$
2015-04-29 10:40 - 2015-04-29 10:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2423089$
2015-04-29 10:39 - 2015-04-29 10:39 - 00008314 _____ () C:\Documents and Settings\Administrator\Desktop\HitmanPro_20150429_1039.log
2015-04-28 11:28 - 2015-04-28 11:28 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2286198$
2015-04-28 11:25 - 2015-04-28 11:25 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU.exe
2015-04-28 11:25 - 2015-04-28 11:25 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU (2).exe
2015-04-28 11:25 - 2015-04-28 11:25 - 03028352 _____ (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB2286198-x86-ENU (1).exe
2015-04-28 10:04 - 2014-02-25 18:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\xp_eos.exe
2015-04-28 10:04 - 2014-02-25 18:59 - 00013312 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xp_eos.exe
2015-04-28 10:04 - 2013-07-02 19:12 - 00025088 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidparse.sys
2015-04-28 10:04 - 2013-07-02 18:59 - 00014976 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbscan.sys
2015-04-28 10:03 - 2013-02-11 17:32 - 00012928 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usb8023x.sys
2015-04-28 10:02 - 2013-08-08 17:55 - 00032384 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbccgp.sys
2015-04-28 10:02 - 2013-08-08 17:55 - 00005376 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbd.sys
2015-04-28 10:02 - 2012-01-11 12:06 - 00003072 ____N () C:\WINDOWS\system32\iacenc.dll
2015-04-28 10:02 - 2012-01-11 12:06 - 00003072 ____C () C:\WINDOWS\system32\dllcache\iacenc.dll
2015-04-28 09:54 - 2012-06-02 15:19 - 00015384 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll.mui
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-05 15:47 - 2009-11-23 15:19 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-05-05 11:26 - 2014-08-20 20:32 - 00000000 ____D () C:\kworking
2015-05-05 01:06 - 2014-09-17 11:28 - 01681913 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-03 15:44 - 2009-11-23 22:55 - 00530804 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-05-03 15:40 - 2009-11-23 15:17 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-05-03 15:40 - 2008-04-14 05:00 - 00012598 _____ () C:\WINDOWS\system32\wpa.dbl
2015-05-03 15:20 - 2009-11-23 15:19 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-05-03 15:20 - 2009-11-23 15:17 - 00031154 _____ () C:\WINDOWS\SchedLgU.Txt
2015-05-02 01:46 - 2014-08-20 20:31 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Kaseya
2015-05-01 07:09 - 2009-11-23 15:19 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-04-30 15:28 - 2009-11-23 15:37 - 00000000 ___HD () C:\WINDOWS\$hf_mig$
2015-04-30 15:19 - 2014-09-17 12:33 - 00003430 _____ () C:\WINDOWS\system32\.crusader
2015-04-29 10:54 - 2009-11-23 15:19 - 00000803 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Explorer.lnk
2015-04-29 10:54 - 2009-11-23 15:19 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2015-04-29 10:53 - 2009-11-23 22:54 - 00096664 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-04-29 10:53 - 2009-11-23 22:31 - 00000000 ____D () C:\WINDOWS\Help
2015-04-29 10:51 - 2009-11-23 22:31 - 00000000 ____D () C:\WINDOWS\Media
2015-04-29 10:44 - 2009-11-23 15:40 - 00015628 _____ () C:\WINDOWS\system32\TZLog.log
2015-04-29 10:42 - 2009-11-23 15:01 - 00000000 ____D () C:\Program Files\Movie Maker
2015-04-29 10:42 - 2009-11-23 15:00 - 00000000 ____D () C:\Program Files\Outlook Express
2015-04-29 10:41 - 2009-11-23 22:55 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-04-28 11:09 - 2014-09-30 22:32 - 00000000 ____D () C:\Program Files\RealVNC
2015-04-28 11:09 - 2014-09-30 22:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\RealVNC
2015-04-28 11:09 - 2009-11-23 15:17 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-04-28 09:50 - 2015-01-28 06:21 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\LDTUDY
 
==================== Files in the root of some directories =======
 
2015-01-21 07:45 - 2015-03-17 08:24 - 0000119 _____ () C:\Documents and Settings\Administrator\Application Data\29B722.dat
2008-02-05 12:28 - 2008-02-05 12:28 - 0000051 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\setup.txt
 
Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\nircmd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\TeraCopy.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\wget.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================


#5 AtariBaby

AtariBaby
  • Topic Starter

  • Members
  • 21 posts

Posted 05 May 2015 - 05:53 PM

I ran Hitman Pro and it only found tracking cookies and such! Wasn't prompted for a reboot.

 

FYI not sure if you saw, but in my other thread I still have a recurring worm alert.



#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 06 May 2015 - 02:33 PM

Hi AtariBaby,
 
Looks like the worm is gone on this computer. Let's run a couple more scans :)
 
Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------
 
This scan can take a long time, so it is best done overnight or when you do not need the computer.
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Emsisoft log
  • ESET log

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#7 AtariBaby (Topic Starter, Members, 21 posts)

Posted 07 May 2015 - 01:41 PM

Emsisoft Emergency Kit - Version 9.0
Last update: 5/6/2015 2:03:40 PM
User account: DV01911\Administrator


Scan settings:


Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\


Detect PUPs: Off
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off


Scan start: 5/6/2015 2:04:32 PM
C:\Documents and Settings\Administrator\My Documents\My Music\Plasma RAT.exe  detected: Trojan.Generic.11207683 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003490.exe  detected: Gen:Heur.MSIL.Krypt.3 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003491.exe  detected: Gen:Variant.Barys.7090 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003492.exe  detected: Trojan.GenericKD.2186152 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003493.exe  detected: Gen:Variant.Application.Keylogger.Ardamax.6 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003494.exe  detected: Gen:Variant.Zusy.82226 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003495.com  detected: Gen:Variant.Zusy.82226 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003497.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP165\A0003565.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP165\A0003578.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP166\A0003585.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP166\A0003593.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP167\A0003599.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP168\A0003602.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP169\A0003604.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP170\A0003606.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003608.exe  detected: Gen:Variant.Application.Keylogger.Ardamax.6 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003609.exe  detected: Gen:Variant.Barys.7090 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003611.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP172\A0003627.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP173\A0003652.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP174\A0003655.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP175\A0003716.vbs  detected: Type_VBS_Autorun (B)


Scanned 330094
Found 23


Scan end: 5/6/2015 3:11:17 PM
Scan time: 1:06:45


C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP175\A0003716.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP174\A0003655.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP173\A0003652.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP172\A0003627.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003611.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003609.exe Quarantined Gen:Variant.Barys.7090 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003608.exe Quarantined Gen:Variant.Application.Keylogger.Ardamax.6 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP170\A0003606.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP169\A0003604.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP168\A0003602.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP167\A0003599.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP166\A0003593.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP166\A0003585.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP165\A0003578.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP165\A0003565.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003497.vbs Quarantined Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003495.com Quarantined Gen:Variant.Zusy.82226 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003494.exe Quarantined Gen:Variant.Zusy.82226 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003493.exe Quarantined Gen:Variant.Application.Keylogger.Ardamax.6 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003492.exe Quarantined Trojan.GenericKD.2186152 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003491.exe Quarantined Gen:Variant.Barys.7090 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003490.exe Quarantined Gen:Heur.MSIL.Krypt.3 (B)
C:\Documents and Settings\Administrator\My Documents\My Music\Plasma RAT.exe Quarantined Trojan.Generic.11207683 (B)


Quarantined 23

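The log above lists 23 detections, and all but one of them sit under System Volume Information, that is, inside System Restore snapshots rather than on the live file system. The script below is an added example, not part of this thread and not Emsisoft's own tooling: it parses lines in that a2scan format, separates live-file-system hits from snapshot hits, and flags signatures that recur across several restore points (a file captured in RP165, RP171 and RP175 was on the system while each of those points was active, which is the pattern to look for when malware keeps coming back). The embedded input is an excerpt of the log lines from the post above; the function names are the example's own.

```python
"""Triage an Emsisoft Emergency Kit (a2scan) log: split detections inside
System Restore snapshots from detections on the live file system, and flag
signatures that keep showing up across restore points."""
import re
from collections import defaultdict

# Excerpt of the detection lines from the a2scan log in the post above.
SAMPLE_LOG = r"""
Scan start: 5/6/2015 2:04:32 PM
C:\Documents and Settings\Administrator\My Documents\My Music\Plasma RAT.exe  detected: Trojan.Generic.11207683 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003490.exe  detected: Gen:Heur.MSIL.Krypt.3 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP130\A0003497.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP165\A0003565.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003608.exe  detected: Gen:Variant.Application.Keylogger.Ardamax.6 (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP171\A0003611.vbs  detected: Type_VBS_Autorun (B)
C:\System Volume Information\_restore{CE58744A-F310-477F-8E54-7C2F27D04226}\RP175\A0003716.vbs  detected: Type_VBS_Autorun (B)
Scanned 330094
Found 23
"""

# "<path>  detected: <signature> (<engine tag>)"; the trailing tag is optional.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+detected:\s+(?P<sig>\S+)(?:\s+\((?P<engine>\w+)\))?\s*$"
)
# Files under System Volume Information\_restore{GUID}\RPnnn\ are System Restore
# snapshot copies, not files the running system executes from.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


def parse_detections(log_text):
    """Return one dict per 'detected:' line; every other line is skipped."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_POINT_RE.search(m.group("path"))
        hits.append({
            "path": m.group("path"),
            "signature": m.group("sig"),
            "engine": m.group("engine"),
            "restore_point": int(rp.group("rp")) if rp else None,
        })
    return hits


def triage(hits):
    """Split hits into live-file-system and restore-point buckets."""
    live = [(h["path"], h["signature"]) for h in hits if h["restore_point"] is None]
    by_rp = defaultdict(list)
    for h in hits:
        if h["restore_point"] is not None:
            by_rp[h["restore_point"]].append(h["signature"])
    # A signature captured in several snapshots was on the live system while
    # each of those restore points was active: evidence of repeated infection.
    rps_per_sig = defaultdict(set)
    for rp, sigs in by_rp.items():
        for sig in sigs:
            rps_per_sig[sig].add(rp)
    recurring = {s: sorted(r) for s, r in rps_per_sig.items() if len(r) >= 2}
    return {"live": live, "restore_points": dict(by_rp), "recurring": recurring}


def report(hits):
    """Render the triage as a few summary lines."""
    t = triage(hits)
    lines = [f"Live file system: {len(t['live'])} detection(s)"]
    for path, sig in t["live"]:
        lines.append(f"  {sig}  {path}")
    snapshot_total = sum(len(v) for v in t["restore_points"].values())
    lines.append(
        f"Restore-point snapshots: {snapshot_total} detection(s) "
        f"in {len(t['restore_points'])} restore point(s)"
    )
    for sig, rps in sorted(t["recurring"].items()):
        lines.append(f"  {sig} recurs in RP{', RP'.join(map(str, rps))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_detections(SAMPLE_LOG)))
```

Quarantining the snapshot copies cleans the System Restore archive but says nothing about whether a dropper is still running; the single live hit and the recurrence pattern across restore points are what to examine on a machine where infections keep reappearing.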

#8 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 09 May 2015 - 02:17 PM

Hi AtariBaby,
 
Looks like it found mostly stuff from old system restore points. How is the computer running?
 
Your version of Adobe Flash is out of date.

Please follow these steps to remove older version Adobe Flash components and update:

  • Download the latest version of Adobe Flash and save it to your desktop.
  • Note: If you use Google Chrome then there is no need to download Adobe Flash, if you also use Internet Explorer then use that browser to download Flash.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel, and double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8.
  • Check (highlight) any item with Adobe Flash in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Adobe Flash uninstaller.
  • Reboot your computer once Adobe Flash is removed.
  • Then from your desktop double-click on the Adobe Flash installer to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then run as Administrator.
  • If offered any unwanted software or toolbars during installation (such as Google Chrome and Google Toolbar); just uncheck the box before continuing unless you want these programs.

--------------

Your version of Adobe Reader is out of date.
 
Please follow these steps to remove older version Adobe Reader components and update:

  • Download the latest version of Adobe Reader and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel, and double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7/8.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Adobe Reader uninstaller.
  • Reboot your computer once Adobe Reader is removed.
  • Then from your desktop double-click on the Adobe Reader installer to install the newest version.
  • If using Windows 7/8 or Vista and the installer refuses to launch due to insufficient user permissions, then run as Administrator.
  • If offered any unwanted software or toolbars during installation (such as the McAfee Security Plan Plus); just uncheck the box before continuing unless you want it.
  • Adobe Reader is updated frequently. If you want to be automatically notified of future updates, or automatically have them installed, then make sure to check the option in the installer.

xXToffeeXx~




#9 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 25 May 2015 - 02:20 PM

Hi AtariBaby,

 

How are you getting on with this?

 

xXToffeeXx~




#10 AtariBaby (Topic Starter, Members, 21 posts)

Posted 25 May 2015 - 04:29 PM

I beg your forgiveness. Personal crisis has necessitated I drop this for the last couple of weeks. I would like to check on this and update you within the next 48 hours. Thanks in advance for understanding.



#11 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 6,087 posts)

Posted 26 May 2015 - 12:21 PM

Hi AtariBaby,

 

I am just keeping an eye on my topics, so do not worry about having to reply so quickly. As long as I know what is happening then I am happy to wait. Sorry to hear about a personal crisis.

 

xXToffeeXx~

