
Can't Run Windows Update After PUP.Optional.Spigot.A Removal



I have been unable to successfully complete a Windows Update on my 32-bit Vista machine since an MBAM v2.0.8.1057 Threat Scan detected and quarantined two registry entries for PUP.Optional.Spigot.A on 11-Aug-2015 (see attached MBAM scan log).  I'm not sure if the Spigot detection and problems with Windows Update are simply a coincidence or if remnants of Spigot might be preventing a connection to the Windows Update server.

I do not see an error when Windows Update runs - it just reports that it is checking for updates and never finishes, even if I leave Windows Update running for over an hour.  Process Explorer shows that the Windows process svchost.exe constantly consumes ~50% of my CPU while Windows Update is running (i.e., complete saturation of one of my Intel Duo cores) and that a thread for the Windows Update service (wuauserv) is responsible for that CPU activity.

I ran full scans of my system with both MBAM and NIS yesterday, as well as a system file check ("sfc /verifyonly" from elevated command prompt) and none of these scans reported any further detections or problems.

This might be unrelated, but please note that I have a paid Premium license for MBAM but deactivated my MBAM realtime protection about a month ago because of an ongoing issue with MBAM v2.x Malicious Website Protection that prevents my Norton Internet Security from running automatic LiveUpdates - see my 07-Dec-2014 thread Norton Pulse Updates Fail when Malicious Website Protection Enabled.  I have a support ticket for this problem and was told by the Product Support Specialist on 04-Jun-2015 (and again on 03-Aug-2015) that they were preparing instructions for collecting further data but I still haven't received those instructions and don't want to continue waiting for assistance from the Help Desk if it means leaving my MBAM realtime protection disabled for long periods of time.
-------------
32-bit Vista Home Premium SP2 * Firefox 40.0 (default) * IE9 * NIS 2014 v. 21.7.0.11 * MBAM Premium 2.0.8.1057

HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

FRST.txt

Addition.txt

MBAM Scan Log Spigot Registry Entries 11 Aug 2015.txt

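The post above reports the symptom (one svchost.exe core-bound, a wuauserv thread responsible) and the checks already run (MBAM, NIS, sfc /verifyonly). As an added example that is not part of the thread and not the forum helper's procedure, this is the read-only triage a responder would run on that box before deciding whether the hang is malware-related: which svchost.exe instance hosts wuauserv, how much CPU it has consumed and which other services share that process, whether that svchost.exe image still carries a valid Microsoft signature, and whether the hosts file contains any active entry naming a Microsoft update domain (the kind of tampering that a hosts-file reset, as later requested in the thread, would undo). It assumes an elevated PowerShell 2.0 or later prompt on Vista or newer; the list of update-domain substrings is an assumption for the example, not an official list, and nothing is modified.

```powershell
# Added example, not from the thread. Read-only triage for a Windows Update
# hang on Vista or later. Run from an elevated PowerShell 2.0+ prompt.

# 1. Locate the svchost.exe instance that hosts wuauserv and report its CPU use
#    and the other services sharing that process. All of them appear under one
#    PID, so a thread-level view (as in Process Explorer) is what pins the load
#    on wuauserv itself; this only narrows it to the right process.
$svc = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
if ($svc.ProcessId -gt 0) {
    $proc  = Get-Process -Id $svc.ProcessId
    $peers = Get-WmiObject Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
                 ForEach-Object { $_.Name }
    "wuauserv: PID {0}, CPU time {1:N0} s, shares process with: {2}" -f $proc.Id, $proc.CPU, ($peers -join ', ')
} else {
    "wuauserv is not running (state: $($svc.State))"
}

# 2. The hosting image must carry a valid Microsoft signature. Anything else
#    means svchost.exe itself was replaced, and the hang is the least of it.
$sig = Get-AuthenticodeSignature "$env:windir\System32\svchost.exe"
"svchost.exe signature: $($sig.Status)"
if ($sig.SignerCertificate) { "  signer: $($sig.SignerCertificate.Subject)" }

# 3. Any active hosts entry naming a Microsoft update domain redirects the
#    update client without producing an error. The substrings below are an
#    assumption for this example, not an official list.
$hostsPath   = "$env:windir\System32\drivers\etc\hosts"
$updateHosts = 'windowsupdate', 'update.microsoft', 'download.microsoft', 'microsoft.com'
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*(#|$)' } |
    ForEach-Object {
        $line = $_
        $hit  = $updateHosts | Where-Object { $line -match [regex]::Escape($_) }
        if ($hit) { "SUSPICIOUS hosts entry: $line" } else { "hosts entry: $line" }
    }
```

A clean Vista hosts file has no active entries beyond localhost, so any line flagged SUSPICIOUS is worth comparing against the defaults before resetting the file; a signature status other than Valid on svchost.exe changes the case from a stuck update client to a compromised system binary.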

I ran another Threat Scan today and it detected and quarantined a new registry key for PUP.Optional.Hicosmea (see attached MBAM scan log).

 

Please note that I've installed the latest Adobe Flash Player v18.0.0.232 add-on in my IE9 browser (downloaded from the official Adobe site at https://www.adobe.com/ca/products/flashplayer/distribution3.html) and upgraded from Firefox v40.0 to v40.0.2 since my original post, so here are the results of a new FRST scan:

_________________________________

 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:13-08-2015
Ran by Lori (administrator) on LORI-PC (15-08-2015 15:03:33)
Running from C:\Users\Lori\Desktop
Loaded Profiles: Lori & UpdatusUser (Available Profiles: Lori & Backup Administrator & UpdatusUser & Vista Standard)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.7.0.11\nis.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.7.0.11\nis.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [iAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2008-12-04] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7539232 2009-06-09] (Realtek Semiconductor)
HKLM\...\Run: [QlbCtrl.exe] => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] => C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554288 2007-11-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2015-04-07] (Apple Inc.)
HKU\S-1-5-21-3086198521-800258848-3831315664-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Mystify.scr [221184 2008-01-20] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3086198521-800258848-3831315664-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.ca/
HKU\S-1-5-21-3086198521-800258848-3831315664-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3086198521-800258848-3831315664-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
HKU\S-1-5-21-3086198521-800258848-3831315664-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
SearchScopes: HKLM -> DefaultScope {D5BA47E8-9799-47EE-A7B8-F142CFA6B57E} URL = hxxp://ca.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKLM -> {D5BA47E8-9799-47EE-A7B8-F142CFA6B57E} URL = hxxp://ca.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKU\S-1-5-21-3086198521-800258848-3831315664-1000 -> DefaultScope {5C1BA458-C49C-4223-8CA2-D81D95C4F6A2} URL = hxxp://www.google.ca/search?hl=en&q={searchTerms}&btnG=Google+Search&meta=
SearchScopes: HKU\S-1-5-21-3086198521-800258848-3831315664-1000 -> {5C1BA458-C49C-4223-8CA2-D81D95C4F6A2} URL = hxxp://www.google.ca/search?hl=en&q={searchTerms}&btnG=Google+Search&meta=
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-06-26] (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL [2015-03-04] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-06-26] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-3086198521-800258848-3831315664-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-06-26] (Symantec Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-08] (Microsoft Corporation)
Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{8DA183E0-602C-4F03-BDA0-535201848968}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{B9AF306D-1378-499B-BBF3-D235DE55172C}: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test
FF Homepage: https://www.google.ca/
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF SearchPlugin: C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\searchplugins\safesearch.xml [2015-04-06]
FF Extension: WOT - C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-07-12]
FF Extension: Mozilla Archive Format - C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\Extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi [2015-04-06]
FF Extension: Video DownloadHelper - C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-04-06]
FF Extension: Adblock Plus - C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-04-06]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn [2015-08-15]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-04-03]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.7.0.11\Exts\Chrome.crx [2015-03-18]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-12-04] (Hewlett-Packard) [File not signed]
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
S3 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [135168 2008-03-25] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S4 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2008-07-18] (Hewlett-Packard) [File not signed]
R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.7.0.11\NIS.exe [276336 2015-03-07] (Symantec Corporation)
S3 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2008-07-18] (Hewlett-Packard) [File not signed]
S3 QPCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [292216 2010-03-08] ()
S3 QPSched; C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [116080 2010-03-08] ()
S3 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [146560 2007-08-28] (AuthenTec, Inc.)
R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\BASHDefs\20150810.001\BHDrvx86.sys [1181936 2015-07-23] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1507000.00B\ccSetx86.sys [127064 2014-02-20] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389456 2015-07-28] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [122192 2015-07-28] (Symantec Corporation)
R3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\IPSDefs\20150814.002\IDSvix86.sys [523512 2015-06-19] (Symantec Corporation)
R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20150814.016\NAVENG.SYS [104440 2015-07-28] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20150814.016\NAVEX15.SYS [1645432 2015-07-28] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\NIS\1507000.00B\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1507000.00B\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NIS\1507000.00B\SYMDS.SYS [367704 2014-07-23] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1507000.00B\SYMEFA.SYS [936152 2014-07-23] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2015-03-12] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1507000.00B\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1507000.00B\SYMTDIV.SYS [384728 2014-07-23] (Symantec Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 cpuz132; \??\C:\Users\Lori\AppData\Local\Temp\cpuz132\cpuz132_x32.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PROCEXP150; \??\C:\Windows\system32\Drivers\PROCEXP150.SYS [X]
S3 PROCEXP151; \??\C:\Windows\system32\Drivers\PROCEXP151.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-14 13:04 - 2015-08-14 13:04 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-08-14 13:04 - 2015-08-14 13:04 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-08-14 08:41 - 2015-08-14 08:42 - 00000000 ____D C:\Users\Lori\Downloads\Panda Free Antiviris 16.0.1
2015-08-13 17:16 - 2015-08-14 17:49 - 00000000 ____D C:\Users\Lori\Downloads\Firefox 40.0.2
2015-08-13 12:52 - 2015-08-13 12:54 - 00034610 _____ C:\Users\Lori\Desktop\Addition.txt
2015-08-13 12:51 - 2015-08-15 15:03 - 00013837 _____ C:\Users\Lori\Desktop\FRST.txt
2015-08-13 08:33 - 2015-08-13 12:50 - 01678336 _____ (Farbar) C:\Users\Lori\Desktop\FRST.exe
2015-08-13 08:33 - 2015-08-13 08:33 - 00169925 _____ C:\Users\Lori\Desktop\I'm infected - What do I do now  - Malware Removal Help - Malwarebytes Forum.mht
2015-08-12 21:51 - 2015-08-12 21:51 - 01173801 _____ C:\Users\Lori\Desktop\How to solve connection problems concerning Windows Update or Microsoft Update.mht
2015-08-12 20:14 - 2015-08-12 20:14 - 01768863 _____ C:\Users\Lori\Desktop\WindowsUpdate 12 Aug 2015.log
2015-08-11 13:42 - 2015-08-11 13:45 - 00000000 ____D C:\Users\Lori\Downloads\NIS 2015 Offline 22.5.2.15
2015-08-11 08:39 - 2015-08-11 12:06 - 00000000 ____D C:\Users\Lori\Downloads\Adobe Flash Uninstaller Win 18.0.0.232
2015-08-11 08:35 - 2015-08-14 13:02 - 00000000 ____D C:\Users\Lori\Downloads\Adobe Flash IE 18.0.0.232
2015-08-11 08:34 - 2015-08-11 08:35 - 00000000 ____D C:\Users\Lori\Downloads\Adobe Flash Non-IE 18.0.0.232
2015-08-11 08:31 - 2015-08-12 20:17 - 00000000 ____D C:\Users\Lori\Downloads\Firefox 40.0
2015-08-01 12:18 - 2015-08-01 12:19 - 00000000 ____D C:\Users\Lori\Downloads\NetLimiter 3 Free
2015-07-28 09:19 - 2015-07-28 09:23 - 00000000 ____D C:\Users\Lori\Downloads\Adblock Plus 2.6.10
2015-07-27 20:41 - 2015-07-27 20:41 - 01682416 _____ (Malwarebytes Corporation) C:\Users\Lori\Desktop\mbam-check-2.1.1.1001.exe
2015-07-23 07:34 - 2015-07-23 18:08 - 00000000 ____D C:\Users\Lori\Downloads\CCleaner 5.08.5308
2015-07-20 17:36 - 2015-07-14 11:02 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-07-20 17:36 - 2015-07-14 09:23 - 00296960 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-15 15:03 - 2015-04-02 08:14 - 00000000 ____D C:\FRST
2015-08-15 14:28 - 2006-11-02 07:47 - 00003344 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-15 14:28 - 2006-11-02 07:47 - 00003344 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-15 13:50 - 2015-07-01 13:18 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-15 13:35 - 2008-08-17 17:46 - 00000000 ____D C:\Users\Lori\Documents\Employment
2015-08-15 13:34 - 2010-01-08 11:06 - 00000000 ____D C:\Users\Lori\AppData\Local\CutePDF Writer
2015-08-15 12:31 - 2008-03-17 06:04 - 01796504 _____ C:\Windows\WindowsUpdate.log
2015-08-15 12:28 - 2015-04-07 08:32 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-08-15 12:28 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-14 22:42 - 2006-11-02 08:01 - 00032562 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-14 22:41 - 2009-12-24 14:29 - 00000000 ____D C:\Users\Lori\AppData\Local\CrashDumps
2015-08-14 22:29 - 2008-08-17 16:54 - 00000000 ____D C:\Users\Lori\Documents\MS Word
2015-08-14 18:05 - 2006-11-02 05:33 - 01742062 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-14 18:03 - 2014-07-11 21:52 - 00002347 _____ C:\Users\Lori\Desktop\SyncToy 2.1.lnk
2015-08-14 18:02 - 2008-08-21 08:08 - 00000000 ___RD C:\Users\Lori\Documents\MS Excel
2015-08-14 17:51 - 2015-04-07 08:32 - 00000858 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-08-14 17:51 - 2015-04-07 08:32 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-08-13 09:00 - 2009-07-31 16:25 - 00000000 ____D C:\Users\Lori\AppData\Roaming\HpUpdate
2015-08-12 07:31 - 2008-01-20 21:47 - 04865756 _____ C:\Windows\PFRO.log
2015-08-11 11:50 - 2010-07-29 14:10 - 00000000 ____D C:\Users\Lori\Documents\ST New
2015-08-08 16:20 - 2008-08-24 13:05 - 00000000 ____D C:\Users\Lori\Documents\My Scans
2015-08-05 13:43 - 2008-08-16 09:58 - 00000000 ____D C:\Users\Lori\Documents\MS Money
2015-08-04 12:41 - 2008-08-19 18:12 - 00000000 ____D C:\Users\Lori\Documents\PDFs
2015-07-30 21:53 - 2011-11-09 12:58 - 00000000 ____D C:\Users\Lori\dwhelper
2015-07-30 21:52 - 2015-04-17 18:58 - 00000000 ____D C:\Users\Lori\AppData\Roaming\vlc
2015-07-28 19:31 - 2014-09-29 14:47 - 00000000 ____D C:\Users\Lori\Documents\Voicemails
2015-07-23 18:21 - 2015-03-19 22:29 - 00000804 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-07-23 18:21 - 2009-05-15 15:34 - 00000000 ____D C:\Program Files\CCleaner
2015-07-20 17:41 - 2006-11-02 07:47 - 00302320 _____ C:\Windows\system32\FNTCACHE.DAT

==================== Files in the root of some directories =======

2008-08-16 21:02 - 2008-12-22 10:47 - 0027744 _____ () C:\Users\Lori\AppData\Roaming\nvModes.001
2008-08-16 20:47 - 2008-09-11 18:42 - 0027744 _____ () C:\Users\Lori\AppData\Roaming\nvModes.dat
2008-08-19 07:28 - 2015-02-06 12:47 - 0001776 _____ () C:\Users\Lori\AppData\Roaming\wklnhst.dat
2008-08-10 15:46 - 2008-08-10 15:46 - 0000000 _____ () C:\Users\Lori\AppData\Local\AtStart.txt
2008-10-04 16:08 - 2015-03-25 13:21 - 0001356 _____ () C:\Users\Lori\AppData\Local\d3d9caps.dat
2008-09-03 09:07 - 2013-04-29 10:56 - 0012288 _____ () C:\Users\Lori\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-08-10 15:46 - 2008-08-10 15:46 - 0000000 _____ () C:\Users\Lori\AppData\Local\DSwitch.txt
2008-09-11 18:42 - 2009-05-24 21:12 - 0000000 _____ () C:\Users\Lori\AppData\Local\FnF4.txt
2008-08-10 15:46 - 2008-08-10 15:46 - 0000000 _____ () C:\Users\Lori\AppData\Local\QSwitch.txt
2009-07-31 21:02 - 2011-03-09 18:41 - 2989660 _____ (Macromedia, Inc.) C:\ProgramData\DVD.exe
2012-10-28 17:11 - 2012-10-28 17:11 - 2231606 _____ (Macromedia, Inc.) C:\ProgramData\Games.exe
2009-07-31 21:01 - 2011-03-09 21:10 - 0000326 _____ () C:\ProgramData\hpqp.ini
2009-07-31 21:02 - 2014-11-01 15:46 - 0000021 _____ () C:\ProgramData\hpqp.txt
2008-08-10 14:33 - 2009-11-17 16:49 - 0007837 _____ () C:\ProgramData\hpzinstall.log
2009-07-31 21:02 - 2011-03-09 18:40 - 2331174 _____ (Macromedia, Inc.) C:\ProgramData\Karaoke.exe
2009-07-31 21:02 - 2011-07-05 07:36 - 3063561 _____ (Macromedia, Inc.) C:\ProgramData\MobileTV.exe
2009-07-31 21:02 - 2011-03-09 18:41 - 2864396 _____ (Macromedia, Inc.) C:\ProgramData\MPV.exe
2008-12-22 10:56 - 2013-08-18 08:04 - 0031776 _____ () C:\ProgramData\nvModes.001
2008-12-22 10:56 - 2013-08-18 08:03 - 0031776 _____ () C:\ProgramData\nvModes.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-08-15 12:34

==================== End of log ============================

 

-------------
32-bit Vista Home Premium SP2 * Firefox 40.0.2 (default) * IE9 * NIS 2014 v. 21.7.0.11 * MBAM Premium 2.0.8.1057

HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

MBAM Scan Log Hicosmea Registry Entry 15 Aug 2015.txt


  • Root Admin

Hello

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.

If there is anything that you do not understand kindly ask before proceeding.

If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)
STEP 0

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.

When RKill runs it will kill malware processes and then remove incorrect executable associations and fix policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer, as any malware processes that are configured to start automatically will just be started again.

Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
STEP 02

Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x

When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


Hi AdvancedSetup:

 

STEP 0:  RKill log attached if required.

 

STEP 01:  Link 1 gave an error 404 so I downloaded from Link 2.  Double-clicking the ERUNT icon on the desktop generated errors, but it ran successfully when I right-clicked and chose "Run as Administrator".

 

STEP 02: No detections with MBAM Threat scan (results posted below).

 

Further to my original post, please note that I was finally able to run Windows Update to completion on 16-Aug-2015, although it got stuck at "Checking for updates..." for over 35 min before it reported the Patch Tuesday updates released on 11-Aug-2015 (17 important, 1 optional) were available for download.

_______________________

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 18/08/2015
Scan Time: 9:59:42 PM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.18.09
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Lori

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 460583
Time Elapsed: 33 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

Rkill.txt

-------------
32-bit Vista Home Premium SP2 * Firefox 40.0.2 * IE9 * NIS 2014 v. 21.7.0.11 * MBAM Premium 2.0.8.1057

HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


  • Root Admin

There appears to be something wrong with your "hosts" file. Please use the following article to delete your current hosts file and return it back to factory defaults.

 

https://support.microsoft.com/en-us/kb/972034

 

Then once that's done please run through the following steps.

 

 

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


STEP 05
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, and under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


There appears to be something wrong with your "hosts" file. Please use the following article to delete your current hosts file and return it back to factory defaults.

 

I ran the MS FixIt tool to automatically fix my Hosts file and it asked for a re-boot at the end of the fix.  Do I need to run RKill again before I perform Steps 04 through 08 now that I've re-started my computer?

 

I checked my Hosts file before running the MSFixIt tool and couldn't see the odd characters that were shown in the Hosts section of my RKill.txt log (see attached copies of old and new Hosts files) so I'm not sure if they were just an artifact in the RKill log or if I actually had hidden characters in my old Hosts file.  Regardless, I went ahead and restored my Hosts file to its factory defaults as instructed.

 

OLD Hosts Copy 19 Aug 2015.txt
NEW Hosts Copy 19 Aug 2015.txt



  • Root Admin

Yeah, not sure what caused it, and in theory it wouldn't work as a means to do anything, but perhaps another file could read it via another call and use it as a hidden method for redirects. New log looks good.

 

No you don't need to run RKill again just go ahead and run the other steps as outlined please.

 

Thanks

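A defender-side check for the hidden-character concern discussed above, added here as an example that is not from this thread or from any of the tools it uses: it audits a hosts file for characters that are invisible in Notepad, for entries that redirect a name to a non-local address, and for lines that do not parse. The sample hosts file is constructed; the real Windows path appears only in a comment.

```python
import ipaddress
from typing import Dict, List

# Constructed sample (not from the thread): a Windows-style hosts file with
# one entry hiding a zero-width space in the hostname, one entry redirecting
# a name to a non-local address, and one line that is not an entry at all.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2006 Microsoft Corp.\r\n"
    "#\r\n"
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "0.0.0.0         ads.example.net\r\n"            # sink address: fine
    "127.0.0.1       update.example\u200b.com\r\n"   # hidden U+200B in name
    "203.0.113.7     www.example.com\r\n"            # real redirect
    "garbage line\r\n"                               # not an address at all
)


def classify_address(addr: str) -> str:
    """'local' for loopback or sink addresses (0.0.0.0, ::, 127.x, ::1),
    'remote' for anything routable, 'invalid' if it is not an IP at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "local" if ip.is_loopback or ip.is_unspecified else "remote"


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line. Kinds: 'hidden_char' for
    non-printable or non-ASCII characters, 'redirect' for names mapped to a
    non-local address, 'malformed' for lines that are not '<address> <name>'."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # 1. Anything outside printable ASCII (tab excepted) renders as
        #    nothing or as a look-alike, yet changes which name is matched.
        odd = [ch for ch in line if ch != "\t" and not 32 <= ord(ch) < 127]
        if odd:
            findings.append({
                "line": str(lineno), "kind": "hidden_char",
                "detail": ", ".join("U+%04X" % ord(ch) for ch in odd),
            })
        # 2. Drop the comment part; an entry must be "<address> <name>...".
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2 or classify_address(parts[0]) == "invalid":
            findings.append({"line": str(lineno), "kind": "malformed",
                             "detail": body})
            continue
        # 3. A name pointed at anything other than a loopback or sink address
        #    is a redirect, which is what a tampered hosts file is used for.
        if classify_address(parts[0]) == "remote":
            findings.append({"line": str(lineno), "kind": "redirect",
                             "detail": "%s <- %s" % (parts[0], " ".join(parts[1:]))})
    return findings


if __name__ == "__main__":
    # On a live Windows machine, read the real file as bytes and decode with
    # errors="replace" so that stray non-UTF-8 bytes still surface as U+FFFD:
    #   raw = open(r"C:\Windows\System32\drivers\etc\hosts", "rb").read()
    #   text = raw.decode("utf-8", "replace")
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %3s  %-12s %s" % (finding["line"], finding["kind"], finding["detail"]))
```

Run against a copy of the hosts file taken before and after a reset, the two reports show whether the "odd characters" were really in the file or only an artifact of how a tool rendered it.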

Thanks for the feedback regarding my Hosts file.  Just a few observations before I post my logs:

JRT / AdwCleaner

I noticed that the Video Download Helper v5.4.1 extension has been removed from my Firefox browser - likely by the JRT (Step 04) or AdwCleaner (Step 05).  That's not a problem but I'm curious why it would be removed since I downloaded the digitally signed installer from the official AMO site at https://addons.mozilla.org/en-Us/firefox/addon/video-downloadhelper/ and VDH is the second most popular download from that site after AdBlock Plus.

ESET Online Scanner

Archived (compressed file) scanning was enabled by default so I ran the scan with this option enabled.  The 19 detections were all found in my C:\Users\Lori\Downloads\ folder and look like PUPs bundled inside old software installers.  None of these installers need to be on my system if you want to wipe them.

Farbar Recovery Scan Tool

I downloaded a fresh copy of FRST.exe for today's scan so it generated a new Addition.txt file that I've attached at the bottom of this post.


STEP 04 - Junkware Removal Tool

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.6 (08.10.2015:1)
OS: Windows Vista Home Premium x86
Ran by Lori on 19/08/2015 at 11:01:42.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\innovative solutions
Successfully deleted: [Folder] C:\ProgramData\pc drivers headquarters
Successfully deleted: [Folder] C:\Users\Lori\Appdata\Local\innovative solutions
Successfully deleted: [Folder] C:\Users\Lori\Appdata\Local\slimware utilities inc
Successfully deleted: [Folder] C:\users\Public\Documents\downloaded installers

~~~ FireFox

Successfully deleted: [File] C:\Users\Lori\AppData\Roaming\mozilla\firefox\profiles\q0pq9fzl.Apr 2015 Test\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
Successfully deleted: [File] C:\Users\Lori\AppData\Roaming\mozilla\firefox\profiles\q0pq9fzl.Apr 2015 Test\searchplugins\safesearch.xml

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19/08/2015 at 11:04:24.75
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

STEP 05 - AdwCleaner

 

# AdwCleaner v5.002 - Logfile created 19/08/2015 at 11:18:46
# Updated 18/08/2015 by Xplode
# Database : 2015-08-18.2 [server]
# Operating system : Windows Vista Home Premium Service Pack 2 (x86)
# Username : Lori - LORI-PC
# Running from : C:\Users\Lori\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

[-] File Deleted : C:\Users\Backup Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ot3fnamm.default\searchplugins\safesearch.xml

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
[-] Key Deleted : HKCU\Software\Uniblue
[-] Key Deleted : HKCU\Software\YahooPartnerToolbar
[-] Key Deleted : HKCU\Software\SlimWare Utilities Inc
[-] Key Deleted : HKLM\SOFTWARE\Uniblue
[!] Key Not Deleted : HKLM\SOFTWARE\Uniblue\SpeedUpMyPC
[-] Key Deleted : HKLM\SOFTWARE\SlimWare Utilities Inc
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer

***** [ Web browsers ] *****

*************************

:: Proxy settings cleared
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2243 bytes] ##########

 

STEP 06 - MBAM Threat Scan

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 19/08/2015
Scan Time: 11:25:36 AM
Logfile: MBAM Threat Scan 19 Aug 2015.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.19.04
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Lori

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 460522
Time Elapsed: 24 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

STEP 07 - ESET Online Scan (results only, not repaired)

 

C:\Users\Lori\Downloads\Blue Griffon 1.5.2\FileHippo\setup-bluegriffon.exe    Win32/DownWare.W potentially unwanted application
C:\Users\Lori\Downloads\CCleaner 5.08.5308\ccsetup508.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Lori\Downloads\CCleaner 5.08.5308\FileHippo\ccsetup508.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Lori\Downloads\HitmanPro Alert 3 Build 120 RC\hmpalert3rc.zip    a variant of Win32/NetFilter.A potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\Auslogics Duplicate File Finder 2.2.0.0\duplicate-file-finder-setup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\CutePDF Writer Acro 3.0.0.2\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\CutePDF Writer Acro 3.0.0.2\CuteWriter.zip    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\CutePDF Writer Acro 3.0.0.2\FileHippo\CuteWriter.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\Free Sound Recorder 8.2.1\FreeSoundRecorder.exe    a variant of Win32/Complitly.A potentially unwanted application
C:\Users\Lori\Downloads\Old or Tested Software\Glary Utilities Free 2.31.0.1098\gusetup.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\NetWorx 5.3.2\networx_setup.exe    a variant of Win32/NetFilter.A potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\NetWorx 5.3.4\networx_setup.exe    a variant of Win32/NetFilter.A potentially unsafe application
C:\Users\Lori\Downloads\Old or Tested Software\Vista Services Optimizer 2.0\vso.exe    Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Lori\Downloads\Pandora Recovery 2.1.1\PandoraRecovery.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Lori\Downloads\Recuva 1.52.1086\FileHippo\rcsetup152.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Lori\Downloads\Speccy 1.28.709\spsetup128.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Lori\Downloads\Speccy 1.28.709\FileHippo\spsetup128 (1).exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Lori\Downloads\Speccy 1.28.709\FileHippo OLD\spsetup128.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Lori\Downloads\Speccy 1.28.709\Piriform OLD\spsetup128.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
 

 

STEP 08 - Farbar Recovery Scan Tool (new scan)

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:19-08-2015
Ran by Lori (administrator) on LORI-PC (19-08-2015 14:11:17)
Running from C:\Users\Lori\Desktop
Loaded Profiles: Lori & UpdatusUser (Available Profiles: Lori & Backup Administrator & UpdatusUser & Vista Standard)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.7.0.11\nis.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.7.0.11\nis.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
() C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [iAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2008-12-04] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7539232 2009-06-09] (Realtek Semiconductor)
HKLM\...\Run: [QlbCtrl.exe] => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [OnScreenDisplay] => C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554288 2007-11-01] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2299176 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2015-04-07] (Apple Inc.)
HKU\S-1-5-21-3086198521-800258848-3831315664-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Mystify.scr [221184 2008-01-20] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3086198521-800258848-3831315664-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.ca/
HKU\S-1-5-21-3086198521-800258848-3831315664-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3086198521-800258848-3831315664-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
HKU\S-1-5-21-3086198521-800258848-3831315664-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Pavilion&pf=laptop
SearchScopes: HKLM -> DefaultScope {D5BA47E8-9799-47EE-A7B8-F142CFA6B57E} URL = hxxp://ca.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKLM -> {D5BA47E8-9799-47EE-A7B8-F142CFA6B57E} URL = hxxp://ca.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKU\S-1-5-21-3086198521-800258848-3831315664-1000 -> DefaultScope {5C1BA458-C49C-4223-8CA2-D81D95C4F6A2} URL = hxxp://www.google.ca/search?hl=en&q={searchTerms}&btnG=Google+Search&meta=
SearchScopes: HKU\S-1-5-21-3086198521-800258848-3831315664-1000 -> {5C1BA458-C49C-4223-8CA2-D81D95C4F6A2} URL = hxxp://www.google.ca/search?hl=en&q={searchTerms}&btnG=Google+Search&meta=
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-06-26] (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL [2015-03-04] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-06-26] (Symantec Corporation)
Toolbar: HKU\S-1-5-21-3086198521-800258848-3831315664-1000 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.7.0.11\coIEPlg.dll [2015-06-26] (Symantec Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-08] (Microsoft Corporation)
Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{8DA183E0-602C-4F03-BDA0-535201848968}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{B9AF306D-1378-499B-BBF3-D235DE55172C}: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test
FF Homepage: hxxps://www.google.ca/
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Extension: WOT - C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-07-12]
FF Extension: Mozilla Archive Format - C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\Extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi [2015-04-06]
FF Extension: Adblock Plus - C:\Users\Lori\AppData\Roaming\Mozilla\Firefox\Profiles\q0pq9fzl.Apr 2015 Test\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-04-06]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn [2015-08-19]
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2015-04-03]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.7.0.11\Exts\Chrome.crx [2015-03-18]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [94208 2008-12-04] (Hewlett-Packard) [File not signed]
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
S3 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [135168 2008-03-25] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S4 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2008-07-18] (Hewlett-Packard) [File not signed]
R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.7.0.11\NIS.exe [276336 2015-03-07] (Symantec Corporation)
S3 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2008-07-18] (Hewlett-Packard) [File not signed]
S3 QPCapSvc; C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [292216 2010-03-08] ()
S3 QPSched; C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [116080 2010-03-08] ()
S3 Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [394704 2008-01-29] (Symantec, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R5 ACPI; C:\Windows\System32\drivers\acpi.sys [265688 2009-04-11] (Microsoft Corporation)
R5 atapi; C:\Windows\System32\drivers\atapi.sys [19944 2009-04-11] (Microsoft Corporation)
S3 ATSWPDRV; C:\Windows\System32\DRIVERS\ATSwpDrv.sys [146560 2007-08-28] (AuthenTec, Inc.)
R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\BASHDefs\20150810.001\BHDrvx86.sys [1181936 2015-07-23] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1507000.00B\ccSetx86.sys [127064 2014-02-20] (Symantec Corporation)
R5 CLFS; C:\Windows\System32\CLFS.sys [244152 2015-03-04] (Microsoft Corporation)
R5 Compbatt; C:\Windows\System32\DRIVERS\compbatt.sys [20792 2008-01-20] (Microsoft Corporation)
R5 crcdisk; C:\Windows\System32\drivers\crcdisk.sys [24632 2008-01-20] (Microsoft Corporation)
R5 disk; C:\Windows\System32\drivers\disk.sys [53736 2009-04-11] (Microsoft Corporation)
R3 eapihdrv; C:\Users\Lori\AppData\Local\Temp\ehdrv.sys [135760 2015-08-19] (ESET)
R5 Ecache; C:\Windows\System32\drivers\ecache.sys [140224 2015-07-21] (Microsoft Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [389456 2015-07-28] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [122192 2015-07-28] (Symantec Corporation)
R5 FileInfo; C:\Windows\System32\drivers\fileinfo.sys [58936 2008-01-20] (Microsoft Corporation)
R5 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [190424 2009-04-11] (Microsoft Corporation)
R3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)
R5 iaStor; C:\Windows\System32\DRIVERS\iaStor.sys [328728 2008-12-04] (Intel Corporation)
R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\IPSDefs\20150818.001\IDSvix86.sys [523512 2015-06-19] (Symantec Corporation)
R5 intelide; C:\Windows\System32\drivers\intelide.sys [17976 2008-01-20] (Microsoft Corporation)
R5 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [440768 2015-06-12] (Microsoft Corporation)
R5 MountMgr; C:\Windows\System32\drivers\mountmgr.sys [56256 2015-07-21] (Microsoft Corporation)
R5 msahci; C:\Windows\System32\drivers\msahci.sys [28728 2008-01-20] (Microsoft Corporation)
R5 msisadrv; C:\Windows\System32\drivers\msisadrv.sys [16440 2008-01-20] (Microsoft Corporation)
R5 Mup; C:\Windows\System32\Drivers\mup.sys [48104 2009-04-11] (Microsoft Corporation)
R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20150818.025\NAVENG.SYS [104440 2015-07-28] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20150818.025\NAVEX15.SYS [1645432 2015-07-28] (Symantec Corporation)
R5 NDIS; C:\Windows\System32\drivers\ndis.sys [527848 2009-04-11] (Microsoft Corporation)
R5 partmgr; C:\Windows\System32\drivers\partmgr.sys [53120 2012-03-20] (Microsoft Corporation)
R5 pci; C:\Windows\System32\drivers\pci.sys [149480 2009-04-11] (Microsoft Corporation)
R5 spldr; C:\Windows\system32\Drivers\spldr.sys [21048 2008-01-20] (Microsoft Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\NIS\1507000.00B\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1507000.00B\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R5 SymDS; C:\Windows\System32\drivers\NIS\1507000.00B\SYMDS.SYS [367704 2014-07-23] (Symantec Corporation)
R5 SymEFA; C:\Windows\System32\drivers\NIS\1507000.00B\SYMEFA.SYS [936152 2014-07-23] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2015-03-12] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1507000.00B\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1507000.00B\SYMTDIV.SYS [384728 2014-07-23] (Symantec Corporation)
R5 Tcpip; C:\Windows\System32\drivers\tcpip.sys [905664 2014-04-04] (Microsoft Corporation)
R5 volmgr; C:\Windows\System32\drivers\volmgr.sys [52792 2008-01-20] (Microsoft Corporation)
R5 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [292840 2009-04-11] (Microsoft Corporation)
R5 volsnap; C:\Windows\System32\drivers\volsnap.sys [224640 2012-08-21] (Microsoft Corporation)
R5 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [527064 2013-06-26] (Microsoft Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 cpuz132; \??\C:\Users\Lori\AppData\Local\Temp\cpuz132\cpuz132_x32.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PROCEXP150; \??\C:\Windows\system32\Drivers\PROCEXP150.SYS [X]
S3 PROCEXP151; \??\C:\Windows\system32\Drivers\PROCEXP151.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-19 14:11 - 2015-08-19 14:11 - 00015944 _____ C:\Users\Lori\Desktop\FRST.txt
2015-08-19 14:09 - 2015-08-19 14:09 - 01677312 _____ (Farbar) C:\Users\Lori\Desktop\FRST.exe
2015-08-19 14:07 - 2015-08-19 14:07 - 00005462 _____ C:\Users\Lori\Desktop\ESET Scan 19 Aug 2015.txt
2015-08-19 12:00 - 2015-08-19 12:00 - 02870984 _____ (ESET) C:\Users\Lori\Desktop\esetsmartinstaller_enu.exe
2015-08-19 12:00 - 2015-08-19 12:00 - 00000000 ____D C:\Program Files\ESET
2015-08-19 11:53 - 2015-08-19 11:53 - 00001084 _____ C:\Users\Lori\Desktop\MBAM Threat Scan 19 Aug 2015.txt
2015-08-19 11:22 - 2015-08-19 11:22 - 00002322 _____ C:\Users\Lori\Desktop\AdwCleaner[C1] 19 Aug 2015.txt
2015-08-19 11:17 - 2015-08-19 11:17 - 00002113 _____ C:\Users\Lori\Desktop\AdwCleaner[s1] PRE-CLEAN 19 Aug 2015 .txt
2015-08-19 11:13 - 2015-08-19 11:18 - 00000000 ____D C:\AdwCleaner
2015-08-19 11:12 - 2015-08-19 11:12 - 01585664 _____ C:\Users\Lori\Desktop\AdwCleaner.exe
2015-08-19 11:04 - 2015-08-19 11:04 - 00001434 _____ C:\Users\Lori\Desktop\JRT 19 Aug 2015.txt
2015-08-19 10:55 - 2015-08-19 10:55 - 01798040 _____ (Malwarebytes Corporation) C:\Users\Lori\Desktop\JRT.exe
2015-08-19 08:28 - 2015-08-19 08:28 - 00000000 ____D C:\Users\Lori\Downloads\Java RE 32-bit 8 Update 60
2015-08-18 22:35 - 2015-08-18 22:35 - 00000000 ____D C:\Windows\ERDNT
2015-08-18 21:52 - 2015-08-18 21:52 - 00000733 _____ C:\Users\Vista Standard\Desktop\NTREGOPT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000733 _____ C:\Users\UpdatusUser\Desktop\NTREGOPT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000733 _____ C:\Users\Lori\Desktop\NTREGOPT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000733 _____ C:\Users\Backup Administrator\Desktop\NTREGOPT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000714 _____ C:\Users\Vista Standard\Desktop\ERUNT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000714 _____ C:\Users\UpdatusUser\Desktop\ERUNT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000714 _____ C:\Users\Lori\Desktop\ERUNT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000714 _____ C:\Users\Backup Administrator\Desktop\ERUNT.lnk
2015-08-18 21:52 - 2015-08-18 21:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
2015-08-18 21:52 - 2015-08-18 21:52 - 00000000 ____D C:\Program Files\ERUNT
2015-08-18 21:46 - 2015-08-18 21:46 - 00791393 _____ (Lars Hederer ) C:\Users\Lori\Desktop\erunt-setup.exe
2015-08-18 21:36 - 2015-08-19 07:32 - 00355740 _____ C:\Users\Lori\Desktop\Can't Run Windows Update After PUP.Optional.Spigot.A Removal - Malware Removal Help - Malwarebytes Forum.mht
2015-08-18 21:35 - 2015-08-18 21:35 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\Lori\Desktop\rkill.exe
2015-08-18 19:16 - 2015-08-14 18:03 - 12386816 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-08-18 19:16 - 2015-08-14 17:56 - 01804288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-08-18 19:16 - 2015-08-14 17:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-08-17 17:52 - 2015-08-17 17:53 - 00000000 ____D C:\Users\Lori\Downloads\Video DownloadHelper 5.4.1
2015-08-16 12:52 - 2015-07-21 15:55 - 01206192 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-08-16 12:52 - 2015-07-21 11:07 - 03605440 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-08-16 12:52 - 2015-07-21 11:07 - 03553216 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-08-16 12:52 - 2015-07-21 11:07 - 00140224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ecache.sys
2015-08-16 12:52 - 2015-07-21 11:07 - 00056256 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2015-08-16 12:52 - 2015-07-21 11:03 - 00564224 _____ (Microsoft Corporation) C:\Windows\system32\emdmgmt.dll
2015-08-16 12:52 - 2015-07-21 11:03 - 00049664 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-08-16 12:52 - 2015-07-21 11:03 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2015-08-16 12:51 - 2015-07-11 10:56 - 11587584 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-08-16 12:51 - 2015-07-10 14:37 - 02067968 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-08-16 12:51 - 2015-07-09 09:20 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2015-08-16 12:44 - 2015-07-18 11:03 - 00068608 _____ (Microsoft Corporation) C:\Windows\system32\basesrv.dll
2015-08-16 12:43 - 2015-07-31 17:08 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-08-16 12:43 - 2015-07-31 16:46 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2015-08-16 12:43 - 2015-07-31 16:46 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2015-08-16 12:43 - 2015-07-31 16:46 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2015-08-16 12:43 - 2015-07-31 16:46 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2015-08-16 12:43 - 2015-07-31 15:41 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2015-08-16 12:43 - 2015-07-31 15:40 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2015-08-16 12:43 - 2015-07-31 15:35 - 00682496 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2015-08-16 12:43 - 2015-07-31 15:33 - 02066944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-08-16 12:43 - 2015-07-31 15:33 - 01072640 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2015-08-16 12:43 - 2015-07-31 15:33 - 00802304 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2015-08-16 12:43 - 2015-07-31 15:33 - 00297472 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-08-16 12:43 - 2015-07-10 14:37 - 01402368 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2015-08-16 12:43 - 2015-07-10 14:37 - 01253376 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2015-08-16 12:42 - 2015-07-01 10:57 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\WebClnt.dll
2015-08-16 12:41 - 2015-07-22 15:54 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-08-16 12:41 - 2015-07-22 15:51 - 01810432 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-08-16 12:41 - 2015-07-22 15:47 - 09751040 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-08-16 12:41 - 2015-07-22 15:46 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-08-16 12:41 - 2015-07-22 15:46 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-08-16 12:41 - 2015-07-22 15:45 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-08-16 12:41 - 2015-07-22 15:45 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2015-08-16 12:41 - 2015-07-22 15:45 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-08-16 12:41 - 2015-07-22 15:44 - 00718336 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-08-16 12:41 - 2015-07-22 15:44 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-08-16 12:41 - 2015-07-22 15:44 - 00421888 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-08-16 12:41 - 2015-07-22 15:44 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-08-16 12:41 - 2015-07-22 15:43 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-08-16 12:41 - 2015-07-22 15:43 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-08-16 12:41 - 2015-07-22 15:43 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-08-16 12:41 - 2015-07-22 15:43 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2015-08-16 12:41 - 2015-07-22 15:43 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2015-08-16 12:41 - 2015-07-22 15:43 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2015-08-16 12:41 - 2015-07-22 15:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-08-16 12:41 - 2015-07-09 09:25 - 00151040 _____ (Microsoft Corporation) C:\Windows\system32\notepad.exe
2015-08-16 12:41 - 2015-07-09 09:25 - 00151040 _____ (Microsoft Corporation) C:\Windows\notepad.exe
2015-08-14 13:04 - 2015-08-14 13:04 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-08-14 13:04 - 2015-08-14 13:04 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-08-14 08:41 - 2015-08-14 08:42 - 00000000 ____D C:\Users\Lori\Downloads\Panda Free Antiviris 16.0.1
2015-08-13 17:16 - 2015-08-14 17:49 - 00000000 ____D C:\Users\Lori\Downloads\Firefox 40.0.2
2015-08-12 21:51 - 2015-08-12 21:51 - 01173801 _____ C:\Users\Lori\Desktop\How to solve connection problems concerning Windows Update or Microsoft Update.mht
2015-08-12 20:14 - 2015-08-12 20:14 - 01768863 _____ C:\Users\Lori\Desktop\WindowsUpdate 12 Aug 2015.log
2015-08-11 13:42 - 2015-08-11 13:45 - 00000000 ____D C:\Users\Lori\Downloads\NIS 2015 Offline 22.5.2.15
2015-08-11 08:39 - 2015-08-11 12:06 - 00000000 ____D C:\Users\Lori\Downloads\Adobe Flash Uninstaller Win 18.0.0.232
2015-08-11 08:35 - 2015-08-14 13:02 - 00000000 ____D C:\Users\Lori\Downloads\Adobe Flash IE 18.0.0.232
2015-08-11 08:34 - 2015-08-11 08:35 - 00000000 ____D C:\Users\Lori\Downloads\Adobe Flash Non-IE 18.0.0.232
2015-08-11 08:31 - 2015-08-12 20:17 - 00000000 ____D C:\Users\Lori\Downloads\Firefox 40.0
2015-08-05 00:03 - 2015-08-05 00:03 - 00877152 _____ (Microsoft Corporation) C:\Windows\system32\msvcr120_clr0400.dll
2015-08-05 00:03 - 2015-08-05 00:03 - 00538208 _____ (Microsoft Corporation) C:\Windows\system32\msvcp120_clr0400.dll
2015-08-01 12:18 - 2015-08-01 12:19 - 00000000 ____D C:\Users\Lori\Downloads\NetLimiter 3 Free
2015-07-28 09:19 - 2015-07-28 09:23 - 00000000 ____D C:\Users\Lori\Downloads\Adblock Plus 2.6.10
2015-07-27 20:41 - 2015-07-27 20:41 - 01682416 _____ (Malwarebytes Corporation) C:\Users\Lori\Desktop\mbam-check-2.1.1.1001.exe
2015-07-23 07:34 - 2015-07-23 18:08 - 00000000 ____D C:\Users\Lori\Downloads\CCleaner 5.08.5308

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-19 14:11 - 2015-04-02 08:14 - 00000000 ____D C:\FRST
2015-08-19 13:20 - 2006-11-02 07:47 - 00003344 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-19 13:20 - 2006-11-02 07:47 - 00003344 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-19 11:25 - 2015-07-01 13:18 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-19 11:23 - 2008-03-17 06:04 - 01984108 _____ C:\Windows\WindowsUpdate.log
2015-08-19 11:20 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-19 11:19 - 2006-11-02 08:01 - 00032562 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-19 08:34 - 2008-08-21 08:08 - 00000000 ___RD C:\Users\Lori\Documents\MS Excel
2015-08-19 08:10 - 2010-07-29 14:10 - 00000000 ____D C:\Users\Lori\Documents\ST New
2015-08-18 07:48 - 2006-11-02 05:33 - 01742062 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-16 16:25 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\Microsoft.NET
2015-08-16 12:59 - 2006-11-02 07:47 - 00302320 _____ C:\Windows\system32\FNTCACHE.DAT
2015-08-16 12:50 - 2013-07-10 10:14 - 00000000 ____D C:\Windows\system32\MRT
2015-08-16 12:44 - 2006-11-02 05:24 - 129304528 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2015-08-15 18:57 - 2009-12-24 14:29 - 00000000 ____D C:\Users\Lori\AppData\Local\CrashDumps
2015-08-15 16:00 - 2008-08-16 09:58 - 00000000 ____D C:\Users\Lori\Documents\MS Money
2015-08-15 13:35 - 2010-01-08 11:06 - 00000000 ____D C:\Users\Lori\AppData\Local\CutePDF Writer
2015-08-15 13:35 - 2008-08-17 17:46 - 00000000 ____D C:\Users\Lori\Documents\Employment
2015-08-15 12:28 - 2015-04-07 08:32 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-08-14 22:29 - 2008-08-17 16:54 - 00000000 ____D C:\Users\Lori\Documents\MS Word
2015-08-14 18:03 - 2014-07-11 21:52 - 00002347 _____ C:\Users\Lori\Desktop\SyncToy 2.1.lnk
2015-08-14 17:51 - 2015-04-07 08:32 - 00000858 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-08-14 17:51 - 2015-04-07 08:32 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-08-13 09:00 - 2009-07-31 16:25 - 00000000 ____D C:\Users\Lori\AppData\Roaming\HpUpdate
2015-08-12 07:31 - 2008-01-20 21:47 - 04865756 _____ C:\Windows\PFRO.log
2015-08-08 16:20 - 2008-08-24 13:05 - 00000000 ____D C:\Users\Lori\Documents\My Scans
2015-08-04 12:41 - 2008-08-19 18:12 - 00000000 ____D C:\Users\Lori\Documents\PDFs
2015-07-30 21:53 - 2011-11-09 12:58 - 00000000 ____D C:\Users\Lori\dwhelper
2015-07-30 21:52 - 2015-04-17 18:58 - 00000000 ____D C:\Users\Lori\AppData\Roaming\vlc
2015-07-28 19:31 - 2014-09-29 14:47 - 00000000 ____D C:\Users\Lori\Documents\Voicemails
2015-07-23 18:21 - 2015-03-19 22:29 - 00000804 _____ C:\Users\Public\Desktop\CCleaner.lnk
2015-07-23 18:21 - 2009-05-15 15:34 - 00000000 ____D C:\Program Files\CCleaner

==================== Files in the root of some directories =======

2008-08-16 21:02 - 2008-12-22 10:47 - 0027744 _____ () C:\Users\Lori\AppData\Roaming\nvModes.001
2008-08-16 20:47 - 2008-09-11 18:42 - 0027744 _____ () C:\Users\Lori\AppData\Roaming\nvModes.dat
2008-08-19 07:28 - 2015-02-06 12:47 - 0001776 _____ () C:\Users\Lori\AppData\Roaming\wklnhst.dat
2008-08-10 15:46 - 2008-08-10 15:46 - 0000000 _____ () C:\Users\Lori\AppData\Local\AtStart.txt
2008-10-04 16:08 - 2015-03-25 13:21 - 0001356 _____ () C:\Users\Lori\AppData\Local\d3d9caps.dat
2008-09-03 09:07 - 2013-04-29 10:56 - 0012288 _____ () C:\Users\Lori\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-08-10 15:46 - 2008-08-10 15:46 - 0000000 _____ () C:\Users\Lori\AppData\Local\DSwitch.txt
2008-09-11 18:42 - 2009-05-24 21:12 - 0000000 _____ () C:\Users\Lori\AppData\Local\FnF4.txt
2008-08-10 15:46 - 2008-08-10 15:46 - 0000000 _____ () C:\Users\Lori\AppData\Local\QSwitch.txt
2009-07-31 21:02 - 2011-03-09 18:41 - 2989660 _____ (Macromedia, Inc.) C:\ProgramData\DVD.exe
2012-10-28 17:11 - 2012-10-28 17:11 - 2231606 _____ (Macromedia, Inc.) C:\ProgramData\Games.exe
2009-07-31 21:01 - 2011-03-09 21:10 - 0000326 _____ () C:\ProgramData\hpqp.ini
2009-07-31 21:02 - 2014-11-01 15:46 - 0000021 _____ () C:\ProgramData\hpqp.txt
2008-08-10 14:33 - 2009-11-17 16:49 - 0007837 _____ () C:\ProgramData\hpzinstall.log
2009-07-31 21:02 - 2011-03-09 18:40 - 2331174 _____ (Macromedia, Inc.) C:\ProgramData\Karaoke.exe
2009-07-31 21:02 - 2011-07-05 07:36 - 3063561 _____ (Macromedia, Inc.) C:\ProgramData\MobileTV.exe
2009-07-31 21:02 - 2011-03-09 18:41 - 2864396 _____ (Macromedia, Inc.) C:\ProgramData\MPV.exe
2008-12-22 10:56 - 2013-08-18 08:04 - 0031776 _____ () C:\ProgramData\nvModes.001
2008-12-22 10:56 - 2013-08-18 08:03 - 0031776 _____ () C:\ProgramData\nvModes.dat

Some files in TEMP:
====================
C:\Users\Lori\AppData\Local\temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-08-19 11:27

==================== End of log ============================

JRT 19 Aug 2015.txt

AdwCleanerC1 19 Aug 2015.txt

MBAM Threat Scan 19 Aug 2015.txt

ESET Scan 19 Aug 2015.txt

FRST 19 Aug 2015.txt  Addition 19 Aug 2015.txt


  • Root Admin

Not sure why but looks like probably AdwCleaner removed the video downloader. Just because something is popular does not make it safe. I'm not sure what the criteria for removal is or was but more than likely some type of advertising. If interested you might be able to take it up with the author of AdwCleaner.

You have a couple of errors in the Event Logs that would seem to indicate possible issues with the installation of Apple software. Perhaps iTunes. You might want to try reinstalling the latest version of iTunes to fix it.

Overall the logs look pretty good now. A few minor issues but nothing serious. How is the computer running now? Are there still any ongoing issues or signs of malware?


Thanks for the info about AdwCleaner and Video DownloadHelper.  I'll see if I can find out more info from the developers.

Unfortunately, Apple stopped providing iTunes updates for XP and Vista last month so iTunes v12.1.2 (rel. 14-Jul-2015) was the final version released for my 32-bit Vista computer. Versions 11.2 to 12.1.2 are affected by a known bug where a Windows Data Execution Prevention (DEP) error is generated every time the iTunes GUI is closed on a machine running Vista (see Biggestted's thread in the Apple forum titled Windows Vista Problem Reports After Latest iTunes 11.2 Update) so that likely accounts for most of the error messages associated with iTunes.

As I noted <here>, Windows Update started working again on 16-Aug-2015, although it's still a bit sluggish.  A critical out-of-band patch for IE was delivered yesterday (KB3087985) and it installed successfully so that's good news.  I found a thread in the Windows VistaForums by ScousaJay titled Windows Update Just Seems to Hang While Checking so it appears I wasn't the only Vista user having problems connecting to Microsoft's update servers to download the Aug 2015 Patch Tuesday updates, but why it happened is still a mystery.

I'm still using the free version of MBAM and haven't activated my Premium license to see if MBAM's Malicious Website Protection is still preventing Norton Internet Security from running automatic LiveUpdates.  I was going to wait until you'd given me the all clear but I can test this now if you'd like.  I'd be surprised if this issue is malware-related, though. I've used MBAM Pro/Premium on my current machine since 2009 and I'm beginning to wonder if I have an orphaned registry entry from an old MBAM Pro v1.x installation that isn't removed by the mbam-clean.exe tool and is interfering with my MBAM Premium v2.x real-time protection.
------------
32-bit Vista Home Premium SP2 * Firefox 40.0.2 * NIS 2014 v. 21.7.0.11 * 32-bit iTunes 12.1.2 * MBAM 2.1.8
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


  • Root Admin

Make sure you have the very latest installer for Norton. I just spent a couple of weeks helping a user with issues that we eventually tracked down to an old installer for his Norton. Once he got the latest version it fixed it. Not sure if that may be the same issue for you or not as he was on Windows 7 not Vista. As you know Vista is ancient in the computer world and fix/break for it is hit or miss these days. Please go ahead and try an install and see how it goes and let me know.

Thanks again

Ron


I've already tried a clean reinstall of NIS v21.7.0.11 (i.e., uninstall from Control Panel selecting "Please remove all user data", wipe with Norton Removal Tool, reinstall with the latest available v21 offline installer) and that didn't fix the problem with MBAM's Malicious Website Protection blocking my NIS updates.  I'm not upgrading to the new Windows 10-compatible NIS v22.5.2.15 until they do something about all the bugs posted <here> since having a working antivirus is my top priority.  I guess I'll have to stay with the free version of MBAM or disable my real-time Malicious Website Protection until I can afford to buy a new computer.

I just had a reply back from Xplode and he noted that it was Junkware Removal Tool, and not AdwCleaner, that removed the Video DownloadHelper extension {b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi from my Firefox browser.  He also said that SystemLookup classifies Video DownloadHelper as "Open to debate" (i.e., a PUP - reasons are posted at http://www.systemlookup.com/search.php?type=filename&search=b9db16a4-6edc-47ec-a1f4-b86292ed211d&s=) and that the VDH extension could be added to AdwCleaner's database soon.

 

Glad to hear that my system wasn't infected with hidden malware.  Is there any PUP / diagnostic tool cleanup that still needs to be done, or am I good to go?

------------
32-bit Vista Home Premium SP2 * Firefox 40.0.2 * NIS 2014 v. 21.7.0.11 * MBAM Premium 2.1.8
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS


  • Root Admin

I'll give you the basic clean up speech. At this time all I can do is report back to our QA Team the conflict and see if a future build can correct it or not. We should be done here then.

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
i.e., RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc. AdwCleaner > just run the program and click uninstall.

If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

Hi AdvancedSetup:

I completed your cleanup routine and ran one final MBAM Threat Scan (no threats detected) so I believe I'm good to go.

One last observation about the ERUNT 1.1j tool I downloaded from Link 2 of your instructions <here> (Link 1 still gives an error 404).  I'm not sure it actually created a registry backup that I could have used in case of an emergency on my 32-bit Vista machine because the specs posted for v1.1j (released 2005) on MajorGeeks at http://www.majorgeeks.com/files/details/erunt.html only mention NT/2000/XP.

I was logged in with an account with Administrator rights but ERUNT 1.1j generated multiple error messages when I double-clicked the desktop icon (see one image below).  The tool seemed to run normally when I right-clicked and selected "Run as Administrator" and stored two .dat files in C:\Windows\ERDNT, but I noticed that the startup banner only listed NT/2000/XP as compatible operating systems and at the time I assumed the omission of Vista was just an oversight.  The latest ERUNT available at http://www.bleepingcomputer.com/download/erunt/ is compatible with 32-bit XP/Vista/Win 7.

Thank you again for your assistance.  Your prompt responses and professional guidance were greatly appreciated.


  • Root Admin

Yes, you have 2 choices. Either disable User Account Control or right click and "Run as administrator" - you can also probably click on the properties for the shortcut and under Advanced select "Run as administrator".

As far as I know the program has not been updated to comply with these issues, but here is the FAQ.

The program is 10 years old but does work well when used appropriately.

(v1.1j, 10/20/2005, Freeware, English and German)

http://www.larshederer.homepage.t-online.de/erunt/faq.htm

This is his home page: http://www.larshederer.homepage.t-online.de/erunt/index.htm

Thanks again


  • 4 months later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
