Author Topic: Trojan infection found

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Trojan infection found
« on: August 20, 2016, 11:32:54 PM »
My Windows XP PC, whose performance has been degrading for a while, has now finally been diagnosed by Malwarebytes with Trojan.FakeMS.ED infecting many files. It's pretty serious and I’d be hugely grateful for any help or advice you can offer. Here are some details:

Computer: Dell Optiplex GX620 , 10-year-old desktop
OS: Windows XP Pro SP3

Performance has been slow for some time, but not alarmingly so until recently. Because this is an old computer running an unsupported OS, I run hardware checks often and full malware scans every 3 - 4 days, with both MBAM and the Windows Malicious Software Removal Tool. I use MBAM Premium for real-time protection. The hardware continues to pass everything, and neither MBAM nor MSRT has ever found anything, until just now.

Within the last two weeks I’ve begun to see frequent Chrome failures (“Aw, snap!”), a few BSOD crashes, and quite a few premature program terminations with the Windows message box “[program] has encountered a problem and needs to close...". This includes MBAM and MSRT failures. Most recently MBAM, run in Safe Mode with no network connection, did complete a scan and found and quarantined many instances of Trojan.FakeMS.ED infection. MSRT in Safe Mode also reported 4 instances of infection while running but then hung with the “encountered a problem” message box before completion, so there was no identification of the infection.

I can provide the file locations of MBAM's infection reports if that's useful. I also have bugcheck information and memory dumps for the BSODs.  It's clear that not everything is quarantined, since the woes continue.

Attach.txt below has no entries for Event Viewer Messages From Past Week. In fact there are some relevant event logs, just over a week old.

_________________________      BEGIN ATTACH.TXT     __________________________________________

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 3/1/2006 3:23:21 PM
System Uptime: 8/20/2016 5:36:12 PM (0 hours ago)
.
Motherboard: Dell Inc.           |  | 0F8098
Processor:               Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 49 GiB total, 20.177 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 16 GiB total, 12.644 GiB free.
F: is FIXED (NTFS) - 10 GiB total, 9.065 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1437: 7/6/2016 9:20:46 PM - System Checkpoint
RP1438: 7/8/2016 6:22:32 PM - System Checkpoint
RP1439: 7/9/2016 7:19:00 PM - System Checkpoint
RP1440: 7/12/2016 4:09:15 PM - System Checkpoint
RP1441: 7/22/2016 1:27:01 PM - System Checkpoint
RP1442: 7/22/2016 3:51:39 PM - Software Distribution Service 3.0
RP1443: 7/23/2016 5:55:46 PM - System Checkpoint
RP1444: 7/24/2016 6:30:09 PM - System Checkpoint
RP1445: 7/25/2016 9:21:55 PM - System Checkpoint
RP1446: 7/27/2016 3:28:29 AM - System Checkpoint
RP1447: 7/28/2016 6:07:00 PM - System Checkpoint
RP1448: 7/29/2016 6:21:43 PM - System Checkpoint
RP1449: 7/30/2016 6:51:22 PM - System Checkpoint
RP1450: 7/31/2016 8:44:45 PM - System Checkpoint
RP1451: 8/1/2016 11:53:25 PM - System Checkpoint
RP1452: 8/3/2016 6:33:18 PM - System Checkpoint
RP1453: 8/4/2016 7:08:41 PM - System Checkpoint
RP1454: 8/5/2016 7:36:50 PM - System Checkpoint
RP1455: 8/6/2016 8:58:59 PM - System Checkpoint
RP1456: 8/6/2016 11:57:34 PM - Before correction attempts, Chrome crash & BSOD problems
RP1457: 8/8/2016 5:19:45 PM - System Checkpoint
RP1458: 8/9/2016 1:46:52 AM - Before CCleaner update to v. 520
RP1459: 8/9/2016 2:32:05 AM - Revo Uninstaller's restore point - System Checkup 3.5
RP1460: 8/9/2016 2:39:08 AM - Revo Uninstaller's restore point - System Checkup 3.5
RP1461: 8/9/2016 4:10:06 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
==== Event Viewer Messages From Past Week ========
.
.
==== End Of File ===========================


_________________________      BEGIN DDS.TXT     __________________________________________

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.67.2 
Run by db at 17:45:26 on 2016-08-20
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.678 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BlueSoleil\BlueSoleilCS.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\BlueSoleil\BtTray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\BlueSoleil\BsHelpCS.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://forecast.weather.gov/MapClick.php?lat=33.5800169587903&lon=-111.97540283203125&site=vef&smap=1&unit=0&lg=en&FcstType=text
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.1852\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [BtTray] "c:\program files\bluesoleil\BtTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BootSkin Startup Jobs] "c:\program files\stardock\wincustomize\bootskin\BootSkin.exe" /StartupJobs
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoViewOnDrive = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: dell.com
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///D:/LTOCX14N.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/B/0/6/B06D48C0-917B-44E2-92E0-6B3E159624A6/wmv9vcm.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://www.fcd.maricopa.gov/maps/gismaps/plugin/mgaxctrl6.5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346731156546
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} - hxxps://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup161.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{F50BB614-6FBE-4DCA-AE1F-62F82B425FAE} : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\windows\system32\skype4com.dll
Notify: AutorunsDisabled - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\49.0.2623.112\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
ShellExec: ntbackup.exe: Open=c:\windows\system32\ntbackup.exe
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
.
============= FINISH: 17:46:30.10 ===============

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 444
Re: Trojan infection found
« Reply #1 on: August 21, 2016, 04:46:29 AM »

Hello SpeedBrophy,

I am Platypuss, I will be helping you with your problem.
Before we begin, please follow my simple rules:-
  • If you do not understand any instructions, Stop & Ask; do not risk creating further problems.
  • Please do not run any tools unless instructed to do so because it may well cause unforeseen damage to your machine.
  • It may help you to print out my instructions, so that mistakes are not made.
  • I am a trainee here but my instructions are checked by my mentor; there may be some delay but you will get a high quality of service.
  • Malware removal is frequently complex; it takes time to analyse logs, please be patient.
  • I will advise you as soon as your computer is clean; until then it may still be infected!
  • While I am examining your log please do the following:-

Change Downloads to Desktop
How to change your download location to Desktop HERE
This will simplify the use of tools that we will be using.

>>>>>>>>>>>>>>>

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File).
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located on the Desktop, alongside FRST.exe).
    Please also paste that together with the FRST.txt into your reply.
Regarding the MBAM scan that you ran in Safe Mode. I would like the complete log too please.
Thank you for the detailed information, very good.

Platypuss



Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #2 on: August 21, 2016, 06:25:59 PM »
Thanks, Platypuss, for your virtually immediate reply. Wow!

I'll get busy on the Farbar Recovery tool, but meanwhile I do have this question:
If there is indeed a trojan infection, is it prudent to avoid networking the affected computer as much as possible? That's what I did for my first communication: downloaded dds.com on a second computer, copied the download to a thumb drive, then copied from the thumb drive to the desktop of the affected computer and ran it, with networking on the affected computer disabled immediately upon bootup. I could continue to do this, and will unless you tell me it's overkill.
 
About dds.com: the .txt files I posted looked very skimpy. Nothing listed for installed programs, or event viewer logs, or running services. Let me know if this is an error. The program did seem to run normally.

No need for you to reply to this note now unless I've done something mistaken.

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #3 on: August 22, 2016, 12:14:20 AM »
Hello Platypuss,

Here are the .txt files from the FRST tool. I ran it in normal Windows, with no network connection.

I recognize a few things about the files which might be helpful:

FRST.TXT -
All the [No File] entries are actually for files that were put in quarantine by MBAM.

ADDITION.TXT -
Event Log Application Errors: Many of these I recognize as programs that terminated with the Windows "... encountered a problem and needs to close" message.
System Errors: Those from 8/21 are either because networking was disabled or because I rebooted once into Safe Mode. That was to recover from a blue screen crash, which happened because I blindly clicked on the shortcut to a program that was under quarantine. Oops.

You asked for the MBAM log of the scan that found Trojan.FakeMS.ED and quarantined files. I have it, but MBAM's "exported" (= saved to .xml file) files are useless; no actual file list. Likewise, the contents of MBAM's quarantine folder are equally undescriptive. What I do have is a screen capture from within MBAM, which does give the names and paths of the quarantined files. I can easily send you that (as a .jpg) if you'll tell me the best way.
_________________________________________________________________________________________________

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21-08-2016 01
Ran by db (21-08-2016 19:12:19)
Running from C:\Documents and Settings\db\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) (2006-03-01 22:23:21)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1953364783-748760771-531774410-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1953364783-748760771-531774410-1006 - Limited - Enabled)
db (S-1-5-21-1953364783-748760771-531774410-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\db
Guest (S-1-5-21-1953364783-748760771-531774410-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1953364783-748760771-531774410-1004 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1953364783-748760771-531774410-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Abacast Client (HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Abacast Client) (Version: 2.0 - Abacast, Inc.)
Acronis True Image Home (HKLM\...\{67ED38A3-4882-448B-B44D-3428AB00D7D5}) (Version: 13.0.7160 - Acronis)
Across Lite (HKLM\...\Across Lite) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Download Manager 2.0 (Remove Only) (HKLM\...\AdobeESD) (Version: 2.0 - )
Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.02) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.02 - Adobe Systems Incorporated)
Adobe Shockwave Player 11 (HKLM\...\Adobe Shockwave Player) (Version: 11 - Adobe Systems, Inc.)
Advertising Center (Version: 0.0.0.2 - Nero AG) Hidden
Amazon MP3 Downloader 1.0.12 (HKLM\...\Amazon MP3 Downloader) (Version: 1.0.12 - Amazon Services LLC)
Apple Application Support (HKLM\...\{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ASUS nVidia Driver (Version: 1.00.0000 - ASUSTek) Hidden
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version:  - )
Bluesoleil 5.4.277.0 (HKLM\...\{25887983-54F3-4F55-A7C5-91229AD67C16}) (Version: 5.4.277.0 - IVT Corporation)
Bonjour (HKLM\...\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}) (Version: 1.0.105 - Apple Inc.)
BootSkin (HKLM\...\BootSkin) (Version:  - )
Broadcom Advanced Control Suite (HKLM\...\{058B32E2-6310-4359-B2D4-1988390C3B83}) (Version: 8.20.01 - Broadcom Corporation)
Canon IJ Network Scanner Selector EX (HKLM\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - )
Canon IJ Network Tool (HKLM\...\Canon_IJ_Network_UTILITY) (Version:  - )
Canon MX890 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX890_series) (Version:  - )
Canon MX890 series On-screen Manual (HKLM\...\Canon MX890 series On-screen Manual) (Version:  - )
Canon My Printer (HKLM\...\CanonMyPrinter) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 5.20 - Piriform)
CheckIt  Diagnostics (HKLM\...\CheckIt  Diagnostics) (Version: 7.1 - Smith Micro Software, Inc.)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.3.6817.133 - Dell)
Dell System Detect (HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\58d94f3ce2c27db0) (Version: 7.6.0.17 - Dell)
Desktop Restore (HKLM\...\{03B48041-B2CD-476A-87D6-79D0488559A2}) (Version: 1.6.2 - JOConnell)
EasyCleaner (HKLM\...\{F5346614-B7C4-4E94-826A-E2363155233D}) (Version: 2.0.6.380 - ToniArts)
FlexPDE (HKLM\...\FlexPDE) (Version:  - )
Freemake Video Converter version 4.1.3 (HKLM\...\Freemake Video Converter_is1) (Version: 4.1.3 - Ellora Assets Corporation)
Google Chrome (HKLM\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Drive (HKLM\...\{459CE109-4E46-4340-92BC-054642BC3BC2}) (Version: 1.31.2873.2758 - Google, Inc.)
Google Earth (HKLM\...\{468D22C0-8080-11E2-B86E-B8AC6F98CCE3}) (Version: 7.0.3.8542 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.30.3 - Google Inc.) Hidden
Google Updater (HKLM\...\Google Updater) (Version: 2.3.1334.1308 - Google Inc.)
GPL Ghostscript (HKLM\...\GPL Ghostscript 9.05) (Version: 9.05 - Artifex Software Inc.)
Hanso Burner (HKLM\...\Hanso Burner) (Version: 1.9.0.0 - HansoTools LLC)
HiJackThis (HKLM\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
ImagXpress (Version: 7.0.74.0 - Nero AG) Hidden
Intel(R) Graphics Media Accelerator Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: 6.14.10.4543 - )
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.38 - Irfan Skiljan)
ISO Recorder (HKLM\...\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}) (Version: 2.0.0 - Alex Feinman)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
LightScribe System Software (HKLM\...\{2FA75B40-17C9-4D22-88CA-80A5D52FAB13}) (Version: 1.18.24.1 - LightScribe)
Logitech Unifying Software 2.50 (HKLM\...\Logitech Unifying) (Version: 2.50.25 - Logitech)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mathcad 13 (HKLM\...\{E8334783-E2F9-4CA6-86F8-090051418F09}) (Version: 13.1.3.0 - Mathsoft)
MathType 5 (HKLM\...\DSMT5) (Version: 5.2 - Design Science, Inc.)
Menu Templates - Starter Kit (Version: 9.6.0.0 - Nero AG) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Excel 97 (HKLM\...\Excel) (Version:  - )
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MotoHelper MergeModules (Version: 1.2.0 - Motorola) Hidden
Movie Templates - Starter Kit (Version: 9.6.0.0 - Nero AG) Hidden
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB954459) (HKLM\...\{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}) (Version: 6.20.1099.0 - Microsoft Corporation)
Nero 9 Essentials (HKLM\...\{ed616151-5e34-49af-9f3e-64e8016d600b}) (Version:  - Nero AG)
NETGEAR Genie (HKLM\...\NETGEAR Genie) (Version: 2.4.18.00 - NETGEAR Inc.)
NirSoft BlueScreenView (HKLM\...\NirSoft BlueScreenView) (Version:  - )
NVIDIA Graphics Driver 320.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 320.49 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.24.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.24.2 - NVIDIA Corporation)
NVIDIA nView 140.62 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 140.62 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.0604 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0604 - NVIDIA Corporation)
PowerDVD 5.9 (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version:  - )
Quick View Plus (HKLM\...\QVP) (Version:  - )
QuickTime (HKLM\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
RealDownloader (Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM\...\RealPlayer 16.0) (Version: 16.0.3 - RealNetworks)
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
SafeCast Shared Components (HKLM\...\CdaC13Ba) (Version:  - Macrovision)
SeaTools for Windows (HKLM\...\{98613C99-1399-416C-A07C-1EE1C585D872}) (Version: 1.2.0.5 - Seagate Technology)
SereneScreen Marine Aquarium 2 (HKLM\...\SereneScreen Marine Aquarium 2_is1) (Version: 2.0 - Prolific Publishing, Inc.)
SereneScreen Marine Aquarium 2.6 (HKLM\...\SereneScreen Marine Aquarium 2.6_is1) (Version: 2.6 - Prolific Publishing, Inc.)
Shockwave (HKLM\...\Shockwave) (Version:  - )
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.12.01.5246 - Analog Devices)
Spotify (HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Spotify) (Version: 0.9.15.27.g87efe634 - Spotify AB)
SyncBack (HKLM\...\SyncBack_is1) (Version:  - 2BrightSparks)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows 7 Upgrade Advisor (HKLM\...\{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}) (Version: 2.0.5000.0 - Microsoft Corporation)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0036.0 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Resource Kit Tools - SubInAcl.exe (HKLM\...\{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}) (Version: 5.2.3790.1164 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WordPerfect Office 11 (HKLM\...\{54F90B55-BEB3-4F0D-8802-228822FA5921}) (Version: 11.0 - Corel Corporation)
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\PCDDataUploadTask.job => C:\Program Files\Dell\SupportAssist\uaclauncher.exe
Task: C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\Dell\SupportAssist\uaclauncher.exeq-backgroundmon scripts\backgroundmon.xml
Task: C:\WINDOWS\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-1953364783-748760771-531774410-1005.job => C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
Task: C:\WINDOWS\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-1953364783-748760771-531774410-1005.job => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-1953364783-748760771-531774410-1005.job => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1953364783-748760771-531774410-1005.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1953364783-748760771-531774410-1005.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
Task: C:\WINDOWS\Tasks\shutdown.job => C:\WINDOWS\system32\shutdown.exe
Task: C:\WINDOWS\Tasks\SystemToolsDailyTest.job => C:\Program Files\Dell\SupportAssist\uaclauncher.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\EasyCleaner\The Web\EasyCleaner home.lnk -> hxxp://personal.inet.fi/business/toniarts/ecleane.htm
Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\EasyCleaner\The Web\ToniArts.lnk -> hxxp://personal.inet.fi/business/toniarts

ShortcutWithArgument: C:\Documents and Settings\db\Application Data\Microsoft\Internet Explorer\Email\Gmail.lnk -> C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.) ->  --profile-directory=Default --app-id=pjkljhegncpnkpknbcohdijeoejaedia

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\dell.com -> dell.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-11 15:00 - 2011-10-14 17:15 - 00000021 _RASH C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1953364783-748760771-531774410-1005\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\db\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: Media is not connected to internet.
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk =>
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk => C:\WINDOWS\pss\Windows Search.lnkCommon Startup
MSCONFIG\startupreg: Acronis Scheduler2 Service => "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: CanonMyPrinter => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
MSCONFIG\startupreg: DVDLauncher => "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
MSCONFIG\startupreg: GoogleChromeAutoLaunch_7D53805D9F3E24B82C0C4DBCC5037007 => "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window
MSCONFIG\startupreg: GoogleDriveSync => "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart
MSCONFIG\startupreg: igfxhkcmd => C:\WINDOWS\system32\hkcmd.exe
MSCONFIG\startupreg: igfxpers => C:\WINDOWS\system32\igfxpers.exe
MSCONFIG\startupreg: igfxtray => C:\WINDOWS\system32\igfxtray.exe
MSCONFIG\startupreg: IJNetworkScannerSelectorEX => C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe /FORCE
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: LightScribe Control Panel => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
MSCONFIG\startupreg: MP10_EnsureFileVer => C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: NETGEARGenie => "C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe" -mini -redirect
MSCONFIG\startupreg: NvCplDaemon => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
MSCONFIG\startupreg: NvMediaCenter => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
MSCONFIG\startupreg: nwiz => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
MSCONFIG\startupreg: Persistence => C:\WINDOWS\system32\igfxpers.exe
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: TkBellExe => "C:\program files\real\realplayer\update\realsched.exe"  -osboot
MSCONFIG\startupreg: TrueImageMonitor.exe => C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
MSCONFIG\startupreg: WMPNSCFG => C:\Program Files\Windows Media Player\WMPNSCFG.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Abacast\Abaclient.exe] => Enabled:Abaclient
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\usmt\migwiz.exe] => Enabled:Files and Settings Transfer Wizard
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\db\Local Settings\Application Data\Abacast\Abaclient.exe] => Enabled:Abaclient
StandardProfile\AuthorizedApplications: [C:\Program Files\Bonjour\mDNSResponder.exe] => Enabled:Bonjour
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\fxsclnt.exe] => Disabled:Microsoft  Fax Console
StandardProfile\AuthorizedApplications: [C:\Program Files\Motorola\Software Update\msu.exe] => Enabled:msu
StandardProfile\AuthorizedApplications: [C:\Program Files\Internet Explorer\iexplore.exe] => Enabled:Internet Explorer
StandardProfile\AuthorizedApplications: [C:\Program Files\Real\RealPlayer\realplay.exe] => Enabled:RealPlayer
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\mmc.exe] => Disabled:Microsoft Management Console
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe] => Enabled:WebKit
StandardProfile\AuthorizedApplications: [C:\Program Files\BlueSoleil\BlueSoleilCS.exe] => Enabled:BlueSoleilCS
StandardProfile\AuthorizedApplications: [C:\Program Files\NETGEAR Genie\bin\NETGEARGenie.exe] => Enabled:NETGEARGenie
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\dxdiag.exe] => Enabled:Microsoft DirectX Diagnostic Tool
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\db\Application Data\Spotify\spotify.exe] => Enabled:Spotify
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\rundll32.exe] => Enabled:Run a DLL as an App
StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\dpvsetup.exe] => Enabled:Microsoft DirectPlay Voice Test
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
DomainProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
DomainProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
DomainProfile\GloballyOpenPorts: [10243:TCP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10280:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10281:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10282:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10283:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
DomainProfile\GloballyOpenPorts: [10284:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [67:UDP] => Enabled:DHCP Discovery Service
StandardProfile\GloballyOpenPorts: [12345:TCP] => Enabled:Motorola Helper
StandardProfile\GloballyOpenPorts: [10243:TCP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10280:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10281:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10282:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10283:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service
StandardProfile\GloballyOpenPorts: [10284:UDP] => :LocalSubNet:Enabled:Windows Media Player Network Sharing Service

==================== Restore Points =========================

06-07-2016 21:20:46 System Checkpoint
08-07-2016 18:22:32 System Checkpoint
09-07-2016 19:19:00 System Checkpoint
12-07-2016 16:09:15 System Checkpoint
22-07-2016 13:27:01 System Checkpoint
22-07-2016 15:51:39 Software Distribution Service 3.0
23-07-2016 17:55:46 System Checkpoint
24-07-2016 18:30:09 System Checkpoint
25-07-2016 21:21:55 System Checkpoint
27-07-2016 03:28:29 System Checkpoint
28-07-2016 18:07:00 System Checkpoint
29-07-2016 18:21:43 System Checkpoint
30-07-2016 18:51:22 System Checkpoint
31-07-2016 20:44:45 System Checkpoint
01-08-2016 23:53:25 System Checkpoint
03-08-2016 18:33:18 System Checkpoint
04-08-2016 19:08:41 System Checkpoint
05-08-2016 19:36:50 System Checkpoint
06-08-2016 20:58:59 System Checkpoint
06-08-2016 23:57:34 Before correction attempts, Chrome crash & BSOD problems
08-08-2016 17:19:45 System Checkpoint
09-08-2016 01:46:52 Before CCleaner update to v. 520
09-08-2016 02:32:05 Revo Uninstaller's restore point - System Checkup 3.5
09-08-2016 02:39:08 Revo Uninstaller's restore point - System Checkup 3.5
09-08-2016 16:10:06 Software Distribution Service 3.0

==================== Faulty Device Manager Devices =============

Name: Broadcom NetXtreme 57xx Gigabit Controller
Description: Broadcom NetXtreme 57xx Gigabit Controller
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Broadcom
Service: b57w2k
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/15/2016 02:31:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application mbam.exe, version 2.3.173.0, faulting module mbamcore.dll, version 1.3.24.0, fault address 0x000637d2.
Processing media-specific event for [mbam.exe!ws!]

Error: (08/15/2016 02:26:52 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application i_view32.exe, version 4.3.8.0, faulting module i_view32.exe, version 4.3.8.0, fault address 0x0019a9e4.
Processing media-specific event for [i_view32.exe!ws!]

Error: (08/15/2016 02:23:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application i_view32.exe, version 4.3.8.0, faulting module i_view32.exe, version 4.3.8.0, fault address 0x000b7118.
Processing media-specific event for [i_view32.exe!ws!]

Error: (08/15/2016 02:05:11 PM) (Source: Winlogon) (EventID: 1015) (User: )
Description: A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005.  The machine
must now be restarted.

Error: (08/09/2016 05:13:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application mrt.exe, version 5.39.12900.0, faulting module unknown, version 0.0.0.0, fault address 0x000001c8.
Processing media-specific event for [mrt.exe!ws!]

Error: (08/08/2016 12:25:48 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application trueimage.exe, version 13.0.0.7160, faulting module trueimage.exe, version 13.0.0.7160, fault address 0x00046f81.
Processing media-specific event for [trueimage.exe!ws!]

Error: (08/08/2016 12:24:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application trueimage.exe, version 13.0.0.7160, faulting module trueimage.exe, version 13.0.0.7160, fault address 0x00046289.
Processing media-specific event for [trueimage.exe!ws!]

Error: (08/07/2016 11:09:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application mrt.exe, version 5.38.12803.0, faulting module unknown, version 0.0.0.0, fault address 0xf66af946.
Processing media-specific event for [mrt.exe!ws!]

Error: (08/06/2016 04:07:02 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application everything.exe, version 1.3.2.649, faulting module everything.exe, version 1.3.2.649, fault address 0x0004d1be.
Processing media-specific event for [everything.exe!ws!]

Error: (08/04/2016 06:08:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application wordpad.exe, version 5.1.2600.6010, faulting module msftedit.dll, version 5.41.15.1515, fault address 0x00039be5.
Processing media-specific event for [wordpad.exe!ws!]


System errors:
=============
Error: (08/21/2016 06:51:16 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (08/21/2016 06:50:42 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The HID Input Service service terminated with the following error:
%%2 = The system cannot find the file specified.

Error: (08/21/2016 06:49:49 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/21/2016 06:46:02 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
BtHidBus
Fips
intelppm
IPSec
MpFilter
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Error: (08/21/2016 06:46:02 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31 = A device attached to the system is not functioning.

Error: (08/21/2016 06:46:02 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31 = A device attached to the system is not functioning.

Error: (08/21/2016 06:46:02 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31 = A device attached to the system is not functioning.

Error: (08/21/2016 06:45:18 PM) (Source: DCOM) (EventID: 10005) (User: SPANIEL-REDUX)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error: (08/21/2016 06:45:15 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/21/2016 06:20:08 PM) (Source: 0) (EventID: 55) (User: )
Description: C:


==================== Memory info ===========================

Processor:  Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of memory in use: 56%
Total physical RAM: 1022.07 MB
Available physical RAM: 449.62 MB
Total Virtual: 2957.07 MB
Available Virtual: 2546.74 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:49.07 GB) (Free:20.03 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive e: (DATA) (Fixed) (Total:15.63 GB) (Free:12.64 GB) NTFS
Drive f: (BACKUP) (Fixed) (Total:9.77 GB) (Free:9.06 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=49.1 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=25.4 GB) - (Type=05)

==================== End of Addition.txt ============================

________________________________________________________________________________________________

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2016 01
Ran by db (administrator) on SPANIEL-REDUX (21-08-2016 19:11:04)
Running from C:\Documents and Settings\db\Desktop
Loaded Profiles: db (Available Profiles: db & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IVT Corporation) C:\Program Files\BlueSoleil\BlueSoleilCS.exe
(Macrovision) C:\WINDOWS\system32\drivers\CDAC11BA.EXE
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Microsoft Corp., Veritas Software) C:\WINDOWS\system32\dmadmin.exe
(IVT Corporation) C:\Program Files\BlueSoleil\BtTray.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(IVT Corporation) C:\Program Files\BlueSoleil\BsHelpCS.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [BtTray] => C:\Program Files\BlueSoleil\BtTray.exe [315478 2009-09-02] (IVT Corporation)
HKLM\...\Run: [NvCplDaemon] => C:\WINDOWS\system32\NvCpl.dll [15677728 2013-06-21] (NVIDIA Corporation)
HKLM\...\Run: [BootSkin Startup Jobs] => C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe [270336 2004-04-26] ()
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\AutorunsDisabled:
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoStrCmpLogical] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoDriveAutoRun] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {6501fe54-331d-11e0-a976-0014222e7d4a} - H:\setup.exe -a
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {ab542ec4-1bc2-11e2-bf6f-0014222e7d4a} - G:\setup.exe -a
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [9216 2008-04-13] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll No File

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://forecast.weather.gov/MapClick.php?lat=33.5800169587903&lon=-111.97540283203125&site=vef&smap=1&unit=0&lg=en&FcstType=text
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-08-05] (Oracle Corporation)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll [2008-09-17] (Google Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-08-05] (Oracle Corporation)
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} file:///D:/LTOCX14N.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/B/0/6/B06D48C0-917B-44E2-92E0-6B3E159624A6/wmv9vcm.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} hxxp://www.fcd.maricopa.gov/maps/gismaps/plugin/mgaxctrl6.5.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} hxxps://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} hxxp://download.abacast.com/download/files/abasetup161.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll [2007-08-27] (Skype Technologies)

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [No File]
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [No File]
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @pack.google.com/Google Updater;version=13 -> C:\Program Files\Google\Google Updater\2.3.1334.1308\npCIDetect13.dll [No File]
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll [No File]
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [No File]
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [No File]
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [No File]
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll [No File]
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [No File]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-02] [not signed]
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext => not found
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-11] [not signed]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext

Chrome:
=======
CHR HomePage: Default -> hxxp://forecast.weather.gov/MapClick.php?lat=33.5800169587903&lon=-111.97540283203125&site=vef&smap=1&unit=0&lg=en&FcstType=text
CHR StartupUrls: Default -> "hxxp://forecast.weather.gov/MapClick.php?lat=33.576&lon=-111.977&site=vef&smap=1&unit=0&lg=en&FcstType=text#.V1C4rtQrJhE"
CHR Profile: C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-30]
CHR Extension: (Google Docs) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-30]
CHR Extension: (Google Drive) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-20]
CHR Extension: (YouTube) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Google Sheets) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-30]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-14]
CHR Extension: (RealDownloader) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2015-04-30]
CHR Extension: (Freemake Video Converter) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj [2015-04-30]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Gmail) - C:\Documents and Settings\db\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-30]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [jbolfgndggfhhpbnkgnpjkfhinclbigj] - C:\Program Files\Freemake\Freemake Video Converter\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx [2014-02-10]
CHR HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [763816 2011-01-28] (Acronis)
S3 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3246040 2012-08-06] (Acronis)
R2 BlueSoleilCS; C:\Program Files\BlueSoleil\BlueSoleilCS.exe [1466476 2009-09-02] (IVT Corporation) [File not signed]
R3 BsHelpCS; C:\Program Files\BlueSoleil\BsHelpCS.exe [102503 2009-09-02] (IVT Corporation) [File not signed]
R2 C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [54784 2006-10-30] (Macrovision) [File not signed]
S2 HidServ; C:\WINDOWS\System32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
S4 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S3 Imapi Helper; C:\Program Files\ISO Recorder\ImapiHelper.exe [163840 2006-01-05] (Alex Feinman) [File not signed]
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-05] (Oracle Corporation)
S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2011-06-20] (Hewlett-Packard Company) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S4 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S4 NETGEARGenieDaemon; C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [195840 2015-08-26] (NETGEAR)
S4 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S4 Acrjong; no ImagePath
S4 Hkmsmodmid; no ImagePath
S4 Ksrjobunewhe; no ImagePath
S4 Nlatmoacd; no ImagePath

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 BCMNTIO; C:\Program Files\CheckIt\Diagnostics\BCMNTIO.SYS [3744 2004-03-05] () [File not signed]
S3 BlueletAudio; C:\WINDOWS\System32\DRIVERS\blueletaudio.sys [33800 2009-06-17] (IVT Corporation.)
S0 BootScreen; C:\WINDOWS\System32\drivers\vidstub.sys [164608 2016-02-11] () [File not signed]
S3 BT; C:\WINDOWS\System32\DRIVERS\btnetdrv.sys [14088 2009-06-17] (IVT Corporation.)
S3 Btcsrusb; C:\WINDOWS\System32\Drivers\btcusb.sys [39304 2009-07-08] (IVT Corporation.)
R0 BtHidBus; C:\WINDOWS\System32\Drivers\BtHidBus.sys [20744 2009-06-17] (IVT Corporation.)
R3 btnetBUs; C:\WINDOWS\System32\Drivers\btnetBus.sys [29192 2009-06-17] ()
R2 CdaC15BA; C:\WINDOWS\system32\drivers\CdaC15BA.SYS [12464 2006-10-30] (Macrovision Europe Ltd) [File not signed]
S3 GKUPRO2D; C:\WINDOWS\System32\Drivers\GKUPRO2D.sys [62048 2004-07-16] (Gemplus)
R3 IvtBtBUs; C:\WINDOWS\System32\Drivers\IvtBtBus.sys [25480 2009-06-17] (IVT Corporation.)
R2 MAPMEM; C:\Program Files\CheckIt\Diagnostics\MAPMEM.SYS [3904 2004-03-05] () [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2016-08-21] (Malwarebytes)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R2 NPF; C:\WINDOWS\system32\drivers\npf.sys [35088 2016-02-03] (CACE Technologies, Inc.)
R3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [128672 2013-02-24] (NVIDIA Corporation)
S4 Ospdpswmorm; C:\WINDOWS\system32\drivers\i8042prt.sys [52480 2008-04-13] (Microsoft Corporation)
R2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2006-09-27] (Symantec Corporation)
R2 tifsfilter; C:\WINDOWS\System32\DRIVERS\tifsfilt.sys [44384 2010-07-04] (Acronis)
S3 VComm; C:\WINDOWS\System32\DRIVERS\VComm.sys [14856 2009-06-17] (IVT Corporation.)
R3 VcommMgr; C:\WINDOWS\System32\Drivers\VcommMgr.sys [32392 2009-06-17] (IVT Corporation.)
S4 btaudio; system32\drivers\btaudio.sys [X]
S4 BTCFilterService; system32\DRIVERS\motfilt.sys [X]
S4 BTDriver; system32\DRIVERS\btport.sys [X]
S4 BTWDNDIS; system32\DRIVERS\btwdndis.sys [X]
S4 btwhid; system32\DRIVERS\btwhid.sys [X]
S4 BTWUSB; System32\Drivers\btwusb.sys [X]
S4 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [X]
S4 motccgp; system32\DRIVERS\motccgp.sys [X]
S4 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S4 MotDev; system32\DRIVERS\motodrv.sys [X]
S4 motmodem; system32\DRIVERS\motmodem.sys [X]
S4 MotoSwitchService; system32\DRIVERS\motswch.sys [X]
S4 Motousbnet; system32\DRIVERS\Motousbnet.sys [X]
S4 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-21 19:11 - 2016-08-21 19:11 - 00019306 _____ C:\Documents and Settings\db\Desktop\FRST.txt
2016-08-21 19:10 - 2016-08-21 19:03 - 01746432 _____ (Farbar) C:\Documents and Settings\db\Desktop\FRST.exe
2016-08-21 18:54 - 2016-08-21 19:11 - 00000000 ____D C:\FRST
2016-08-21 18:45 - 2016-08-21 18:46 - 00000000 ____D C:\Documents and Settings\db\Desktop\SpyHammer
2016-08-21 18:44 - 2016-08-21 18:44 - 00090112 _____ C:\WINDOWS\Minidump\Mini082116-01.dmp
2016-08-20 17:55 - 2016-08-20 17:55 - 00000104 _____ C:\Documents and Settings\db\Desktop\README DAVE.txt
2016-08-15 14:06 - 2016-08-21 18:44 - 00263918 _____ C:\WINDOWS\ntbtlog.txt
2016-08-11 12:57 - 2016-08-11 12:57 - 00005746 _____ C:\Documents and Settings\db\My Documents\Glacier.theme
2016-08-09 01:35 - 2016-08-09 01:34 - 00065536 _____ C:\WINDOWS\Minidump\Mini080916-01.dmp
2016-08-07 23:02 - 2016-08-07 23:02 - 00065536 _____ C:\WINDOWS\Minidump\Mini080716-04.dmp
2016-08-07 20:42 - 2016-08-07 20:42 - 00065536 _____ C:\WINDOWS\Minidump\Mini080716-03.dmp
2016-08-07 19:31 - 2016-08-07 16:50 - 135458739 ____N C:\Documents and Settings\db\Desktop\VID_20160807_164946460.mp4
2016-08-07 15:39 - 2016-08-07 15:39 - 00090112 _____ C:\WINDOWS\Minidump\Mini080716-02.dmp
2016-08-07 12:12 - 2016-08-07 12:12 - 00000564 _____ C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job
2016-08-07 12:12 - 2016-08-07 12:12 - 00000502 _____ C:\WINDOWS\Tasks\SystemToolsDailyTest.job
2016-08-07 12:12 - 2016-08-07 12:12 - 00000478 _____ C:\WINDOWS\Tasks\PCDDataUploadTask.job
2016-08-07 12:12 - 2016-08-07 12:12 - 00000000 ____D C:\Program Files\Dell Support Center
2016-08-07 00:45 - 2016-08-07 00:45 - 00065536 _____ C:\WINDOWS\Minidump\Mini080716-01.dmp
2016-08-06 19:16 - 2016-08-06 19:16 - 00065536 _____ C:\WINDOWS\Minidump\Mini080616-01.dmp
2016-08-04 18:15 - 2016-08-04 18:15 - 00000000 ____D C:\Program Files\NirSoft
2016-08-04 18:15 - 2016-08-04 18:15 - 00000000 ____D C:\Documents and Settings\db\Start Menu\Programs\BSOD Viewer
2016-08-03 23:39 - 2016-08-03 23:38 - 00065536 _____ C:\WINDOWS\Minidump\Mini080316-01.dmp
2016-08-02 23:31 - 2016-08-21 18:50 - 00000272 _____ C:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1953364783-748760771-531774410-1005.job
2016-08-02 23:31 - 2016-08-07 20:43 - 00000280 _____ C:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1953364783-748760771-531774410-1005.job
2016-07-28 17:32 - 2016-07-28 17:32 - 07065600 _____ C:\Program Files\GUT17.tmp
2016-07-28 17:32 - 2016-07-28 17:32 - 00000000 ____D C:\Program Files\GUM16.tmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-21 19:11 - 2006-03-01 15:23 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Temp
2016-08-21 18:54 - 2004-08-11 15:20 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2016-08-21 18:54 - 2004-08-11 15:20 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2016-08-21 18:51 - 2015-10-15 00:30 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-21 18:50 - 2016-02-12 00:58 - 00005264 _____ C:\WINDOWS\system32\nvAppTimestamps
2016-08-21 18:50 - 2009-09-07 15:42 - 00000983 _____ C:\WINDOWS\system32\bscs.ini
2016-08-21 18:50 - 2004-08-11 15:20 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-21 18:50 - 2004-08-11 15:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2016-08-21 18:49 - 2006-03-01 15:23 - 00000178 ___SH C:\Documents and Settings\db\ntuser.ini
2016-08-21 17:49 - 2004-08-11 15:20 - 00032462 _____ C:\WINDOWS\SchedLgU.Txt
2016-08-21 16:10 - 2012-08-27 16:28 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive
2016-08-20 17:59 - 2010-02-27 00:28 - 00000000 ____D C:\Program Files\Desktop Restore
2016-08-20 17:59 - 2010-02-27 00:28 - 00000000 ____D C:\Documents and Settings\db\Start Menu\Programs\Desktop Restore
2016-08-15 14:04 - 2009-03-10 09:57 - 00000000 ____D C:\Program Files\Bonjour
2016-08-11 13:34 - 2015-08-25 17:28 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Application Data\Spotify
2016-08-11 13:34 - 2015-08-25 17:28 - 00000000 ____D C:\Documents and Settings\db\Application Data\Spotify
2016-08-11 13:08 - 2008-09-16 16:35 - 00000000 ____D C:\Documents and Settings\db\Application Data\Real
2016-08-11 13:07 - 2010-01-10 01:42 - 00000000 ____D C:\Documents and Settings\db\Application Data\IrfanView
2016-08-11 12:57 - 2006-03-01 15:23 - 00000000 ___RD C:\Documents and Settings\db\My Documents
2016-08-11 12:28 - 2015-06-10 17:20 - 00000000 ____D C:\Program Files\Everything
2016-08-11 12:27 - 2014-02-09 23:26 - 00000000 ____D C:\Documents and Settings\db\Desktop\Landscape docs, pix
2016-08-10 17:05 - 2006-03-01 15:23 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Application Data\ApplicationHistory
2016-08-09 19:01 - 2004-08-11 15:11 - 00000000 ____D C:\WINDOWS\system32\FxsTmp
2016-08-09 18:03 - 2012-08-26 00:25 - 00000000 ____D C:\Documents and Settings\db\My Documents\Home Info, Repair
2016-08-09 16:20 - 2013-08-14 03:35 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-08-09 16:11 - 2009-04-22 00:33 - 144884648 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-08-09 02:41 - 2016-01-22 02:25 - 00000000 ____D C:\Program Files\iolo
2016-08-09 02:32 - 2016-01-22 02:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\iolo
2016-08-09 01:47 - 2013-02-20 15:53 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2016-08-09 01:35 - 2012-11-13 01:32 - 00000000 ____D C:\WINDOWS\Minidump
2016-08-08 23:05 - 2006-03-01 15:23 - 00000000 ____D C:\Documents and Settings\db
2016-08-08 19:08 - 2004-08-11 15:02 - 00000000 ____D C:\WINDOWS\system32\dllcache
2016-08-08 18:48 - 2004-08-11 15:02 - 00000000 ____D C:\WINDOWS\Help
2016-08-07 12:12 - 2016-01-22 02:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Dell
2016-08-07 12:12 - 2016-01-22 01:59 - 00000000 ____D C:\Documents and Settings\db\Application Data\PCDr
2016-08-07 12:10 - 2016-01-22 02:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PCDr
2016-08-07 12:00 - 2011-10-13 23:04 - 00000834 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-07 09:51 - 2008-12-22 20:56 - 00002341 _____ C:\Documents and Settings\All Users\Desktop\WordPerfect.lnk
2016-08-07 00:31 - 2016-01-21 23:17 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Application Data\Deployment
2016-08-06 16:07 - 2011-02-13 06:14 - 03119154 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1953364783-748760771-531774410-1005-0.dat
2016-08-06 16:07 - 2011-02-13 06:14 - 00155074 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2016-08-04 14:44 - 2004-08-11 15:00 - 00000638 _____ C:\WINDOWS\win.ini
2016-08-03 22:48 - 2011-03-09 20:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
2016-08-03 02:43 - 2012-11-17 22:12 - 00000000 ____D C:\Documents and Settings\db\Desktop\TEMP
2016-08-02 23:46 - 2005-10-03 15:08 - 00000211 ___SH C:\boot.ini
2016-08-02 23:46 - 2004-08-11 15:00 - 00000227 _____ C:\WINDOWS\system.ini
2016-08-02 17:57 - 2004-08-11 15:11 - 00000

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 444
Re: Trojan infection found
« Reply #4 on: August 22, 2016, 01:40:08 PM »

Hello SpeedBrophy,

Thanks for the logs, I am about to go through them.


The FRST main log appears to be incomplete:-

Please run your copy of FRST located on your Desktop
  • Right click to run as administrator. (XP users click Run after receipt of the Windows Security Warning - Open File.) When the tool opens, click Yes to the disclaimer.
  • Checkmark all boxes under Whitelist
  • Under Optional Scan do not checkmark any buttons.
  • Select Scan & allow it to run.
  • When it finishes, please copy/paste the log back here.
>>>>>>>>>>>>>>>>>>

Quote
Most recently MBAM, run in Safe Mode with no network connection, did complete a scan and found and quarantined many instances of Trojan.FakeMS.ED infection.

If you can still find that log post it back here please.

To post the Malwarebytes log, do the following:-
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:-
      Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
      Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice, your "Desktop", then attach it to your reply
      XML file (*.xml) - if selected, you will have to name the file and save it to a place of your choice, your "Desktop", then attach it to your reply

   Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Quote
I'll get busy on the Farbar Recovery tool, but meanwhile I do have this question:
If there is indeed a trojan infection, is it prudent to avoid networking the affected computer as much as possible? That's what I did for my first communication: downloaded dds.com on a second computer, copied the download to a thumb drive, then copied from the thumb drive to the desktop of the affected computer and ran it, with networking on the affected computer disabled immediately upon bootup. I could continue to do this, and will unless you tell me it's overkill.

If, as you suggest, you have a backdoor trojan on your XP computer, it certainly would be prudent.
>>>>>>>>>>>>>>

I need the FRST main log & the MBAM log please

Platypuss


Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #5 on: August 22, 2016, 07:17:29 PM »
Hello Platypuss,

I reran FRST.exe just as you say. Below is the new FRST.txt. One wrinkle: both times I've run FRST.exe, immediately upon launch there's a message "Failed to update (1)". When I clear the message box, the program runs apparently normally.

About the MBAM Safe Mode scan: Lots of confusion by me; sorry. The scan I ran found nothing. Then, one hour later, after a reboot and no longer in Safe Mode, MBAM running in real time began a series of trojan warning alerts and quarantines (this is reconstructed from the event viewer). So the quarantines weren't during a manual or automatically scheduled scan and I don't have a log entry, at least not one I can find in the usual MBAM logs folder or elsewhere.
What I do have is a screenshot of the MBAM window History tab > Quarantine. It's readable and identifies files. It's yours if you want it.

______________________________________________________________________________________________________
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2016 01
Ran by Administrator (administrator) on SPANIEL-REDUX (22-08-2016 15:31:28)
Running from C:\Documents and Settings\db\Desktop
Loaded Profiles: db & Administrator (Available Profiles: db & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IVT Corporation) C:\Program Files\BlueSoleil\BlueSoleilCS.exe
(Macrovision) C:\WINDOWS\system32\drivers\CDAC11BA.EXE
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Microsoft Corp., Veritas Software) C:\WINDOWS\system32\dmadmin.exe
(IVT Corporation) C:\Program Files\BlueSoleil\BtTray.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(IVT Corporation) C:\Program Files\BlueSoleil\BsHelpCS.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [BtTray] => C:\Program Files\BlueSoleil\BtTray.exe [315478 2009-09-02] (IVT Corporation)
HKLM\...\Run: [NvCplDaemon] => C:\WINDOWS\system32\NvCpl.dll [15677728 2013-06-21] (NVIDIA Corporation)
HKLM\...\Run: [BootSkin Startup Jobs] => C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe [270336 2004-04-26] ()
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\AutorunsDisabled:
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoViewOnDrive] 0
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoStrCmpLogical] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoDriveAutoRun] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoActiveDesktop] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [NoSaveSettings] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x00000000
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {6501fe54-331d-11e0-a976-0014222e7d4a} - H:\setup.exe -a
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {ab542ec4-1bc2-11e2-bf6f-0014222e7d4a} - G:\setup.exe -a
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [9216 2008-04-13] (Microsoft Corporation)
HKU\S-1-5-21-1953364783-748760771-531774410-500\...\Run: [LightScribe Control Panel] => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2736128 2011-06-20] (Hewlett-Packard Company)
HKU\S-1-5-21-1953364783-748760771-531774410-500\...\Policies\Explorer: [NoViewOnDrive] 0
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files\Google\Drive\googledrivesync32.dll [2016-07-29] (Google)
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll No File

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://forecast.weather.gov/MapClick.php?lat=33.5800169587903&lon=-111.97540283203125&site=vef&smap=1&unit=0&lg=en&FcstType=text
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1953364783-748760771-531774410-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.dell.com
HKU\S-1-5-21-1953364783-748760771-531774410-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-1953364783-748760771-531774410-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-23] (Adobe Systems Incorporated)
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll [2013-08-14] (RealDownloader)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-08-05] (Oracle Corporation)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll [2008-09-17] (Google Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-08-05] (Oracle Corporation)
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} file:///D:/LTOCX14N.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/B/0/6/B06D48C0-917B-44E2-92E0-6B3E159624A6/wmv9vcm.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} hxxp://www.fcd.maricopa.gov/maps/gismaps/plugin/mgaxctrl6.5.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} hxxps://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} hxxp://download.abacast.com/download/files/abasetup161.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\WINDOWS\system32\skype4com.dll [2007-08-27] (Skype Technologies)

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [No File]
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [No File]
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @pack.google.com/Google Updater;version=13 -> C:\Program Files\Google\Google Updater\2.3.1334.1308\npCIDetect13.dll [No File]
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll [No File]
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll [No File]
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll [No File]
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll [No File]
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll [No File]
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [No File]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-02] [not signed]
FF HKLM\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext => not found
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-11] [not signed]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-24]
CHR Extension: (Google Docs) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-24]
CHR Extension: (Google Drive) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-04-24]
CHR Extension: (YouTube) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-04-24]
CHR Extension: (Google Search) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-04-24]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-24]
CHR Extension: (Bookmark Manager) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-24]
CHR Extension: (RealDownloader) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2015-04-24]
CHR Extension: (Freemake Video Converter) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj [2015-04-24]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-24]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-04-24]
CHR Extension: (Gmail) - C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-24]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [jbolfgndggfhhpbnkgnpjkfhinclbigj] - C:\Program Files\Freemake\Freemake Video Converter\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx [2014-02-10]
CHR HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [763816 2011-01-28] (Acronis)
S3 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3246040 2012-08-06] (Acronis)
R2 BlueSoleilCS; C:\Program Files\BlueSoleil\BlueSoleilCS.exe [1466476 2009-09-02] (IVT Corporation) [File not signed]
R3 BsHelpCS; C:\Program Files\BlueSoleil\BsHelpCS.exe [102503 2009-09-02] (IVT Corporation) [File not signed]
R2 C-DillaCdaC11BA; C:\WINDOWS\system32\drivers\CDAC11BA.EXE [54784 2006-10-30] (Macrovision) [File not signed]
S2 HidServ; C:\WINDOWS\System32\svchost.exe [14336 2008-04-13] (Microsoft Corporation)
S4 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S3 Imapi Helper; C:\Program Files\ISO Recorder\ImapiHelper.exe [163840 2006-01-05] (Alex Feinman) [File not signed]
S4 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-05] (Oracle Corporation)
S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2011-06-20] (Hewlett-Packard Company) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S4 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S4 NETGEARGenieDaemon; C:\Program Files\NETGEAR Genie\bin\NETGEARGenieDaemon.exe [195840 2015-08-26] (NETGEAR)
S4 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S4 Acrjong; no ImagePath
S4 Hkmsmodmid; no ImagePath
S4 Ksrjobunewhe; no ImagePath
S4 Nlatmoacd; no ImagePath

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
R2 BCMNTIO; C:\Program Files\CheckIt\Diagnostics\BCMNTIO.SYS [3744 2004-03-05] () [File not signed]
S3 BlueletAudio; C:\WINDOWS\System32\DRIVERS\blueletaudio.sys [33800 2009-06-17] (IVT Corporation.)
S0 BootScreen; C:\WINDOWS\System32\drivers\vidstub.sys [164608 2016-02-11] () [File not signed]
S3 BT; C:\WINDOWS\System32\DRIVERS\btnetdrv.sys [14088 2009-06-17] (IVT Corporation.)
S3 Btcsrusb; C:\WINDOWS\System32\Drivers\btcusb.sys [39304 2009-07-08] (IVT Corporation.)
R0 BtHidBus; C:\WINDOWS\System32\Drivers\BtHidBus.sys [20744 2009-06-17] (IVT Corporation.)
R3 btnetBUs; C:\WINDOWS\System32\Drivers\btnetBus.sys [29192 2009-06-17] ()
R2 CdaC15BA; C:\WINDOWS\system32\drivers\CdaC15BA.SYS [12464 2006-10-30] (Macrovision Europe Ltd) [File not signed]
S3 GKUPRO2D; C:\WINDOWS\System32\Drivers\GKUPRO2D.sys [62048 2004-07-16] (Gemplus)
R3 IvtBtBUs; C:\WINDOWS\System32\Drivers\IvtBtBus.sys [25480 2009-06-17] (IVT Corporation.)
R2 MAPMEM; C:\Program Files\CheckIt\Diagnostics\MAPMEM.SYS [3904 2004-03-05] () [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2016-08-22] (Malwarebytes)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R2 NPF; C:\WINDOWS\system32\drivers\npf.sys [35088 2016-02-03] (CACE Technologies, Inc.)
R3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [128672 2013-02-24] (NVIDIA Corporation)
S4 Ospdpswmorm; C:\WINDOWS\system32\drivers\i8042prt.sys [52480 2008-04-13] (Microsoft Corporation)
R2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2006-09-27] (Symantec Corporation)
R2 tifsfilter; C:\WINDOWS\System32\DRIVERS\tifsfilt.sys [44384 2010-07-04] (Acronis)
S3 VComm; C:\WINDOWS\System32\DRIVERS\VComm.sys [14856 2009-06-17] (IVT Corporation.)
R3 VcommMgr; C:\WINDOWS\System32\Drivers\VcommMgr.sys [32392 2009-06-17] (IVT Corporation.)
S4 btaudio; system32\drivers\btaudio.sys [X]
S4 BTCFilterService; system32\DRIVERS\motfilt.sys [X]
S4 BTDriver; system32\DRIVERS\btport.sys [X]
S4 BTWDNDIS; system32\DRIVERS\btwdndis.sys [X]
S4 btwhid; system32\DRIVERS\btwhid.sys [X]
S4 BTWUSB; System32\Drivers\btwusb.sys [X]
S4 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [X]
S4 motccgp; system32\DRIVERS\motccgp.sys [X]
S4 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S4 MotDev; system32\DRIVERS\motodrv.sys [X]
S4 motmodem; system32\DRIVERS\motmodem.sys [X]
S4 MotoSwitchService; system32\DRIVERS\motswch.sys [X]
S4 Motousbnet; system32\DRIVERS\Motousbnet.sys [X]
S4 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-22 15:31 - 2016-08-22 15:32 - 00020186 _____ C:\Documents and Settings\db\Desktop\FRST.txt
2016-08-21 19:10 - 2016-08-21 19:03 - 01746432 _____ (Farbar) C:\Documents and Settings\db\Desktop\FRST.exe
2016-08-21 18:54 - 2016-08-21 19:13 - 00000000 ____D C:\FRST
2016-08-21 18:45 - 2016-08-22 15:29 - 00000000 ____D C:\Documents and Settings\db\Desktop\SpyHammer
2016-08-21 18:44 - 2016-08-21 18:44 - 00090112 _____ C:\WINDOWS\Minidump\Mini082116-01.dmp
2016-08-20 17:55 - 2016-08-20 17:55 - 00000104 _____ C:\Documents and Settings\db\Desktop\README DAVE.txt
2016-08-15 14:06 - 2016-08-21 18:44 - 00263918 _____ C:\WINDOWS\ntbtlog.txt
2016-08-11 12:57 - 2016-08-11 12:57 - 00005746 _____ C:\Documents and Settings\db\My Documents\Glacier.theme
2016-08-09 01:35 - 2016-08-09 01:34 - 00065536 _____ C:\WINDOWS\Minidump\Mini080916-01.dmp
2016-08-07 23:02 - 2016-08-07 23:02 - 00065536 _____ C:\WINDOWS\Minidump\Mini080716-04.dmp
2016-08-07 20:42 - 2016-08-07 20:42 - 00065536 _____ C:\WINDOWS\Minidump\Mini080716-03.dmp
2016-08-07 19:31 - 2016-08-07 16:50 - 135458739 ____N C:\Documents and Settings\db\Desktop\VID_20160807_164946460.mp4
2016-08-07 15:39 - 2016-08-07 15:39 - 00090112 _____ C:\WINDOWS\Minidump\Mini080716-02.dmp
2016-08-07 12:12 - 2016-08-07 12:12 - 00000564 _____ C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job
2016-08-07 12:12 - 2016-08-07 12:12 - 00000502 _____ C:\WINDOWS\Tasks\SystemToolsDailyTest.job
2016-08-07 12:12 - 2016-08-07 12:12 - 00000478 _____ C:\WINDOWS\Tasks\PCDDataUploadTask.job
2016-08-07 12:12 - 2016-08-07 12:12 - 00000000 ____D C:\Program Files\Dell Support Center
2016-08-07 00:45 - 2016-08-07 00:45 - 00065536 _____ C:\WINDOWS\Minidump\Mini080716-01.dmp
2016-08-06 19:16 - 2016-08-06 19:16 - 00065536 _____ C:\WINDOWS\Minidump\Mini080616-01.dmp
2016-08-04 18:15 - 2016-08-04 18:15 - 00000000 ____D C:\Program Files\NirSoft
2016-08-04 18:15 - 2016-08-04 18:15 - 00000000 ____D C:\Documents and Settings\db\Start Menu\Programs\BSOD Viewer
2016-08-03 23:39 - 2016-08-03 23:38 - 00065536 _____ C:\WINDOWS\Minidump\Mini080316-01.dmp
2016-08-02 23:31 - 2016-08-22 15:20 - 00000272 _____ C:\WINDOWS\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1953364783-748760771-531774410-1005.job
2016-08-02 23:31 - 2016-08-21 20:43 - 00000280 _____ C:\WINDOWS\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1953364783-748760771-531774410-1005.job
2016-07-28 17:32 - 2016-07-28 17:32 - 07065600 _____ C:\Program Files\GUT17.tmp
2016-07-28 17:32 - 2016-07-28 17:32 - 00000000 ____D C:\Program Files\GUM16.tmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-22 15:32 - 2004-08-11 15:20 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2016-08-22 15:20 - 2016-02-12 00:58 - 00005264 _____ C:\WINDOWS\system32\nvAppTimestamps
2016-08-22 15:20 - 2015-10-15 00:30 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-22 15:20 - 2009-09-07 15:42 - 00000983 _____ C:\WINDOWS\system32\bscs.ini
2016-08-22 15:20 - 2004-08-11 15:20 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-22 15:20 - 2004-08-11 15:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2016-08-22 01:02 - 2006-03-01 15:23 - 00000178 ___SH C:\Documents and Settings\db\ntuser.ini
2016-08-22 01:02 - 2004-08-11 15:20 - 00032462 _____ C:\WINDOWS\SchedLgU.Txt
2016-08-22 01:01 - 2006-03-01 15:23 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Temp
2016-08-21 18:54 - 2004-08-11 15:20 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2016-08-21 16:10 - 2012-08-27 16:28 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Drive
2016-08-20 17:59 - 2010-02-27 00:28 - 00000000 ____D C:\Program Files\Desktop Restore
2016-08-20 17:59 - 2010-02-27 00:28 - 00000000 ____D C:\Documents and Settings\db\Start Menu\Programs\Desktop Restore
2016-08-15 14:04 - 2009-03-10 09:57 - 00000000 ____D C:\Program Files\Bonjour
2016-08-11 13:34 - 2015-08-25 17:28 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Application Data\Spotify
2016-08-11 13:34 - 2015-08-25 17:28 - 00000000 ____D C:\Documents and Settings\db\Application Data\Spotify
2016-08-11 13:08 - 2008-09-16 16:35 - 00000000 ____D C:\Documents and Settings\db\Application Data\Real
2016-08-11 13:07 - 2010-01-10 01:42 - 00000000 ____D C:\Documents and Settings\db\Application Data\IrfanView
2016-08-11 12:57 - 2006-03-01 15:23 - 00000000 ___RD C:\Documents and Settings\db\My Documents
2016-08-11 12:28 - 2015-06-10 17:20 - 00000000 ____D C:\Program Files\Everything
2016-08-11 12:27 - 2014-02-09 23:26 - 00000000 ____D C:\Documents and Settings\db\Desktop\Landscape docs, pix
2016-08-10 17:05 - 2006-03-01 15:23 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Application Data\ApplicationHistory
2016-08-09 19:01 - 2004-08-11 15:11 - 00000000 ____D C:\WINDOWS\system32\FxsTmp
2016-08-09 18:03 - 2012-08-26 00:25 - 00000000 ____D C:\Documents and Settings\db\My Documents\Home Info, Repair
2016-08-09 16:20 - 2013-08-14 03:35 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-08-09 16:11 - 2009-04-22 00:33 - 144884648 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-08-09 02:41 - 2016-01-22 02:25 - 00000000 ____D C:\Program Files\iolo
2016-08-09 02:32 - 2016-01-22 02:25 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\iolo
2016-08-09 01:47 - 2013-02-20 15:53 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2016-08-09 01:35 - 2012-11-13 01:32 - 00000000 ____D C:\WINDOWS\Minidump
2016-08-08 23:05 - 2006-03-01 15:23 - 00000000 ____D C:\Documents and Settings\db
2016-08-08 19:08 - 2004-08-11 15:02 - 00000000 ____D C:\WINDOWS\system32\dllcache
2016-08-08 18:48 - 2004-08-11 15:02 - 00000000 ____D C:\WINDOWS\Help
2016-08-07 12:12 - 2016-01-22 02:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Dell
2016-08-07 12:12 - 2016-01-22 01:59 - 00000000 ____D C:\Documents and Settings\db\Application Data\PCDr
2016-08-07 12:10 - 2016-01-22 02:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\PCDr
2016-08-07 12:00 - 2011-10-13 23:04 - 00000834 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-07 09:51 - 2008-12-22 20:56 - 00002341 _____ C:\Documents and Settings\All Users\Desktop\WordPerfect.lnk
2016-08-07 00:31 - 2016-01-21 23:17 - 00000000 ____D C:\Documents and Settings\db\Local Settings\Application Data\Deployment
2016-08-06 16:07 - 2011-02-13 06:14 - 03119154 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1953364783-748760771-531774410-1005-0.dat
2016-08-06 16:07 - 2011-02-13 06:14 - 00155074 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2016-08-04 14:44 - 2004-08-11 15:00 - 00000638 _____ C:\WINDOWS\win.ini
2016-08-03 22:48 - 2011-03-09 20:04 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
2016-08-03 02:43 - 2012-11-17 22:12 - 00000000 ____D C:\Documents and Settings\db\Desktop\TEMP
2016-08-02 23:46 - 2005-10-03 15:08 - 00000211 ___SH C:\boot.ini
2016-08-02 23:46 - 2004-08-11 15:00 - 00000227 _____ C:\WINDOWS\system.ini
2016-08-02 17:57 - 2004-08-11 15:11 - 00000000 ____D C:\WINDOWS\Registration
2016-07-30 15:27 - 2011-10-13 23:04 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-27 18:53 - 2006-10-30 00:46 - 00000000 ____D C:\Program Files\Mathcad 13
2016-07-23 16:44 - 2011-05-26 13:38 - 00000000 ____D C:\Documents and Settings\db\My Documents\Medical

==================== Files in the root of some directories =======

2016-07-28 17:32 - 2016-07-28 17:32 - 7065600 _____ () C:\Program Files\GUT17.tmp
2007-01-01 17:46 - 2008-01-02 20:15 - 0001755 _____ () C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Some files in TEMP:
====================
C:\Documents and Settings\db\Local Settings\Temp\jre-8u101-windows-au.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================
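Added example for readers working through a log like the one above (it is not code from the forum thread, from FRST or from its author): a small Python triage script that parses the line format FRST prints in its Services and Drivers sections, flags the entry types the helper later moves into fixlist.txt (no ImagePath, missing file, unsigned binary), and drafts the fixlist lines. The sample lines are copied from the report above; the fixlist Start::/End:: marker syntax is assumed from FRST's documented usage.

```python
"""Triage FRST 'Services' / 'Drivers' log entries and draft fixlist candidates.

Added example for this thread; not code from the forum, from FRST, or from
its author. It reads the line format FRST prints in the Services and Drivers
sections (status code, name, image path, [size date], (signer), optional
notes) and flags the kinds of entries the helper above moved into
fixlist.txt: registrations with no ImagePath, entries whose file is missing
([X]), and binaries FRST reports as not signed.
"""
import re

# Leading status code: R = running, S = stopped, U = unknown; digit = start type.
ENTRY_RE = re.compile(r"^(?P<status>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# Normal entry body: <path> [<size> <yyyy-mm-dd>] (<signer>) [optional notes]
BODY_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]"
    r"\s*\((?P<signer>[^)]*)\)\s*(?P<notes>.*)$"
)


def parse_entry(line):
    """Return a dict for one FRST service/driver line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    entry = {
        "status": m.group("status"),
        "name": m.group("name").strip(),
        "raw": line.strip(),
        "path": None, "signer": None, "flags": [],
    }
    if rest.lower() == "no imagepath":
        # A service key with nothing to run: either a leftover or a hiding spot.
        entry["flags"].append("no ImagePath")
    elif rest.endswith("[X]"):
        # FRST could not find the file the registration points to.
        entry["path"] = rest[:-3].strip()
        entry["flags"].append("file missing")
    else:
        body = BODY_RE.match(rest)
        if body:
            entry["path"] = body.group("path")
            entry["signer"] = body.group("signer")
            if "file not signed" in body.group("notes").lower():
                entry["flags"].append("unsigned")
        else:
            entry["path"] = rest
            entry["flags"].append("unparsed body")  # worth a manual look
    return entry


def triage(log_text):
    """Parse every service/driver line and return only the flagged entries."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["flags"]]


def draft_fixlist(flagged):
    """Draft a fixlist.txt body. FRST removes a service/driver entry when its
    log line is pasted in verbatim. The Start::/End:: markers use a double
    colon (assumed from FRST usage); the Fixlog above reports 'No automatic
    fix found' for the single-colon 'Start:' line."""
    return "Start::\n" + "\n".join(e["raw"] for e in flagged) + "\nEnd::\n"


# Constructed sample: lines copied from the FRST log posted above.
SAMPLE_LOG = r"""
S4 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S4 Acrjong; no ImagePath
S4 Nlatmoacd; no ImagePath
R2 BCMNTIO; C:\Program Files\CheckIt\Diagnostics\BCMNTIO.SYS [3744 2004-03-05] () [File not signed]
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
S4 Ospdpswmorm; C:\WINDOWS\system32\drivers\i8042prt.sys [52480 2008-04-13] (Microsoft Corporation)
S4 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [X]
U1 WS2IFSL; no ImagePath
"""

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e['status']} {e['name']:<14} {', '.join(e['flags'])}")
    print(draft_fixlist(flagged))
```

Signed entries with a present file (MBAMProtector, Ospdpswmorm in the sample) are not flagged by these heuristics; they still need the human review the helper performs in the thread.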

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 444
Re: Trojan infection found
« Reply #6 on: August 23, 2016, 11:32:47 AM »
Hello SpeedBrophy,

 Remove unwanted program

EasyCleaner
This is a Registry Cleaner which you do not need.
Programs like this only remove orphan registry entries, which make no noticeable difference to your system's performance.
Unless you have sufficient knowledge of the registry to judge what it should and should not remove, you should never use one.
Please uninstall this program in your Add or Remove section.



    Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Open notepad. Please copy the contents of the code box below.
  • To do this highlight the contents of the box and right click on it.
  • Then paste it into the open notepad.
  • Save it on the Desktop as fixlist.txt
  • Next Run FRST and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Code:
Start:
CloseProcesses:
CreateRestorePoint:
S3 Imapi Helper; C:\Program Files\ISO Recorder\ImapiHelper.exe [163840 2006-01-05] (Alex Feinman) [File not signed
S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2011-06-20] (Hewlett-Packard Company) [File not
S4 Acrjong; no ImagePath
S4 Hkmsmodmid; no ImagePath
S4 Ksrjobunewhe; no ImagePath
S4 Nlatmoacd; no ImagePathsigned]NETGE
R2 NPF; C:\WINDOWS\system32\drivers\npf.sys [35088 2016-02-03] (CACE Technologies, Inc.)
U1 WS2IFSL; no ImagePath
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {6501fe54-331d-11e0-a976-0014222e7d4a} - H:\setup.exe -a
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {ab542ec4-1bc2-11e2-bf6f-0014222e7d4a} - G:\setup.exe -a
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
CHR HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
2016-07-28 17:32 - 2016-07-28 17:32 - 07065600 _____ C:\Program Files\GUT17.tmp
2016-07-28 17:32 - 2016-07-28 17:32 - 00000000 ____D C:\Program Files\GUM16.tmp
EmptyTemp:
CMD: ipconfig /flushdns
cmd: bootrec /FixMbr
Reboot:
end
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

RogueKiller by Tigzy


  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • Right click on the setup.exe icon and select Run as Administrator
  • For Windows XP simply double click on the item
  • Select Install 32 and 64 bits versions (Recommended for Technicians), then click Next 3 times
  • Click OK on and 64 bits versions (Recommended for Technicians), then click Next 3 times
  • Click Install
  • Click Finish then Accept
  • The program will conduct a prescan and when finished you will see Prescan Finished. Please hit the scan button
  • Click Start Scan twice
  • When completed click Open Report
  • Click Export Text and save the file on your Desktop as RK.txt
  • Close all open RogueKiller windows
  • Copy and paste the contents of the report in your reply

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Just a reminder

Please do not run any tools unless instructed to do so because it confuses the issue & may well cause unforeseen damage to your machine.



Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #7 on: August 23, 2016, 05:00:59 PM »
Thanks, Platypuss.

One question before I run FRST with the fixlist:
Will the script S3 and S4 items be completely deleted? If so, I would like to remove from the fixlist the S4 item Lightscribe Service. It's for burning CDs. It's disabled because I use it only very rarely, and from the listing I gather that it's not even present. But I would still like to have it listed in services.msc as a disabled service, as a reminder.  OK? Just delete this line from fixlist.txt?
 
The other S4s are all disabled services. I don't even know what some of them are or how they got there. But I left them just in case. Out they go.

EasyCleaner I have never used. It's dangerous garbage. But I do use on occasion the registry cleanup parts of CCleaner and of Revo Uninstaller, including Revo in Advanced Mode. Please let me know if you think this too is dangerous.

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #8 on: August 24, 2016, 05:38:13 PM »
Below is the fixlog from the FRST tool. I forgot to run it from the Administrator account, but my user account has administrative privileges. Is there something wrong with the master boot record instruction?

The installation program setup.exe for RogueKiller failed to run. With no programs running and MBAM also stopped, I got a prompt to choose a language, but after that, nothing, just the desktop. Task Manager shows setup.exe as not responding. I tried *run as Administrator, *run from a user account (but with administrative privileges), *reboot and try again, *re-do the download and try again. No luck, "not responding". I have downloaded the "portable version, needs no installation", 32-bit RogueKiller.exe, but I will not try to run it without your OK.
________________________________________________________________________________________________
Fix result of Farbar Recovery Scan Tool (x86) Version: 21-08-2016 01
Ran by db (24-08-2016 13:18:15) Run:1
Running from C:\Documents and Settings\db\Desktop
Loaded Profiles: db (Available Profiles: db & Administrator)
Boot Mode: Normal
==============================================
fixlist content:
*****************
Start:
CloseProcesses:
CreateRestorePoint:
S3 Imapi Helper; C:\Program Files\ISO Recorder\ImapiHelper.exe [163840 2006-01-05] (Alex Feinman) [File not signed
S4 Acrjong; no ImagePath
S4 Hkmsmodmid; no ImagePath
S4 Ksrjobunewhe; no ImagePath
S4 Nlatmoacd; no ImagePathsigned]NETGE
R2 NPF; C:\WINDOWS\system32\drivers\npf.sys [35088 2016-02-03] (CACE Technologies, Inc.)
U1 WS2IFSL; no ImagePath
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {6501fe54-331d-11e0-a976-0014222e7d4a} - H:\setup.exe -a
HKU\S-1-5-21-1953364783-748760771-531774410-1005\...\MountPoints2: {ab542ec4-1bc2-11e2-bf6f-0014222e7d4a} - G:\setup.exe -a
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
CHR HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
2016-07-28 17:32 - 2016-07-28 17:32 - 07065600 _____ C:\Program Files\GUT17.tmp
2016-07-28 17:32 - 2016-07-28 17:32 - 00000000 ____D C:\Program Files\GUM16.tmp
EmptyTemp:
CMD: ipconfig /flushdns
cmd: bootrec /FixMbr
Reboot:
end
*****************

Start: => Error: No automatic fix found for this entry.
Processes closed successfully.
Restore point was successfully created.
Imapi Helper => service removed successfully.
Acrjong => service removed successfully.
Hkmsmodmid => service removed successfully.
Ksrjobunewhe => service removed successfully.
Nlatmoacd => service removed successfully.
NPF => Service stopped successfully.
NPF => service removed successfully.
WS2IFSL => service removed successfully.
"HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6501fe54-331d-11e0-a976-0014222e7d4a}" => key removed successfully.
HKCR\CLSID\{6501fe54-331d-11e0-a976-0014222e7d4a} => key not found.
"HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab542ec4-1bc2-11e2-bf6f-0014222e7d4a}" => key removed successfully.
HKCR\CLSID\{ab542ec4-1bc2-11e2-bf6f-0014222e7d4a} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSharedOverlay" => key removed successfully.
HKCR\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => key not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
"HKU\S-1-5-21-1953364783-748760771-531774410-1005\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => key removed successfully.
C:\Program Files\GUT17.tmp => moved successfully
C:\Program Files\GUM16.tmp => moved successfully

========= ipconfig /flushdns =========

 Windows IP Configuration 
========= End of CMD: =========


========= bootrec /FixMbr =========

'bootrec' is not recognized as an internal or external command,
operable program or batch file.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 15369 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 107872 B
Java, Flash, Steam htmlcache => 536584 B
Windows/system/dllcache/drivers => 10145941 B
Edge => 0 B
Chrome => 246063320 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default User => 82430 B
All Users => 0 B
systemprofile => 369021279 B
LocalService => 66644 B
NetworkService => 4411674 B
db => 56072717 B
Administrator => 11044354 B

RecycleBin => 37621661 B
EmptyTemp: => 701.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 13:18:55 ====

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 444
Re: Trojan infection found
« Reply #9 on: August 25, 2016, 08:15:17 AM »


Hello SpeedBrophy,

Quote
I would like to remove from the fixlist the S4 item Lightscribe Service. It's for burning CDs. It's disabled because I use it only very rarely.


Is your Lightscribe software working perfectly ?
Please run it now to confirm.
Assuming that all is well, you may delete that filepath entry from the Fix.
If it is not, we will deal with it later.
>>>>>>>>>>>>>>

Quote
The other S4s are all disabled services. I don't even know what some of them are or how they got there. But I left them just in case. Out they go.

S4 btaudio; system32\drivers\btaudio.sys [X]
S4 BTCFilterService; system32\DRIVERS\motfilt.sys [X]
S4 BTDriver; system32\DRIVERS\btport.sys [X]
S4 BTWDNDIS; system32\DRIVERS\btwdndis.sys [X]
S4 btwhid; system32\DRIVERS\btwhid.sys [X]
S4 BTWUSB; System32\Drivers\btwusb.sys [X]
S4 cpudrv; \??\C:\Program Files\SystemRequirementsLab\cpudrv.sys [X]
S4 motccgp; system32\DRIVERS\motccgp.sys [X]
S4 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S4 MotDev; system32\DRIVERS\motodrv.sys [X]
S4 motmodem; system32\DRIVERS\motmodem.sys [X]
S4 MotoSwitchService; system32\DRIVERS\motswch.sys [X]
S4 Motousbnet; system32\DRIVERS\Motousbnet.sys [X]
S4 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]

These are all perfectly legitimate filepaths & files appertaining to Bluetooth/Motorola/WiFi services.


Quote
But I do use on occasion the registry cleanup parts of CCleaner and of Revo Uninstaller, including Revo in Advanced Mode. Please let me know if you think this too is dangerous

 The usefulness of cleaning the registry is highly overrated and can be dangerous.
 Unless you have a particular problem that requires a registry edit to correct it, (and you are expert in the registry), I would suggest you leave the registry alone. I suggest that you do not use the registry cleaner in CCleaner.
The Revo "cleaner" is an exception, it simply removes registry entries left behind after uninstalling a designated program. I recommend that you use it.
 One of the malware experts, miekiemoes, has an excellent write-up HERE. Please read it.
>>>>>>>>>>>>>>>>>>

Quote
I have downloaded the "portable version, needs no installation", 32-bit RogueKiller.exe, but I will not try to run it without your OK.

 (1) Uninstall your original copy in your Add or Remove section  & then download/run a new copy of Rogue Killer first.

 (2) Next, try this HERE

 (3) There is a possibility that your Smartscreen is blocking it. Look HERE
      & check out the SMARTSCREEN instructions.

 (4) If that fails try running your portable copy.
 
 NOTE.  Do not remove any files from the log it produces.
 Platypuss




Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #10 on: August 25, 2016, 09:19:29 PM »
Thanks, Platypuss, for responding to all my questions.

Lightscribe service in FRST fixlist

 I did delete it from fixlist.txt, so it's still on the list of startup services, but just as a reminder. It's disabled. Lightscribe isn't a concern.


Other S4 items in FRST fixlist

None of the ones you listed are on my computer. Did you maybe look at the wrong post?


Registry cleaners

Gotcha.


Failed RogueKiller Installation

[1] There's nothing to uninstall. Neither Add or Remove Programs nor Revo Uninstaller has an entry. Probably because RogueKiller's setup.exe failed to execute, so no installation got completed. I did simply delete setup.exe from the desktop and download and run a new copy, but that too failed the same way.

[2] Nice work! But the tip from bleepingcomputer didn't work. I let setup.exe run for 25 minutes with no result. The difference between the bleepingcomputer case and my case is that in my case Task Manager reports the application as not responding.

[3] I have Windows XP on an old desktop PC - no SmartScreen.

[4] The portable copy RogueKiller.exe ran OK. RK.txt is below.

_______________________________________________________________________________________________

RogueKiller V12.5.1.0 [Aug 22 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Administrator]
Started from : C:\Documents and Settings\db\Desktop\RogueKiller.exe
Mode : Scan -- Date : 08/25/2016 18:24:47 (Duration : 00:24:22)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD} (C:\WINDOWS\system32\AudFile.dll) -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\SereneScreen -> Found
[PUP] HKEY_USERS\S-1-5-21-1953364783-748760771-531774410-1005\Software\SereneScreen -> Found
[PUP] HKEY_USERS\S-1-5-21-1953364783-748760771-531774410-1005\Software\YahooPartnerToolbar -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Winamp Toolbar -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Internet Explorer\Main | Start Page : http://forecast.weather.gov/MapClick.php?lat=33.5800169587903&lon=-111.97540283203125&site=vef&smap=1&unit=0&lg=en&FcstType=text  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1953364783-748760771-531774410-500\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.dell.com  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1953364783-748760771-531774410-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\Program Files\SereneScreen -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][CHROME:Addon] Default : Freemake Video Converter [jbolfgndggfhhpbnkgnpjkfhinclbigj] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Maxtor 6L080M0 +++++
--- User ---
[MBR] e0d44f2b3ae87c0fc0ad2f9ec1df9a18
[BSP] 11d467b9f31927f29d49c85858b51038 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 80325 | Size: 50250 MB [Windows XP Bootstrap | Windows XP Bootloader]
2 - [XXXXXX] EXTEN (0x5) [VISIBLE] Offset (sectors): 102992715 | Size: 26003 MB
User = LL1 ... OK
User = LL2 ... OK

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 444
Re: Trojan infection found
« Reply #11 on: August 27, 2016, 02:59:02 AM »
Hello SpeedBrophy,

Apologies for the delay.

RogueKiller Selecting Deletions (Fix)

  • Close any open programs
  • Please disconnect any USB or external drives from the computer before you run the scan
  • Right click on the RogueKiller icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • Allow the Prescan to finish
  • Click Scan
  • When the Status box shows Scan Finished place a checkmark in the following and select Delete:-
Registry
[PUP] HKEY_CLASSES_ROOT\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD} (C:\WINDOWS\system32\AudFile.dll) -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\SereneScreen -> Found
[PUP] HKEY_USERS\S-1-5-21-1953364783-748760771-531774410-1005\Software\SereneScreen -> Found
[PUP] HKEY_USERS\S-1-5-21-1953364783-748760771-531774410-1005\Software\YahooPartnerToolbar -> Found
[PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Winamp Toolbar -> Found

Files
[PUP][Folder] C:\Program Files\SereneScreen -> Found

>>>>>>>>>>>>>>>>>>>>>>>>>>>

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
>>>>>>>>>>>>>>>>>>>>>>>

Please download AdwCleaner onto your Desktop.

Take care NOT to click on any ad, such as PC Optimizer Pro. The correct link is the button labeled "Download from Bleeping Computer" to be found in bottom right hand corner.
NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens.
 Then click on the link again.

  • Now close your browser and double click the AdwCleaner icon on your desktop.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish.
  • When the scan finishes, you'll see a message in the AdwCleaner window: "Waiting for action. Please uncheck elements you want to keep."
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot.
    After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply.
  • Should you lose track of the log, it is saved in this folder C:\AdwCleaner\

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I need both logs please.
How is the computer running now ?

Platypuss

Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #12 on: August 27, 2016, 11:14:38 PM »
Hello Platypuss, thanks for your reply. Before I proceed with RogueKiller deletions and more, I would appreciate your comments/advice on changes I propose to make from your recommendations.  Please advise. Perhaps you see red flags in the RogueKiller listings that I miss.
 
Serene Screen folder and registry keys
The Serene Screen programs are not PUPS; I want them. They are two screensaver-like programs which I've had for a long time and trust.

Freemake Video Converter
I'd like to keep this unless there's a risk, and there just might be. The program has a Chrome plug-in to capture web video, which is installed  but is normally disabled because it's so rarely used. I'd like to keep it that way: installed and available if manually enabled. But I wonder about the  [jbolfgndg...] that RogueKiller found after the plug-in name. Is that a red flag? The program is freeware, and comes with added **** which you have to carefully avoid installing. If **** got by me in the plug-in, then I will delete this item. Do you see any suggestion of this?

CLSID for AudFile.dll
I can't tell whether this is a PUP or not. AudFile.dll is one of 7 ActiveX dll's for audio, all from NCT Company, Ltd. All were installed at the same time, accompanied by a slew of dll's and ocx's from Microsoft. But I can't figure out what program calls it, or if it's in use at all. Nothing else anywhere on my C: drive was installed at the same time. I haven't knowingly messed with my audio, ever, except for driver updates from Dell, which this isn't. A slight possibility is that these are components of Audacity, an audio editor which I use often and don't want to cripple. But Audacity was installed a week later. Or maybe it was an Audacity update that was installed a week later. ???

How is the computer running now ?  Better. Lots. Faster, no blue screen crashes, no program faults. But it's not really been tested. I'm booting with networking disabled so no activity there, and while MBAM is still running real time it's got nothing to monitor. Also, I haven't used that machine very much. But still, it's better, and for that I thank you. I appreciate the methodical approach.
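One way to investigate a registered COM server like the AudFile.dll CLSID above (whether the DLL is still on disk and who signed it) is the following PowerShell check; it is an added example, not part of the thread or of any tool mentioned in it, and the NameFilter value is an assumption chosen to match the DLL discussed.

```powershell
# Added example (not from the thread): resolve InprocServer32 DLL paths under
# HKCR\CLSID that match a name filter and report whether the file exists and
# whether it carries a valid Authenticode signature. An unsigned or missing
# file is a prompt to look up the publisher, not proof of a PUP.
param([string]$NameFilter = 'AudFile')   # assumed filter; matches the DLL discussed

$results = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Each CLSID key may hold an InprocServer32 subkey whose default value is the DLL path
    $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if ($null -eq $server) { return }
    $path = [string]$server.'(default)'
    if ($path -notmatch $NameFilter) { return }

    # Strip surrounding quotes and expand variables such as %SystemRoot%
    $path = [Environment]::ExpandEnvironmentVariables($path.Trim('"'))

    $status = 'FILE MISSING'
    if (Test-Path -LiteralPath $path) {
        # SignatureStatus is Valid, NotSigned, HashMismatch, etc.
        $status = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    New-Object PSObject -Property @{
        CLSID     = $_.PSChildName
        Path      = $path
        Signature = $status
    }
  }

$results | Format-Table CLSID, Signature, Path -AutoSize
```

Run it without the filter (pass an empty string) to review every registered in-process server; the rows marked FILE MISSING or NotSigned are the ones worth checking against the vendor before deciding what to remove.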


Offline SpeedBrophy

  • Bronze Member
  • Posts: 20
Re: Trojan infection found
« Reply #13 on: August 27, 2016, 11:24:48 PM »
Oops I forgot: your instructions for AdwCleaner seem to say I'm to go ahead and let the program clean everything it finds, and only then contact you with the results of the cleaning. Correct?

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 444
Re: Trojan infection found
« Reply #14 on: August 28, 2016, 02:15:56 PM »
Hello SpeedBrophy,

A potentially unwanted program is bundled software which computer users are fooled into installing along with a wanted program.

An explanation of PUP activities may be found HERE. Please read it.

I have no wish whatsoever to remove software programs that you wish to keep.
They are not Malware but are an increased risk of attracting it.
However, you are already living dangerously by virtue of accessing the internet using Windows XP.
The article below describes your current situation:-

 What's the real issue about Windows XP ?

    Horror Stories now
    Please be aware that Microsoft has terminated support of Windows XP/SP3 as of April 8, 2014
    That means it will no longer have updates and patches to prevent PC infections.

    Since support has been withdrawn by Microsoft, it will be impossible to secure the XP machine. It won't matter how many firewalls, anti-virus scanners, or other security programs are installed.
    Any XP machine that is online will get infected repeatedly, and any useful information on it will likely be stolen. It will NOT be fixable.

    Expected are cases of Financial / ID theft and Blackmail using Trojans and Keyloggers to intercept private information.

    The Antivirus Providers still supporting XP have said they may discontinue support at any time.

    There is a detailed evaluation in this Microsoft blog:
    https://blogs.microsoft.com/microsoftsecure/
    https://blogs.microsoft.com/microsoftsecure/2016/08/17/rise-in-severe-vulnerabilities-highlights-importance-of-software-updates/


    Don't wait for the XP system to get infected before you take action.

    What do you use the Machine for?
    If the machine is used for Internet purchases, or to contact financial institutions, (banking, etc.) the XP issue is Extremely important.
    All of the credit card or account information could be at risk.
    If Debit card information is stolen, criminals may be able to empty a bank account remotely and disappear.
    If there are multiple PCs on your network at home, steps need to be taken to prevent the XP machine from contaminating others on the Network. This applies even if there is no critical information on the XP machine itself. If possible, turn OFF File sharing.

    What Personal Information has passed through or been stored Onboard?
    You need to know all debit/credit card and financial account numbers and passwords, PINs, etc. that have been used on the machine.
    This is especially true if you use a browser to save any account passwords.
    If information is stolen, you may need to replace the accounts or change passwords.
   
    We can check for malware but we cannot make your computer secure.
    If you want to continue with cleaning just let me know.
Platypuss
We can check for malware but we cannot make your computer secure. If you want to proceed with cleaning, please run the following scan: