
Trying to help neighbor with spyware problem.  Installed and ran MBAM, it found a few things, removed them.  Norton Anti-Virus doesn't find anything. I've also run tdsskiller and it found nothing.  I've run Adwcleaner on it, and it found a few registry entries that it removed, but still having the same problem.

 

Whenever Windows is running, there's always an explorer.exe process, which is normal.  However, this machine has two, and one of them on occasion uses over 700k of memory and eats up too much CPU time, which makes the system very slow.

Any help would be appreciated.

 

TKS

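The symptom described in the post above, two explorer.exe processes with one of them hogging CPU, is the kind of thing worth triaging before running any more cleaners. The script below is an added example for this thread, not code from the poster or from Malwarebytes. It runs a few checks over a process listing: is each explorer.exe running from %SystemRoot%, was it started by something other than userinit.exe or another explorer.exe, and does one session hold more than one copy. The CSV table inside it is constructed by hand (PIDs, paths and the temp-folder impostor are invented for illustration); on a real machine the same columns (image path, PID, parent PID, session) can be read off Process Explorer, which matters here because the FRST log posted further down shows the WinMgmt service failing to initialize, so WMI-based listings such as wmic or Get-WmiObject may not work on this box.

```python
"""Triage duplicate explorer.exe instances from a process listing.

Added example for this thread, not code from the original post or from Malwarebytes.
The process table below is constructed by hand (PIDs, paths and the temp-folder
impostor are invented for illustration) in a simple CSV shape; on a real machine
the same columns come from Process Explorer (Image Path, PID, Parent PID, Session).
"""
import csv
import io
from typing import Dict, List, Tuple

# The legitimate shell binary lives in %SystemRoot%; NTFS paths compare case-insensitively.
EXPECTED_IMAGE = r"c:\windows\explorer.exe"

# Parents a genuine explorer.exe can have: userinit.exe starts the shell at logon,
# and the shell itself spawns another explorer.exe when "Launch folder windows in a
# separate process" is enabled. Anything else deserves a look.
LEGIT_PARENTS = {"userinit.exe", "explorer.exe"}

# Constructed sample listing. PID 3396 is the odd one out: a copy running from the
# user's temp folder and launched by svchost.exe.
SAMPLE_LISTING = r"""Name,PID,PPID,Session,Path
System,4,0,0,
winlogon.exe,612,4,0,c:\windows\system32\winlogon.exe
explorer.exe,1520,1488,0,c:\windows\explorer.exe
explorer.exe,2044,1520,0,c:\windows\explorer.exe
svchost.exe,3360,612,0,c:\windows\system32\svchost.exe
explorer.exe,3396,3360,0,c:\documents and settings\default\local settings\temp\explorer.exe
"""


def load_processes(text: str) -> List[Dict[str, str]]:
    """Parse the CSV listing into one dict per process."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_explorer(procs: List[Dict[str, str]]) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Return (suspicious, crowded).

    suspicious maps the PID of each explorer.exe that fails a check to its reasons;
    crowded maps each session running more than one explorer.exe to those PIDs, since
    a duplicate is only legitimate as the separate-process folder window (a second
    interactive logon would show up as its own session).
    """
    by_pid = {p["PID"]: p for p in procs}
    explorers = [p for p in procs if p["Name"].lower() == "explorer.exe"]

    suspicious: Dict[str, List[str]] = {}
    for p in explorers:
        reasons = []
        if p["Path"].lower() != EXPECTED_IMAGE:
            reasons.append(f"image path {p['Path']} is not {EXPECTED_IMAGE}")
        parent = by_pid.get(p["PPID"])
        # userinit.exe exits right after starting the shell, so the first explorer.exe
        # normally has a parent PID that no longer exists; that is not suspicious.
        if parent is not None and parent["Name"].lower() not in LEGIT_PARENTS:
            reasons.append(f"started by {parent['Name']} (PID {parent['PID']}), not userinit.exe or explorer.exe")
        if reasons:
            suspicious[p["PID"]] = reasons

    per_session: Dict[str, List[str]] = {}
    for p in explorers:
        per_session.setdefault(p["Session"], []).append(p["PID"])
    crowded = {s: pids for s, pids in per_session.items() if len(pids) > 1}
    return suspicious, crowded


if __name__ == "__main__":
    found, dupes = triage_explorer(load_processes(SAMPLE_LISTING))
    for session, pids in dupes.items():
        print(f"session {session}: {len(pids)} explorer.exe instances, PIDs {', '.join(pids)}")
    for pid, reasons in found.items():
        print(f"PID {pid} suspicious: " + "; ".join(reasons))
```

On the sample data only PID 3396 is flagged (wrong path and wrong parent); the two copies under %SystemRoot% pass, but session 0 is still reported as crowded so the reader knows to confirm that the second copy really is the separate-process folder window rather than an injected or hollowed one with the right path. A hollowed process keeps the legitimate image path, so a clean path is necessary but not sufficient; loaded modules and network connections in Process Explorer are the next thing to check.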

Hi!

Welcome to Malwarebytes' Support Forums! I am Blackbird and I will help you remove any malware that might be present on your computer.

An important WARNING to all individuals reading this topic:
All advice in this topic was given specifically for this user and this computer!! Performing instructions given by me in this topic on other computers may harm your computer's infrastructure and can cause serious damage to them!!
Please don't perform the steps given by me or other Helpers in this topic when you are not the original Topic Starter, but start your own topic with a question for help. You will get help from a trained and qualified Helper to clean up your computer from any present malware when you do so.


General rules:
  • From now on, don't use this computer anymore to access your bank account or any other serious business where you have to log in, until I've told you your computer is clean from malware.
  • Be patient waiting for my answer. I'm doing the best I can to answer to logs as soon as possible, but I'm handling multiple topics at the same time. Please feel free to remind me of your topic by sending a link to it by private message, when I didn't get back to you after 24 hours.
  • Don't change anything on your computer in the period I'm helping you, except when I tell you to do so. So don't add/remove any software (programs, drivers, etc.) and don't change any hardware. If you really need to change something that can't wait, please inform me directly, by posting it in this topic or - if private - send me a private message containing an explanation of the changes made by you. This gives me the possibility to give you good advice.


Rules about advice from me:
  • The Helpers active on this board first received full training in removing malware and providing support to people who got infected. They were also trained to resolve any problems caused by malware infections. Please use the programs I provide to you only when under supervision of a trained Helper. This, because using these programs without supervision can cause damage to your computer.
  • It's possible that your virus scanner, anti-spyware program or any other malware protection program or policy tries to block one or more of the programs provided by us. If that is the case, please always allow those programs to run and/or allow the provided changes to be made. If needed to run our tools properly, temporarily disable your anti-malware programs.
  • Always Save tools provided by me to your Desktop, unless I give you other instructions. Don't ever run tools directly from the internet, because this can stop them from working properly. Also never save tools to any other locations than your Desktop.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit.



Rules about posting results:

  • Always copy/paste the logfiles in your replies completely. If a logfile doesn't fit into one post, please add the logfile as an attachment instead. If this still won't work, please inform me.
  • Never change anything in the logfiles!! Include them in your posts as they were provided by the tools. This way I'll get a clear view on your system's situation. If you change the logfiles, it will take more time to clean up your computer.
  • Don't post logs using CODE, QUOTE or FONT tags. Just post them as direct text.


Things I want you to do before performing the steps below:
  • Please enable your system to show hidden files: How to see hidden files in Windows.
  • Make sure you're subscribed to this topic. Click on the Follow This Topic button at the top right of this page, make sure that the Receive Notification box is checked and that it is set to Instantly.
  • Even though we do the best we can to help you, removing malware includes risks. Therefore I advise you to back up all of your important files to a CD/DVD, external drive or flash drive. For instructions/help, take a look here.



-------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks in advance for keeping the above rules in mind. :)
Maybe they look like unnecessary rules, but practice teaches us they are needed to help.

Now, let's continue with the steps you need to do:
-------------------------------------------------------------------------------------------------------------------------------------------------------

1. We need to temporarily disable any cd-emulators active on your computer, as they can impede the interpretation of logfiles provided by our tools.

  • Download Defogger and save it to your Desktop.
  • Right-click Defogger.exe and select Run as Administrator.
  • When the program has opened, click the Disable button.
  • When Defogger asks for a confirmation, click Yes.
  • Wait until you get the "Finished" message. Click OK.
  • When Defogger asks you to restart the system, please allow the program to do so immediately.


  • If an error occurred while using Defogger, look for a file called "defogger_disable.txt", which should be located on your Desktop. Post the contents of this file into your next reply.
  • You can enable the cd-emulator software again by running Defogger again and clicking the "Re-enable" button. Only do this once I've told you your computer is clean again.


2. Download AdwCleaner and save it to your Desktop.
  • Close all open windows.
  • Right-click AdwCleaner.exe and select Run as Administrator.
  • When the program has started, click the Scan button and wait until the scan has finished.
  • Make sure everything (on all tabs) is selected, and click the Delete button.
  • It's possible that AdwCleaner asks you to restart the system. It's important that you agree with this.
  • After restart a logfile will appear. Please post the contents of that logfile in your next reply.



3. Download Malwarebytes' Anti-Malware and save it to your Desktop.
If you already got Malwarebytes' Anti-Malware installed on your computer, please go to step 3-A.



3-A. Start Malwarebytes' Anti-Malware.

  • On the Dashboard tab, click the Update Now button, to update the definitions to the latest version.
  • Then click the Scan tab. Select Custom Scan and click the Start Scan button.
  • In the window that appears, check the box next to Scan for Rootkits. Also, select all drives, except for CD/DVD-drives. After you have done this, click Start Scan.
  • Follow the instructions given by Malwarebytes' Anti-Malware.
  • If any items were found during the scan process, Malwarebytes' Anti-Malware will ask you what you want to do with those items. Please quarantine all items.
  • It's possible the program asks you for permission to restart the computer. If so, please allow MBAM to do so immediately.
  • Save the logfile in txt-format and copy/paste it in your next reply.
  • Note: If you can't find the logfile, look at the "History" tab. Select the most recent logfile (you can see the creation date in the log's title).


4. Please read and perform the steps described on this page: I'm infected - What do I do now?.
Post the logfile from Farbar Recovery Scan Tool into your next reply.

5. Download GMER Rootkit Scanner and save it to your Desktop.
NOTE: Windows 8 users can skip this step. GMER Rootkit Scanner isn't compatible with Windows 8. Don't run it.
  • Right-click the GMER executable file (whose name will contain 8 digits/characters) and select Run as Administrator.
  • If GMER warns you about possible rootkit activity and asks you to scan for rootkits, DON'T allow GMER to do so.
  • Under "Files", put a checkmark next to Quick Scan.
  • Remove the checkmark next to Show all.
  • Now, click the Scan button.
  • Note: This scan often provides False Positives in the scan results. Never fix anything found by Gmer, unless I instructed you to do so!
  • When the scan has finished, click Save and save the log to your Desktop.
  • Post GMER's logfile into your next reply.



6. Please provide me a detailed description of any computer problems you're facing, together with the logfiles mentioned in steps 1 - 6.

Good luck! :)


OS is Windows XP Pro SP3, so I don't have the option to "run as administrator", but the user is an administrator.

______________________________________________________

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 19:33 on 10/01/2015 (default)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

ADWcleaner does not have a "Delete" button, so I assume you meant the "Clean" button.

 

# AdwCleaner v4.107 - Report created 10/01/2015 at 19:44:05
# Updated 07/01/2015 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : default - WIERSON
# Running from : C:\Documents and Settings\default\Desktop\adwcleaner_4.107.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v34.0.5 (x86 en-US)


-\\ Google Chrome v


*************************

AdwCleaner[R0].txt - [6522 octets] - [29/12/2014 13:06:35]
AdwCleaner[R1].txt - [902 octets] - [30/12/2014 13:44:04]
AdwCleaner[R2].txt - [1070 octets] - [10/01/2015 17:02:30]
AdwCleaner[R3].txt - [1319 octets] - [10/01/2015 19:40:54]
AdwCleaner[s0].txt - [6505 octets] - [29/12/2014 15:39:55]
AdwCleaner[s1].txt - [1134 octets] - [10/01/2015 17:05:38]
AdwCleaner[s2].txt - [1244 octets] - [10/01/2015 19:44:05]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [1304 octets] ##########

-------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/10/2015
Scan Time: 7:52:43 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.10.19
Rootkit Database: v2015.01.07.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: default

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 488238
Time Elapsed: 1 hr, 43 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

-------------------------------------------------------------------------------------------------------------------------------------------------------------

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-01-2015
Ran by default at 2015-01-11 09:41:37
Running from C:\Documents and Settings\default\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABBYY FineReader 6.0 Sprint (HKLM\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1395.41612 - ABBYY Software House)
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.0.0.0 - Adobe Systems Incorporated)
Acrobat.com (Version: 2.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.6.0.19140 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
CyberLink PowerDVD 9 (HKLM\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.0.4105.01 - CyberLink Corp.)
GoToAssist Customer 2.1.0.726 (HKLM\...\GoToAssist Express Customer) (Version: 2.1.0.726 - Citrix Online)
HijackThis 2.0.2 (HKLM\...\HijackThis) (Version: 2.0.2 - TrendMicro)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.16432 - HP)
HP Photosmart 6520 series Basic Device Software (HKLM\...\{D9B4150C-9EF6-4861-902F-5F5CB760D7ED}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Photosmart 6520 series Help (HKLM\...\{D3293275-1002-41F5-BC37-099B4251FF5B}) (Version: 28.0.0 - Hewlett Packard)
HP Photosmart 6520 series Product Improvement Study (HKLM\...\{DF711F5A-C9E4-4241-9A83-58532C99DB28}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Smart Print 2.1 (HKLM\...\{8046B41C-FB30-4614-898F-57D44D0C66EB}) (Version: 2.1.0.235 - Hewlett-Packard)
HP Update (HKLM\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Network Connections 15.7.176.0 (HKLM\...\{8C9B6B1F-0A8E-402A-A60C-110BBB38D67E}) (Version: 15.7.176.0 - Intel)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.10.5313 - Intel Corporation)
Jasc Paint Shop Photo Album 5 (HKLM\...\{4192EAC0-6B36-4723-B216-D0E86E7757AC}) (Version: 5.21 - Jasc Software, Inc.)
Jasc Paint Shop Pro Studio, Dell Editon (HKLM\...\{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}) (Version: 1.00.0000 - Jasc Software Inc)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217040FF}) (Version: 7.0.710 - Oracle)
Kodak EasyShare software (HKLM\...\{11DB853A-6966-4724-BEAD-793C48AC8C54}) (Version: 2.00.0003 - EASTMAN KODAK Company)
LightScribe  1.4.136.1 (Version: 1.4.136.1 - http://www.lightscribe.com)Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2656353) (HKLM\...\M2656353) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2656370) (HKLM\...\M2656370) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office XP Professional (HKLM\...\{90110409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 34.0.5 - Mozilla)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MSXML 6.0 Parser (HKLM\...\{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}) (Version: 6.10.1129.0 - Microsoft Corporation)
Nero 7 Essentials (HKLM\...\{B28B351F-1232-46EA-85EF-B8EA91641033}) (Version: 7.02.5017 - Nero AG)
Norton AntiVirus (HKLM\...\NAV) (Version: 21.6.0.32 - Symantec Corporation)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
QuickTime (HKLM\...\{0E64B098-8018-4256-BA23-C316A43AD9B0}) (Version: 7.72.80.56 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6257 - Realtek Semiconductor Corp.)
Snapfish Export Plug-in version 1.12.5 for Adobe Lightroom (HKLM\...\Snapfish Export Plug-in for Adobe Lightroom_is1) (Version: 1.12 - AlloyPhoto)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
WordPerfect Office 11 (HKLM\...\{54F90B55-BEB3-4F0D-8802-228822FA5921}) (Version: 11.0 - Corel Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{2837E0FE-686B-4CB0-BE53-0EA097EAF71B}\InprocServer32 -> C:\WINDOWS\Downloaded Program Files\isusweb.dll (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{49F6E216-E1DC-42CB-9176-45F721AB011A}\InprocServer32 -> C:\Documents and Settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{5B7524C8-2446-40E9-9474-94A779DBA224}\InprocServer32 -> C:\WINDOWS\Downloaded Program Files\isusweb.dll (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{621D3650-F1D3-414C-97F9-03A02B211261}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{623E415A-22EF-4DAA-A2FF-E68E77A673C9}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{885BB46A-3F1E-44C3-A01B-A7D9260CC98B}\InprocServer32 -> C:\WINDOWS\Downloaded Program Files\dwusplay.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{885BB46A-3F1E-44C3-A01B-A7D9260CC98B}\localserver32 -> C:\WINDOWS\Downloaded Program Files\dwusplay.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{915C2CEB-216B-4B7C-89E4-9ED3512D58D9}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{92C5E738-7372-4CD6-BE57-15833624EBF3}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{9CAAD2EA-177B-4D07-871F-47255B5D30F3}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{B391A1DB-28C8-4506-A43C-5BD6051F16BA}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{C84CD8A9-B62D-4B0F-A57F-959A30D6C584}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{D8E876D2-1A1C-495c-8A7D-80CF0EDA3566}\localserver32 -> C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio.exe (Jasc Software, Inc.)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{E50C953D-311A-481B-8F8D-C55E65AF7417}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{E9880553-B8A7-4960-A668-95C68BED571E}\InprocServer32 -> C:\WINDOWS\Downloaded Program Files\isusweb.dll (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{E9A93328-79D4-4AED-A778-146E7191F8BC}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\ISDM.exe (InstallShield Software Corporation)
CustomCLSID: HKU\S-1-5-21-1935655697-329068152-839522115-1003_Classes\CLSID\{FFF2D28F-E4EE-44D9-8104-8E71556757F6}\localserver32 -> C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe (InstallShield Software Corporation)

==================== Restore Points  =========================

Could not list restore points.
Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2001-08-23 06:00 - 2014-12-30 16:29 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\HP Photo Creations Communicator.job => C:\Documents and Settings\All Users\Application Data\HP Photo Creations\Communicator.exe

==================== Loaded Modules (whitelisted) =============

2012-05-04 09:19 - 2009-04-27 17:22 - 00271760 ____N () C:\Program Files\CyberLink\Shared files\RichVideo.exe
2002-09-11 08:41 - 2002-09-11 08:41 - 00217088 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\SpiffyExt.dll
2002-09-11 09:35 - 2002-09-11 09:35 - 00716800 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\VistaControls.dll
2002-09-11 08:46 - 2002-09-11 08:46 - 00049152 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\kUti40.dll
2002-09-16 08:03 - 2002-09-16 08:03 - 00102400 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\kpri40.dll
2002-09-16 14:23 - 2002-09-16 14:23 - 00167936 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\VistaPrintOnLine.dll
2002-09-11 09:07 - 2002-09-11 09:07 - 00073728 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\VPrintOnlineHelper40.dll
2002-09-16 14:21 - 2002-09-16 14:21 - 00282624 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\VPrintOnline.dll
2002-09-11 09:37 - 2002-09-11 09:37 - 00266240 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\VistaEmail.dll
2002-09-11 09:09 - 2002-09-11 09:09 - 00049152 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\keml40.dll
2002-09-11 08:28 - 2002-09-11 08:28 - 00180224 _____ () C:\Program Files\KODAK\Kodak EasyShare software\bin\LocAcqMod.dll
2002-03-13 07:08 - 2002-03-13 07:08 - 00016384 _____ () C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
2002-03-13 06:56 - 2002-03-13 06:56 - 00049152 _____ () C:\Program Files\Kodak\Kodak Software Updater\7288971\6.1.4.37-7288971L\Program\clntutil.dll
2002-03-13 07:08 - 2002-03-13 07:08 - 00020480 _____ () C:\Program Files\Kodak\Kodak Software Updater\7288971\Program\BWfiles-7288971.dll
2002-03-13 06:54 - 2002-03-13 06:54 - 00143360 _____ () C:\Program Files\Kodak\Kodak Software Updater\7288971\6.1.4.37-7288971L\Program\BWfiles.dll
2002-03-13 07:09 - 2002-03-13 07:09 - 00020480 _____ () C:\Program Files\Kodak\Kodak Software Updater\7288971\Program\frext-7288971.dll
2002-03-13 06:57 - 2002-03-13 06:57 - 00094208 _____ () C:\Program Files\Kodak\Kodak Software Updater\7288971\6.1.4.37-7288971L\Program\frext.dll
2002-04-09 08:05 - 2002-04-09 08:05 - 00135168 _____ () C:\Program Files\Kodak\Kodak Software Updater\7288971\Program\BWTargetInf.dll
2014-12-07 19:39 - 2014-11-26 10:40 - 03758192 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist Remote Support Customer => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1935655697-329068152-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1935655697-329068152-839522115-1005 - Limited - Enabled)
default (S-1-5-21-1935655697-329068152-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\default
Ellie Wierson (S-1-5-21-1935655697-329068152-839522115-1007 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Ellie Wierson
Guest (S-1-5-21-1935655697-329068152-839522115-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1935655697-329068152-839522115-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1935655697-329068152-839522115-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/10/2015 07:45:59 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Error: (01/10/2015 07:45:59 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (01/10/2015 05:07:08 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Error: (01/10/2015 05:07:08 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (01/10/2015 04:52:35 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Error: (01/10/2015 04:52:35 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (01/05/2015 09:46:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x03b11019.
Processing media-specific event for [iexplore.exe!ws!]

Error: (01/03/2015 06:53:23 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: Fault bucket 734562961.

Error: (01/03/2015 06:53:19 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application rundll32.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/30/2014 04:39:49 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.


System errors:
=============
Error: (12/30/2014 03:35:19 PM) (Source: 0) (EventID: 1) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (12/29/2014 11:50:06 AM) (Source: 0) (EventID: 1) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (12/26/2014 07:06:59 PM) (Source: System Error) (EventID: 1003) (User: )
Description: Error code 1000008e, parameter1 c0000005, parameter2 bec7caed, parameter3 8add2b88, parameter4 00000000.

Error: (10/24/2014 02:25:31 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (10/24/2014 02:25:31 PM) (Source: W32Time) (EventID: 17) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (10/24/2014 02:24:57 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (10/24/2014 02:24:57 PM) (Source: W32Time) (EventID: 17) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (10/24/2014 02:24:54 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (10/24/2014 02:24:54 PM) (Source: W32Time) (EventID: 17) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (10/24/2014 11:36:35 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 239 minutes.
NtpClient has no source of accurate time.


Microsoft Office Sessions:
=========================
Error: (01/10/2015 07:45:59 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description:

Error: (01/10/2015 07:45:59 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description:

Error: (01/10/2015 05:07:08 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description:

Error: (01/10/2015 05:07:08 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description:

Error: (01/10/2015 04:52:35 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description:

Error: (01/10/2015 04:52:35 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description:

Error: (01/05/2015 09:46:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe8.0.6001.18702unknown0.0.0.003b11019

Error: (01/03/2015 06:53:23 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: 734562961

Error: (01/03/2015 06:53:19 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: rundll32.exe5.1.2600.5512hungapp0.0.0.000000000

Error: (12/30/2014 04:39:49 PM) (Source: SecurityCenter) (EventID: 1802) (User: )
Description:


==================== Memory info ===========================

Processor:  Intel® Core i3-2100 CPU @ 3.10GHz
Percentage of memory in use: 74%
Total physical RAM: 1942.35 MB
Available physical RAM: 503.28 MB
Total Pagefile: 3834.85 MB
Available Pagefile: 2204.24 MB
Total Virtual: 2047.88 MB
Available Virtual: 1915.75 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.76 GB) (Free:445.49 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 18561856)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-01-2015
Ran by default (administrator) on WIERSON on 11-01-2015 09:40:49
Running from C:\Documents and Settings\default\Desktop
Loaded Profile: default (Available profiles: default & Ellie Wierson & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
(Intel Corporation) C:\WINDOWS\system32\IPROSetMonitor.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Eastman Kodak Company) C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
() C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19722344 2011-01-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
ShortcutTarget: KODAK Software Updater.lnk -> C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\default\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1935655697-329068152-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://cableone.net/
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {5828B99C-25EC-47B9-A363-B04BF50F4B14} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {87B4AD04-1AFD-470B-9F3D-CCDDC868A750} URL = http://www.bing.com/search?FORM=UP94DF&PC=UP94&dt=092813&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart Print Helper -> {FD6C6509-FE36-44B0-A917-6C2A0DDBDF88} -> C:\Program Files\Hewlett-Packard\Smart Print 2.1\Espresso.dll (Hewlett-Packard)
Toolbar: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341700385640
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50

FireFox:
========
FF ProfilePath: C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default
FF DefaultSearchEngine: Wikipedia (en)
FF SelectedSearchEngine: Wikipedia (en)
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-03]

Chrome:
=======
CHR Profile: C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-01]
CHR Extension: (Google Wallet) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-01]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe [610888 2014-12-29] (Citrix Online, a division of Citrix Systems, Inc.)
R2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-09-26] (Oracle Corporation)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
R2 NAV; C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [262968 2014-09-21] (Symantec Corporation)
S3 NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-23] (Nero AG) [File not signed]
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [271760 2009-04-27] ()
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{37A67D94-70A9-4397-BE5B-E044A7070AA0}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2011-01-26] (Creative)
S3 AON325; C:\WINDOWS\System32\DRIVERS\AON325.SYS [46976 2003-01-22] (AOpen Inc                               )
R1 BHDrvx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation)
R1 ccSet_NAV; C:\WINDOWS\system32\drivers\NAV\1506000.020\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c5132.sys [174248 2011-01-03] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-15] (Symantec Corporation)
R3 IDSxpx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150107.001\IDSxpx86.sys [453264 2015-01-07] (Symantec Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41088 2011-01-23] (Intel Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2011-01-26] (Creative Technology Ltd.)
R3 NAVENG; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150110.001\NAVENG.SYS [95704 2015-01-07] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150110.001\NAVEX15.SYS [1636696 2015-01-07] (Symantec Corporation)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NAV\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMDS.SYS [367704 2013-07-31] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMEFA.SYS [936152 2014-03-03] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-10-07] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NAV\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SYMTDI.SYS [423256 2014-02-17] (Symantec Corporation)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [122942 2004-05-20] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [99002 2004-05-20] (Intel Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-11 09:40 - 2015-01-11 09:41 - 00015167 _____ () C:\Documents and Settings\default\Desktop\FRST.txt
2015-01-11 09:40 - 2015-01-11 09:40 - 01115648 _____ (Farbar) C:\Documents and Settings\default\Desktop\FRST.exe
2015-01-10 19:38 - 2015-01-10 19:38 - 02191360 _____ () C:\Documents and Settings\default\Desktop\adwcleaner_4.107.exe
2015-01-10 19:33 - 2015-01-10 19:33 - 00000476 _____ () C:\Documents and Settings\default\Desktop\defogger_disable.log
2015-01-10 19:33 - 2015-01-10 19:33 - 00000000 _____ () C:\Documents and Settings\default\defogger_reenable
2015-01-10 19:31 - 2015-01-10 19:31 - 00050477 _____ () C:\Documents and Settings\default\Desktop\Defogger.exe
2014-12-30 16:49 - 2014-12-30 16:49 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2014-12-30 16:49 - 2014-12-30 16:49 - 00001734 _____ () C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk
2014-12-30 16:48 - 2014-12-30 16:49 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-12-30 16:30 - 2014-12-30 16:30 - 00017398 _____ () C:\ComboFix.txt
2014-12-30 16:30 - 2014-12-30 16:30 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-12-30 16:30 - 2014-12-30 16:30 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-12-30 16:30 - 2014-12-30 16:30 - 00000000 ____D () C:\Documents and Settings\Ellie Wierson\Local Settings\temp
2014-12-30 16:30 - 2014-12-30 16:30 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-12-30 16:25 - 2014-12-30 16:25 - 00000000 _RSHD () C:\cmdcons
2014-12-30 16:25 - 2012-07-07 09:38 - 00000211 _____ () C:\Boot.bak
2014-12-30 16:25 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-12-30 16:23 - 2014-12-30 16:30 - 00000000 ____D () C:\Qoobox
2014-12-30 16:23 - 2011-06-26 00:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-12-30 16:23 - 2010-11-07 11:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-12-30 16:23 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-12-30 16:22 - 2014-12-30 16:29 - 00000000 ____D () C:\WINDOWS\erdnt
2014-12-30 13:49 - 2014-12-30 13:49 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-12-30 13:18 - 2014-12-30 13:18 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-12-30 13:18 - 2014-12-30 13:18 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-12-30 13:18 - 2014-09-26 18:42 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-12-30 13:18 - 2014-09-26 18:36 - 00272808 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-12-30 13:18 - 2014-09-26 18:36 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-12-30 13:18 - 2014-09-26 18:35 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-12-30 13:18 - 2014-09-26 18:16 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-12-30 13:17 - 2014-12-30 13:18 - 00004673 _____ () C:\WINDOWS\system32\jupdate-1.7.0_71-b14.log
2014-12-29 18:07 - 2014-12-29 18:08 - 00000000 ____D () C:\Documents and Settings\default\Desktop\Spyware removal
2014-12-29 16:04 - 2015-01-11 09:40 - 00000000 ____D () C:\FRST
2014-12-29 15:56 - 2014-12-29 15:56 - 00000000 ____D () C:\Documents and Settings\default\Start Menu\Programs\Citrix
2014-12-29 15:40 - 2014-12-29 15:56 - 00001219 _____ () C:\Documents and Settings\default\Desktop\GoToAssist Customer.lnk
2014-12-29 13:06 - 2015-01-10 19:44 - 00000000 ____D () C:\AdwCleaner
2014-12-29 10:06 - 2015-01-10 19:51 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-12-29 10:05 - 2014-12-30 14:29 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-12-29 10:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-12-29 10:05 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-12-26 19:05 - 2014-12-26 19:05 - 00065536 _____ () C:\WINDOWS\Minidump\Mini122614-01.dmp
2014-12-25 16:37 - 2015-01-10 19:46 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 16:37 - 2014-12-17 16:12 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Yahoo!
2014-12-13 16:35 - 2014-12-17 16:14 - 00000000 ____D () C:\Program Files\Yahoo!

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-11 09:41 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Temp
2015-01-11 09:32 - 2010-11-06 22:16 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-01-11 09:25 - 2012-05-01 13:38 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-11 09:16 - 2013-09-23 17:01 - 00000494 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2015-01-10 19:46 - 2007-08-08 12:32 - 01915920 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-10 19:46 - 2001-08-23 06:00 - 00012620 _____ () C:\WINDOWS\system32\wpa.dbl
2015-01-10 19:45 - 2007-08-08 12:40 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-10 19:45 - 2007-08-08 07:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-01-10 19:45 - 2007-08-08 07:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-01-10 19:44 - 2007-08-08 12:41 - 00000178 ___SH () C:\Documents and Settings\default\ntuser.ini
2015-01-10 19:44 - 2007-08-08 12:40 - 00032386 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-10 19:33 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default
2015-01-10 17:41 - 2007-08-08 14:48 - 00000000 ____D () C:\Program Files\Common Files\LightScribe
2015-01-10 16:58 - 2012-05-01 13:38 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-10 16:58 - 2011-06-02 12:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-10 16:57 - 2010-01-03 18:22 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Application Data\Adobe
2014-12-31 17:13 - 2007-08-08 12:36 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-12-30 16:52 - 2012-05-04 12:20 - 00002341 _____ () C:\Documents and Settings\default\Desktop\WordPerfect.lnk
2014-12-30 16:52 - 2007-08-08 20:00 - 00002483 _____ () C:\Documents and Settings\default\Desktop\Microsoft Word.lnk
2014-12-30 16:48 - 2010-01-03 18:23 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe
2014-12-30 16:48 - 2007-08-08 13:12 - 00000000 ____D () C:\Program Files\Adobe
2014-12-30 16:29 - 2001-08-23 06:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-12-30 16:25 - 2007-08-08 07:19 - 00000327 __RSH () C:\boot.ini
2014-12-30 16:18 - 2007-08-08 12:42 - 00000000 ____D () C:\download
2014-12-30 15:34 - 2012-07-07 16:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB958644$
2014-12-30 13:18 - 2012-04-29 18:44 - 00000000 ____D () C:\Program Files\Java
2014-12-30 07:52 - 2007-08-08 07:15 - 00000000 ____D () C:\WINDOWS\Help
2014-12-29 11:48 - 2012-07-07 16:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478971$
2014-12-29 11:26 - 2012-05-01 12:33 - 00025992 ____C (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\pgdfgsvc.exe
2014-12-29 11:14 - 2010-01-03 15:50 - 00000667 ____C () C:\WINDOWS\pkzipw.INI
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Malwarebytes
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-12-29 10:04 - 2014-02-17 10:34 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-12-26 19:05 - 2013-10-20 06:42 - 00000000 ____D () C:\WINDOWS\Minidump
2014-12-26 19:05 - 2012-07-07 04:24 - 2036809728 _____ () C:\WINDOWS\MEMORY.DMP
2014-12-24 23:40 - 2013-09-16 17:16 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
2014-12-24 23:40 - 2013-09-16 17:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations
2014-12-17 16:15 - 2014-02-17 11:26 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-12-17 16:12 - 2012-11-09 23:11 - 00000000 ____D () C:\Program Files\Google
ZeroAccess:
C:\Documents and Settings\default\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Documents and Settings\default\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\default\Local Settings\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

-------------------------------------------------------------------------------------------------------------------------------------------------------------------


The problems I'm having are as stated in my original post.  There are multiple (usually 2) explorer.exe processes showing in task manager.  One of them will sometimes show 700k-800k of memory usage and 20-30 (or more) CPU cycles.  The entire system is extremely slow.


Thanks for your help.


gmer.log


Hi,

WARNING: Outdated version of Windows

Windows XP is not supported anymore by Microsoft. Therefore, you won't receive any Security Updates and other patches! This could be VERY harmful to the security state of your computer!!
I REALLY advise you to look for an upgrade to a supported version of Microsoft Windows, like Windows Vista, 7 or 8. For more information, please read this article by Microsoft: Support for Windows XP has ended.
Malware takes advantage of security leaks, and systems that are not patched against the latest security threats. Please consider upgrading!



1. Download RKill and save it to your Desktop.
  • Double-click RKill.exe to run the application.
  • If a Windows Security prompt shows up, please allow the program to start.
  • The program will start immediately with its tasks. When the program has finished, a logfile will appear.
    Please copy the contents of this logfile in your next reply.



2. Go to Start > Control Panel.

  • Double-click Add/Remove a Program (You'll be shown the uninstall list).
  • Please delete the following from your computer, as it is a very outdated version:
    • Java 7 Update 71

  • You can install a new version of Java Runtime Environment, once we have successfully cleaned up your computer.



3. Please download fixlist.txt to your Desktop.

  • Please make sure to put fixlist.txt in the same location as where FRST.exe/FRST64.exe is located!


4. Start Farbar Recovery Scan Tool by double-clicking it.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called fixlog.txt. Please include this logfile in your next reply.



5. If not already removed by FRST, please delete fixlist.txt from your computer. (Important!!)

6. Reboot your computer. (Important!!)

7. Press Windows key + R.

  • In the window that opens, please type notepad and press the ENTER key.
  • Notepad will open. Paste this into the Notepad-file (copy/paste exactly like I posted it here!!):

        @ECHO OFF
        ECHO Checking services...
        REM Start the WMI service and make sure it starts automatically at boot
        sc start winmgmt
        sc config winmgmt start= auto
        REM Clear WMI's ADAP status and re-sync the performance counter libraries
        winmgmt /clearadap
        winmgmt /resyncperf
        ECHO Fixing MSIExec process...
        REM Unregister and re-register the Windows Installer service
        msiexec /unreg
        msiexec /regserver
        ECHO.
        ECHO Reset of services finished.
        PAUSE>Nul
        EXIT

  • In the menu, go to File > Save as...
  • Please type in/check the following values:
    • File Type: All Files (*.*)
    • File name: winmgmt_fix.bat
    • Location: Desktop
  • Click the Save button and close Notepad.
  • Double-click winmgmt_fix.bat that just appeared on your Desktop, and wait until the "Press any key to continue" message is displayed.
  • If that message shows up, press any key to close the script.
  • Please report back to me if you succeeded in running this fix and if any errors occurred.


8. Download ComboFix to your Desktop.

WARNING: ComboFix is a very powerful tool that can damage your system when not used properly. ONLY use this tool under supervision of a trained Malware Analyst. Never use it on your own!!!

NOTE: Don't use your computer for other purposes while running ComboFix. It may cause it to stall!

  • Temporarily disable your own anti-virus and other anti-malware programs. For instructions, take a look here.
  • Close all open windows.
  • Right-click ComboFix.exe and select Run as Administrator.
  • Accept the Disclaimer.
  • If you're asked to install the Recovery Console, allow the program to do so.
  • The scan may take some time to finish. Wait for it, please.
  • If ComboFix asks to restart the system, please allow so immediately.
  • When finished, ComboFix will show you a logfile. Please copy/paste the contents of this logfile in your next reply.


If somehow the logfile didn't open or if you can't find it anymore, it's saved as C:\ComboFix.txt.

9. Start Farbar Recovery Scan Tool

  • If asked, click Yes at the Disclaimer window.
  • Click Scan once the program has opened.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.


10. Please give me an update on your PC problems and also please post the logfiles from:
  • RKill
  • Farbar Recovery Scan Tool - using fixlist.txt
  • ComboFix
  • Farbar Recovery Scan Tool - regular scan


Please also tell me if you succeeded in removing Java Runtime Environment and running the "winmgmt_fix" repair fix.

Good luck! :)

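The symptom this thread is about, two explorer.exe processes with one of them eating memory and CPU, is something a helper can triage before reaching for the removal tools. The script below is an added example written for this thread; it is not code from the helper, nor from FRST, Rkill or ComboFix. It reproduces in PowerShell the facts those logs report: where each explorer.exe runs from, whether the image is digitally signed (the question FRST's "Bamital & volsnap Check" answers), which process started it, how much memory it holds, and which modules it has loaded from outside the Windows and Program Files trees (the list ComboFix prints under "DLLs Loaded Under Running Processes"). It assumes Windows PowerShell 2.0 or later, which is available for Windows XP SP3, and an administrative console so that the module lists of other users' processes are readable; the function names Get-SignatureStatus, Get-ExplorerInstances and Get-ModulesOutsideSystemDirs are my own.

```powershell
# Added triage example for the "two explorer.exe processes" symptom in this thread.
# Not code from the forum helper, FRST, Rkill or ComboFix; it only reproduces the
# kind of facts those logs report (image path, signature, parent, loaded modules).
# Assumes Windows PowerShell 2.0+ (available for XP SP3) run from an admin console.

$windir   = $env:SystemRoot
$progfile = $env:ProgramFiles
$expected = Join-Path $windir 'explorer.exe'   # the only legitimate image path

function Get-SignatureStatus([string]$Path) {
    # Same question FRST's "Bamital & volsnap Check" answers: is the file signed?
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'NoPath' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Get-ExplorerInstances {
    # Win32_Process exposes ExecutablePath, ParentProcessId and WorkingSetSize on XP.
    $all = @(Get-WmiObject -Class Win32_Process)
    $all | Where-Object { $_.Name -ieq 'explorer.exe' } | ForEach-Object {
        $p        = $_
        $parentId = $p.ParentProcessId
        $parent   = $all | Where-Object { $_.ProcessId -eq $parentId } | Select-Object -First 1
        New-Object PSObject -Property @{
            Pid          = $p.ProcessId
            Path         = $p.ExecutablePath
            PathExpected = ($p.ExecutablePath -ieq $expected)
            ParentPid    = $parentId
            ParentName   = $(if ($parent) { $parent.Name } else { '<parent exited>' })
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            Signature    = Get-SignatureStatus $p.ExecutablePath
        }
    }
}

function Get-ModulesOutsideSystemDirs([int]$ProcessId) {
    # Modules loaded from anywhere other than %SystemRoot% or %ProgramFiles%:
    # the entries worth comparing against ComboFix's "DLLs Loaded Under Running Processes".
    try {
        $proc = Get-Process -Id $ProcessId -ErrorAction Stop
        $proc.Modules | ForEach-Object { $_.FileName } | Where-Object {
            -not ($_.StartsWith($windir,   'OrdinalIgnoreCase') -or
                  $_.StartsWith($progfile, 'OrdinalIgnoreCase'))
        } | ForEach-Object {
            New-Object PSObject -Property @{ Module = $_; Signature = Get-SignatureStatus $_ }
        }
    } catch {
        Write-Warning "PID ${ProcessId}: could not read module list ($($_.Exception.Message))"
    }
}

# Everything is rendered through Out-String so the report reads in order.
$instances = @(Get-ExplorerInstances)
Write-Output "explorer.exe instances: $($instances.Count)"
foreach ($i in $instances) {
    ($i | Format-List Pid, Path, PathExpected, ParentPid, ParentName, WorkingSetMB, Signature | Out-String).Trim()
    Write-Output "Modules outside Windows/Program Files for PID $($i.Pid):"
    $mods = @(Get-ModulesOutsideSystemDirs $i.Pid)
    if ($mods.Count -eq 0) { Write-Output '  (none)' }
    else { ($mods | Format-Table Module, Signature -AutoSize | Out-String).Trim() }
}
```

Read the output the way the helper reads the logs: a second explorer.exe that runs from the expected path, is signed, and was started by the first explorer.exe is what Windows itself produces when "Launch folder windows in a separate process" is enabled in Folder Options, so by itself it is not evidence of anything. What merits a closer look is an instance from another path, an unsigned image, or a module loaded from a data directory such as Application Data; that is the material to paste into a reply for the helper, not something to delete on the spot.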

Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/11/2015 12:10:40 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 01/11/2015 12:12:04 PM
Execution time: 0 hours(s), 1 minute(s), and 24 seconds(s)

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-01-2015
Ran by default at 2015-01-11 12:33:32 Run:3
Running from C:\Documents and Settings\default\Desktop
Loaded Profile: default (Available profiles: default & Ellie Wierson & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1935655697-329068152-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
C:\Documents and Settings\default\Desktop\fdw36l2r.exe
*****************

[HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\******<*>] => Subkey with invalid name deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1935655697-329068152-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
C:\Documents and Settings\default\Desktop\fdw36l2r.exe => Moved successfully.

==== End of Fixlog 12:33:32 ====

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Results of running winmgmt_fix.bat.  This is the only error.

[SC] Startservice failed 1056:

An instance of the service is already running

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 15-01-08.01 - default 01/11/2015  14:32:51.2.4 - x86
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-11 to 2015-01-11  )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23    --------    d-----w-    c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49    --------    d-----w-    c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49    --------    d-----w-    c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21    146432    ----a-w-    c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-11 18:33    --------    d-----w-    C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44    --------    d-----w-    C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14    54360    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-11 20:33    --------    d--h--w-    c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 22:37 . 2014-12-17 22:12    --------    d-----w-    c:\documents and settings\default\Application Data\Yahoo!
2014-12-13 22:35 . 2014-12-17 22:14    --------    d-----w-    c:\program files\Yahoo!
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33    25992    -c--a-w-    c:\windows\system32\pgdfgsvc.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55    610888    ----a-w-    c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150107.001\IDSxpx86.sys [2015-01-07 453264]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-11 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-11 14:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(1684)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll
.
Completion time: 2015-01-11  14:51:57
ComboFix-quarantined-files.txt  2015-01-11 20:51
ComboFix2.txt  2014-12-30 22:30
.
Pre-Run: 478,064,476,160 bytes free
Post-Run: 478,179,602,432 bytes free
.
- - End Of File - - 661561583E8E2A2AB0DCFE23D8CC9D1E
8F558EB6672622401DA993E1E865C861

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-01-2015
Ran by default (administrator) on WIERSON on 11-01-2015 15:11:20
Running from C:\Documents and Settings\default\Desktop
Loaded Profile: default (Available profiles: default & Ellie Wierson & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
(Intel Corporation) C:\WINDOWS\system32\IPROSetMonitor.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Eastman Kodak Company) C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19722344 2011-01-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
ShortcutTarget: KODAK Software Updater.lnk -> C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\default\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1935655697-329068152-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://cableone.net/
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {5828B99C-25EC-47B9-A363-B04BF50F4B14} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {87B4AD04-1AFD-470B-9F3D-CCDDC868A750} URL = http://www.bing.com/search?FORM=UP94DF&PC=UP94&dt=092813&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart Print Helper -> {FD6C6509-FE36-44B0-A917-6C2A0DDBDF88} -> C:\Program Files\Hewlett-Packard\Smart Print 2.1\Espresso.dll (Hewlett-Packard)
Toolbar: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341700385640
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50

FireFox:
========
FF ProfilePath: C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default
FF DefaultSearchEngine: Wikipedia (en)
FF SelectedSearchEngine: Wikipedia (en)
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-03]

Chrome:
=======
CHR Profile: C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-01]
CHR Extension: (Google Wallet) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-01]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe [610888 2014-12-29] (Citrix Online, a division of Citrix Systems, Inc.)
R2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
R2 NAV; C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [262968 2014-09-21] (Symantec Corporation)
S3 NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-23] (Nero AG) [File not signed]
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [271760 2009-04-27] ()
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{37A67D94-70A9-4397-BE5B-E044A7070AA0}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2011-01-26] (Creative)
S3 AON325; C:\WINDOWS\System32\DRIVERS\AON325.SYS [46976 2003-01-22] (AOpen Inc                               )
R1 BHDrvx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation)
R1 ccSet_NAV; C:\WINDOWS\system32\drivers\NAV\1506000.020\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c5132.sys [174248 2011-01-03] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-15] (Symantec Corporation)
R3 IDSxpx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150107.001\IDSxpx86.sys [453264 2015-01-07] (Symantec Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41088 2011-01-23] (Intel Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2011-01-26] (Creative Technology Ltd.)
R3 NAVENG; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150111.002\NAVENG.SYS [95704 2015-01-07] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150111.002\NAVEX15.SYS [1636696 2015-01-07] (Symantec Corporation)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NAV\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMDS.SYS [367704 2013-07-31] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMEFA.SYS [936152 2014-03-03] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-10-07] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NAV\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SYMTDI.SYS [423256 2014-02-17] (Symantec Corporation)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [122942 2004-05-20] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [99002 2004-05-20] (Intel Corporation)
U3 catchme; \??\C:\DOCUME~1\default\LOCALS~1\Temp\catchme.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 mbr; \??\C:\ComboFix\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-11 14:52 - 2015-01-11 14:52 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2015-01-11 14:52 - 2015-01-11 14:52 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2015-01-11 14:52 - 2015-01-11 14:52 - 00000000 ____D () C:\Documents and Settings\Ellie Wierson\Local Settings\temp
2015-01-11 14:52 - 2015-01-11 14:52 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2015-01-11 14:51 - 2015-01-11 14:51 - 00009894 _____ () C:\ComboFix.txt
2015-01-11 14:27 - 2015-01-11 14:27 - 05609736 ____R (Swearware) C:\Documents and Settings\default\Desktop\ComboFix.exe
2015-01-11 14:19 - 2015-01-11 14:19 - 00000252 _____ () C:\Documents and Settings\default\Desktop\winmgmt_fix.bat
2015-01-11 12:30 - 2015-01-11 12:29 - 00000409 _____ () C:\Documents and Settings\default\My Documents\fixlist.txt.don.txt
2015-01-11 12:23 - 2015-01-11 12:23 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-11 12:19 - 2015-01-11 12:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-11 12:10 - 2015-01-11 12:12 - 00003022 _____ () C:\Documents and Settings\default\Desktop\Rkill.txt
2015-01-11 12:09 - 2015-01-11 12:09 - 01943800 _____ (Bleeping Computer, LLC) C:\Documents and Settings\default\Desktop\rkill.exe
2015-01-11 10:05 - 2015-01-11 10:05 - 00017351 _____ () C:\Documents and Settings\default\Desktop\gmer.log
2015-01-11 09:41 - 2015-01-11 09:41 - 00025807 _____ () C:\Documents and Settings\default\Desktop\Addition.txt
2015-01-11 09:40 - 2015-01-11 15:11 - 00014536 _____ () C:\Documents and Settings\default\Desktop\FRST.txt
2015-01-11 09:40 - 2015-01-11 09:40 - 01115648 _____ (Farbar) C:\Documents and Settings\default\Desktop\FRST.exe
2015-01-10 19:38 - 2015-01-10 19:38 - 02191360 _____ () C:\Documents and Settings\default\Desktop\adwcleaner_4.107.exe
2015-01-10 19:33 - 2015-01-10 19:33 - 00000476 _____ () C:\Documents and Settings\default\Desktop\defogger_disable.log
2015-01-10 19:33 - 2015-01-10 19:33 - 00000000 _____ () C:\Documents and Settings\default\defogger_reenable
2015-01-10 19:31 - 2015-01-10 19:31 - 00050477 _____ () C:\Documents and Settings\default\Desktop\Defogger.exe
2014-12-30 16:49 - 2014-12-30 16:49 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2014-12-30 16:49 - 2014-12-30 16:49 - 00001734 _____ () C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk
2014-12-30 16:48 - 2014-12-30 16:49 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-12-30 16:25 - 2014-12-30 16:25 - 00000000 _RSHD () C:\cmdcons
2014-12-30 16:25 - 2012-07-07 09:38 - 00000211 _____ () C:\Boot.bak
2014-12-30 16:25 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-12-30 16:23 - 2015-01-11 14:52 - 00000000 ____D () C:\Qoobox
2014-12-30 16:23 - 2011-06-26 00:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-12-30 16:23 - 2010-11-07 11:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-12-30 16:23 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-12-30 16:22 - 2014-12-30 16:29 - 00000000 ____D () C:\WINDOWS\erdnt
2014-12-30 13:49 - 2014-12-30 13:49 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-12-30 13:18 - 2015-01-11 12:21 - 00272296 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-12-30 13:18 - 2015-01-11 12:21 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-12-30 13:18 - 2014-12-30 13:18 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-12-30 13:17 - 2014-12-30 13:18 - 00004673 _____ () C:\WINDOWS\system32\jupdate-1.7.0_71-b14.log
2014-12-29 18:07 - 2014-12-29 18:08 - 00000000 ____D () C:\Documents and Settings\default\Desktop\Spyware removal
2014-12-29 16:04 - 2015-01-11 15:11 - 00000000 ____D () C:\FRST
2014-12-29 15:56 - 2014-12-29 15:56 - 00000000 ____D () C:\Documents and Settings\default\Start Menu\Programs\Citrix
2014-12-29 15:40 - 2014-12-29 15:56 - 00001219 _____ () C:\Documents and Settings\default\Desktop\GoToAssist Customer.lnk
2014-12-29 13:06 - 2015-01-10 19:44 - 00000000 ____D () C:\AdwCleaner
2014-12-29 10:06 - 2015-01-10 19:51 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-12-29 10:05 - 2014-12-30 14:29 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-12-29 10:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-12-29 10:05 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-12-26 19:05 - 2014-12-26 19:05 - 00065536 _____ () C:\WINDOWS\Minidump\Mini122614-01.dmp
2014-12-25 16:37 - 2015-01-11 14:50 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 16:37 - 2014-12-17 16:12 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Yahoo!
2014-12-13 16:35 - 2014-12-17 16:14 - 00000000 ____D () C:\Program Files\Yahoo!

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-11 15:11 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Temp
2015-01-11 15:03 - 2010-11-06 22:16 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-01-11 14:51 - 2013-09-23 17:01 - 00000494 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2015-01-11 14:51 - 2007-08-08 12:40 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-11 14:49 - 2001-08-23 06:00 - 00000227 _____ () C:\WINDOWS\system.ini
2015-01-11 14:30 - 2007-08-08 12:40 - 00032386 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-11 14:25 - 2012-05-01 13:38 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-11 13:16 - 2007-08-08 14:48 - 00000000 ____D () C:\Program Files\Common Files\LightScribe
2015-01-11 12:49 - 2001-08-23 06:00 - 00012620 _____ () C:\WINDOWS\system32\wpa.dbl
2015-01-11 12:39 - 2007-08-08 12:32 - 01919788 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-11 12:39 - 2007-08-08 07:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-01-11 12:38 - 2007-08-08 07:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-01-11 12:36 - 2007-08-08 12:41 - 00000178 ___SH () C:\Documents and Settings\default\ntuser.ini
2015-01-11 12:29 - 2012-04-29 18:44 - 00000000 ____D () C:\Program Files\Java
2015-01-11 12:15 - 2007-08-08 12:42 - 00000000 ____D () C:\download
2015-01-10 19:33 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default
2015-01-10 16:58 - 2012-05-01 13:38 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-10 16:58 - 2011-06-02 12:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-10 16:57 - 2010-01-03 18:22 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Application Data\Adobe
2014-12-31 17:13 - 2007-08-08 12:36 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-12-30 16:52 - 2012-05-04 12:20 - 00002341 _____ () C:\Documents and Settings\default\Desktop\WordPerfect.lnk
2014-12-30 16:52 - 2007-08-08 20:00 - 00002483 _____ () C:\Documents and Settings\default\Desktop\Microsoft Word.lnk
2014-12-30 16:48 - 2010-01-03 18:23 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe
2014-12-30 16:48 - 2007-08-08 13:12 - 00000000 ____D () C:\Program Files\Adobe
2014-12-30 16:25 - 2007-08-08 07:19 - 00000327 __RSH () C:\boot.ini
2014-12-30 15:34 - 2012-07-07 16:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB958644$
2014-12-30 07:52 - 2007-08-08 07:15 - 00000000 ____D () C:\WINDOWS\Help
2014-12-29 11:48 - 2012-07-07 16:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478971$
2014-12-29 11:26 - 2012-05-01 12:33 - 00025992 ____C (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\pgdfgsvc.exe
2014-12-29 11:14 - 2010-01-03 15:50 - 00000667 ____C () C:\WINDOWS\pkzipw.INI
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Malwarebytes
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-12-29 10:04 - 2014-02-17 10:34 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-12-26 19:05 - 2013-10-20 06:42 - 00000000 ____D () C:\WINDOWS\Minidump
2014-12-26 19:05 - 2012-07-07 04:24 - 2036809728 _____ () C:\WINDOWS\MEMORY.DMP
2014-12-24 23:40 - 2013-09-16 17:16 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
2014-12-24 23:40 - 2013-09-16 17:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations
2014-12-17 16:15 - 2014-02-17 11:26 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-12-17 16:12 - 2012-11-09 23:11 - 00000000 ____D () C:\Program Files\Google
ZeroAccess:
C:\Documents and Settings\default\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Problem still exists..... explorer.exe process is over 1 MB of memory usage now, and 40-60 CPU.


Hi,

Your logs seem to be clean... Nevertheless we're going to take a deeper look into your system.

1. Download ComboFix to your Desktop.

WARNING: ComboFix is a very powerful tool that can damage your system when not used properly. ONLY use this tool under supervision of a trained Malware Analyst. Never use it on your own!!!

NOTE: Don't use your computer for other purposes while running ComboFix. It may cause it to stall!

  • Temporarily disable your own anti-virus and other anti-malware programs. For instructions, take a look here.
  • Close all open windows.
  • Right-click ComboFix.exe and select Run as Administrator.
  • Accept the Disclaimer.
  • If you're asked to install the Recovery Console, allow the program to do so.
  • The scan may take some time to finish. Wait for it, please.
  • If ComboFix asks to restart the system, please allow it to do so immediately.
  • When finished, ComboFix will show you a logfile. Please copy/paste the contents of this logfile in your next reply.


If somehow the logfile didn't open or if you can't find it anymore, it's saved as C:\ComboFix.txt.

2. Start Farbar Recovery Scan Tool

  • If asked, click Yes at the Disclaimer window.
  • Click Scan once the program has opened.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

3. Please give me an update on your computer problems and also enclose the logfiles from ComboFix and Farbar Recovery Scan Tool. :)


Computer is still very slow and still has 2 explorer.exe processes running, one is taking up 90k of memory at the moment.

Just FYI, earlier you asked me to uninstall Java since it was an old version.  I need Java to remotely connect to this machine, so I upgraded it to the newest version and uninstalled the old version.

Here are the current logs.  Thanks for your help.

ComboFix 15-01-08.01 - default 01/11/2015  20:40:18.3.4 - x86
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-12 to 2015-01-12  )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23    --------    d-----w-    c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49    --------    d-----w-    c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49    --------    d-----w-    c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21    146432    ----a-w-    c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-11 21:11    --------    d-----w-    C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44    --------    d-----w-    C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14    54360    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-12 02:40    --------    d--h--w-    c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 22:37 . 2014-12-17 22:12    --------    d-----w-    c:\documents and settings\default\Application Data\Yahoo!
2014-12-13 22:35 . 2014-12-17 22:14    --------    d-----w-    c:\program files\Yahoo!
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33    25992    -c--a-w-    c:\windows\system32\pgdfgsvc.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55    610888    ----a-w-    c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [2015-01-11 475288]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-12 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-11 20:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(6660)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll
.
Completion time: 2015-01-11  20:59:55
ComboFix-quarantined-files.txt  2015-01-12 02:59
ComboFix2.txt  2015-01-11 20:51
ComboFix3.txt  2014-12-30 22:30
.
Pre-Run: 478,141,112,320 bytes free
Post-Run: 478,153,256,960 bytes free
.
- - End Of File - - 354FD222D2DA25667699A16EDEB021CC
8F558EB6672622401DA993E1E865C861

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-01-2015
Ran by default (administrator) on WIERSON on 12-01-2015 11:20:54
Running from C:\Documents and Settings\default\Desktop
Loaded Profile: default (Available profiles: default & Ellie Wierson & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
(Intel Corporation) C:\WINDOWS\system32\IPROSetMonitor.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Eastman Kodak Company) C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19722344 2011-01-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
ShortcutTarget: KODAK Software Updater.lnk -> C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\default\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1935655697-329068152-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://cableone.net/
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {5828B99C-25EC-47B9-A363-B04BF50F4B14} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {87B4AD04-1AFD-470B-9F3D-CCDDC868A750} URL = http://www.bing.com/search?FORM=UP94DF&PC=UP94&dt=092813&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart Print Helper -> {FD6C6509-FE36-44B0-A917-6C2A0DDBDF88} -> C:\Program Files\Hewlett-Packard\Smart Print 2.1\Espresso.dll (Hewlett-Packard)
Toolbar: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341700385640
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50

FireFox:
========
FF ProfilePath: C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default
FF DefaultSearchEngine: Wikipedia (en)
FF SelectedSearchEngine: Wikipedia (en)
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-03]

Chrome:
=======
CHR Profile: C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-01]
CHR Extension: (Google Wallet) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-01]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe [610888 2014-12-29] (Citrix Online, a division of Citrix Systems, Inc.)
R2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
R2 NAV; C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [262968 2014-09-21] (Symantec Corporation)
S3 NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-23] (Nero AG) [File not signed]
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [271760 2009-04-27] ()
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{37A67D94-70A9-4397-BE5B-E044A7070AA0}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2011-01-26] (Creative)
S3 AON325; C:\WINDOWS\System32\DRIVERS\AON325.SYS [46976 2003-01-22] (AOpen Inc                               )
R1 BHDrvx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation)
R1 ccSet_NAV; C:\WINDOWS\system32\drivers\NAV\1506000.020\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c5132.sys [174248 2011-01-03] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-15] (Symantec Corporation)
R3 IDSxpx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [475288 2015-01-11] (Symantec Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41088 2011-01-23] (Intel Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2011-01-26] (Creative Technology Ltd.)
R3 NAVENG; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150111.025\NAVENG.SYS [95704 2015-01-07] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150111.025\NAVEX15.SYS [1636696 2015-01-07] (Symantec Corporation)
R3 SRTSP; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NAV\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMDS.SYS [367704 2013-07-31] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMEFA.SYS [936152 2014-03-03] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-10-07] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NAV\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SYMTDI.SYS [423256 2014-02-17] (Symantec Corporation)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [122942 2004-05-20] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [99002 2004-05-20] (Intel Corporation)
U3 catchme; \??\C:\DOCUME~1\default\LOCALS~1\Temp\catchme.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 mbr; \??\C:\ComboFix\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-12 11:20 - 2015-01-12 11:21 - 00014536 _____ () C:\Documents and Settings\default\Desktop\FRST.txt
2015-01-12 11:20 - 2015-01-12 11:20 - 01115648 _____ (Farbar) C:\Documents and Settings\default\Desktop\frst.exe
2015-01-11 20:59 - 2015-01-11 20:59 - 00009960 _____ () C:\ComboFix.txt
2015-01-11 20:59 - 2015-01-11 20:59 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2015-01-11 20:59 - 2015-01-11 20:59 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2015-01-11 20:59 - 2015-01-11 20:59 - 00000000 ____D () C:\Documents and Settings\Ellie Wierson\Local Settings\temp
2015-01-11 20:59 - 2015-01-11 20:59 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2015-01-11 14:27 - 2015-01-11 14:27 - 05609736 ____R (Swearware) C:\Documents and Settings\default\Desktop\ComboFix.exe
2015-01-11 14:19 - 2015-01-11 14:19 - 00000252 _____ () C:\Documents and Settings\default\Desktop\winmgmt_fix.bat
2015-01-11 12:30 - 2015-01-11 12:29 - 00000409 _____ () C:\Documents and Settings\default\My Documents\fixlist.txt.don.txt
2015-01-11 12:23 - 2015-01-11 12:23 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-11 12:19 - 2015-01-11 12:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-11 12:10 - 2015-01-11 12:12 - 00003022 _____ () C:\Documents and Settings\default\Desktop\Rkill.txt
2015-01-11 12:09 - 2015-01-11 12:09 - 01943800 _____ (Bleeping Computer, LLC) C:\Documents and Settings\default\Desktop\rkill.exe
2015-01-11 10:05 - 2015-01-11 10:05 - 00017351 _____ () C:\Documents and Settings\default\Desktop\gmer.log
2015-01-11 09:41 - 2015-01-11 09:41 - 00025807 _____ () C:\Documents and Settings\default\Desktop\Addition.txt
2015-01-10 19:38 - 2015-01-10 19:38 - 02191360 _____ () C:\Documents and Settings\default\Desktop\adwcleaner_4.107.exe
2015-01-10 19:33 - 2015-01-10 19:33 - 00000476 _____ () C:\Documents and Settings\default\Desktop\defogger_disable.log
2015-01-10 19:33 - 2015-01-10 19:33 - 00000000 _____ () C:\Documents and Settings\default\defogger_reenable
2015-01-10 19:31 - 2015-01-10 19:31 - 00050477 _____ () C:\Documents and Settings\default\Desktop\Defogger.exe
2014-12-30 16:49 - 2014-12-30 16:49 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2014-12-30 16:49 - 2014-12-30 16:49 - 00001734 _____ () C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk
2014-12-30 16:48 - 2014-12-30 16:49 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-12-30 16:25 - 2014-12-30 16:25 - 00000000 _RSHD () C:\cmdcons
2014-12-30 16:25 - 2012-07-07 09:38 - 00000211 _____ () C:\Boot.bak
2014-12-30 16:25 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-12-30 16:23 - 2015-01-11 20:59 - 00000000 ____D () C:\Qoobox
2014-12-30 16:23 - 2011-06-26 00:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-12-30 16:23 - 2010-11-07 11:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-12-30 16:23 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-12-30 16:22 - 2014-12-30 16:29 - 00000000 ____D () C:\WINDOWS\erdnt
2014-12-30 13:49 - 2014-12-30 13:49 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-12-30 13:18 - 2015-01-11 12:21 - 00272296 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-12-30 13:18 - 2015-01-11 12:21 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-12-30 13:18 - 2014-12-30 13:18 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-12-30 13:17 - 2014-12-30 13:18 - 00004673 _____ () C:\WINDOWS\system32\jupdate-1.7.0_71-b14.log
2014-12-29 18:07 - 2014-12-29 18:08 - 00000000 ____D () C:\Documents and Settings\default\Desktop\Spyware removal
2014-12-29 16:04 - 2015-01-12 11:21 - 00000000 ____D () C:\FRST
2014-12-29 15:56 - 2014-12-29 15:56 - 00000000 ____D () C:\Documents and Settings\default\Start Menu\Programs\Citrix
2014-12-29 15:40 - 2014-12-29 15:56 - 00001219 _____ () C:\Documents and Settings\default\Desktop\GoToAssist Customer.lnk
2014-12-29 13:06 - 2015-01-10 19:44 - 00000000 ____D () C:\AdwCleaner
2014-12-29 10:06 - 2015-01-10 19:51 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-12-29 10:05 - 2014-12-30 14:29 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-12-29 10:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-12-29 10:05 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-12-26 19:05 - 2014-12-26 19:05 - 00065536 _____ () C:\WINDOWS\Minidump\Mini122614-01.dmp
2014-12-25 16:37 - 2015-01-11 20:59 - 00000000 ___HD () C:\Documents and Settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 16:37 - 2014-12-17 16:12 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Yahoo!
2014-12-13 16:35 - 2014-12-17 16:14 - 00000000 ____D () C:\Program Files\Yahoo!

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-12 11:21 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Temp
2015-01-12 11:16 - 2013-09-23 17:01 - 00000494 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2015-01-12 11:12 - 2010-11-06 22:16 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-01-12 10:25 - 2012-05-01 13:38 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-12 05:20 - 2007-08-08 12:36 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-01-12 02:04 - 2007-08-08 14:48 - 00000000 ____D () C:\Program Files\Common Files\LightScribe
2015-01-11 22:25 - 2007-08-08 12:40 - 00032542 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-11 20:59 - 2007-08-08 12:40 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-11 20:57 - 2001-08-23 06:00 - 00000227 _____ () C:\WINDOWS\system.ini
2015-01-11 12:49 - 2001-08-23 06:00 - 00012620 _____ () C:\WINDOWS\system32\wpa.dbl
2015-01-11 12:39 - 2007-08-08 12:32 - 01919788 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-11 12:39 - 2007-08-08 07:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-01-11 12:38 - 2007-08-08 07:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-01-11 12:36 - 2007-08-08 12:41 - 00000178 ___SH () C:\Documents and Settings\default\ntuser.ini
2015-01-11 12:29 - 2012-04-29 18:44 - 00000000 ____D () C:\Program Files\Java
2015-01-11 12:15 - 2007-08-08 12:42 - 00000000 ____D () C:\download
2015-01-10 19:33 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default
2015-01-10 16:58 - 2012-05-01 13:38 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-10 16:58 - 2011-06-02 12:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-10 16:57 - 2010-01-03 18:22 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Application Data\Adobe
2014-12-30 16:52 - 2012-05-04 12:20 - 00002341 _____ () C:\Documents and Settings\default\Desktop\WordPerfect.lnk
2014-12-30 16:52 - 2007-08-08 20:00 - 00002483 _____ () C:\Documents and Settings\default\Desktop\Microsoft Word.lnk
2014-12-30 16:48 - 2010-01-03 18:23 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe
2014-12-30 16:48 - 2007-08-08 13:12 - 00000000 ____D () C:\Program Files\Adobe
2014-12-30 16:25 - 2007-08-08 07:19 - 00000327 __RSH () C:\boot.ini
2014-12-30 15:34 - 2012-07-07 16:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB958644$
2014-12-30 07:52 - 2007-08-08 07:15 - 00000000 ____D () C:\WINDOWS\Help
2014-12-29 11:48 - 2012-07-07 16:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478971$
2014-12-29 11:26 - 2012-05-01 12:33 - 00025992 ____C (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\pgdfgsvc.exe
2014-12-29 11:14 - 2010-01-03 15:50 - 00000667 ____C () C:\WINDOWS\pkzipw.INI
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Malwarebytes
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-12-29 10:04 - 2014-02-17 10:34 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-12-26 19:05 - 2013-10-20 06:42 - 00000000 ____D () C:\WINDOWS\Minidump
2014-12-26 19:05 - 2012-07-07 04:24 - 2036809728 _____ () C:\WINDOWS\MEMORY.DMP
2014-12-24 23:40 - 2013-09-16 17:16 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
2014-12-24 23:40 - 2013-09-16 17:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations
2014-12-17 16:15 - 2014-02-17 11:26 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-12-17 16:12 - 2012-11-09 23:11 - 00000000 ____D () C:\Program Files\Google
ZeroAccess:
C:\Documents and Settings\default\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


Please download CFScript.txt and save it to your Desktop.

  • Make sure CFScript.txt is located in the same location as ComboFix.exe!!
  • Make sure you save it with its original name!! Other filenames won't work, only "CFScript.txt" will!!
  • Please drag-and-drop CFScript.txt on to ComboFix.exe as shown here:

    [image: cfscript10.gif, CFScript.txt being dragged onto ComboFix.exe]

  • ComboFix will start and will perform some deletions. Please don't use your PC for other purposes while ComboFix is running, or it may cause your system to stall!!
  • Once completed, please include the contents of the logfile that opens into your next reply.

 

Good luck! :)


ComboFix 15-01-08.01 - default 01/12/2015  13:05:06.4.4 - x86
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896} . . . . Failed to delete
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-12 to 2015-01-12  )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23    --------    d-----w-    c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49    --------    d-----w-    c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49    --------    d-----w-    c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21    146432    ----a-w-    c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-12 17:21    --------    d-----w-    C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44    --------    d-----w-    C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14    54360    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-12 19:27    --------    d-----w-    c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 22:37 . 2014-12-17 22:12    --------    d-----w-    c:\documents and settings\default\Application Data\Yahoo!
2014-12-13 22:35 . 2014-12-17 22:14    --------    d-----w-    c:\program files\Yahoo!
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33    25992    -c--a-w-    c:\windows\system32\pgdfgsvc.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55    610888    ----a-w-    c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [2015-01-11 475288]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-12 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-12 13:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
c:\windows\system32\RunDll32.exe
c:\program files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
.
**************************************************************************
.
Completion time: 2015-01-12  13:33:14 - machine was rebooted
ComboFix-quarantined-files.txt  2015-01-12 19:33
ComboFix2.txt  2015-01-12 02:59
ComboFix3.txt  2015-01-11 20:51
ComboFix4.txt  2014-12-30 22:30
.
Pre-Run: 477,895,602,176 bytes free
Post-Run: 478,050,889,728 bytes free
.
- - End Of File - - 8C30F9EA15FD2FEBBC4A8216AC7A0422
8F558EB6672622401DA993E1E865C861
 

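The "DLLs Loaded Under Running Processes" section of the log above is the part that ties back to the original complaint: explorer.exe (PID 1064) has a module mapped from the user's profile, c:\docume~1\default\LOCALS~1\TempIadHide3.dll, while every other module in that process comes from c:\windows. As an added example, not part of the original thread and not ComboFix's own logic, here is a small Python triage script that parses that section and flags any module a system process has loaded from outside C:\Windows and C:\Program Files. The sample log embedded in the script is an excerpt constructed from the lines quoted in this post; the trusted-root rule and the 8.3 short-name table are assumptions of this example. A hit is a lead for a hands-on check (hash, signature, creation time, what references it), not a verdict on its own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the ComboFix log quoted above (not the full log).
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(1064)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other Running Processes ------------------------
"""

SECTION_START = "DLLs Loaded Under Running Processes"
# ComboFix prints each process as:  - - - - - - - > 'name.exe'(pid)
PROCESS_HDR = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\((?P<pid>\d+)\)\s*$")

# Heuristic (assumption of this example): system processes are expected to
# load modules from these roots only. Anything else (user profile, temp
# folders, GUID-named ProgramData folders) deserves a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

# 8.3 short names that show up in ComboFix output, expanded so the
# root check above works on the real path. Table is an assumption.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "locals~1": "local settings",
    "progra~1": "program files",
}


def normalize(path: str) -> str:
    """Lower-case the path and expand known 8.3 components."""
    parts = path.lower().split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def parse_loaded_modules(log_text: str) -> Dict[Tuple[str, int], List[str]]:
    """Return {(process name, pid): [module paths]} for the DLLs section."""
    modules: Dict[Tuple[str, int], List[str]] = {}
    in_section = False
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_START in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-----"):      # banner of the next section: stop
            break
        m = PROCESS_HDR.match(line)
        if m:
            current = (m.group("name"), int(m.group("pid")))
            modules[current] = []
            continue
        if current is not None and "\\" in line:   # a module path line
            modules[current].append(line)
    return modules


def is_outside_trusted_roots(path: str) -> bool:
    return not normalize(path).startswith(TRUSTED_ROOTS)


def find_suspicious_modules(log_text: str) -> List[Tuple[str, int, str]]:
    """List (process, pid, path) for modules loaded from untrusted roots."""
    hits = []
    for (name, pid), paths in parse_loaded_modules(log_text).items():
        for p in paths:
            if is_outside_trusted_roots(p):
                hits.append((name, pid, p))
    return hits


if __name__ == "__main__":
    for name, pid, path in find_suspicious_modules(SAMPLE_LOG):
        print(f"{name} ({pid}) loaded a module outside Windows/Program Files: {path}")
```

On the excerpt above the only hit is explorer.exe (1064) with the LOCALS~1\TempIadHide3.dll module; g2ax_winlogon.dll in winlogon.exe is not flagged because it sits under Program Files, which is why confirming what a flagged (or unflagged) module is still needs the file itself, not just its path.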

Hi,

 

Please download CFScript.txt and save it to your Desktop.

  • Make sure CFScript.txt is located in the same location as ComboFix.exe!!
  • Make sure you save it with its original name!! Other filenames won't work, only "CFScript.txt" will!!
  • Please drag-and-drop CFScript.txt on to ComboFix.exe as shown here:

    [image: cfscript10.gif, CFScript.txt being dragged onto ComboFix.exe]

  • ComboFix will start and will perform some deletions. Please don't use your PC for other purposes while ComboFix is running, or it may cause your system to stall!!
  • Once completed, please include the contents of the logfile that opens into your next reply.

 

Good luck! :)

 


ComboFix 15-01-08.01 - default 01/12/2015  14:50:31.5.4 - x86
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
 * Created a new restore point
.
FILE ::
"c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll"
"c:\documents and settings\default\Local Settings\TempIadHide3.dll"
"c:\windows\system32\wscntfy.exe"
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-12 to 2015-01-12  )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23    --------    d-----w-    c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49    --------    d-----w-    c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49    --------    d-----w-    c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21    146432    ----a-w-    c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-12 17:21    --------    d-----w-    C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44    --------    d-----w-    C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14    54360    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-12 21:31    --------    d-----w-    c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
2014-12-13 22:37 . 2014-12-17 22:12    --------    d-----w-    c:\documents and settings\default\Application Data\Yahoo!
2014-12-13 22:35 . 2014-12-17 22:14    --------    d-----w-    c:\program files\Yahoo!
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33    25992    -c--a-w-    c:\windows\system32\pgdfgsvc.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55    610888    ----a-w-    c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [2015-01-11 475288]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-12 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-12 15:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(280)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
c:\windows\system32\RunDll32.exe
c:\program files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2015-01-12  15:35:04 - machine was rebooted
ComboFix-quarantined-files.txt  2015-01-12 21:34
ComboFix2.txt  2015-01-12 19:33
ComboFix3.txt  2015-01-12 02:59
ComboFix4.txt  2015-01-11 20:51
ComboFix5.txt  2015-01-12 20:48
.
Pre-Run: 478,034,300,928 bytes free
Post-Run: 478,018,093,056 bytes free
.
- - End Of File - - C2DC7B0134D6F0455A7E024AB1697FC1
8F558EB6672622401DA993E1E865C861
 


Sorry to take so long to get back to you. For some reason the forums did not email me this time that you had replied.

To work on this machine, I'm using a program called Citrix GoToAssist, which allows me to remote control the PC without user intervention.

It does allow me to reboot in safe mode, but when I dragged the CFScript on top of the ComboFix icon, it disconnects me and I have to reconnect to the machine after a few minutes. When I reconnected, the PC was back in normal mode so I assume it rebooted, but ComboFix was still running and here is the log. However, I don't know whether it actually ran in safe mode or not.

 

ComboFix 15-01-08.01 - default 01/13/2015   1:19.6.4 - x86 NETWORK
Running from: c:\documents and settings\default\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\default\Desktop\CFScript.txt
 * Created a new restore point
.
FILE ::
"c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll"
"c:\documents and settings\default\Local Settings\TempIadHide3.dll"
"c:\windows\system32\wscntfy.exe"
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-13 to 2015-01-13  )))))))))))))))))))))))))))))))
.
.
2015-01-11 18:23 . 2015-01-11 18:23    --------    d-----w-    c:\program files\Common Files\Java
2015-01-11 18:19 . 2015-01-11 18:26    --------    d-----w-    c:\documents and settings\All Users\Application Data\Oracle
2014-12-30 22:48 . 2014-12-30 22:49    --------    d-----w-    c:\program files\Common Files\Adobe
2014-12-30 19:49 . 2014-12-30 19:49    --------    d-----w-    c:\windows\ERUNT
2014-12-30 19:18 . 2015-01-11 18:21    146432    ----a-w-    c:\windows\system32\javacpl.cpl
2014-12-30 19:18 . 2015-01-11 18:21    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-12-29 22:04 . 2015-01-12 17:21    --------    d-----w-    C:\FRST
2014-12-29 19:06 . 2015-01-11 01:44    --------    d-----w-    C:\AdwCleaner
2014-12-29 16:06 . 2015-01-11 01:51    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 16:05 . 2014-12-30 20:29    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-29 16:05 . 2014-11-21 12:14    54360    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 16:05 . 2014-11-21 12:14    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-25 22:37 . 2015-01-13 17:31    --------    d-----w-    c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-10 22:58 . 2012-05-01 19:38    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-01-10 22:58 . 2011-06-02 18:37    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-29 17:26 . 2012-05-01 18:33    25992    -c--a-w-    c:\windows\system32\pgdfgsvc.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 145944]
"RTHDCPL"="RTHDCPL.EXE" [2011-01-27 19722344]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
.
c:\documents and settings\default\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart 6520 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=TH36F120YM05XP;CONNECTION=NW;MONITOR=1; [2008-4-14 33280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe -h [2002-9-16 299008]
KODAK Software Updater.lnk - c:\program files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2002-3-13 16384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE -b -l [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2014-12-29 21:55    610888    ----a-w-    c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
.
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-01-27 1691480]
R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1506000.020\SYMDS.SYS [2013-08-01 367704]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1506000.020\SYMEFA.SYS [2014-03-04 936152]
S1 BHDrvx86;BHDrvx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [2014-10-03 1138392]
S1 ccSet_NAV;NAV Settings Manager;c:\windows\system32\drivers\NAV\1506000.020\ccSetx86.sys [2013-09-26 127064]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1506000.020\Ironx86.SYS [2014-08-06 209624]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe Start=service [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2010-09-22 110752]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [2014-09-21 262968]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-01-24 2656280]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-15 111408]
S3 IDSxpx86;IDSxpx86;c:\program files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [2015-01-11 475288]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2011-01-24 41088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-01 22:58]
.
2015-01-13 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\Communicator.exe [2014-12-25 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://cableone.net/
uInternet Settings,ProxyOverride = localhost
TCP: DhcpNameServer = 24.116.0.53 24.116.2.50
FF - ProfilePath - c:\documents and settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-01-13 11:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\NAV\1506000.020\SYMTDI.SYS"
"TrustedImagePaths"="c:\program files\Norton AntiVirus\Engine\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(284)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
c:\windows\RTHDCPL.EXE
c:\program files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
c:\windows\system32\RunDll32.exe
c:\program files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
.
**************************************************************************
.
Completion time: 2015-01-13  11:34:59 - machine was rebooted
ComboFix-quarantined-files.txt  2015-01-13 17:34
ComboFix2.txt  2015-01-12 21:35
ComboFix3.txt  2015-01-12 19:33
ComboFix4.txt  2015-01-12 02:59
ComboFix5.txt  2015-01-13 07:18
.
Pre-Run: 477,971,271,680 bytes free
Post-Run: 478,100,668,416 bytes free
.
- - End Of File - - 73C9A31E99A5765AACE64F412BBC3533
8F558EB6672622401DA993E1E865C861
 

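Both ComboFix logs above show the same two oddities under "DLLs Loaded Under Running Processes": explorer.exe has mapped ListSvc.dll from a GUID-named folder under All Users\Application Data and TempIadHide3.dll from the user's Local Settings folder, while everything else in winlogon.exe and explorer.exe comes from the Windows or Program Files trees. That location check is the whole triage, so here it is as a small Python script. This is an added example written for this page, not code from the thread or from ComboFix; the trusted-directory whitelist, the 8.3 short-name table and the function names are assumptions, and the embedded log excerpt is copied from the second log above so the script runs offline.

```python
import re

# Added example: triage the "DLLs Loaded Under Running Processes" section of a
# ComboFix log and flag modules mapped into winlogon.exe / explorer.exe from
# anywhere other than the Windows or Program Files trees.  The whitelist and
# the short-name table are assumptions for a Windows XP layout, not anything
# ComboFix itself defines.

SECTION_START = "DLLs Loaded Under Running Processes"
SECTION_END = "Other Running Processes"

# ComboFix prints some paths in DOS 8.3 form (c:\docume~1\...\LOCALS~1\...);
# expand the common XP ones so the prefix check sees the real directory.
SHORT_NAMES = {
    r"c:\docume~1": r"c:\documents and settings",
    r"\locals~1": r"\local settings",
    r"\applic~1": r"\application data",
    r"c:\progra~1": r"c:\program files",
}

# Directories from which a DLL inside a core Windows process is expected.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# A GUID-named folder under a profile or All Users is a classic drop location.
GUID_DIR = re.compile(r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\", re.I)
PROCESS_HEADER = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")

# Constructed sample: the DLL section of the second ComboFix log in this thread.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll
.
- - - - - - - > 'explorer.exe'(284)
c:\windows\system32\WININET.dll
c:\docume~1\default\LOCALS~1\TempIadHide3.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll
.
------------------------ Other Running Processes ------------------------
"""


def normalize(path):
    """Lower-case a path and expand the known 8.3 short names."""
    p = path.strip().lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def parse_loaded_dlls(log_text):
    """Return {'explorer.exe(284)': [dll, ...], ...} for the DLL section of a log."""
    body = log_text.split(SECTION_START, 1)[1].split(SECTION_END, 1)[0]
    modules, current = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        m = PROCESS_HEADER.match(line)
        if m:
            current = f"{m.group(1)}({m.group(2)})"
            modules[current] = []
        elif current and line.lower().endswith(".dll"):
            modules[current].append(line)
    return modules


def classify(path):
    """Return None for an expected location, otherwise a short reason string."""
    p = normalize(path)
    if GUID_DIR.search(p):
        return "GUID-named folder"
    if not p.startswith(TRUSTED_PREFIXES):
        return "outside Windows/Program Files"
    return None


def flag_modules(log_text):
    """List (process, original path, reason) for every suspicious loaded DLL."""
    hits = []
    for proc, dlls in parse_loaded_dlls(log_text).items():
        for dll in dlls:
            reason = classify(dll)
            if reason:
                hits.append((proc, dll, reason))
    return hits


if __name__ == "__main__":
    for proc, dll, why in flag_modules(SAMPLE_LOG):
        print(f"{proc}: {dll}  [{why}]")
```

Run against the excerpt, the script reports exactly the two modules the helper put in the CFScript, TempIadHide3.dll and ListSvc.dll, and nothing else. It also explains the next post in the thread: a DLL that is mapped into a running explorer.exe cannot be deleted until that process releases it, which is why the file reported "in use" and why killing or unlocking the explorer handle in normal mode succeeded where the safe-mode delete did not.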

The only file that wouldn't delete, even in safe mode, was:

c:\documents and settings\All Users\Application Data\{377B2A12-6A01-40D9-977F-FDB9149D3896}\ListSvc.dll

 

It said the file was in use and couldn't be deleted. I downloaded the program Unlocker, which is a program that tries to unlock files that are locked by a Windows process, so it can be deleted. It didn't work in safe mode, but it DID work in normal mode. The folder {377B2A12-6A01-40D9-977F-FDB9149D3896} has been deleted. I rebooted and I now only have one explorer.exe process and it's only taking up 27K of memory.

 

I think you found the problem.


Here's the log file.

Everything seems to be working better. Should I run Defogger again and re-enable emulation?

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-01-2015
Ran by default (administrator) on WIERSON on 13-01-2015 13:25:10
Running from C:\Documents and Settings\default\Desktop
Loaded Profile: default (Available profiles: default & Ellie Wierson & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe
(Intel Corporation) C:\WINDOWS\system32\IPROSetMonitor.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_comm_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_system_customer.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_host.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_user_customer.exe
(Symantec Corporation) C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\nav.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
() C:\Program Files\Unlocker\UnlockerAssistant.exe
(Eastman Kodak Company) C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
() C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NeroFilterCheck] => C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [155648 2006-01-12] (Nero AG)
HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19722344 2011-01-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [unlockerAssistant] => C:\Program Files\Unlocker\UnlockerAssistant.exe [17408 2010-07-04] ()
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_winlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-18\...\Policies\Explorer: [CDRAutoRun] 0
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
ShortcutTarget: KODAK Software Updater.lnk -> C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\default\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Photosmart 6520 series (Network).lnk -> C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1935655697-329068152-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://cableone.net/
HKU\S-1-5-21-1935655697-329068152-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {5828B99C-25EC-47B9-A363-B04BF50F4B14} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {87B4AD04-1AFD-470B-9F3D-CCDDC868A750} URL = http://www.bing.com/search?FORM=UP94DF&PC=UP94&dt=092813&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart Print Helper -> {FD6C6509-FE36-44B0-A917-6C2A0DDBDF88} -> C:\Program Files\Hewlett-Packard\Smart Print 2.1\Espresso.dll (Hewlett-Packard)
Toolbar: HKU\S-1-5-21-1935655697-329068152-839522115-1003 -> No Name - {A13C2648-91D4-4BF3-BC6D-0079707C4389} -  No File
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341700385640
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 24.116.0.53 24.116.2.50

FireFox:
========
FF ProfilePath: C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\yl60un9q.default
FF DefaultSearchEngine: Wikipedia (en)
FF SelectedSearchEngine: Wikipedia (en)
FF Homepage: www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-01-03]

Chrome:
=======
CHR Profile: C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-01]
CHR Extension: (Google Wallet) - C:\Documents and Settings\default\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-08-01]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\726\g2ax_service.exe [610888 2014-12-29] (Citrix Online, a division of Citrix Systems, Inc.)
R2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [110752 2010-09-22] (Intel Corporation)
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2006-12-14] (Hewlett-Packard Company) [File not signed]
R2 NAV; C:\Program Files\Norton AntiVirus\Engine\21.6.0.32\NAV.exe [262968 2014-09-21] (Symantec Corporation)
S3 NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [262144 2006-12-23] (Nero AG) [File not signed]
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [271760 2009-04-27] ()
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{37A67D94-70A9-4397-BE5B-E044A7070AA0}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2011-01-26] (Creative)
S3 AON325; C:\WINDOWS\System32\DRIVERS\AON325.SYS [46976 2003-01-22] (AOpen Inc                               )
R1 BHDrvx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\BASHDefs\20141209.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation)
R1 ccSet_NAV; C:\WINDOWS\system32\drivers\NAV\1506000.020\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
R3 e1cexpress; C:\WINDOWS\System32\DRIVERS\e1c5132.sys [174248 2011-01-03] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-15] (Symantec Corporation)
R3 IDSxpx86; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\IPSDefs\20150108.002\IDSxpx86.sys [475288 2015-01-11] (Symantec Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41088 2011-01-23] (Intel Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2011-01-26] (Creative Technology Ltd.)
S3 NAVENG; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150112.035\NAVENG.SYS [95704 2015-01-07] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Norton AntiVirus\NortonData\21.0.2.1\Definitions\VirusDefs\20150112.035\NAVEX15.SYS [1636696 2015-01-07] (Symantec Corporation)
S3 SRTSP; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\NAV\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMDS.SYS [367704 2013-07-31] (Symantec Corporation)
R0 SymEFA; C:\WINDOWS\System32\drivers\NAV\1506000.020\SYMEFA.SYS [936152 2014-03-03] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [142936 2013-10-07] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\NAV\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\NAV\1506000.020\SYMTDI.SYS [423256 2014-02-17] (Symantec Corporation)
S3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [122942 2004-05-20] (Intel Corporation)
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [99002 2004-05-20] (Intel Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 13:25 - 2015-01-13 13:25 - 00014886 _____ () C:\Documents and Settings\default\Desktop\FRST.txt
2015-01-13 12:23 - 2002-03-13 06:57 - 00024576 _____ (BackWeb) C:\Documents and Settings\default\Local Settings\TempIadHide3.dll
2015-01-13 12:09 - 2015-01-13 12:26 - 00000000 ____D () C:\Program Files\Unlocker
2015-01-13 12:09 - 2015-01-13 12:09 - 00000000 ____D () C:\Documents and Settings\default\Start Menu\Programs\Unlocker
2015-01-13 11:35 - 2015-01-13 11:35 - 00011449 _____ () C:\ComboFix.txt
2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\Ellie Wierson\Local Settings\temp
2015-01-13 11:35 - 2015-01-13 11:35 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2015-01-13 01:30 - 2015-01-13 13:25 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\temp
2015-01-12 12:58 - 2015-01-12 12:56 - 00000114 _____ () C:\Documents and Settings\default\My Documents\CFScript.txt
2015-01-12 11:20 - 2015-01-12 11:20 - 01115648 _____ (Farbar) C:\Documents and Settings\default\Desktop\frst.exe
2015-01-11 12:30 - 2015-01-11 12:29 - 00000409 _____ () C:\Documents and Settings\default\My Documents\fixlist.txt.don.txt
2015-01-11 12:23 - 2015-01-11 12:23 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-11 12:19 - 2015-01-11 12:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2015-01-10 19:33 - 2015-01-10 19:33 - 00000000 _____ () C:\Documents and Settings\default\defogger_reenable
2014-12-30 16:49 - 2014-12-30 16:49 - 00002347 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader XI.lnk
2014-12-30 16:49 - 2014-12-30 16:49 - 00001734 _____ () C:\Documents and Settings\All Users\Desktop\Adobe Reader XI.lnk
2014-12-30 16:48 - 2014-12-30 16:49 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-12-30 16:25 - 2014-12-30 16:25 - 00000000 _RSHD () C:\cmdcons
2014-12-30 16:25 - 2012-07-07 09:38 - 00000211 _____ () C:\Boot.bak
2014-12-30 16:25 - 2004-08-03 23:00 - 00260272 __RSH () C:\cmldr
2014-12-30 16:23 - 2015-01-13 11:35 - 00000000 ____D () C:\Qoobox
2014-12-30 16:23 - 2011-06-26 00:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-12-30 16:23 - 2010-11-07 11:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-12-30 16:23 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-12-30 16:23 - 2000-08-30 18:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-12-30 16:22 - 2014-12-30 16:29 - 00000000 ____D () C:\WINDOWS\erdnt
2014-12-30 13:49 - 2014-12-30 13:49 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-12-30 13:18 - 2015-01-11 12:21 - 00272296 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00176552 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-12-30 13:18 - 2015-01-11 12:21 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-12-30 13:18 - 2015-01-11 12:21 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-12-30 13:18 - 2014-12-30 13:18 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-12-30 13:17 - 2014-12-30 13:18 - 00004673 _____ () C:\WINDOWS\system32\jupdate-1.7.0_71-b14.log
2014-12-29 18:07 - 2015-01-13 13:24 - 00000000 ____D () C:\Documents and Settings\default\Desktop\Spyware removal
2014-12-29 16:04 - 2015-01-13 13:25 - 00000000 ____D () C:\FRST
2014-12-29 15:56 - 2014-12-29 15:56 - 00000000 ____D () C:\Documents and Settings\default\Start Menu\Programs\Citrix
2014-12-29 15:40 - 2014-12-29 15:56 - 00001219 _____ () C:\Documents and Settings\default\Desktop\GoToAssist Customer.lnk
2014-12-29 13:06 - 2015-01-10 19:44 - 00000000 ____D () C:\AdwCleaner
2014-12-29 10:06 - 2015-01-10 19:51 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-12-29 10:05 - 2014-12-30 14:29 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-12-29 10:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-29 10:05 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-12-29 10:05 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-12-26 19:05 - 2014-12-26 19:05 - 00065536 _____ () C:\WINDOWS\Minidump\Mini122614-01.dmp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 13:25 - 2012-05-01 13:38 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-13 13:16 - 2013-09-23 17:01 - 00000494 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2015-01-13 12:40 - 2012-05-04 12:20 - 00002341 _____ () C:\Documents and Settings\default\Desktop\WordPerfect.lnk
2015-01-13 12:32 - 2001-08-23 06:00 - 00012620 _____ () C:\WINDOWS\system32\wpa.dbl
2015-01-13 12:30 - 2007-08-08 12:32 - 01942697 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-13 12:29 - 2007-08-08 07:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-01-13 12:29 - 2007-08-08 07:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-01-13 12:28 - 2007-08-08 12:40 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-13 12:27 - 2007-08-08 12:41 - 00000178 ___SH () C:\Documents and Settings\default\ntuser.ini
2015-01-13 12:27 - 2007-08-08 12:40 - 00032542 _____ () C:\WINDOWS\SchedLgU.Txt
2015-01-13 12:12 - 2010-11-06 22:16 - 00001324 _____ () C:\WINDOWS\system32\d3d9caps.dat
2015-01-13 12:08 - 2007-08-08 12:42 - 00000000 ____D () C:\download
2015-01-13 11:35 - 2007-08-08 12:36 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2015-01-13 11:31 - 2001-08-23 06:00 - 00000227 _____ () C:\WINDOWS\system.ini
2015-01-13 01:13 - 2007-08-08 12:41 - 00000000 ____D () C:\Documents and Settings\default
2015-01-12 02:04 - 2007-08-08 14:48 - 00000000 ____D () C:\Program Files\Common Files\LightScribe
2015-01-11 12:29 - 2012-04-29 18:44 - 00000000 ____D () C:\Program Files\Java
2015-01-10 16:58 - 2012-05-01 13:38 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-10 16:58 - 2011-06-02 12:37 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-10 16:57 - 2010-01-03 18:22 - 00000000 ____D () C:\Documents and Settings\default\Local Settings\Application Data\Adobe
2014-12-30 16:52 - 2007-08-08 20:00 - 00002483 _____ () C:\Documents and Settings\default\Desktop\Microsoft Word.lnk
2014-12-30 16:48 - 2010-01-03 18:23 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe
2014-12-30 16:48 - 2007-08-08 13:12 - 00000000 ____D () C:\Program Files\Adobe
2014-12-30 16:25 - 2007-08-08 07:19 - 00000327 ___SH () C:\boot.ini
2014-12-30 15:34 - 2012-07-07 16:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB958644$
2014-12-30 07:52 - 2007-08-08 07:15 - 00000000 ____D () C:\WINDOWS\Help
2014-12-29 11:48 - 2012-07-07 16:52 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2478971$
2014-12-29 11:26 - 2012-05-01 12:33 - 00025992 ____C (Sysinternals - www.sysinternals.com) C:\WINDOWS\system32\pgdfgsvc.exe
2014-12-29 11:14 - 2010-01-03 15:50 - 00000667 ____C () C:\WINDOWS\pkzipw.INI
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Malwarebytes
2014-12-29 10:05 - 2014-02-17 10:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-12-29 10:04 - 2014-02-17 10:34 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-12-26 19:05 - 2013-10-20 06:42 - 00000000 ____D () C:\WINDOWS\Minidump
2014-12-26 19:05 - 2012-07-07 04:24 - 2036809728 _____ () C:\WINDOWS\MEMORY.DMP
2014-12-24 23:40 - 2013-09-16 17:16 - 00001742 _____ () C:\Documents and Settings\All Users\Desktop\HP Photo Creations.lnk
2014-12-24 23:40 - 2013-09-16 17:16 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HP Photo Creations
2014-12-17 16:15 - 2014-02-17 11:26 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-12-17 16:14 - 2014-12-13 16:35 - 00000000 ____D () C:\Program Files\Yahoo!
2014-12-17 16:12 - 2014-12-13 16:37 - 00000000 ____D () C:\Documents and Settings\default\Application Data\Yahoo!
2014-12-17 16:12 - 2012-11-09 23:11 - 00000000 ____D () C:\Program Files\Google
ZeroAccess:
C:\Documents and Settings\default\Local Settings\Application Data\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


Hi,

1. You can indeed run Defogger again and re-enable emulation.

2. Please press Windows Key + R.

In the dialog window, please type combofix /uninstall and press ENTER.

This will delete ComboFix and also its quarantined files, eventually infected system restore points and logfiles. Besides that it will also create a new system restore point.

All Clean!
Congratulations, your computer seems to be clean again! I don't see any more signs of malware on your system. I feel glad to tell you that we are done here! The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you might find useful.

Download DelFix and save the file to your Desktop.

  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.


-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + Delete).

==============================================================

I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.



The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (e.g. CryptoWall), helping prevent the execution of malware.
  • Malwarebytes' Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.



My help will always be free! However, if you're happy with the help provided and/or want to buy me a drink, you can consider a donation:

==============================================================

Please confirm if you have no outstanding issues, and are happy with the state of your computer. Also please tell me if you got any questions left regarding the removal process we went through and the information I gave you in this post.
