
Thread: posting logs for malware help

  1. #1
    Junior Member (Join Date: Jan 2006, Posts: 29)

    posting logs for malware help

    I read the "before you post" instructions, and if I missed something, I apologize in advance for not doing it quite right.

    This is a Windows XP machine. The problem is an internet browser home page hijack, which also opens multiple sub-pages as soon as you go to any web site. The problems started when I downloaded and ran the following software:

    KeyFinderInstaller.exe (provides keys for installed software)
    -and-
    WiFiPasswordRevealerInstaller.exe (provides wifipasswords)

    Both were run this morning (11-4-2015), and both were downloaded from www. magicaljellybean. com (NOT RECOMMENDED!)

    One thing I wasn't sure of is whether to post the logs inline in this message or attach them. The instructions mention both, so I decided to do both. Below (and attached) are the three requested logs, in order:

    FRST.txt
    Addition.txt
    aswMBR.txt

    Any questions or actions to take, please let me know. Thank you,

    Joe

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:04-11-2015
    Ran by Dad (administrator) on JOE (04-11-2015 14:39:15)
    Running from C:\Documents and Settings\Dad\My Documents\Downloads
    Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
    Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
    Internet Explorer Version 8 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
    (AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    (Google Inc.) C:\Program Files\Google\Update\1.3.28.15\GoogleCrashHandler.exe
    (Teruten) C:\WINDOWS\system32\FsUsbExService.Exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    (TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    (Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
    (Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
    (Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
    (AVAST Software) C:\Program Files\Alwil Software\Avast5\avastui.exe
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    () C:\Program Files\AT&T tReader\treader.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    (Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    (Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
    (Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19523616 2010-05-07] (Realtek Semiconductor Corp.)
    HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Alwil Software\Avast5\AvastUI.exe [6111824 2015-08-25] (AVAST Software)
    HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
    HKLM\...\RunOnce: [20150107] => C:\Program Files\Alwil Software\Avast5\setup\emupdate\7dd83ed3-c31e-4525-8913-8cfc68352e80.exe [183232 2015-11-04] (AVAST Software)
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Run: [treader.exe] => C:\Program Files\AT&T tReader\treader.exe [1304576 2007-10-23] ()
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [721504 2015-09-02] (Microsoft Corporation)
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [9216 2008-04-13] (Microsoft Corporation)
    ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Alwil Software\Avast5\ashShell.dll [2015-08-11] (AVAST Software)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.88.1
    Tcpip\..\Interfaces\{2C5F3C20-16B4-4DFC-A15E-75825F4A8998}: [DhcpNameServer] 192.168.88.1

    Internet Explorer:
    ==================
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    URLSearchHook: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> DefaultScope {40C1DB81-4E42-4296-B026-A44077934BA1} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7ADRA_en
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {40C1DB81-4E42-4296-B026-A44077934BA1} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7ADRA_en
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
    BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll => No File
    BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-18] (Microsoft Corporation)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2015-09-16] (Oracle Corporation)
    BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [2015-08-11] (AVAST Software)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-16] (Oracle Corporation)
    BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll => No File
    Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll No File
    Toolbar: HKLM - No Name - {00011268-E188-40DF-A514-835FCD78B1BF} - No File
    Toolbar: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} hxxps://gassl10.vpn.att.com/+CSCOL+/relayp.cab
    DPF: {538793D5-659C-4639-A56C-A179AD87ED44} hxxps://missl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} hxxps://usmiclient.vpn.att.com/CACHE/stc/3/binaries/vpnweb.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
    DPF: {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} hxxps://gassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
    DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
    DPF: {CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} hxxps://gassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll [2011-08-10] (Belarc, Inc.)
    Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\itss.dll [2005-05-26] (Microsoft Corporation)
    Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\itss.dll [2005-05-26] (Microsoft Corporation)

    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296
    FF NewTab: hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaB0tXUUEeGGlxR1dMclBCMlpQLFYDRH5NL04=
    FF DefaultSearchEngine: Default
    FF DefaultSearchEngine.US: Default
    FF SelectedSearchEngine: Default
    FF Homepage: www.google.com
    FF Keyword.URL: hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTR0cFME0FB18EURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll [2015-10-17] ()
    FF Plugin: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-16] (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-16] (Oracle Corporation)
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
    FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
    FF Plugin HKU\S-1-5-21-1390067357-926492609-839522115-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Dad\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2014-08-27] (Citrix Online)
    FF Plugin HKU\S-1-5-21-1390067357-926492609-839522115-1003: @tnt2npapi.com/Plugin -> C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\npTNT2.dll [No File]
    FF user.js: detected! => C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js [2015-11-04]
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npatgpc.dll [2015-02-04] (Cisco WebEx LLC)
    FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Dad\Application Data\mozilla\plugins\npatgpc.dll [2015-02-04] (Cisco WebEx LLC)
    FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Dad\Application Data\mozilla\plugins\npMeetingJoinPluginAOCUser.dll [2014-05-01] ()
    FF SearchPlugin: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\default.xml [2015-11-04]
    FF SearchPlugin: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\search-simple.xml [2015-11-04]
    FF Extension: SearchMoreKnow - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] [not signed]
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-11-06] [not signed]
    FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
    FF Extension: Avast Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2015-11-04] [not signed]
    FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff => not found

    Chrome:
    =======
    CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE8TkdGC1dXFg=="
    CHR StartupUrls: Default -> "hxxp://www.google.com/"
    CHR DefaultSearchURL: Default -> hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTQkcFME0FBloEURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
    CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP
    CHR Profile: C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
    CHR Extension: (Google Drive) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-07-21]
    CHR Extension: (YouTube) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-04]
    CHR Extension: (Google Search) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-04-18]
    CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-03]
    CHR Extension: (Avast Online Security) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-03-25]
    CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-27]
    CHR Extension: (Gmail) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-18]
    CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2015-05-28]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [146600 2015-08-11] (AVAST Software)
    S3 r_server; C:\WINDOWS\system32\r_server.exe [724992 2004-08-06] () [File not signed]
    R2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [560528 2014-03-12] (Cisco Systems, Inc.)
    S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 acsint; C:\WINDOWS\System32\DRIVERS\acsint.sys [40304 2014-03-12] (Cisco Systems, Inc.)
    S3 acsmux; C:\WINDOWS\System32\DRIVERS\acsmux.sys [58736 2014-03-12] (Cisco Systems, Inc.)
    S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
    R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24016 2015-08-11] (AVAST Software)
    R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [76000 2015-08-11] (AVAST Software)
    R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-08-11] (AVAST Software)
    R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49776 2015-08-11] (AVAST Software)
    R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [788784 2015-08-11] (AVAST Software)
    R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [433264 2015-08-11] (AVAST Software)
    R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [161472 2015-08-11] (AVAST Software)
    S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57888 2015-08-11] (AVAST Software)
    R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [208664 2015-08-11] (AVAST Software)
    R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2011-08-09] () [File not signed]
    S3 CVirtA; C:\WINDOWS\System32\DRIVERS\CVirtA.sys [5315 2005-05-17] (Cisco Systems, Inc.)
    S4 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
    R3 FsUsbExDisk; C:\WINDOWS\system32\FsUsbExDisk.SYS [36608 2010-06-14] () [File not signed]
    R2 giveio; C:\WINDOWS\system32\drivers\giveio.sys [5248 1996-05-13] () [File not signed]
    S3 HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [907456 2001-08-17] (Conexant)
    S3 mcdbus; C:\WINDOWS\System32\DRIVERS\mcdbus.sys [116736 2009-02-24] (MagicISO, Inc.) [File not signed]
    S3 mirrorv3; C:\WINDOWS\System32\DRIVERS\rminiv3.sys [3328 2010-04-21] (Famatech International Corp.)
    S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
    R1 oxmf; C:\WINDOWS\System32\DRIVERS\oxmf.sys [15779 2003-06-26] (Lite-On Technology Corporation.)
    S3 Oxmfuf; C:\WINDOWS\System32\DRIVERS\oxmfuf.sys [5111 2003-06-26] (Lite-On Technology Corporation.)
    R1 oxpar; C:\WINDOWS\System32\DRIVERS\oxpar.sys [76800 2003-12-25] (Lite-On Technology Corporation.)
    S1 oxser; C:\WINDOWS\System32\DRIVERS\oxser.sys [51269 2003-06-26] (Lite-On Technology Corporation.)
    S2 RadPciNT; C:\WINDOWS\system32\Drivers\RadPciNT.sys [9417 2000-04-24] (MediaForte Products Pte. Ltd.) [File not signed]
    R2 ScFBPNT; C:\WINDOWS\system32\drivers\ScFBPNT.SYS [16288 2000-02-08] () [File not signed]
    R3 teamviewervpn; C:\WINDOWS\System32\DRIVERS\teamviewervpn.sys [25088 2012-11-28] (TeamViewer GmbH)
    S2 USBRADIO; C:\WINDOWS\System32\Drivers\USBRADIO.sys [49444 2000-03-31] (GemTek Technology Co. LTD.) [File not signed]
    R3 WmBEnum; C:\WINDOWS\System32\drivers\WmBEnum.sys [22856 2010-04-27] (Logitech Inc.)
    S3 WmFilter; C:\WINDOWS\System32\drivers\WmFilter.sys [37704 2010-04-27] (Logitech Inc.)
    S3 WmVirHid; C:\WINDOWS\System32\drivers\WmVirHid.sys [15048 2010-04-27] (Logitech Inc.)
    R3 WmXlCore; C:\WINDOWS\System32\drivers\WmXlCore.sys [66632 2010-04-27] (Logitech Inc.)
    S3 avpnnic; system32\DRIVERS\avpnnic.sys [X]
    S4 IntelIde; no ImagePath
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
    S3 vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys [X]
    U1 WS2IFSL; no ImagePath

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Three Months Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2015-11-04 14:36 - 2015-11-04 14:39 - 00000000 ____D C:\FRST
    2015-11-04 14:03 - 2015-11-04 14:03 - 00000724 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    2015-11-04 13:50 - 2015-11-04 13:50 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVAST Software
    2015-11-04 13:48 - 2015-11-04 13:48 - 00000000 ____D C:\WINDOWS\LastGood
    2015-11-04 13:46 - 2015-08-11 21:04 - 00788784 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw256.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00433264 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25D.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00208664 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25F.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00161472 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw260.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00076000 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25B.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00057888 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw261.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00055200 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw258.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00049776 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw25C.tmp
    2015-11-04 13:46 - 2015-08-11 21:04 - 00024016 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\asw259.tmp
    2015-11-04 13:44 - 2015-08-11 21:04 - 00313472 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
    2015-11-04 13:38 - 2015-11-04 14:03 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134
    2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134
    2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\SearchMoreKnow
    2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\Magical Jelly Bean
    2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\KeyFinder
    2015-11-04 07:49 - 2015-11-04 07:49 - 00001222 _____ C:\search-simple.xml
    2015-10-12 17:25 - 2015-10-12 17:26 - 00000149 _____ C:\Documents and Settings\Dad\Desktop\TV repair.url
    2015-10-09 05:59 - 2015-10-09 05:58 - 00069908 ____H C:\WINDOWS\Minidump\Mini100915-01.dmp
    2015-10-08 06:19 - 2015-10-08 06:18 - 00069908 ____H C:\WINDOWS\Minidump\Mini100815-01.dmp
    2015-10-07 05:55 - 2015-10-07 05:51 - 00069908 ____H C:\WINDOWS\Minidump\Mini100715-01.dmp
    2015-09-26 19:27 - 2015-09-26 19:27 - 00000000 ____D C:\Documents and Settings\Dad\Desktop\Old Firefox Data
    2015-09-25 20:57 - 2015-09-25 20:57 - 00000118 _____ C:\Documents and Settings\Dad\Desktop\card odds.url
    2015-09-24 09:14 - 2015-09-24 09:14 - 00000282 _____ C:\Documents and Settings\Dad\Desktop\cherry master.url
    2015-09-22 08:03 - 2015-09-22 08:03 - 00000126 _____ C:\Documents and Settings\Dad\Desktop\A&A John Lewis.url
    2015-09-19 11:07 - 2015-09-19 11:12 - 00000000 ____D C:\Documents and Settings\Dad\Application Data\dvdcss
    2015-09-18 12:39 - 2015-09-18 12:39 - 00000135 _____ C:\Documents and Settings\Dad\Desktop\website forums3.url
    2015-09-18 12:38 - 2015-09-18 12:38 - 00000164 _____ C:\Documents and Settings\Dad\Desktop\website forums.url
    2015-09-18 12:38 - 2015-09-18 12:38 - 00000115 _____ C:\Documents and Settings\Dad\Desktop\website forums2.url
    2015-09-17 14:20 - 2015-09-17 14:20 - 00000347 _____ C:\Documents and Settings\Dad\My Documents\.htaccess
    2015-09-16 05:04 - 2015-09-16 05:04 - 00000000 ____D C:\Program Files\Common Files\Java
    2015-09-16 05:03 - 2015-09-16 05:03 - 00000000 ____D C:\Documents and Settings\Dad\.oracle_jre_usage
    2015-09-14 18:23 - 2015-09-18 08:39 - 00001692 _____ C:\Documents and Settings\All Users\Start Menu\Full Flush Poker 8.2.lnk
    2015-09-14 18:23 - 2015-09-14 18:24 - 00000000 ____D C:\Program Files\Full Flush Poker 8.2
    2015-09-14 18:23 - 2015-09-14 18:23 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Full Flush Poker 8.2
    2015-08-29 11:03 - 2015-08-29 11:03 - 00000114 _____ C:\Documents and Settings\Dad\Desktop\D&D Surplus.url
    2015-08-24 05:53 - 2015-08-24 05:53 - 00000126 _____ C:\Documents and Settings\Dad\Desktop\Quantum front glass.url
    2015-08-23 12:19 - 2015-08-23 12:19 - 00000731 _____ C:\Documents and Settings\Dad\Desktop\VLC media player.lnk
    2015-08-18 20:35 - 2015-08-18 20:35 - 00000130 _____ C:\Documents and Settings\Dad\Desktop\Windows.url
    2015-08-12 17:07 - 2015-08-12 17:08 - 00000246 _____ C:\Documents and Settings\Dad\Desktop\recycle.url
    2015-08-11 21:05 - 2015-08-11 21:05 - 00000000 __HDC C:\WINDOWS\$NtUninstallWdf01009$
    2015-08-11 21:05 - 2008-11-07 18:55 - 00016928 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsgXP_2k3.dll
    2015-08-11 21:04 - 2015-11-04 13:50 - 00130612 _____ C:\WINDOWS\Wdf01009Inst.log
    2015-08-11 21:04 - 2015-08-11 21:04 - 00161472 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
    2015-08-11 21:04 - 2015-08-11 21:04 - 00043112 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
    2015-08-10 07:31 - 2015-08-10 07:32 - 00000000 ____D C:\Documents and Settings\Dad\Application Data\pdf995
    2015-08-10 07:31 - 2015-08-10 07:31 - 00000028 _____ C:\WINDOWS\pdf995.ini
    2015-08-10 07:31 - 2015-08-10 07:31 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Application Data\pdf995
    2015-08-10 06:48 - 2007-08-24 10:13 - 00000142 _____ C:\WINDOWS\wpd99.drv
    2015-08-10 06:47 - 2015-11-04 13:38 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\pdf995
    2015-08-10 06:47 - 2015-08-10 06:48 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Software995
    2015-08-10 06:47 - 2015-08-10 06:47 - 01667072 _____ (TODO: <Company name>) C:\WINDOWS\system32\pdfmona.dll
    2015-08-10 06:47 - 2015-08-10 06:47 - 00036864 _____ C:\WINDOWS\system32\pdf995mon.dll

    ==================== Three Months Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2015-11-04 14:40 - 2010-09-05 12:30 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Temp
    2015-11-04 14:15 - 2010-09-05 12:15 - 01737484 _____ C:\WINDOWS\WindowsUpdate.log
    2015-11-04 14:14 - 2014-08-27 15:56 - 00000510 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1390067357-926492609-839522115-1003.job
    2015-11-04 14:03 - 2014-06-03 20:55 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
    2015-11-04 14:03 - 2014-06-03 20:55 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
    2015-11-04 13:56 - 2014-06-04 19:57 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2015-11-04 13:55 - 2013-10-30 15:41 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2015-11-04 13:50 - 2014-11-18 09:10 - 00001700 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
    2015-11-04 13:50 - 2010-12-31 10:00 - 00819640 _____ C:\WINDOWS\setupapi.log
    2015-11-04 13:47 - 2012-07-11 15:38 - 00000318 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
    2015-11-04 13:42 - 2015-05-30 10:25 - 00000606 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1390067357-926492609-839522115-1003.job
    2015-11-04 13:41 - 2001-08-23 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
    2015-11-04 13:40 - 2014-06-04 19:57 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2015-11-04 13:40 - 2014-03-06 22:25 - 00000218 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
    2015-11-04 13:40 - 2010-09-05 12:28 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2015-11-04 13:40 - 2010-09-05 03:58 - 00000159 _____ C:\WINDOWS\wiadebug.log
    2015-11-04 13:40 - 2010-09-05 03:58 - 00000049 _____ C:\WINDOWS\wiaservc.log
    2015-11-04 13:39 - 2013-01-15 20:27 - 00000000 ____D C:\Documents and Settings\Administrator
    2015-11-04 13:39 - 2010-09-05 12:30 - 00000000 ____D C:\Documents and Settings\Dad
    2015-11-04 13:39 - 2010-09-05 12:28 - 00000000 __SHD C:\Documents and Settings\LocalService
    2015-11-04 13:39 - 2010-09-05 12:18 - 00000000 __SHD C:\Documents and Settings\NetworkService
    2015-11-04 13:39 - 2010-09-05 12:13 - 00000000 ____D C:\WINDOWS\Registration
    2015-11-04 13:38 - 2014-02-05 06:16 - 00000000 ____D C:\sys7y6
    2015-11-04 13:37 - 2013-06-30 21:56 - 03997696 _____ C:\WINDOWS\system32\config\ACVPN.evt
    2015-11-04 13:37 - 2010-09-05 12:28 - 00032640 _____ C:\WINDOWS\SchedLgU.Txt
    2015-11-04 09:06 - 2014-10-02 17:46 - 00131072 _____ C:\WINDOWS\system32\config\OAlerts.evt
    2015-11-02 21:47 - 2010-09-05 12:30 - 00000178 ___SH C:\Documents and Settings\Dad\ntuser.ini
    2015-11-02 14:40 - 2015-02-17 22:36 - 00000000 ____D C:\Program Files\PokerStars
    2015-11-01 06:53 - 2010-09-05 03:56 - 01407864 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2015-10-29 06:05 - 2010-09-05 03:55 - 00176737 _____ C:\WINDOWS\setupact.log
    2015-10-26 17:14 - 2010-09-11 09:02 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2015-10-26 06:19 - 2012-11-15 17:22 - 00000000 ____D C:\Program Files\Savings Bond Wizard
    2015-10-25 07:41 - 2013-08-12 18:38 - 00000000 ____D C:\WINDOWS\system32\MRT
    2015-10-25 07:35 - 2010-09-10 15:47 - 141105520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2015-10-24 13:59 - 2001-08-23 06:00 - 00000618 _____ C:\WINDOWS\win.ini
    2015-10-24 13:57 - 2010-09-05 12:13 - 00000063 _____ C:\WINDOWS\vbaddin.ini
    2015-10-17 07:55 - 2013-10-30 15:41 - 00780488 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
    2015-10-17 07:55 - 2013-10-30 15:41 - 00142536 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    2015-10-17 07:28 - 2014-03-07 20:11 - 00000000 ____D C:\Program Files\AT&T tReader
    2015-10-14 11:33 - 2015-01-07 12:19 - 00003209 _____ C:\Documents and Settings\Dad\Desktop\myAT&T.lnk
    2015-10-14 11:33 - 2015-01-07 12:19 - 00000000 ____D C:\Documents and Settings\Dad\Start Menu\Programs\AT&T Connect
    2015-10-11 19:45 - 2011-05-03 16:54 - 00000000 ____D C:\Program Files\mIRC
    2015-10-09 05:59 - 2011-09-12 16:05 - 00000000 ____D C:\WINDOWS\Minidump
    2015-10-08 14:00 - 2014-03-06 22:25 - 00000212 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job

    ==================== Files in the root of some directories =======

    2011-12-28 11:20 - 2011-12-28 11:20 - 0002528 _____ () C:\Documents and Settings\Dad\Application Data\$_hpcst$.hpc
    2011-12-14 17:16 - 2014-11-15 15:53 - 0003584 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    Some files in TEMP:
    ====================
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End of FRST.txt ============================

    Additional scan result of Farbar Recovery Scan Tool (x86) Version:04-11-2015
    Ran by Dad (2015-11-04 14:41:11)
    Running from C:\Documents and Settings\Dad\My Documents\Downloads
    Microsoft Windows XP Professional Service Pack 3 (X86) (2010-09-05 18:17:31)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-1390067357-926492609-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
    ASPNET (S-1-5-21-1390067357-926492609-839522115-1006 - Limited - Enabled)
    Dad (S-1-5-21-1390067357-926492609-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Dad
    Guest (S-1-5-21-1390067357-926492609-839522115-501 - Limited - Enabled)
    HelpAssistant (S-1-5-21-1390067357-926492609-839522115-1000 - Limited - Disabled)
    SUPPORT_388945a0 (S-1-5-21-1390067357-926492609-839522115-1002 - Limited - Disabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: avast! Antivirus (Enabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    7-Zip 4.65 (HKLM\...\7-Zip) (Version: - )
    Adobe Flash Player 19 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 19.0.0.226 - Adobe Systems Incorporated)
    Adobe Flash Player 19 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 19.0.0.226 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
    Arcade Tournament Manager (HKLM\...\{E27E085D-DAEE-41D1-B047-42DC8A01F545}) (Version: 1.7.4.0 - Danesi Designs)
    ArcSoft Camera Suite (HKLM\...\{4677AAF8-8D7A-4EE2-BCE4-0068BB052353}) (Version: - )
    Arduino (HKLM\...\Arduino) (Version: 1.6.3 - Arduino LLC)
    AT&T Connect Participant Application v9.5.51 (HKLM\...\{E42E8753-9A8E-48E9-9829-B3571D91A945}) (Version: 9.5.51 - AT&T Inc.)
    Avast Free Antivirus (HKLM\...\avast) (Version: 10.3.2225 - AVAST Software)
    Belarc Advisor 8.2 (HKLM\...\Belarc Advisor) (Version: 8.2.6.0 - Belarc Inc.)
    Camera Window (Version: 4.0 - Canon) Hidden
    Canon Camera WIA Driver (Version: 5.0.0 - Canon) Hidden
    Canon Camera Window for ZoomBrowser EX (HKLM\...\InstallShield_{2D6BDF3A-6BDB-4169-909F-E882F23AB795}) (Version: 4.0 - Canon)
    Canon PhotoRecord (HKLM\...\PhotoRecord) (Version: - )
    Canon PowerShot S45 WIA Driver (HKLM\...\InstallShield_{25E671BE-87A0-40F1-ABE5-BCBC6E65B0F5}) (Version: 5.0.0 - Canon)
    Canon Utilities FileViewerUtility 1.0 (HKLM\...\InstallShield_{0627E8E9-6822-4A5E-9225-286741CDC3E4}) (Version: 1.0 - Canon)
    Canon Utilities PhotoStitch 3.1 (HKLM\...\InstallShield_{A3E0FF15-90D5-40CD-8565-B80A433B0D4C}) (Version: 3.1.8 - Canon)
    Canon Utilities RemoteCapture 2.6 (HKLM\...\InstallShield_{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}) (Version: 2.6.0 - Your Company Name)
    Canon Utilities ZoomBrowser EX (HKLM\...\{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}) (Version: 04.00.00024 - CISRA)
    Catan Online World (HKLM\...\Catan Online Welt) (Version: 3.728 - Catan GmbH)
    Cisco AnyConnect Secure Mobility Client (HKLM\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.05160 - Cisco Systems, Inc.)
    Cisco AnyConnect Secure Mobility Client (Version: 3.1.05160 - Cisco Systems, Inc.) Hidden
    Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
    Citrix Online Launcher (HKLM\...\{3D5F07C3-1B93-47F8-9F8A-DE8E47BF1669}) (Version: 1.0.209 - Citrix)
    Data Fax SoftModem with SmartCP (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1) (Version: - )
    eShield Browser Security (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\{5FD52900-79EB-488E-910D-DDFEB09AC8A6}) (Version: - eShield) <==== ATTENTION
    FileViewerUtility 1.0 (Version: 1.0 - Canon) Hidden
    Full Flush Poker 8.2 (HKLM\...\Full Flush Poker 8.2) (Version: 8.2.12.201509140800 - Full Flush Poker)
    Google Chrome (HKLM\...\Google Chrome) (Version: 46.0.2490.80 - Google Inc.)
    Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
    Google Update Helper (Version: 1.3.28.15 - Google Inc.) Hidden
    GoToMeeting 7.4.1.3770 (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\GoToMeeting) (Version: 7.4.1.3770 - CitrixOnline)
    H&R Block Deluxe + Efile + State 2014 (HKLM\...\{BDA77C08-60A6-4AAB-B5A9-849ECF399A49}) (Version: 14.05.7401 - HRB Technology, LLC.)
    H&R Block Illinois 2014 (HKLM\...\{1B7D02B3-464B-4870-83AF-9FC76A8C8554}) (Version: 1.14.3401 - HRB Technology, LLC.)
    High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
    Image Resizer Powertoy for Windows XP (HKLM\...\{1CB92574-96F2-467B-B793-5CEB35C40C29}) (Version: 1.00.0001 - Microsoft Corporation)
    Intel(R) Graphics Media Accelerator Driver (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.10.5273 - Intel Corporation)
    Java 8 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation)
    Juniper Networks Host Checker (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Neoteris_Host_Checker) (Version: 7.1.0.18193 - Juniper Networks)
    Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Juniper_Setup_Client) (Version: 7.1.2.10059 - Juniper Networks, Inc.)
    Juniper Networks, Inc. Setup Client Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
    LivePix 1.1 SE (HKLM\...\LivePix) (Version: - )
    Logitech Gaming Software 5.10 (HKLM\...\{60D32CDC-E3BE-4578-BA10-29322307CDDC}) (Version: 5.10.127 - Logitech)
    MagicDisc 2.7.106 (HKLM\...\MagicDisc 2.7.106) (Version: - )
    Max Loader 4.6r (HKLM\...\Max Loader_is1) (Version: - EETools, Inc.)
    MeasureUp Certification Preparation (HKLM\...\InstallShield_{B9DF865A-C1BD-4DFD-9FF5-9CA5C6E23415}) (Version: 10.03 - MeasureUp Inc.)
    MeasureUp Practice Tests (HKLM\...\InstallShield_{1B53F089-10BA-4538-B977-8CF8A5343E04}) (Version: 10.03 - MeasureUp Inc.)
    MeasureUp Practice Tests (Version: 10.03 - MeasureUp Inc.) Hidden
    MEET MANAGER 2.0 for Swimming (HKLM\...\{7CE480FF-5B49-490E-BC18-1C663ECC0B61}) (Version: 1.00.0001 - Sports-Tek Software)
    MEET MANAGER 3.0 for Swimming (HKLM\...\{ED1D569E-3DA4-4D59-A1C2-80DFF72C962F}) (Version: 1.00.0001 - HY-TEK Sports Software)
    Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
    Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
    Microsoft Lync 2010 Attendee (HKLM\...\{6F72D695-5188-4484-B21E-E16CD89C4008}) (Version: 4.0.7577.4446 - Microsoft Corporation)
    Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
    Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
    Microsoft Office Visio Professional 2007 (HKLM\...\VISPRO) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft Text-to-Speech Engine 4.0 (English) (HKLM\...\MSTTS) (Version: - )
    Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
    mIRC (HKLM\...\mIRC) (Version: - )
    Mozilla Firefox 42.0 (x86 en-US) (HKLM\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
    Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 42.0 - Mozilla)
    MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
    Password Safe 1.7.1 (HKLM\...\{9886C963-FB48-4C58-8E75-64816F220D1D}) (Version: 1.7.1 - SBC)
    Pdf995 (installed by H&R Block) (HKLM\...\Pdf995) (Version: - )
    PdfEdit995 (installed by H&R Block) (HKLM\...\PdfEdit995) (Version: - )
    PhotoStitch (Version: 3.1.8 - Canon) Hidden
    PokerStars (HKLM\...\PokerStars) (Version: - PokerStars)
    Radiator (remove only) (HKLM\...\Radiator) (Version: - )
    Radmin Viewer 3.4 (HKLM\...\{2517B7EA-6C03-4D86-A1B1-F3FE1C3BC03B}) (Version: 3.41.0000 - Famatech)
    REALTEK GbE & FE Ethernet PCI-E NIC Driver (HKLM\...\{C9BED750-1211-4480-B1A5-718A3BE15525}) (Version: 1.30.0000 - Realtek)
    Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6106 - Realtek Semiconductor Corp.)
    Remote Administrator v2.2 (HKLM\...\Remote Administrator v2.2) (Version: - )
    RemoteCapture 2.6 (Version: 2.6.0 - Your Company Name) Hidden
    Revo Uninstaller Pro 2.5.9 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.9 - VS Revo Group, Ltd.)
    Samsung New PC Studio (HKLM\...\InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}) (Version: 1.00.0000 - Samsung Electronics Co., Ltd.)
    Samsung New PC Studio (Version: 1.00.0000 - Samsung Electronics Co., Ltd.) Hidden
    SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.3.650.0 - SAMSUNG Electronics Co., Ltd.)
    Savings Bond Wizard (HKLM\...\Savings Bond Wizard) (Version: - )
    ScanCraft CS-P (HKLM\...\ScanCraft CS-P) (Version: - )
    SecureAuthOTP (HKLM\...\{21CBD08B-1E83-4D4B-B1FE-BB5424245BB5}) (Version: 1.11.0000 - SecureAuth)
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
    SketchUp 2013 (HKLM\...\{B75BC01B-4586-43F8-9349-D250DB98F26F}) (Version: 13.0.4812 - Trimble Navigation Limited)
    SketchUp 2014 (HKLM\...\{A608A8D3-E77C-4BEE-8F2A-F8124F5F0FE2}) (Version: 14.0.4900 - Trimble Navigation Limited)
    SmartFTP Client 2.0 (HKLM\...\{C169D3BB-9A27-43F5-9979-09A0D65FE95C}) (Version: 2.0.1000 - SmartFTP)
    SmartFTP Client 2.0 Setup Files (remove only) (HKLM\...\SmartFTP Client 2.0 Setup Files) (Version: "2.0" - "SmartFTP")
    Snagit 10 (HKLM\...\{5BCC634A-58AD-42F9-B3C6-2EA52F81CF85}) (Version: 10.0.0 - TechSmith Corporation)
    Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
    StudioLine Photo (HKLM\...\StudioLine Photo) (Version: - )
    TeamViewer 8 (HKLM\...\TeamViewer 8) (Version: 8.0.16642 - TeamViewer)
    VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
    WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
    Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
    Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
    Windows Management Framework Core (HKLM\...\KB968930) (Version: - Microsoft Corporation)
    Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
    Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
    Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
    Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
    WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )
    WinZip 15.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}) (Version: 15.0.9302 - WinZip Computing, S.L. )

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{01E0A80A-97FD-4FC2-B75D-C754396CD255}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0BBFE402-CCA1-4f64-9322-13B66D841049}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}\InprocServer32 -> C:\Program Files\TNT2\TNT2UserPS.dll => No File
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{156B30E4-2D3D-4257-A340-9BDD2E972E2E}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\Video2ActiveXWnd.ocx ()
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{2115F58A-CE09-47CC-A0B1-A8A2EC0C5423}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{25D005BF-FE63-4cce-AA25-CE952B1D9381}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{638B203F-8FB6-49ec-A139-AB8C530F0CAB}\MSPowerPoint.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{48A60FE8-C446-4371-95EB-258B14DCC5AC}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{54050FBB-F2AE-404b-8BFD-7EE3EC784A52}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{18AA4E21-D540-4a3a-9F9F-E6DE33D6F253}\MSExcel.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe" => No F (the data entry has 3 more characters).
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{5A31DC2C-BC50-4F71-93B8-2EC648404AF3}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\Video2ActiveXWnd.ocx ()
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{6B1948B3-9547-42F8-9B37-7AA9768134C4}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{7949C823-54C6-40F0-8D85-2348247E6820}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Utilities\IWMaterials.ocx (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{795B06EA-58E8-482C-AF11-A7E4E34DA16F}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{7A162288-DE78-473C-A6BA-23FF17F768E9}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1440\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{88BE9158-3A40-4907-B2F0-7E72496A9596}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{8A3C5585-D1ED-4EC0-B3C4-94998094E5BB}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{8CC82228-2200-4D22-9859-B762582F6D31}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{CC9F903E-1C4B-4596-B410-982107EC4899}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{DE471660-5535-47A8-949A-9DA95A72951F}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Utilities\IWMaterials.ocx (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{E169D2B5-9411-47B9-A473-345A3FB57090}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{F4A2332C-B453-4424-A142-AB9C51BAE2AF}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{F8ACB9F2-2A7D-4261-AA37-A39448C23CAE}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\dsoframer.ocx (AT&T Inc.)

    ==================== Restore Points =========================

    06-08-2015 21:33:44 System Checkpoint
    06-08-2015 22:31:01 Software Distribution Service 3.0
    07-08-2015 22:48:46 System Checkpoint
    07-08-2015 23:35:54 Software Distribution Service 3.0
    08-08-2015 22:14:06 Software Distribution Service 3.0
    09-08-2015 22:37:28 Software Distribution Service 3.0
    10-08-2015 06:48:03 Printer Driver PDF995 Printer Driver Installed
    10-08-2015 22:19:20 Software Distribution Service 3.0
    11-08-2015 21:04:01 avast! antivirus system restore point
    11-08-2015 21:05:39 Installed Windows XP Wdf01009.
    11-08-2015 22:03:06 Software Distribution Service 3.0
    12-08-2015 21:55:05 Software Distribution Service 3.0
    12-08-2015 23:14:20 Software Distribution Service 3.0
    13-08-2015 21:48:31 Software Distribution Service 3.0
    14-08-2015 05:24:09 Software Distribution Service 3.0
    14-08-2015 22:43:58 Software Distribution Service 3.0
    15-08-2015 23:08:27 System Checkpoint
    16-08-2015 02:00:17 Software Distribution Service 3.0
    16-08-2015 21:10:45 Software Distribution Service 3.0
    17-08-2015 21:19:39 System Checkpoint
    17-08-2015 21:37:32 Software Distribution Service 3.0
    17-08-2015 22:00:48 Software Distribution Service 3.0
    17-08-2015 22:32:23 Software Distribution Service 3.0
    18-08-2015 21:47:58 Software Distribution Service 3.0
    18-08-2015 21:55:59 Software Distribution Service 3.0
    18-08-2015 22:16:55 Software Distribution Service 3.0
    19-08-2015 05:48:08 Software Distribution Service 3.0
    19-08-2015 06:18:04 Software Distribution Service 3.0
    19-08-2015 06:25:38 Software Distribution Service 3.0
    19-08-2015 19:24:33 Software Distribution Service 3.0
    19-08-2015 19:55:52 Software Distribution Service 3.0
    19-08-2015 21:43:31 Software Distribution Service 3.0
    20-08-2015 21:29:27 Software Distribution Service 3.0
    21-08-2015 22:15:46 Software Distribution Service 3.0
    21-08-2015 22:18:40 Software Distribution Service 3.0
    22-08-2015 22:45:35 System Checkpoint
    23-08-2015 02:00:16 Software Distribution Service 3.0
    23-08-2015 21:06:47 Software Distribution Service 3.0
    24-08-2015 21:43:56 Software Distribution Service 3.0
    24-08-2015 22:19:04 Software Distribution Service 3.0
    25-08-2015 10:17:39 Software Distribution Service 3.0
    25-08-2015 22:19:44 Software Distribution Service 3.0
    26-08-2015 19:39:01 Software Distribution Service 3.0
    26-08-2015 21:23:34 Software Distribution Service 3.0
    27-08-2015 21:51:18 Software Distribution Service 3.0
    28-08-2015 19:32:16 Software Distribution Service 3.0
    28-08-2015 22:49:37 Software Distribution Service 3.0
    29-08-2015 15:06:00 Software Distribution Service 3.0
    30-08-2015 02:00:16 Software Distribution Service 3.0
    30-08-2015 22:06:42 Software Distribution Service 3.0
    31-08-2015 21:26:35 Software Distribution Service 3.0
    01-09-2015 21:49:26 System Checkpoint
    01-09-2015 22:00:56 Software Distribution Service 3.0
    02-09-2015 21:35:59 Software Distribution Service 3.0
    02-09-2015 21:42:06 Software Distribution Service 3.0
    03-09-2015 07:35:43 Software Distribution Service 3.0
    03-09-2015 07:42:52 Software Distribution Service 3.0
    03-09-2015 22:02:08 Software Distribution Service 3.0
    04-09-2015 22:01:23 Software Distribution Service 3.0
    05-09-2015 22:06:04 Software Distribution Service 3.0
    05-09-2015 22:11:03 Software Distribution Service 3.0
    05-09-2015 22:16:39 Software Distribution Service 3.0
    05-09-2015 22:18:13 Software Distribution Service 3.0
    06-09-2015 11:27:13 Software Distribution Service 3.0
    06-09-2015 22:03:20 Software Distribution Service 3.0
    07-09-2015 22:08:30 Software Distribution Service 3.0
    08-09-2015 21:53:50 Software Distribution Service 3.0
    09-09-2015 21:20:20 Software Distribution Service 3.0
    09-09-2015 21:22:30 Software Distribution Service 3.0
    10-09-2015 05:02:39 Software Distribution Service 3.0
    10-09-2015 22:18:21 Software Distribution Service 3.0
    11-09-2015 22:21:48 Software Distribution Service 3.0
    12-09-2015 22:49:51 Software Distribution Service 3.0
    13-09-2015 22:17:29 Software Distribution Service 3.0
    14-09-2015 08:01:30 Software Distribution Service 3.0
    14-09-2015 08:18:31 Software Distribution Service 3.0
    14-09-2015 09:27:38 Software Distribution Service 3.0
    14-09-2015 09:46:20 Software Distribution Service 3.0
    14-09-2015 10:00:52 Software Distribution Service 3.0
    14-09-2015 20:01:00 Software Distribution Service 3.0
    15-09-2015 20:11:08 System Checkpoint
    15-09-2015 21:46:14 Software Distribution Service 3.0
    16-09-2015 08:23:25 Software Distribution Service 3.0
    16-09-2015 21:38:56 Software Distribution Service 3.0
    17-09-2015 21:36:51 Software Distribution Service 3.0
    18-09-2015 22:11:16 System Checkpoint
    18-09-2015 22:13:45 Software Distribution Service 3.0
    19-09-2015 21:03:09 Software Distribution Service 3.0
    20-09-2015 06:04:34 Software Distribution Service 3.0
    20-09-2015 22:36:11 Software Distribution Service 3.0
    21-09-2015 09:21:00 Software Distribution Service 3.0
    21-09-2015 09:28:43 Software Distribution Service 3.0
    21-09-2015 09:29:24 Software Distribution Service 3.0
    21-09-2015 10:42:42 Software Distribution Service 3.0
    21-09-2015 21:05:13 Software Distribution Service 3.0
    22-09-2015 21:48:01 Software Distribution Service 3.0
    23-09-2015 07:40:23 Software Distribution Service 3.0
    23-09-2015 21:48:45 Software Distribution Service 3.0
    24-09-2015 05:01:25 Software Distribution Service 3.0
    24-09-2015 22:16:34 Software Distribution Service 3.0
    25-09-2015 21:00:01 Software Distribution Service 3.0
    25-09-2015 21:02:39 Software Distribution Service 3.0
    26-09-2015 05:09:09 Software Distribution Service 3.0
    26-09-2015 21:49:19 Software Distribution Service 3.0
    27-09-2015 22:46:30 Software Distribution Service 3.0
    28-09-2015 21:37:54 Software Distribution Service 3.0
    29-09-2015 20:38:46 Software Distribution Service 3.0
    29-09-2015 21:44:19 Software Distribution Service 3.0
    30-09-2015 20:07:52 Software Distribution Service 3.0
    01-10-2015 20:12:48 System Checkpoint
    01-10-2015 21:47:44 Software Distribution Service 3.0
    02-10-2015 22:08:36 Software Distribution Service 3.0
    03-10-2015 23:02:14 Software Distribution Service 3.0
    04-10-2015 21:47:21 Software Distribution Service 3.0
    06-10-2015 06:00:12 System Checkpoint
    07-10-2015 06:37:02 System Checkpoint
    08-10-2015 10:01:48 System Checkpoint
    09-10-2015 10:37:38 System Checkpoint
    10-10-2015 10:56:48 System Checkpoint
    11-10-2015 11:07:52 System Checkpoint
    12-10-2015 12:01:50 System Checkpoint
    13-10-2015 13:00:19 System Checkpoint
    14-10-2015 15:08:02 System Checkpoint
    15-10-2015 15:09:19 System Checkpoint
    17-10-2015 07:10:13 System Checkpoint
    18-10-2015 07:58:04 System Checkpoint
    19-10-2015 08:53:12 System Checkpoint
    20-10-2015 09:00:04 System Checkpoint
    21-10-2015 09:32:27 System Checkpoint
    22-10-2015 19:48:01 System Checkpoint
    24-10-2015 08:14:38 System Checkpoint
    24-10-2015 13:56:12 Software Distribution Service 3.0
    25-10-2015 07:23:03 Software Distribution Service 3.0
    25-10-2015 07:25:08 Software Distribution Service 3.0
    25-10-2015 07:35:03 Software Distribution Service 3.0
    25-10-2015 07:53:53 Software Distribution Service 3.0
    25-10-2015 08:26:12 Software Distribution Service 3.0
    25-10-2015 08:39:05 Software Distribution Service 3.0
    25-10-2015 21:47:11 Software Distribution Service 3.0
    26-10-2015 05:25:03 Software Distribution Service 3.0
    26-10-2015 17:13:54 Software Distribution Service 3.0
    27-10-2015 17:23:22 System Checkpoint
    28-10-2015 17:50:16 System Checkpoint
    29-10-2015 18:35:42 System Checkpoint
    31-10-2015 11:55:54 System Checkpoint
    01-11-2015 14:10:18 System Checkpoint
    02-11-2015 16:12:44 System Checkpoint
    03-11-2015 18:02:17 System Checkpoint
    04-11-2015 13:37:42 Restore Operation
    04-11-2015 13:41:47 avast! antivirus system restore point
    04-11-2015 13:50:21 Installed Windows XP Wdf01009.

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2001-08-23 06:00 - 2015-08-04 05:58 - 00000859 ____N C:\WINDOWS\system32\Drivers\etc\hosts

    127.0.0.1 localhost
    144.160.5.48 missl9.vpn.att.com
    144.160.7.171 usmiclient.vpn.att.com

    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\Alwil Software\Avast5\AvastEmUpdate.exe
    Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1390067357-926492609-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\3770\g2mupdate.exe
    Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1390067357-926492609-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\3770\g2mupload.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

    ==================== Loaded Modules (Whitelisted) ==============

    2014-03-12 14:53 - 2014-03-12 14:53 - 00063376 _____ () C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\zlib1.dll
    2015-05-28 20:06 - 2015-08-11 21:04 - 00102864 _____ () C:\Program Files\Alwil Software\Avast5\log.dll
    2015-05-28 20:06 - 2015-08-11 21:04 - 00123976 _____ () C:\Program Files\Alwil Software\Avast5\JsonRpcServer.dll
    2015-11-03 06:01 - 2015-11-03 06:01 - 03014608 _____ () C:\Program Files\Alwil Software\Avast5\defs\15110300\algo.dll
    2015-11-04 13:51 - 2015-11-04 13:51 - 02989568 _____ () C:\Program Files\Alwil Software\Avast5\defs\15110400\algo.dll
    2013-09-04 23:14 - 2013-09-04 23:14 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
    2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2012-05-23 16:05 - 2009-08-16 16:06 - 00141312 _____ () C:\Program Files\WinRAR\rarext.dll
    2015-08-10 06:47 - 2015-08-10 06:47 - 00036864 _____ () C:\WINDOWS\system32\pdf995mon.dll
    2013-02-17 21:21 - 2012-11-28 11:50 - 00018856 _____ () C:\WINDOWS\System32\spool\PRTPROCS\W32X86\TeamViewer_PrintProcessor.dll
    2015-03-13 16:23 - 2015-05-28 20:07 - 40540672 _____ () C:\Program Files\Alwil Software\Avast5\libcef.dll
    2014-03-07 20:11 - 2007-10-23 16:24 - 01304576 _____ () C:\Program Files\AT&T tReader\treader.exe
    2014-03-07 20:11 - 2007-10-23 16:24 - 00434688 _____ () C:\Program Files\AT&T tReader\theme.dll
    2015-10-17 07:55 - 2015-10-17 07:55 - 17599688 _____ () C:\WINDOWS\system32\Macromed\Flash\NPSWF32_19_0_0_226.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

    ==================== EXE Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)

    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\att.com -> hxxps://*.vpn.att.com
    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\fixme.it -> hxxps://fixme.it
    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\fujitsu.com -> hxxps://sslvpn2.fai.fujitsu.com
    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\measureup.com -> measureup.com

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    DNS Servers: 192.168.88.1
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    StandardProfile\AuthorizedApplications: [C:\Program Files\mIRC\mirc.exe] => Enabled:mIRC
    StandardProfile\AuthorizedApplications: [C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe] => Enabled:SmartFTP Client 2.0
    StandardProfile\AuthorizedApplications: [C:\Hy-Sport\SwMM2\SwimMM2.exe] => Enabled:Swim Meet Manager
    StandardProfile\AuthorizedApplications: [D:\C_2010_09_04\Program Files\mIRC\mirc.exe] => Enabled:mIRC
    StandardProfile\AuthorizedApplications: [C:\Program Files\NetAcquire\NetAcquire.exe] => Enabled:Play the Acquire board game on the Internet.
    StandardProfile\AuthorizedApplications: [C:\Program Files\AT&T Global Network Client\SwiApiMux.exe] => Enabled:SwiApiMux
    StandardProfile\AuthorizedApplications: [C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe] => Enabled:KTF MUSIC AoD Server
    StandardProfile\AuthorizedApplications: [C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe] => Enabled:KTF MUSIC VoD Server
    StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Enabled:Yahoo! Messenger
    StandardProfile\AuthorizedApplications: [D:\Program Files\Savings Bond Wizard\SBWizard.exe] => Enabled:Savings Bond Wizard
    StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version8\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
    StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe] => Enabled:Teamviewer Remote Control Service
    StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
    StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\GROOVE.EXE] => Enabled:Microsoft SharePoint Workspace
    StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE] => Enabled:Microsoft OneNote
    StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
    StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft Lync Attendee\AttendeeCommunicator.exe] => Enabled:Lync Attendee
    StandardProfile\AuthorizedApplications: [C:\Program Files\Arduino\java\bin\javaw.exe] => Enabled:Java(TM) Platform SE binary
    StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:'Firefox' (C:\Program Files\Mozilla Firefox)
    DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
    DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
    DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
    DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
    StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
    StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
    StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
    StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
    StandardProfile\GloballyOpenPorts: [5985:TCP] => Disabled:Windows Remote Management
    StandardProfile\GloballyOpenPorts: [80:TCP] => Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
    StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
    StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008

    ==================== Faulty Device Manager Devices =============

    Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Manufacturer: Cisco Systems
    Service: vpnva
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
    Description: The application cannot be initialized.

    Context: Windows Application

    Details:
    The content index cannot be read. (0xc0041800)

    Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
    Description: The gatherer object cannot be initialized.

    Context: Windows Application, SystemIndex Catalog

    Details:
    The content index cannot be read. (0xc0041800)

    Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
    Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

    Context: Windows Application, SystemIndex Catalog

    Details:
    The content index cannot be read. (0xc0041800)

    Error: (11/04/2015 01:40:51 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
    Description: The search service has detected corrupted data files in the index. The service will attempt to automatically correct this problem by rebuilding the index.

    Context: Windows Application, SystemIndex Catalog

    Details:
    0xc0041801 (0xc0041801)

    Error: (10/30/2015 05:13:59 AM) (Source: Microsoft Office 14) (EventID: 1000) (User: )
    Description: Faulting application outlook.exe, version 14.0.7160.5000, stamp 55fb0b2c, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x178bcc58.

    Error: (10/28/2015 06:00:46 AM) (Source: Windows Search Service) (EventID: 3024) (User: )
    Description: The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again.

    Context: Application, SystemIndex Catalog

    Error: (10/26/2015 10:28:52 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
    Description: office12proofingtoolswinword.exe14.0.7155.5001mssp7en.dll14.0.7107.50001033ignoreonceNILNILNILNIL

    Error: (10/26/2015 10:28:51 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
    Description: office12proofingtoolswinword.exe14.0.7155.5001msgr3en.dll3.1.0.175191033ignoreonceNILNILNILNIL

    Error: (10/26/2015 10:28:51 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
    Description: office12proofingtoolswinword.exe14.0.7149.5000msgr3en.dll3.1.0.175191033acceptsuggestionNILNILNILNIL

    Error: (10/26/2015 10:28:51 AM) (Source: Office12ProofingTools) (EventID: 5000) (User: )
    Description: office12proofingtoolswinword.exe14.0.7149.5000mssp7en.dll14.0.7107.50001033acceptcsssuggestionNILNILNILNIL


    System errors:
    =============
    Error: (11/04/2015 01:41:12 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
    Description: The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

    Error: (11/04/2015 01:40:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The RadPciNT service failed to start due to the following error:
    %%55

    Error: (11/04/2015 01:40:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Java Quick Starter service failed to start due to the following error:
    %%2

    Error: (11/04/2015 01:40:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The GemTek USB FM Radio 21 driver service failed to start due to the following error:
    %%1058

    Error: (11/04/2015 01:40:47 PM) (Source: 0) (EventID: 2) (User: )
    Description:

    Error: (11/04/2015 01:26:01 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The Service Mgr SearchMoreKnow service hung on starting.

    Error: (11/04/2015 01:24:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The RadPciNT service failed to start due to the following error:
    %%55

    Error: (11/04/2015 01:24:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Java Quick Starter service failed to start due to the following error:
    %%2

    Error: (11/04/2015 01:24:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The GemTek USB FM Radio 21 driver service failed to start due to the following error:
    %%1058

    Error: (11/04/2015 01:24:26 PM) (Source: 0) (EventID: 2) (User: )
    Description:


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz
    Percentage of memory in use: 83%
    Total physical RAM: 2009.74 MB
    Available physical RAM: 337.37 MB
    Total Virtual: 3902.79 MB
    Available Virtual: 2250.35 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:298.09 GB) (Free:231.83 GB) NTFS ==>[drive with boot components (Windows XP)]
    Drive d: () (Fixed) (Total:298.09 GB) (Free:118.69 GB) NTFS ==>[drive with boot components (Windows XP)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: C5ABC5AB)
    Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: 3F0C8D80)
    Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

    ==================== End of Addition.txt ============================

    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2015-11-04 14:43:13
    -----------------------------
    14:43:13.515 OS Version: Windows 5.1.2600 Service Pack 3
    14:43:13.515 Number of processors: 2 586 0x170A
    14:43:13.515 ComputerName: JOE UserName: Dad
    14:43:17.812 Initialize success
    14:43:17.843 VM: initialized successfully
    14:43:17.843 VM: Intel CPU virtualization not supported
    14:43:30.000 AVAST engine defs: 15110400
    14:43:38.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    14:43:38.968 Disk 0 Vendor: WDC_WD3200AAJB-00WGA0 00.02C01 Size: 305245MB BusType: 3
    14:43:38.984 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
    14:43:38.984 Disk 1 Vendor: WDC_WD3200AAJB-00WGA0 00.02C01 Size: 305245MB BusType: 3
    14:43:39.171 Disk 0 MBR read successfully
    14:43:39.171 Disk 0 MBR scan
    14:43:39.296 Disk 0 Windows XP default MBR code
    14:43:39.296 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305242 MB offset 63
    14:43:39.312 Disk 0 default boot code
    14:43:39.312 Disk 0 scanning sectors +625137345
    14:43:39.390 Disk 0 scanning C:\WINDOWS\system32\drivers
    14:44:05.843 Service scanning
    14:44:42.203 Modules scanning
    14:44:42.218 Disk 0 trace - called modules:
    14:44:42.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    14:44:42.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5dbab8]
    14:44:42.234 3 CLASSPNP.SYS[b98e8fd7] -> nt!IofCallDriver -> \Device\00000071[0x8a60ef18]
    14:44:42.234 5 ACPI.sys[b977f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a5f6d98]
    14:44:45.578 AVAST engine scan C:\WINDOWS
    14:45:40.781 AVAST engine scan C:\WINDOWS\system32
    14:52:30.937 AVAST engine scan C:\WINDOWS\system32\drivers
    14:53:08.515 AVAST engine scan C:\Documents and Settings\Dad
    15:40:56.968 AVAST engine scan C:\Documents and Settings\All Users
    15:45:07.546 Disk 0 statistics 2879708/0/0 @ 0.47 MB/s
    15:45:07.562 Scan finished successfully
    15:46:20.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dad\My Documents\Downloads\MBR.dat"
    15:46:20.578 The log file has been saved successfully to "C:\Documents and Settings\Dad\My Documents\Downloads\aswMBR.txt"

    (END LOGS)
    Last edited by tashi; 2015-11-05 at 07:06. Reason: Disabled live link

  2. #2
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,846

    Default

    eShield Browser Security <== please go to add/remove programs list and uninstall/remove this



    Please go to one of the below sites to scan the following files:
    Virus Total (Recommended)
    jotti.org
    VirScan
    click on Browse, search for and upload the following file for analysis:

    C:\WINDOWS\system32\r_server.exe


    Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
    If it says already scanned -- click "reanalyze now"
    Please post the results in your next reply.


    ~~~~~~~~~~~~~~~~~~~
    Running from C:\Documents and Settings\Dad\My Documents\Downloads

    It's best we move Farbar's to desktop.

    Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
    Go to an open spot on your desktop, right click and select PASTE
    You should now have Farbar Recovery Scan Tool on your desktop.


    Please open Notepad *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)





    start
    CreateRestorePoint:
    CloseProcesses:
    URLSearchHook: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {40C1DB81-4E42-4296-B026-A44077934BA1} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
    BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll => No File
    Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll No File
    Toolbar: HKLM - No Name - {00011268-E188-40DF-A514-835FCD78B1BF} - No File
    Toolbar: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    FF NewTab: hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaB0tXUUEeGGlxR1dMclBCMlpQLFYDRH5NL04=
    FF Keyword.URL: hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTR0cFME0FB18EURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
    FF user.js: detected! => C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js [2015-11-04]
    FF Extension: SearchMoreKnow - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] [not signed]
    FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff => not found
    CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE8TkdGC1dXFg=="
    CHR DefaultSearchURL: Default -> hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTQkcFME0FBloEURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
    CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP
    2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134
    2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134
    2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\SearchMoreKnow
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}\InprocServer32 -> C:\Program Files\TNT2\TNT2UserPS.dll => No File
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe" => No F (the data entry has 3 more characters).
    EmptyTemp:
    Hosts:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
    • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Please download Junkware Removal Tool
    or from here http://downloads.malwarebytes.org/file/jrt
    to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    ~~
    please post
    File requested scanned
    Fixlog.txt
    AdwCleaner[CX].txt
    JRT.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
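The fixlist above is built by reading FRST's own output and picking out the entries that point at the hijack host (searchinterneat-a.akamaihd.net) and the entries whose target file no longer exists ("No File" / "not found"). The following Python script is an added triage helper, not code from this thread or from FRST, that does that first pass automatically over FRST-style lines. The sample lines are a constructed subset of the FRST output quoted in this thread; the function and class names (triage, referenced_hosts, summarize, Finding) are this example's own.

```python
"""Triage helper for FRST-style log lines (added example; not part of the
forum thread and not FRST's own code).  It flags entries that mention a
known hijack host and entries whose target is missing on disk, which is
exactly what an FRST fixlist is assembled from."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the FRST lines quoted earlier in the thread.
# Raw string so the registry paths keep their backslashes.
SAMPLE_LINES = r"""
FF NewTab: hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFES
FF Keyword.URL: hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZ&q={searchTerms}
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8S"
CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll => No File
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff => not found
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
"""

# The host FRST flagged in the fixlist (taken from the thread).
HIJACK_HOST = "searchinterneat-a.akamaihd.net"

# FRST defangs URLs as hxxp:// ; accept both defanged and plain schemes and
# capture the host part (everything up to the next '/', quote or whitespace).
HOST_RE = re.compile(r"\bh(?:xx|tt)ps?://([^\s/\"'<>]+)", re.IGNORECASE)

# Suffixes FRST appends when the file an entry points to is missing.
ORPHAN_SUFFIXES = ("No File", "not found")


@dataclass
class Finding:
    kind: str    # the FRST entry type, e.g. "FF NewTab", "BHO", "Task"
    reason: str  # "hijack-host" or "orphan"
    line: str    # the original log line


def entry_kind(line: str) -> str:
    """FRST puts the entry type before the first colon ("Task: C:\\...")."""
    return line.split(":", 1)[0].strip()


def triage(text: str, hijack_host: str) -> list[Finding]:
    """Return one Finding per line that either references hijack_host or
    points at a file FRST reports as missing.  Benign lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if hijack_host.lower() in line.lower():
            findings.append(Finding(entry_kind(line), "hijack-host", line))
        elif line.endswith(ORPHAN_SUFFIXES):
            findings.append(Finding(entry_kind(line), "orphan", line))
    return findings


def referenced_hosts(text: str) -> list[str]:
    """All distinct hosts referenced by (defanged or plain) URLs in the log."""
    return sorted({h.lower() for h in HOST_RE.findall(text)})


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, e.g. {'hijack-host': 4, 'orphan': 2}."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LINES, HIJACK_HOST)
    for f in results:
        print(f"[{f.reason}] {f.kind}: {f.line}")
    print("hosts referenced:", referenced_hosts(SAMPLE_LINES))
    print("summary:", summarize(results))
```

On the sample above the script reports the four browser-setting entries that point at the hijack host and the two orphaned entries (the missing Snagit BHO and the missing Java extension path), and leaves the legitimate Google Update task alone. The host match is a plain substring check on purpose: FRST prints the same host in defanged URLs, bare keywords and search scope GUID lines, and a URL-only regex would miss the bare forms.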

  3. #3
    Junior Member
    Join Date
    Jan 2006
    Posts
    29

    Default

    Quote Originally Posted by Juliet
    please post
    File requested scanned
    Fixlog.txt
    AdwCleaner[CX].txt
    JRT.txt
    >eShield Browser Security <== please go to add/remove programs list and uninstall/remove this

    I did this and got a message along the lines of “uninstall failed, it may have already been uninstalled”.

    >Please go to one of the below sites to scan the following files:
    Virus Total (Recommended)
    click on Browse, search for and upload the following file for analysis:
    C:\WINDOWS\system32\r_server.exe
    Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
    Please post the results in your next reply.

    Results:

    SHA256: c16db9cdf09b66b402dce462aecce3f400ed14a39b6a216220ef24232ec67297
    File name: r_server.exe
    Detection ratio: 23 / 54
    Analysis date: 2015-11-05 02:33:54 UTC ( 1 minute ago )

    Antivirus Result Update
    AVG RemoteAdmin.AU 20151105
    AhnLab-V3 Trojan/Win32.Radmin 20151104
    Antiy-AVL Trojan[RemoteAdmin:not-a-virus]/Win32.RAdmin 20151105
    Avast Win32:Radmin-BV [PUP] 20151105
    Avira SPR/RServer.1 20151105
    Baidu-International Malware.Win32.Radmin.40 20151104
    Comodo UnclassifiedMalware 20151105
    Cyren W32/RemoteAdmin.HKXT-5475 20151105
    ESET-NOD32 Win32/RAdmin.22 potentially unsafe 20151105
    F-Prot W32/RemoteAdmin.K 20151105
    Fortinet Riskware/RemoteAdmin 20151105
    Jiangmin AdWare/RAdmin.b 20151104
    K7AntiVirus Riskware ( 0040eff71 ) 20151104
    K7GW Riskware ( 0040eff71 ) 20151104
    Kaspersky not-a-virus:RemoteAdmin.Win32.RAdmin.22 20151105
    McAfee RemAdm-Generic 20151105
    McAfee-GW-Edition RemAdm-Generic 20151105
    NANO-Antivirus Riskware.Win32.RAdmin.fzut 20151105
    Rising PE:Trojan.Win32.Generic.11E3B80D!300136461 [F] 20151104
    Sophos RemoteAdmin (PUA) 20151105
    Symantec Remacc.Radmin 20151104
    VIPRE Radmin (not malicious) 20151104
    ViRobot Trojan.Win32.S.Agent.724992.BQ[h] 20151104
    ALYac 20151105
    AVware 20151104
    Ad-Aware 20151105
    AegisLab 20151104
    Agnitum 20151104
    Alibaba 20151104
    Arcabit 20151105
    BitDefender 20151105
    Bkav 20151104
    ByteHero 20151105
    CAT-QuickHeal 20151103
    CMC 20151102
    ClamAV 20151103
    DrWeb 20151105
    Emsisoft 20151105
    F-Secure 20151105
    GData 20151105
    Ikarus 20151105
    Malwarebytes 20151105
    MicroWorld-eScan 20151105
    Microsoft 20151104
    Panda 20151104
    SUPERAntiSpyware 20151105
    Tencent 20151105
    TheHacker 20151103
    TrendMicro 20151105
    TrendMicro-HouseCall 20151105
    VBA32 20151104
    Zillya 20151104
    Zoner 20151105
    nProtect 20151104

    (END)

    >It's best we move Farbar's to desktop.

    Completed.

    >Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    Completed. Fixlog.txt attached and listed below:

    Fix result of Farbar Recovery Scan Tool (x86) Version:04-11-2015
    Ran by Dad (2015-11-04 20:10:39) Run:2
    Running from C:\Documents and Settings\Dad\Desktop
    Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    URLSearchHook: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "hxxp://www.google.com" <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {40C1DB81-4E42-4296-B026-A44077934BA1} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
    BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\Snagit 10\SnagitBHO.dll => No File
    Toolbar: HKLM - Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll No File
    Toolbar: HKLM - No Name - {00011268-E188-40DF-A514-835FCD78B1BF} - No File
    Toolbar: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    FF NewTab: hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaB0tXUUEeGGlxR1dMclBCMlpQLFYDRH5NL04=
    FF Keyword.URL: hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTR0cFME0FB18EURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
    FF user.js: detected! => C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js [2015-11-04]
    FF Extension: SearchMoreKnow - C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] [not signed]
    FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff => not found
    CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE8TkdGC1dXFg=="
    CHR DefaultSearchURL: Default -> hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfV0JUA5BQ1EWbQlbB19cFVEVeRQBWQwTDFYRJQkJVlpEEwRFdx9aFQQTQkcFME0FBloEURNNfWpdAEsSSXhMMlxzD1YG&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> searchinterneat-a.akamaihd.net
    CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP
    2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134
    2015-11-04 07:49 - 2015-11-04 13:40 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134
    2015-11-04 07:49 - 2015-11-04 13:38 - 00000000 ____D C:\Program Files\SearchMoreKnow
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe
    C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}\InprocServer32 -> C:\Program Files\TNT2\TNT2UserPS.dll => No File
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}\localserver32 -> "C:\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe" => No F (the data entry has 3 more characters).
    EmptyTemp:
    Hosts:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\ => value not found.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
    HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
    HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
    HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
    HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{40C1DB81-4E42-4296-B026-A44077934BA1} => key not found.
    HKCR\CLSID\{40C1DB81-4E42-4296-B026-A44077934BA1} => key not found.
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
    HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208} => key not found.
    "HKCR\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}" => key removed successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} => value removed successfully.
    "HKCR\CLSID\{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" => key removed successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{00011268-E188-40DF-A514-835FCD78B1BF} => value removed successfully.
    HKCR\CLSID\{00011268-E188-40DF-A514-835FCD78B1BF} => key not found.
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
    HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
    Firefox "newtab" removed successfully.
    Firefox "Keyword.URL" removed successfully.
    C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\user.js => moved successfully
    C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] => not found.
    HKLM\Software\Mozilla\Firefox\Extensions\\jqs@sun.com => value removed successfully.
    Chrome RestoreOnStartup => removed successfully.
    Chrome DefaultSearchURL => removed successfully.
    Chrome DefaultSearchKeyword => removed successfully.
    CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP => Error: No automatic fix found for this entry.
    C:\Program Files\Common Files\3a08aecf-996c-434c-872d-c3768a6d9134 => moved successfully
    C:\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134 => moved successfully
    C:\Program Files\SearchMoreKnow => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714052212265jniverify.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\20130714054412734jniverify.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\AMPing.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\BetOnline Updater.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\CitrixOnlineLauncher.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDJavaInstaller.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\CSDWebLaunch.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\cstub.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\dsHostCheckerSetup.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\fp_pl_pfs_installer.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\GdiPlus.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallerMessageBox.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\InstallManager_BAB_BAB.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\install_flashplayer14x32au_mssa_aaa_aih.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u23-windows-i586-iftw-rv.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u24-windows-i586-iftw-rv.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u29-windows-i586-iftw-rv.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u31-windows-i586-iftw-rv.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u32-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u33-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u35-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-6u37-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u11-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u13-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u15-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u21-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u45-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\mirc71.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\miunst_.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxy.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\NPSInstallerProxyMessageBoxHookDll.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00000.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\ose00001.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\Quarantine.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\Relay.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\sbwcrv.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\sqlite3.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.1.5-win32.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\vlc-2.2.1-win32.exe => moved successfully
    C:\Documents and Settings\Dad\Local Settings\Temp\wget.exe => moved successfully
    "HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0FEB2313-F89B-4AC6-8153-84025604A06A}" => key removed successfully.
    "HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{554EBE31-AEC1-4E34-BCE3-606467760D88}" => key removed successfully.
    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.
    EmptyTemp: => 5.1 GB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 20:18:17 ====

    >AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
    • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.
    Had a little trouble on this one. As best I know, my PC’s administrator account did not have a password. But when I tried to run as admin, it said the password failed. My PC reports that my account is an admin account. So I couldn’t run this under the Administrator account. I ran it under the “Dad” account, which is supposed to be administrator level. Completed. Log:
    # AdwCleaner v5.017 - Logfile created 04/11/2015 at 21:00:25
    # Updated 03/11/2015 by Xplode
    # Database : 2015-11-03.2 [Server]
    # Operating system : Microsoft Windows XP Service Pack 3 (x86)
    # Username : Dad - JOE
    # Running from : C:\Documents and Settings\Dad\Desktop\AdwCleaner.exe
    # Option : Cleaning
    # Support : http://toolslib.net/forum
    ***** [ Services ] *****
    ***** [ Folders ] *****
    ***** [ Files ] *****
    [-] File Deleted : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\search-simple.xml
    [-] File Deleted : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\yahoo.xml
    [-] File Deleted : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\default.xml
    ***** [ DLLs ] *****
    ***** [ Shortcuts ] *****
    ***** [ Scheduled tasks ] *****
    ***** [ Registry ] *****
    [-] Key Deleted : HKCU\SOFTWARE\MOZILLAPLUGINS\@tnt2npapi.com/Plugin
    [-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
    [-] Key Deleted : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
    [-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00011268-E188-40DF-A514-835FCD78B1BF}
    [-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00011268-E188-40DF-A514-835FCD78B1BF}
    [-] Key Deleted : HKCU\Software\Yahoo\Companion
    [-] Key Deleted : HKCU\Software\Yahoo\YFriendsBar
    [-] Key Deleted : HKLM\SOFTWARE\Yahoo\Companion
    [-] Key Deleted : HKLM\SOFTWARE\SmartPCFixer
    [-] Key Deleted : HKU\.DEFAULT\Software\Yahoo\Companion
    [!] Key Not Deleted : HKU\S-1-5-18\Software\Yahoo\Companion
    ***** [ Web browsers ] *****
    [-] [C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA18DB0VXfWFoKB8fHGZGIUtbCXQeU1BoLlZP");
    [-] [C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : searchinterneat-a.akamaihd.net
    *************************
    :: "Tracing" keys removed
    :: Winsock settings cleared
    ########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [2396 bytes] ##########
    >Please download Junkware Removal Tool
    to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Completed. Log:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 7.6.4 (09.28.2015:1)
    OS: Microsoft Windows XP x86
    Ran by Dad on Wed 11/04/2015 at 21:41:18.70
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~ Services
    ~~~ Tasks
    ~~~ Registry Values
    ~~~ Registry Keys
    ~~~ Files
    ~~~ Folders
    ~~~ Chrome
    [C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - default search provider reset
    [C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
    [C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
    [C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Wed 11/04/2015 at 21:44:11.42
    End of JRT log
    All items completed. All logs attached. Thank you very much for the help so far. Please advise on next steps.
    Joe
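    An added example, not part of this thread and not code from Farbar's tool: a small Python triage script that reads a Fixlog like the one posted above and separates the entries FRST fixed, the entries that were already gone ("not found"), and any entry it could not fix automatically, which is what a helper checks before deciding on the next step. The sample log is a constructed subset of the Fixlog lines posted above, kept verbatim so the parser is exercised on real FRST wording.

```python
"""Triage an FRST Fixlog: which fixlist entries were fixed, which were
already gone, and which FRST could not fix and need manual follow-up."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# FRST reports one "target => outcome" line per fixlist entry it processed.
OUTCOME_RE = re.compile(r"^(?P<target>.*?)\s*=>\s*(?P<outcome>.+?)\s*$")

# Constructed sample: a subset of the Fixlog lines posted in the thread.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\ => value not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
"HKCR\CLSID\{00C6482D-C502-44C8-8409-FCE54AD9C208}" => key removed successfully.
Firefox "newtab" removed successfully.
C:\Program Files\SearchMoreKnow => moved successfully
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi [2015-11-03] => not found.
CHR DefaultNewTabURL: Default -> hxxp://searchinterneat-a.akamaihd.net/t?eq=U0EeFFhaR1oWHFEScQ4IA11EDAVAJl8VVV1HGBgaeAxaTFpDRAUSd1oNUwgXFhNBNARaAktXUUEeJ1pNER8fHGZGIUtbCXQeU1BoLlZP => Error: No automatic fix found for this entry.
Hosts restored successfully.
EmptyTemp: => 5.1 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 20:18:17 ====
"""


def classify_outcome(outcome: str) -> str:
    """Map FRST's outcome wording to one of: fixed, not_found, error, other."""
    o = outcome.lower()
    if o.startswith("error"):
        return "error"        # e.g. "Error: No automatic fix found for this entry."
    if "not found" in o:
        return "not_found"    # entry was already gone; nothing left to remove
    if "successfully" in o or "removed" in o:
        return "fixed"        # moved/removed/restored successfully, "... data Removed."
    return "other"


@dataclass
class FixlogSummary:
    counts: Counter = field(default_factory=Counter)
    errors: List[str] = field(default_factory=list)  # targets needing manual follow-up
    reboot_needed: bool = False
    temp_freed: Optional[str] = None


def parse_fixlog(text: str) -> FixlogSummary:
    """Walk the Fixlog line by line and tally outcomes per fixlist entry."""
    summary = FixlogSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue  # blank lines and the "==== End of Fixlog" footer
        if line == "The system needed a reboot.":
            summary.reboot_needed = True
            continue
        m = OUTCOME_RE.match(line)
        if not m:
            # Lines without "=>" are global status messages
            # ("Processes closed successfully.", 'Firefox "newtab" removed successfully.').
            summary.counts["status"] += 1
            continue
        target, outcome = m.group("target"), m.group("outcome")
        kind = classify_outcome(outcome)
        summary.counts[kind] += 1
        if kind == "error":
            summary.errors.append(target)
        if target.startswith("EmptyTemp:"):
            summary.temp_freed = outcome
    return summary


def report(summary: FixlogSummary) -> str:
    """Human-readable summary; errors are listed last so they stand out."""
    lines = [
        f"fixed: {summary.counts['fixed']}, already absent: {summary.counts['not_found']}, "
        f"status lines: {summary.counts['status']}, errors: {summary.counts['error']}"
    ]
    if summary.temp_freed:
        lines.append(f"EmptyTemp: {summary.temp_freed}")
    if summary.reboot_needed:
        lines.append("reboot was required; rescan afterwards to confirm the entries stay gone")
    for target in summary.errors:
        lines.append(f"MANUAL FOLLOW-UP: {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_fixlog(SAMPLE_FIXLOG)))
```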

  4. #4
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,846

    Default

    Please just post log results, no need to include my instructions.

    NOTE: It is good practice to copy and paste the instructions into notepad and save to desktop and/or print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.
    ~~~~~~~~~~~~~~~~~~~~~~~


    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad or any other text editor than Notepad, or the script will fail!* Copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right-click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CloseProcesses:
    S3 r_server; C:\WINDOWS\system32\r_server.exe [724992 2004-08-06] () [File not signed]
    C:\WINDOWS\system32\r_server.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~

    Download Malwarebytes' Anti-Malware TO YOUR DESKTOP


    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"







    • On the Dashboard click on Update Now
    • Go to the Setting Tab
    • Under Setting go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • When the scan is finished and the log pops up...select Copy to Clipboard
    • Please paste the log back into this thread for review
    • Exit Malwarebytes


    After the restart, once you are back at your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click 'Copy to Clipboard'
    Paste the contents of the clipboard into your reply


    Please post these 2 logs when finished. Also, how is the computer now?

  5. #5
    Junior Member
    Join Date
    Jan 2006
    Posts
    29

    Thumbs up

    Quote Originally Posted by Juliet View Post
    Please post these 2 logs when finished. Also, how is the computer now?
    The PC and internet browsers (checked Chrome, Firefox and IE) all appear to be OK, based on a test of less than 3 minutes. THANK YOU!

    The instructions for Malwarebytes could be taken two ways: posting the log for the first scan, the last scan, or both. To cover all bases, I'm posting 3 logs:

    The FRST log of the newest Fixlist.txt input that you provided
    The first Malwarebytes log
    The last Malwarebytes log (after restart)

    Right now, I think I'm all good, but if you have further instructions or steps to take, let me know. Otherwise, thank you again for helping me through this.

    Fix result of Farbar Recovery Scan Tool (x86) Version:04-11-2015
    Ran by Dad (2015-11-05 06:14:13) Run:3
    Running from C:\Documents and Settings\Dad\Desktop
    Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    start
    CloseProcesses:
    S3 r_server; C:\WINDOWS\system32\r_server.exe [724992 2004-08-06] () [File not signed]
    C:\WINDOWS\system32\r_server.exe
    EmptyTemp:
    End
    *****************

    Processes closed successfully.
    r_server => service removed successfully.
    C:\WINDOWS\system32\r_server.exe => moved successfully
    EmptyTemp: => 115.8 MB temporary data Removed.

    The system needed a reboot.

    ==== End of Fixlog 06:15:30 ====

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 11/5/2015
    Scan Time: 6:51:50 AM
    Logfile:
    Administrator: Yes

    Version: 2.2.0.1024
    Malware Database: v2015.11.05.03
    Rootkit Database: v2015.11.04.02
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Dad

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 338817
    Time Elapsed: 40 min, 35 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 6
    PUP.Optional.eShield, HKLM\SOFTWARE\GOOGLE\CHROME\NATIVEMESSAGINGHOSTS\com.eshield.extension_host, Quarantined, [105725552269d85e90faae1573907888],
    PUP.Optional.TidyNetwork, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\DRAGDROP\{70BC1CDB-0744-4172-BDA0-B5A487D00C3A}, Quarantined, [3e29a5d5632840f61c27c3cbfd063cc4],
    PUP.Optional.OpenApp, HKLM\SOFTWARE\WOW6432NODE\GOOGLE\CHROME\EXTENSIONS\kincjchfokkeneeofpeefomkikfkiedl, Quarantined, [db8c8eec1972f3437497d7a504ff629e],
    PUP.Optional.TidyNetwork, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\DRAGDROP\{70BC1CDB-0744-4172-BDA0-B5A487D00C3A}, Quarantined, [3f28a3d7d3b874c266d31975ee15bc44],
    PUP.Optional.TNT, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{72A6AB0F-2FA8-4C73-9FCB-1E62A608F001}, Quarantined, [3037ef8b78130135b1b2a8e643c033cd],
    PUP.Optional.SmartBar, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\SMARTBAR, Quarantined, [363188f253380432a5536423c63d7f81],

    Registry Values: 2
    PUP.Optional.TNT, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{72A6AB0F-2FA8-4C73-9FCB-1E62A608F001}|AppName, TNT2User.exe, Quarantined, [3037ef8b78130135b1b2a8e643c033cd]
    PUP.Optional.SmartBar, HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\SMARTBAR|GlobalUserId, 61866C50-084F-4CD7-B44B-8AC92F7FA013, Quarantined, [363188f253380432a5536423c63d7f81]

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 3
    PUP.Optional.Yontoo, C:\search-simple.xml, Quarantined, [16510773f893aa8c71be1db119eae31d],
    PUP.Optional.Yontoo, C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\prefs.js, Good: (browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/), Bad: (browser.startup.homepage", "http://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRghHcQgPUVsVFBgTI19eTA0VFwwOeQENAxQSE1ATcQ5bVAtARwIFIk0FA18DB0VXfWFoKB8fHGZGIUtbCXQeU1BoLlZP"), Replaced,[9bcc8ceed8b31a1c2d811d5351b3fe02]
    PUP.Optional.BDYahoo, C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\searchplugins\default.xml, Quarantined, [41264337711a2d096cdd0668976d24dc],

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 11/5/2015
    Scan Time: 8:19:56 AM
    Logfile:
    Administrator: Yes

    Version: 2.2.0.1024
    Malware Database: v2015.11.05.03
    Rootkit Database: v2015.11.04.02
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Dad

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 339092
    Time Elapsed: 18 min, 23 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

  6. #6
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,846

    Default

    The PC and internet browser (checked Chrome, Firefox and IE) all appear to be ok, based on a less than 3 minute test. THANK YOU!
    You're very welcome.

    The instructions for the Malwarebytes could be taken two ways, with either posting the log for first scan or the last scan or both. To cover all bases, I'm posting 3 logs:
    Yes, and I apologize for that, but other helpers and I have an ongoing battle trying to explain how to post the finished logs from MBAM to show all it quarantined.
    The steps you took show me the results and I thank you.

    ~~~~~~~~~~~~~~~~~~~~
    I think the next scan will probably be our last. It can take quite a while, but I really think it's needed.


    ******
    What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this; also, in case of a false positive, I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course on how full your computer is.




    ESET Online Scan
    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
    • Please download ESET Online Scan and save the file to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Double-click esetsmartinstaller_enu.exe to run the programme.
    • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
    • Agree to the Terms of Use once more and click Start. Allow components to download.
    • Place a checkmark next to Enable detection of potentially unwanted applications.
    • Click Advanced settings. Place a checkmark next to:
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Ensure Remove found threats is unchecked.
    • Click Start.
    • Wait for the scan to finish. Please be patient as this can take some time.
    • Upon completion, click . If no threats were found, skip the next two bullet points.
    • Click and save the file to your Desktop, naming it something such as "MyEsetScan".
    • Push the Back button.
    • Place a checkmark next to and click .
    • Re-enable your anti-virus software.
    • Copy the contents of the log and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  7. #7
    Junior Member
    Join Date
    Jan 2006
    Posts
    29

    Default

    Quote Originally Posted by Juliet View Post
    save the file to your Desktop, naming it something such as "MyEsetScan".
    Copy the contents of the log and paste in your next reply.
    Ok, here's the Eset scan log. If there is anything else, let me know. Should the items found in the last scan be deleted (other than a few on the list I see that I know are ok)?

    THANKS AGAIN!

    Joe

    C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\apn\APN-Stub\W3IV6-G(2)\APNIC.7z.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\All Users\Application Data\apn\APN-Stub\W3IV6-G(2)\BIT28.tmp.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\Autorun.inf.vir Win32/Toolbar.TNT2.F potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\IEToolbar.dll.vir a variant of Win32/Toolbar.TNT2.B potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\npTNT2.dll.vir a variant of Win32/Toolbar.TNT2.H potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\TNT2User.exe.vir a variant of Win32/Toolbar.TNT2.A potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\2.0.0.1995\xpi.tar.vir Win32/Toolbar.TNT2.G potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Documents and Settings\Dad\Local Settings\Application Data\TNT2\Profiles\11515\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi.vir Win32/Toolbar.TNT2.G potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files\TNT2\2.0.0.1995\IEToolbar.dll.vir a variant of Win32/Toolbar.TNT2.B potentially unwanted application
    C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi JS/BrowseFox.A potentially unwanted application
    C:\Documents and Settings\Dad\Desktop\Old Firefox Data\r26vc2ze.default\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi Win32/Toolbar.TNT2.G potentially unwanted application
    C:\Documents and Settings\Dad\Local Settings\Application Data\Downloaded Installations\{382B7E08-8EB6-435F-A474-CE7C90770D2D}\rserv34.msi a variant of Win32/RemoteAdmin.RAdmin.AC potentially unsafe application
    C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\2(2)\Plugin(2).exe a variant of Win32/BrowseFox.BT potentially unwanted application
    C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\3(2)\Plugin(2).exe a variant of Win32/BrowseFox.BZ potentially unwanted application
    C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\5(2)\Plugin(2).exe a variant of Win32/BrowseFox.BH potentially unwanted application
    C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\7(2)\Plugin(2).exe a variant of Win32/BrowseFox.BZ potentially unwanted application
    C:\FRST\Quarantine\C\Documents and Settings\All Users\Application Data\3a08aecf-996c-434c-872d-c3768a6d9134\plugins\8(2)\Plugin(2).exe a variant of Win32/BrowseFox.BT potentially unwanted application
    C:\FRST\Quarantine\C\Documents and Settings\Dad\Local Settings\Temp\GLF8.tmp.tbElf_.dll.xBAD a variant of Win32/Toolbar.Conduit.B potentially unwanted application
    C:\FRST\Quarantine\C\Documents and Settings\Dad\Local Settings\Temp\tbWhit.dll.xBAD a variant of Win32/Toolbar.Conduit.P potentially unwanted application
    C:\FRST\Quarantine\C\Program Files\SearchMoreKnow\Extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi JS/BrowseFox.A potentially unwanted application
    C:\FRST\Quarantine\C\Windows\System32\r_server.exe.xBAD Win32/RAdmin.22 potentially unsafe application
    C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
    C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
    C:\sys7y6\GeeGo.exe a variant of Win32/Spy.VB.NWM trojan
    C:\sys7y6\gojoee.exe a variant of Win32/TrojanDropper.VB.ONT trojan
    C:\sys7y6\syswin7u8.exe Win32/BitCoinMiner.W potentially unsafe application
    C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
    C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe a variant of Win32/Spy.VB.NWM trojan
    D:\C_2010_09_04\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\C_2010_09_04\Program Files\XPMedic\XPMedic.exe Win32/Adware.XPMedic application
    D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application
    D:\Downloads\ipscan.exe Win32/NetTool.Portscan.C potentially unsafe application
    D:\Downloads\Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip a variant of Win32/Keygen.EM potentially unsafe application
    D:\Downloads\soldering_desoldering Win32/InstalleRex.M potentially unwanted application
    D:\Downloads\winrarSetup.exe a variant of MSIL/DomaIQ.AB potentially unwanted application
    D:\Downloads\XPMedic_Setup.exe Win32/Adware.XPMedic application
    D:\Downloads\XPMedic_Setup.zip Win32/Adware.XPMedic application
    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe a variant of Win32/Keygen.HC potentially unsafe application
    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe a variant of Win32/Keygen.CW potentially unsafe application
    D:\Downloads\Remote_Administrator\RADMIN22.EXE Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Downloads\Remote_Administrator\radmin22.zip Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe Win32/PrcView potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe Win32/PrcView potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe Win32/Shutdown.NAA potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22de.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22en.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22ru.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application

  8. #8
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,846

    Default

    Should the items found in the last scan be deleted (other than a few on the list I see that I know are ok)?
    We do need to delete out some files that were found. Which ones are you seeing that you know are OK?

    Win32/RAdmin.22 potentially unsafe application
    Remote access degrades your security.

    I see a few Radmin references. Have you intentionally had Radmin remote admin application installed on this machine?

    Remote Administrator v2.2

    Let me point out the difference between Infected: and in most cases Infected: not-a-virus

    Infected: --> When labeled this way no bones about it.....it's infected.
    Infected: not-a-virus/Win32/RemoteAdmin potentially unsafe application --> Here it can become a little bit interesting. We'll use what was found as an example.

    RAdmin.22
    Win32/RemoteAdmin potentially unsafe application:RemoteAdmin.Win32.RAdmin.22 (RAdmin.22 can also be run as a service, which means that you can log in remotely, do some work, and log out again) <--files -- they are always flagged as a "risk" program.

    As long as you use any VCN program responsibly, like any other chat program -- (like not clicking unknown links, not accepting files from unknown people, not giving personal info in chat, etc.) -- it's fine.

    If you did not download and use RAdmin.22, please uninstall this Application.

    Also, if this program was downloaded as a crack with a keygen tool, then it's not OK.

    ~~~~
    This forum, as well as most of the other malware removal forums, does not support the use of illegal software; if I were to continue helping you it could be construed in the eyes of the law as aiding and abetting a crime. In using the crack, the 'cracker' has broken the 'End User Licence Agreement' (EULA) of the product concerned. The distribution and use of cracked software is illegal in almost every developed country. They are also one of the biggest causes of infection. This applies to Cracks, Keygens and Warez.

    Forum Policy
    I strongly suggest you remove any cracked software that is installed.
    We do not approve of nor support illegal software. Cracked software is not only unethical, it's a good way to get your machine infected. Malware and virus authors love to spread their infections via cracks. I recommend you cease this activity and get rid of any cracked software.
    In the future I strongly suggest you stay away from using cracks and/or Keygens. If you want to continue, uninstall all the illegal software that you have downloaded and installed.

    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe a variant of Win32/Keygen
    Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip a variant of Win32/Keygen

    ~~~~~~~~~~~~~

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\extensions\{44c81f55-fe84-4145-8f1c-0da2c7ea8500}.xpi
    C:\Documents and Settings\Dad\Desktop\Old Firefox Data\r26vc2ze.default\extensions\{cf15270e-cf08-4def-b4ea-6a5ac23f3bca}.xpi
    C:\sys7y6\GeeGo.exe
    C:\sys7y6\gojoee.exe
    C:\sys7y6\syswin7u8.exe
    C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe
    D:\Downloads\7zip-setup.exe
    D:\Downloads\ipscan.exe
    D:\Downloads\soldering_desoldering
    D:\Downloads\winrarSetup.exe
    D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~

    Download CKScanner by askey127 from Here & save it to your Desktop.
    • Double-click CKScanner.exe, then click Search For Files
    • When the cursor hourglass disappears, click Save List To File
    • A message box will verify the file saved
    • Please Run this program only once


    Please post these 2 logs when finished with an update on how your computer is now.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
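The triage Juliet walks through above (items already sitting in the AdwCleaner/FRST quarantine folders, outright "Infected" trojans, keygens, and unsafe-but-legitimate tools such as Radmin that the owner has to decide on) can be mechanised. The script below is an added example, not code from this thread, from ESET or from Farbar: it parses ESET Online Scanner result lines in the format posted in reply #7, applies a simplified version of those rules, and renders the "remove" set in the FRST fixlist.txt shape used in the post; the category suffixes and the sample lines are taken from the log above.

```python
import re
from dataclasses import dataclass

# ESET prints one finding per line: <path> [a variant of ]<detection> <category>.
# The four category suffixes below are the ones seen in the posted log; longest
# first so the bare "application" suffix does not swallow the longer ones.
CATEGORIES = (
    "potentially unwanted application",
    "potentially unsafe application",
    "application",
    "trojan",
)
# Quarantine folders of the tools already run in this thread. ESET was told to
# scan archives, so it reports their (already neutralised) contents as well.
QUARANTINE_MARKERS = ("\\adwcleaner\\quarantine\\", "\\frst\\quarantine\\")
_LINE_RE = re.compile(r"^(?P<path>.+?)\s+(?:a variant of\s+)?(?P<name>\S+)$")

# Sample input: lines copied from the ESET log posted above.
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files\TNT2\2.0.0.1995\IEToolbar.dll.vir a variant of Win32/Toolbar.TNT2.B potentially unwanted application
C:\FRST\Quarantine\C\Windows\System32\r_server.exe.xBAD Win32/RAdmin.22 potentially unsafe application
C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
C:\sys7y6\GeeGo.exe a variant of Win32/Spy.VB.NWM trojan
C:\sys7y6\syswin7u8.exe Win32/BitCoinMiner.W potentially unsafe application
D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application
D:\Downloads\XPMedic_Setup.exe Win32/Adware.XPMedic application
D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe a variant of Win32/Keygen.CW potentially unsafe application
"""


@dataclass
class Finding:
    path: str
    name: str       # ESET detection name, e.g. Win32/RAdmin.22
    category: str   # one of CATEGORIES
    verdict: str    # "quarantined", "remove" or "review"


def classify(path: str, name: str, category: str) -> str:
    """Simplified triage rules mirroring the helper's explanation."""
    if any(m in path.lower() for m in QUARANTINE_MARKERS):
        return "quarantined"   # already handled by AdwCleaner/FRST; ignore
    if category == "trojan":
        return "remove"        # "Infected:" -- no bones about it
    if "keygen" in name.lower():
        return "remove"        # cracks/keygens go, per forum policy
    return "review"            # unsafe/unwanted: owner decides (e.g. Radmin)


def parse_eset_log(text: str) -> list[Finding]:
    """Parse ESET result lines; non-matching lines (headers etc.) are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for cat in CATEGORIES:
            if line.endswith(" " + cat):
                head = line[: -len(cat) - 1]
                break
        else:
            continue
        m = _LINE_RE.match(head)
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        findings.append(Finding(path, name, cat, classify(path, name, cat)))
    return findings


def build_fixlist(findings: list[Finding]) -> str:
    """Render the 'remove' verdicts in the fixlist.txt shape used above."""
    paths = [f.path for f in findings if f.verdict == "remove"]
    body = ["start", "CreateRestorePoint:", "CloseProcesses:", *paths,
            "EmptyTemp:", "End"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    results = parse_eset_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:11} {f.name:28} {f.path}")
    print(build_fixlist(results))
```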

  9. #9
    Junior Member
    Join Date
    Jan 2006
    Posts
    29

    Default

    Quote Originally Posted by Juliet View Post
    Which ones are you seeing that you know are OK?
    Have you intentionally had Radmin remote admin application installed on this machine?
    If you did not download and use RAdmin.22, please uninstall this Application.
    Also, if this program was downloaded as a cracked with keygen tool, then it's not OK.
    If you want to continue, uninstall all the illegal software that you have downloaded and installed.
    Juliet,

    Thank you for your help and guidance to date.

    As to which ones I am seeing that I know is ok... I have reviewed the eSet scan output. I have edited and deleted all output for files/programs that I either don't know about or can be deleted. There are three areas that are left:

    1) The following are part of another PC for back up purposes only. They are not installed on my PC. They are all properly licensed software on that PC. They are present for backup purposes only. I know there are other PC & hard drive back up methods. For this particular situation, this is the easiest & fastest method. If you feel this is still not appropriate, I will remove them. But otherwise, I would like to save them.

    D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe Win32/PrcView potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe Win32/PrcView potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe Win32/Shutdown.NAA potentially unsafe application

    2) I could be mistaken on this, but as best I can recall, this is a properly licensed/paid for application with a non-cracked key. I would like to keep it. However, if you see evidence otherwise, let me know and I will remove.

    D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application

    3) All below refer to Remote Administrator and Radmin. One is an upgraded version of another (I don't recall which is which). This is how I connect remotely to my work. This was provided by my work and should be a licensed legal version. If it's not, I plead ignorance, as I just followed instructions from my company.

    C:\Documents and Settings\Dad\Local Settings\Application Data\Downloaded Installations\{382B7E08-8EB6-435F-A474-CE7C90770D2D}\rserv34.msi a variant of Win32/RemoteAdmin.RAdmin.AC potentially unsafe application
    C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
    C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
    C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
    D:\C_2010_09_04\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Downloads\Remote_Administrator\RADMIN22.EXE Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Downloads\Remote_Administrator\radmin22.zip Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22de.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22en.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22ru.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application

    As to illegal software, it appears the only thing you listed was PowerDVD. I checked and while that install download is obviously present on my PC, the software is not installed. This can and should be deleted.

    I did not run the scans & fixes you selected just yet. I definitely would like to continue and will be glad to run the steps you outlined. I wanted to present my feedback in case you needed to change the FRST fix file based on my feedback. Please consider and advise. Thanks,

    Joe

  10. #10
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,846

    Default

    2) I could be mistaken on this, but as best I can recall, this is a properly licensed/paid for application with a non-cracked key. I would like to keep it. However, if you see evidence otherwise, let me know and I will remove.

    D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application
    7zip is fine, but what it may have alerted to is that when it was downloaded it is very possible to have been bundled with adware.
    The scan is also set to alert for detection of potentially unwanted applications.
    Detection of potentially unwanted applications is optional, as they don't pose a threat unless the adware/malware that could have been downloaded with the install was not deleted.

    Remote Administrator and Radmin. One is an upgraded version of another (I don't recall which is which). This is how I connect remotely to my work. This was provided by my work and should be a licensed legal version. If it's not, I plead ignorance, as I just followed instructions from my company.
    Correct. And I gave the warning of potentials related to these type of remote connection tools.

    RAdmin.22 VCN program
    As long as you use any VCN program responsibly, like any other chat program -- (like not clicking unknown links, not accepting files from unknown people, not giving personal info in chat, etc.) -- it's fine.

    If you did not download and use RAdmin.22, please uninstall this Application.
    Now, what we have left to remove leaves me a bit confused, but let's try to continue.

    If you see a file in the list you think should be removed, I leave that up to you.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail) (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


    start
    CreateRestorePoint:
    CloseProcesses:
    C:\sys7y6\GeeGo.exe
    C:\sys7y6\gojoee.exe
    C:\sys7y6\syswin7u8.exe
    C:\winxz100598228412mkeo\100598228412mkeo\100598228412mkeo.exe
    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key -.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
