
Thread: PC hi-jacked (again)

  1. #1
    Junior Member (Join Date: Jan 2006, Posts: 29)

    PC hi-jacked (again)

    On a Windows XP machine. The problem is an internet browser home page hi-jack. Problems started when I downloaded what I thought was a safe MS Excel template, about 4 PM (Central), 1-12-2016.

    Below are the three requested logs, in order:

    FRST.txt
    Addition.txt
    aswMBR.txt

    Any questions or actions to take, please let me know. Please help. Thank you,

    Joe

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:10-01-2015 01
    Ran by Dad (administrator) on JOE (12-01-2016 17:20:35)
    Running from C:\Documents and Settings\Dad\Desktop\virus-fix
    Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
    Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
    Internet Explorer Version 8 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
    (AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    (Google Inc.) C:\Program Files\Google\Update\1.3.29.1\GoogleCrashHandler.exe
    (Teruten) C:\WINDOWS\system32\FsUsbExService.Exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    (TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    (Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
    (Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
    (Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
    (AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    (Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
    (Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
    (Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe


    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19523616 2010-05-07] (Realtek Semiconductor Corp.)
    HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Alwil Software\Avast5\AvastUI.exe [7021880 2015-12-16] (AVAST Software)
    HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Run: [treader.exe] => C:\Program Files\AT&T tReader\treader.exe [1304576 2007-10-23] ()
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [721504 2015-09-02] (Microsoft Corporation)
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\scrnsave.scr [9216 2008-04-13] (Microsoft Corporation)
    ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Documents and Settings\All Users\Application Data\MEGAsync\ShellExtX32.dll No File
    ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Documents and Settings\All Users\Application Data\MEGAsync\ShellExtX32.dll No File
    ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Documents and Settings\All Users\Application Data\MEGAsync\ShellExtX32.dll No File
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Alwil Software\Avast5\ashShell.dll [2015-12-16] (AVAST Software)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.88.1
    Tcpip\..\Interfaces\{2C5F3C20-16B4-4DFC-A15E-75825F4A8998}: [DhcpNameServer] 192.168.88.1

    Internet Explorer:
    ==================
    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
    SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-968125b7&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-968125b7&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-968125b7&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {fcd9f10e-0daa-405f-bca0-0dd3f37c59d9} URL =
    BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-18] (Microsoft Corporation)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_60\bin\ssv.dll [2015-09-16] (Oracle Corporation)
    BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll [2015-12-16] (AVAST Software)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-16] (Oracle Corporation)
    BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll => No File
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} hxxps://gassl10.vpn.att.com/+CSCOL+/relayp.cab
    DPF: {538793D5-659C-4639-A56C-A179AD87ED44} hxxps://missl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} hxxps://usmiclient.vpn.att.com/CACHE/stc/3/binaries/vpnweb.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
    DPF: {A5A5E1FF-FFEF-3FEF-B592-C6D194F4383F} hxxps://gassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
    DPF: {CAFEEFAC-0017-0000-0045-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_45-windows-i586.cab
    DPF: {CAFEEFAC-0018-0000-0025-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_25-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} hxxps://gassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll [2011-08-10] (Belarc, Inc.)
    Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\itss.dll [2005-05-26] (Microsoft Corporation)
    Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\itss.dll [2005-05-26] (Microsoft Corporation)

    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296
    FF DefaultSearchEngine: Default
    FF DefaultSearchEngine.US: Google
    FF SelectedSearchEngine: Default
    FF Homepage: hxxp://www.bing.com/search?FORM=INCOH1&PC=IC04&PTAG=ICO-968125b7
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_20_0_0_267.dll [2015-12-29] ()
    FF Plugin: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-09-16] (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-16] (Oracle Corporation)
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
    FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
    FF Plugin HKU\S-1-5-21-1390067357-926492609-839522115-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\Dad\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2014-08-27] (Citrix Online)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\browser\plugins\npatgpc.dll [2015-02-04] (Cisco WebEx LLC)
    FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Dad\Application Data\mozilla\plugins\npatgpc.dll [2015-02-04] (Cisco WebEx LLC)
    FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\Dad\Application Data\mozilla\plugins\npMeetingJoinPluginAOCUser.dll [2014-05-01] ()
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-11-06] [not signed]
    FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
    FF Extension: Avast Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2015-12-16]
    FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\Alwil Software\Avast5\SafePrice\FF
    FF Extension: Avast SafePrice - C:\Program Files\Alwil Software\Avast5\SafePrice\FF [2015-12-16]

    Chrome:
    =======
    CHR HomePage: Default -> hxxp://www.bing.com/search?FORM=INCOH1&PC=IC03&PTAG=ICO-968125b7
    CHR StartupUrls: Default -> "hxxp://www.bing.com/search?FORM=INCOH1&PC=IC03&PTAG=ICO-968125b7"
    CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=INCOH2&PC=IC03&PTAG=ICO-968125b7&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> Search Provided by Bing.com
    CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
    CHR Profile: C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default
    CHR Extension: (Avast Online Security) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-11-05]
    CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Dad\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-11-09]
    CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2015-12-16]

    ==================== Services (Whitelisted) ========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [226440 2015-12-16] (AVAST Software)
    S4 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
    S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
    R2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [560528 2014-03-12] (Cisco Systems, Inc.)
    S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

    ===================== Drivers (Whitelisted) ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 acsint; C:\WINDOWS\System32\DRIVERS\acsint.sys [40304 2014-03-12] (Cisco Systems, Inc.)
    S3 acsmux; C:\WINDOWS\System32\DRIVERS\acsmux.sys [58736 2014-03-12] (Cisco Systems, Inc.)
    S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
    R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24016 2015-12-16] (AVAST Software)
    R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [81168 2015-12-18] (AVAST Software)
    R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55200 2015-12-16] (AVAST Software)
    R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49776 2015-12-16] (AVAST Software)
    R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [794952 2015-12-16] (AVAST Software)
    R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [436360 2015-12-18] (AVAST Software)
    R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [165104 2015-12-16] (AVAST Software)
    S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [58016 2015-12-16] (AVAST Software)
    R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [209432 2015-12-16] (AVAST Software)
    R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2011-08-09] () [File not signed]
    S3 CVirtA; C:\WINDOWS\System32\DRIVERS\CVirtA.sys [5315 2005-05-17] (Cisco Systems, Inc.)
    S4 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
    R3 FsUsbExDisk; C:\WINDOWS\system32\FsUsbExDisk.SYS [36608 2010-06-14] () [File not signed]
    R2 giveio; C:\WINDOWS\system32\drivers\giveio.sys [5248 1996-05-13] () [File not signed]
    S3 HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [907456 2001-08-17] (Conexant)
    R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
    S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2015-11-05] (Malwarebytes)
    S3 mcdbus; C:\WINDOWS\System32\DRIVERS\mcdbus.sys [116736 2009-02-24] (MagicISO, Inc.) [File not signed]
    S3 mirrorv3; C:\WINDOWS\System32\DRIVERS\rminiv3.sys [3328 2010-04-21] (Famatech International Corp.)
    S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
    R1 oxmf; C:\WINDOWS\System32\DRIVERS\oxmf.sys [15779 2003-06-26] (Lite-On Technology Corporation.)
    S3 Oxmfuf; C:\WINDOWS\System32\DRIVERS\oxmfuf.sys [5111 2003-06-26] (Lite-On Technology Corporation.)
    R1 oxpar; C:\WINDOWS\System32\DRIVERS\oxpar.sys [76800 2003-12-25] (Lite-On Technology Corporation.)
    S1 oxser; C:\WINDOWS\System32\DRIVERS\oxser.sys [51269 2003-06-26] (Lite-On Technology Corporation.)
    S2 RadPciNT; C:\WINDOWS\system32\Drivers\RadPciNT.sys [9417 2000-04-24] (MediaForte Products Pte. Ltd.) [File not signed]
    R2 ScFBPNT; C:\WINDOWS\system32\drivers\ScFBPNT.SYS [16288 2000-02-08] () [File not signed]
    R3 teamviewervpn; C:\WINDOWS\System32\DRIVERS\teamviewervpn.sys [25088 2012-11-28] (TeamViewer GmbH)
    S2 USBRADIO; C:\WINDOWS\System32\Drivers\USBRADIO.sys [49444 2000-03-31] (GemTek Technology Co. LTD.) [File not signed]
    R3 WmBEnum; C:\WINDOWS\System32\drivers\WmBEnum.sys [22856 2010-04-27] (Logitech Inc.)
    S3 WmFilter; C:\WINDOWS\System32\drivers\WmFilter.sys [37704 2010-04-27] (Logitech Inc.)
    S3 WmVirHid; C:\WINDOWS\System32\drivers\WmVirHid.sys [15048 2010-04-27] (Logitech Inc.)
    R3 WmXlCore; C:\WINDOWS\System32\drivers\WmXlCore.sys [66632 2010-04-27] (Logitech Inc.)
    S3 avpnnic; system32\DRIVERS\avpnnic.sys [X]
    S3 eapihdrv; \??\C:\DOCUME~1\Dad\LOCALS~1\Temp\ehdrv.sys [X]
    S4 IntelIde; no ImagePath
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 UIUSys; system32\DRIVERS\UIUSYS.SYS [X]
    S3 vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys [X]
    U1 WS2IFSL; no ImagePath

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-01-12 17:20 - 2016-01-12 17:20 - 00000000 ____D C:\FRST
    2016-01-12 17:10 - 2016-01-12 17:09 - 00069908 ____H C:\WINDOWS\Minidump\Mini011216-01.dmp
    2016-01-12 17:08 - 2016-01-12 17:08 - 00000000 ____D C:\RegBackup
    2016-01-12 17:07 - 2016-01-12 17:07 - 00015884 _____ C:\WINDOWS\Tweaking.com - Registry Backup Setup Log.txt
    2016-01-12 17:07 - 2016-01-12 17:07 - 00001876 _____ C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
    2016-01-12 17:07 - 2016-01-12 17:07 - 00000000 ____D C:\Program Files\Tweaking.com
    2016-01-12 17:07 - 2016-01-12 17:07 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
    2016-01-12 16:55 - 2016-01-12 17:20 - 00000000 ____D C:\Documents and Settings\Dad\Desktop\virus-fix
    2016-01-12 16:28 - 2016-01-12 16:28 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Application Data\IsolatedStorage
    2016-01-12 16:27 - 2016-01-12 16:31 - 00000000 ____D C:\Program Files\Common Files\COMODO
    2016-01-12 16:26 - 2016-01-12 16:29 - 00000000 __HDC C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}
    2016-01-12 16:26 - 2016-01-12 16:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\COMODO
    2016-01-12 16:26 - 2016-01-12 16:26 - 00000000 ____D C:\Program Files\COMODO
    2016-01-11 20:24 - 2016-01-11 20:24 - 00000808 _____ C:\Documents and Settings\All Users\Desktop\Full Flush Poker 8.2.lnk
    2016-01-11 11:18 - 2016-01-11 11:18 - 00000124 _____ C:\Documents and Settings\Dad\Desktop\Postage.url
    2016-01-06 20:51 - 2016-01-07 06:50 - 00000000 ____D C:\Program Files\Mozilla Firefox
    2015-12-21 21:14 - 2015-12-21 21:14 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Application Data\Mega Limited
    2015-12-16 06:00 - 2015-12-16 06:00 - 00322760 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
    2015-12-16 06:00 - 2015-12-16 06:00 - 00043112 _____ (AVAST Software) C:\WINDOWS\avastSS.scr

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2016-01-12 17:21 - 2010-09-05 12:30 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Temp
    2016-01-12 17:20 - 2010-09-05 03:50 - 00000000 ____D C:\WINDOWS
    2016-01-12 17:13 - 2014-08-27 15:56 - 00000510 _____ C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1390067357-926492609-839522115-1003.job
    2016-01-12 17:12 - 2012-07-11 15:38 - 00000366 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
    2016-01-12 17:11 - 2014-06-04 19:57 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2016-01-12 17:11 - 2014-03-06 22:25 - 00000218 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
    2016-01-12 17:11 - 2001-08-23 06:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
    2016-01-12 17:10 - 2011-09-12 16:05 - 00000000 ____D C:\WINDOWS\Minidump
    2016-01-12 17:10 - 2010-09-05 12:28 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2016-01-12 17:01 - 2014-06-04 19:57 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2016-01-12 16:55 - 2013-10-30 15:41 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
    2016-01-12 16:39 - 2015-05-30 10:25 - 00000606 _____ C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1390067357-926492609-839522115-1003.job
    2016-01-11 23:20 - 2014-10-02 17:46 - 00131072 _____ C:\WINDOWS\system32\config\OAlerts.evt
    2016-01-11 23:20 - 2013-06-30 21:56 - 03997696 _____ C:\WINDOWS\system32\config\ACVPN.evt
    2016-01-11 23:20 - 2010-09-05 12:30 - 00000178 ___SH C:\Documents and Settings\Dad\ntuser.ini
    2016-01-11 23:20 - 2010-09-05 12:28 - 00032632 _____ C:\WINDOWS\SchedLgU.Txt
    2016-01-11 15:39 - 2015-02-17 22:36 - 00000000 ____D C:\Program Files\PokerStars
    2016-01-08 15:00 - 2014-03-06 22:25 - 00000212 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
    2016-01-08 05:57 - 2014-06-03 20:55 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
    2016-01-02 22:55 - 2013-10-30 15:41 - 00796864 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
    2016-01-02 22:55 - 2013-10-30 15:41 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    2015-12-25 23:32 - 2010-09-05 12:30 - 00000000 ____D C:\Documents and Settings\Dad
    2015-12-18 13:53 - 2013-03-19 15:16 - 00081168 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswmonflt.sys
    2015-12-18 13:53 - 2010-09-11 08:31 - 00436360 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsp.sys
    2015-12-16 13:40 - 2010-12-25 19:01 - 00000000 ____D C:\Documents and Settings\Dad\Local Settings\Application Data\WinZip
    2015-12-16 13:38 - 2014-04-02 18:48 - 00001688 _____ C:\Documents and Settings\All Users\Start Menu\BetOnline Poker 8.2.lnk
    2015-12-16 13:38 - 2014-04-02 18:32 - 00000000 ____D C:\Program Files\BetOnline Poker 8.2
    2015-12-16 06:39 - 2010-09-05 03:50 - 00000000 ___HD C:\WINDOWS\inf
    2015-12-16 06:00 - 2015-08-11 21:04 - 00165104 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
    2015-12-16 06:00 - 2014-05-28 16:16 - 00024016 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
    2015-12-16 06:00 - 2013-03-19 15:16 - 00209432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
    2015-12-16 06:00 - 2013-03-19 15:16 - 00049776 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
    2015-12-16 06:00 - 2010-09-11 08:31 - 00058016 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
    2015-12-16 06:00 - 2010-09-11 08:31 - 00055200 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
    2015-12-16 05:59 - 2011-11-30 16:40 - 00794952 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys

    ==================== Files in the root of some directories =======

    2011-12-28 11:20 - 2011-12-28 11:20 - 0002528 _____ () C:\Documents and Settings\Dad\Application Data\$_hpcst$.hpc
    2011-12-14 17:16 - 2014-11-15 15:53 - 0003584 _____ () C:\Documents and Settings\Dad\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

    Some files in TEMP:
    ====================
    C:\Documents and Settings\Dad\Local Settings\Temp\Full Flush Poker Updater.exe


    ==================== Bamital & volsnap =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End of FRST.txt ============================

    Additional scan result of Farbar Recovery Scan Tool (x86) Version:10-01-2015 01
    Ran by Dad (2016-01-12 17:22:15)
    Running from C:\Documents and Settings\Dad\Desktop\virus-fix
    Microsoft Windows XP Professional Service Pack 3 (X86) (2010-09-05 18:17:31)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-1390067357-926492609-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
    ASPNET (S-1-5-21-1390067357-926492609-839522115-1006 - Limited - Enabled)
    Dad (S-1-5-21-1390067357-926492609-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Dad
    Guest (S-1-5-21-1390067357-926492609-839522115-501 - Limited - Enabled)
    HelpAssistant (S-1-5-21-1390067357-926492609-839522115-1000 - Limited - Disabled)
    SUPPORT_388945a0 (S-1-5-21-1390067357-926492609-839522115-1002 - Limited - Disabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    7-Zip 4.65 (HKLM\...\7-Zip) (Version: - )
    Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.270 - Adobe Systems Incorporated)
    Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.267 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
    Arcade Tournament Manager (HKLM\...\{E27E085D-DAEE-41D1-B047-42DC8A01F545}) (Version: 1.7.4.0 - Danesi Designs)
    ArcSoft Camera Suite (HKLM\...\{4677AAF8-8D7A-4EE2-BCE4-0068BB052353}) (Version: - )
    Arduino (HKLM\...\Arduino) (Version: 1.6.3 - Arduino LLC)
    AT&T Connect Participant Application v9.5.51 (HKLM\...\{E42E8753-9A8E-48E9-9829-B3571D91A945}) (Version: 9.5.51 - AT&T Inc.)
    Avast Free Antivirus (HKLM\...\avast) (Version: 11.1.2245 - AVAST Software)
    Belarc Advisor 8.2 (HKLM\...\Belarc Advisor) (Version: 8.2.6.0 - Belarc Inc.)
    BetOnline Poker 8.2 (HKLM\...\BetOnline Poker 8.2) (Version: 8.2.12.201511170400 - Hero Poker Network)
    Camera Window (Version: 4.0 - Canon) Hidden
    Canon Camera WIA Driver (Version: 5.0.0 - Canon) Hidden
    Canon Camera Window for ZoomBrowser EX (HKLM\...\InstallShield_{2D6BDF3A-6BDB-4169-909F-E882F23AB795}) (Version: 4.0 - Canon)
    Canon PhotoRecord (HKLM\...\PhotoRecord) (Version: - )
    Canon PowerShot S45 WIA Driver (HKLM\...\InstallShield_{25E671BE-87A0-40F1-ABE5-BCBC6E65B0F5}) (Version: 5.0.0 - Canon)
    Canon Utilities FileViewerUtility 1.0 (HKLM\...\InstallShield_{0627E8E9-6822-4A5E-9225-286741CDC3E4}) (Version: 1.0 - Canon)
    Canon Utilities PhotoStitch 3.1 (HKLM\...\InstallShield_{A3E0FF15-90D5-40CD-8565-B80A433B0D4C}) (Version: 3.1.8 - Canon)
    Canon Utilities RemoteCapture 2.6 (HKLM\...\InstallShield_{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}) (Version: 2.6.0 - Your Company Name)
    Canon Utilities ZoomBrowser EX (HKLM\...\{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}) (Version: 04.00.00024 - CISRA)
    Catan Online World (HKLM\...\Catan Online Welt) (Version: 3.728 - Catan GmbH)
    Cisco AnyConnect Secure Mobility Client (HKLM\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.05160 - Cisco Systems, Inc.)
    Cisco AnyConnect Secure Mobility Client (Version: 3.1.05160 - Cisco Systems, Inc.) Hidden
    Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
    Citrix Online Launcher (HKLM\...\{3D5F07C3-1B93-47F8-9F8A-DE8E47BF1669}) (Version: 1.0.209 - Citrix)
    Data Fax SoftModem with SmartCP (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1) (Version: - )
    FileViewerUtility 1.0 (Version: 1.0 - Canon) Hidden
    Full Flush Poker 8.2 (HKLM\...\Full Flush Poker 8.2) (Version: 8.2.12.201509140800 - Full Flush Poker)
    Google Chrome (HKLM\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)
    Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
    Google Update Helper (Version: 1.3.29.1 - Google Inc.) Hidden
    GoToMeeting 7.8.1.4190 (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\GoToMeeting) (Version: 7.8.1.4190 - CitrixOnline)
    H&R Block Deluxe + Efile + State 2014 (HKLM\...\{BDA77C08-60A6-4AAB-B5A9-849ECF399A49}) (Version: 14.05.7401 - HRB Technology, LLC.)
    H&R Block Illinois 2014 (HKLM\...\{1B7D02B3-464B-4870-83AF-9FC76A8C8554}) (Version: 1.14.3401 - HRB Technology, LLC.)
    High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
    Image Resizer Powertoy for Windows XP (HKLM\...\{1CB92574-96F2-467B-B793-5CEB35C40C29}) (Version: 1.00.0001 - Microsoft Corporation)
    Intel(R) Graphics Media Accelerator Driver (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.10.5273 - Intel Corporation)
    Java 8 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218060F0}) (Version: 8.0.600.27 - Oracle Corporation)
    Juniper Networks Host Checker (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Neoteris_Host_Checker) (Version: 7.1.0.18193 - Juniper Networks)
    Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\Juniper_Setup_Client) (Version: 7.1.2.10059 - Juniper Networks, Inc.)
    Juniper Networks, Inc. Setup Client Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
    LivePix 1.1 SE (HKLM\...\LivePix) (Version: - )
    Logitech Gaming Software 5.10 (HKLM\...\{60D32CDC-E3BE-4578-BA10-29322307CDDC}) (Version: 5.10.127 - Logitech)
    MagicDisc 2.7.106 (HKLM\...\MagicDisc 2.7.106) (Version: - )
    Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
    Max Loader 4.6r (HKLM\...\Max Loader_is1) (Version: - EETools, Inc.)
    MeasureUp Certification Preparation (HKLM\...\InstallShield_{B9DF865A-C1BD-4DFD-9FF5-9CA5C6E23415}) (Version: 10.03 - MeasureUp Inc.)
    MeasureUp Practice Tests (HKLM\...\InstallShield_{1B53F089-10BA-4538-B977-8CF8A5343E04}) (Version: 10.03 - MeasureUp Inc.)
    MeasureUp Practice Tests (Version: 10.03 - MeasureUp Inc.) Hidden
    MEET MANAGER 2.0 for Swimming (HKLM\...\{7CE480FF-5B49-490E-BC18-1C663ECC0B61}) (Version: 1.00.0001 - Sports-Tek Software)
    MEET MANAGER 3.0 for Swimming (HKLM\...\{ED1D569E-3DA4-4D59-A1C2-80DFF72C962F}) (Version: 1.00.0001 - HY-TEK Sports Software)
    Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
    Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
    Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
    Microsoft Lync 2010 Attendee (HKLM\...\{6F72D695-5188-4484-B21E-E16CD89C4008}) (Version: 4.0.7577.4446 - Microsoft Corporation)
    Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
    Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUSR) (Version: 14.0.7015.1000 - Microsoft Corporation)
    Microsoft Office Visio 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{CE144BF4-4950-4CDB-A5F7-CCE1888F49CB}) (Version: - Microsoft)
    Microsoft Office Visio Professional 2007 (HKLM\...\VISPRO) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft Text-to-Speech Engine 4.0 (English) (HKLM\...\MSTTS) (Version: - )
    Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
    mIRC (HKLM\...\mIRC) (Version: - )
    Mozilla Firefox 43.0.4 (x86 en-US) (HKLM\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
    Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
    MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
    Password Safe 1.7.1 (HKLM\...\{9886C963-FB48-4C58-8E75-64816F220D1D}) (Version: 1.7.1 - SBC)
    Pdf995 (installed by H&R Block) (HKLM\...\Pdf995) (Version: - )
    PdfEdit995 (installed by H&R Block) (HKLM\...\PdfEdit995) (Version: - )
    PhotoStitch (Version: 3.1.8 - Canon) Hidden
    PokerStars (HKLM\...\PokerStars) (Version: - PokerStars)
    Radiator (remove only) (HKLM\...\Radiator) (Version: - )
    Radmin Viewer 3.4 (HKLM\...\{2517B7EA-6C03-4D86-A1B1-F3FE1C3BC03B}) (Version: 3.41.0000 - Famatech)
    REALTEK GbE & FE Ethernet PCI-E NIC Driver (HKLM\...\{C9BED750-1211-4480-B1A5-718A3BE15525}) (Version: 1.30.0000 - Realtek)
    Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6106 - Realtek Semiconductor Corp.)
    Remote Administrator v2.2 (HKLM\...\Remote Administrator v2.2) (Version: - )
    RemoteCapture 2.6 (Version: 2.6.0 - Your Company Name) Hidden
    Revo Uninstaller Pro 2.5.9 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 2.5.9 - VS Revo Group, Ltd.)
    Samsung New PC Studio (HKLM\...\InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}) (Version: 1.00.0000 - Samsung Electronics Co., Ltd.)
    Samsung New PC Studio (Version: 1.00.0000 - Samsung Electronics Co., Ltd.) Hidden
    SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.3.650.0 - SAMSUNG Electronics Co., Ltd.)
    Savings Bond Wizard (HKLM\...\Savings Bond Wizard) (Version: - )
    ScanCraft CS-P (HKLM\...\ScanCraft CS-P) (Version: - )
    SecureAuthOTP (HKLM\...\{21CBD08B-1E83-4D4B-B1FE-BB5424245BB5}) (Version: 1.11.0000 - SecureAuth)
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
    SketchUp 2013 (HKLM\...\{B75BC01B-4586-43F8-9349-D250DB98F26F}) (Version: 13.0.4812 - Trimble Navigation Limited)
    SketchUp 2014 (HKLM\...\{A608A8D3-E77C-4BEE-8F2A-F8124F5F0FE2}) (Version: 14.0.4900 - Trimble Navigation Limited)
    SmartFTP Client 2.0 (HKLM\...\{C169D3BB-9A27-43F5-9979-09A0D65FE95C}) (Version: 2.0.1000 - SmartFTP)
    SmartFTP Client 2.0 Setup Files (remove only) (HKLM\...\SmartFTP Client 2.0 Setup Files) (Version: "2.0" - "SmartFTP")
    Snagit 10 (HKLM\...\{5BCC634A-58AD-42F9-B3C6-2EA52F81CF85}) (Version: 10.0.0 - TechSmith Corporation)
    Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
    StudioLine Photo (HKLM\...\StudioLine Photo) (Version: - )
    TeamViewer 8 (HKLM\...\TeamViewer 8) (Version: 8.0.16642 - TeamViewer)
    Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.3.1 - Tweaking.com)
    Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
    VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
    WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
    Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
    Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
    Windows Management Framework Core (HKLM\...\KB968930) (Version: - Microsoft Corporation)
    Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
    Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
    Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
    Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
    WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )
    WinZip 15.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BE}) (Version: 15.0.9302 - WinZip Computing, S.L. )

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{01E0A80A-97FD-4FC2-B75D-C754396CD255}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{0BBFE402-CCA1-4f64-9322-13B66D841049}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{156B30E4-2D3D-4257-A340-9BDD2E972E2E}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\Video2ActiveXWnd.ocx ()
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{2115F58A-CE09-47CC-A0B1-A8A2EC0C5423}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{25D005BF-FE63-4cce-AA25-CE952B1D9381}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{638B203F-8FB6-49ec-A139-AB8C530F0CAB}\MSPowerPoint.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{48A60FE8-C446-4371-95EB-258B14DCC5AC}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{54050FBB-F2AE-404b-8BFD-7EE3EC784A52}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{18AA4E21-D540-4a3a-9F9F-E6DE33D6F253}\MSExcel.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{5A31DC2C-BC50-4F71-93B8-2EC648404AF3}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\Video2ActiveXWnd.ocx ()
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{6B1948B3-9547-42F8-9B37-7AA9768134C4}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{7949C823-54C6-40F0-8D85-2348247E6820}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Utilities\IWMaterials.ocx (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{795B06EA-58E8-482C-AF11-A7E4E34DA16F}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{7A162288-DE78-473C-A6BA-23FF17F768E9}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1440\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{88BE9158-3A40-4907-B2F0-7E72496A9596}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{8A3C5585-D1ED-4EC0-B3C4-94998094E5BB}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{8CC82228-2200-4D22-9859-B762582F6D31}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\InstallDetect8557.OCX (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{CC9F903E-1C4B-4596-B410-982107EC4899}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{DE471660-5535-47A8-949A-9DA95A72951F}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Utilities\IWMaterials.ocx (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{E169D2B5-9411-47B9-A473-345A3FB57090}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\AxWebInstaller8750.ocx (Interwise)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{F4A2332C-B453-4424-A142-AB9C51BAE2AF}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\ScheduleEvent.dll (AT&T Inc.)
    CustomCLSID: HKU\S-1-5-21-1390067357-926492609-839522115-1003_Classes\CLSID\{F8ACB9F2-2A7D-4261-AA37-A39448C23CAE}\InprocServer32 -> C:\Documents and Settings\Dad\Local Settings\Application Data\ATT Connect\Participant\dsoframer.ocx (AT&T Inc.)

    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\Alwil Software\Avast5\AvastEmUpdate.exe
    Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1390067357-926492609-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\4190\g2mupdate.exe
    Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-1390067357-926492609-839522115-1003.job => C:\Program Files\Citrix\GoToMeeting\4190\g2mupload.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2014-03-12 14:53 - 2014-03-12 14:53 - 00063376 _____ () C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\zlib1.dll
    2015-05-28 20:06 - 2015-12-16 06:00 - 00103888 _____ () C:\Program Files\Alwil Software\Avast5\log.dll
    2015-05-28 20:06 - 2015-12-16 06:00 - 00125512 _____ () C:\Program Files\Alwil Software\Avast5\JsonRpcServer.dll
    2016-01-12 13:57 - 2016-01-12 13:57 - 02822144 _____ () C:\Program Files\Alwil Software\Avast5\defs\16011200\algo.dll
    2015-12-16 06:00 - 2015-12-16 06:00 - 00469008 _____ () C:\Program Files\Alwil Software\Avast5\ffl2.dll
    2013-09-04 23:14 - 2013-09-04 23:14 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
    2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2012-05-23 16:05 - 2009-08-16 16:06 - 00141312 _____ () C:\Program Files\WinRAR\rarext.dll
    2015-08-10 06:47 - 2015-08-10 06:47 - 00036864 _____ () C:\WINDOWS\system32\pdf995mon.dll
    2013-02-17 21:21 - 2012-11-28 11:50 - 00018856 _____ () C:\WINDOWS\System32\spool\PRTPROCS\W32X86\TeamViewer_PrintProcessor.dll
    2015-03-13 16:23 - 2015-12-16 06:00 - 40539648 _____ () C:\Program Files\Alwil Software\Avast5\libcef.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

    ==================== EXE Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)

    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\att.com -> hxxps://*.vpn.att.com
    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\fixme.it -> hxxps://fixme.it
    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\fujitsu.com -> hxxps://sslvpn2.fai.fujitsu.com
    IE trusted site: HKU\S-1-5-21-1390067357-926492609-839522115-1003\...\measureup.com -> measureup.com

    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2001-08-23 06:00 - 2015-11-04 20:10 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    127.0.0.1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-1390067357-926492609-839522115-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    DNS Servers: 192.168.88.1
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    (Currently there is no automatic fix for this section.)


    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    StandardProfile\AuthorizedApplications: [C:\Program Files\mIRC\mirc.exe] => Enabled:mIRC
    StandardProfile\AuthorizedApplications: [C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe] => Enabled:SmartFTP Client 2.0
    StandardProfile\AuthorizedApplications: [C:\Hy-Sport\SwMM2\SwimMM2.exe] => Enabled:Swim Meet Manager
    StandardProfile\AuthorizedApplications: [D:\C_2010_09_04\Program Files\mIRC\mirc.exe] => Enabled:mIRC
    StandardProfile\AuthorizedApplications: [C:\Program Files\NetAcquire\NetAcquire.exe] => Enabled:Play the Acquire board game on the Internet.
    StandardProfile\AuthorizedApplications: [C:\Program Files\AT&T Global Network Client\SwiApiMux.exe] => Enabled:SwiApiMux
    StandardProfile\AuthorizedApplications: [C:\Program Files\Samsung\Samsung New PC Studio\npsasvr.exe] => Enabled:KTF MUSIC AoD Server
    StandardProfile\AuthorizedApplications: [C:\Program Files\Samsung\Samsung New PC Studio\npsvsvr.exe] => Enabled:KTF MUSIC VoD Server
    StandardProfile\AuthorizedApplications: [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] => Enabled:Yahoo! Messenger
    StandardProfile\AuthorizedApplications: [D:\Program Files\Savings Bond Wizard\SBWizard.exe] => Enabled:Savings Bond Wizard
    StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version8\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
    StandardProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe] => Enabled:Teamviewer Remote Control Service
    StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
    StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\GROOVE.EXE] => Enabled:Microsoft SharePoint Workspace
    StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\ONENOTE.EXE] => Enabled:Microsoft OneNote
    StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
    StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft Lync Attendee\AttendeeCommunicator.exe] => Enabled:Lync Attendee
    StandardProfile\AuthorizedApplications: [C:\Program Files\Arduino\java\bin\javaw.exe] => Enabled:Java(TM) Platform SE binary
    StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
    DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
    DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
    DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
    DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
    StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
    StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
    StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
    StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
    StandardProfile\GloballyOpenPorts: [5985:TCP] => Disabled:Windows Remote Management
    StandardProfile\GloballyOpenPorts: [80:TCP] => Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
    StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
    StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008

    ==================== Restore Points =========================

    14-10-2015 15:08:02 System Checkpoint
    15-10-2015 15:09:19 System Checkpoint
    17-10-2015 07:10:13 System Checkpoint
    18-10-2015 07:58:04 System Checkpoint
    19-10-2015 08:53:12 System Checkpoint
    20-10-2015 09:00:04 System Checkpoint
    21-10-2015 09:32:27 System Checkpoint
    22-10-2015 19:48:01 System Checkpoint
    24-10-2015 08:14:38 System Checkpoint
    24-10-2015 13:56:12 Software Distribution Service 3.0
    25-10-2015 07:23:03 Software Distribution Service 3.0
    25-10-2015 07:25:08 Software Distribution Service 3.0
    25-10-2015 07:35:03 Software Distribution Service 3.0
    25-10-2015 07:53:53 Software Distribution Service 3.0
    25-10-2015 08:26:12 Software Distribution Service 3.0
    25-10-2015 08:39:05 Software Distribution Service 3.0
    25-10-2015 21:47:11 Software Distribution Service 3.0
    26-10-2015 05:25:03 Software Distribution Service 3.0
    26-10-2015 17:13:54 Software Distribution Service 3.0
    27-10-2015 17:23:22 System Checkpoint
    28-10-2015 17:50:16 System Checkpoint
    29-10-2015 18:35:42 System Checkpoint
    31-10-2015 11:55:54 System Checkpoint
    01-11-2015 14:10:18 System Checkpoint
    02-11-2015 16:12:44 System Checkpoint
    03-11-2015 18:02:17 System Checkpoint
    04-11-2015 13:37:42 Restore Operation
    04-11-2015 13:41:47 avast! antivirus system restore point
    04-11-2015 13:50:21 Installed Windows XP Wdf01009.
    04-11-2015 20:03:13 Restore Point Created by FRST
    04-11-2015 20:10:50 Restore Point Created by FRST
    04-11-2015 21:41:25 JRT Pre-Junkware Removal
    05-11-2015 21:47:42 System Checkpoint
    06-11-2015 17:21:01 Restore Point Created by FRST
    07-11-2015 17:56:01 System Checkpoint
    08-11-2015 18:28:51 System Checkpoint
    09-11-2015 19:21:03 System Checkpoint
    10-11-2015 19:30:58 System Checkpoint
    11-11-2015 21:17:22 System Checkpoint
    12-11-2015 16:20:20 Software Distribution Service 3.0
    12-11-2015 23:11:52 Software Distribution Service 3.0
    13-11-2015 05:50:59 Software Distribution Service 3.0
    13-11-2015 06:29:39 Software Distribution Service 3.0
    13-11-2015 06:47:56 Software Distribution Service 3.0
    13-11-2015 06:55:46 Software Distribution Service 3.0
    13-11-2015 07:20:58 Software Distribution Service 3.0
    14-11-2015 11:28:32 System Checkpoint
    15-11-2015 12:16:12 System Checkpoint
    16-11-2015 12:34:32 System Checkpoint
    17-11-2015 13:03:46 System Checkpoint
    18-11-2015 14:55:28 System Checkpoint
    19-11-2015 16:39:00 System Checkpoint
    22-11-2015 18:57:54 System Checkpoint
    23-11-2015 19:29:53 System Checkpoint
    24-11-2015 20:17:53 System Checkpoint
    25-11-2015 20:42:58 System Checkpoint
    27-11-2015 09:26:53 System Checkpoint
    28-11-2015 09:31:11 System Checkpoint
    29-11-2015 10:05:51 System Checkpoint
    30-11-2015 11:36:05 System Checkpoint
    01-12-2015 12:16:46 System Checkpoint
    02-12-2015 12:17:03 System Checkpoint
    03-12-2015 13:00:24 System Checkpoint
    04-12-2015 13:38:51 System Checkpoint
    05-12-2015 17:44:45 System Checkpoint
    06-12-2015 19:28:14 System Checkpoint
    07-12-2015 20:07:15 System Checkpoint
    08-12-2015 21:15:00 System Checkpoint
    09-12-2015 21:18:23 System Checkpoint
    10-12-2015 11:39:17 Software Distribution Service 3.0
    10-12-2015 16:17:15 Software Distribution Service 3.0
    10-12-2015 17:17:50 Software Distribution Service 3.0
    10-12-2015 17:29:41 Software Distribution Service 3.0
    11-12-2015 17:42:33 System Checkpoint
    12-12-2015 18:40:31 System Checkpoint
    13-12-2015 18:50:00 System Checkpoint
    14-12-2015 19:32:24 System Checkpoint
    15-12-2015 20:09:52 System Checkpoint
    16-12-2015 06:07:20 Installed Windows XP Wdf01009.
    17-12-2015 06:58:18 System Checkpoint
    18-12-2015 07:28:14 System Checkpoint
    19-12-2015 08:59:54 System Checkpoint
    20-12-2015 09:20:57 System Checkpoint
    21-12-2015 10:54:25 System Checkpoint
    22-12-2015 11:20:11 System Checkpoint
    23-12-2015 20:03:23 System Checkpoint
    24-12-2015 20:39:21 System Checkpoint
    25-12-2015 21:35:47 System Checkpoint
    26-12-2015 22:55:15 System Checkpoint
    28-12-2015 10:07:28 System Checkpoint
    29-12-2015 12:15:36 System Checkpoint
    30-12-2015 12:17:55 System Checkpoint
    31-12-2015 13:43:45 System Checkpoint
    01-01-2016 15:17:53 System Checkpoint
    02-01-2016 15:42:24 System Checkpoint
    03-01-2016 17:55:47 System Checkpoint
    04-01-2016 18:32:55 System Checkpoint
    05-01-2016 19:24:45 System Checkpoint
    06-01-2016 19:56:54 System Checkpoint
    07-01-2016 20:03:11 System Checkpoint
    09-01-2016 07:46:30 System Checkpoint
    10-01-2016 10:29:06 System Checkpoint
    11-01-2016 10:37:51 System Checkpoint
    12-01-2016 11:41:48 System Checkpoint

    ==================== Faulty Device Manager Devices =============

    Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Manufacturer: Cisco Systems
    Service: vpnva
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (01/07/2016 06:58:14 AM) (Source: Microsoft Office 14) (EventID: 1000) (User: )
    Description: Faulting application outlook.exe, version 14.0.7162.5003, stamp 56344207, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0xffff0000.

    Error: (01/02/2016 10:41:56 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application jucheck.exe, version 2.8.60.27, faulting module jucheck.exe, version 2.8.60.27, fault address 0x00052d24.
    Processing media-specific event for [jucheck.exe!ws!]

    Error: (12/30/2015 08:29:26 AM) (Source: Microsoft Office 14) (EventID: 1000) (User: )
    Description: Faulting application outlook.exe, version 14.0.7162.5003, stamp 56344207, faulting module urlmon.dll, version 8.0.6001.23580, stamp 5318b77b, debug? 0, fault address 0x000059b4.

    Error: (12/13/2015 11:47:29 AM) (Source: Microsoft Office 14) (EventID: 1000) (User: )
    Description: Faulting application outlook.exe, version 14.0.7162.5003, stamp 56344207, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x6e757220.

    Error: (12/10/2015 11:42:46 AM) (Source: MsiInstaller) (EventID: 1024) (User: JOE)
    Description: Product: Microsoft Office Professional Plus 2010 - Update 'Security Update for Microsoft Office 2010 (KB3085612) 32-Bit Edition' could not be installed. Error code 1624. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

    Error: (12/10/2015 11:42:38 AM) (Source: MsiInstaller) (EventID: 1024) (User: JOE)
    Description: Product: Microsoft Office Professional Plus 2010 - Update 'Security Update for Microsoft Office 2010 (KB3085528) 32-Bit Edition' could not be installed. Error code 1624. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

    Error: (12/10/2015 11:41:04 AM) (Source: MsiInstaller) (EventID: 1024) (User: JOE)
    Description: Product: Microsoft Office Professional Plus 2010 - Update 'Update for Microsoft Office 2010 (KB3114404) 32-Bit Edition' could not be installed. Error code 1624. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

    Error: (12/04/2015 07:33:27 PM) (Source: Application Error) (EventID: 1001) (User: )
    Description: Fault bucket 200400471.
    The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

    Error: (12/04/2015 07:33:22 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application betonline poker.exe, version 0.0.0.0, faulting module betonline poker.exe, version 0.0.0.0, fault address 0x00393a67.
    Processing media-specific event for [betonline poker.exe!ws!]

    Error: (12/04/2015 07:32:10 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application betonline poker.exe, version 0.0.0.0, faulting module betonline poker.exe, version 0.0.0.0, fault address 0x00393a67.
    Processing media-specific event for [betonline poker.exe!ws!]


    System errors:
    =============
    Error: (01/12/2016 05:14:15 PM) (Source: System Error) (EventID: 1003) (User: )
    Description: Error code 000000ea, parameter1 897e1da0, parameter2 8a312e20, parameter3 8a510638, parameter4 00000001.

    Error: (01/12/2016 05:11:14 PM) (Source: 0) (EventID: 2) (User: )
    Description:

    Error: (01/12/2016 05:11:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The RadPciNT service failed to start due to the following error:
    %%55

    Error: (01/12/2016 05:11:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Java Quick Starter service failed to start due to the following error:
    %%2

    Error: (01/12/2016 05:11:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The GemTek USB FM Radio 21 driver service failed to start due to the following error:
    %%1058

    Error: (01/12/2016 05:09:37 PM) (Source: 0) (EventID: 108) (User: )
    Description: \Device\Video0displayigxprd32

    Error: (01/12/2016 04:59:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The RadPciNT service failed to start due to the following error:
    %%55

    Error: (01/12/2016 04:59:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Java Quick Starter service failed to start due to the following error:
    %%2

    Error: (01/12/2016 04:59:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The GemTek USB FM Radio 21 driver service failed to start due to the following error:
    %%1058

    Error: (01/12/2016 04:59:36 PM) (Source: 0) (EventID: 2) (User: )
    Description:


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz
    Percentage of memory in use: 39%
    Total physical RAM: 2009.74 MB
    Available physical RAM: 1223.73 MB
    Total Virtual: 3902.79 MB
    Available Virtual: 3233.93 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:298.09 GB) (Free:236.17 GB) NTFS ==>[drive with boot components (Windows XP)]
    Drive d: () (Fixed) (Total:298.09 GB) (Free:115.95 GB) NTFS ==>[drive with boot components (Windows XP)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: C5ABC5AB)
    Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: 3F0C8D80)
    Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

    ==================== End of Addition.txt ============================

    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2016-01-12 17:23:04
    -----------------------------
    17:23:04.015 OS Version: Windows 5.1.2600 Service Pack 3
    17:23:04.015 Number of processors: 2 586 0x170A
    17:23:04.015 ComputerName: JOE UserName: Dad
    17:23:04.718 Initialize success
    17:23:04.718 VM: initialized successfully
    17:23:04.718 VM: Intel CPU virtualization not supported
    17:23:06.484 AVAST engine defs: 16011200
    17:23:27.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    17:23:27.625 Disk 0 Vendor: WDC_WD3200AAJB-00WGA0 00.02C01 Size: 305245MB BusType: 3
    17:23:27.625 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
    17:23:27.625 Disk 1 Vendor: WDC_WD3200AAJB-00WGA0 00.02C01 Size: 305245MB BusType: 3
    17:23:27.828 Disk 0 MBR read successfully
    17:23:27.828 Disk 0 MBR scan
    17:23:27.828 Disk 0 Windows XP default MBR code
    17:23:27.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305242 MB offset 63
    17:23:27.843 Disk 0 default boot code
    17:23:27.843 Disk 0 scanning sectors +625137345
    17:23:27.921 Disk 0 scanning C:\WINDOWS\system32\drivers
    17:23:39.218 Service scanning
    17:23:56.125 Modules scanning
    17:23:56.125 Disk 0 trace - called modules:
    17:23:56.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    17:23:56.140 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a602ab8]
    17:23:56.140 3 CLASSPNP.SYS[b98e8fd7] -> nt!IofCallDriver -> \Device\00000071[0x8a6053b8]
    17:23:56.140 5 ACPI.sys[b977f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8a5f5d98]
    17:23:56.718 AVAST engine scan C:\WINDOWS
    17:24:28.968 AVAST engine scan C:\WINDOWS\system32
    17:28:47.375 AVAST engine scan C:\WINDOWS\system32\drivers
    17:29:18.140 AVAST engine scan C:\Documents and Settings\Dad
    17:59:25.953 AVAST engine scan C:\Documents and Settings\All Users
    18:02:22.546 Disk 0 statistics 2447246/0/0 @ 0.62 MB/s
    18:02:22.562 Scan finished successfully
    18:22:49.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dad\Desktop\virus-fix\MBR.dat"
    18:22:49.109 The log file has been saved successfully to "C:\Documents and Settings\Dad\Desktop\virus-fix\aswMBR.txt"

    (END LOGS)

  2. #2
    Juliet, Security Expert (Join Date: Feb 2007; Location: Deep South; Posts: 3,847)

    Hi

    Not much that stands out.

    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use WordPad!* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right-click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).
    start
    CreateRestorePoint:
    CloseProcesses:
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {fcd9f10e-0daa-405f-bca0-0dd3f37c59d9} URL =
    CMD: ipconfig /flushdns
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~~~

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
    • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Please download Junkware Removal Tool (or from here: http://downloads.malwarebytes.org/file/jrt) to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    ~~~~
    Please post:
    Fixlog.txt
    AdwCleaner[CX].txt
    JRT.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Junior Member (Join Date: Jan 2006; Posts: 29)

    Quote Originally Posted by Juliet:
    please post
    Fixlog.txt
    AdwCleaner[CX].txt
    JRT.txt
    Sorry for the delay. I had forgotten to mark the thread with instant email notification. Here are the requested logs:

    Fixlog.txt:

    Fix result of Farbar Recovery Scan Tool (x86) Version:10-01-2015 01
    Ran by Dad (2016-01-13 23:15:49) Run:1
    Running from C:\Documents and Settings\Dad\Desktop\virus-fix
    Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
    SearchScopes: HKU\S-1-5-21-1390067357-926492609-839522115-1003 -> {fcd9f10e-0daa-405f-bca0-0dd3f37c59d9} URL =
    CMD: ipconfig /flushdns
    EmptyTemp:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
    "HKU\S-1-5-21-1390067357-926492609-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fcd9f10e-0daa-405f-bca0-0dd3f37c59d9}" => key removed successfully.
    HKCR\CLSID\{fcd9f10e-0daa-405f-bca0-0dd3f37c59d9} => key not found.

    ========= ipconfig /flushdns =========



    Windows IP Configuration



    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========

    EmptyTemp: => 667.8 MB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 23:20:14 ====

    AdwCleaner[CX].txt:

    # AdwCleaner v5.029 - Logfile created 13/01/2016 at 23:32:56
    # Updated 11/01/2016 by Xplode
    # Database : 2016-01-12.1 [Server]
    # Operating system : Microsoft Windows XP Service Pack 3 (x86)
    # Username : Dad - JOE
    # Running from : C:\Documents and Settings\Dad\Desktop\virus-fix\AdwCleaner.exe
    # Option : Cleaning
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****

    [-] Folder Deleted : C:\WINDOWS\system32\GroupPolicy\Adm

    ***** [ Files ] *****

    [-] File Deleted : C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\invalidprefs.js

    ***** [ DLLs ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    [-] Key Deleted : HKCU\Software\PRODUCTSETUP
    [-] Key Deleted : HKCU\Software\ICSW1.17

    ***** [ Web browsers ] *****

    [-] [C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\81ilz7pn.default-1443317241296\prefs.js] [Preference] Deleted : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,DuckDuckGo,eBay,Twitter,Wikipedia (en),Yahoo Search!");

    *************************

    :: "Tracing" keys removed
    :: Winsock settings cleared

    ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1238 bytes] ##########

    JRT.txt:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.2 (01.06.2016)
    Operating System: Microsoft Windows XP x86
    Ran by Dad (Administrator) on Wed 01/13/2016 at 23:46:02.31
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    File System: 1

    Successfully deleted: C:\WINDOWS\wininit.ini (File)



    Registry: 2

    Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
    Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Wed 01/13/2016 at 23:48:00.76
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    (END LOGS)

    Ready for next step. Thanks so far.

    Joe

  4. #4
    Juliet, Security Expert (Join Date: Feb 2007; Location: Deep South; Posts: 3,847)

    Still having browser hijacks?

    Let's update MalwareBytes and run a scan.
    • On the Dashboard, click on Update Now.
    • Go to the Settings tab.
    • Under Settings, go to Detection and Protection.
    • Under PUP and PUM, make sure both are set to Treat Detections as Malware.
    • Go to Advanced Settings and make sure Automatically Quarantine Detected Items is checked.
    • Then on the Dashboard, click on Scan.
    • Make sure to select THREAT SCAN.
    • Then click on Scan.


    After the restart, once you are back at your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double-click on the scan log which shows the date and time of the scan just performed.
    Click 'Copy to Clipboard'.
    Paste the contents of the clipboard into your reply.

  5. #5
    Junior Member (Join Date: Jan 2006; Posts: 29)

    Quote Originally Posted by Juliet:
    Still having browser hijacks?
    • Make sure to select THREAT SCAN
    Paste the contents of the clipboard into your reply
    The browser hi-jack appears to have been fixed.

    I must have missed something, I don't see a "threat scan" option.

    Here is the log of the scan:

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 1/14/2016
    Scan Time: 8:08:13 AM
    Logfile:
    Administrator: Yes

    Version: 2.2.0.1024
    Malware Database: v2016.01.14.03
    Rootkit Database: v2016.01.09.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Dad

    Scan Type: Threat Scan
    Result: Cancelled
    Objects Scanned: 41202
    Time Elapsed: 2 min, 36 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 0
    (No malicious items detected)

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 0
    (No malicious items detected)

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    The log you requested didn't show it, but from the same scan, on the "threats detected" tab these were identified. I didn't take any action on this (as I await direction from you), but I would like to get rid of these too...

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 1/14/2016
    Scan Time: 8:11:12 AM
    Logfile:
    Administrator: Yes

    Version: 2.2.0.1024
    Malware Database: v2016.01.14.03
    Rootkit Database: v2016.01.09.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows XP Service Pack 3
    CPU: x86
    File System: NTFS
    User: Dad

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 348936
    Time Elapsed: 20 min, 15 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 1
    PUP.Optional.WeatherBug, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{1B9604EE-B104-45C8-8551-5F63BA631E23}, , [deade257c6d3171f28c8ebf6fe05d927],

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 25
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1194B90A, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2AF55881, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2F536942, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\4D8E513, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\557E91D7, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\76981FF9, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\88EF8CFE, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B16299D3, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B2735F12, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B2890989, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\D759BF7C, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\F1B200E5, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\FB6F57A0, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mDown.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mFileBagIDE.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mFileBagIDE.dll\bag, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mIDEFunc.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mMSI.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mWinRun.dll, , [deade257c6d3171f28c8ebf6fe05d927],

    Files: 80
    PUP.Optional.APNToolBar, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\WeatherBugSetup.res, , [1972e4556c2dd0666667a18e669bf10f],
    PUP.Optional.FlvDownloader, C:\Documents and Settings\Dad\My Documents\Downloads\FlashPlayer_Updater [1].exe, , [1d6ef1483564e6509ac9bff245bc6e92],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\WeatherBugSetup.msi, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\instance.dat, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\mia.lib, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\WeatherBugSetup.dat, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\WeatherBugSetup.exe, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\WeatherBugSetup.lnk, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\WeatherBugSetup.par, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\{1B9604EE-B104-45C8-8551-5F63BA631E23}, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\{1B9604EE-B104-45C8-8551-5F63BA631E23}.native.bitness.log, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\{1B9604EE-B104-45C8-8551-5F63BA631E23}.native.data.log, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\{1B9604EE-B104-45C8-8551-5F63BA631E23}.native.elements.log, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\{1B9604EE-B104-45C8-8551-5F63BA631E23}.native.weight.log, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\{FA77A43D-F6ED-4924-87B5-517C061388C6}, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\backbone.analytics.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\backbone.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\backbone.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\bootstrap.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\jquery.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\json2.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\stacktrace.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\10755C93\underscore.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1194B90A\dWeather.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1194B90A\runtime.html, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA\background.png, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA\client.html, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA\layout.xml, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA\MiniBugIcon.ico, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA\noconnection.html, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA\runtime.html, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\1382EDFA\testPage.html, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2AF55881\GalaSoft.MvvmLight.Extras.WPF4.xml, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2AF55881\GalaSoft.MvvmLight.WPF4.xml, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2AF55881\Microsoft.Practices.ServiceLocation.xml, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2AF55881\System.Windows.Interactivity.xml, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2AF55881\WeatherBug.exe.config, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\2F536942\dWeatherUnitTests.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\4D8E513\backbone.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\4D8E513\jquery.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\4D8E513\json2.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\4D8E513\underscore.min.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\557E91D7\qunit.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\CustomActions.exe, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\GalaSoft.MvvmLight.Extras.WPF4.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\GalaSoft.MvvmLight.WPF4.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\Hardcodet.Wpf.TaskbarNotification.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\Microsoft.Maps.MapControl.WPF.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\Microsoft.Practices.ServiceLocation.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\Newtonsoft.Json.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\NLog.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\System.Windows.Interactivity.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\WeatherBug.exe, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\WeatherBugLib.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\609C82D7\WebResources.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\76981FF9\timeSpan.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\88EF8CFE\bootstrap.min.css, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B16299D3\configuration.json, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B16299D3\dWeather.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B16299D3\dWeather_dMiniExtensions.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B16299D3\locations.json, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B2735F12\configuration.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\B2890989\qunit.css, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\D759BF7C\environment.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\D759BF7C\shell.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\F1B200E5\glyphicons-halflings-white.png, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\F1B200E5\glyphicons-halflings.png, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\FB6F57A0\configurationStore.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\FB6F57A0\dataStore.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\FB6F57A0\locationStore.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\FB6F57A0\notificationCenter.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\FB6F57A0\settingsStore.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\ED87AFBD\FB6F57A0\timeEventSource.js, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mDown.dll\mDownExec.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mFileBagIDE.dll\mFileBagEXE.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mFileBagIDE.dll\bag\ga.exe, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mFileBagIDE.dll\bag\ga.exe.config, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mIDEFunc.dll\mEXEFunc.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mMSI.dll\mMSIExec.dll, , [deade257c6d3171f28c8ebf6fe05d927],
    PUP.Optional.WeatherBug, C:\Documents and Settings\All Users\Application Data\{FA77A43D-F6ED-4924-87B5-517C061388C6}\OFFLINE\mWinRun.dll\mWinRunExec.dll, , [deade257c6d3171f28c8ebf6fe05d927],

    Physical Sectors: 0
    (No malicious items detected)


    (end)

  6. #6
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,847

    Default

    The browser hi-jack appears to have been fixed.
    Good deal

    From the same scan, on the "threats detected"
    Working off a Windows XP machine may be the difference... but you did get the results posted. MBAM doesn't like WeatherBug, so it is probably a good idea to uninstall it.

    You can run MBAM again and this time please allow it to quarantine/remove what it found.

    ~~~``

    What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending, of course, on how full your computer is.

    ESET Online Scan
    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
    • Please download ESET Online Scan and save the file to your Desktop.
    • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
    • Double-click esetsmartinstaller_enu.exe to run the programme.
    • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
    • Agree to the Terms of Use once more and click Start. Allow components to download.
    • Place a checkmark next to Enable detection of potentially unwanted applications.
    • Click Advanced settings. Place a checkmark next to:
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Ensure Remove found threats is unchecked.
    • Click Start.
    • Wait for the scan to finish. Please be patient as this can take some time.
    • Upon completion, click . If no threats were found, skip the next two bullet points.
    • Click and save the file to your Desktop, naming it something such as "MyEsetScan".
    • Push the Back button.
    • Place a checkmark next to and click .
    • Re-enable your anti-virus software.
    • Copy the contents of the log and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  7. #7
    Junior Member
    Join Date
    Jan 2006
    Posts
    29

    Default

    Quote Originally Posted by Juliet View Post
    You can run MBAM again and this time please allow it to quarantine/remove what it found.
    Copy the contents of the log and paste in your next reply.
    I re-ran MBAM and removed what it found. Here is the Eset scan log:

    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_11\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_13\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_71\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application
    C:\Documents and Settings\Dad\Local Settings\Application Data\Downloaded Installations\{382B7E08-8EB6-435F-A474-CE7C90770D2D}\rserv34.msi a variant of Win32/RemoteAdmin.RAdmin.AC potentially unsafe application
    C:\Program Files\Radmin\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
    C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
    C:\WINDOWS\system32\raddrv.dll a variant of Win32/RemoteAdmin potentially unsafe application
    D:\C_2010_09_04\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\C_2010_09_04\Program Files\XPMedic\XPMedic.exe Win32/Adware.XPMedic application
    D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application
    D:\Downloads\FlashPlayer_Updater.exe a variant of Win32/InstallCore.ACY.gen potentially unwanted application
    D:\Downloads\Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip a variant of Win32/Keygen.EM potentially unsafe application
    D:\Downloads\XPMedic_Setup.exe Win32/Adware.XPMedic application
    D:\Downloads\XPMedic_Setup.zip Win32/Adware.XPMedic application
    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe a variant of Win32/Keygen.CW potentially unsafe application
    D:\Downloads\Remote_Administrator\RADMIN22.EXE Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Downloads\Remote_Administrator\radmin22.zip Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe Win32/PrcView potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe Win32/PrcView potentially unsafe application
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe Win32/Shutdown.NAA potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22de.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22en.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
    D:\Radmin22\Radmin22 (F)\Setup\radmin22ru.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application

    Of the items mentioned, I need Remote Administrator and Radmin for work. They are licensed products.
    The items in the "D:\Hank" folder are for back up purposes only.
    7zip, I believe, is a properly licensed/paid-for application with a non-cracked key. However, if you see evidence otherwise, let me know and I will delete it.

    Everything else can (should?) go away.

    Joe

  8. #8
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,847

    Default

    We'll be removing a couple of items from the backup folder that shouldn't be on a clean computer. Afterwards, you should delete this backup and create a clean one.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below.
    To do this, highlight the contents of the box, right click on it and select copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_11\java_sp.dll
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_13\java_sp.dll
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_71\java_sp.dll
    D:\C_2010_09_04\Program Files\XPMedic\XPMedic.exe
    D:\Downloads\FlashPlayer_Updater.exe
    D:\Downloads\Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip
    D:\Downloads\XPMedic_Setup.exe
    D:\Downloads\XPMedic_Setup.zip
    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe
    D:\Hank\Hank_back_PC\ac\SmitfraudFix.exe
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\Process.exe
    D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~`

    We need to check and see which version of Java you're using.

    Update Outdated Software
    Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.
    • Adobe Flash Player (uncheck the "Optional Offer") <== if you use this program
    • Adobe Reader (uncheck the "Optional Offer") <== if you use this program
    • Java (watch out for "Optional Offers" or bundled software) <== if you use this program
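The fixlist above is built by hand from the ESET result lines Joe posted, keeping back the paths he said he needs (the licensed Radmin install and the 7zip installer). As an added example, not a tool from this thread or from Farbar/ESET, here is a small parser for the ESET Online Scanner result format that turns the remaining hits into an FRST fixlist of the same shape (start / CreateRestorePoint: / CloseProcesses: / paths / EmptyTemp: / End). The sample log is a subset of the lines from Joe's post; the `APPROVED` allow-list is an assumption made for this example and approves by exact path, not by detection family, so a second copy of a remote-admin tool in an unexpected location would still be listed for removal.

```python
"""Turn an ESET Online Scanner result log into an FRST fixlist, skipping
operator-approved paths. Added example; not code from the thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# One ESET result line: <path> [a variant of ]<Platform/Name> <verdict>.
# The path may contain spaces, so it is matched lazily and the detection
# name is pinned to the single 'Platform/Name' token ESET emits after it.
ESET_LINE = re.compile(
    r"^(?P<path>.+?) (?P<variant>a variant of )?(?P<name>[^\s/]+/\S+) "
    r"(?P<verdict>potentially unsafe application"
    r"|potentially unwanted application|application)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    name: str        # e.g. Win32/RemoteAdmin.RAdmin.22
    verdict: str     # ESET's severity wording for the hit
    variant: bool    # True when ESET reported 'a variant of'


def parse_eset_log(text: str) -> List[Detection]:
    """Parse ESET result lines; fail loudly on a line we do not understand
    rather than silently dropping a detection."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ESET_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        found.append(Detection(m["path"], m["name"], m["verdict"],
                               m["variant"] is not None))
    return found


def is_approved(path: str, approved_prefixes: Sequence[str]) -> bool:
    """Case-insensitive prefix match, since NTFS paths are case-insensitive."""
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in approved_prefixes)


def build_fixlist(detections: Iterable[Detection],
                  approved_prefixes: Sequence[str]) -> List[str]:
    """FRST fixlist: restore point and process close first, then the paths
    to move, then temp cleanup."""
    lines = ["start", "CreateRestorePoint:", "CloseProcesses:"]
    lines += [d.path for d in detections
              if not is_approved(d.path, approved_prefixes)]
    lines += ["EmptyTemp:", "End"]
    return lines


# Sample input: a subset of the result lines Joe posted from his ESET scan.
SAMPLE_LOG = r"""
C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_11\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Program Files\Radmin\radmin.exe Win32/RemoteAdmin.RAdmin.22 potentially unsafe application
C:\Program Files\Radmin\r_server.exe Win32/RAdmin.22 potentially unsafe application
D:\C_2010_09_04\Program Files\XPMedic\XPMedic.exe Win32/Adware.XPMedic application
D:\Downloads\7zip-setup.exe a variant of Win32/DownloadAdmin.M potentially unwanted application
D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe a variant of Win32/Keygen.CW potentially unsafe application
D:\Hank\Hank_back_PC\ac\SmitfraudFix\restart.exe Win32/Shutdown.NAA potentially unsafe application
"""

# Operator allow-list (an assumption for this example): keep the licensed
# Radmin install directory and the 7-Zip installer, mirroring Joe's request.
APPROVED = [
    "C:\\Program Files\\Radmin\\",
    "D:\\Downloads\\7zip-setup.exe",
]

if __name__ == "__main__":
    print("\n".join(build_fixlist(parse_eset_log(SAMPLE_LOG), APPROVED)))
```

Running it prints a fixlist you can save next to FRST as fixlist.txt. Review the generated paths before pressing Fix: the parser only decides what ESET flagged and what the allow-list excuses, and a keygen or installer sitting in a backup folder still belongs in the list even when the folder as a whole is "for backup purposes only".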

  9. #9
    Junior Member
    Join Date
    Jan 2006
    Posts
    29

    Default

    Quote Originally Posted by Juliet View Post
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
    I am very sorry for the delay. I think I clicked on "preview post", instead of "submit reply". I was wondering why you hadn't replied. Here is the fixlog.txt.

    Joe

    Fix result of Farbar Recovery Scan Tool (x86) Version:10-01-2015 01
    Ran by Dad (2016-01-16 08:23:23) Run:2
    Running from C:\Documents and Settings\Dad\Desktop\virus-fix
    Loaded Profiles: Dad (Available Profiles: Dad & Administrator)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_11\java_sp.dll
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_13\java_sp.dll
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_71\java_sp.dll
    D:\C_2010_09_04\Program Files\XPMedic\XPMedic.exe
    D:\Downloads\FlashPlayer_Updater.exe
    D:\Downloads\Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip
    D:\Downloads\XPMedic_Setup.exe
    D:\Downloads\XPMedic_Setup.zip
    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe
    EmptyTemp:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_11\java_sp.dll => moved successfully
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_13\java_sp.dll => moved successfully
    C:\Documents and Settings\Dad\Application Data\Sun\Java\jre1.7.0_71\java_sp.dll => moved successfully
    D:\C_2010_09_04\Program Files\XPMedic\XPMedic.exe => moved successfully
    D:\Downloads\FlashPlayer_Updater.exe => moved successfully
    D:\Downloads\Kingdia.Video.to.AVI.WMV.MPEG.MOV.SWF.FLV.Converter.v1.0.4_KEYGEN-FFF.zip => moved successfully
    D:\Downloads\XPMedic_Setup.exe => moved successfully
    D:\Downloads\XPMedic_Setup.zip => moved successfully
    D:\Downloads\mom\PowerDVD 6.0.01102\PowerDVD 6 Deluxe - Key.exe => moved successfully
    EmptyTemp: => 220.5 MB temporary data Removed.


    The system needed a reboot.

    ==== End of Fixlog 08:25:57 ====

  10. #10
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,847

    Default

    Welcome back

    By chance, were you able to do this?

    ~~~~~
    Update Outdated Software
    Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.
    • Adobe Flash Player (uncheck the "Optional Offer") <== if you use this program
    • Adobe Reader (uncheck the "Optional Offer") <== if you use this program
    • Java (watch out for "Optional Offers" or bundled software) <== if you use this program
