posting logs for malware help



joemagiera
2015-11-05, 00:20
I read the "before you post" and, if I missed something, I apologize in advance for not doing something quite right.

On a Windows XP machine. Problems are an internet browser home page hi-jack, which also opens multiple sub-pages as soon as you go to any web site. Problems started when I downloaded and ran the following software:

KeyFinderInstaller.exe (provides keys for installed software)
-and-
WiFiPasswordRevealerInstaller.exe (provides wifipasswords)

Both this morning (11-4-2015).
Both downloaded from www. magicaljellybean. com (NOT RECOMMENDED!)

One thing I wasn't sure of is whether to post the logs inline in this message or attach. The instructions mention both. I decided to do both. Below (and attached) are the three requested logs, in order:

FRST.txt
Addition.txt
aswMBR.txt

Any questions or actions to take, please let me know. Thank you,

Joe

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:04-11-2015
Ran by Dad (administrator) on JOE (04-11-2015 14:39:15)
Running from C:\Documents and Settings\Dad\My Documents\Downloads
Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.28.15\GoogleCrashHandler.exe
(Teruten) C:\WINDOWS\system32\FsUsbExService.Exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\avastui.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\AT&T tReader\treader.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19523616 2010-05-07] (Realtek Semiconductor Corp.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Alwil Software\Avast5\AvastUI.exe [6111824 2015-08-25] (AVAST Software)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKLM\...\RunOnce: [20150107] => C:\Program Files\Alwil Software\Avast5\setup\emupdate\7dd83ed3-c31e-4525-8913-8cfc68352e80.exe [183232 2015-11-04] (AVAST Software)
HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Run: [treader.exe] => C:\Program Files\AT&T tReader\treader.exe [1304576 2007-10-23] ()
HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [721504 2015-09-02] (Microsoft Corporation)
HKU\S-1-5-21-1390067357-926492609-839522115-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [9216 2008-04-13] (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Alwil Software\Avast5\ashShell.dll [2015-08-11] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.88.1
Tcpip\..\Interfaces\{2C5F3C20-16B4-4DFC-A15E-75825F4A8998}: [DhcpNameServer] 192.168.88.1

Internet Explorer:
==================
HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> DefaultScope {40C1DB81-4E42-4296-B026-A44077934BA1} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7ADRA_en
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {40C1DB81-4E42-4296-B026-A44077934BA1} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7ADRA_en
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll => No File
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-18] (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2015-09-16] (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [2015-08-11] (AVAST Software)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-16] (Oracle Corporation)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll => No File
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll No File
Toolbar: HKLM - No Name - {00011268-E188-40DF-A514-835FCD78B1BF} - No File
Toolbar: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} hxxps://gassl10.vpn.att.com/+CSCOL+/relayp.cab
DPF: {538793D5-659C-4639-A56C-A179AD87ED44} hxxps://missl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} hxxps://usmiclient.vpn.att.com/CACHE/stc/3/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} hxxps://gassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} hxxps://gassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll [2011-08-10] (Belarc, Inc.)
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\itss.dll [2005-05-26] (Microsoft Corporation)
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\itss.dll [2005-05-26] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296
FF NewTab: hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaB0tXUUEeGGlxR1dMclBCMlpQLFYDRH5NL04=
FF DefaultSearchEngine: Default
FF DefaultSearchEngine.US: Default
FF SelectedSearchEngine: Default
FF Homepage: www.google.com (http://www.google.com)
FF Keyword.URL: hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTR0cFME0FB18EURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-17] ()
FF Plugin: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-16] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-16] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1390067357-926492609-839522115-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Dad\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2014-08-27] (Citrix Online)
FF Plugin HKU\S-1-5-21-1390067357-926492609-839522115-1003: @tnt2npapi.com/Plugin -> C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\npTNT2.dll [No File]
FF user.js: detected! => C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js [2015-11-04]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npatgpc.dll [2015-02-04] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Dad\Application Data\mozilla\plugins\npatgpc.dll [2015-02-04] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Dad\Application Data\mozilla\plugins\npMeetingJoinPluginAOCUser.dll [2014-05-01] ()
FF SearchPlugin: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\default.xml [2015-11-04]
FF SearchPlugin: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\search-simple.xml [2015-11-04]
FF Extension: SearchMoreKnow - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-11-06] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2015-11-04] [not signed]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff => not found

Chrome:
=======
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE8TkdGC1dXFg=="
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchURL: Default -> hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTQkcFME0FBloEURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP
CHR Profile: C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-21]
CHR Extension: (YouTube) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-04]
CHR Extension: (Google Search) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-04-18]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-03]
CHR Extension: (Avast Online Security) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-03-25]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-27]
CHR Extension: (Gmail) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-18]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2015-05-28]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [146600 2015-08-11] (AVAST Software)
S3 r_server; C:\WINDOWS\system32\r_server.exe [724992 2004-08-06] () [File not signed]
R2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [560528 2014-03-12] (Cisco Systems, Inc.)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 acsint; C:\WINDOWS\System32\DRIVERS\acsint.sys [40304 2014-03-12] (Cisco Systems, Inc.)
S3 acsmux; C:\WINDOWS\System32\DRIVERS\acsmux.sys [58736 2014-03-12] (Cisco Systems, Inc.)
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24016 2015-08-11] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [76000 2015-08-11] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-08-11] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49776 2015-08-11] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [788784 2015-08-11] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [433264 2015-08-11] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [161472 2015-08-11] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57888 2015-08-11] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [208664 2015-08-11] (AVAST Software)
R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2011-08-09] () [File not signed]
S3 CVirtA; C:\WINDOWS\System32\DRIVERS\CVirtA.sys [5315 2005-05-17] (Cisco Systems, Inc.)
S4 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
R3 FsUsbExDisk; C:\WINDOWS\system32\FsUsbExDisk.SYS [36608 2010-06-14] () [File not signed]
R2 giveio; C:\WINDOWS\system32\drivers\giveio.sys [5248 1996-05-13] () [File not signed]
S3 HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [907456 2001-08-17] (Conexant)
S3 mcdbus; C:\WINDOWS\System32\DRIVERS\mcdbus.sys [116736 2009-02-24] (MagicISO, Inc.) [File not signed]
S3 mirrorv3; C:\WINDOWS\System32\DRIVERS\rminiv3.sys [3328 2010-04-21] (Famatech International Corp.)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
R1 oxmf; C:\WINDOWS\System32\DRIVERS\oxmf.sys [15779 2003-06-26] (Lite-On Technology Corporation.)
S3 Oxmfuf; C:\WINDOWS\System32\DRIVERS\oxmfuf.sys [5111 2003-06-26] (Lite-On Technology Corporation.)
R1 oxpar; C:\WINDOWS\System32\DRIVERS\oxpar.sys [76800 2003-12-25] (Lite-On Technology Corporation.)
S1 oxser; C:\WINDOWS\System32\DRIVERS\oxser.sys [51269 2003-06-26] (Lite-On Technology Corporation.)
S2 RadPciNT; C:\WINDOWS\system32\Drivers\RadPciNT.sys [9417 2000-04-24] (MediaForte Products Pte. Ltd.) [File not signed]
R2 ScFBPNT; C:\WINDOWS\system32\drivers\ScFBPNT.SYS [16288 2000-02-08] () [File not signed]
R3 teamviewervpn; C:\WINDOWS\System32\DRIVERS\teamviewervpn.sys [25088 2012-11-28] (TeamViewer GmbH)
S2 USBRADIO; C:\WINDOWS\System32\Drivers\USBRADIO.sys [49444 2000-03-31] (GemTek Technology Co. LTD.) [File not signed]
R3 WmBEnum; C:\WINDOWS\System32\drivers\WmBEnum.sys [22856 2010-04-27] (Logitech Inc.)
S3 WmFilter; C:\WINDOWS\System32\drivers\WmFilter.sys [37704 2010-04-27] (Logitech Inc.)
S3 WmVirHid; C:\WINDOWS\System32\drivers\WmVirHid.sys [15048 2010-04-27] (Logitech Inc.)
R3 WmXlCore; C:\WINDOWS\System32\drivers\WmXlCore.sys [66632 2010-04-27] (Logitech Inc.)
S3 avpnnic; system32\DRIVERS\avpnnic.sys [X]
S4 IntelIde; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
S3 vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys [X]
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Three Months Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-04 14:36 - 2015-11-04 14:39 - 00000000 ____D C:\FRST
2015-11-04 14:03 - 2015-11-04 14:03 - 00000724 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2015-11-04 13:50 - 2015-11-04 13:50 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVAST Software
2015-11-04 13:48 - 2015-11-04 13:48 - 00000000 ____D C:\WINDOWS\LastGood
2015-11-04 13:46 - 2015-08-11 21:04 - 00788784 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw256.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00433264 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25D.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00208664 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25F.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00161472 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw260.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00076000 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25B.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00057888 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw261.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00055200 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw258.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00049776 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25C.tmp
2015-11-04 13:46 - 2015-08-11 21:04 - 00024016 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw259.tmp
2015-11-04 13:44 - 2015-08-11 21:04 - 00313472 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2015-11-04 13:38 - 2015-11-04 14:03 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134
2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134
2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\SearchMoreKnow
2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\Magical Jelly Bean
2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\KeyFinder
2015-11-04 07:49 - 2015-11-04 07:49 - 00001222 _____ C:\search-simple.xml
2015-10-12 17:25 - 2015-10-12 17:26 - 00000149 _____ C:\Documents and Settings\Dad\Desktop\TV repair.url
2015-10-09 05:59 - 2015-10-09 05:58 - 00069908 ____H C:\WINDOWS\Minidump\Mini100915-01.dmp
2015-10-08 06:19 - 2015-10-08 06:18 - 00069908 ____H C:\WINDOWS\Minidump\Mini100815-01.dmp
2015-10-07 05:55 - 2015-10-07 05:51 - 00069908 ____H C:\WINDOWS\Minidump\Mini100715-01.dmp
2015-09-26 19:27 - 2015-09-26 19:27 - 00000000 ____D C:\Documents and Settings\Dad\Desktop\Old Firefox Data
2015-09-25 20:57 - 2015-09-25 20:57 - 00000118 _____ C:\Documents and Settings\Dad\Desktop\card odds.url
2015-09-24 09:14 - 2015-09-24 09:14 - 00000282 _____ C:\Documents and Settings\Dad\Desktop\cherry master.url
2015-09-22 08:03 - 2015-09-22 08:03 - 00000126 _____ C:\Documents and Settings\Dad\Desktop\A&A John Lewis.url
2015-09-19 11:07 - 2015-09-19 11:12 - 00000000 ____D C:\Documents and Settings\Dad\Application Data\dvdcss
2015-09-18 12:39 - 2015-09-18 12:39 - 00000135 _____ C:\Documents and Settings\Dad\Desktop\website forums3.url
2015-09-18 12:38 - 2015-09-18 12:38 - 00000164 _____ C:\Documents and Settings\Dad\Desktop\website forums.url
2015-09-18 12:38 - 2015-09-18 12:38 - 00000115 _____ C:\Documents and Settings\Dad\Desktop\website forums2.url
2015-09-17 14:20 - 2015-09-17 14:20 - 00000347 _____ C:\Documents and Settings\Dad\My Documents\.htaccess
2015-09-16 05:04 - 2015-09-16 05:04 - 00000000 ____D C:\Program Files\Common Files\Java
2015-09-16 05:03 - 2015-09-16 05:03 - 00000000 ____D C:\Documents and Settings\Dad\.oracle_jre_usage
2015-09-14 18:23 - 2015-09-18 08:39 - 00001692 _____ C:\Documents and Settings\All Users\Start Menu\Full Flush Poker 8.2.lnk
2015-09-14 18:23 - 2015-09-14 18:24 - 00000000 ____D C:\Program Files\Full Flush Poker 8.2
2015-09-14 18:23 - 2015-09-14 18:23 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Full Flush Poker 8.2
2015-08-29 11:03 - 2015-08-29 11:03 - 00000114 _____ C:\Documents and Settings\Dad\Desktop\D&D Surplus.url
2015-08-24 05:53 - 2015-08-24 05:53 - 00000126 _____ C:\Documents and Settings\Dad\Desktop\Quantum front glass.url
2015-08-23 12:19 - 2015-08-23 12:19 - 00000731 _____ C:\Documents and Settings\Dad\Desktop\VLC media player.lnk
2015-08-18 20:35 - 2015-08-18 20:35 - 00000130 _____ C:\Documents and Settings\Dad\Desktop\Windows.url
2015-08-12 17:07 - 2015-08-12 17:08 - 00000246 _____ C:\Documents and Settings\Dad\Desktop\recycle.url
2015-08-11 21:05 - 2015-08-11 21:05 - 00000000 __HDC C:\WINDOWS\$NtUninstallWdf01009$
2015-08-11 21:05 - 2008-11-07 18:55 - 00016928 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsgXP_2k3.dll
2015-08-11 21:04 - 2015-11-04 13:50 - 00130612 _____ C:\WINDOWS\Wdf01009Inst.log
2015-08-11 21:04 - 2015-08-11 21:04 - 00161472 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
2015-08-11 21:04 - 2015-08-11 21:04 - 00043112 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2015-08-10 07:31 - 2015-08-10 07:32 - 00000000 ____D C:\Documents and Settings\Dad\Application Data\pdf995
2015-08-10 07:31 - 2015-08-10 07:31 - 00000028 _____ C:\WINDOWS\pdf995.ini
2015-08-10 07:31 - 2015-08-10 07:31 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Application Data\pdf995
2015-08-10 06:48 - 2007-08-24 10:13 - 00000142 _____ C:\WINDOWS\wpd99.drv
2015-08-10 06:47 - 2015-11-04 13:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\pdf995
2015-08-10 06:47 - 2015-08-10 06:48 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Software995
2015-08-10 06:47 - 2015-08-10 06:47 - 01667072 _____ (TODO: <Company name>) C:\WINDOWS\system32\pdfmona.dll
2015-08-10 06:47 - 2015-08-10 06:47 - 00036864 _____ C:\WINDOWS\system32\pdf995mon.dll

==================== Three Months Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-04 14:40 - 2010-09-05 12:30 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Temp
2015-11-04 14:15 - 2010-09-05 12:15 - 01737484 _____ C:\WINDOWS\WindowsUpdate.log
2015-11-04 14:14 - 2014-08-27 15:56 - 00000510 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1390067357-926492609-839522115-1003.job
2015-11-04 14:03 - 2014-06-03 20:55 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2015-11-04 14:03 - 2014-06-03 20:55 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-11-04 13:56 - 2014-06-04 19:57 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-11-04 13:55 - 2013-10-30 15:41 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-11-04 13:50 - 2014-11-18 09:10 - 00001700 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2015-11-04 13:50 - 2010-12-31 10:00 - 00819640 _____ C:\WINDOWS\setupapi.log
2015-11-04 13:47 - 2012-07-11 15:38 - 00000318 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-11-04 13:42 - 2015-05-30 10:25 - 00000606 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1390067357-926492609-839522115-1003.job
2015-11-04 13:41 - 2001-08-23 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-11-04 13:40 - 2014-06-04 19:57 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-11-04 13:40 - 2014-03-06 22:25 - 00000218 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-11-04 13:40 - 2010-09-05 12:28 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-11-04 13:40 - 2010-09-05 03:58 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-11-04 13:40 - 2010-09-05 03:58 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-11-04 13:39 - 2013-01-15 20:27 - 00000000 ____D C:\Documents and Settings\Administrator
2015-11-04 13:39 - 2010-09-05 12:30 - 00000000 ____D C:\Documents and Settings\Dad
2015-11-04 13:39 - 2010-09-05 12:28 - 00000000 __SHD C:\Documents and Settings\LocalService
2015-11-04 13:39 - 2010-09-05 12:18 - 00000000 __SHD C:\Documents and Settings\NetworkService
2015-11-04 13:39 - 2010-09-05 12:13 - 00000000 ____D C:\WINDOWS\Registration
2015-11-04 13:38 - 2014-02-05 06:16 - 00000000 ____D C:\sys7y6
2015-11-04 13:37 - 2013-06-30 21:56 - 03997696 _____ C:\WINDOWS\system32\config\ACVPN.evt
2015-11-04 13:37 - 2010-09-05 12:28 - 00032640 _____ C:\WINDOWS\SchedLgU.Txt
2015-11-04 09:06 - 2014-10-02 17:46 - 00131072 _____ C:\WINDOWS\system32\config\OAlerts.evt
2015-11-02 21:47 - 2010-09-05 12:30 - 00000178 ___SH C:\Documents and Settings\Dad\ntuser.ini
2015-11-02 14:40 - 2015-02-17 22:36 - 00000000 ____D C:\Program Files\PokerStars
2015-11-01 06:53 - 2010-09-05 03:56 - 01407864 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-10-29 06:05 - 2010-09-05 03:55 - 00176737 _____ C:\WINDOWS\setupact.log
2015-10-26 17:14 - 2010-09-11 09:02 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2015-10-26 06:19 - 2012-11-15 17:22 - 00000000 ____D C:\Program Files\Savings Bond Wizard
2015-10-25 07:41 - 2013-08-12 18:38 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-10-25 07:35 - 2010-09-10 15:47 - 141105520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-10-24 13:59 - 2001-08-23 06:00 - 00000618 _____ C:\WINDOWS\win.ini
2015-10-24 13:57 - 2010-09-05 12:13 - 00000063 _____ C:\WINDOWS\vbaddin.ini
2015-10-17 07:55 - 2013-10-30 15:41 - 00780488 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-10-17 07:55 - 2013-10-30 15:41 - 00142536 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-10-17 07:28 - 2014-03-07 20:11 - 00000000 ____D C:\Program Files\AT&T tReader
2015-10-14 11:33 - 2015-01-07 12:19 - 00003209 _____ C:\Documents and Settings\Dad\Desktop\myAT&T.lnk
2015-10-14 11:33 - 2015-01-07 12:19 - 00000000 ____D C:\Documents and Settings\Dad\Start Menu\Programs\AT&T Connect
2015-10-11 19:45 - 2011-05-03 16:54 - 00000000 ____D C:\Program Files\mIRC
2015-10-09 05:59 - 2011-09-12 16:05 - 00000000 ____D C:\WINDOWS\Minidump
2015-10-08 14:00 - 2014-03-06 22:25 - 00000212 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

==================== Files in the root of some directories =======

2011-12-28 11:20 - 2011-12-28 11:20 - 0002528 _____ () C:\Documents and Settings\Dad\Application Data\$_hpcst$.hpc
2011-12-14 17:16 - 2014-11-15 15:53 - 0003584 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some files in TEMP:
====================
C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll
C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll
C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe
C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe
C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe
C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll
C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe
C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe
C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe
C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe
C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll
C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll
C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe
C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe
C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe
C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll
C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe
C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll
C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe
C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:04-11-2015
Ran by Dad (2015-11-04 14:41:11)
Running from C:\Documents and Settings\Dad\My Documents\Downloads
Microsoft Windows XP Professional Service Pack 3 (X86) (2010-09-05 18:17:31)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1390067357-926492609-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1390067357-926492609-839522115-1006 - Limited - Enabled)
Dad (S-1-5-21-1390067357-926492609-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Dad
Guest (S-1-5-21-1390067357-926492609-839522115-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1390067357-926492609-839522115-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1390067357-926492609-839522115-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.65 (HKLM\...\7-Zip) (Version: - )
Adobe Flash Player 19 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 19.0.0.226 - Adobe Systems Incorporated)
Adobe Flash Player 19 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 19.0.0.226 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Arcade Tournament Manager (HKLM\...\{E27E085D-DAEE-41D1-B047-42DC8A01F545}) (Version: 1.7.4.0 - Danesi Designs)
ArcSoft Camera Suite (HKLM\...\{4677AAF8-8D7A-4EE2-BCE4-0068BB052353}) (Version: - )
Arduino (HKLM\...\Arduino) (Version: 1.6.3 - Arduino LLC)
AT&T Connect Participant Application v9.5.51 (HKLM\...\{E42E8753-9A8E-48E9-9829-B3571D91A945}) (Version: 9.5.51 - AT&T Inc.)
Avast Free Antivirus (HKLM\...\avast) (Version: 10.3.2225 - AVAST Software)
Belarc Advisor 8.2 (HKLM\...\Belarc Advisor) (Version: 8.2.6.0 - Belarc Inc.)
Camera Window (Version: 4.0 - Canon) Hidden
Canon Camera WIA Driver (Version: 5.0.0 - Canon) Hidden
Canon Camera Window for ZoomBrowser EX (HKLM\...\InstallShield_{2D6BDF3A-6BDB-4169-909F-E882F23AB795}) (Version: 4.0 - Canon)
Canon PhotoRecord (HKLM\...\PhotoRecord) (Version: - )
Canon PowerShot S45 WIA Driver (HKLM\...\InstallShield_{25E671BE-87A0-40F1-ABE5-BCBC6E65B0F5}) (Version: 5.0.0 - Canon)
Canon Utilities FileViewerUtility 1.0 (HKLM\...\InstallShield_{0627E8E9-6822-4A5E-9225-286741CDC3E4}) (Version: 1.0 - Canon)
Canon Utilities PhotoStitch 3.1 (HKLM\...\InstallShield_{A3E0FF15-90D5-40CD-8565-B80A433B0D4C}) (Version: 3.1.8 - Canon)
Canon Utilities RemoteCapture 2.6 (HKLM\...\InstallShield_{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}) (Version: 2.6.0 - Your Company Name)
Canon Utilities ZoomBrowser EX (HKLM\...\{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}) (Version: 04.00.00024 - CISRA)
Catan Online World (HKLM\...\Catan Online Welt) (Version: 3.728 - Catan GmbH)
Cisco AnyConnect Secure Mobility Client (HKLM\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.05160 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (Version: 3.1.05160 - Cisco Systems, Inc.) Hidden
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{3D5F07C3-1B93-47F8-9F8A-DE8E47BF1669}) (Version: 1.0.209 - Citrix)
Data Fax SoftModem with SmartCP (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1) (Version: - )
eShield Browser Security (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\{5FD52900-79EB-488E-910D-DDFEB09AC8A6}) (Version: - eShield) <==== ATTENTION
FileViewerUtility 1.0 (Version: 1.0 - Canon) Hidden
Full Flush Poker 8.2 (HKLM\...\Full Flush Poker 8.2) (Version: 8.2.12.201509140800 - Full Flush Poker)
Google Chrome (HKLM\...\Google Chrome) (Version: 46.0.2490.80 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
GoToMeeting 7.4.1.3770 (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\GoToMeeting) (Version: 7.4.1.3770 - CitrixOnline)
H&R Block Deluxe + Efile + State 2014 (HKLM\...\{BDA77C08-60A6-4AAB-B5A9-849ECF399A49}) (Version: 14.05.7401 - HRB Technology, LLC.)
H&R Block Illinois 2014 (HKLM\...\{1B7D02B3-464B-4870-83AF-9FC76A8C8554}) (Version: 1.14.3401 - HRB Technology, LLC.)
High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
Image Resizer Powertoy for Windows XP (HKLM\...\{1CB92574-96F2-467B-B793-5CEB35C40C29}) (Version: 1.00.0001 - Microsoft Corporation)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.10.5273 - Intel Corporation)
Java 8 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation)
Juniper Networks Host Checker (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Neoteris_Host_Checker) (Version: 7.1.0.18193 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Juniper_Setup_Client) (Version: 7.1.2.10059 - Juniper Networks, Inc.)
Juniper Networks, Inc. Setup Client Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
LivePix 1.1 SE (HKLM\...\LivePix) (Version: - )
Logitech Gaming Software 5.10 (HKLM\...\{60D32CDC-E3BE-4578-BA10-29322307CDDC}) (Version: 5.10.127 - Logitech)
MagicDisc 2.7.106 (HKLM\...\MagicDisc 2.7.106) (Version: - )
Max Loader 4.6r (HKLM\...\Max Loader_is1) (Version: - EETools, Inc.)
MeasureUp Certification Preparation (HKLM\...\InstallShield_{B9DF865A-C1BD-4DFD-9FF5-9CA5C6E23415}) (Version: 10.03 - MeasureUp Inc.)
MeasureUp Practice Tests (HKLM\...\InstallShield_{1B53F089-10BA-4538-B977-8CF8A5343E04}) (Version: 10.03 - MeasureUp Inc.)
MeasureUp Practice Tests (Version: 10.03 - MeasureUp Inc.) Hidden
MEET MANAGER 2.0 for Swimming (HKLM\...\{7CE480FF-5B49-490E-BC18-1C663ECC0B61}) (Version: 1.00.0001 - Sports-Tek Software)
MEET MANAGER 3.0 for Swimming (HKLM\...\{ED1D569E-3DA4-4D59-A1C2-80DFF72C962F}) (Version: 1.00.0001 - HY-TEK Sports Software)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Lync 2010 Attendee (HKLM\...\{6F72D695-5188-4484-B21E-E16CD89C4008}) (Version: 4.0.7577.4446 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Visio Professional 2007 (HKLM\...\VISPRO) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Text-to-Speech Engine 4.0 (English) (HKLM\...\MSTTS) (Version: - )
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
mIRC (HKLM\...\mIRC) (Version: - )
Mozilla Firefox 42.0 (x86 en-US) (HKLM\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 42.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Password Safe 1.7.1 (HKLM\...\{9886C963-FB48-4C58-8E75-64816F220D1D}) (Version: 1.7.1 - SBC)
Pdf995 (installed by H&R Block) (HKLM\...\Pdf995) (Version: - )
PdfEdit995 (installed by H&R Block) (HKLM\...\PdfEdit995) (Version: - )
PhotoStitch (Version: 3.1.8 - Canon) Hidden
PokerStars (HKLM\...\PokerStars) (Version: - PokerStars)
Radiator (remove only) (HKLM\...\Radiator) (Version: - )
Radmin Viewer 3.4 (HKLM\...\{2517B7EA-6C03-4D86-A1B1-F3FE1C3BC03B}) (Version: 3.41.0000 - Famatech)
REALTEK GbE & FE Ethernet PCI-E NIC Driver (HKLM\...\{C9BED750-1211-4480-B1A5-718A3BE15525}) (Version: 1.30.0000 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6106 - Realtek Semiconductor Corp.)
Remote Administrator v2.2 (HKLM\...\Remote Administrator v2.2) (Version: - )
RemoteCapture 2.6 (Version: 2.6.0 - Your Company Name) Hidden
Revo Uninstaller Pro 2.5.9 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.9 - VS Revo Group, Ltd.)
Samsung New PC Studio (HKLM\...\InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}) (Version: 1.00.0000 - Samsung Electronics Co., Ltd.)
Samsung New PC Studio (Version: 1.00.0000 - Samsung Electronics Co., Ltd.) Hidden
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.3.650.0 - SAMSUNG Electronics Co., Ltd.)
Savings Bond Wizard (HKLM\...\Savings Bond Wizard) (Version: - )
ScanCraft CS-P (HKLM\...\ScanCraft CS-P) (Version: - )
SecureAuthOTP (HKLM\...\{21CBD08B-1E83-4D4B-B1FE-BB5424245BB5}) (Version: 1.11.0000 - SecureAuth)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
SketchUp 2013 (HKLM\...\{B75BC01B-4586-43F8-9349-D250DB98F26F}) (Version: 13.0.4812 - Trimble Navigation Limited)
SketchUp 2014 (HKLM\...\{A608A8D3-E77C-4BEE-8F2A-F8124F5F0FE2}) (Version: 14.0.4900 - Trimble Navigation Limited)
SmartFTP Client 2.0 (HKLM\...\{C169D3BB-9A27-43F5-9979-09A0D65FE95C}) (Version: 2.0.1000 - SmartFTP)
SmartFTP Client 2.0 Setup Files (remove only) (HKLM\...\SmartFTP Client 2.0 Setup Files) (Version: "2.0" - "SmartFTP")
Snagit 10 (HKLM\...\{5BCC634A-58AD-42F9-B3C6-2EA52F81CF85}) (Version: 10.0.0 - TechSmith Corporation)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
StudioLine Photo (HKLM\...\StudioLine Photo) (Version: - )
TeamViewer 8 (HKLM\...\TeamViewer 8) (Version: 8.0.16642 - TeamViewer)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version: - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )
WinZip 15.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}) (Version: 15.0.9302 - WinZip Computing, S.L. )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{01E0A80A-97FD-4FC2-B75D-C754396CD255}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0BBFE402-CCA1-4f64-9322-13B66D841049}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}\InprocServer32 -> C:\Program Files\TNT2\TNT2UserPS.dll => No File
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{156B30E4-2D3D-4257-A340-9BDD2E972E2E}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\Video2ActiveXWnd.ocx ()
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{2115F58A-CE09-47CC-A0B1-A8A2EC0C5423}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{25D005BF-FE63-4cce-AA25-CE952B1D9381}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{638B203F-8FB6-49ec-A139-AB8C530F0CAB}\MSPowerPoint.dll (TechSmith Corporation)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{48A60FE8-C446-4371-95EB-258B14DCC5AC}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{54050FBB-F2AE-404b-8BFD-7EE3EC784A52}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{18AA4E21-D540-4a3a-9F9F-E6DE33D6F253}\MSExcel.dll (TechSmith Corporation)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe" => No F (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{5A31DC2C-BC50-4F71-93B8-2EC648404AF3}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\Video2ActiveXWnd.ocx ()
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{6B1948B3-9547-42F8-9B37-7AA9768134C4}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{7949C823-54C6-40F0-8D85-2348247E6820}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Utilities\IWMaterials.ocx (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{795B06EA-58E8-482C-AF11-A7E4E34DA16F}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{7A162288-DE78-473C-A6BA-23FF17F768E9}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1440\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{88BE9158-3A40-4907-B2F0-7E72496A9596}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{8A3C5585-D1ED-4EC0-B3C4-94998094E5BB}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{8CC82228-2200-4D22-9859-B762582F6D31}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{CC9F903E-1C4B-4596-B410-982107EC4899}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{DE471660-5535-47A8-949A-9DA95A72951F}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Utilities\IWMaterials.ocx (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{E169D2B5-9411-47B9-A473-345A3FB57090}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{F4A2332C-B453-4424-A142-AB9C51BAE2AF}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{F8ACB9F2-2A7D-4261-AA37-A39448C23CAE}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\dsoframer.ocx (AT&T Inc.)

==================== Restore Points =========================

06-08-2015 21:33:44 System Checkpoint
06-08-2015 22:31:01 Software Distribution Service 3.0
07-08-2015 22:48:46 System Checkpoint
07-08-2015 23:35:54 Software Distribution Service 3.0
08-08-2015 22:14:06 Software Distribution Service 3.0
09-08-2015 22:37:28 Software Distribution Service 3.0
10-08-2015 06:48:03 Printer Driver PDF995 Printer Driver Installed
10-08-2015 22:19:20 Software Distribution Service 3.0
11-08-2015 21:04:01 avast! antivirus system restore point
11-08-2015 21:05:39 Installed Windows XP Wdf01009.
11-08-2015 22:03:06 Software Distribution Service 3.0
12-08-2015 21:55:05 Software Distribution Service 3.0
12-08-2015 23:14:20 Software Distribution Service 3.0
13-08-2015 21:48:31 Software Distribution Service 3.0
14-08-2015 05:24:09 Software Distribution Service 3.0
14-08-2015 22:43:58 Software Distribution Service 3.0
15-08-2015 23:08:27 System Checkpoint
16-08-2015 02:00:17 Software Distribution Service 3.0
16-08-2015 21:10:45 Software Distribution Service 3.0
17-08-2015 21:19:39 System Checkpoint
17-08-2015 21:37:32 Software Distribution Service 3.0
17-08-2015 22:00:48 Software Distribution Service 3.0
17-08-2015 22:32:23 Software Distribution Service 3.0
18-08-2015 21:47:58 Software Distribution Service 3.0
18-08-2015 21:55:59 Software Distribution Service 3.0
18-08-2015 22:16:55 Software Distribution Service 3.0
19-08-2015 05:48:08 Software Distribution Service 3.0
19-08-2015 06:18:04 Software Distribution Service 3.0
19-08-2015 06:25:38 Software Distribution Service 3.0
19-08-2015 19:24:33 Software Distribution Service 3.0
19-08-2015 19:55:52 Software Distribution Service 3.0
19-08-2015 21:43:31 Software Distribution Service 3.0
20-08-2015 21:29:27 Software Distribution Service 3.0
21-08-2015 22:15:46 Software Distribution Service 3.0
21-08-2015 22:18:40 Software Distribution Service 3.0
22-08-2015 22:45:35 System Checkpoint
23-08-2015 02:00:16 Software Distribution Service 3.0
23-08-2015 21:06:47 Software Distribution Service 3.0
24-08-2015 21:43:56 Software Distribution Service 3.0
24-08-2015 22:19:04 Software Distribution Service 3.0
25-08-2015 10:17:39 Software Distribution Service 3.0
25-08-2015 22:19:44 Software Distribution Service 3.0
26-08-2015 19:39:01 Software Distribution Service 3.0
26-08-2015 21:23:34 Software Distribution Service 3.0
27-08-2015 21:51:18 Software Distribution Service 3.0
28-08-2015 19:32:16 Software Distribution Service 3.0
28-08-2015 22:49:37 Software Distribution Service 3.0
29-08-2015 15:06:00 Software Distribution Service 3.0
30-08-2015 02:00:16 Software Distribution Service 3.0
30-08-2015 22:06:42 Software Distribution Service 3.0
31-08-2015 21:26:35 Software Distribution Service 3.0
01-09-2015 21:49:26 System Checkpoint
01-09-2015 22:00:56 Software Distribution Service 3.0
02-09-2015 21:35:59 Software Distribution Service 3.0
02-09-2015 21:42:06 Software Distribution Service 3.0
03-09-2015 07:35:43 Software Distribution Service 3.0
03-09-2015 07:42:52 Software Distribution Service 3.0
03-09-2015 22:02:08 Software Distribution Service 3.0
04-09-2015 22:01:23 Software Distribution Service 3.0
05-09-2015 22:06:04 Software Distribution Service 3.0
05-09-2015 22:11:03 Software Distribution Service 3.0
05-09-2015 22:16:39 Software Distribution Service 3.0
05-09-2015 22:18:13 Software Distribution Service 3.0
06-09-2015 11:27:13 Software Distribution Service 3.0
06-09-2015 22:03:20 Software Distribution Service 3.0
07-09-2015 22:08:30 Software Distribution Service 3.0
08-09-2015 21:53:50 Software Distribution Service 3.0
09-09-2015 21:20:20 Software Distribution Service 3.0
09-09-2015 21:22:30 Software Distribution Service 3.0
10-09-2015 05:02:39 Software Distribution Service 3.0
10-09-2015 22:18:21 Software Distribution Service 3.0
11-09-2015 22:21:48 Software Distribution Service 3.0
12-09-2015 22:49:51 Software Distribution Service 3.0
13-09-2015 22:17:29 Software Distribution Service 3.0
14-09-2015 08:01:30 Software Distribution Service 3.0
14-09-2015 08:18:31 Software Distribution Service 3.0
14-09-2015 09:27:38 Software Distribution Service 3.0
14-09-2015 09:46:20 Software Distribution Service 3.0
14-09-2015 10:00:52 Software Distribution Service 3.0
14-09-2015 20:01:00 Software Distribution Service 3.0
15-09-2015 20:11:08 System Checkpoint
15-09-2015 21:46:14 Software Distribution Service 3.0
16-09-2015 08:23:25 Software Distribution Service 3.0
16-09-2015 21:38:56 Software Distribution Service 3.0
17-09-2015 21:36:51 Software Distribution Service 3.0
18-09-2015 22:11:16 System Checkpoint
18-09-2015 22:13:45 Software Distribution Service 3.0
19-09-2015 21:03:09 Software Distribution Service 3.0
20-09-2015 06:04:34 Software Distribution Service 3.0
20-09-2015 22:36:11 Software Distribution Service 3.0
21-09-2015 09:21:00 Software Distribution Service 3.0
21-09-2015 09:28:43 Software Distribution Service 3.0
21-09-2015 09:29:24 Software Distribution Service 3.0
21-09-2015 10:42:42 Software Distribution Service 3.0
21-09-2015 21:05:13 Software Distribution Service 3.0
22-09-2015 21:48:01 Software Distribution Service 3.0
23-09-2015 07:40:23 Software Distribution Service 3.0
23-09-2015 21:48:45 Software Distribution Service 3.0
24-09-2015 05:01:25 Software Distribution Service 3.0
24-09-2015 22:16:34 Software Distribution Service 3.0
25-09-2015 21:00:01 Software Distribution Service 3.0
25-09-2015 21:02:39 Software Distribution Service 3.0
26-09-2015 05:09:09 Software Distribution Service 3.0
26-09-2015 21:49:19 Software Distribution Service 3.0
27-09-2015 22:46:30 Software Distribution Service 3.0
28-09-2015 21:37:54 Software Distribution Service 3.0
29-09-2015 20:38:46 Software Distribution Service 3.0
29-09-2015 21:44:19 Software Distribution Service 3.0
30-09-2015 20:07:52 Software Distribution Service 3.0
01-10-2015 20:12:48 System Checkpoint
01-10-2015 21:47:44 Software Distribution Service 3.0
02-10-2015 22:08:36 Software Distribution Service 3.0
03-10-2015 23:02:14 Software Distribution Service 3.0
04-10-2015 21:47:21 Software Distribution Service 3.0
06-10-2015 06:00:12 System Checkpoint
07-10-2015 06:37:02 System Checkpoint
08-10-2015 10:01:48 System Checkpoint
09-10-2015 10:37:38 System Checkpoint
10-10-2015 10:56:48 System Checkpoint
11-10-2015 11:07:52 System Checkpoint
12-10-2015 12:01:50 System Checkpoint
13-10-2015 13:00:19 System Checkpoint
14-10-2015 15:08:02 System Checkpoint
15-10-2015 15:09:19 System Checkpoint
17-10-2015 07:10:13 System Checkpoint
18-10-2015 07:58:04 System Checkpoint
19-10-2015 08:53:12 System Checkpoint
20-10-2015 09:00:04 System Checkpoint
21-10-2015 09:32:27 System Checkpoint
22-10-2015 19:48:01 System Checkpoint
24-10-2015 08:14:38 System Checkpoint
24-10-2015 13:56:12 Software Distribution Service 3.0
25-10-2015 07:23:03 Software Distribution Service 3.0
25-10-2015 07:25:08 Software Distribution Service 3.0
25-10-2015 07:35:03 Software Distribution Service 3.0
25-10-2015 07:53:53 Software Distribution Service 3.0
25-10-2015 08:26:12 Software Distribution Service 3.0
25-10-2015 08:39:05 Software Distribution Service 3.0
25-10-2015 21:47:11 Software Distribution Service 3.0
26-10-2015 05:25:03 Software Distribution Service 3.0
26-10-2015 17:13:54 Software Distribution Service 3.0
27-10-2015 17:23:22 System Checkpoint
28-10-2015 17:50:16 System Checkpoint
29-10-2015 18:35:42 System Checkpoint
31-10-2015 11:55:54 System Checkpoint
01-11-2015 14:10:18 System Checkpoint
02-11-2015 16:12:44 System Checkpoint
03-11-2015 18:02:17 System Checkpoint
04-11-2015 13:37:42 Restore Operation
04-11-2015 13:41:47 avast! antivirus system restore point
04-11-2015 13:50:21 Installed Windows XP Wdf01009.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2001-08-23 06:00 - 2015-08-04 05:58 - 00000859 ____N C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 localhost
144.160.5.48 missl9.vpn.att.com
144.160.7.171 usmiclient.vpn.att.com

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\Alwil Software\Avast5\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1390067357-926492609-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\3770\g2mupdate.exe
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1390067357-926492609-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\3770\g2mupload.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (Whitelisted) ==============

2014-03-12 14:53 - 2014-03-12 14:53 - 00063376 _____ () C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\zlib1.dll
2015-05-28 20:06 - 2015-08-11 21:04 - 00102864 _____ () C:\Program Files\Alwil Software\Avast5\log.dll
2015-05-28 20:06 - 2015-08-11 21:04 - 00123976 _____ () C:\Program Files\Alwil Software\Avast5\JsonRpcServer.dll
2015-11-03 06:01 - 2015-11-03 06:01 - 03014608 _____ () C:\Program Files\Alwil Software\Avast5\defs\15110300\algo.dll
2015-11-04 13:51 - 2015-11-04 13:51 - 02989568 _____ () C:\Program Files\Alwil Software\Avast5\defs\15110400\algo.dll
2013-09-04 23:14 - 2013-09-04 23:14 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2012-05-23 16:05 - 2009-08-16 16:06 - 00141312 _____ () C:\Program Files\WinRAR\rarext.dll
2015-08-10 06:47 - 2015-08-10 06:47 - 00036864 _____ () C:\WINDOWS\system32\pdf995mon.dll
2013-02-17 21:21 - 2012-11-28 11:50 - 00018856 _____ () C:\WINDOWS\System32\spool\PRTPROCS\W32X86\TeamViewer_PrintProcessor.dll
2015-03-13 16:23 - 2015-05-28 20:07 - 40540672 _____ () C:\Program Files\Alwil Software\Avast5\libcef.dll
2014-03-07 20:11 - 2007-10-23 16:24 - 01304576 _____ () C:\Program Files\AT&T tReader\treader.exe
2014-03-07 20:11 - 2007-10-23 16:24 - 00434688 _____ () C:\Program Files\AT&T tReader\theme.dll
2015-10-17 07:55 - 2015-10-17 07:55 - 17599688 _____ () C:\WINDOWS\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\att.com -> hxxps://*.vpn.att.com
IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\fixme.it -> hxxps://fixme.it
IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\fujitsu.com -> hxxps://sslvpn2.fai.fujitsu.com
IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\measureup.com -> measureup.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1390067357-926492609-839522115-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 192.168.88.1
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\mIRC\mirc.exe] => Enabled:mIRC
StandardProfile\AuthorizedApplications: [C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe] => Enabled:SmartFTP Client 2.0
StandardProfile\AuthorizedApplications: [C:\Hy-Sport\SwMM2\SwimMM2.exe] => Enabled:Swim Meet Manager
StandardProfile\AuthorizedApplications: [D:\C_2010_09_04\Program Files\mIRC\mirc.exe] => Enabled:mIRC
StandardProfile\AuthorizedApplications: [C:\Program Files\NetAcquire\NetAcquire.exe] => Enabled:Play the Acquire board game on the Internet.
StandardProfile\AuthorizedApplications: [C:\Program Files\AT&T Global Network Client\SwiApiMux.exe] => Enabled:SwiApiMux
StandardProfile\AuthorizedApplications: [C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe] => Enabled:KTF MUSIC AoD Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe] => Enabled:KTF MUSIC VoD Server
StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Enabled:Yahoo! Messenger
StandardProfile\AuthorizedApplications: [D:\Program Files\Savings Bond Wizard\SBWizard.exe] => Enabled:Savings Bond Wizard
StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version8\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe] => Enabled:Teamviewer Remote Control Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\GROOVE.EXE] => Enabled:Microsoft SharePoint Workspace
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE] => Enabled:Microsoft OneNote
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft Lync Attendee\AttendeeCommunicator.exe] => Enabled:Lync Attendee
StandardProfile\AuthorizedApplications: [C:\Program Files\Arduino\java\bin\javaw.exe] => Enabled:Java(TM) Platform SE binary
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:'Firefox' (C:\Program Files\Mozilla Firefox)
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [5985:TCP] => Disabled:Windows Remote Management
StandardProfile\GloballyOpenPorts: [80:TCP] => Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008

==================== Faulty Device Manager Devices =============

Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
The content index cannot be read. (0xc0041800)

Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index cannot be read. (0xc0041800)

Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index cannot be read. (0xc0041800)

Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index. The service will attempt to automatically correct this problem by rebuilding the index.

Context: Windows Application, SystemIndex Catalog

Details:
0xc0041801 (0xc0041801)

Error: (10/30/2015 05:13:59 AM) (Source: Microsoft Office 14) (EventID: 1000) (User: )
Description: Faulting application outlook.exe, version 14.0.7160.5000, stamp 55fb0b2c, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x178bcc58.

Error: (10/28/2015 06:00:46 AM) (Source: Windows Search Service) (EventID: 3024) (User: )
Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

Context: Application, SystemIndex Catalog

Error: (10/26/2015 10:28:52 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
Description: office12proofingtoolswinword.exe14.0.7155.5001mssp7en.dll14.0.7107.50001033ignoreonceNILNILNILNIL

Error: (10/26/2015 10:28:51 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
Description: office12proofingtoolswinword.exe14.0.7155.5001msgr3en.dll3.1.0.175191033ignoreonceNILNILNILNIL

Error: (10/26/2015 10:28:51 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
Description: office12proofingtoolswinword.exe14.0.7149.5000msgr3en.dll3.1.0.175191033acceptsuggestionNILNILNILNIL

Error: (10/26/2015 10:28:51 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
Description: office12proofingtoolswinword.exe14.0.7149.5000mssp7en.dll14.0.7107.50001033acceptcsssuggestionNILNILNILNIL


System errors:
=============
Error: (11/04/2015 01:41:12 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

Error: (11/04/2015 01:40:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The RadPciNT service failed to start due to the following error:
%%55

Error: (11/04/2015 01:40:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Java Quick Starter service failed to start due to the following error:
%%2

Error: (11/04/2015 01:40:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The GemTek USB FM Radio 21 driver service failed to start due to the following error:
%%1058

Error: (11/04/2015 01:40:47 PM) (Source: 0) (EventID: 2) (User: )
Description:

Error: (11/04/2015 01:26:01 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Service Mgr SearchMoreKnow service hung on starting.

Error: (11/04/2015 01:24:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The RadPciNT service failed to start due to the following error:
%%55

Error: (11/04/2015 01:24:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Java Quick Starter service failed to start due to the following error:
%%2

Error: (11/04/2015 01:24:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The GemTek USB FM Radio 21 driver service failed to start due to the following error:
%%1058

Error: (11/04/2015 01:24:26 PM) (Source: 0) (EventID: 2) (User: )
Description:


==================== Memory info ===========================

Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz
Percentage of memory in use: 83%
Total physical RAM: 2009.74 MB
Available physical RAM: 337.37 MB
Total Virtual: 3902.79 MB
Available Virtual: 2250.35 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:298.09 GB) (Free:231.83 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:298.09 GB) (Free:118.69 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: C5ABC5AB)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: 3F0C8D80)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2015-11-04 14:43:13
-----------------------------
14:43:13.515 OS Version: Windows 5.1.2600 Service Pack 3
14:43:13.515 Number of processors: 2 586 0x170A
14:43:13.515 ComputerName: JOE UserName: Dad
14:43:17.812 Initialize success
14:43:17.843 VM: initialized successfully
14:43:17.843 VM: Intel CPU virtualization not supported
14:43:30.000 AVAST engine defs: 15110400
14:43:38.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
14:43:38.968 Disk 0 Vendor: WDC_WD3200AAJB-00WGA0 00.02C01 Size: 305245MB BusType: 3
14:43:38.984 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
14:43:38.984 Disk 1 Vendor: WDC_WD3200AAJB-00WGA0 00.02C01 Size: 305245MB BusType: 3
14:43:39.171 Disk 0 MBR read successfully
14:43:39.171 Disk 0 MBR scan
14:43:39.296 Disk 0 Windows XP default MBR code
14:43:39.296 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305242 MB offset 63
14:43:39.312 Disk 0 default boot code
14:43:39.312 Disk 0 scanning sectors +625137345
14:43:39.390 Disk 0 scanning C:\WINDOWS\system32\drivers
14:44:05.843 Service scanning
14:44:42.203 Modules scanning
14:44:42.218 Disk 0 trace - called modules:
14:44:42.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:44:42.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5dbab8]
14:44:42.234 3 CLASSPNP.SYS[b98e8fd7] -> nt!IofCallDriver -> \Device\00000071[0x8a60ef18]
14:44:42.234 5 ACPI.sys[b977f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a5f6d98]
14:44:45.578 AVAST engine scan C:\WINDOWS
14:45:40.781 AVAST engine scan C:\WINDOWS\system32
14:52:30.937 AVAST engine scan C:\WINDOWS\system32\drivers
14:53:08.515 AVAST engine scan C:\Documents and Settings\Dad
15:40:56.968 AVAST engine scan C:\Documents and Settings\All Users
15:45:07.546 Disk 0 statistics 2879708/0/0 @ 0.47 MB/s
15:45:07.562 Scan finished successfully
15:46:20.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dad\My Documents\Downloads\MBR.dat"
15:46:20.578 The log file has been saved successfully to "C:\Documents and Settings\Dad\My Documents\Downloads\aswMBR.txt"

(END LOGS)

Juliet
2015-11-05, 02:31
eShield Browser Security <== please go to the add/remove programs list and uninstall/remove this



Please go to one of the below sites to scan the following files:
Virus Total (Recommended) (http://www.virustotal.com/)
jotti.org (http://virusscan.jotti.org/)
VirScan (http://virscan.org/)
click on Browse, search for and upload the following file for analysis:

C:\WINDOWS\system32\r_server.exe


Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.


~~~~~~~~~~~~~~~~~~~
Running from C:\Documents and Settings\Dad\My Documents\Downloads

It's best we move Farbar's to desktop.

Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.


Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right click on it and select copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).


https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG




start
CreateRestorePoint:
CloseProcesses:
URLSearchHook: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {40C1DB81-4E42-4296-B026-A44077934BA1} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll => No File
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll No File
Toolbar: HKLM - No Name - {00011268-E188-40DF-A514-835FCD78B1BF} - No File
Toolbar: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF NewTab: hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaB0tXUUEeGGlxR1dMclBCMlpQLFYDRH5NL04=
FF Keyword.URL: hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTR0cFME0FB18EURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
FF user.js: detected! => C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js [2015-11-04]
FF Extension: SearchMoreKnow - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] [not signed]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff => not found
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE8TkdGC1dXFg=="
CHR DefaultSearchURL: Default -> hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTQkcFME0FBloEURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP
2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134
2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134
2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\SearchMoreKnow
C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll
C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll
C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe
C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe
C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe
C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll
C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe
C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe
C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe
C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe
C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll
C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll
C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe
C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe
C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe
C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll
C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe
C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll
C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe
C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}\InprocServer32 -> C:\Program Files\TNT2\TNT2UserPS.dll => No File
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe" => No F (the data entry has 3 more characters).
EmptyTemp:
Hosts:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) and save the file to your Desktop.
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.


~~
please post
File requested scanned
Fixlog.txt
AdwCleaner[CX].txt
JRT.txt

joemagiera
2015-11-05, 05:54
>please post
File requested scanned
Fixlog.txt
AdwCleaner[CX].txt
JRT.txt

>eShield Browser Security <== please go to the add/remove programs list and uninstall/remove this

I did this and got a message along the lines of “uninstall failed, it may have already been uninstalled”.

>Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
click on Browse, search for and upload the following file for analysis:
C:\WINDOWS\system32\r_server.exe
Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
Please post the results in your next reply.

Results:

SHA256: c16db9cdf09b66b402dce462aecce3f400ed14a39b6a216220ef24232ec67297
File name: r_server.exe
Detection ratio: 23 / 54
Analysis date: 2015-11-05 02:33:54 UTC ( 1 minute ago )

Antivirus Result Update
AVG RemoteAdmin.AU 20151105
AhnLab-V3 Trojan/Win32.Radmin 20151104
Antiy-AVL Trojan[RemoteAdmin:not-a-virus]/Win32.RAdmin 20151105
Avast Win32:Radmin-BV [PUP] 20151105
Avira SPR/RServer.1 20151105
Baidu-International Malware.Win32.Radmin.40 20151104
Comodo UnclassifiedMalware 20151105
Cyren W32/RemoteAdmin.HKXT-5475 20151105
ESET-NOD32 Win32/RAdmin.22 potentially unsafe 20151105
F-Prot W32/RemoteAdmin.K 20151105
Fortinet Riskware/RemoteAdmin 20151105
Jiangmin AdWare/RAdmin.b 20151104
K7AntiVirus Riskware ( 0040eff71 ) 20151104
K7GW Riskware ( 0040eff71 ) 20151104
Kaspersky not-a-virus:RemoteAdmin.Win32.RAdmin.22 20151105
McAfee RemAdm-Generic 20151105
McAfee-GW-Edition RemAdm-Generic 20151105
NANO-Antivirus Riskware.Win32.RAdmin.fzut 20151105
Rising PE:Trojan.Win32.Generic.11E3B80D!300136461 [F] 20151104
Sophos RemoteAdmin (PUA) 20151105
Symantec Remacc.Radmin 20151104
VIPRE Radmin (not malicious) 20151104
ViRobot Trojan.Win32.S.Agent.724992.BQ[h] 20151104
ALYac 20151105
AVware 20151104
Ad-Aware 20151105
AegisLab 20151104
Agnitum 20151104
Alibaba 20151104
Arcabit 20151105
BitDefender 20151105
Bkav 20151104
ByteHero 20151105
CAT-QuickHeal 20151103
CMC 20151102
ClamAV 20151103
DrWeb 20151105
Emsisoft 20151105
F-Secure 20151105
GData 20151105
Ikarus 20151105
Malwarebytes 20151105
MicroWorld-eScan 20151105
Microsoft 20151104
Panda 20151104
SUPERAntiSpyware 20151105
Tencent 20151105
TheHacker 20151103
TrendMicro 20151105
TrendMicro-HouseCall 20151105
VBA32 20151104
Zillya 20151104
Zoner 20151105
nProtect 20151104

(END)

>It's best we move Farbar's to desktop.

Completed.

>Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Completed. Fixlog.txt attached and listed below:

Fix result of Farbar Recovery Scan Tool (x86) Version:04-11-2015
Ran by Dad (2015-11-04 20:10:39) Run:2
Running from C:\Documents and Settings\Dad\Desktop
Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
URLSearchHook: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {40C1DB81-4E42-4296-B026-A44077934BA1} URL =
SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll => No File
Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll No File
Toolbar: HKLM - No Name - {00011268-E188-40DF-A514-835FCD78B1BF} - No File
Toolbar: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF NewTab: hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaB0tXUUEeGGlxR1dMclBCMlpQLFYDRH5NL04=
FF Keyword.URL: hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTR0cFME0FB18EURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
FF user.js: detected! => C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js [2015-11-04]
FF Extension: SearchMoreKnow - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] [not signed]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff => not found
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE8TkdGC1dXFg=="
CHR DefaultSearchURL: Default -> hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTQkcFME0FBloEURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP
2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134
2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134
2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\SearchMoreKnow
C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll
C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll
C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe
C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe
C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe
C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll
C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe
C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe
C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe
C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe
C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll
C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll
C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe
C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe
C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe
C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll
C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe
C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe
C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll
C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe
C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe
C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}\InprocServer32 -> C:\Program Files\TNT2\TNT2UserPS.dll => No File
CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe" => No F (the data entry has 3 more characters).
EmptyTemp:
Hosts:
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\ => value not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{40C1DB81-4E42-4296-B026-A44077934BA1} => key not found.
HKCR\CLSID\{40C1DB81-4E42-4296-B026-A44077934BA1} => key not found.
HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208} => key not found.
"HKCR\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} => value removed successfully.
"HKCR\CLSID\{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{00011268-E188-40DF-A514-835FCD78B1BF} => value removed successfully.
HKCR\CLSID\{00011268-E188-40DF-A514-835FCD78B1BF} => key not found.
HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
Firefox "newtab" removed successfully.
Firefox "Keyword.URL" removed successfully.
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js => moved successfully
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] => not found.
HKLM\Software\Mozilla\Firefox\Extensions\\jqs@sun.com => value removed successfully.
Chrome RestoreOnStartup => removed successfully.
Chrome DefaultSearchURL => removed successfully.
Chrome DefaultSearchKeyword => removed successfully.
CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP => Error: No automatic fix found for this entry.
C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134 => moved successfully
C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134 => moved successfully
C:\Program Files\SearchMoreKnow => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe => moved successfully
C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe => moved successfully
"HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}" => key removed successfully.
"HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}" => key removed successfully.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 5.1 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 20:18:17 ====

>AdwCleaner
• Please download AdwCleaner and save the file to your Desktop.
• Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
• Follow the prompts.
• Click Scan.
• Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
• Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
• Follow the prompts and allow your computer to reboot.
• After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.
Had a little trouble on this one. As best I know, my PC’s administrator account did not have a password. But when I tried to run as admin, it said password failed. My PC reports that my account is an admin account. So I couldn’t run this under the administrator account. I ran it under the “dad” account which is supposed to be an administrator level. Completed. Log:
# AdwCleaner v5.017 - Logfile created 04/11/2015 at 21:00:25
# Updated 03/11/2015 by Xplode
# Database : 2015-11-03.2 [Server]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Dad - JOE
# Running from : C:\Documents and Settings\Dad\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum
***** [ Services ] *****
***** [ Folders ] *****
***** [ Files ] *****
[-] File Deleted : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\search-simple.xml
[-] File Deleted : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\yahoo.xml
[-] File Deleted : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\default.xml
***** [ DLLs ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
[-] Key Deleted : HKCU\SOFTWARE\MOZILLAPLUGINS\@tnt2npapi.com/Plugin
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00011268-E188-40DF-A514-835FCD78B1BF}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00011268-E188-40DF-A514-835FCD78B1BF}
[-] Key Deleted : HKCU\Software\Yahoo\Companion
[-] Key Deleted : HKCU\Software\Yahoo\YFriendsBar
[-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
[-] Key Deleted : HKLM\SOFTWARE\SmartPCFixer
[-] Key Deleted : HKU\.DEFAULT\Software\Yahoo\Companion
[!] Key Not Deleted : HKU\S-1-5-18\Software\Yahoo\Companion
***** [ Web browsers ] *****
[-] [C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA18DB0VXfWFoKB8fHGZGIUtbCXQeU1BoLlZP");
[-] [C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : searchinterneat-a.akamaihd.net
*************************
:: "Tracing" keys removed
:: Winsock settings cleared
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2396 bytes] ##########
>Please download Junkware Removal Tool to your desktop.
• Shut down your protection software now to avoid potential conflicts.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.
Completed. Log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Microsoft Windows XP x86
Ran by Dad on Wed 11/04/2015 at 21:41:18.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Tasks
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Chrome
[C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - default search provider reset
[C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
[C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
[C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/04/2015 at 21:44:11.42
End of JRT log
All items completed. All logs attached. Thank you very much for the help so far. Please advise on next steps.
Joe
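
The AdwCleaner and FRST output above show exactly where this hijack lived: a Firefox user.js and prefs.js setting browser.startup.homepage, the new-tab and keyword.URL prefs, and Chrome's startup URL and default search provider. The script below is an added example, not code from this thread or from any of the tools used in it: it reads those same settings and reports any whose target host is outside an allowlist of hosts the owner expects. The allowlist, the sample user.js/prefs.js/Preferences contents and their query strings are constructed for the demonstration, and the Chrome Preferences key layout it assumes (session.startup_urls, default_search_provider.search_url and .keyword) is that of older Chrome profiles like the one in the log; newer versions store this differently.

```python
import json
import re
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlparse

# Constructed allowlist: hosts the machine's owner expects as homepage, new-tab
# and search targets. Anything else found in the checked settings is reported.
EXPECTED_HOSTS = {"www.google.com", "google.com", "duckduckgo.com", "about:home", "about:blank"}

# Firefox prefs the hijack in this thread overwrote (homepage, new tab, keyword
# search), plus the default engine name.
FIREFOX_PREFS_OF_INTEREST = {
    "browser.startup.homepage",
    "browser.newtab.url",
    "keyword.URL",
    "browser.search.defaultenginename",
}

# Matches a string-valued user_pref("name", "value"); line, allowing backslash escapes.
_USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')


def parse_firefox_prefs(text: str) -> Dict[str, str]:
    """Return {name: value} for every string-valued user_pref() line in prefs.js/user.js."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _USER_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def host_of(value: str) -> str:
    """Hostname of a URL-valued setting; bare keywords and about: pages are returned as-is."""
    if "://" not in value:
        return value
    return (urlparse(value).hostname or value).lower()


def check_firefox(prefs_js: str, user_js: str) -> List[str]:
    """Report interesting Firefox prefs whose target host is outside the allowlist."""
    findings: List[str] = []
    # user.js is re-applied at every start and overrides prefs.js, which is why a
    # homepage "fixed" in the browser UI keeps coming back; it is checked first on purpose.
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        for name, value in parse_firefox_prefs(text).items():
            if name in FIREFOX_PREFS_OF_INTEREST and host_of(value) not in EXPECTED_HOSTS:
                findings.append(f"firefox {source}: {name} -> {host_of(value)}")
    return findings


def check_chrome(preferences_json: str) -> List[str]:
    """Report Chrome startup URLs and default search provider outside the allowlist.

    Assumes the older 'Preferences' layout (session.startup_urls and
    default_search_provider.search_url/keyword) seen on the profile in this thread.
    """
    findings: List[str] = []
    prefs = json.loads(preferences_json)
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in EXPECTED_HOSTS:
            findings.append(f"chrome session.startup_urls -> {host_of(url)}")
    provider = prefs.get("default_search_provider", {})
    for key in ("search_url", "keyword"):
        value = provider.get(key)
        if value and host_of(value) not in EXPECTED_HOSTS:
            findings.append(f"chrome default_search_provider.{key} -> {host_of(value)}")
    return findings


def scan_profile_dirs(firefox_profile: str, chrome_profile: str) -> List[str]:
    """Run both checks against on-disk profile directories, tolerating missing files."""
    ff, ch = Path(firefox_profile), Path(chrome_profile)

    def read(p: Path) -> str:
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""

    findings = check_firefox(read(ff / "prefs.js"), read(ff / "user.js"))
    chrome_prefs = read(ch / "Preferences")
    if chrome_prefs:
        findings += check_chrome(chrome_prefs)
    return findings


# Constructed samples modelled on the entries AdwCleaner and FRST removed above;
# the eq= query strings are placeholders, not the real ones from the log.
SAMPLE_USER_JS = """// constructed user.js as dropped by the hijacker
user_pref("browser.startup.homepage", "http://searchinterneat-a.akamaihd.net/h?eq=CONSTRUCTED");
user_pref("browser.newtab.url", "http://searchinterneat-a.akamaihd.net/t?eq=CONSTRUCTED");
user_pref("keyword.URL", "http://searchinterneat-a.akamaihd.net/s?eq=CONSTRUCTED&q=");
"""
SAMPLE_PREFS_JS = """user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("browser.download.lastDir", "C:\\\\Documents and Settings\\\\Dad\\\\Downloads");
"""
SAMPLE_CHROME_PREFERENCES = """{
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://searchinterneat-a.akamaihd.net/h?eq=CONSTRUCTED"]},
  "default_search_provider": {"keyword": "searchinterneat-a.akamaihd.net",
                              "search_url": "http://searchinterneat-a.akamaihd.net/s?eq=CONSTRUCTED&q={searchTerms}"}
}"""

if __name__ == "__main__":
    for finding in check_firefox(SAMPLE_PREFS_JS, SAMPLE_USER_JS) + check_chrome(SAMPLE_CHROME_PREFERENCES):
        print(finding)
```

Run against a real machine with scan_profile_dirs(firefox_profile_dir, chrome_profile_dir); the point of checking user.js separately is that it is the file the browser's own settings UI never shows, so a hijack there survives every "reset homepage" the user does in the browser.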

Juliet
2015-11-05, 13:52
Please just post log results, no need to include my instructions.

NOTE: It is good practice to copy and paste the instructions into notepad and save to desktop and/or print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.
~~~~~~~~~~~~~~~~~~~~~~~


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail.
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).



start
CloseProcesses:
S3 r_server; C:\WINDOWS\system32\r_server.exe [724992 2004-08-06] () [File not signed]
C:\WINDOWS\system32\r_server.exe
EmptyTemp:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~

Download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) TO YOUR DESKTOP

Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"

http://i24.photobucket.com/albums/c30/ken545/0841859c-1a35-4dbd-b41a-e720629e3e22_zpst0yckuua.png

On the Dashboard click on Update Now

Go to the Setting Tab

Under Setting go to Detection and Protection

Under PUP and PUM make sure both are set to show Treat Detections as Malware

Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked

Then on the Dashboard click on Scan

Make sure to select THREAT SCAN

Then click on Scan

When the scan is finished and the log pops up...select Copy to Clipboard

Please paste the log back into this thread for review

Exit Malwarebytes


After the restart once you are back at your desktop, open MBAM once more.
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Copy to Clipboard'
Paste the contents of the clipboard into your reply


Please post these 2 logs when finished. Also, how is the computer now?

joemagiera
2015-11-05, 17:12
Please post these 2 logs when finished. Also, how is the computer now?

The PC and internet browser (checked Chrome, Firefox and IE) all appear to be ok (based on a less than 3 minute test). THANK YOU!

The instructions for the Malwarebytes could be taken two ways, with either posting the log for first scan or the last scan or both. To cover all bases, I'm posting 3 logs:

The FRST log of the newest Fixlist.txt input that you provided
The first Malwarebytes log
The last Malwarebytes log (after restart)

Right now, I think I'm all good, but if you have further instructions or steps to take, let me know. Otherwise, thank you again for helping me through this.

Fix result of Farbar Recovery Scan Tool (x86) Version:04-11-2015
Ran by Dad (2015-11-05 06:14:13) Run:3
Running from C:\Documents and Settings\Dad\Desktop
Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CloseProcesses:
S3 r_server; C:\WINDOWS\system32\r_server.exe [724992 2004-08-06] () [File not signed]
C:\WINDOWS\system32\r_server.exe
EmptyTemp:
End
*****************

Processes closed successfully.
r_server => service removed successfully.
C:\WINDOWS\system32\r_server.exe => moved successfully
EmptyTemp: => 115.8 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 06:15:30 ====

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/5/2015
Scan Time: 6:51:50 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.05.03
Rootkit Database: v2015.11.04.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Dad

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 338817
Time Elapsed: 40 min, 35 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 6
PUP.Optional.eShield, HKLM\SOFTWARE\GOOGLE\CHROME\NATIVEMESSAGINGHOSTS\com.eshield.extension_host, Quarantined, [105725552269d85e90faae1573907888],
PUP.Optional.TidyNetwork, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\DRAGDROP\{70BC1CDB-0744-4172-BDA0-B5A487D00C3A}, Quarantined, [3e29a5d5632840f61c27c3cbfd063cc4],
PUP.Optional.OpenApp, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\kincjchfokkeneeofpeefomkikfkiedl, Quarantined, [db8c8eec1972f3437497d7a504ff629e],
PUP.Optional.TidyNetwork, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\DRAGDROP\{70BC1CDB-0744-4172-BDA0-B5A487D00C3A}, Quarantined, [3f28a3d7d3b874c266d31975ee15bc44],
PUP.Optional.TNT, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{72A6AB0F-2FA8-4C73-9FCB-1E62A608F001}, Quarantined, [3037ef8b78130135b1b2a8e643c033cd],
PUP.Optional.SmartBar, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\SMARTBAR, Quarantined, [363188f253380432a5536423c63d7f81],

Registry Values: 2
PUP.Optional.TNT, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{72A6AB0F-2FA8-4C73-9FCB-1E62A608F001}|AppName, TNT2User.exe, Quarantined, [3037ef8b78130135b1b2a8e643c033cd]
PUP.Optional.SmartBar, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\SMARTBAR|GlobalUserId, 61866C50-084F-4CD7-B44B-8AC92F7FA013, Quarantined, [363188f253380432a5536423c63d7f81]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
PUP.Optional.Yontoo, C:\search-simple.xml, Quarantined, [16510773f893aa8c71be1db119eae31d],
PUP.Optional.Yontoo, C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\prefs.js, Good: (browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/), Bad: (browser.startup.homepage", "http://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA18DB0VXfWFoKB8fHGZGIUtbCXQeU1BoLlZP");), Replaced,[9bcc8ceed8b31a1c2d811d5351b3fe02]
PUP.Optional.BDYahoo, C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\default.xml, Quarantined, [41264337711a2d096cdd0668976d24dc],

Physical Sectors: 0
(No malicious items detected)


(end)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/5/2015
Scan Time: 8:19:56 AM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.05.03
Rootkit Database: v2015.11.04.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Dad

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 339092
Time Elapsed: 18 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Juliet
2015-11-05, 19:40
The PC and internet browser (checked Chrome, Firefox and IE) all appear to be ok (based on a less than 3 minute test). THANK YOU!
You're very welcome :)


The instructions for the Malwarebytes could be taken two ways, with either posting the log for first scan or the last scan or both. To cover all bases, I'm posting 3 logs:
Yes, and I apologize for that, but other helpers and I have an ongoing battle trying to explain how to post the finished logs from MBAM to show all it quarantined.
The steps you took show me the results and I thank you.

~~~~~~~~~~~~~~~~~~~~
I think the next scan will probably be our last. It can take quite a while, but I really think it's needed.


******
What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course on how full your computer is.



Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

ESET Online Scan

Please download ESET Online Scan (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe) and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/).
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Advanced settings. Place a checkmark next to:

Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology


Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click List of found threats. If no threats were found, skip the next two bullet points.
Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xKN1w2nv.png.pagespeed.ic.JWqIaEgZi7.png and click http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/SzOC1p0.png.pagespeed.ce.OWDP45O6oG.png.
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.

joemagiera
2015-11-06, 03:43
save the file to your Desktop, naming it something such as "MyEsetScan".
Copy the contents of the log and paste in your next reply.

Ok, here's the Eset scan log. If there is anything else, let me know. Should the items found in the last scan be deleted (other than a few on the list I see that I know are ok)?

THANKS AGAIN!

Joe

C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\apn\APN-Stub\W3IV6-G(2)\APNIC.7z.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\apn\APN-Stub\W3IV6-G(2)\BIT28.tmp.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\Autorun.inf.vir Win32/Toolbar.TNT2.F potentially unwanted application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\IEToolbar.dll.vir a variant of Win32/Toolbar.TNT2.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\npTNT2.dll.vir a variant of Win32/Toolbar.TNT2.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe.vir a variant of Win32/Toolbar.TNT2.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\xpi.tar.vir Win32/Toolbar.TNT2.G potentially unwanted application
C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\Profiles\11515\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi.vir Win32/Toolbar.TNT2.G potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\TNT2\2.0.0.1995\IEToolbar.dll.vir a variant of Win32/Toolbar.TNT2.B potentially unwanted application
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi JS/BrowseFox.A potentially unwanted application
C:\Documents and Settings\Dad\Desktop\Old Firefox Data\r26vc2ze.default\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi Win32/Toolbar.TNT2.G potentially unwanted application
C:\Documents and Settings\Dad\Local Settings\Application Data\Downloaded Installations\{382B7E08-8EB6-435F-A474-CE7C90770D2D}\rserv34.msi a variant of Win32/RemoteAdmin.RAdmin.AC potentially unsafe application
C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\2(2)\Plugin(2).exe a variant of Win32/BrowseFox.BT potentially unwanted application
C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\3(2)\Plugin(2).exe a variant of Win32/BrowseFox.BZ potentially unwanted application
C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\5(2)\Plugin(2).exe a variant of Win32/BrowseFox.BH potentially unwanted application
C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\7(2)\Plugin(2).exe a variant of Win32/BrowseFox.BZ potentially unwanted application
C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\8(2)\Plugin(2).exe a variant of Win32/BrowseFox.BT potentially unwanted application
C:\FRST\Quarantine\C\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll.xBAD a variant of Win32/Toolbar.Conduit.B potentially unwanted application
C:\FRST\Quarantine\C\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll.xBAD a variant of Win32/Toolbar.Conduit.P potentially unwanted application
C:\FRST\Quarantine\C\Program Files\SearchMoreKnow\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi JS/BrowseFox.A potentially unwanted application
C:\FRST\Quarantine\C\Windows\System32\r_server.exe.xBAD Win32/RAdmin.22 potentially unsafe application
C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
C:\sys7y6\GeeGo.exe a variant of Win32/Spy.VB.NWM trojan
C:\sys7y6\gojoee.exe a variant of Win32/TrojanDropper.VB.ONT trojan
C:\sys7y6\syswin7u8.exe Win32/BitCoinMiner.W potentially unsafe application
C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe a variant of Win32/Spy.VB.NWM trojan
D:\C_2010_09_04\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\C_2010_09_04\Program Files\XPMedic\XPMedic.exe Win32/Adware.XPMedic application
D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application
D:\Downloads\ipscan.exe Win32/NetTool.Portscan.C potentially unsafe application
D:\Downloads\Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip a variant of Win32/Keygen.EM potentially unsafe application
D:\Downloads\soldering_desoldering Win32/InstalleRex.M potentially unwanted application
D:\Downloads\winrarSetup.exe a variant of MSIL/DomaIQ.AB potentially unwanted application
D:\Downloads\XPMedic_Setup.exe Win32/Adware.XPMedic application
D:\Downloads\XPMedic_Setup.zip Win32/Adware.XPMedic application
D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe a variant of Win32/Keygen.HC potentially unsafe application
D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe a variant of Win32/Keygen.CW potentially unsafe application
D:\Downloads\Remote_Administrator\RADMIN22.EXE Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Downloads\Remote_Administrator\radmin22.zip Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe Win32/PrcView potentially unsafe application
D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe Win32/PrcView potentially unsafe application
D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe Win32/Shutdown.NAA potentially unsafe application
D:\Radmin22\Radmin22 (F)\Setup\radmin22de.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Radmin22\Radmin22 (F)\Setup\radmin22en.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Radmin22\Radmin22 (F)\Setup\radmin22ru.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application

Juliet
2015-11-06, 15:09
Should the items found in the last scan be deleted (other than a few on the list I see that I know are ok)?

We do need to delete out some files that were found. Which ones are you seeing that you know are OK?

Win32/RAdmin.22 potentially unsafe application
Remote access degrades your security.

I see a few Radmin references. Have you intentionally had Radmin remote admin application installed on this machine?

Remote Administrator v2.2

Let me point out the difference between Infected: and in most cases Infected: not-a-virus

Infected: --> When labeled this way no bones about it.....it's infected.
Infected: not-a-virus/Win32/RemoteAdmin potentially unsafe application --> Here it can become a little bit interesting. We'll use what was found as an example.

RAdmin.22
Win32/RemoteAdmin potentially unsafe application:RemoteAdmin.Win32.RAdmin.22 (RAdmin.22 can also be run as a service, which means that you can log in remotely, do some work, and log out again) <--files -- they are always flagged as a "risk" program.

As long as you use any VNC program responsibly, like any other chat program (not clicking unknown links, not accepting files from unknown people, not giving personal info in chat, etc.), it's fine.

If you did not download and use RAdmin.22, please uninstall this Application.

Also, if this program was downloaded as a cracked with keygen tool, then it's not OK.

~~~~
This forum as well as most of the other malware removal forums do not support the use of illegal software, if I was to continue helping you it could be construed in the eyes of the law as aiding and abetting a crime. In using the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product concerned. The distribution and use of cracked software is illegal in almost every developed country. They are also one of the biggest causes of infection. This applies to Cracks, Keygens and Warez

Forum Policy
I strongly suggest you remove any cracked software that is installed.
We do not approve of nor support illegal software. Cracked software is not only unethical, it's a good way to get your machine infected. Malware and virus authors love to spread their infections via cracks. I recommend you cease this activity and get rid of any cracked software.
In the future I strongly suggest you stay away from using cracks and/or Keygens. If you want to continue, uninstall all the illegal software that you have downloaded and installed.

D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe a variant of Win32/Keygen
Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip a variant of Win32/Keygen

~~~~~~~~~~~~~`

Please open Notepad. *Do not use WordPad* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)



start
CreateRestorePoint:
CloseProcesses:
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi
C:\Documents and Settings\Dad\Desktop\Old Firefox Data\r26vc2ze.default\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi
C:\sys7y6\GeeGo.exe
C:\sys7y6\gojoee.exe
C:\sys7y6\syswin7u8.exe
C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe
D:\Downloads\7zip-setup.exe
D:\Downloads\ipscan.exe
D:\Downloads\soldering_desoldering
D:\Downloads\winrarSetup.exe
D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe
D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe
D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe
EmptyTemp:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~`

Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.


Doubleclick CKScanner.exe then click Search For Files

When the cursor hourglass disappears, click Save List To File

A message box will verify the file saved

Please Run this program only once


Please post these 2 logs when finished with an update on how your computer is now.
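Added example for this thread (editor's code, not ESET's or FRST's own): a small triage script that parses ESET log lines of the shape shown above into path / detection / category, separates what is already sitting in the AdwCleaner and FRST quarantine folders from what is still live, lets the operator vouch for paths (the licensed Radmin install, the backup of another PC) via an allow-list, and drafts a fixlist.txt with the same directives the helper used (start, CreateRestorePoint:, CloseProcesses:, paths, EmptyTemp:, End). The sample lines are copied from the ESET log above; the classification rules, the "anything in the same folder as a trojan goes" heuristic and the allow-list prefixes are assumptions of this example.

```python
"""Triage ESET Online Scanner findings and draft an FRST fixlist from them.

Added example for this thread: the parsing and the triage rules are the
editor's, not ESET's or FRST's own. The fixlist directives emitted are the
ones used in the helper's fixlists above.
"""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path detection category")

# ESET log lines are "<path> <detection> <category>"; the path may contain
# spaces, so the detection is anchored on its "Family/Name" token and the
# category on a fixed set of trailing phrases.
CATEGORIES = (
    "trojan",
    "potentially unwanted application",
    "potentially unsafe application",
    "application",
)
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+) "
    r"(?P<category>" + "|".join(re.escape(c) for c in CATEGORIES) + r")$"
)

# Items already moved by AdwCleaner or FRST; DelFix deletes these folders at the end.
QUARANTINE_PREFIXES = ("c:\\adwcleaner\\quarantine\\", "c:\\frst\\quarantine\\")

# Sample lines copied from the ESET log posted above.
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files\TNT2\2.0.0.1995\IEToolbar.dll.vir a variant of Win32/Toolbar.TNT2.B potentially unwanted application
C:\FRST\Quarantine\C\Windows\System32\r_server.exe.xBAD Win32/RAdmin.22 potentially unsafe application
C:\sys7y6\GeeGo.exe a variant of Win32/Spy.VB.NWM trojan
C:\sys7y6\syswin7u8.exe Win32/BitCoinMiner.W potentially unsafe application
C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
D:\Downloads\ipscan.exe Win32/NetTool.Portscan.C potentially unsafe application
D:\Downloads\soldering_desoldering Win32/InstalleRex.M potentially unwanted application
D:\Downloads\XPMedic_Setup.exe Win32/Adware.XPMedic application
D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe Win32/Shutdown.NAA potentially unsafe application
"""


def parse_eset_log(text):
    """Return a Finding per non-blank line; refuse lines that do not fit the format."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ESET log line: %r" % line)
        findings.append(Finding(m.group("path"), m.group("detection"), m.group("category")))
    return findings


def triage(findings, allow=()):
    """Map each path to an action: quarantined, keep, remove or review.

    'allow' holds path prefixes the operator has vouched for (a licensed remote
    admin tool, a backup of another PC's files). Anything living in the same
    directory as a trojan is removed whatever its own category, which is how
    the helper treated C:\\sys7y6 above (assumption of this example).
    """
    hot_dirs = {ntpath.dirname(f.path).lower() for f in findings if f.category == "trojan"}
    actions = {}
    for f in findings:
        p = f.path.lower()
        if p.startswith(QUARANTINE_PREFIXES):
            action = "quarantined"
        elif any(p.startswith(a.lower()) for a in allow):
            action = "keep"
        elif f.category == "trojan" or ntpath.dirname(p) in hot_dirs:
            action = "remove"
        elif f.category == "potentially unsafe application":
            action = "review"  # dual-use tool: ask the owner before deleting
        else:
            action = "remove"  # adware / PUA nobody has vouched for
        actions[f.path] = action
    return actions


def build_fixlist(findings, actions):
    """Draft fixlist.txt containing only the 'remove' paths."""
    lines = ["start", "CreateRestorePoint:", "CloseProcesses:"]
    lines += [f.path for f in findings if actions[f.path] == "remove"]
    lines += ["EmptyTemp:", "End"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_LOG)
    acts = triage(found, allow=["C:\\Program Files\\Radmin\\", "D:\\Hank\\Hank_back_PC\\"])
    for f in found:
        print("%-11s %s" % (acts[f.path], f.path))
    print(build_fixlist(found, acts))
```

The "review" bucket is the point of the exercise: ESET's "potentially unsafe application" label covers port scanners, keygens and remote-admin servers alike, so the script refuses to put those on the fixlist until a human has said keep or remove, exactly the question the helper asked about Radmin.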

joemagiera
2015-11-06, 17:33
Which ones are you seeing that you know are OK?
Have you intentionally had Radmin remote admin application installed on this machine?
If you did not download and use RAdmin.22, please uninstall this Application.
Also, if this program was downloaded as a cracked with keygen tool, then it's not OK.
If you want to continue, uninstall all the illegal software that you have downloaded and installed.


Juliet,

Thank you for your help and guidance to date.

As to which ones I am seeing that I know is ok... I have reviewed the eSet scan output. I have edited and deleted all output for files/programs that I either don't know about or can be deleted. There are three areas that are left:

1) The following are part of another PC for back up purposes only. They are not installed on my PC. They are all properly licensed software on that PC. They are present for backup purposes only. I know there are other PC & hard drive back up methods. For this particular situation, this is the easiest & fastest method. If you feel this is still not appropriate, I will remove them. But otherwise, I would like to save them.

D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe Win32/PrcView potentially unsafe application
D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe Win32/PrcView potentially unsafe application
D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe Win32/Shutdown.NAA potentially unsafe application

2) I could be mistaken on this, but as best I can recall, this is a properly licensed/paid for application with a non-cracked key. I would like to keep it. However, if you see evidence otherwise, let me know and I will remove.

D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application

3) All below refer to Remote Administrator and Radmin. One is an upgraded version of another (I don't recall which is which). This is how I connect remotely to my work. This was provided by my work and should be a licensed legal version. If it's not, I plead ignorance, as I just followed instructions from my company.

C:\Documents and Settings\Dad\Local Settings\Application Data\Downloaded Installations\{382B7E08-8EB6-435F-A474-CE7C90770D2D}\rserv34.msi a variant of Win32/RemoteAdmin.RAdmin.AC potentially unsafe application
C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
D:\C_2010_09_04\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Downloads\Remote_Administrator\RADMIN22.EXE Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Downloads\Remote_Administrator\radmin22.zip Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Radmin22\Radmin22 (F)\Setup\radmin22de.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Radmin22\Radmin22 (F)\Setup\radmin22en.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
D:\Radmin22\Radmin22 (F)\Setup\radmin22ru.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application

As to illegal software, it appears the only thing you listed was PowerDVD. I checked and while that install download is obviously present on my PC, the software is not installed. This can and should be deleted.

I did not run the scans & fixes you selected just yet. I definitely would like to continue and will be glad to run the steps you outlined. I wanted to present my feedback in case you needed to change the FRST fix file based on my feedback. Please consider and advise. Thanks,

Joe

Juliet
2015-11-07, 00:34
2) I could be mistaken on this, but as best I can recall, this is a properly licensed/paid for application with a non-cracked key. I would like to keep it. However, if you see evidence otherwise, let me know and I will remove.

D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application
7zip is fine, but what it may have alerted to is that when it was downloaded it is very possible to have been bundled with adware.
The scan is also set to alert for potentially unwanted applications.
Detection of potentially unwanted applications is optional, as they don't pose a threat unless the adware/malware that could have been downloaded with the install was not deleted.


Remote Administrator and Radmin. One is an upgraded version of another (I don't recall which is which). This is how I connect remotely to my work. This was provided by my work and should be a licensed legal version. If it's not, I plead ignorance, as I just followed instructions from my company.
Correct. And I gave the warning of potentials related to these type of remote connection tools.


RAdmin.22 VNC program
As long as you use any VNC program responsibly, like any other chat program (not clicking unknown links, not accepting files from unknown people, not giving personal info in chat, etc.), it's fine.

If you did not download and use RAdmin.22, please uninstall this Application.

Now, for what we have left to remove leaves me a bit confused but let's try to continue.

If you see a file in the list you think should be removed, I leave that up to you.

Please open Notepad. *Do not use WordPad* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)




start
CreateRestorePoint:
CloseProcesses:
C:\sys7y6\GeeGo.exe
C:\sys7y6\gojoee.exe
C:\sys7y6\syswin7u8.exe
C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe
D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe
EmptyTemp:
End


Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

joemagiera
2015-11-07, 01:38
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

FRST fix log below. Anything else? Very happy to get my PC cleaned up. Can't believe how much garbage was out there.

Joe

Fix result of Farbar Recovery Scan Tool (x86) Version:05-11-2015
Ran by Dad (2015-11-06 17:20:50) Run:4
Running from C:\Documents and Settings\Dad\Desktop
Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\sys7y6\GeeGo.exe
C:\sys7y6\gojoee.exe
C:\sys7y6\syswin7u8.exe
C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe
D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi
C:\Documents and Settings\Dad\Desktop\Old Firefox Data\r26vc2ze.default\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi
D:\Downloads\ipscan.exe
D:\Downloads\soldering_desoldering
D:\Downloads\winrarSetup.exe
EmptyTemp:
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\sys7y6\GeeGo.exe => moved successfully
C:\sys7y6\gojoee.exe => moved successfully
C:\sys7y6\syswin7u8.exe => moved successfully
C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe => moved successfully
D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe => moved successfully
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi => moved successfully
C:\Documents and Settings\Dad\Desktop\Old Firefox Data\r26vc2ze.default\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi => moved successfully
D:\Downloads\ipscan.exe => moved successfully
D:\Downloads\soldering_desoldering => moved successfully
D:\Downloads\winrarSetup.exe => moved successfully
EmptyTemp: => 211 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:22:43 ====
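Added example (editor's code, not an FRST feature): the Fixlog above echoes the fixlist it ran and then prints one result line per item, so the two can be reconciled mechanically. This script pulls the paths out of the "fixlist content:" section, maps every "<target> => <outcome>" line to its outcome, and reports any requested path that either got a non-success outcome or no result line at all. The sample is trimmed from the Fixlog above with two constructed failure cases added (an ipscan.exe line reading "not found." and a winxz... entry with no result line); directive lines such as CreateRestorePoint: and EmptyTemp: are skipped, and Reg:/other non-path fixlist syntax is out of scope.

```python
"""Reconcile an FRST Fixlog.txt against the fixlist it executed.

Added example for this thread, not an FRST feature. Checks that every path in
the "fixlist content:" section has a result line, and that the result reports
success. Directives (lines ending in ":" plus start/End) are skipped.
"""
import re

FIXLIST_RE = re.compile(r"fixlist content:\n\*+\n(.*?)\n\*+", re.S)

# Trimmed from the Fixlog posted above, plus two constructed failure cases:
# ipscan.exe gets a non-success result line and the winxz... entry gets none.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x86) Version:05-11-2015
Ran by Dad (2015-11-06 17:20:50) Run:4

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\sys7y6\GeeGo.exe
C:\sys7y6\gojoee.exe
D:\Downloads\ipscan.exe
C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe
EmptyTemp:
End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\sys7y6\GeeGo.exe => moved successfully
C:\sys7y6\gojoee.exe => moved successfully
D:\Downloads\ipscan.exe => not found.
EmptyTemp: => 211 MB temporary data Removed.

The system needed a reboot.
"""


def fixlist_paths(fixlog):
    """Paths requested in the embedded fixlist, in order."""
    m = FIXLIST_RE.search(fixlog)
    if not m:
        raise ValueError("no 'fixlist content:' section found")
    paths = []
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.lower() in ("start", "end") or line.endswith(":"):
            continue  # directive, not a file path
        paths.append(line)
    return paths


def fix_results(fixlog):
    """Map each '<target> => <outcome>' line to its outcome text."""
    results = {}
    for line in fixlog.splitlines():
        if " => " in line:
            target, outcome = line.split(" => ", 1)
            results[target.strip()] = outcome.strip()
    return results


def verify_fixlog(fixlog):
    """Return {path: outcome}; outcome is 'no result line' when FRST said nothing."""
    results = fix_results(fixlog)
    return {p: results.get(p, "no result line") for p in fixlist_paths(fixlog)}


def unresolved(fixlog):
    """Paths whose outcome does not report success; empty means the fix did what was asked."""
    return [p for p, outcome in verify_fixlog(fixlog).items()
            if "success" not in outcome.lower()]


if __name__ == "__main__":
    for path, outcome in verify_fixlog(SAMPLE_FIXLOG).items():
        print("%-65s %s" % (path, outcome))
    print("unresolved:", unresolved(SAMPLE_FIXLOG))
```

A non-empty unresolved list is the cue to re-run the fix or to check whether the file is locked or already gone before declaring the machine clean; a path with no result line usually means the fixlist that actually ran differs from the one you think you saved next to FRST.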

joemagiera
2015-11-07, 01:42
Anything else?

Should I now do the CKScanner step you mentioned in the previous reply?

Joe

Juliet
2015-11-07, 04:28
Yes please.

joemagiera
2015-11-07, 06:31
CKScanner log below. Anything else?

PC appears to be working normally, in fact (probably my imagination), maybe even a little faster than before the virus.

Joe

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.GONAUZ
----- EOF -----

Juliet
2015-11-07, 14:51
PC appears to be working normally, in fact (probably my imagination), maybe even a little faster than before the virus.
Thats always good to hear.

Since this is a Windows XP machine I have an article I would like for you to read.
Important information regarding Windows XP (http://forums.whatthetech.com/index.php?showtopic=127901)

~~~~~~~~~~~`

Time to remove tools and quarantine folders.

DelFix

Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.

Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
~~~~~~~~~~
Remove disinfection tools
~~~~~~~~~~
Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


~~~~~~~~~~~


Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP


The following programmes come highly recommended in the security community.

AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
CryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (eg.CryptoPrevent), preventing your files from being encrypted.
Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
Web of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.


Want to help others? Join the ClassRoom (http://forums.whatthetech.com/What_the_Tech_Classroom_t80368.html) and learn how.

joemagiera
2015-11-09, 00:00
Since this is a Windows XP machine I have an article I would like for you to read.
Please download DelFix and save the file to your Desktop.

Sorry was slow on this step. Downloaded and ran DelFix. Read the XP article. Thanks for the recommendations on the other tools.

Thanks again for all your help. If there are any final steps, let me know.

Below is the Delfix log (even though you didn't ask for it).

Joe

# DelFix v1.011 - Logfile created 08/11/2015 at 15:55:05
# Updated 18/08/2015 by Xplode
# Username : Dad - JOE
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Documents and Settings\Dad\Desktop\FRST-OlderVersion
Deleted : C:\Documents and Settings\Dad\Desktop\AdwCleaner.exe
Deleted : C:\Documents and Settings\Dad\Desktop\AdwCleaner[C2].txt
Deleted : C:\Documents and Settings\Dad\Desktop\CKScanner.exe
Deleted : C:\Documents and Settings\Dad\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Documents and Settings\Dad\Desktop\Fixlog.txt
Deleted : C:\Documents and Settings\Dad\Desktop\Fixlog_1.txt
Deleted : C:\Documents and Settings\Dad\Desktop\FRST.exe
Deleted : C:\Documents and Settings\Dad\Desktop\JRT.exe
Deleted : C:\Documents and Settings\Dad\Desktop\JRT.txt
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\Addition.txt
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\AdwCleaner.exe
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\aswMBR.exe
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\aswMBR.txt
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\CKScanner.exe
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\FRST.txt
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\JRT.exe
Deleted : C:\Documents and Settings\Dad\My Documents\Downloads\MBR.dat
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

########## - EOF - ##########

Juliet
2015-11-09, 04:07
Joe
We're finished.

Safe Surfing :)

Juliet
2015-11-12, 16:21
Glad we could help. :)

Since this issue appears resolved ... this Topic is closed.