HANCITOR MALSPAM infection on 5/31/2017


  • This topic is locked
64 replies to this topic

#1 clemente2

Posted 03 June 2017 - 11:10 AM

The XP_SP3 32-bit system was infected by a malware payload contained within a MS Word .doc file on 5/31/17, as detailed in this link: http://www.malware-traffic-analysis.net/2017/05/31/index2.html

The infection should be similar to that experienced in the following thread: https://www.bleepingcomputer.com/forums/t/639505/downloaded-worddoc-with-hancitorpony-malspam/

The payload was delivered after opening the .doc file under Word 2003.

The infection occurred at approximately 9:40am PDT on 5/31, and the infected system was shut down at approximately 11:30am on 5/31.

The system was rebooted briefly on 6/1 for investigative purposes but has remained offline.

The infected hard drive was temporarily removed for cloning purposes via Macrium Reflect.

Although this particular system has undergone various motherboard migrations and other hardware changes, it has been functional for approximately 20 years (initially installed as a Windows 98 system) and currently serves as the primary email client (Outlook Express) for my wife.

Thanks in advance for your assistance and expertise in attempting to clean the infection.

 

------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-05-2017
Ran by Administrator (administrator) on SEMPRON3000 (03-06-2017 09:02:00)
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(HP) C:\WINDOWS\System32\HPZipm12.exe
(Microsoft Corporation) C:\WINDOWS\System32\WUAUCLT.EXE
(Microsoft Corporation) C:\WINDOWS\System32\wscntfy.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-1708537768-1935655697-1343024091-500\...\MountPoints2: ##celerond326a#cd1 (q) - Z:\Autoplay.exe -auto
HKU\S-1-5-18\...\RunOnce: [Printing Migration] => rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [40960 2002-08-28] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [RunNarrator] => C:\WINDOWS\system32\Narrator.exe [53760 2008-04-14] (Microsoft Corporation)
Lsa: [Notification Packages] scecli kbrsdilt.dll
ShellIconOverlayIdentifiers: [SlowFile Icon Overlay] -> {7D688A77-C613-11D0-999B-00C04FD655E1} =>  -> No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyServer: [.DEFAULT] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [.DEFAULT] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
ProxyServer: [S-1-5-19] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [S-1-5-19] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
ProxyServer: [S-1-5-20] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [S-1-5-20] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
ProxyServer: [S-1-5-21-1708537768-1935655697-1343024091-500] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [S-1-5-21-1708537768-1935655697-1343024091-500] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
Winsock: Catalog5 01 C:\Program Files\Bonjour\mdnsNSP.dll [94208 2006-02-28] (Apple Computer, Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\..\Interfaces\{50C57E3C-A8AC-4967-8141-2272FF62D6B2}: [NameServer] 192.168.0.1
Tcpip\..\Interfaces\{7E832B1C-40D1-4976-95CC-0F0BAC8CCF91}: [NameServer] 24.51.240.2,206.13.29.12
Tcpip\..\Interfaces\{E46AA575-BE18-4C2B-ADA4-6C5C5E92A1F3}: [DhcpNameServer] 76.85.229.110 76.85.229.111
Tcpip\..\Interfaces\{FA8E2DDA-98DA-4598-A92D-36ED6D87A5AB}: [DhcpNameServer] 209.18.47.62 209.18.47.61
 
Internet Explorer:
==================
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1708537768-1935655697-1343024091-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1708537768-1935655697-1343024091-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKLM - ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL No File
URLSearchHook: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
BHO: ContributeBHO Class -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> M:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16] (Adobe Systems Incorporated.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-07-27] (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> n:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15] (Safer Networking Limited)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> Q:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
BHO: CAdBlocker Object -> {E24AD748-155E-4254-B674-4EDF86E7E1DF} -> C:\Program Files\Acronis\PrivacyExpert\Blocker.dll [2009-01-26] (Acronis)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKLM - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - M:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16] (Adobe Systems Incorporated.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKU\.DEFAULT -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\.DEFAULT -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-19 -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\S-1-5-20 -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> PowerSearch - {4E7BD74F-2B8D-469E-D1F0-E56FA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrscznc.dll No File
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> No Name - {4E7BD74F-2B8D-469E-C0FF-FD63B399BC7D} -  No File
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> No Name - {41564952-412D-5637-00A7-7A786E7484D7} -  No File
DPF: {00000075-9980-0010-8000-00AA00389B71} hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306364967734
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37970.7198148148
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll [2008-04-14] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2000-12-22] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - Q:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx [2008-04-14] ()
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default [2008-12-05]
FF Session Restore: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> is enabled.
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ftp", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ftp_port", 80
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> http", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> http_port", 80
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> no_proxies_on", "*.local"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> socks", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> socks_port", 1080
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ssl", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ssl_port", 80
FF Extension: (Ancestry.com Advanced Image Viewer) - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default\Extensions\support@ancestry.com [2010-04-12] [not signed]
FF Extension: (EPUBReader) - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2017-02-18]
FF Extension: (Microsoft .NET Framework Assistant) - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011-05-31] [not signed]
FF HKLM\...\Firefox\Extensions: [{86058C3D-8A47-4897-BAD8-A2B33A78AEB1}] - C:\Documents and Settings\Administrator\Local Settings\Application Data\{86058C3D-8A47-4897-BAD8-A2B33A78AEB1}
FF Extension: (XULRunner) - C:\Documents and Settings\Administrator\Local Settings\Application Data\{86058C3D-8A47-4897-BAD8-A2B33A78AEB1} [2009-11-01] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-05-25] [not signed]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - V:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - V:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013-01-03] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll [2013-01-03] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\System32\Adobe\Director\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
FF Plugin: Adobe Acrobat -> V:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2012-07-27] (Adobe Systems Inc.)
StartMenuInternet: FIREFOX.EXE - M:\Program Files\Mozilla Firefox\firefox.exe
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [804528 2010-11-23] (Acronis)
S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2004-03-30] () [File not signed]
S4 AdobeVersionCue; I:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe [61440 2003-10-13] (Adobe Sytems) [File not signed]
S4 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3246040 2012-06-01] (Acronis)
S4 Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [229376 2006-02-28] (Apple Computer, Inc.) [File not signed]
S4 CPUCooLServer; L:\Program Files\CPUCooL\CooLSrv.exe [20480 2003-03-31] () [File not signed]
S4 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2011-06-03] (Macrovision Europe Ltd.) [File not signed]
S4 Iomega App Services; C:\Program Files\Iomega\System32\AppServices.exe [73728 2002-09-04] (Iomega Corporation) [File not signed]
S4 Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [68096 2003-10-05] () [File not signed]
S4 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [270336 2001-02-23] (Microsoft Corporation) [File not signed]
S3 MozillaMaintenance; C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe [146888 2016-08-24] (Mozilla Foundation) [File not signed]
S4 paamsrv; C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe [676053 2009-01-26] () [File not signed]
S4 Pctspk; C:\WINDOWS\system32\pctspk.exe [86016 2001-08-17] (PCtel, Inc.)
S4 Pml Driver; C:\WINDOWS\System32\HPHipm09.exe [77824 2001-10-25] (HP)
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [69632 2004-09-29] (HP) [File not signed]
S3 SCardDrv; C:\WINDOWS\System32\SCardSvr.exe [95744 2008-04-14] (Microsoft Corporation)
S4 SkypeUpdate; Q:\Program Files\Skype\Updater\Updater.exe [160944 2012-07-13] (Skype Technologies)
S4 Iomega Activity Disk2; "" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 3dfxvs; C:\WINDOWS\System32\DRIVERS\3dfxvsm.sys [148352 2001-08-17] (3dfx Interactive, Inc.)
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2279424 2004-10-01] (Realtek Semiconductor Corp.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
U4 Claloo; no ImagePath
S3 cmpci; C:\WINDOWS\System32\drivers\cmaudio.sys [357070 2001-12-10] (C-Media Inc) [File not signed]
S3 cmuda; C:\WINDOWS\System32\drivers\cmuda.sys [743887 2003-05-29] (C-Media Inc)
S3 Dot4 HPH09; C:\WINDOWS\System32\DRIVERS\hphid409.sys [50704 2001-10-25] (HP)
S3 Dot4Print HPH09; C:\WINDOWS\System32\DRIVERS\hphipr09.sys [15984 2001-10-25] (HP)
S3 Dot4Scan; C:\WINDOWS\System32\DRIVERS\Dot4Scan.sys [8704 2001-08-17] (Microsoft Corporation)
S3 Dot4Storage HPH09; C:\WINDOWS\System32\Drivers\hphs2k09.sys [50179 2001-10-25] (Hewlett-Packard)
S3 Dot4Usb HPH09; C:\WINDOWS\System32\drivers\hphius09.sys [18864 2001-10-25] (HP)
S3 es1371; C:\WINDOWS\System32\drivers\es1371mp.sys [40832 2002-06-03] (Creative Technology Ltd.)
R3 FETNDIS; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc.              )
S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-14] (Microsoft Corporation)
R0 iomdisk; C:\WINDOWS\System32\DRIVERS\iomdisk.sys [30258 2002-09-04] (Iomega Corporation) [File not signed]
S3 msgame; C:\WINDOWS\System32\DRIVERS\msgame.sys [35200 2001-08-17] (Microsoft Corporation)
S3 ms_mpu401; C:\WINDOWS\System32\drivers\msmpu401.sys [2944 2001-08-17] (Microsoft Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R2 npf; C:\WINDOWS\System32\drivers\npf.sys [34064 2007-11-15] (CACE Technologies)
R1 ntiowp; C:\WINDOWS\system32\Drivers\ntiowp.sys [10240 2003-03-08] () [File not signed]
R2 NwlnkIpx; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-14] (Microsoft Corporation)
R2 NwlnkNb; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [63232 2008-04-14] (Microsoft Corporation)
R2 NwlnkSpx; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [55936 2008-04-14] (Microsoft Corporation)
S3 P1370Aud; C:\WINDOWS\system32\Drivers\P1370Aud.sys [93056 2005-12-05] (Creative Technology Ltd.)
S3 P1370Aul; C:\WINDOWS\system32\Drivers\P1370Aul.sys [4992 2005-12-06] (Creative Technology Ltd.)
S3 P1370Vfx; C:\WINDOWS\System32\DRIVERS\P1370Vfx.sys [6272 2006-03-24] (EyePower Games Pte. Ltd.)
S3 P1370VID; C:\WINDOWS\System32\DRIVERS\P1370Vid.sys [297792 2006-06-20] (Creative Technology Ltd.)
R2 pamondrv; C:\WINDOWS\System32\DRIVERS\pamondrv.sys [43520 2009-01-26] () [File not signed]
S3 pnicII; C:\WINDOWS\System32\DRIVERS\lne100.SYS [20573 2001-08-17] (The Linksts Group )
S3 Ptserial; C:\WINDOWS\System32\DRIVERS\ptserial.sys [120209 2002-03-13] (PCTEL, INC.) [File not signed]
S3 Ptserlp; C:\WINDOWS\System32\DRIVERS\ptserlp.sys [112574 2001-08-17] (PCTEL, INC.)
S3 SISNIC; C:\WINDOWS\System32\DRIVERS\sisnic.sys [32768 2008-04-13] (SiS Corporation)
S3 USRTI; C:\WINDOWS\System32\DRIVERS\USRTI.SYS [765884 2001-08-17] (U.S. Robotics, Inc.)
R3 viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [172544 2005-03-08] (Copyright © VIA/S3 Graphics Co, Ltd.)
R0 Vmodem; C:\WINDOWS\System32\DRIVERS\vmodem.sys [604253 2001-08-17] (PCTEL, INC.)
R0 Vpctcom; C:\WINDOWS\System32\DRIVERS\vpctcom.sys [397502 2001-08-17] (PCtel, Inc.)
R0 Vvoice; C:\WINDOWS\System32\DRIVERS\vvoice.sys [64605 2001-08-17] (PCtel, Inc.)
S4 hpt3xx; no ImagePath
S4 IntelIde; no ImagePath
S3 PCI_Ctrl; \??\C:\WINDOWS\system32\drivers\PCI_Ctrl.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2099-12-31 8888:439 - 61320-153-64 23224:416 - 00000000 ___SD C:\Documents and Settings\LocalService\Application Data\Microsoft
2099-12-31 61232:695 - 61320-153-64 65520:693 - 00000000 ____D C:\WINDOWS\system32\config\systemprofile
2099-12-31 60848:695 - 61320-153-64 65336:429 - 00000000 ___HD C:\Documents and Settings\Default User\Local Settings\Application Data
2099-12-31 60848:695 - 61320-153-64 63736:697 - 00000000 ___SD C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
2099-12-31 60848:695 - 61320-153-64 35808:430 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\Temp
2099-12-31 60848:695 - 61320-153-64 23328:421 - 00000000 ___SD C:\Documents and Settings\Default User\Local Settings\History
2099-12-31 59560:429 - 61320-153-64 54288:431 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data
2099-12-31 59560:429 - 61320-153-64 51136:695 - 00000000 ___SD C:\Documents and Settings\NetworkService\Cookies
2099-12-31 59560:429 - 61320-153-64 51112:695 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings
2099-12-31 57416:424 - 61320-153-64 9008:435 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu
2099-12-31 57416:424 - 61320-153-64 63688:431 - 00000000 ___RD C:\Documents and Settings\All Users\Documents
2099-12-31 57416:424 - 61320-153-64 36640:430 - 00000000 __RHD C:\Documents and Settings\All Users\Application Data
2099-12-31 57416:424 - 61320-153-64 30520:421 - 00000000 ___HD C:\Documents and Settings\All Users\Templates
2099-12-31 57416:424 - 61320-153-64 30200:430 - 00000000 ____D C:\Documents and Settings\All Users\Desktop
2099-12-31 57416:424 - 61320-153-64 24208:702 - 00000000 ____D C:\Documents and Settings\All Users\Favorites
2099-12-31 54776:424 - 61320-153-64 7688:427 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu\Programs\Startup
2099-12-31 54776:424 - 61320-153-64 51096:696 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu\Programs\Accessories
2099-12-31 52024:420 - 61320-153-64 8880:425 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\PolyView
2099-12-31 52024:420 - 61320-153-64 65336:429 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Multimedia
2099-12-31 52024:420 - 61320-153-64 64216:429 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\HP DeskJet 880C Series v11.1
2099-12-31 52024:420 - 61320-153-64 64168:429 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\The Print Shop Signature Greetings 1.0
2099-12-31 52024:420 - 61320-153-64 63600:429 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2099-12-31 52024:420 - 61320-153-64 62704:431 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
2099-12-31 52024:420 - 61320-153-64 6128:430 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\HD Tach
2099-12-31 52024:420 - 61320-153-64 60312:424 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Startup
2099-12-31 52024:420 - 61320-153-64 58520:429 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\QuarkXPress
2099-12-31 52024:420 - 61320-153-64 58304:429 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak Digital Science
2099-12-31 52024:420 - 61320-153-64 58056:421 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
2099-12-31 52024:420 - 61320-153-64 57416:424 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Clip Gallery
2099-12-31 52024:420 - 61320-153-64 57312:438 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Ghost
2099-12-31 52024:420 - 61320-153-64 54288:431 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Games
2099-12-31 52024:420 - 61320-153-64 52352:696 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\MP3 WAV Converter
2099-12-31 52024:420 - 61320-153-64 49872:429 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Hardware
2099-12-31 52024:420 - 61320-153-64 49232:432 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Ulead Photo Explorer 4.2
2099-12-31 52024:420 - 61320-153-64 31616:430 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Bureau Multimedia
2099-12-31 52024:420 - 61320-153-64 22272:430 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\OLYMPUS CAMEDIA Master
2099-12-31 52024:420 - 61320-153-64 19760:430 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\WinZip
2099-12-31 52024:420 - 61320-153-64 16544:430 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\HP PhotoSmart
2099-12-31 52024:420 - 61320-153-64 13752:435 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
2099-12-31 50704:421 - 61320-153-64 18456:695 - 00000000 ___SD C:\Documents and Settings\NetworkService\Application Data\Microsoft
2099-12-31 50640:695 - 61320-153-64 31384:430 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
2099-12-31 50616:695 - 61320-153-64 24792:430 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu\Programs
2099-12-31 49184:432 - 61320-153-64 24792:430 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data
2099-12-31 49184:432 - 61320-153-64 20528:430 - 00000000 ___HD C:\Documents and Settings\LocalService\Local Settings
2099-12-31 49184:432 - 61320-153-64 18952:430 - 00000000 ___SD C:\Documents and Settings\LocalService\Cookies
2099-12-31 48200:439 - 61320-153-64 61328:695 - 00000000 ____D C:\WINDOWS\Registration
2099-12-31 48200:439 - 61320-153-64 60944:695 - 00000000 ____D C:\WINDOWS\mui
2099-12-31 48200:439 - 61320-153-64 60896:695 - 00000000 ____D C:\WINDOWS\repair
2099-12-31 48200:439 - 61320-153-64 60824:695 - 00000000 ____D C:\WINDOWS\WinSxS
2099-12-31 48200:439 - 61320-153-64 56808:429 - 00000000 ____D C:\WINDOWS\ime
2099-12-31 48200:439 - 61320-153-64 47520:439 - 00000000 ____D C:\WINDOWS\PCHEALTH
2099-12-31 48200:439 - 61320-153-64 46872:695 - 00000000 ____D C:\WINDOWS\security
2099-12-31 48200:439 - 61320-153-64 46832:695 - 00000000 ____D C:\WINDOWS\AppPatch
2099-12-31 48200:439 - 61320-153-64 46600:695 - 00000000 ____D C:\WINDOWS\addins
2099-12-31 48200:439 - 61320-153-64 45976:695 - 00000000 ____D C:\WINDOWS\srchasst
2099-12-31 48200:439 - 61320-153-64 26696:436 - 00000000 ____D C:\WINDOWS\Resources
2099-12-31 48200:439 - 61320-153-64 21488:702 - 00000000 ____D C:\WINDOWS\Connection Wizard
2099-12-31 48200:439 - 61320-153-64 21440:702 - 00000000 ____D C:\WINDOWS\Debug
2099-12-31 48200:439 - 61320-153-64 21304:702 - 00000000 ____D C:\WINDOWS\Driver Cache
2099-12-31 48200:439 - 61320-153-64 21016:702 - 00000000 ___HD C:\WINDOWS\inf
2099-12-31 47632:438 - 61320-153-64 880:439 - 00000000 ___HD C:\Documents and Settings\LocalService\Local Settings\Application Data
2099-12-31 47632:438 - 61320-153-64 56408:431 - 00000000 ___SD C:\Documents and Settings\LocalService\Local Settings\History
2099-12-31 47632:438 - 61320-153-64 54288:431 - 00000000 ___SD C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
2099-12-31 47632:438 - 61320-153-64 54288:431 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Temp
2099-12-31 44984:429 - 61320-153-64 63712:697 - 00000000 ___SD C:\Documents and Settings\All Users\Application Data\Microsoft
2099-12-31 44800:421 - 61320-153-64 56120:439 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings\Application Data
2099-12-31 44800:421 - 61320-153-64 54584:439 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Temp
2099-12-31 44800:421 - 61320-153-64 35832:426 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings\History
2099-12-31 44800:421 - 61320-153-64 32816:422 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
2099-12-31 37680:417 - 61320-153-64 54184:424 - 00000000 ____D C:\Documents and Settings
2099-12-31 37680:417 - 61320-153-64 12040:418 - 00000000 __SHD C:\System Volume Information
2099-12-31 36520:430 - 61320-153-64 6424:430 - 00000000 ____D C:\Program Files\xerox
2099-12-31 36520:430 - 61320-153-64 61008:429 - 00000000 ____D C:\Program Files\Windows NT
2099-12-31 36520:430 - 61320-153-64 60776:431 - 00000000 ___HD C:\Program Files\WindowsUpdate
2099-12-31 36520:430 - 61320-153-64 55664:429 - 00000000 ____D C:\Program Files\Movie Maker
2099-12-31 36520:430 - 61320-153-64 43496:424 - 00000000 ____D C:\Program Files\Messenger
2099-12-31 36520:430 - 61320-153-64 31616:430 - 00000000 ____D C:\Program Files\ComPlus Applications
2099-12-31 36520:430 - 61320-153-64 23384:430 - 00000000 ____D C:\Program Files\Online Services
2099-12-31 36520:430 - 61320-153-64 23016:430 - 00000000 ____D C:\Program Files\microsoft frontpage
2099-12-31 32408:430 - 61320-153-64 2208:428 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
2099-12-31 29664:421 - 61320-153-64 920:427 - 00000000 ___HD C:\Documents and Settings\Default User\NetHood
2099-12-31 29664:421 - 61320-153-64 7688:427 - 00000000 ____D C:\Documents and Settings\Default User\Favorites
2099-12-31 29664:421 - 61320-153-64 63464:429 - 00000000 ___SD C:\Documents and Settings\Default User\Cookies
2099-12-31 29664:421 - 61320-153-64 54520:431 - 00000000 ___HD C:\Documents and Settings\Default User\PrintHood
2099-12-31 29664:421 - 61320-153-64 54288:431 - 00000000 ____D C:\Documents and Settings\Default User\My Documents
2099-12-31 29664:421 - 61320-153-64 44512:426 - 00000000 ___HD C:\Documents and Settings\Default User\Recent
2099-12-31 29664:421 - 61320-153-64 32272:426 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu
2099-12-31 29664:421 - 61320-153-64 29832:430 - 00000000 ___HD C:\Documents and Settings\Default User\Templates
2099-12-31 29664:421 - 61320-153-64 23728:437 - 00000000 __RHD C:\Documents and Settings\Default User\Local Settings
2099-12-31 29664:421 - 61320-153-64 23728:437 - 00000000 __RHD C:\Documents and Settings\Default User\Application Data
2099-12-31 29664:421 - 61320-153-64 20104:430 - 00000000 ____D C:\Documents and Settings\Default User\Desktop
2099-12-31 29664:421 - 61320-153-64 16760:430 - 00000000 __RHD C:\Documents and Settings\Default User\SendTo
2099-12-31 25048:430 - 61320-153-64 23224:416 - 00000000 ___SD C:\Documents and Settings\Default User\Application Data\Microsoft
2099-12-31 22080:438 - 61320-153-64 7304:418 - 00000000 _____ C:\WINDOWS\system32\h323log.txt
2099-12-31 22080:438 - 61320-153-64 64816:431 - 00000000 ____D C:\WINDOWS\system32\1033
2099-12-31 22080:438 - 61320-153-64 64656:697 - 00000000 ____D C:\WINDOWS\system32\MsDtc
2099-12-31 22080:438 - 61320-153-64 64504:697 - 00000000 ____D C:\WINDOWS\system32\Restore
2099-12-31 22080:438 - 61320-153-64 64136:697 - 00000000 ____D C:\WINDOWS\system32\3076
2099-12-31 22080:438 - 61320-153-64 64096:697 - 00000000 ____D C:\WINDOWS\system32\export
2099-12-31 22080:438 - 61320-153-64 63760:697 - 00000000 ____D C:\WINDOWS\system32\1025
2099-12-31 22080:438 - 61320-153-64 63624:697 - 00000000 ____D C:\WINDOWS\system32\CatRoot
2099-12-31 22080:438 - 61320-153-64 63536:697 - 00000000 ____D C:\WINDOWS\system32\usmt
2099-12-31 22080:438 - 61320-153-64 61112:695 - 00000000 ____D C:\WINDOWS\system32\1031
2099-12-31 22080:438 - 61320-153-64 53184:696 - 00000000 ____D C:\WINDOWS\system32\config
2099-12-31 22080:438 - 61320-153-64 52896:696 - 00000000 ____D C:\WINDOWS\system32\1037
2099-12-31 22080:438 - 61320-153-64 52664:696 - 00000000 ____D C:\WINDOWS\system32\wins
2099-12-31 22080:438 - 61320-153-64 52472:696 - 00000000 ____D C:\WINDOWS\system32\1042
2099-12-31 22080:438 - 61320-153-64 51920:696 - 00000000 ____D C:\WINDOWS\system32\ShellExt
2099-12-31 22080:438 - 61320-153-64 51896:696 - 00000000 ____D C:\WINDOWS\system32\IME
2099-12-31 22080:438 - 61320-153-64 51848:696 - 00000000 ____D C:\WINDOWS\system32\dhcp
2099-12-31 22080:438 - 61320-153-64 51216:696 - 00000000 ____D C:\WINDOWS\system32\3com_dmi
2099-12-31 22080:438 - 61320-153-64 51120:696 - 00000000 ____D C:\WINDOWS\system32\2052
2099-12-31 22080:438 - 61320-153-64 51072:696 - 00000000 ____D C:\WINDOWS\system32\ias
2099-12-31 22080:438 - 61320-153-64 50632:696 - 00000000 ____D C:\WINDOWS\system32\1041
2099-12-31 22080:438 - 61320-153-64 50416:696 - 00000000 ____D C:\WINDOWS\system32\wbem
2099-12-31 22080:438 - 61320-153-64 50320:696 - 00000000 ____D C:\WINDOWS\system32\1054
2099-12-31 22080:438 - 61320-153-64 50152:696 - 00000000 ____D C:\WINDOWS\system32\Setup
2099-12-31 22080:438 - 61320-153-64 48600:439 - 00000000 ____D C:\WINDOWS\system32\1028
2099-12-31 22080:438 - 61320-153-64 46744:695 - 00000000 ____D C:\WINDOWS\system32\oobe
2099-12-31 22080:438 - 61320-153-64 46352:695 - 00000000 ____D C:\WINDOWS\system32\mui
2099-12-31 22080:438 - 61320-153-64 46184:439 - 00000000 ____D C:\WINDOWS\system32\DirectX
2099-12-31 22080:438 - 61320-153-64 45456:693 - 00000000 ____D C:\WINDOWS\system32\icsxml
2099-12-31 22080:438 - 61320-153-64 43472:424 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2099-12-31 22080:438 - 61320-153-64 36776:430 - 00000000 ____D C:\WINDOWS\system32\spool
2099-12-31 22080:438 - 61320-153-64 24208:702 - 00000000 _RSHD C:\WINDOWS\system32\dllcache
2099-12-31 22080:438 - 61320-153-64 21440:702 - 00000000 ____D C:\WINDOWS\system32\npp
2099-12-31 22080:438 - 61320-153-64 21416:430 - 00000000 ____D C:\WINDOWS\system32\xircom
2099-12-31 22080:438 - 61320-153-64 21304:702 - 00000000 ____D C:\WINDOWS\system32\ras
2099-12-31 22080:438 - 61320-153-64 16368:698 - 00000000 ____D C:\WINDOWS\system32\CatRoot2
2099-12-31 22080:438 - 61320-153-64 16000:430 - 00000000 ____D C:\WINDOWS\system32\Com
2099-12-31 19288:695 - 61320-153-64 23776:421 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs
2099-12-31 15424:698 - 61320-153-64 8608:439 - 00000000 ____D C:\Program Files\Common Files\MSSoap
2099-12-31 15424:698 - 61320-153-64 24544:438 - 00000000 ____D C:\Program Files\Common Files\SpeechEngines
2099-12-31 14344:430 - 61320-153-64 54152:431 - 00000000 ____D C:\WINDOWS\system32\Drivers\etc
2099-12-31 14344:430 - 61320-153-64 16296:698 - 00000000 ____D C:\WINDOWS\system32\Drivers\disdn
2099-12-31 11656:418 - 61320-153-64 61584:426 - 00000000 ___HD C:\Documents and Settings\Default User
2099-12-31 11656:418 - 61320-153-64 4920:430 - 00000000 ____D C:\Documents and Settings\All Users
2099-12-31 11656:418 - 61320-153-64 46184:439 - 00000000 __SHD C:\Documents and Settings\LocalService
2099-12-31 11656:418 - 61320-153-64 24152:421 - 00000000 __SHD C:\Documents and Settings\NetworkService
2017-06-03 09:02 - 2017-06-03 09:02 - 00020707 _____ C:\Documents and Settings\Administrator\Desktop\FRST.txt
2017-06-03 09:01 - 2017-06-03 09:01 - 00000000 ____D C:\FRST
2017-06-03 09:01 - 2017-06-01 08:54 - 01772032 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2017-06-01 08:25 - 2017-06-01 08:25 - 00000000 ____D C:\WINDOWS\CSC
2017-06-01 08:07 - 2017-06-01 08:07 - 00000000 ____D C:\WINDOWS\erdnt
2017-05-14 13:54 - 2017-05-14 13:54 - 00000000 ___HD C:\WINDOWS\$NtUninstallKB4012598$
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2099-12-31 61232:695 - 1980-01-01 00:00 - 00065536 _____ C:\WINDOWS\system32\config\SecEvent.Evt
2099-12-31 59560:429 - 1980-01-01 00:00 - 00001024 ____H C:\Documents and Settings\NetworkService\ntuser.dat.ref.LOG
2099-12-31 52024:420 - 2001-05-29 10:32 - 00001512 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Picture It!.lnk
2099-12-31 52024:420 - 1996-09-12 00:52 - 00001359 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Exchange.lnk
2099-12-31 49184:432 - 1980-01-01 00:00 - 00001024 ____H C:\Documents and Settings\LocalService\ntuser.dat.ref.LOG
2099-12-31 48200:439 - 1980-01-01 00:00 - 00000667 _____ C:\WINDOWS\COMMAND.LNK
2099-12-31 29664:421 - 1980-01-01 00:00 - 00001024 ____H C:\Documents and Settings\Default User\ntuser.dat.ref.LOG
2099-01-14 03:28 - 1980-01-01 00:00 - 00008192 _____ C:\WINDOWS\REGLOCS.OLD
2092-11-16 20:41 - 1980-01-01 00:00 - 00000086 _____ C:\WINDOWS\vbaddin.ini
2092-09-22 18:06 - 2002-07-17 11:09 - 00000062 ___SH C:\Documents and Settings\Administrator\Application Data\desktop.ini
2044-02-15 00:50 - 2002-05-31 14:37 - 00000402 _____ C:\WINDOWS\commigrate.log
2017-06-03 08:59 - 2004-08-31 13:44 - 00002228 _____ C:\WINDOWS\system32\wpa.dbl
2017-06-03 08:57 - 1998-10-19 17:53 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-01 09:42 - 2002-12-08 17:23 - 00032542 _____ C:\WINDOWS\SchedLgU.Txt
2017-06-01 09:42 - 2002-07-17 11:09 - 00000278 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-06-01 08:47 - 1980-01-01 00:00 - 00017673 _____ C:\WINDOWS\UEDIT32.INI
2017-06-01 08:26 - 2002-07-17 11:08 - 01482358 _____ C:\WINDOWS\ntbtlog.txt
2017-05-31 05:52 - 2008-06-18 14:03 - 00002404 _____ C:\WINDOWS\system32\d3d9caps.dat
2017-05-24 12:00 - 1980-01-01 00:00 - 00000054 _____ C:\WINDOWS\TWUI200.INI
2017-05-24 11:59 - 2011-06-03 10:43 - 00002191 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Acrobat X Pro.lnk
 
==================== Files in the root of some directories =======
 
2002-01-22 21:24 - 2002-01-22 21:24 - 0000560 _____ () C:\Program Files\Global.sw
1998-10-19 17:50 - 1999-10-20 15:48 - 0011079 ____H () C:\Program Files\folder.htt
1996-10-09 20:17 - 1996-10-09 20:17 - 0000000 ___RH () C:\Program Files\Common Files\MSCREATE.DIR
2009-11-01 12:06 - 2009-11-01 12:06 - 0000024 _____ () C:\Documents and Settings\Administrator\Application Data\wiaserva.log
2003-12-04 18:28 - 2017-03-05 13:18 - 0047104 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2007-12-23 08:41 - 2007-12-23 08:41 - 0000032 _____ () C:\Documents and Settings\All Users\Application Data\ezsid.dat
2016-11-13 11:19 - 2016-11-13 11:52 - 0000644 _____ () C:\Documents and Settings\All Users\Application Data\hpzinstall.log
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of FRST.txt ============================

Attached Files
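The FRST listing above mixes three kinds of lines that look alike: entries genuinely created or modified in the last month, entries whose timestamps FRST could not render (the `2099-12-31 47632:438`-style lines, typical of a filesystem migrated across two decades of hardware), and entries whose date parses but is in the future. As an added example, not part of the original post and not code from FRST's author, the Python below parses FRST "One Month Created/Modified" and "Files in the root" lines, decodes the attribute column, and partitions the entries so clock garbage is not mistaken for fresh activity. The sample input is constructed from lines quoted in the log; the "One Month Created" header is FRST's own wording, supplied because the quoted log begins mid-section; the scan time 2017-06-03 09:02 is taken from the FRST.txt entry in the listing.

```python
"""Triage parser for Farbar Recovery Scan Tool (FRST) file listings (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Reference point for "recent": creation time of FRST.txt in the listing above.
SCAN_TIME = datetime(2017, 6, 3, 9, 2)

# Constructed sample: lines copied from the FRST.txt quoted in the post.
SAMPLE_LOG = r"""
==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2099-12-31 47632:438 - 61320-153-64 54288:431 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Temp
2099-12-31 22080:438 - 61320-153-64 24208:702 - 00000000 _RSHD C:\WINDOWS\system32\dllcache
2017-06-03 09:01 - 2017-06-01 08:54 - 01772032 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2017-06-01 08:25 - 2017-06-01 08:25 - 00000000 ____D C:\WINDOWS\CSC
2017-05-14 13:54 - 2017-05-14 13:54 - 00000000 ___HD C:\WINDOWS\$NtUninstallKB4012598$

==================== One Month Modified files and folders ========

2017-06-01 09:42 - 2002-07-17 11:09 - 00000278 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2044-02-15 00:50 - 2002-05-31 14:37 - 00000402 _____ C:\WINDOWS\commigrate.log

==================== Files in the root of some directories =======

2003-12-04 18:28 - 2017-03-05 13:18 - 0047104 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
"""

HEADER_RE = re.compile(r"^=+\s+(.*?)\s+=+\s*$")
# <timestamp> - <timestamp> - <size> <5-char attrs> [(Company) ]<path>
ENTRY_RE = re.compile(
    r"^(?P<ts1>\S+ \S+) - (?P<ts2>\S+ \S+) - (?P<size>\d+) "
    r"(?P<attrs>[A-Z_]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
# Standard Windows attribute letters as FRST prints them; position is not relied on.
ATTR_NAMES = {"R": "read-only", "S": "system", "H": "hidden", "D": "directory"}


@dataclass
class FrstEntry:
    section: str
    ts1_raw: str                 # first timestamp: the one the section is sorted on
    ts2_raw: str
    size: int
    attrs: str
    company: Optional[str]       # None when FRST prints no "(Company)" field
    path: str
    ts1: Optional[datetime] = None
    ts1_status: str = "invalid"  # "ok", "future" or "invalid"

    def flags(self) -> List[str]:
        return [ATTR_NAMES[c] for c in self.attrs if c in ATTR_NAMES]


def parse_timestamp(raw: str, reference: datetime) -> Tuple[Optional[datetime], str]:
    """Unrenderable FILETIMEs come out as impossible dates that strptime rejects;
    a date later than the scan itself is equally unusable as evidence."""
    try:
        ts = datetime.strptime(raw, "%Y-%m-%d %H:%M")
    except ValueError:
        return None, "invalid"
    return ts, ("future" if ts > reference else "ok")


def parse_frst_listing(text: str, reference: datetime = SCAN_TIME) -> List[FrstEntry]:
    entries: List[FrstEntry] = []
    section = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("("):   # blank lines and FRST's own notes
            continue
        h = HEADER_RE.match(line)
        if h:
            section = h.group(1)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                            # not a file entry
        e = FrstEntry(section, m["ts1"], m["ts2"], int(m["size"]), m["attrs"],
                      m["company"], m["path"])
        e.ts1, e.ts1_status = parse_timestamp(e.ts1_raw, reference)
        entries.append(e)
    return entries


def triage(entries: List[FrstEntry], reference: datetime = SCAN_TIME,
           window: timedelta = timedelta(days=31)) -> Dict[str, List[str]]:
    """Bucket paths: genuinely recent, older, clock garbage, and system+hidden."""
    out: Dict[str, List[str]] = {"recent": [], "older": [], "bad_clock": [], "hidden_system": []}
    for e in entries:
        if e.ts1_status != "ok":
            out["bad_clock"].append(e.path)
        elif reference - e.ts1 <= window:
            out["recent"].append(e.path)
        else:
            out["older"].append(e.path)
        if "S" in e.attrs and "H" in e.attrs:
            out["hidden_system"].append(e.path)
    return out


if __name__ == "__main__":
    for bucket, paths in triage(parse_frst_listing(SAMPLE_LOG)).items():
        print(f"{bucket} ({len(paths)})")
        for p in paths:
            print("   ", p)
```

Run against the full FRST.txt, the `bad_clock` bucket absorbs the hundreds of `2099-12-31` entries so that the `recent` bucket is short enough to read entry by entry; `hidden_system` is worth a look because it is the attribute combination that keeps a file out of a default Explorer view, although on XP it also legitimately covers `dllcache` and `ntuser.ini`.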



#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,469 posts
  • Gender:Male
  • Local time:03:43 PM

Posted 08 June 2017 - 11:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/648463 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 clemente2 (Topic Starter)

  • Members
  • 34 posts
  • Local time:12:43 PM

Posted 10 June 2017 - 11:45 AM

As requested, I have run the most recent 32-bit version of FRST and have attached the logs.

---------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-06-2017 01
Ran by Administrator (administrator) on SEMPRON3000 (10-06-2017 09:37:00)
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: FF)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(HP) C:\WINDOWS\System32\HPZipm12.exe
(Microsoft Corporation) C:\WINDOWS\System32\WUAUCLT.EXE
(Microsoft Corporation) C:\WINDOWS\System32\wscntfy.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKU\S-1-5-21-1708537768-1935655697-1343024091-500\...\MountPoints2: ##celerond326a#cd1 (q) - Z:\Autoplay.exe -auto
HKU\S-1-5-18\...\RunOnce: [Printing Migration] => rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters
HKU\S-1-5-18\...\RunOnce: [tscuninstall] => C:\WINDOWS\system32\tscupgrd.exe [40960 2002-08-28] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [RunNarrator] => C:\WINDOWS\system32\Narrator.exe [53760 2008-04-14] (Microsoft Corporation)
Lsa: [Notification Packages] scecli kbrsdilt.dll
ShellIconOverlayIdentifiers: [SlowFile Icon Overlay] -> {7D688A77-C613-11D0-999B-00C04FD655E1} =>  -> No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyServer: [.DEFAULT] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [.DEFAULT] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
ProxyServer: [S-1-5-19] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [S-1-5-19] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
ProxyServer: [S-1-5-20] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [S-1-5-20] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
ProxyServer: [S-1-5-21-1708537768-1935655697-1343024091-500] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
AutoConfigURL: [S-1-5-21-1708537768-1935655697-1343024091-500] => ftp=192.168.0.1:80;http=192.168.0.1:80;https=192.168.0.1:80;socks=192.168.0.1:1080
Winsock: Catalog5 01 C:\Program Files\Bonjour\mdnsNSP.dll [94208 2006-02-28] (Apple Computer, Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.62 209.18.47.61
Tcpip\..\Interfaces\{50C57E3C-A8AC-4967-8141-2272FF62D6B2}: [NameServer] 192.168.0.1
Tcpip\..\Interfaces\{7E832B1C-40D1-4976-95CC-0F0BAC8CCF91}: [NameServer] 24.51.240.2,206.13.29.12
Tcpip\..\Interfaces\{E46AA575-BE18-4C2B-ADA4-6C5C5E92A1F3}: [DhcpNameServer] 76.85.229.110 76.85.229.111
Tcpip\..\Interfaces\{FA8E2DDA-98DA-4598-A92D-36ED6D87A5AB}: [DhcpNameServer] 209.18.47.62 209.18.47.61
 
Internet Explorer:
==================
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-19\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-20\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1708537768-1935655697-1343024091-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1708537768-1935655697-1343024091-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKLM - ProtoHandler Class - {724F6607-4698-48F8-903F-120EA084E3F9} - C:\PROGRAM FILES\BROWSERENH\IE.DLL No File
URLSearchHook: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
BHO: ContributeBHO Class -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> M:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16] (Adobe Systems Incorporated.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-07-27] (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> n:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15] (Safer Networking Limited)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> Q:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
BHO: CAdBlocker Object -> {E24AD748-155E-4254-B674-4EDF86E7E1DF} -> C:\Program Files\Acronis\PrivacyExpert\Blocker.dll [2009-01-26] (Acronis)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKLM - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - M:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll [2007-03-16] (Adobe Systems Incorporated.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKU\.DEFAULT -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\.DEFAULT -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-19 -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\S-1-5-20 -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx [2008-04-14] ()
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> PowerSearch - {4E7BD74F-2B8D-469E-D1F0-E56FA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrscznc.dll No File
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> No Name - {4E7BD74F-2B8D-469E-C0FF-FD63B399BC7D} -  No File
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-07-27] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1708537768-1935655697-1343024091-500 -> No Name - {41564952-412D-5637-00A7-7A786E7484D7} -  No File
DPF: {00000075-9980-0010-8000-00AA00389B71} hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1306364967734
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37970.7198148148
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll [2008-04-14] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2000-12-22] (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - Q:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2011-10-10] (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Handler: vnd.ms.radio - {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx [2008-04-14] ()
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default [2008-12-05]
FF Session Restore: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> is enabled.
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ftp", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ftp_port", 80
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> http", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> http_port", 80
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> no_proxies_on", "*.local"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> socks", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> socks_port", 1080
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ssl", "192.168.0.1"
FF NetworkProxy: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default -> ssl_port", 80
FF Extension: (Ancestry.com Advanced Image Viewer) - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default\Extensions\support@ancestry.com [2010-04-12] [not signed]
FF Extension: (EPUBReader) - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default\Extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F} [2017-02-18]
FF Extension: (Microsoft .NET Framework Assistant) - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\d5w206l9.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011-05-31] [not signed]
FF HKLM\...\Firefox\Extensions: [{86058C3D-8A47-4897-BAD8-A2B33A78AEB1}] - C:\Documents and Settings\Administrator\Local Settings\Application Data\{86058C3D-8A47-4897-BAD8-A2B33A78AEB1}
FF Extension: (XULRunner) - C:\Documents and Settings\Administrator\Local Settings\Application Data\{86058C3D-8A47-4897-BAD8-A2B33A78AEB1} [2009-11-01] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-05-25] [not signed]
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - V:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - V:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013-01-03] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll [2013-01-03] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\System32\Adobe\Director\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
FF Plugin: Adobe Acrobat -> V:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll [2012-07-27] (Adobe Systems Inc.)
StartMenuInternet: FIREFOX.EXE - M:\Program Files\Mozilla Firefox\firefox.exe
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [804528 2010-11-23] (Acronis)
S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2004-03-30] () [File not signed]
S4 AdobeVersionCue; I:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe [61440 2003-10-13] (Adobe Sytems) [File not signed]
S4 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3246040 2012-06-01] (Acronis)
S4 Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [229376 2006-02-28] (Apple Computer, Inc.) [File not signed]
S4 CPUCooLServer; L:\Program Files\CPUCooL\CooLSrv.exe [20480 2003-03-31] () [File not signed]
S4 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2011-06-03] (Macrovision Europe Ltd.) [File not signed]
S4 Iomega App Services; C:\Program Files\Iomega\System32\AppServices.exe [73728 2002-09-04] (Iomega Corporation) [File not signed]
S4 Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [68096 2003-10-05] () [File not signed]
S4 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [270336 2001-02-23] (Microsoft Corporation) [File not signed]
S3 MozillaMaintenance; C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe [146888 2016-08-24] (Mozilla Foundation) [File not signed]
S4 paamsrv; C:\Program Files\Common Files\Acronis\ProcessActivityMonitor\paamsrv.exe [676053 2009-01-26] () [File not signed]
S4 Pctspk; C:\WINDOWS\system32\pctspk.exe [86016 2001-08-17] (PCtel, Inc.)
S4 Pml Driver; C:\WINDOWS\System32\HPHipm09.exe [77824 2001-10-25] (HP)
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [69632 2004-09-29] (HP) [File not signed]
S3 SCardDrv; C:\WINDOWS\System32\SCardSvr.exe [95744 2008-04-14] (Microsoft Corporation)
S4 SkypeUpdate; Q:\Program Files\Skype\Updater\Updater.exe [160944 2012-07-13] (Skype Technologies)
S4 Iomega Activity Disk2; "" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 3dfxvs; C:\WINDOWS\System32\DRIVERS\3dfxvsm.sys [148352 2001-08-17] (3dfx Interactive, Inc.)
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2279424 2004-10-01] (Realtek Semiconductor Corp.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
U4 Claloo; no ImagePath
S3 cmpci; C:\WINDOWS\System32\drivers\cmaudio.sys [357070 2001-12-10] (C-Media Inc) [File not signed]
S3 cmuda; C:\WINDOWS\System32\drivers\cmuda.sys [743887 2003-05-29] (C-Media Inc)
S3 Dot4 HPH09; C:\WINDOWS\System32\DRIVERS\hphid409.sys [50704 2001-10-25] (HP)
S3 Dot4Print HPH09; C:\WINDOWS\System32\DRIVERS\hphipr09.sys [15984 2001-10-25] (HP)
S3 Dot4Scan; C:\WINDOWS\System32\DRIVERS\Dot4Scan.sys [8704 2001-08-17] (Microsoft Corporation)
S3 Dot4Storage HPH09; C:\WINDOWS\System32\Drivers\hphs2k09.sys [50179 2001-10-25] (Hewlett-Packard)
S3 Dot4Usb HPH09; C:\WINDOWS\System32\drivers\hphius09.sys [18864 2001-10-25] (HP)
S3 es1371; C:\WINDOWS\System32\drivers\es1371mp.sys [40832 2002-06-03] (Creative Technology Ltd.)
R3 FETNDIS; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [27165 2001-08-17] (VIA Technologies, Inc.              )
S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-14] (Microsoft Corporation)
R0 iomdisk; C:\WINDOWS\System32\DRIVERS\iomdisk.sys [30258 2002-09-04] (Iomega Corporation) [File not signed]
S3 msgame; C:\WINDOWS\System32\DRIVERS\msgame.sys [35200 2001-08-17] (Microsoft Corporation)
S3 ms_mpu401; C:\WINDOWS\System32\drivers\msmpu401.sys [2944 2001-08-17] (Microsoft Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R2 npf; C:\WINDOWS\System32\drivers\npf.sys [34064 2007-11-15] (CACE Technologies)
R1 ntiowp; C:\WINDOWS\system32\Drivers\ntiowp.sys [10240 2003-03-08] () [File not signed]
R2 NwlnkIpx; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-14] (Microsoft Corporation)
R2 NwlnkNb; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [63232 2008-04-14] (Microsoft Corporation)
R2 NwlnkSpx; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [55936 2008-04-14] (Microsoft Corporation)
S3 P1370Aud; C:\WINDOWS\system32\Drivers\P1370Aud.sys [93056 2005-12-05] (Creative Technology Ltd.)
S3 P1370Aul; C:\WINDOWS\system32\Drivers\P1370Aul.sys [4992 2005-12-06] (Creative Technology Ltd.)
S3 P1370Vfx; C:\WINDOWS\System32\DRIVERS\P1370Vfx.sys [6272 2006-03-24] (EyePower Games Pte. Ltd.)
S3 P1370VID; C:\WINDOWS\System32\DRIVERS\P1370Vid.sys [297792 2006-06-20] (Creative Technology Ltd.)
R2 pamondrv; C:\WINDOWS\System32\DRIVERS\pamondrv.sys [43520 2009-01-26] () [File not signed]
S3 pnicII; C:\WINDOWS\System32\DRIVERS\lne100.SYS [20573 2001-08-17] (The Linksts Group )
S3 Ptserial; C:\WINDOWS\System32\DRIVERS\ptserial.sys [120209 2002-03-13] (PCTEL, INC.) [File not signed]
S3 Ptserlp; C:\WINDOWS\System32\DRIVERS\ptserlp.sys [112574 2001-08-17] (PCTEL, INC.)
S3 SISNIC; C:\WINDOWS\System32\DRIVERS\sisnic.sys [32768 2008-04-13] (SiS Corporation)
S3 USRTI; C:\WINDOWS\System32\DRIVERS\USRTI.SYS [765884 2001-08-17] (U.S. Robotics, Inc.)
R3 viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [172544 2005-03-08] (Copyright © VIA/S3 Graphics Co, Ltd.)
R0 Vmodem; C:\WINDOWS\System32\DRIVERS\vmodem.sys [604253 2001-08-17] (PCTEL, INC.)
R0 Vpctcom; C:\WINDOWS\System32\DRIVERS\vpctcom.sys [397502 2001-08-17] (PCtel, Inc.)
R0 Vvoice; C:\WINDOWS\System32\DRIVERS\vvoice.sys [64605 2001-08-17] (PCtel, Inc.)
S4 hpt3xx; no ImagePath
S4 IntelIde; no ImagePath
S3 PCI_Ctrl; \??\C:\WINDOWS\system32\drivers\PCI_Ctrl.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2099-12-31 9600:427 - 61320-153-64 53160:438 - 00000000 ___SD C:\Documents and Settings\All Users\Application Data\Microsoft
2099-12-31 8680:695 - 61320-153-64 5016:696 - 00000000 ___SD C:\Documents and Settings\Default User\Application Data\Microsoft
2099-12-31 7248:428 - 61320-153-64 64264:430 - 00000000 ____D C:\Program Files\microsoft frontpage
2099-12-31 7248:428 - 61320-153-64 62000:427 - 00000000 ____D C:\Program Files\Online Services
2099-12-31 7248:428 - 61320-153-64 46432:427 - 00000000 ____D C:\Program Files\Windows NT
2099-12-31 7248:428 - 61320-153-64 36768:416 - 00000000 ___HD C:\Program Files\WindowsUpdate
2099-12-31 7248:428 - 61320-153-64 34208:432 - 00000000 ____D C:\Program Files\xerox
2099-12-31 7248:428 - 61320-153-64 34160:432 - 00000000 ____D C:\Program Files\Messenger
2099-12-31 7248:428 - 61320-153-64 14976:426 - 00000000 ____D C:\Program Files\Movie Maker
2099-12-31 7248:428 - 61320-153-64 14840:432 - 00000000 ____D C:\Program Files\ComPlus Applications
2099-12-31 6880:428 - 61320-153-64 5824:428 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings\History
2099-12-31 6880:428 - 61320-153-64 43056:427 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings\Application Data
2099-12-31 6880:428 - 61320-153-64 40976:416 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files
2099-12-31 6880:428 - 61320-153-64 1392:428 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Temp
2099-12-31 65208:702 - 61320-153-64 7600:428 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
2099-12-31 65040:431 - 61320-153-64 50760:438 - 00000000 ___SD C:\Documents and Settings\LocalService\Local Settings\History
2099-12-31 65040:431 - 61320-153-64 40008:427 - 00000000 ___SD C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
2099-12-31 65040:431 - 61320-153-64 23040:429 - 00000000 ___HD C:\Documents and Settings\LocalService\Local Settings\Application Data
2099-12-31 65040:431 - 61320-153-64 144:432 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Temp
2099-12-31 6448:432 - 61320-153-64 800:428 - 00000000 ___RD C:\Documents and Settings\All Users\Documents
2099-12-31 6448:432 - 61320-153-64 55800:421 - 00000000 ____D C:\Documents and Settings\All Users\Desktop
2099-12-31 6448:432 - 61320-153-64 39144:427 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu
2099-12-31 6448:432 - 61320-153-64 35688:438 - 00000000 __RHD C:\Documents and Settings\All Users\Application Data
2099-12-31 6448:432 - 61320-153-64 33752:421 - 00000000 ___HD C:\Documents and Settings\All Users\Templates
2099-12-31 6448:432 - 61320-153-64 31648:421 - 00000000 ____D C:\Documents and Settings\All Users\Favorites
2099-12-31 6224:428 - 61320-153-64 22000:437 - 00000000 ____D C:\WINDOWS\system32\config\systemprofile
2099-12-31 608:432 - 61320-153-64 56680:435 - 00000000 ___SD C:\Documents and Settings\LocalService\Application Data\Microsoft
2099-12-31 54184:417 - 61320-153-64 51248:421 - 00000000 __SHD C:\System Volume Information
2099-12-31 54184:417 - 61320-153-64 1288:428 - 00000000 ____D C:\Documents and Settings
2099-12-31 4656:696 - 61320-153-64 32048:427 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs
2099-12-31 45080:428 - 61320-153-64 9568:429 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Startup
2099-12-31 45080:428 - 61320-153-64 8536:428 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\MP3 WAV Converter
2099-12-31 45080:428 - 61320-153-64 8200:425 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Clip Gallery
2099-12-31 45080:428 - 61320-153-64 8176:438 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Hardware
2099-12-31 45080:428 - 61320-153-64 65216:427 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\WinZip
2099-12-31 45080:428 - 61320-153-64 64984:431 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\HP DeskJet 880C Series v11.1
2099-12-31 45080:428 - 61320-153-64 63384:427 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak Digital Science
2099-12-31 45080:428 - 61320-153-64 61296:439 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
2099-12-31 45080:428 - 61320-153-64 608:432 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\The Print Shop Signature Greetings 1.0
2099-12-31 45080:428 - 61320-153-64 58552:701 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\PolyView
2099-12-31 45080:428 - 61320-153-64 54352:435 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Ulead Photo Explorer 4.2
2099-12-31 45080:428 - 61320-153-64 53048:438 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Multimedia
2099-12-31 45080:428 - 61320-153-64 47920:427 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\HD Tach
2099-12-31 45080:428 - 61320-153-64 4744:696 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Bureau Multimedia
2099-12-31 45080:428 - 61320-153-64 44976:427 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\OLYMPUS CAMEDIA Master
2099-12-31 45080:428 - 61320-153-64 400:428 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Games
2099-12-31 45080:428 - 61320-153-64 29824:433 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2099-12-31 45080:428 - 61320-153-64 28568:437 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Ghost
2099-12-31 45080:428 - 61320-153-64 28120:429 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
2099-12-31 45080:428 - 61320-153-64 27832:421 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\WinRAR
2099-12-31 45080:428 - 61320-153-64 21688:437 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\QuarkXPress
2099-12-31 45080:428 - 61320-153-64 20416:426 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\HP PhotoSmart
2099-12-31 43896:427 - 61320-153-64 8200:425 - 00000000 ___SD C:\Documents and Settings\NetworkService\Application Data\Microsoft
2099-12-31 38776:427 - 61320-153-64 64984:702 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data
2099-12-31 38776:427 - 61320-153-64 12592:430 - 00000000 ___SD C:\Documents and Settings\LocalService\Cookies
2099-12-31 38776:427 - 61320-153-64 12456:695 - 00000000 ___HD C:\Documents and Settings\LocalService\Local Settings
2099-12-31 35664:438 - 61320-153-64 57976:701 - 00000000 ___HD C:\Documents and Settings\Default User\Local Settings\Application Data
2099-12-31 35664:438 - 61320-153-64 4768:429 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\Temp
2099-12-31 35664:438 - 61320-153-64 37128:421 - 00000000 ___SD C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
2099-12-31 35664:438 - 61320-153-64 32320:426 - 00000000 ___SD C:\Documents and Settings\Default User\Local Settings\History
2099-12-31 34520:438 - 61320-153-64 9688:695 - 00000000 ____D C:\WINDOWS\system32\mui
2099-12-31 34520:438 - 61320-153-64 9664:695 - 00000000 ____D C:\WINDOWS\system32\1037
2099-12-31 34520:438 - 61320-153-64 9280:695 - 00000000 ____D C:\WINDOWS\system32\config
2099-12-31 34520:438 - 61320-153-64 9144:695 - 00000000 ____D C:\WINDOWS\system32\MsDtc
2099-12-31 34520:438 - 61320-153-64 8728:695 - 00000000 ____D C:\WINDOWS\system32\1041
2099-12-31 34520:438 - 61320-153-64 8512:695 - 00000000 ____D C:\WINDOWS\system32\wbem
2099-12-31 34520:438 - 61320-153-64 8416:695 - 00000000 ____D C:\WINDOWS\system32\1054
2099-12-31 34520:438 - 61320-153-64 8368:695 - 00000000 ____D C:\WINDOWS\system32\2052
2099-12-31 34520:438 - 61320-153-64 61072:701 - 00000000 ____D C:\WINDOWS\system32\wins
2099-12-31 34520:438 - 61320-153-64 60904:701 - 00000000 ____D C:\WINDOWS\system32\CatRoot2
2099-12-31 34520:438 - 61320-153-64 58432:701 - 00000000 ____D C:\WINDOWS\system32\IME
2099-12-31 34520:438 - 61320-153-64 58264:701 - 00000000 ____D C:\WINDOWS\system32\ShellExt
2099-12-31 34520:438 - 61320-153-64 58240:701 - 00000000 ____D C:\WINDOWS\system32\3com_dmi
2099-12-31 34520:438 - 61320-153-64 58192:701 - 00000000 ____D C:\WINDOWS\system32\dhcp
2099-12-31 34520:438 - 61320-153-64 57464:701 - 00000000 ____D C:\WINDOWS\system32\Setup
2099-12-31 34520:438 - 61320-153-64 57440:701 - 00000000 ____D C:\WINDOWS\system32\1025
2099-12-31 34520:438 - 61320-153-64 57416:701 - 00000000 ____D C:\WINDOWS\system32\ias
2099-12-31 34520:438 - 61320-153-64 57288:435 - 00000000 ____D C:\WINDOWS\system32\icsxml
2099-12-31 34520:438 - 61320-153-64 56088:435 - 00000000 ____D C:\WINDOWS\system32\npp
2099-12-31 34520:438 - 61320-153-64 51016:428 - 00000000 ____D C:\WINDOWS\system32\1028
2099-12-31 34520:438 - 61320-153-64 4920:423 - 00000000 ____D C:\WINDOWS\system32\oobe
2099-12-31 34520:438 - 61320-153-64 36952:427 - 00000000 ____D C:\WINDOWS\system32\usmt
2099-12-31 34520:438 - 61320-153-64 36416:438 - 00000000 ____D C:\WINDOWS\system32\CatRoot
2099-12-31 34520:438 - 61320-153-64 36224:438 - 00000000 _RSHD C:\WINDOWS\system32\dllcache
2099-12-31 34520:438 - 61320-153-64 36176:438 - 00000000 ____D C:\WINDOWS\system32\1031
2099-12-31 34520:438 - 61320-153-64 36080:438 - 00000000 ____D C:\WINDOWS\system32\xircom
2099-12-31 34520:438 - 61320-153-64 35616:438 - 00000000 ____D C:\WINDOWS\system32\inetsrv
2099-12-31 34520:438 - 61320-153-64 34328:438 - 00000000 ____D C:\WINDOWS\system32\Com
2099-12-31 34520:438 - 61320-153-64 31848:433 - 00000000 ____D C:\WINDOWS\system32\1033
2099-12-31 34520:438 - 61320-153-64 29776:433 - 00000000 _____ C:\WINDOWS\system32\h323log.txt
2099-12-31 34520:438 - 61320-153-64 26168:417 - 00000000 ____D C:\WINDOWS\system32\Restore
2099-12-31 34520:438 - 61320-153-64 26048:433 - 00000000 ____D C:\WINDOWS\system32\ras
2099-12-31 34520:438 - 61320-153-64 25888:433 - 00000000 ____D C:\WINDOWS\system32\spool
2099-12-31 34520:438 - 61320-153-64 25632:433 - 00000000 ____D C:\WINDOWS\system32\DirectX
2099-12-31 34520:438 - 61320-153-64 14152:695 - 00000000 ____D C:\WINDOWS\system32\1042
2099-12-31 34520:438 - 61320-153-64 14104:695 - 00000000 ____D C:\WINDOWS\system32\3076
2099-12-31 34520:438 - 61320-153-64 14064:695 - 00000000 ____D C:\WINDOWS\system32\export
2099-12-31 32048:427 - 61320-153-64 6784:423 - 00000000 ___HD C:\Documents and Settings\Default User\Recent
2099-12-31 32048:427 - 61320-153-64 6320:426 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu
2099-12-31 32048:427 - 61320-153-64 60808:431 - 00000000 ___SD C:\Documents and Settings\Default User\Cookies
2099-12-31 32048:427 - 61320-153-64 60520:427 - 00000000 __RHD C:\Documents and Settings\Default User\Application Data
2099-12-31 32048:427 - 61320-153-64 51592:428 - 00000000 ___HD C:\Documents and Settings\Default User\NetHood
2099-12-31 32048:427 - 61320-153-64 50176:693 - 00000000 __RHD C:\Documents and Settings\Default User\Local Settings
2099-12-31 32048:427 - 61320-153-64 49496:427 - 00000000 ___HD C:\Documents and Settings\Default User\Templates
2099-12-31 32048:427 - 61320-153-64 40392:427 - 00000000 __RHD C:\Documents and Settings\Default User\SendTo
2099-12-31 32048:427 - 61320-153-64 39616:425 - 00000000 ____D C:\Documents and Settings\Default User\Desktop
2099-12-31 32048:427 - 61320-153-64 38368:428 - 00000000 ___HD C:\Documents and Settings\Default User\PrintHood
2099-12-31 32048:427 - 61320-153-64 35816:426 - 00000000 ____D C:\Documents and Settings\Default User\Favorites
2099-12-31 32048:427 - 61320-153-64 11520:418 - 00000000 ____D C:\Documents and Settings\Default User\My Documents
2099-12-31 31936:433 - 61320-153-64 53944:439 - 00000000 ____D C:\Program Files\Common Files\MSSoap
2099-12-31 31936:433 - 61320-153-64 35760:427 - 00000000 ____D C:\Program Files\Common Files\SpeechEngines
2099-12-31 31184:427 - 61320-153-64 43000:427 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu\Programs\Startup
2099-12-31 31184:427 - 61320-153-64 41216:427 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu\Programs\Accessories
2099-12-31 2888:431 - 61320-153-64 7144:428 - 00000000 ___SD C:\Documents and Settings\NetworkService\Cookies
2099-12-31 2888:431 - 61320-153-64 63640:431 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data
2099-12-31 2888:431 - 61320-153-64 28656:427 - 00000000 ___HD C:\Documents and Settings\NetworkService\Local Settings
2099-12-31 23016:429 - 61320-153-64 29016:421 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
2099-12-31 20416:426 - 61320-153-64 9136:428 - 00000000 ____D C:\WINDOWS\PCHEALTH
2099-12-31 20416:426 - 61320-153-64 63272:431 - 00000000 ____D C:\WINDOWS\ime
2099-12-31 20416:426 - 61320-153-64 51016:428 - 00000000 ____D C:\WINDOWS\Connection Wizard
2099-12-31 20416:426 - 61320-153-64 36456:438 - 00000000 ____D C:\WINDOWS\Driver Cache
2099-12-31 20416:426 - 61320-153-64 36392:438 - 00000000 ____D C:\WINDOWS\security
2099-12-31 20416:426 - 61320-153-64 36032:438 - 00000000 ____D C:\WINDOWS\Debug
2099-12-31 20416:426 - 61320-153-64 35128:438 - 00000000 ____D C:\WINDOWS\Registration
2099-12-31 20416:426 - 61320-153-64 35104:438 - 00000000 ____D C:\WINDOWS\WinSxS
2099-12-31 20416:426 - 61320-153-64 34840:438 - 00000000 ____D C:\WINDOWS\Resources
2099-12-31 20416:426 - 61320-153-64 34744:438 - 00000000 ____D C:\WINDOWS\mui
2099-12-31 20416:426 - 61320-153-64 34576:438 - 00000000 ____D C:\WINDOWS\addins
2099-12-31 20416:426 - 61320-153-64 34328:438 - 00000000 ____D C:\WINDOWS\srchasst
2099-12-31 20416:426 - 61320-153-64 29600:433 - 00000000 ____D C:\WINDOWS\AppPatch
2099-12-31 20416:426 - 61320-153-64 26672:433 - 00000000 ___HD C:\WINDOWS\inf
2099-12-31 20416:426 - 61320-153-64 26648:433 - 00000000 ____D C:\WINDOWS\repair
2099-12-31 20160:432 - 61320-153-64 8896:428 - 00000000 ___RD C:\Documents and Settings\Default User\Start Menu\Programs
2099-12-31 18792:426 - 61320-153-64 448:428 - 00000000 ____D C:\WINDOWS\system32\Drivers\disdn
2099-12-31 18792:426 - 61320-153-64 43896:438 - 00000000 ____D C:\WINDOWS\system32\Drivers\etc
2099-12-31 11544:418 - 61320-153-64 43056:427 - 00000000 __SHD C:\Documents and Settings\LocalService
2099-12-31 11544:418 - 61320-153-64 36832:427 - 00000000 ____D C:\Documents and Settings\All Users
2099-12-31 11544:418 - 61320-153-64 36624:416 - 00000000 __SHD C:\Documents and Settings\NetworkService
2099-12-31 11544:418 - 61320-153-64 22544:418 - 00000000 ___HD C:\Documents and Settings\Default User
2017-06-10 09:37 - 2017-06-10 09:37 - 00020710 _____ C:\Documents and Settings\Administrator\Desktop\FRST.txt
2017-06-10 09:36 - 2017-06-10 05:55 - 01775104 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2017-06-03 09:01 - 2017-06-03 09:01 - 00000000 ____D C:\FRST
2017-06-01 08:25 - 2017-06-01 08:25 - 00000000 ____D C:\WINDOWS\CSC
2017-06-01 08:07 - 2017-06-01 08:07 - 00000000 ____D C:\WINDOWS\erdnt
2017-05-14 13:54 - 2017-05-14 13:54 - 00000000 ___HD C:\WINDOWS\$NtUninstallKB4012598$
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2099-12-31 6224:428 - 1980-01-01 00:00 - 00065536 _____ C:\WINDOWS\system32\config\SecEvent.Evt
2099-12-31 45080:428 - 2001-05-29 10:32 - 00001512 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Picture It!.lnk
2099-12-31 45080:428 - 1996-09-12 00:52 - 00001359 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Exchange.lnk
2099-12-31 38776:427 - 1980-01-01 00:00 - 00001024 ____H C:\Documents and Settings\LocalService\ntuser.dat.ref.LOG
2099-12-31 32048:427 - 1980-01-01 00:00 - 00001024 ____H C:\Documents and Settings\Default User\ntuser.dat.ref.LOG
2099-12-31 2888:431 - 1980-01-01 00:00 - 00001024 ____H C:\Documents and Settings\NetworkService\ntuser.dat.ref.LOG
2099-12-31 20416:426 - 1980-01-01 00:00 - 00000667 _____ C:\WINDOWS\COMMAND.LNK
2099-01-14 03:28 - 1980-01-01 00:00 - 00008192 _____ C:\WINDOWS\REGLOCS.OLD
2092-11-16 20:41 - 1980-01-01 00:00 - 00000086 _____ C:\WINDOWS\vbaddin.ini
2092-09-22 18:06 - 2002-07-17 11:09 - 00000062 ___SH C:\Documents and Settings\Administrator\Application Data\desktop.ini
2044-02-15 00:50 - 2002-05-31 14:37 - 00000402 _____ C:\WINDOWS\commigrate.log
2017-06-10 09:35 - 2004-08-31 13:44 - 00002228 _____ C:\WINDOWS\system32\wpa.dbl
2017-06-10 09:33 - 1998-10-19 17:53 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-03 09:31 - 2002-12-08 17:23 - 00032542 _____ C:\WINDOWS\SchedLgU.Txt
2017-06-03 09:30 - 2002-07-17 11:09 - 00000278 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-06-01 08:47 - 1980-01-01 00:00 - 00017673 _____ C:\WINDOWS\UEDIT32.INI
2017-06-01 08:26 - 2002-07-17 11:08 - 01482358 _____ C:\WINDOWS\ntbtlog.txt
2017-05-31 05:52 - 2008-06-18 14:03 - 00002404 _____ C:\WINDOWS\system32\d3d9caps.dat
2017-05-24 12:00 - 1980-01-01 00:00 - 00000054 _____ C:\WINDOWS\TWUI200.INI
2017-05-24 11:59 - 2011-06-03 10:43 - 00002191 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Acrobat X Pro.lnk
 
==================== Files in the root of some directories =======
 
2002-01-22 21:24 - 2002-01-22 21:24 - 0000560 _____ () C:\Program Files\Global.sw
1998-10-19 17:50 - 1999-10-20 15:48 - 0011079 ____H () C:\Program Files\folder.htt
1996-10-09 20:17 - 1996-10-09 20:17 - 0000000 ___RH () C:\Program Files\Common Files\MSCREATE.DIR
2009-11-01 12:06 - 2009-11-01 12:06 - 0000024 _____ () C:\Documents and Settings\Administrator\Application Data\wiaserva.log
2003-12-04 18:28 - 2017-03-05 13:18 - 0047104 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2007-12-23 08:41 - 2007-12-23 08:41 - 0000032 _____ () C:\Documents and Settings\All Users\Application Data\ezsid.dat
2016-11-13 11:19 - 2016-11-13 11:52 - 0000644 _____ () C:\Documents and Settings\All Users\Application Data\hpzinstall.log
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of FRST.txt ============================


#4 clemente2

clemente2
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 10 June 2017 - 11:48 AM

I have attached the Addition.txt file




#5 polskamachina

polskamachina

  • Malware Study Hall Senior
  • 3,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 12 June 2017 - 10:42 AM

Hi clemente2 :)

 

My name is polskamachina and I would like to welcome you to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 
I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-7 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.

 

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#6 polskamachina

polskamachina

  • Malware Study Hall Senior
  • 3,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 14 June 2017 - 03:37 PM

Hi clemente2 :)
 
I must preface my comments by saying something that may already be obvious to you. Windows XP is an older operating system that is not supported by Microsoft anymore. What that means is that there are no longer any security updates for it. If you still want to use it, you will be more susceptible to security breaches. Though I cannot exactly quantify how much of an increased risk there is, you must use extreme caution when navigating the internet and even that may not be enough to protect you from harm. That being said, please proceed with the following:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would advise you to immediately disconnect this PC from the Internet. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would also be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I cannot guarantee afterwards that it will be 100% secure.
 
In summary:
 
Please let me know whether or not you want to have the malware removed with our cleaning tools or you would rather reformat and reinstall the operating system.
 
Let me know if you have any questions.
 
polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#7 clemente2

clemente2
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Local time:12:43 PM

Posted 14 June 2017 - 08:19 PM

Thank you polskamachina.

 

I would appreciate your assistance in using the tools required to attempt to clean the infected system.



#8 polskamachina

polskamachina

  • Malware Study Hall Senior
  • 3,614 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:12:43 PM

Posted 15 June 2017 - 05:41 PM

Hi clemente2 :)

 
Please perform the following tasks:
 
DISCONNECT YOUR INFECTED COMPUTER FROM THE INTERNET and keep it that way until I tell you otherwise.

We need to vaccinate the USB drive to prevent infection:

Please download USBVaccineSetup.exe from Panda Software to the desktop of your clean / working computer.
note: the download mirror is called MajorGeeks and the download should start automatically. please do not click any advertisements.

  • Insert your USB flash drive into the clean / working computer
  • Double-click on USBVaccineSetup.exe to install the program
  • Select your language, read and accept the agreement to continue
  • Choose if you would like the program to run at all times, and for all newly inserted USB drives
  • Click Next then Finish to complete the installation, the program will launch
  • Select your USB drive from the list, then click Vaccinate USB
    note: optionally you can click Vaccinate computer as well, this disables removable items from automatically running on the system entirely
  • A message should appear that your USB drive was vaccinated. If not please report the error in your next post

Now download the two files below to the portable flash drive you have just vaccinated:

Next:

  • Open Notepad
  • Copy and paste the text below in its entirety into an empty Notepad window
CreateRestorePoint:
CloseProcesses:
MSCONFIG\startupreg: 01indcsg => C:\WINDOWS\System32\01indcsg.exe
MSCONFIG\startupreg: 0dweMq4 => C:\WINDOWS\dwbrgxxq.exe
MSCONFIG\startupreg: 26138727 => C:\DOCUME~1\ALLUSE~1\APPLIC~1\26138727\26138727.exe
Lsa: [Notification Packages] scecli kbrsdilt.dll
  • Save the file to your flash drive as fixlist.txt
  • Eject your flash drive and insert into your infected computer

Next:

  • If you have not already disconnected your infected computer from the internet, please do so now.
  • Power on your infected computer
  • Copy fixlist.txt, AdwCleaner.exe, and mbam-setup-bc.1878-2.2.1.1043.exe from your flash drive to your infected computer's Desktop
  • Note: FRST and fixlist.txt must be in the same folder in order for the fix to work.
  • Run FRST
  • Click on Fix
  • It should only take a few moments for the fix to complete
  • If you are asked to restart your computer, please do so
  • When the fix has completed, a new file will be created named Fixlog.txt, and it will be saved to your Desktop
  • Please copy and paste that log into your next reply to me

Next:

  • Launch AdwCleaner from your desktop
  • The tool will not be able to update because you will be disconnected from the internet but continue anyway
  • Click on the Scan button
  • AdwCleaner will begin...be patient as the scan may take some time to complete
  • After the scan has finished, click on the Logfile button
  • A window will open which lists the logs of your scans
  • Click on the Scan tab
  • Double-click the most recent scan which will be at the top of the list....the log will appear
  • Review the results...see note below
  • After reviewing the log, click on the Clean button
  • Press OK when asked to close all programs and follow the onscreen prompts
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report)
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list
  • Please copy and paste the contents of AdwCleaner[CX].txt in your next reply to me
  • A copy of all logfiles is saved to C:\AdwCleaner.
  • -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.

Next:

  • From your desktop, launch the setup file, mbam-setup-bc.1878-2.2.1.1043.exe, then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system"

  • If you are allowed to bypass the Update Now window (remember, you're still disconnected from the internet) then click the Scan Now >> button. Otherwise, you should get a message saying that the update failed which is ok for now
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".

  • The THREAT SCAN will automatically begin.

  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.

  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

  • After rebooting the computer, copy and paste the mbam.log into your next reply to me
  • To retrieve the Malwarebytes Anti-Malware scan log information:
    • Open Malwarebytes Anti-Malware.
    • Click the History Tab at the top and select Application Logs.
    • Select (check) the box next to Scan Log. Choose the most current scan.
    • Click the View button.
    • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
    • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
    • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system

In summary I will need from you:

  • Fixlog.txt
  • AdwCleaner log
  • Malwarebytes Anti-malware log
  • How is your computer performing now?

Let me know if you have any questions.
 
polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#9 clemente2 (Topic Starter)

Posted 15 June 2017 - 10:31 PM

The version of Malwarebytes that I downloaded (mb3-setup-1878.1878-3.1.2.1733-10139) aborted during setup with the same error documented here:

https://forums.malwarebytes.com/topic/202734-cannot-install-mb3-setup-consumer-3121733-10141-102092/

The error is:

========================
Runtime Error at (49:120):
Invalid Floating Point Operation
========================



#10 polskamachina (Malware Study Hall Senior)

Posted 16 June 2017 - 01:28 PM

Hi clemente2 :)
 
Sorry that you had trouble running the Malwarebytes Anti-Malware program. Please try this link and it will directly download version 2 of the software. You should have better luck with that. If not, let me know.
 
In your next reply to me, don't forget to include:

  • Fixlog.txt
  • AdwCleaner log
  • Malwarebytes Anti-malware log
  • How is your computer performing now?

Let me know if you have any questions.
 
polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#11 clemente2 (Topic Starter)

Posted 16 June 2017 - 01:42 PM

Hi polskamachina

I was able to install version 2 of Malwarebytes.

When I launch the program it aborts with the following:

mbam.exe - Application Error

The application failed to initialize properly (0xc000001d).



#12 clemente2 (Topic Starter)

Posted 16 June 2017 - 01:49 PM

While waiting for Malwarebytes to function, I have attached the other logs requested.

Here is the fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version: 07-06-2017 01
Ran by Administrator (15-06-2017 20:00:51) Run:1
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profiles: Administrator (Available Profiles: Administrator)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
MSCONFIG\startupreg: 01indcsg => C:\WINDOWS\System32\01indcsg.exe
MSCONFIG\startupreg: 0dweMq4 => C:\WINDOWS\dwbrgxxq.exe
MSCONFIG\startupreg: 26138727 => C:\DOCUME~1\ALLUSE~1\APPLIC~1\26138727\26138727.exe
Lsa: [Notification Packages] scecli kbrsdilt.dll
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\01indcsg => key removed successfully.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\0dweMq4 => key removed successfully.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\26138727 => key removed successfully.
HKLM\System\CurrentControlSet\Control\Lsa\\Notification Packages => value restored successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 20:00:51 ====
 
Here is the AdwCleaner[C0].txt:
 
# AdwCleaner v6.047 - Logfile created 15/06/2017 at 20:10:55
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-19.1 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : Administrator - SEMPRON3000
# Running from : C:\Documents and Settings\Administrator\Desktop\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Documents and Settings\All Users\Application Data\26138727
[-] Folder deleted: C:\Documents and Settings\All Users\Application Data\apn
[-] Folder deleted: C:\Documents and Settings\All Users\Application Data\Tarma Installer
[-] Folder deleted: C:\Documents and Settings\All Users\Application Data\Viewpoint
[-] Folder deleted: C:\Documents and Settings\All Users\Start Menu\Programs\Coupons
[-] Folder deleted: C:\Program Files\Coupons
[-] Folder deleted: C:\Program Files\Viewpoint
[-] Folder deleted: C:\Program Files\Yahoo!\Companion
 
 
***** [ Files ] *****
 
[-] File deleted: C:\Program Files\Yahoo!\Common\unyt.exe
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
[-] Key deleted: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
[-] Key deleted: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
[-] Key deleted: HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{4F7D1B07-6203-41F0-947B-A29CC9ECD9B0}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{41564952-412D-5637-00A7-7A786E7484D7}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Value deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{41564952-412D-5637-00A7-7A786E7484D7}]
[-] Value deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
[-] Key deleted: HKU\.DEFAULT\Software\AskPartnerNetwork
[-] Key deleted: HKU\S-1-5-21-1708537768-1935655697-1343024091-500\Software\Viewpoint
[-] Key deleted: HKU\S-1-5-21-1708537768-1935655697-1343024091-500\Software\Yahoo\Companion
[-] Key deleted: HKU\S-1-5-21-1708537768-1935655697-1343024091-500\Software\Yahoo\YFriendsBar
[-] Key deleted: HKU\S-1-5-21-1708537768-1935655697-1343024091-500\Software\YahooPartnerToolbar
[#] Key deleted on reboot: HKU\S-1-5-18\Software\AskPartnerNetwork
[#] Key deleted on reboot: HKCU\Software\Viewpoint
[#] Key deleted on reboot: HKCU\Software\Yahoo\Companion
[#] Key deleted on reboot: HKCU\Software\Yahoo\YFriendsBar
[#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
[-] Key deleted: HKLM\SOFTWARE\MetaStream
[-] Key deleted: HKLM\SOFTWARE\Tarma Installer
[-] Key deleted: HKLM\SOFTWARE\Viewpoint
[-] Key deleted: HKLM\SOFTWARE\Yahoo\Companion
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SaveNow
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Viewpoint Manager
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
[-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [5043 Bytes] - [15/06/2017 20:05:58]
C:\AdwCleaner\AdwCleaner[C0].txt - [5123 Bytes] - [15/06/2017 20:10:55]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [5196 Bytes] ##########
 


#13 clemente2 (Topic Starter)

Posted 16 June 2017 - 01:58 PM

Hi polskamachina

I can install the infected hard drive on another system and run Malwarebytes.

Does Malwarebytes scan the system files and registry of a hard disk that is not the current system disk?



#14 polskamachina (Malware Study Hall Senior)

Posted 16 June 2017 - 02:48 PM

Hi clemente2 :)

"Does malwarebytes scan the system files and registry of a hard disk that is not the current system disk?"

That is a very good question.

I will have to consult with staff about this. I have done it this way myself but it is definitely not optimal. Please hold off performing any other scans, as tempting as it might be, until I get back to you. I'll probably just have you use a different anti-malware tool.

Thanks for your patience.

polskamachina


Member of the Bleeping Computer A.I.I. early response team!

#15 clemente2 (Topic Starter)

Posted 16 June 2017 - 02:59 PM

It would seem that the ability to scan and repair an infected hard disk from a clean system would be optimal.

There should be anti-malware tools that are designed to operate this way.
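On the question raised in posts #13 and #15 (inspecting the registry of a disk that is not the booted system disk), here is an added example; it is not from this thread, from Malwarebytes, AdwCleaner or FRST. From a clean Windows machine it loads the infected disk's offline SYSTEM hive with reg.exe, reads the LSA "Notification Packages" value that the Fixlog in post #12 restored, and reports any entry beyond the default scecli. The drive letter E:, the Windows directory location, the mount name OfflineSYS and the one-entry baseline are all assumptions; adjust them to the disk being examined.

```powershell
# Added example, not part of this thread. Inspect the LSA "Notification Packages"
# value in an offline Windows XP SYSTEM hive from a clean machine. Run from an
# elevated PowerShell prompt; reg.exe load requires administrative rights.

$windir   = 'E:\WINDOWS'                            # ASSUMED: infected disk mounted as E:
$hivePath = "$windir\system32\config\SYSTEM"        # offline SYSTEM hive on that disk
$mount    = 'HKLM\OfflineSYS'                        # ASSUMED: temporary mount point name

# Baseline for a default Windows XP installation: only scecli. Any additional
# DLL listed here is loaded by LSASS at boot and deserves investigation (the
# Fixlog in post #12 shows kbrsdilt.dll had been appended to this value).
$baseline = @('scecli')

& reg.exe load $mount $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hivePath" }

try {
    # Inside a loaded hive there is no CurrentControlSet link; the Select key
    # records which ControlSetNNN was current at the machine's last boot.
    $sel    = Get-ItemProperty -Path "HKLM:\OfflineSYS\Select"
    $csName = 'ControlSet{0:D3}' -f [int]$sel.Current
    $lsaKey = "HKLM:\OfflineSYS\$csName\Control\Lsa"

    # REG_MULTI_SZ is returned as a string array; wrap in @() so a single
    # entry is still iterated as a one-element array.
    $packages = @((Get-ItemProperty -Path $lsaKey).'Notification Packages')

    foreach ($pkg in $packages) {
        if ($baseline -contains $pkg) {            # -contains is case-insensitive
            Write-Output ("OK         {0}" -f $pkg)
        } else {
            Write-Output ("SUSPICIOUS {0}  (not in baseline; look for the DLL under {1}\system32)" -f $pkg, $windir)
        }
    }
}
finally {
    # Release handles to the loaded hive, then unload it so the disk can be detached.
    $sel = $packages = $null
    [gc]::Collect()
    & reg.exe unload $mount | Out-Null
}
```

Because the hive is loaded into the clean machine's registry rather than the infected disk being booted, nothing on that disk executes during the check. The same load-and-read pattern applies to the SOFTWARE hive, where the MSConfig\startupreg entries removed by the Fixlog live, and to each user's NTUSER.DAT for per-user autostart keys.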