
Suspected Malware/Virus - Help required to determine if this is so


15 replies to this topic

#1 NorrieC

Posted 11 August 2015 - 07:16 AM

Good Afternoon,

I would be much obliged if someone could help me determine whether I do actually have a problem or not.

 

If I look at the Firewall logs in my router (BT Business Hub 5) I can see that the Router is allowing incoming connections through to my PC ( XP SP3) from a bunch of IP addresses. When I carry out a whois on the addresses I get some weird and wonderful results from all around the world. To narrow this down I have switched off all browsers and other applications which might legitimately want to access the internet to make sure that they don't cloud the issue. The form of the log entry is the same in all cases, vis-a-vis:

 

12:52:17, 11 Aug.IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.66]:12639 <--> [<my external static IP>]:12639 - - - [80.189.60.235]:54280 ppp0 NAPT)

 

Where 192.168.1.66 is my local PC IP address issued by the DHCP server in the router. The ports 12639 appear on every log entry.

 

The last IP address (80.189.60.235) changes on every line in the log as does the remote port number. The hits are occurring at anything between 10-30s.

 

I have used netstat and CurrPorts to try to determine which app (or whatever) is using port 12639. There is no sign of port 12639 in the port list of either diagnostic tools.

 

I have run TDSKiller, HiJackThis, Malwarebytes and have the Symantec Endpoint 12.1.5 client installed. None can find any issue. I have checked that the DNS settings for my NIC are set to "Obtain...Automatically". I have checked for Proxy settings in the browsers but both are set to "No Proxy".

 

 

One other curious occurrence is that IE8 will not connect to ghostery.com. I never use IE and prefer to use Firefox which connects to ghostery.com without an issue. The IE8 can search for ghostery on google but after it finds it I cannot connect to the site. The error says "Internet Explorer cannot display the web page" and offers me the option of clicking on the "Diagnose Network Connection" button. However, even when using Firefox there is a delay before a website will load. I don't think it is a Broadband Speed issue since my line speed is not bad.

 

Am I being overly suspicious here or do I have a problem? What other tests can you suggest to try to determine this?

 

Thank you in advance for any advice offered.

Regards

NC
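The log-line pattern in the post above, as an added example that is not part of the original thread: a Python parser for the Hub 5 firewall format quoted there, which groups accepted inbound entries by local port, counts distinct remote peers and inter-arrival gaps (a fixed local UDP port hit by many different remote addresses every 10-30 s is the shape of a peer-to-peer listener such as Skype rather than a scan), and maps a port back to a PID from `netstat -ano` output. The external IP, the remote peers and the netstat lines are constructed samples using documentation-range addresses; the "Port Forwarding" tag in the entry means the hub holds a forwarding rule for that port, so the router's port-forwarding/UPnP table is worth checking alongside the PC.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the BT Business Hub 5 firewall-log layout quoted in the post
# (assumption: every entry of interest follows that exact layout).
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}), (?P<date>\d{1,2} \w{3})\.(?P<dir>IN|OUT): "
    r"(?P<action>\w+) \[(?P<rule>\d+)\] (?P<event>.+?) \(Port Forwarding: "
    r"(?P<proto>UDP|TCP) \[(?P<lan_ip>[\d.]+)\]:(?P<lan_port>\d+) <--> "
    r"\[(?P<wan_ip>[\d.]+)\]:(?P<wan_port>\d+) - - - "
    r"\[(?P<remote_ip>[\d.]+)\]:(?P<remote_port>\d+) (?P<iface>\w+) NAPT\)$"
)

# Constructed sample log: external IP and remote peers are documentation-range addresses.
SAMPLE_LOG = """\
12:52:17, 11 Aug.IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.66]:12639 <--> [203.0.113.10]:12639 - - - [198.51.100.7]:54280 ppp0 NAPT)
12:52:39, 11 Aug.IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.66]:12639 <--> [203.0.113.10]:12639 - - - [198.51.100.23]:61002 ppp0 NAPT)
12:53:04, 11 Aug.IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.66]:12639 <--> [203.0.113.10]:12639 - - - [192.0.2.77]:40123 ppp0 NAPT)
12:53:05, 11 Aug.IN: ACCEPT [57] Connection closed (Port Forwarding: TCP [192.168.1.66]:443 <--> [203.0.113.10]:443 - - - [192.0.2.9]:51000 ppp0 NAPT)
12:53:21, 11 Aug.IN: ACCEPT [57] Connection closed (Port Forwarding: UDP [192.168.1.66]:12639 <--> [203.0.113.10]:12639 - - - [198.51.100.7]:54281 ppp0 NAPT)
"""

# Constructed sample of `netstat -ano` output (UDP rows carry no State column).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  UDP    0.0.0.0:12639          *:*                                    2468
  UDP    127.0.0.1:1900         *:*                                    1172
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not a port-forwarding entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "lan_port", "wan_port", "remote_port"):
        entry[key] = int(entry[key])
    # The router log carries no year; strptime's default (1900) is fine for time deltas.
    entry["ts"] = datetime.strptime(f"{entry['date']} {entry['time']}", "%d %b %H:%M:%S")
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Group accepted inbound entries by (proto, lan_ip, lan_port) and describe each group."""
    groups = defaultdict(list)
    for e in entries:
        if e["dir"] == "IN" and e["action"] == "ACCEPT":
            groups[(e["proto"], e["lan_ip"], e["lan_port"])].append(e)
    summary = {}
    for key, items in groups.items():
        items.sort(key=lambda e: e["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(items, items[1:])]
        summary[key] = {
            "hits": len(items),
            "remote_ips": sorted({e["remote_ip"] for e in items}),
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return summary


def fixed_port_fanin(summary, min_peers=3):
    """Local ports receiving from many distinct remote peers: the pattern of a
    P2P/listening application (Skype, in this thread) rather than one scanner."""
    return sorted(k for k, v in summary.items() if len(v["remote_ips"]) >= min_peers)


NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+\S+)?\s+(\d+)\s*$")


def pids_for_port(netstat_text, port, proto="UDP"):
    """Map a local port to owning PIDs from `netstat -ano` output; the PID can then be
    named with `tasklist /fi "pid eq <pid>"` (both standard Windows XP tools)."""
    pids = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(1) == proto and int(m.group(3)) == port:
            pids.add(int(m.group(4)))
    return sorted(pids)


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, info in report.items():
        print(key, info)
    for proto, _, port in fixed_port_fanin(report):
        print(f"{proto} {port}: fan-in from many peers; owning PIDs:",
              pids_for_port(SAMPLE_NETSTAT, port, proto))
```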

 



#2 Oh My!

Posted 14 August 2015 - 11:36 AM

Greetings NorrieC and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Can you tell me if this is familiar to you?

United Kingdom Sheffield Plusnet Plc.

Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows logo key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Posted 17 August 2015 - 08:59 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 

#4 NorrieC

Posted 18 August 2015 - 04:34 PM

Hello Gary,

 

Apologies for the delay in response but I have been away from home the last few days.

 

Your question about Plusnet is slightly cryptic. I know Sheffield. It is a city approx 250 miles from me. I know Plusnet. It is an ISP in the UK, but not mine. Is that what you wanted to know? Or was that the secret society password I just blew?

 

In the time between posting and now I have found out that it was Skype which was using port 12639. I don't know why I didn't see it before. Therefore maybe my concern is unfounded. As per your instructions please find below the contents of FRST and addition.txt copied and pasted into the body of the post. I have attached the summary.nfo file (zipped).

Not that it makes much difference but Symantec didn't like FRST.exe. It said something along the lines of dying a terrible death if I allowed it to run so I did. Lastly, you will see entries in the hosts file. These are listed to prevent the advertising appearing on Skype and I would like to leave them in place if that's OK.

 

Kind regards,

 

Norrie

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:17-08-2015
Ran by <name> (administrator) on <name>LP6 (18-08-2015 21:58:33)
Running from C:\Documents and Settings\<name>.<name>\Desktop
Loaded Profiles: <name> (Available Profiles: <name> & Administrator & <name>admin & <name>)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
(Seagate Technology LLC) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
(Mindteck India Limited) C:\WINDOWS\system32\klpnm.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(O&O Software GmbH) C:\Program Files\OO Software\Defrag\oodag.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
(Apple Inc.) C:\Program Files\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe
(BlackBerry Limited) C:\Program Files\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
(BlackBerry Limited) C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe
(O&O Software GmbH) C:\Program Files\OO Software\Defrag\oodtray.exe
() C:\Program Files\Unlocker\UnlockerAssistant.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Roxio) C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Seagate LLC) C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
(Intel Corporation) C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(BlackBerry Limited) C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(BlackBerry Limited) C:\Program Files\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe
() C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe
(Sysinternals - www.sysinternals.com) C:\Apps\procexp.exe
(Research In Motion Limited) C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
(Research In Motion) C:\Program Files\Research In Motion\BlackBerry Link\BlackBerryLink.Helper.exe
(Research In Motion) C:\Program Files\Research In Motion\BlackBerry Link\BlackBerryLink.AutoUpdate.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [OODefragTray] => C:\Program Files\OO Software\Defrag\oodtray.exe [5029232 2012-09-14] (O&O Software GmbH)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [UnlockerAssistant] => C:\Program Files\Unlocker\UnlockerAssistant.exe [17408 2010-07-04] ()
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [761947 2006-03-08] (Synaptics, Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] => C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [405504 2007-05-10] (SigmaTel, Inc.)
HKLM\...\Run: [RoxioDragToDisc] => C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [1116920 2006-08-17] (Roxio)
HKLM\...\Run: [nwiz] => nwiz.exe /installquiet
HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit
HKLM\...\Run: [NVHotkey] => rundll32.exe nvHotkey.dll,Start
HKLM\...\Run: [MaxMenuMgr] => C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [185640 2009-05-01] (Seagate LLC)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [995328 2007-10-08] (Intel Corporation)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [1101824 2007-10-08] (Intel Corporation)
HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [443640 2014-10-31] (BlackBerry Limited)
HKLM\...\Run: [RIM PeerManager] => C:\Program Files\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe [4730616 2015-05-26] (BlackBerry Limited)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\...\Run: [AdobeBridge] => [X]
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\O&O Defrag Tray.lnk [2015-06-01]
ShortcutTarget: O&O Defrag Tray.lnk -> C:\WINDOWS\Installer\{A797B4C6-AEDB-4D46-9F4B-8E98DA192252}\DefragIcon.exe ()
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\WINDOWS\system32\AcSignIcon.dll [2012-02-06] (Autodesk, Inc.)
BootExecute: autocheck autochk * OODBS

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2875639932-1471808782-1253104730-1147\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-1695840115-2258506580-2628638250-1134] => http=;ftp=;https=;
HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.co.uk/
HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://uk.msn.com/?ocid=iehp
HKU\S-1-5-21-2875639932-1471808782-1253104730-1147\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://companyweb
HKU\S-1-5-21-2875639932-1471808782-1253104730-1147\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://companyweb
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\bin\IPS\IPSBHO.DLL [2014-09-12] (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_51\bin\ssv.dll [2015-08-04] (Oracle Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18] (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-08-04] (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-02-25] (Eyeo GmbH)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1695840115-2258506580-2628638250-1134 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-2875639932-1471808782-1253104730-1147 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2006-12-18] (Adobe Systems Incorporated)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-02-08] (Skype Technologies S.A.)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of  Addition.txt
Tcpip\..\Interfaces\{7A14B27A-A34A-43E0-8573-EE1FA8BFB6CA}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{EF2A0816-37DA-41F0-9153-306E0CBC2DB0}: [NameServer] 10.0.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default
FF Homepage: https://duckduckgo.com/
FF NetworkProxy: "gopher", ""
FF NetworkProxy: "gopher_port", 0
FF NetworkProxy: "no_proxies_on", "localhost, 127.0.0.1, stealthy.co"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-08-04] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1215155.dll [2014-12-02] (Adobe Systems, Inc.)
FF Plugin: @alibaba.com/nptrademanager;version=1.0 -> C:\DOCUME~1\<name>~1.CRA\LOCALS~1\Temp\..\application data\nptrademanager\nptrademanager.dll [2012-05-31] ( )
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-08-04] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-08-04] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2015-05-22] ()
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1695840115-2258506580-2628638250-1134: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\<name>\Local Settings\Application Data\Citrix\Plugins\94\npappdetector.dll [2013-02-28] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\<name>.<name>\Application Data\mozilla\plugins\npatgpc.dll [2015-01-20] (Cisco WebEx LLC)
FF Extension: Advanced Cookie Manager - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\cookiemgr@jayapal.com [2015-05-29]
FF Extension: Blur (Formerly DoNotTrackMe) - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\donottrackplus@abine.com [2015-05-29]
FF Extension: ProxTube - Unblock YouTube - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\ich@maltegoetz.de [2015-06-03]
FF Extension: Flashblock - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2015-05-29]
FF Extension: DownloadHelper - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2015-05-29]
FF Extension: YouTube to MP3 Free Converter - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\extension@321youtube.com.xpi [2014-11-22]
FF Extension: YouTube Video and Audio Downloader - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\feca4b87-3be4-43da-a1b1-137c24220968@jetpack.xpi [2014-11-22]
FF Extension: Ghostery - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\firefox@ghostery.com.xpi [2014-11-22]
FF Extension: Image and Flash Blocker - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\imgflashblocker@shimon.chohen.xpi [2014-11-22]
FF Extension: ProxMate - Proxy on steroids! - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi [2015-04-10]
FF Extension: stealthy - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\stealthyextension@gmail.com.xpi [2014-11-22]
FF Extension: UAControl - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\uacontrol@qz.tsugumi.org.xpi [2015-08-07]
FF Extension: Screengrab  (fix version) - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{02450914-cdd9-410f-b1da-db004e18c671}.xpi [2014-11-22]
FF Extension: FxIF - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{11483926-db67-4190-91b1-ef20fcec5f33}.xpi [2015-06-26]
FF Extension: FlashGot - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2014-11-22]
FF Extension: Nuke Anything Enhanced - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{1ced4832-f06e-413f-aa14-9eb63ad40ace}.xpi [2015-08-17]
FF Extension: Modify Headers - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}.xpi [2014-11-22]
FF Extension: DownThemAll! - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2014-11-22]
FF Extension: Greasemonkey - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2014-11-22]
FF Extension: Adblock Edge - C:\Documents and Settings\<name>.<name>\Application Data\Mozilla\Firefox\Profiles\e1gzd0hc.default\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2014-11-22]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-08-04]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 6to4; C:\WINDOWS\System32\6to4svc.dll [100864 2010-02-12] (Microsoft Corporation)
S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2011-08-25] (Adobe Systems) [File not signed]
R3 BlackBerry Device Manager; C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [588024 2014-10-31] (BlackBerry Limited)
R2 EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [794624 2007-10-08] (Intel Corporation) [File not signed]
R2 FreeAgentGoNext Service; C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe [181544 2009-05-01] (Seagate Technology LLC)
R2 instdt; C:\WINDOWS\system32\klpnm.exe [20480 2013-03-17] (Mindteck India Limited) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 OODefragAgent; C:\Program Files\OO Software\Defrag\oodag.exe [2019184 2012-09-14] (O&O Software GmbH)
R2 RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [483328 2007-10-08] (Intel Corporation) [File not signed]
R2 RIM MDNS; C:\Program Files\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [396024 2015-03-19] (Apple Inc.)
R2 RIM Tunnel Service; C:\Program Files\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe [1355000 2015-05-26] (BlackBerry Limited)
S2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [1183744 2007-10-08] (Intel Corporation ) [File not signed]
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\ccSvcHst.exe [144496 2014-09-12] (Symantec Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\snac.exe [337248 2014-09-12] (Symantec Corporation)
S3 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [73728 2006-09-14] (MicroVision Development, Inc.) [File not signed]
S2 WLANKEEPER; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [356352 2007-10-08] (Intel Corporation) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21361 2011-08-04] (Cisco Systems, Inc.)
R1 BHDrvx86; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\BASHDefs\20150806.012\BHDrvx86.sys [1181936 2015-08-05] (Symantec Corporation)
S3 blackberryncm; C:\WINDOWS\System32\DRIVERS\blackberryncm.sys [19968 2014-09-08] (BlackBerry)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R1 ccSettings_{7EC551EC-6FEE-44A6-BD12-987F87D7C525}; C:\WINDOWS\System32\Drivers\SEP\0C0114D9\1388.105\x86\ccSetx86.sys [127064 2014-09-12] (Symantec Corporation)
S3 DrvAgent32; C:\WINDOWS\system32\Drivers\DrvAgent32.sys [23456 2015-05-10] (Phoenix Technologies) [File not signed]
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [122192 2015-08-07] (Symantec Corporation)
R3 GT680x; C:\WINDOWS\System32\Drivers\gt680x.sys [17504 2003-02-21] (   )
S3 HSFHWAZL; C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys [201600 2005-07-22] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [1035008 2005-07-22] (Conexant Systems, Inc.)
R1 IDSxpx86; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\IPSDefs\20150817.011\IDSxpx86.sys [478352 2015-05-27] (Symantec Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 NAVENG; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150817.001\NAVENG.SYS [104440 2015-08-07] (Symantec Corporation)
R3 NAVEX15; C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Data\Definitions\VirusDefs\20150817.001\NAVEX15.SYS [1645432 2015-08-07] (Symantec Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S3 Netaapl; C:\WINDOWS\System32\DRIVERS\netaapl.sys [18432 2011-08-02] (Apple Inc.) [File not signed]
S3 NETw4x32; C:\WINDOWS\System32\DRIVERS\NETw4x32.sys [2236032 2007-09-26] (Intel Corporation) [File not signed]
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [36528 2006-07-24] (Sonic Solutions) [File not signed]
S3 RimUsb; C:\WINDOWS\System32\Drivers\RimUsb.sys [68608 2014-05-06] (BlackBerry Limited)
R3 rimvndis; C:\WINDOWS\System32\Drivers\rimvndis.sys [12288 2015-03-19] (BlackBerry Limited)
R3 SGCameraUVC; C:\WINDOWS\System32\Drivers\SGCameraUVC.sys [66560 2008-10-22] (SiGma Micro)
R1 SRTSP; C:\WINDOWS\System32\Drivers\SEP\0C0114D9\1388.105\x86\SRTSP.SYS [668888 2014-09-12] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\System32\Drivers\SEP\0C0114D9\1388.105\x86\SRTSPX.SYS [32984 2014-09-12] (Symantec Corporation)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.5337.5000.105\Bin\SyDvCtrl32.sys [30736 2014-09-12] (Symantec Corporation)
R0 SymEFASI; C:\WINDOWS\System32\drivers\symefasi\0500010.01F\symefasi.sys [1278680 2015-01-20] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2015-01-20] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\System32\Drivers\SEP\0C0114D9\1388.105\x86\Ironx86.SYS [209624 2014-09-12] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\SEP\0C0114D9\1388.105\x86\SYMTDI.SYS [423256 2014-09-12] (Symantec Corporation)
S3 SynTP; C:\WINDOWS\System32\DRIVERS\SynTP.sys [191872 2006-03-08] (Synaptics, Inc.) [File not signed]
R1 SysPlant; C:\WINDOWS\System32\Drivers\SysPlant.sys [131176 2015-01-20] (Symantec Corporation)
R1 Tcpip6; C:\WINDOWS\System32\DRIVERS\tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
R3 Teefer2; C:\WINDOWS\System32\DRIVERS\teefer.sys [152984 2014-09-12] (Symantec Corporation)
U2 CertPropSvc; no ImagePath
R1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [X]
S4 HSXHWAZL; system32\DRIVERS\HSXHWAZL.sys [X]
S4 IntelIde; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
S4 utdrv; \??\C:\WINDOWS\system32\drivers\utdrv.sys [X]
U4 WinDefend; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-18 21:58 - 2015-08-18 21:59 - 00025001 _____ C:\Documents and Settings\<name>.<name>\Desktop\FRST.txt
2015-08-18 21:57 - 2015-08-18 21:58 - 00000000 ____D C:\FRST
2015-08-18 21:55 - 2015-08-18 21:55 - 01677312 _____ (Farbar) C:\Documents and Settings\<name>.<name>\Desktop\frst.exe
2015-08-12 14:25 - 2015-08-12 14:32 - 00000000 ____D C:\AdwCleaner
2015-08-11 12:11 - 2015-08-11 12:11 - 00000000 ____D C:\Documents and Settings\<name>.<name>\Local Settings\Application Data\Adblock Plus for IE
2015-08-11 12:03 - 2015-08-11 12:03 - 00000000 ____D C:\Program Files\Adblock Plus for IE
2015-08-11 12:03 - 2015-08-11 12:03 - 00000000 ____D C:\Documents and Settings\<name>.<name>\Application Data\Adblock Plus for IE
2015-08-04 22:41 - 2015-08-04 22:41 - 00000000 ____D C:\Program Files\Common Files\Java
2015-08-04 10:40 - 2009-08-07 06:30 - 86770592 _____ (Microsoft Corporation) C:\WSUS30-KB972455-x64.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-18 21:59 - 2014-11-22 00:26 - 00000000 ____D C:\Documents and Settings\<name>.<name>\Local Settings\Temp
2015-08-18 21:55 - 2014-11-27 09:38 - 00000000 ____D C:\Documents and Settings\<name>.<name>\Application Data\Skype
2015-08-18 21:51 - 2011-08-05 00:28 - 00000128 _____ C:\WINDOWS\system32\config\netlogon.ftl
2015-08-18 19:19 - 2003-03-31 13:00 - 00000634 _____ C:\WINDOWS\win.ini
2015-08-18 19:17 - 2011-08-04 20:51 - 01351106 _____ C:\WINDOWS\WindowsUpdate.log
2015-08-18 11:14 - 2011-08-04 21:21 - 00009892 _____ C:\WINDOWS\wiadebug.log
2015-08-18 08:55 - 2011-08-04 21:12 - 00000000 ____D C:\WINDOWS\security
2015-08-18 07:15 - 2012-07-30 16:32 - 00141281 _____ C:\WINDOWS\system32\nvModes.001
2015-08-17 11:57 - 2011-10-25 13:44 - 00000000 ____D C:\Program Files\LT-Extender 2000
2015-08-17 10:03 - 2014-11-27 09:44 - 00002036 ____H C:\Documents and Settings\<name>.<name>\My Documents\Default.rdp
2015-08-13 12:51 - 2015-07-12 23:08 - 00004182 _____ C:\ads_err.adt
2015-08-13 12:51 - 2015-07-12 23:08 - 00003072 _____ C:\ads_err.adi
2015-08-12 14:40 - 2011-08-04 21:19 - 00607640 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-08-12 14:39 - 2012-07-30 16:32 - 00163003 _____ C:\WINDOWS\system32\nvapps.xml
2015-08-12 14:37 - 2003-03-31 13:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl
2015-08-12 14:35 - 2011-08-04 21:21 - 00000053 _____ C:\WINDOWS\wiaservc.log
2015-08-12 14:35 - 2011-08-04 21:12 - 00000000 ____D C:\WINDOWS\system32\ias
2015-08-12 14:35 - 2011-08-04 20:30 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-08-12 14:34 - 2015-05-27 18:56 - 00090793 _____ C:\WINDOWS\system32\oodbs.lor
2015-08-12 14:34 - 2012-09-12 14:06 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2736233$
2015-08-12 14:33 - 2014-11-22 00:26 - 00000278 ___SH C:\Documents and Settings\<name>.<name>\ntuser.ini
2015-08-12 14:33 - 2014-11-22 00:26 - 00000000 ____D C:\Documents and Settings\<name>.<name>
2015-08-12 14:33 - 2013-03-30 09:57 - 08388608 _____ C:\WINDOWS\system32\config\Symantec.evt
2015-08-12 14:33 - 2011-08-26 17:18 - 00000012 _____ C:\WINDOWS\bthservsdp.dat
2015-08-12 14:33 - 2011-08-04 20:34 - 00032466 _____ C:\WINDOWS\SchedLgU.Txt
2015-08-11 11:33 - 2015-05-31 21:14 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-08-11 11:31 - 2015-05-31 21:14 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-11 11:31 - 2015-05-31 21:14 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-11 10:45 - 2014-08-13 20:31 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-08-11 09:04 - 2014-12-08 17:02 - 01237395 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2875639932-1471808782-1253104730-1147-0.dat
2015-08-11 09:04 - 2011-10-06 08:59 - 00292698 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2015-08-04 22:52 - 2014-11-22 00:27 - 00000000 ____D C:\Documents and Settings\<name>.<name>\Application Data\Adobe
2015-08-04 22:44 - 2014-10-20 13:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Oracle
2015-08-04 22:44 - 2011-08-05 00:57 - 00000000 ____D C:\Program Files\Java
2015-08-04 22:40 - 2015-05-10 13:00 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2015-08-04 22:40 - 2015-05-10 13:00 - 00096352 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2015-08-04 19:58 - 2014-11-22 12:53 - 00000000 ____D C:\Documents and Settings\<name>.<name>\Local Settings\Application Data\Adobe
2015-08-04 19:58 - 2012-03-31 18:40 - 00778416 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-08-04 19:58 - 2011-08-05 00:59 - 00142512 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-08-04 19:39 - 2014-11-05 19:53 - 00528828 _____ C:\WINDOWS\setupapi.log
2015-08-03 07:24 - 2011-08-05 00:29 - 00000000 __SHD C:\WINDOWS\CSC

==================== Files in the root of some directories =======

2015-01-21 14:12 - 2015-01-21 14:12 - 0000147 _____ () C:\Documents and Settings\<name>.<name>\Local Settings\Application Data\fusioncache.dat

Some files in TEMP:
====================
C:\Documents and Settings\<name>.<name>\Local Settings\Temp\dllnt_dump.dll
C:\Documents and Settings\<name>.<name>\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\<name>.<name>\Local Settings\Temp\SkypeSetup.exe
C:\Documents and Settings\<name>.<name>\Local Settings\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x86) Version:17-08-2015
Ran by <name> (2015-08-18 22:00:03)
Running from C:\Documents and Settings\<name>.<name>\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2000478354-261478967-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-2000478354-261478967-839522115-1006 - Limited - Enabled)
Guest (S-1-5-21-2000478354-261478967-839522115-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-2000478354-261478967-839522115-1000 - Limited - Disabled)
Joe.Bloggs (S-1-5-21-2000478354-261478967-839522115-1013 - Limited - Enabled)
<name> (S-1-5-21-2000478354-261478967-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Norrie
SUPPORT_388945a0 (S-1-5-21-2000478354-261478967-839522115-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Enabled - Up to date) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection (Disabled) {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABBYY FineReader 4.0 Sprint (HKLM\...\ABBYY FineReader 4.0 Sprint) (Version:  - )
Adblock Plus for IE (32-bit) (HKLM\...\{A243D0E2-D027-4340-AA12-6B13B2A96AC0}) (Version: 1.4 - Eyeo GmbH)
Adobe Acrobat 7.1.0 Professional (HKLM\...\Adobe Acrobat 7.0 Professional) (Version: 7.1.0 - Adobe Systems)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.7.1.19610 - Adobe Systems Incorporated)
Adobe Dreamweaver CS4 (HKLM\...\Adobe_acce07fd2c8fe7f9e3f26243e626578) (Version: 10.0 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Photoshop CS2 (HKLM\...\Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}) (Version: 9.0 - Adobe Systems, Inc.)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.5.155 - Adobe Systems, Inc.)
AliIM Plugins for Browser (HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\...\AliIM Plugins for Browser) (Version: 1.0 - Alibaba(China) Co., Ltd)
AnVir Task Manager Free (HKLM\...\AnVir Task Manager Free) (Version:  - AnVir Software)
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Application Verifier x86 External Package (Version: 8.37.0 - Microsoft) Hidden
AutoCAD LT 2006 - English (HKLM\...\{5783F2D7-4009-0409-0002-0060B0CE6BBA}) (Version: 16.2.77.0 - Autodesk)
Autodesk 2006 OE Hotfix (HKLM\...\Autodesk 2006 OE Hotfix) (Version:  - )
Autodesk Architectural 2006 Object Enabler (HKLM\...\{ABA7DDDE-ECA7-4DD3-94D6-0FD6A50D66E0}) (Version: 4.7.265 - Autodesk, Inc.)
Autodesk Buzzsaw 2012.1.21.2991 (HKLM\...\Autodesk Buzzsaw 2012) (Version: 2012.1.21.2991 - Autodesk)
Autodesk DWF Viewer (HKLM\...\Autodesk DWF Viewer) (Version: 5.1 - Autodesk, Inc.)
Autodesk Inventor Fusion 2013 (HKLM\...\Autodesk Inventor Fusion 2013) (Version: 2.0.0.206 - Autodesk, Inc.)
Autodesk Inventor Fusion 2013 (Version: 2.0.0.206 - Autodesk, Inc.) Hidden
Autodesk Material Library 2012 (HKLM\...\{8F0837C2-EE09-4903-88F3-1976FE7FFF4E}) (Version: 2.5.0.8 - Autodesk)
Autodesk Material Library 2013 (HKLM\...\{117EBEEB-5DB0-43C8-9FD6-DD583DB152DD}) (Version: 3.0.14 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2012 (HKLM\...\{65420DC9-306E-4371-905F-F4DC3B418E52}) (Version: 2.5.0.8 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2013 (HKLM\...\{606E12B9-641F-4644-A22A-FF38AE980AFD}) (Version: 3.0.14 - Autodesk)
BearPaw 1200CU Plus v1.2 (HKLM\...\InstallShield_{243AA596-2B64-4DBF-B765-374B8328F504}) (Version: 1.2 - mustek)
BearPaw 1200CU Plus v1.2 (Version: 1.2 - mustek) Hidden
BlackBerry 10 Desktop Software (Blend, Link, Drivers) (HKLM\...\{c33e77db-89b5-4abf-a1d1-97f8b35347e1}) (Version: 1.2.0.52 - BlackBerry)
BlackBerry Communication Drivers (Version: 8.0.0.143 - BlackBerry Ltd.) Hidden
BlackBerry Device Drivers (Version: 8.0.0.143 - BlackBerry Ltd.) Hidden
BlackBerry Link (Version: 1.2.4.39 - BlackBerry) Hidden
BlackBerry Link Remover (Version: 1.2.4.0 - BlackBerry Ltd.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom 440x 10/100 Integrated Controller (HKLM\...\InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}) (Version: 5.51.03 - Broadcom)
Broadcom 440x 10/100 Integrated Controller (Version: 5.51.03 - Broadcom) Hidden
Broadcom Advanced Control Suite (HKLM\...\{26E1BFB0-E87E-4696-9F89-B467F01F81E5}) (Version: 8.68.05 - Broadcom Corporation)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Component Checker (HKLM\...\{9B2E8AF3-0BF6-4822-BF21-32D493319042}) (Version: 2.0.0 - Microsoft)
Connect (Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden
ConvertHelper 2.2 (HKLM\...\{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1) (Version:  - DownloadHelper)
CPUID CPU-Z 1.72 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
CPUID HWMonitor 1.27 (HKLM\...\CPUID HWMonitor_is1) (Version:  - )
CuteFTP 8 Professional (HKLM\...\{91F34319-08DE-457a-99C0-0BCDFAC145B9}) (Version: 8.3.2 - GlobalSCAPE)
DWG TrueView 2013 (HKLM\...\DWG TrueView 2013) (Version: 19.0.55.0 - Autodesk)
DWG TrueView 2013 (Version: 19.0.55.0 - Autodesk) Hidden
Gadwin PrintScreen Professional (HKLM\...\Gadwin PrintScreen Professional) (Version: 4.5 - Gadwin Systems, Inc.)
High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
HijackThis 2.0.2 (HKLM\...\HijackThis) (Version: 2.0.2 - TrendMicro)
HP DeskJet 1220C Printer (HKLM\...\HP DeskJet 1220C Printer) (Version:  - )
Intel® PROSet/Wireless Software (HKLM\...\ProInst) (Version: 11.5.0000 - Intel Corporation)
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Java 8 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
Kits Configuration Installer (Version: 8.37.0 - Microsoft) Hidden
K-Lite Codec Pack 10.0.5 Standard (HKLM\...\KLiteCodecPack_is1) (Version: 10.0.5 - )
kuler (Version: 2.0 - Adobe Systems Incorporated) Hidden
LT-Extender 2000 Plus for AutoCAD LT© 2000-2008 (HKLM\...\LT-Extender 2000 Plus for AutoCAD LT© 2000-2008) (Version:  - )
Magical Jelly Bean KeyFinder (HKLM\...\KeyFinder_is1) (Version: 2.0.10.10 - Magical Jelly Bean)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
mCore (Version: 11.02.0000 - Intel Corporation) Hidden
mDriver (Version: 11.02.0000 - Intel) Hidden
mDrWiFi (Version: 11.02.0000 - Intel Corporation) Hidden
mHlpDell (Version: 11.02.0000 - Intel) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Bootvis (HKLM\...\{0F9196C6-58B4-445B-B56E-B1200FECC151}) (Version: 1.3.37 - Microsoft)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Fix it Center (HKLM\...\{B7588D45-AFDC-4C93-9E2E-A100F3554B64}) (Version: 1.0.0100 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office OneNote 2003 (HKLM\...\{90A10409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{91110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Project 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-003A-0000-0000-0000000FF1CE}_PRJSTD_{8446EB22-A746-46DC-B1BD-E0DFA1F3CDDA}) (Version:  - Microsoft)
Microsoft Office Project Standard 2007 (HKLM\...\PRJSTD) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office SharePoint Designer 2007 (HKLM\...\SharePointDesigner) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office SharePoint Designer 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{4B4DF6E2-5E40-422B-82DD-205FD7E79226}) (Version:  - Microsoft)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft WinUsb 1.0 (HKLM\...\winusb0100) (Version:  - Microsoft Corporation)
mIWA (Version: 11.02.0000 - Intel Corporation) Hidden
mLogView (Version: 11.02.0000 - Intel Corporation) Hidden
mMHouse (Version: 11.02.0000 - Intel Corporation) Hidden
Modem Helper (HKLM\...\{7F142D56-3326-11D5-B229-002078017FBF}) (Version: 3.02 - BVRP Software)
Mozilla Firefox 25.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 25.0.1 (x86 en-US)) (Version: 25.0.1 - Mozilla)
mPfMgr (Version: 11.02.0000 - Intel Corporation) Hidden
mPfWiz (Version: 11.02.0000 - Intel Corporation) Hidden
mProSafe (Version: 9.00.0000 - Intel) Hidden
mSCfg (Version: 11.02.0000 - Intel Corporation) Hidden
mSSO (Version: 11.02.0000 - Intel Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (Version: 6.00.3883.8 - Microsoft Corporation) Hidden
mWlsSafe (Version: 9.00.0000 - Intel) Hidden
mWMI (Version: 11.02.0000 - Intel Corporation) Hidden
mZConfig (Version: 11.02.0000 - Intel Corporation) Hidden
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.3 - )
O&O Defrag Professional (HKLM\...\{A797B4C6-AEDB-4D46-9F4B-8E98DA192252}) (Version: 16.0.139 - O&O Software GmbH)
Outlook Spam Report add-on (HKLM\...\{4659DAA8-516D-4048-A323-5DAE7117A2F7}) (Version: 1.0.0 - 2011)
OZ776 SCR CardBus Windows Driver (HKLM\...\InstallShield_{2D91C34E-12CC-4B1B-90D5-31DAD47B6F48}) (Version: 0.0.0.1 - O2Micro International LTD.)
OZ776 SCR CardBus Windows Driver (Version: 0.0.0.1 - O2Micro International LTD.) Hidden
PDF to DWG Converter (HKLM\...\{547C9628-C490-48AB-94F4-7F2495562930}) (Version:  - )
Photoshop Camera Raw (Version: 5.0 - Adobe Systems Incorporated) Hidden
PowerISO (HKLM\...\PowerISO) (Version:  - )
Process Hacker 2.33 (r5590) (HKLM\...\Process_Hacker2_is1) (Version: 2.33.0.5590 - wj32)
QuickTime (HKLM\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Recuva (HKLM\...\Recuva) (Version: 1.37 - Piriform)
Reg Organizer version 6.11 (HKLM\...\Reg Organizer_is1) (Version: 6.11 - ChemTable Software)
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.3.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.3.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.3.0 - Roxio)
Roxio Creator DE (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.3.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.3.0 - Roxio)
Roxio Drag-to-Disc (HKLM\...\{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}) (Version: 9.0 - Roxio)
Roxio Express Labeler (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 2.1.0 - Roxio)
Roxio MyDVD LE (HKLM\...\{21657574-BD54-48A2-9450-EB03B2C7FC29}) (Version: 6.1.6 - Roxio)
Roxio RecordNow Audio (HKLM\...\{AB708C9B-97C8-4AC9-899B-DBF226AC9382}) (Version: 2.0.4 - Roxio)
Roxio RecordNow Copy (HKLM\...\{B12665F4-4E93-4AB4-B7FC-37053B524629}) (Version: 2.0.4 - Roxio)
Roxio RecordNow Data (HKLM\...\{075473F5-846A-448B-BCB3-104AA1760205}) (Version: 2.0.4 - Roxio)
Roxio Update Manager (HKLM\...\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}) (Version: 3.0.0 - Roxio)
SDK Debuggers (Version: 8.37.0 - Microsoft Corporation) Hidden
Seagate Manager Installer (HKLM\...\InstallShield_{231A1A09-FDF2-45F2-B3D1-964CECE372BC}) (Version: 2.01.0109 - Seagate)
Seagate Manager Installer (Version: 2.01.0109 - Seagate) Hidden
SeaTools for Windows 1.4.0.2 (HKLM\...\SeaTools for Windows) (Version: 1.4.0.2 - Seagate Technology)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.5210.0 - SigmaTel)
Skype Toolbars (HKLM\...\{981029E0-7FC9-4CF3-AB39-6F133621921A}) (Version: 1.0.4051 - Skype Technologies S.A.)
Skype™ 6.18 (HKLM\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.18.106 - Skype Technologies S.A.)
Sonic Activation Module (Version: 1.0 - Sonic Solutions) Hidden
SPC2000 (HKLM\...\{B4AEA107-D492-4FE6-B43D-DD920FB34669}) (Version: 1.0.0.0 - )
Suite Shared Configuration CS4 (Version: 1.0 - Adobe Systems Incorporated) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Symantec Endpoint Protection (HKLM\...\{0E251D4D-316C-4F8B-A4C5-2722000764BE}) (Version: 12.1.5337.5000 - Symantec Corporation)
Symantec Endpoint Protection Manager Remote Console (HKU\S-1-5-21-2875639932-1471808782-1253104730-1147\...\Symantec Endpoint Protection Manager Remote Console) (Version:  - Symantec Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 8.2.4.6 - Synaptics)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-003A-0000-0000-0000000FF1CE}_PRJSTD_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
WallWatcher (HKLM\...\WallWatcher) (Version:  - )
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
WinDFT (HKLM\...\{065F384A-5C64-4532-814A-A24BA5374503}) (Version: 1.0.0 - HGST)
Windows Driver Package - FTDI CDM Driver Package (06/27/2007 2.02.04) (HKLM\...\00BD1CD47675C125126C80095FCC12CFA4D311DB) (Version: 06/27/2007 2.02.04 - FTDI)
Windows Driver Package - FTDI CDM Driver Package (06/27/2007 2.02.04) (HKLM\...\A622B79B943ECA1F0AECF1FF5BE13D458F345EBB) (Version: 06/27/2007 2.02.04 - FTDI)
Windows Driver Package - Ricoh Company (rimsptsk) hdc  (11/14/2006 6.00.01.04) (HKLM\...\4569969E1360D2854474C661EF9B4D54F143EB16) (Version: 11/14/2006 6.00.01.04 - Ricoh Company)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Media Player Firefox Plugin (HKLM\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
Windows PowerShell™ 1.0 (HKLM\...\PowerShell) (Version: 1 - Microsoft Corporation)
Windows Small Business Server 2008 ClientAgent (HKLM\...\{492F8345-095D-467F-926C-278870D93ECF}) (Version: 6.0.5601.0 - Microsoft Corporation)
Windows Software Development Kit (HKLM\...\{9a2c2c20-17e6-43c4-be07-a3e0c5cea9f7}) (Version: 8.37.0 - Microsoft Corporation)
Windows Support Tools (HKLM\...\{8398B542-3CC4-44D9-83DF-696CCE70124B}) (Version: 5.1.2510.0 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
WinZip 12.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}) (Version: 12.0.8252 - WinZip Computing, S.L. )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2875639932-1471808782-1253104730-1147_Classes\CLSID\{3faa4380-a399-11cf-a466-00805fe418f6}\InprocServer32 -> C:\Program Files\Autodesk\DWG TrueView 2013\en-US\dwgviewrficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2875639932-1471808782-1253104730-1147_Classes\CLSID\{57919D40-FFFB-43F0-B464-D909E268A690}\localserver32 -> C:\Program Files\AutoCAD LT 2006\aclt.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2875639932-1471808782-1253104730-1147_Classes\CLSID\{6A221957-2D85-42A7-8E19-BE33950D1DEB}\localserver32 -> C:\Program Files\Autodesk\DWG TrueView 2013\dwgviewr.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2875639932-1471808782-1253104730-1147_Classes\CLSID\{74F5CC00-49A9-11CF-A2F9-444553540000}\InprocServer32 -> C:\Program Files\AutoCAD LT 2006\acltficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2875639932-1471808782-1253104730-1147_Classes\CLSID\{8E75D913-3D21-11D2-85C4-080009A0C626}\localserver32 -> C:\Program Files\AutoCAD LT 2006\aclt.exe (Autodesk, Inc.)

==================== Restore Points =========================

13-06-2015 13:31:45 System Checkpoint
14-06-2015 19:52:47 System Checkpoint
15-06-2015 21:11:52 System Checkpoint
17-06-2015 19:44:42 System Checkpoint
18-06-2015 20:32:08 System Checkpoint
19-06-2015 21:14:52 System Checkpoint
21-06-2015 12:57:27 System Checkpoint
22-06-2015 17:30:51 System Checkpoint
23-06-2015 21:30:59 System Checkpoint
24-06-2015 22:09:02 System Checkpoint
26-06-2015 17:21:20 System Checkpoint
28-06-2015 10:08:10 System Checkpoint
29-06-2015 18:54:11 System Checkpoint
01-07-2015 08:20:29 System Checkpoint
02-07-2015 17:08:44 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005
03-07-2015 18:50:45 System Checkpoint
07-07-2015 19:38:10 System Checkpoint
08-07-2015 10:19:28 Installed WinDFT
09-07-2015 18:14:02 System Checkpoint
10-07-2015 18:57:37 System Checkpoint
11-07-2015 19:53:15 System Checkpoint
12-07-2015 19:59:12 System Checkpoint
12-07-2015 21:51:18 BlackBerry 10 Desktop Software (Blend, Link, Drivers)
12-07-2015 21:57:10 BlackBerry 10 Desktop Software
14-07-2015 21:05:12 System Checkpoint
15-07-2015 21:40:49 System Checkpoint
16-07-2015 22:37:17 System Checkpoint
03-08-2015 18:31:09 System Checkpoint
04-08-2015 18:41:34 System Checkpoint
05-08-2015 18:42:45 System Checkpoint
06-08-2015 18:55:29 System Checkpoint
07-08-2015 20:02:53 System Checkpoint
09-08-2015 10:47:44 System Checkpoint
10-08-2015 16:56:29 System Checkpoint
11-08-2015 12:03:39 Installed Adblock Plus for IE (32-bit)
12-08-2015 17:56:15 System Checkpoint
13-08-2015 18:35:09 System Checkpoint
17-08-2015 08:25:03 System Checkpoint
18-08-2015 11:35:31 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2003-03-31 13:00 - 2014-11-03 10:16 - 00001122 ___RA C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1    localhost
127.0.0.1 rad.msn.com
127.0.0.1 live.rads.msn.com
127.0.0.1 ads1.msn.com
127.0.0.1 static.2mdn.net
127.0.0.1 g.msn.com
127.0.0.1 a.ads2.msads.net
127.0.0.1 b.ads2.msads.net
127.0.0.1 ac3.msn.com
127.0.0.1 adnexus.net
127.0.0.1 adnxs.com
127.0.0.1 live.com
127.0.0.1 gpsoftware.com.au
127.0.0.1 www.gpsoftware.com.au


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (Whitelisted) ==============

2014-02-12 21:58 - 2014-02-12 21:58 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 14:05 - 2014-10-11 14:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-03-19 12:22 - 2015-03-19 12:22 - 00094208 _____ () C:\Program Files\Common Files\Research In Motion\Tunnel Manager\libxpmux.dll
2011-08-04 23:39 - 2006-08-18 13:17 - 00056056 _____ () C:\WINDOWS\system32\DLAAPI_W.DLL
2010-07-04 22:32 - 2010-07-04 22:32 - 00004608 _____ () C:\Program Files\Unlocker\UnlockerHook.dll
2010-07-04 22:32 - 2010-07-04 22:32 - 00010752 _____ () C:\Program Files\Unlocker\UnlockerCOM.dll
2012-09-13 22:10 - 2003-01-15 01:27 - 00118784 _____ () C:\Program Files\WinRAR\rarext.dll
2012-07-30 14:42 - 2008-02-22 05:46 - 00466944 _____ () C:\WINDOWS\system32\nvshell.dll
2010-07-04 20:51 - 2010-07-04 20:51 - 00017408 _____ () C:\Program Files\Unlocker\UnlockerAssistant.exe
2015-05-20 13:00 - 2015-05-20 13:00 - 00688888 _____ () C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe
2013-11-19 18:23 - 2013-11-13 04:39 - 03363952 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll
2012-09-23 21:43 - 2012-09-23 21:43 - 00313992 _____ () C:\Program Files\Adobe\Reader 11.0\Reader\sqlite.dll
2015-08-04 19:58 - 2015-08-04 19:58 - 17448624 _____ () C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\sdpsenv.dat:naughtypirates

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\79770840.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\79770840.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{7EC551EC-6FEE-44A6-BD12-987F87D7C525}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2875639932-1471808782-1253104730-1147\...\dell.com -> dell.com


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\<name>\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
HKU\S-1-5-21-2875639932-1471808782-1253104730-1147\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\<name>.<name>\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 192.168.1.254 - 10.0.0.1
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe] => :LocalSubNet:Enabled:BlackBerry Link Service (Nginx)
DomainProfile\AuthorizedApplications: [C:\Program Files\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe] => :LocalSubNet:Enabled:BlackBerry Link Peer Manager
StandardProfile\AuthorizedApplications: [C:\Program Files\Skype\Phone\Skype.exe] => Enabled:Skype
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe] => :LocalSubNet:Enabled:BlackBerry Link Service (Nginx)
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe] => :LocalSubNet:Enabled:BlackBerry Link Peer Manager

==================== Faulty Device Manager Devices =============

Name: Intel® PRO/Wireless 3945ABG Network Connection
Description: Intel® PRO/Wireless 3945ABG Network Connection
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Intel Corporation
Service: NETw4x32
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/18/2015 09:59:23 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:23 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:22 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:22 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:22 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:22 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:21 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:21 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:20 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

Error: (08/18/2015 09:59:13 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.


System errors:
=============
Error: (08/18/2015 09:30:51 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 59 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 09:00:51 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 08:45:46 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 07:15:49 AM) (Source: Server) (EventID: 2505) (User: )
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{BDC6C324-4BF4-406D-86B7-5B345B13BA73} because another computer on the network has the same name.  The server could not start.

Error: (08/18/2015 07:15:32 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 07:15:28 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 07:15:28 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 07:15:25 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 07:15:24 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (08/18/2015 07:15:24 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.


Microsoft Office:
=========================

==================== Memory info ===========================

Processor: Genuine Intel® CPU T2500 @ 2.00GHz
Percentage of memory in use: 57%
Total physical RAM: 3326.39 MB
Available physical RAM: 1401.31 MB
Total Virtual: 4699.3 MB
Available Virtual: 2538.44 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:91.67 GB) (Free:48.58 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive f: () (Fixed) (Total:931.51 GB) (Free:633.41 GB) NTFS
Drive k: () (Network) (Total:464.49 GB) (Free:198.09 GB)
Drive l: () (Network) (Total:464.49 GB) (Free:198.09 GB)
Drive p: () (Network) (Total:464.49 GB) (Free:198.09 GB)
Drive r: () (Network) (Total:464.49 GB) (Free:198.09 GB)
Drive s: () (Network) (Total:464.49 GB) (Free:198.09 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 91.8 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=86 MB) - (Type=DE)
Partition 2: (Active) - (Size=91.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 7A62BF00)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End of log ============================

Edited by NorrieC, 18 August 2015 - 04:45 PM.


#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,988 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:12:10 AM

Posted 18 August 2015 - 05:43 PM

Greetings Norrie,

It is no longer a secret! :)

Can you tell me if you are connected to an Advantage Database Server?


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 NorrieC

NorrieC
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:10 AM

Posted 19 August 2015 - 03:46 AM

Hi Gary,

Story of my life!

No, we use Windows SBS 2008 with all the very mundane apps. No databases in use.

Regards

Norrie




#7 Oh My!


Posted 19 August 2015 - 09:11 AM

Thanks for the information. I would like you to do this please.

===================================================

Virustotal Online Virus Scanner

--------------------
  • Please go to Virustotal
  • Select Choose File
  • Navigate to the following file (if multiple files then one at a time), double click on it so the file name is populated, then click Scan it!
  • IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

C:\ads_err.adt
C:\ads_err.adi

  • Once completed, highlight the information in the address bar and copy then paste the link in your reply

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Virustotal links

Gary
 
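The VirusTotal step above uploads each file through the browser. An added example, not part of this thread and not VirusTotal's own tooling: the same report page can be reached from a file's SHA-256 alone, since the links pasted later in the thread are keyed by that digest. The script below hashes a file in chunks and builds the report URL in that form; the sample file it writes is constructed for the example and the URL layout is taken from the links in this thread (the trailing /analysis/<timestamp>/ part is VirusTotal's own).

```python
import hashlib
import os
import tempfile

# Constructed sample content for this example; it stands in for the files the
# thread submits (C:\ads_err.adt and C:\ads_err.adi) and is not a real artifact.
SAMPLE_CONTENT = b"constructed sample file for hashing, not a real artifact\n"

# Per-file report URL in the same form as the links pasted in the thread.
VT_FILE_URL = "https://www.virustotal.com/en/file/{sha256}/analysis/"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_sha256_hex(s: str) -> bool:
    """True if s is a 64-character hex string (a SHA-256 digest)."""
    return len(s) == 64 and all(c in "0123456789abcdef" for c in s.lower())


def virustotal_url(sha256_hex: str) -> str:
    """Report URL for a file already known to VirusTotal, keyed by its SHA-256."""
    if not is_sha256_hex(sha256_hex):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return VT_FILE_URL.format(sha256=sha256_hex.lower())


def hash_and_link(paths):
    """Return {path: (sha256, url)} for each readable file; unreadable ones are skipped."""
    results = {}
    for p in paths:
        try:
            digest = sha256_of_file(p)
        except OSError as exc:
            print(f"{p}: cannot read ({exc})")
            continue
        results[p] = (digest, virustotal_url(digest))
    return results


def demo():
    """Write the constructed sample to a temp dir, hash it, and return (sha256, url)."""
    with tempfile.TemporaryDirectory() as tmp:
        # The file name only mirrors the thread; the content is the constructed sample.
        path = os.path.join(tmp, "ads_err.adt")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        digest, url = hash_and_link([path])[path]
    return digest, url


if __name__ == "__main__":
    d, u = demo()
    print(d)
    print(u)
```

Looking a file up by hash does not send its contents anywhere, which matters when, as here, the files turn out to be application crash dumps that may hold business data. A hash VirusTotal has never seen only means the exact file has not been submitted before, and, as the thread's next reply also notes, a clean report is not proof that a file is benign.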

#8 NorrieC


Posted 19 August 2015 - 09:42 AM

Links as requested. No hits I'm afraid, or should I say thank goodness!

 

C:\ads_err.adt
https://www.virustotal.com/en/file/fc08acb9adf801dc3305d89abf4814b4b753cbeabcc3e3c6e1f59b8781973378/analysis/1439995033/

C:\ads_err.adi
https://www.virustotal.com/en/file/82e2e96b9bae9b1f448ce3a46f403a4cc4d3ad9d8ed71e7b4c3d7b1373251015/analysis/1439995227/

I think those files are related to Autocad crash reports.

Regards

Norrie



#9 Oh My!


Posted 19 August 2015 - 11:10 AM

Hi Norrie,

Although Virustotal seems to indicate they are fine, actually I don't believe they are. Instead of deleting them I am going to rename them just in case we find you need them at some point.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
closeprocesses:
HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\...\Run: [AdobeBridge] => [X]
U2 CertPropSvc; no ImagePath
R1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [X]
S4 HSXHWAZL; system32\DRIVERS\HSXHWAZL.sys [X]
S4 IntelIde; no ImagePath
S4 utdrv; \??\C:\WINDOWS\system32\drivers\utdrv.sys [X]
U4 WinDefend; no ImagePath
cmd: rename C:\ads_err.adt ads_err.adt.old
cmd: rename C:\ads_err.adi ads_err.adi.old
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • How is your computer running?

Gary
 

#10 NorrieC


Posted 19 August 2015 - 01:03 PM

Log as requested

Fix result of Farbar Recovery Scan Tool (x86) Version:17-08-2015
Ran by norrie.crawford (2015-08-19 17:38:56) Run:1
Running from C:\Documents and Settings\<name>.<name>\Desktop
Loaded Profiles: <name> (Available Profiles: <name> & Administrator & <name> & <name>)
Boot Mode: Normal

==============================================

fixlist content:
*****************
closeprocesses:
HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\...\Run: [AdobeBridge] => [X]
U2 CertPropSvc; no ImagePath
R1 eeCtrl; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [X]
S4 HSXHWAZL; system32\DRIVERS\HSXHWAZL.sys [X]
S4 IntelIde; no ImagePath
S4 utdrv; \??\C:\WINDOWS\system32\drivers\utdrv.sys [X]
U4 WinDefend; no ImagePath
cmd: rename C:\ads_err.adt ads_err.adt.old
cmd: rename C:\ads_err.adi ads_err.adi.old
*****************

Processes closed successfully.
HKU\S-1-5-21-1695840115-2258506580-2628638250-1134\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully.
CertPropSvc => service removed successfully.
eeCtrl => Service stopped successfully.
eeCtrl => service could not remove
HSXHWAZL => service removed successfully.
IntelIde => service removed successfully.
utdrv => service removed successfully.
WinDefend => service removed successfully.

=========  rename C:\ads_err.adt ads_err.adt.old =========


========= End of CMD: =========


=========  rename C:\ads_err.adi ads_err.adi.old =========


========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog 17:39:02 ====

 

 

I'm not too surprised at the failure to remove eeCtrl.sys because it's a Symantec Endpoint file.

There's no appreciable difference in the running of the machine, with the possible exception that it seemed to start a little quicker at the reboot.

Regards

Norrie



#11 Oh My!


Posted 19 August 2015 - 01:17 PM

The Symantec entry is odd because it shows the process running but also indicates the file is not present. That may be because of the odd file path.

Are you experiencing any issues?
Gary
 

#12 Oh My!


Posted 22 August 2015 - 08:39 AM

Greetings,

How are we doing?
Gary
 

#13 Oh My!


Posted 23 August 2015 - 03:22 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 

#14 NorrieC


Posted 24 August 2015 - 02:37 PM

Hi Gary,

Sorry for the delay in replying.

I don't have any issues with the machine. As I said above, I did find out that it was Skype which was using port 12639, so my paranoia level reduced somewhat. I guess none of the tests showed anything serious? So we're probably finished here? Do you agree?

Cheers

Norrie



#15 Oh My!


Posted 24 August 2015 - 02:39 PM

Greetings,

Yes I agree but I wanted to double check before closing the Topic.

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and you may delete any programs or logs on your computer as a result of our efforts. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder. For everything else you simply delete the log files or desktop icons.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :thumbsup:

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

I will leave this topic open for just a brief period of time in case you have any further issues then it will be closed shortly thereafter.

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 



