
Followed misguided directions on another site to run TDSSKiller


This topic is locked. 50 replies to this topic.

#1 Error409

Posted 20 February 2018 - 05:17 PM

Hi

First of all, I am aware I didn't paste the contents of the FRST.txt and Addition.txt log files.

I don't know how strict Bleeping Computer is on this rule, but please allow me to elaborate on my reason.

I hope at least a reply will be received even though I knowingly started this post excluding the log files. (I do have a reason, if you will allow me the opportunity to explain.)

I ran TDSSKiller.exe by Kaspersky recently because I had been suspicious of TDSS rootkits that were causing browser redirects to advertisements. I followed a poorly guided list of directions on another website that I downloaded TDSSKiller from. After learning on Bleeping Computer about the proper usage instructions for running TDSSKiller from the detailed tutorial, TDSSKiller was obviously run improperly. But since I understand the proper procedures now, I was hoping that I could receive a reply on what might be the best step going forward.

These are the procedures I have performed so far:

I downloaded TDSSKiller from a different website. I scanned with TDSSKiller ver 3.1.0.16 without renaming the program before running it. After finishing the scan, TDSSKiller created a quarantine subfolder with (3) DTA files, with 1 KB, and also (11) config setting files in the folder TDSSKiller_Quarantine under root directory C:\

First three mistakes I made were: (1) Not renaming the TDSSKiller.exe program before running it. (2) Not downloading it to a clean computer and transferring it to the infected computer. (3) Clicking on "Delete" when I should have selected "Skip" and then "Continue". The program instead quarantined the mentioned files, bypassing "Cure".

I can't tell fully yet what bearing TDSSKiller had, if at all, on removing any rootkits, since I can't identify rootkit files by filename. This is what I can see in Windows Explorer. A subfolder was created by the removal program called tdlfs0000 holding a total of (21) files that contain (10) DTA files, where (3) of those DTA files hold 1 KB and the remaining (7) DTA files have 0 KB. They are under a subfolder named 09.02.2018-08.22.39 under the TDSSKiller_Quarantine folder in the C:\ root directory.

My reason for omitting the FRST report is that I will need to download Windows AIK first, and also launch a tool to make a bootable media, which could be avoidable depending upon the circumstances that I created by the procedures I ran. My reasoning to post this first was to learn if I'm missing any safeguards I might want to consider if I delete all the DTA files and configuration settings files saved by the program. It's basically because of the fact that the Kaspersky program, in the manner I ran it, appears to have quarantined some type of files, and I don't know whether or not they're rootkits, or necessary files for the operating system to run properly.

I'm just amiss on how to proceed forward at this point. Thank you for reading this. I appreciate any help at this point.


Edited by hamluis, 20 February 2018 - 08:22 PM.
Moved from MRL to Am I infected - Hamluis.




#2 JSntgRvr

Master Surgeon General, Malware Response Team

Posted 21 February 2018 - 12:00 PM

Are you able to boot in Normal Mode? How about in the Recovery Environment (WinRE)? Which version of Windows is being run?


No request for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Error409 (Topic Starter)

Posted 21 February 2018 - 01:55 PM

In reply to JSntgRvr:

I can boot in normal mode.

I would have to install recovery console from the Windows CD.

Running WinXP SP3.

My primary concern that I'm uneasy about is whether or not to delete all of those quarantined files to the recycle bin, and then start all over with the Kaspersky program.

I have no idea what those files are that are sitting in quarantine.

One major point left out of my post that I could not edit back in, due to time, is the following:

I downloaded TDSSKiller from a site other than BC, however when I launched it, I did NOT click to save it anywhere. I just ran it. The program did not install anywhere in my hard drive. Since I was not in full trust of the source / site where I downloaded it, I just ran it allowing it to scan for rootkits.

#4 JSntgRvr

Master Surgeon General, Malware Response Team

Posted 21 February 2018 - 02:03 PM

Since you can boot in Normal Mode, let's take a look at your system.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

 


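Once FRST.txt is posted, the helper reads it for the markers FRST itself writes into the log: [X] on a service or driver whose registered file is gone, [File not signed], <not found>, an empty vendor field ( ) and <==== ATTENTION. The Python 3 script below is an added example, not code from this thread or from the FRST tool: it parses lines in the FRST.txt service/driver format and lists the entries carrying those markers, run over sample lines constructed from the kinds of entries that appear in the log posted later in this thread. The line-format regex, the tag names and the reading of the state code (R = running, S = stopped, digit = start type) are my own assumptions about the format, not documentation from FRST.

```python
import re

# Constructed sample in the FRST.txt line format. The entries mirror the kinds
# seen in the log posted later in this thread; the parser itself is an added
# example and is not part of FRST.
SAMPLE_FRST_LINES = r"""
==================== Services (Whitelisted) ====================
R2 lxee_device; C:\WINDOWS\system32\lxeecoms.exe [598696 2010-04-14] ( )
R2 NortonSecurity; C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\NortonSecurity.exe [290024 2018-01-26] (Symantec Corporation)
U3 TlntSvr; no ImagePath
===================== Drivers (Whitelisted) ======================
R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-14] (Microsoft Corporation)
R1 OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [13632 2001-08-22] (Dell Computer Corporation) [File not signed]
U3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [24688 2018-02-10] ()
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]
GroupPolicyScripts: Restriction <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\Exts\Chrome.crx <not found>
"""

# Assumed layout of a service/driver line:
#   "<state> <name>; <path> [<size> <date>] (<vendor>) [File not signed]"
# The state code is read as R = running, S = stopped (U also appears), with the
# digit taken to be the Windows start type (0 boot ... 4 disabled).
ENTRY_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
META_RE = re.compile(r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\]")
VENDOR_RE = re.compile(r"^\s*\((?P<vendor>[^()]*)\)")


def parse_entry(line):
    """Parse one service/driver line into a dict, or return None for other lines."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    entry = {"state": m.group("state"), "name": m.group("name").strip(),
             "path": rest, "size": None, "date": None, "vendor": None, "tags": []}
    meta = META_RE.search(rest)
    if meta:
        # Split on the [size date] block first, so parentheses inside the path
        # (e.g. "Program Files (x86)") are never mistaken for the vendor field.
        entry["path"] = rest[:meta.start()].strip()
        entry["size"] = int(meta.group("size"))
        entry["date"] = meta.group("date")
        tail = rest[meta.end():]
        v = VENDOR_RE.match(tail)
        if v:
            entry["vendor"] = v.group("vendor").strip()
            tail = tail[v.end():]
        if "[File not signed]" in tail:
            entry["tags"].append("unsigned")
        if not entry["vendor"]:
            entry["tags"].append("no-vendor")      # "( )" or "()" in the log
    elif rest.endswith("[X]"):
        entry["path"] = rest[:-3].strip()
        entry["tags"].append("file-missing")       # registered file is gone from disk
    elif rest == "no ImagePath":
        entry["path"] = ""
        entry["tags"].append("no-imagepath")
    return entry


def triage(log_text):
    """Return the entries a reviewer would look at first, each with its reason tags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):       # skip blanks and section banners
            continue
        if "<==== ATTENTION" in line:
            findings.append({"label": line, "tags": ["attention"]})
        elif "<not found>" in line:
            findings.append({"label": line, "tags": ["file-missing"]})
        else:
            entry = parse_entry(line)
            if entry and entry["tags"]:
                findings.append({"label": entry["name"], "tags": entry["tags"],
                                 "path": entry["path"], "vendor": entry["vendor"]})
    return findings


def render_report(findings):
    """Plain-text table of the findings, suitable for pasting into a reply."""
    lines = ["%-14s %-20s %s" % ("tags", "entry", "path")]
    for f in findings:
        lines.append("%-14s %-20s %s" % (",".join(f["tags"]), f["label"][:20], f.get("path", "")))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(triage(SAMPLE_FRST_LINES)))
```

A tag only marks an entry for review; on the page's log, for instance, orphaned [X] entries can just as well be leftovers of uninstalled tools as anything malicious, so each one still needs a human look.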


#5 JSntgRvr

Master Surgeon General, Malware Response Team

Posted 21 February 2018 - 02:06 PM

Quoting Error409: "I have no idea what those files are that are sitting in quarantine."

Is there a way to post a report with the file names?




#6 Error409 (Topic Starter)

Posted 21 February 2018 - 03:27 PM

 

Quoting JSntgRvr:

I have no idea what those files are that are sitting in quarantine.

Is there a way to post a report with the file names?

[EDIT]:

I feel I need to bring to attention something that I have just noticed on the Forum Page. A note reads (in red) under the Forum page in the category of "Security", under the topic of "Am I infected? What do I do?", where it states the following: No DDS, FRST, HijackThis, or ComboFix logs should be posted in this forum.

Please reply back. I am not seeking to break any rules in the forums. I feel that this just needs to be addressed first before continuing on. Thank you.

[End of Edit]

I am assuming you replied in reference to posting the FRST.txt and Addition.txt report from installing the Farbar Recovery Scan Tool.

I'll see if that tool installs without issues. My impression was from the instructions I read on Bleeping Computer that for Win XP, installing the recovery tool may require the system to boot from the Recovery Console (i.e., the name of the previous version of WinRE). I installed the Recovery Console over a decade ago; however, it appears as though it is no longer installed. I have the Win CD, just in case.


Edited by Error409, 21 February 2018 - 03:56 PM.


#7 JSntgRvr

Master Surgeon General, Malware Response Team

Posted 21 February 2018 - 07:25 PM

The topic has been moved to the Malware Removal Forum.




#8 Error409 (Topic Starter)

Posted 22 February 2018 - 12:52 PM


I was just about to run the FRST downloaded from Bleeping Computer.

I don't know why my security suite software I have installed recommended to NOT run this tool. The reason given was the FRST file was too new - VERY NEW (released less than 1 week ago and used by less than 5 individuals).

I know FRST has been around a long time. It just raises my curiosity - you might understand that I need to be especially cautious since, as you know, this OS is very susceptible to malware and viruses, etc. (no longer being supported).

Any input on why Farbar is recognized, but flagged? Thanks

#9 JSntgRvr

Master Surgeon General, Malware Response Team

Posted 22 February 2018 - 02:50 PM

FRST is being updated at all times. Some antivirus software may detect it as malware, but it is a false positive. Please turn off your security while running FRST.




#10 Error409 (Topic Starter)

Posted 22 February 2018 - 04:21 PM

Ok

I see Event Log errors in the Addition report. Should I disable those services (Automatic Updates, BITS, Event Log) in the Admin Console? Also, system errors (printer related).

I only see the txt report that the malware tool generated in the FRST report.
I do not see the named files in the Quarantine subfolder.
That location is C:\Documents and Settings\XXXXXxxxxx_Quarantine (X representing the malware removal tool).

Can I post a print screen of those quarantined files?

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21.02.2018
Ran by Owner (administrator) on JESS-0YJZ0D7J2C (22-02-2018 15:06:59)
Running from C:\Documents and Settings\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner & Jess & Administrator & Guest)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
( ) C:\WINDOWS\system32\lxeecoms.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\nortonsecurity.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\nortonsecurity.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Program Files\Lexmark Pro700 Series\lxeemon.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
() C:\Program Files\Lexmark Pro700 Series\ezprint.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [UpdatePSTShortCut] => "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
HKLM\...\Run: [lxeemon.exe] => C:\Program Files\Lexmark Pro700 Series\lxeemon.exe [770728 2011-01-23] ()
HKLM\...\Run: [Lexmark Pro700 Series Fax Server] => C:\Program Files\Lexmark Pro700 Series\fm3032.exe [316072 2009-08-10] ()
HKLM\...\Run: [igfxpers] => C:\WINDOWS\system32\igfxpers.exe [114688 2005-09-20] (Intel Corporation)
HKLM\...\Run: [igfxhkcmd] => C:\WINDOWS\system32\hkcmd.exe [77824 2005-09-20] (Intel Corporation)
HKLM\...\Run: [EzPrint] => C:\Program Files\Lexmark Pro700 Series\ezprint.exe [139944 2009-08-10] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-436374069-1202660629-839522115-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\System32\ssflwbox.scr [393216 2008-04-14] (Microsoft Corporation)
GroupPolicyScripts: Restriction <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{60CA8F8B-B7BA-439B-8DB7-D2D90EAD43F8}: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-436374069-1202660629-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
HKU\S-1-5-21-436374069-1202660629-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKLM -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKU\S-1-5-21-436374069-1202660629-839522115-1003 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = 
SearchScopes: HKU\S-1-5-21-436374069-1202660629-839522115-1003 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NGC&chn=1122&geo=US&ver=22.12.0.104&locale=en_US&guid=66195742-70C4-4D91-9604-2AB4DE874394&doi=2016-09-01&gct=sb&qsrc=2869
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\coIEPlg.dll [2018-01-25] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\coIEPlg.dll [2018-01-25] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-436374069-1202660629-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-02-05] [Legacy] [not signed]
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-436374069-1202660629-839522115-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Owner\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2013-08-20] (Citrix Online)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> hxxps://www.google.com/webhp?sourceid=chrome-instant&ion=1&ie=UTF-8&rct=j
CHR StartupUrls: Default -> "hxxps://www.google.com/webhp?tab=qw&ei=7k4BWZ76J8GUmQGpnJB4&ved=0EKkuCAUoAQ"
CHR Profile: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default [2018-02-22]
CHR Extension: (Docs) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-16]
CHR Extension: (Reddit Enhancements Lite (RELite)) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dgdholpcdmhcmpceilhebneggabenide [2018-01-07]
CHR Extension: (User-Agent Switcher for Chrome) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\djflhoibgkdhkhhcedjiklpkjnoahfmg [2018-02-12]
CHR Extension: (PicMonkey) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fgdgokchhicmaiacmgegjnppjkgogdhm [2017-10-30]
CHR Extension: (Norton Identity Safe) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2016-09-06]
CHR Extension: (Norton Safe) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmgcfemagnogdodbambjhdcmfcpicngl [2017-10-09]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-23]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-436374069-1202660629-839522115-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjllphbppobebmjpjcijfbakobcheof] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2015-04-12] (Oracle Corporation)
S2 lxeeCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxeeserv.exe [193192 2010-04-14] (Lexmark International, Inc.)
R2 lxee_device; C:\WINDOWS\system32\lxeecoms.exe [598696 2010-04-14] ( )
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4563920 2017-11-01] (Malwarebytes)
S3 NetSvc; C:\Program Files\Intel\NCS\Sync\NetSvc.exe [143360 2003-03-03] (Intel® Corporation) [File not signed]
R2 NortonSecurity; C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\NortonSecurity.exe [290024 2018-01-26] (Symantec Corporation)
S3 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-05-13] ()
S3 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1570520 2016-02-02] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [837848 2016-02-02] (Secunia)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BHDrvx86; C:\Program Files (x86)\Norton Security Suite\NortonData\22.10.0.85\Definitions\BASHDefs\20180214.001\BHDrvx86.sys [1371216 2018-02-14] (Symantec Corporation)
R1 ccSet_NGC; C:\WINDOWS\system32\drivers\NGC\160C000.068\ccSetx86.sys [147096 2018-01-25] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [393296 2018-01-04] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [121936 2018-01-04] (Symantec Corporation)
R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-14] (Microsoft Corporation)
R3 IDSxpx86; C:\Program Files (x86)\Norton Security Suite\NortonData\22.10.0.85\Definitions\IPSDefs\20180219.001\IDSxpx86.sys [759448 2017-12-27] (Symantec Corporation)
R3 IntelC51; C:\WINDOWS\System32\DRIVERS\IntelC51.sys [1339776 2005-05-06] (Intel Corporation)
R3 IntelC52; C:\WINDOWS\System32\DRIVERS\IntelC52.sys [618880 2006-03-01] (Intel Corporation)
R3 IntelC53; C:\WINDOWS\System32\DRIVERS\IntelC53.sys [47360 2005-05-06] (Intel Corporation)
S3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [40376 2018-02-13] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [221112 2018-02-22] (Malwarebytes)
R3 mohfilt; C:\WINDOWS\System32\DRIVERS\mohfilt.sys [36880 2005-05-06] (Intel Corporation)
R1 OMCI; C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS [13632 2001-08-22] (Dell Computer Corporation) [File not signed]
R3 P16X; C:\WINDOWS\System32\drivers\P16X.sys [1330048 2003-09-22] (Creative Technology Ltd.)
R2 PfModNT; C:\WINDOWS\system32\drivers\PfModNT.sys [15840 2003-03-05] (Creative Technology Ltd.) [File not signed]
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf_x86.sys [16024 2016-02-02] (Secunia)
R1 sbaphd; C:\WINDOWS\System32\drivers\sbaphd.sys [21464 2010-06-14] (Sunbelt Software)
R2 sbapifs; C:\WINDOWS\System32\drivers\sbapifs.sys [69976 2010-06-14] (Sunbelt Software)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NGC\160C000.068\SRTSP.SYS [666264 2018-01-25] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NGC\160C000.068\SRTSPX.SYS [41112 2018-01-25] (Symantec Corporation)
R0 SymEFASI; C:\WINDOWS\System32\drivers\NGC\160C000.068\SYMEFASI.SYS [1462424 2018-01-25] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [89240 2018-02-08] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NGC\160C000.068\Ironx86.SYS [243352 2018-01-25] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\NGC\160C000.068\SYMTDI.SYS [382216 2018-01-25] (Symantec Corporation)
U3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [24688 2018-02-10] ()
S3 ADASPROT; \??\C:\Program Files\Advanced System Optimizer 3\adasprot32.sys [X]
S3 avchv; system32\DRIVERS\avchv.sys [X]
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]
S3 cpuz134; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [X]
S3 PcdrNdisuio; system32\DRIVERS\pcdrndisuio.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-14] (Microsoft Corporation)
U3 TlntSvr; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-02-22 15:06 - 2018-02-22 15:07 - 000013556 _____ C:\Documents and Settings\Owner\Desktop\FRST.txt
2018-02-22 15:04 - 2018-02-22 15:06 - 000000000 ____D C:\FRST
2018-02-22 13:39 - 2018-02-22 13:39 - 000000716 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Secunia PSI.lnk
2018-02-22 11:15 - 2018-02-22 11:15 - 000073000 _____ C:\Documents and Settings\Jess\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2018-02-21 15:34 - 2018-02-21 15:34 - 001763328 _____ (Farbar) C:\Documents and Settings\Owner\Desktop\FRST.exe
2018-02-21 10:57 - 2018-02-21 10:57 - 000000000 ____D C:\Documents and Settings\Owner\Desktop\New Folder
2018-02-20 21:36 - 2017-03-24 07:57 - 000000706 _____ C:\Documents and Settings\Jess\Desktop\PhotoScape.lnk
2018-02-20 21:36 - 2012-12-18 21:03 - 000001940 _____ C:\Documents and Settings\Jess\Desktop\Reader Library.lnk
2018-02-20 21:35 - 2018-01-26 13:56 - 000000589 _____ C:\Documents and Settings\Jess\Desktop\HP Envy.txt
2018-02-20 21:34 - 2018-01-23 09:00 - 000045056 _____ C:\Documents and Settings\Jess\Desktop\Most recent budget_02.25.2014-monthly-expenses spreadsheet.xls
2018-02-20 20:15 - 2018-02-20 20:15 - 000000000 ____D C:\Documents and Settings\Jess\Local Settings\Application Data\BVRP Software
2018-02-20 20:11 - 2018-02-20 20:11 - 000000000 ____D C:\Documents and Settings\Jess\Application Data\Pro700 Series
2018-02-20 20:10 - 2018-02-22 12:04 - 000000178 ___SH C:\Documents and Settings\Jess\ntuser.ini
2018-02-20 20:10 - 2018-02-22 12:04 - 000000000 ____D C:\Documents and Settings\Jess\Local Settings\temp
2018-02-20 20:10 - 2018-02-22 11:27 - 000000000 ____D C:\Documents and Settings\Jess\Local Settings\Application Data\Google
2018-02-20 20:10 - 2018-02-20 20:11 - 000000825 _____ C:\Documents and Settings\Jess\Desktop\LG Power Tools.lnk
2018-02-20 20:10 - 2018-02-20 20:10 - 000000803 _____ C:\Documents and Settings\Jess\Start Menu\Programs\Internet Explorer.lnk
2018-02-20 20:10 - 2018-02-20 20:10 - 000000788 _____ C:\Documents and Settings\Jess\Start Menu\Programs\Windows Media Player.lnk
2018-02-20 20:10 - 2018-02-20 20:10 - 000000738 _____ C:\Documents and Settings\Jess\Start Menu\Programs\Outlook Express.lnk
2018-02-20 20:10 - 2018-02-20 20:10 - 000000000 __SHD C:\Documents and Settings\Jess\IETldCache
2018-02-20 20:10 - 2018-02-20 20:10 - 000000000 ____D C:\Documents and Settings\Jess
2018-02-20 20:10 - 2015-04-12 15:47 - 000000000 ____D C:\Documents and Settings\Jess\Application Data\Sun
2018-02-20 20:10 - 2012-02-04 15:59 - 000001599 _____ C:\Documents and Settings\Jess\Start Menu\Programs\Remote Assistance.lnk
2018-02-20 20:10 - 2011-09-28 07:26 - 000000000 ____D C:\Documents and Settings\Jess\Local Settings\Application Data\Trusteer
2018-02-20 20:10 - 2010-12-13 13:28 - 000000000 ____D C:\Documents and Settings\Jess\Application Data\Macromedia
2018-02-20 20:10 - 2010-12-03 18:39 - 000000000 ____D C:\Documents and Settings\Jess\Start Menu\Programs\LG Power Tools
2018-02-19 14:46 - 2018-02-19 14:46 - 000000000 __SHD C:\Documents and Settings\Guest\IETldCache
2018-02-11 18:20 - 2018-02-13 16:18 - 000040376 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2018-02-11 12:58 - 2001-08-17 13:48 - 000012160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mouhid.sys
2018-02-11 12:58 - 2001-08-17 13:48 - 000012160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mouhid.sys
2018-02-11 12:10 - 2018-02-11 12:59 - 000001549 _____ C:\Documents and Settings\Owner\Desktop\DiagnosticReport.txt
2018-02-10 08:33 - 2018-02-10 10:41 - 000000000 ____D C:\Documents and Settings\Owner\Local Settings\Application Data\ESET
2018-02-09 23:08 - 2018-02-22 10:42 - 000221112 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2018-02-09 23:07 - 2018-02-09 23:07 - 000001715 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
2018-02-09 23:07 - 2018-02-09 23:07 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes
2018-02-09 23:07 - 2017-11-29 09:11 - 000059896 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2018-02-09 16:08 - 2018-02-09 16:08 - 000000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
2018-02-09 14:54 - 2018-02-22 14:54 - 000000280 ____H C:\WINDOWS\Tasks\CCleaner Update.job
2018-02-09 14:54 - 2018-02-09 14:54 - 000000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2018-02-09 14:54 - 2018-02-09 14:54 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
2018-02-09 14:53 - 2018-02-09 14:54 - 000000000 ____D C:\Program Files\CCleaner
2018-02-09 08:26 - 2018-02-09 08:26 - 000000000 ____D C:\TDSSKiller_Quarantine
2018-02-09 08:22 - 2018-02-09 08:35 - 000241538 _____ C:\TDSSKiller.3.1.0.16_09.02.2018_08.22.20_log.txt
2018-02-09 08:20 - 2018-02-09 08:21 - 000121560 _____ C:\TDSSKiller.3.1.0.16_09.02.2018_08.20.01_log.txt
2018-02-09 07:46 - 2018-02-09 07:46 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
2018-02-09 07:09 - 2018-02-09 07:09 - 000002038 _____ C:\Documents and Settings\Administrator\Desktop\startup.txt
2018-02-08 10:13 - 2018-02-08 10:13 - 000000000 ____D C:\WINDOWS\system32\Drivers\NGC
2018-01-25 09:13 - 2018-02-17 17:51 - 000000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
2018-01-25 09:12 - 2018-01-25 09:12 - 000803328 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2018-01-25 09:12 - 2018-01-25 09:12 - 000144896 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2018-02-22 15:07 - 2017-10-30 07:05 - 000000000 ____D C:\Documents and Settings\Owner\Local Settings\Temp
2018-02-22 14:22 - 2014-04-08 14:37 - 000000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2018-02-22 12:05 - 2014-04-08 14:37 - 000000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2018-02-22 11:07 - 2010-12-03 06:38 - 000000278 __SHC C:\Documents and Settings\Owner\ntuser.ini
2018-02-22 10:41 - 2010-12-02 18:08 - 000000006 ___HC C:\WINDOWS\Tasks\SA.DAT
2018-02-22 10:40 - 2010-12-03 06:38 - 000032498 _____ C:\WINDOWS\SchedLgU.Txt
2018-02-21 12:35 - 2011-05-18 11:27 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Kodak
2018-02-21 11:35 - 2017-09-11 08:20 - 000282928 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2018-02-21 11:35 - 2010-12-03 06:38 - 000000000 ____D C:\Documents and Settings\Owner
2018-02-21 11:34 - 2012-03-02 10:40 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Kodak
2018-02-21 11:34 - 2011-05-18 11:27 - 000000000 ____D C:\Program Files\Kodak
2018-02-21 11:34 - 2010-12-02 12:57 - 000000000 ___HD C:\WINDOWS\inf
2018-02-21 11:34 - 2010-12-02 12:57 - 000000000 ____D C:\WINDOWS\Help
2018-02-21 11:33 - 2011-05-18 11:29 - 000000000 ____D C:\WINDOWS\system32\color
2018-02-21 11:30 - 2017-03-24 07:57 - 000000000 ____D C:\Documents and Settings\Owner\Application Data\PhotoScape
2018-02-21 10:52 - 2017-06-16 11:06 - 000000000 ____D C:\Documents and Settings\Owner\My Documents\FIREPLACE
2018-02-21 10:52 - 2017-06-16 11:05 - 000000000 ____D C:\Documents and Settings\Owner\My Documents\MIRROR
2018-02-21 10:52 - 2017-06-15 21:09 - 000000000 ____D C:\Documents and Settings\Owner\My Documents\Reba
2018-02-21 09:52 - 2017-09-09 09:36 - 000073000 _____ C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2018-02-21 09:48 - 2017-06-16 11:07 - 000000000 ____D C:\Documents and Settings\Owner\My Documents\NETGEAR
2018-02-21 09:39 - 2012-12-18 21:02 - 000000000 ____D C:\Program Files\Sony
2018-02-20 20:10 - 2010-12-02 13:01 - 000000000 ____D C:\Documents and Settings
2018-02-20 17:42 - 2014-04-08 14:57 - 000000000 ____D C:\Documents and Settings\Guest\Local Settings\temp
2018-02-20 14:15 - 2010-12-07 17:28 - 000000000 ____D C:\Documents and Settings\All Users\Lx_cats
2018-02-20 14:15 - 2010-12-02 13:01 - 000000000 ____D C:\Documents and Settings\All Users
2018-02-19 18:12 - 2014-04-10 07:09 - 000074320 ____C C:\Documents and Settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2018-02-19 16:44 - 2010-12-02 13:00 - 000000212 __RSH C:\boot.ini
2018-02-19 14:46 - 2014-04-08 14:57 - 000000000 ____D C:\Documents and Settings\Guest
2018-02-18 11:08 - 2010-12-02 18:07 - 000000000 ____D C:\WINDOWS\system32\Macromed
2018-02-17 17:43 - 2003-07-16 15:53 - 000002206 ____C C:\WINDOWS\system32\wpa.dbl
2018-02-12 12:07 - 2013-03-13 09:43 - 000000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2018-02-11 13:15 - 2012-02-24 13:22 - 000000178 __SHC C:\Documents and Settings\Administrator\ntuser.ini
2018-02-11 12:59 - 2010-12-02 12:57 - 000000000 RSHDC C:\WINDOWS\system32\dllcache
2018-02-11 12:25 - 2017-12-28 14:56 - 000000000 ____D C:\Program Files\Common Files\Symantec Shared
2018-02-10 13:14 - 2014-03-24 08:20 - 000000222 ____C C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2018-02-10 13:14 - 2014-03-24 08:20 - 000000216 ____C C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2018-02-10 11:51 - 2017-02-23 16:11 - 000024688 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2018-02-09 23:07 - 2017-04-11 16:16 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2018-02-09 23:03 - 2010-12-02 13:02 - 000564150 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2018-02-09 10:21 - 2017-02-23 15:53 - 000000000 ____D C:\AdwCleaner
2018-02-09 09:57 - 2015-04-12 18:13 - 000000000 ____D C:\Program Files\Bonjour Print Services
2018-02-09 09:57 - 2015-04-12 18:13 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Bonjour Print Services
2018-02-09 09:50 - 2015-04-12 18:12 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Apple
2018-02-09 09:47 - 2013-03-13 09:43 - 000000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2018-02-09 09:23 - 2017-12-29 11:21 - 000000000 ____D C:\Documents and Settings\Owner\My Documents\Samsung
2018-02-09 08:09 - 2017-02-27 16:18 - 000000520 _____ C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job
2018-02-09 08:08 - 2016-09-06 16:09 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2018-02-09 07:46 - 2017-12-28 14:56 - 000001998 _____ C:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
2018-02-08 10:14 - 2017-12-28 14:56 - 000089240 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2018-02-08 10:14 - 2017-12-28 14:56 - 000008383 _____ C:\WINDOWS\system32\Drivers\SYMEVENT.CAT
2018-02-05 01:34 - 2010-12-03 16:31 - 000000000 ____D C:\Documents and Settings\Owner\My Documents\Old Cover Letters
2018-02-02 16:44 - 2017-05-02 21:16 - 000167208 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
 
==================== Files in the root of some directories =======
 
2012-02-24 14:18 - 2012-02-24 14:18 - 000000000 ____C () C:\Documents and Settings\Administrator\settings.dat
2011-03-25 21:01 - 2011-06-07 12:35 - 000003584 ____C () C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-03-21 19:29 - 2017-03-21 19:29 - 000004145 _____ () C:\Documents and Settings\All Users\Application Data\cgbpfizu.hkv
2013-03-12 15:32 - 2015-04-01 08:47 - 000001177 ____C () C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc
2017-03-21 19:29 - 2017-03-21 19:29 - 000000016 _____ () C:\Documents and Settings\All Users\Application Data\mntemp
 
Some files in TEMP:
====================
2018-02-21 11:30 - 2018-02-21 11:30 - 000983040 _____ (Eastman Kodak Company) C:\Documents and Settings\Owner\Local Settings\Temp\6.0.20.16-EasyShrx.Dll
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21.02.2018
Ran by Owner (22-02-2018 15:08:13)
Running from C:\Documents and Settings\Owner\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) (2010-12-02 23:13:26)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-436374069-1202660629-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-436374069-1202660629-839522115-501 - Limited - Enabled) => %SystemDrive%\Documents and Settings\Guest
HelpAssistant (S-1-5-21-436374069-1202660629-839522115-1000 - Limited - Disabled)
Jess (S-1-5-21-436374069-1202660629-839522115-1004 - Limited - Enabled) => %SystemDrive%\Documents and Settings\Jess
Owner (S-1-5-21-436374069-1202660629-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Owner
SUPPORT_388945a0 (S-1-5-21-436374069-1202660629-839522115-1002 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Norton Security Suite (Enabled - Up to date) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite (Disabled) {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: AVG Firewall (Disabled) {8decf618-9569-4340-b34a-d78d28969b66}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
ABBYY FineReader 6.0 Sprint (HKLM\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.2146.41621 - ABBYY Software House)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 21.0.0.215 - Adobe Systems Incorporated)
Adobe Flash Player 28 PPAPI (HKLM\...\Adobe Flash Player PPAPI) (Version: 28.0.0.137 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Bonjour Print Services (HKLM\...\{9D210D79-AEC5-453B-960C-4DD2C73931E1}) (Version: 2.0.2.0 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.39 - Piriform)
Combined Community Codec Pack 2009-09-09 (HKLM\...\Combined Community Codec Pack_is1) (Version: 2009.09.09.0 - CCCP Project)
Google Chrome (HKLM\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
H&R Block Deluxe + Efile + State 2015 (HKLM\...\{E7BFC29A-9459-4534-9E35-BF1D66A18BAA}) (Version: 15.05.8101 - HRB Technology, LLC.)
H&R Block Pennsylvania 2015 (HKLM\...\{C6689514-3971-4A22-B45B-6C45289B87C5}) (Version: 1.15.5301 - HRB Technology, LLC.)
H&R Block Pennsylvania 2016 (HKLM\...\{BAECF4E0-1EB0-4CBA-A0D9-09BA014038A3}) (Version: 1.16.3501 - HRB Technology, LLC.)
H&R Block Premium + Efile + State 2016 (HKLM\...\{955568EF-4BB1-4822-B2F4-931418CE2E46}) (Version: 16.07.6401 - HRB Technology, LLC.)
Intel® 537EP V9x DF PCI Modem (HKLM\...\Intel® 537EP V9x DF PCI Modem) (Version:  - )
Intel® Extreme Graphics 2 Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: 6.14.10.4396 - )
Intel® PRO Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
Intel® PROSet (HKLM\...\{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}) (Version: 6.05.2001 - Intel)
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
Java 7 Update 75 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217075FF}) (Version: 7.0.750 - Oracle)
LG CyberLink PowerDVD 7.0 (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.0.3409.a - CyberLink Corp.)
LG Power Tools (HKLM\...\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.2806 - CyberLink Corp.) Hidden
LG Power Tools (HKLM\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.2806 - CyberLink Corp.)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Excel Viewer (HKLM\...\{95120000-003F-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Small Business Edition 2003 (HKLM\...\{91CA0409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Outlook Personal Folders Backup (HKLM\...\{C63E7C60-25EB-11D3-8EDA-00A0C911E8E5}) (Version: 1.10.0.0 - Microsoft Corporation)
Microsoft PowerPoint Viewer (HKLM\...\{95140000-00AF-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Modem On Hold (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 1.12 - BVRP Software, Inc)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (HKLM\...\{AEB9948B-4FF2-47C9-990E-47014492A0FE}) (Version: 6.00.3883.8 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.4.6308.28 - PC-Doctor, Inc.)
Norton Security Suite (HKLM\...\NGC) (Version: 22.12.0.104 - Symantec Corporation)
Pdf995 (installed by H&R Block) (HKLM\...\Pdf995) (Version: 15.0s - )
PdfEdit995 (installed by H&R Block) (HKLM\...\PdfEdit995) (Version:  - )
PhotoScape (HKLM\...\PhotoScape) (Version:  - )
PRS-500 USB driver (HKLM\...\{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}) (Version: 1.0.00.08110 - Sony)
Secunia PSI (3.0.0.11005) (HKLM\...\Secunia PSI) (Version: 3.0.0.11005 - Secunia)
Sound Blaster Live! (HKLM\...\{96E16100-A77F-4B31-B9AD-FFBA040EE1BD}) (Version:  - )
TurboTax 2012 (HKLM\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2014 (HKLM\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.6513 - Microsoft Corporation) Hidden
Windows Driver Package - Sony Corporation (PRSUSB) USB  (08/08/2006 1.0.03.08080) (HKLM\...\75070B1806113224B16C70296B90DD1AD8A53479) (Version: 08/08/2006 1.0.03.08080 - Sony Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Yahoo! Detect (HKLM\...\YTdetect) (Version:  - )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\buShell.dll [2018-01-25] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\buShell.dll [2018-01-25] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\buShell.dll [2018-01-25] (Symantec Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers1: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\buShell.dll [2018-01-25] (Symantec Corporation)
ContextMenuHandlers1: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\NavShExt.dll [2018-01-25] (Symantec Corporation)
ContextMenuHandlers2: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\NavShExt.dll [2018-01-25] (Symantec Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [EasyPhotoUploader] -> {1A4CED0D-AC02-4A14-94B2-579A4F6EF3C9} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2005-09-20] (Intel Corporation)
ContextMenuHandlers6: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\buShell.dll [2018-01-25] (Symantec Corporation)
ContextMenuHandlers6: [EasyPhotoUploader] -> {1A4CED0D-AC02-4A14-94B2-579A4F6EF3C9} =>  -> No File
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.12.0.104\NavShExt.dll [2018-01-25] (Symantec Corporation)
 
==================== Scheduled Tasks=============================
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_28_0_0_137_pepper.exe
Task: C:\WINDOWS\Tasks\CCleaner Update.job => C:\Program Files\CCleaner\CCUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\My Dell\uaclauncher.exeq-backgroundmon scripts\backgroundmon.xml
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Software995\Software995.com.lnk -> hxxp://www.software995.com
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Lexmark\Pro700 Series\Visit Product Home Page.LNK -> hxxp:\\www.lexmark.com\M
 
ShortcutWithArgument: C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) -> --disable-infobars
 
==================== Loaded Modules (Whitelisted) ==============
 
2010-12-07 17:23 - 2009-05-18 07:39 - 000049152 _____ () C:\WINDOWS\system32\LXEEPMON.DLL
2010-12-07 17:22 - 2009-01-13 08:15 - 004485120 _____ () C:\WINDOWS\system32\LXEEOEM.DLL
2010-12-07 17:22 - 2009-05-18 07:38 - 000032768 _____ () C:\Program Files\Lexmark Pro700 Series\ipcmt.dll
2012-04-10 13:22 - 2016-04-18 01:32 - 000036864 _____ () C:\WINDOWS\system32\pdf995mon.dll
2010-12-07 17:25 - 2009-06-19 03:58 - 000157696 _____ () C:\WINDOWS\System32\spool\PRTPROCS\W32X86\lxeedrpp.dll
2018-02-09 23:07 - 2017-11-29 09:11 - 001934792 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2010-12-07 17:21 - 2011-01-23 18:37 - 000770728 _____ () C:\Program Files\Lexmark Pro700 Series\lxeemon.exe
2010-12-07 17:21 - 2010-04-01 13:23 - 000389120 _____ () C:\Program Files\Lexmark Pro700 Series\lxeescw.dll
2010-12-07 17:24 - 2009-05-27 07:16 - 000192512 _____ () C:\WINDOWS\system32\spool\drivers\w32x86\3\lxeedatr.dll
2010-12-07 17:21 - 2010-04-01 13:24 - 001159168 _____ () C:\Program Files\Lexmark Pro700 Series\lxeeDRS.dll
2010-12-07 17:21 - 2009-03-10 01:43 - 000155648 _____ () C:\Program Files\Lexmark Pro700 Series\lxeecaps.dll
2010-12-07 17:18 - 2009-02-20 03:48 - 000299008 _____ () C:\WINDOWS\system32\lxeesm.dll
2010-12-07 17:18 - 2009-02-20 03:48 - 000023552 _____ () C:\WINDOWS\system32\lxeesmr.dll
2010-12-07 17:21 - 2009-08-10 06:37 - 000139944 _____ () C:\Program Files\Lexmark Pro700 Series\ezprint.exe
2010-12-07 17:21 - 2009-03-30 07:37 - 000708608 _____ () C:\Program Files\Lexmark Pro700 Series\Epwizard.DLL
2010-12-07 17:21 - 2009-03-30 07:35 - 000159744 _____ () C:\Program Files\Lexmark Pro700 Series\customui.dll
2010-12-07 17:21 - 2009-03-30 07:35 - 000118784 _____ () C:\Program Files\Lexmark Pro700 Series\Eputil.DLL
2010-12-07 17:21 - 2009-03-30 07:35 - 000139264 _____ () C:\Program Files\Lexmark Pro700 Series\Imagutil.DLL
2010-12-07 17:21 - 2009-03-30 07:35 - 000061440 _____ () C:\Program Files\Lexmark Pro700 Series\Epfunct.DLL
2010-12-07 17:21 - 2010-04-05 06:56 - 002203803 _____ () C:\Program Files\Lexmark Pro700 Series\EPWizRes.dll
2010-12-07 17:21 - 2009-03-30 07:37 - 000045056 _____ () C:\Program Files\Lexmark Pro700 Series\epstring.dll
2010-12-07 17:21 - 2009-03-30 07:37 - 000094208 _____ () C:\Program Files\Lexmark Pro700 Series\EPOEMDll.dll
2010-12-07 17:21 - 2009-04-07 15:25 - 000409600 _____ () C:\Program Files\Lexmark Pro700 Series\iptk.dll
2010-12-07 17:21 - 2009-03-02 10:25 - 000151552 _____ () C:\Program Files\Lexmark Pro700 Series\lxeeptp.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:B24B19F1 [147]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:B6AC352B [276]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-436374069-1202660629-839522115-1003\...\microsoft.com -> hxxps://www.update.microsoft.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2012-04-22 11:40 - 2013-03-13 09:40 - 000000027 ____C C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-436374069-1202660629-839522115-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 75.75.76.76 - 75.75.75.75
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\lxeecoms.exe] => Enabled:Pro700 Series Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe] => Disabled:Kodak Software Updater
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\sessmgr.exe] => Disabled:@xpsp2res.dll,-22019
StandardProfile\AuthorizedApplications: [C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe] => Enabled:EasyShare
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe] => :LocalSubNet:Disabled:Intuit Update v4 Shared Downloads Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Abbyy FineReader 6.0 Sprint\scan\scanman6.exe] => Enabled:ABBYY FineReader
StandardProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour Service
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008
 
==================== Restore Points =========================
 
24-11-2017 17:24:16 System Checkpoint
29-11-2017 14:41:46 System Checkpoint
01-12-2017 10:42:53 System Checkpoint
02-12-2017 11:30:01 System Checkpoint
03-12-2017 12:31:06 System Checkpoint
05-12-2017 12:04:08 System Checkpoint
06-12-2017 12:30:38 System Checkpoint
07-12-2017 13:30:58 System Checkpoint
08-12-2017 14:30:38 System Checkpoint
17-05-2004 23:24:08 System Checkpoint
21-05-2004 22:53:34 System Checkpoint
14-12-2017 13:31:55 System Checkpoint
16-12-2017 14:38:17 System Checkpoint
18-12-2017 15:29:41 System Checkpoint
20-12-2017 09:07:29 System Checkpoint
21-12-2017 17:43:42 System Checkpoint
26-12-2017 16:02:39 System Checkpoint
27-12-2017 13:59:15 Unsigned printer driver Lexmark Pro700 Series installed.
28-12-2017 13:28:40 Removed Apple Mobile Device Support
28-12-2017 13:30:35 Removed iTunes
29-12-2017 14:02:00 System Checkpoint
01-01-2018 11:30:17 System Checkpoint
03-01-2018 06:37:11 System Checkpoint
04-01-2018 11:24:00 System Checkpoint
06-01-2018 11:03:14 System Checkpoint
07-01-2018 16:14:45 System Checkpoint
09-01-2018 09:57:38 System Checkpoint
10-01-2018 10:34:00 System Checkpoint
12-01-2018 11:54:04 System Checkpoint
14-01-2018 19:47:34 Before manual install of security updates for XP
15-01-2018 08:13:16 Removed Aviator.
15-01-2018 14:55:54 Installed Windows XP KB4012598.
16-01-2018 08:26:52 Software Distribution Service 3.0
17-01-2018 14:53:14 Installed Windows XP KB4012583.
17-01-2018 15:40:48 Installed Windows XP KB4022747.
17-01-2018 16:26:09 Installed Windows XP KB4018271.
17-01-2018 16:49:22 Installed Windows XP KB4018466.
17-01-2018 17:21:34 Installed Windows XP KB3197835.
17-01-2018 17:44:34 Installed Windows XP KB4024323.
17-01-2018 17:55:28 Installed Windows XP KB4025218.
17-01-2018 18:02:56 Installed Windows XP KB4024402.
17-01-2018 18:07:24 Installed Windows XP KB4019204.
18-01-2018 18:53:56 System Checkpoint
20-01-2018 12:40:36 System Checkpoint
22-01-2018 11:02:40 System Checkpoint
26-01-2018 12:34:30 System Checkpoint
30-01-2018 13:41:39 System Checkpoint
02-02-2018 12:10:57 System Checkpoint
06-02-2018 12:54:06 System Checkpoint
07-02-2018 15:56:59 System Checkpoint
09-02-2018 11:03:37 System Checkpoint
09-02-2018 09:21:26 System Checkpoint
09-02-2018 09:50:21 Removed Apple Application Support (32-bit)
09-02-2018 09:53:22 Removed Apple Software Update
10-02-2018 14:22:05 System Checkpoint
11-02-2018 14:52:04 System Checkpoint
13-02-2018 18:22:36 System Checkpoint
15-02-2018 10:15:29 System Checkpoint
16-02-2018 16:06:37 System Checkpoint
19-02-2018 10:58:32 System Checkpoint
20-02-2018 12:07:51 System Checkpoint
21-02-2018 09:39:05 Removed Reader Library by Sony.
22-02-2018 12:00:50 Installed Qualys BrowserCheck
 
==================== Faulty Device Manager Devices =============
 
Name: Multimedia Audio Controller
Description: Multimedia Audio Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/22/2018 12:00:47 PM) (Source: MsiInstaller) (EventID: 11303) (User: JESS-0YJZ0D7J2C)
Description: Product: Qualys BrowserCheck -- Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files\Qualys.  The installation cannot continue.  Log on as administrator or contact your system administrator.(NULL)(NULL)(NULL)(NULL)
 
Error: (12/27/2017 03:58:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application InstGui.exe, version 12.40.4.36, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000501b6.
Processing media-specific event for [InstGui.exe!ws!]
 
Error: (12/27/2017 03:58:05 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file E:\INSTALL\X86\INSTGUI.EXE for one of the following reasons: 
there is a problem with the network connection, the disk that the file is stored on, or the storage 
drivers installed on this computer; or the disk is missing. 
Windows closed the program INSTGUI.EXE because of this error.
 
Program: INSTGUI.EXE
File: E:\INSTALL\X86\INSTGUI.EXE
 
The error value is listed in the Additional Data section.
User Action
1. Open the file again. 
This situation might be a temporary problem that corrects itself when the program runs again.
2. 
If the file still cannot be accessed and
- It is on the network, 
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for 
further assistance.
Additional Data
Error value: C0000240
Disk type: 5
 
Error: (05/21/2004 10:59:11 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (05/21/2004 10:59:11 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (05/21/2004 10:59:11 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (05/21/2004 10:59:10 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (05/21/2004 10:59:10 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
 
System errors:
=============
Error: (02/22/2018 10:42:04 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The lxeeCATSCustConnectService service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (02/22/2018 10:42:04 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the lxeeCATSCustConnectService service to connect.
 
Error: (02/22/2018 08:00:30 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The lxeeCATSCustConnectService service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (02/22/2018 08:00:30 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the lxeeCATSCustConnectService service to connect.
 
Error: (02/21/2018 05:43:15 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The lxeeCATSCustConnectService service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (02/21/2018 05:43:15 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the lxeeCATSCustConnectService service to connect.
 
Error: (02/21/2018 02:41:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The lxeeCATSCustConnectService service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (02/21/2018 02:41:00 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the lxeeCATSCustConnectService service to connect.
 
 
==================== Memory info =========================== 
 
Processor:  Intel® Pentium® 4 CPU 2.80GHz
Percentage of memory in use: 43%
Total physical RAM: 1533.98 MB
Available physical RAM: 867.02 MB
Total Virtual: 2148.86 MB
Available Virtual: 1539.02 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.75 GB) (Free:91.22 GB) NTFS ==>[drive with boot components (Windows XP)]
 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 111.8 GB) (Disk ID: 89278927)
Partition 1: (Active) - (Size=111.7 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================
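The event-log excerpt above (crypt32 EventID 11 entries dated 2004 on a machine scanned in 2018, and repeated Service Control Manager 7000/7009 pairs for the same service) is the kind of thing a responder skims in an Addition.txt. The Python below is an added triage helper written for this thread; it is not part of FRST, TDSSKiller or any post here. It parses the `Error:` entries in FRST's two-line format into records, counts them by source and event id, flags crypt32 "validity period" failures whose own timestamp is far from the scan date (consistent with the system clock having been wrong when they were logged, which is what that message says it checks against), and lists services that never came up. The sample input is constructed in the shape of the log above; the function names and the one-year threshold are assumptions of this example.

```python
"""Triage helper for the 'Application errors' / 'System errors' sections of an
FRST Addition.txt. Example code written for this thread, not part of FRST.

FRST prints each event as a header line followed by a description that may
continue on further lines; a blank line ends the entry:
    Error: (MM/DD/YYYY HH:MM:SS AM) (Source: name) (EventID: n) (User: ...)
    Description: free text
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a few entries in the shape of the log quoted in the thread.
SAMPLE_LOG = """\
Error: (05/21/2004 10:59:11 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (05/21/2004 10:59:10 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

System errors:
=============
Error: (02/22/2018 10:42:04 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The lxeeCATSCustConnectService service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (02/22/2018 10:42:04 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the lxeeCATSCustConnectService service to connect.
"""

TIMESTAMP_FMT = "%m/%d/%Y %I:%M:%S %p"
HEADER_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) "
    r"\(EventID: (?P<event_id>\d+)\) \(User: (?P<user>[^)]*)\)$"
)


def parse_events(text):
    """Return one dict per 'Error:' entry; continuation lines are joined
    onto the description. Section headers never follow a header line
    directly, so they are skipped while no entry is open."""
    events = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            current = None  # a blank line closes the current entry
            continue
        m = HEADER_RE.match(stripped)
        if m:
            current = {
                "time": datetime.strptime(m.group("ts"), TIMESTAMP_FMT),
                "source": m.group("source"),
                "event_id": int(m.group("event_id")),
                "description": "",
            }
            events.append(current)
        elif current is not None:
            if stripped.startswith("Description: "):
                current["description"] = stripped[len("Description: "):]
            else:
                current["description"] += " " + stripped
    return events


def summarize(events):
    """Count entries by (source, event id) so repeated failures stand out."""
    return Counter((e["source"], e["event_id"]) for e in events)


def clock_skew_suspects(events, scan_timestamp, max_days=365):
    """crypt32 EventID 11 'validity period' failures whose own timestamp lies
    more than max_days from the scan date. Assumed heuristic: such entries are
    worth a look at the machine's clock history before anything else."""
    reference = datetime.strptime(scan_timestamp, TIMESTAMP_FMT)
    return [
        e["time"] for e in events
        if e["source"] == "crypt32" and e["event_id"] == 11
        and "validity period" in e["description"]
        and abs((reference - e["time"]).days) > max_days
    ]


def service_start_failures(events):
    """Service names from SCM 7000/7009 entries (services that never started)."""
    names = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["event_id"] in (7000, 7009):
            m = re.search(r"(?:The|waiting for the) (\S+) service", e["description"])
            if m:
                names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(f"{n:3d}  {key[0]} / EventID {key[1]}")
    print("clock-skew suspects:", clock_skew_suspects(evs, "02/22/2018 10:42:04 AM"))
    print("services that failed to start:", service_start_failures(evs))
```

Feed it the whole Addition.txt (`parse_events(open("Addition.txt", encoding="utf-8", errors="replace").read())`) and the counts give a quick view of whether an error section is one noisy service or many distinct sources; a service that fails to start on every boot is an item to identify, not evidence of malware by itself.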


#11 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 February 2018 - 05:07 PM

That location is  C:\Documents and Settings\ XXXXXxxxxx_Quarantine   (X representing the malware removal tool).
 
Can I post a print screen of those quarantined files ?

 

Please do. The FRST logs look clear.


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 Error409
  • Topic Starter
  • Members
  • 51 posts

Posted 22 February 2018 - 06:25 PM

Please do. The FRST logs look clear.

I do not see any other options available to paste a print screen. Hence, the reason for the attachments.

 

One attachment is the file directory showing the subfolder with the saved data files using the DTA file extension.

 

The other attachment is a screen shot of the TDSSKiller report.  I am not able to ascertain whether the one (1) detected object that is seen on the report is a rootkit. Nevertheless, the report states a TDSS file was detected.     

 

 

Attached Files



#13 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 February 2018 - 06:48 PM

  • Highlight the entire content of the quote box below.

Start::
CMD: Type C:\TDSSKiller.3.1.0.16_09.02.2018_08.22.20_log.txt
CMD: Type C:\TDSSKiller.3.1.0.16_09.02.2018_08.20.01_log.txt
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 




#14 Error409
  • Topic Starter
  • Members
  • 51 posts

Posted 22 February 2018 - 07:06 PM

I followed the last reply's instructions to the tee. FRST did not process the lines copied from the quote box to the clipboard.
Secondly, pasting the contents of the Fixlog.txt generated an error that it was too long, preventing me from posting the report.
 
 
 
[EDIT]:  The scan finished with these results
 
Detected object count :  (0) 
Actual Detected Object Count: (0)
Deinitialize Success 
 
I am running a 32 bit system.  Were you meaning to refer to (FRSTx86), and not FRST64?

Edited by Error409, 22 February 2018 - 07:17 PM.


#15 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 February 2018 - 07:39 PM

Download the enclosed file. Save it in the same location FRST is saved. Once done, Open FRST and click on the Fix button.

 

Post the resulting Fixlog.txt.



