
loadm.exelator.com


11 replies to this topic

#1 Deep_Thought
Posted 19 September 2013 - 08:44 PM

Something weird happened last night. I was playing a game of checkers using the one that comes with Windows (still on XP), zClientm or whatever. My cursor flickered a few times, like something was trying to load, then this popped up.

[screenshot: exelator.png]

I closed the checkers program to deal with it and ran some anti-virus scans. The only thing that got removed was some sort of cookie, and a folder c:\documents and settings\All Users\Application Data\TEMP.

 

After I was fairly sure my computer was safe, I decided to test things out by playing checkers again. Sure enough, the same thing happened. I'm a little surprised since I didn't think this game could become infected, and I don't know why none of my other anti-virus programs detected anything. Information on this thing is scarce online as well. Does anyone know what it is and how to prevent or get rid of it? I play checkers a lot when I'm waiting for something, so it's annoying that I can't do it until this problem is resolved. Please help me out. Thanks.




#2 Broni
Posted 20 September 2013 - 07:22 PM

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip the downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.


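The MiniToolBox and Rkill steps above both dump the HOSTS file so the helper can eyeball it for redirected or blocked names. As an added example that is not part of this thread and not code from either tool, the following Python checker parses a Windows HOSTS file and flags every mapping other than the default localhost entry, splitting them into "blocked/sinkholed" (loopback or 0.0.0.0) and "redirected elsewhere". The sample file is constructed for illustration; the hostnames in it are placeholders and the checker makes no network calls.

```python
"""Flag non-default entries in a Windows HOSTS file (defender-side triage)."""
import ipaddress

# Constructed sample: the stock XP hosts file followed by three
# illustrative entries of the kind a helper would want to see flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# constructed entries for illustration:
127.0.0.1       www.malwarebytes.org
0.0.0.0         download.windowsupdate.com
192.0.2.10      www.example-bank.test  # comment after an entry
"""

# Names that legitimately map to a loopback address on a clean system.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines, comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not an address-to-name mapping
        for name in parts[1:]:  # one address may carry several aliases
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_entries(text):
    """List every mapping that is not a plain localhost loopback entry.

    Returns (ip, hostname, reason) triples. Loopback/unspecified targets mean
    the name is being blocked or sinkholed (a classic way to stop security
    tools updating); anything else means the name is being redirected.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in DEFAULT_LOOPBACK_NAMES and addr.is_loopback:
            continue  # the one mapping a clean hosts file is expected to have
        if addr.is_loopback or addr.is_unspecified:
            reason = "blocks or sinkholes a real hostname"
        else:
            reason = "redirects hostname to an arbitrary address"
        flagged.append((ip, name, reason))
    return flagged


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<32} {reason}")
```

On a live machine the same function can be fed `open(r"C:\WINDOWS\system32\drivers\etc\hosts").read()`; an empty result means the file contains only the default localhost mapping, which is what Rkill reported in this thread.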

#3 Deep_Thought
Posted 21 September 2013 - 10:36 PM

Here are my logs. I was surprised Malwarebytes found something when none of my other programs did. I thought Avira was supposed to be a decent free anti-virus program, but it looks like these got past it anyway. Also, Avira prevented Rkill from editing the Hosts file, but other than that, it didn't interfere with any of the other programs.

 

SecurityCheck

 

 Results of screen317's Security Check version 0.99.51  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Avira Desktop   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 SUPERAntiSpyware     
 Cleaner 5 EZ   
 Java 7 Update 11  
 Java 7 Update 25  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Flash Player     11.7.700.224  
 Adobe Reader X (10.1.7)
 Mozilla Firefox (18.0.1)
````````Process Check: objlist.exe by Laurent````````  
 WinPatrol winpatrol.exe
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
 Avira free antivirus Avira AntiVir Desktop sched.exe
 SUPERAntiSpyware SASCORE.EXE   
 WinPatrol winpatrol.exe   
 Avira free antivirus Avira AntiVir Desktop avshadow.exe
 SecurityCheck SecurityCheck.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 9%
````````````````````End of Log``````````````````````
 

Farbar

 

Farbar Service Scanner Version: 05-01-2013
Ran by Me (administrator) on 21-09-2013 at 20:07:13
Running from "C:\Anti-virus\Farbar Service Scanner"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) RFWNDIS(13) Tcpip(4)
0x0E000000050000000E00000001000000020000000300000004000000060000000700000008000000090000000A0000000B0000000C0000000D000000
IpSec Tag value is correct.

**** End of log ****

 

MiniToolBox

 

MiniToolBox by Farbar  Version: 23-07-2012
Ran by Me (administrator) on 21-09-2013 at 20:12:23
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

SiS 900-Based PCI Fast Ethernet Adapter = Local Area Connection (Disconnected)
802.11b Wireless PCI Card = Wireless Network Connection 2 (Disconnected)
Linksys AE2500 = Wireless Network Connection (Connected)


# ----------------------------------
# Interface IP Configuration         
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

        Host Name . . . . . . . . . . . . : c0mputer
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : domain.actdsltmp

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : domain.actdsltmp
        Description . . . . . . . . . . . : Linksys AE2500
        Physical Address. . . . . . . . . : C0-C1-C0-5E-62-44
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            205.171.3.25
        Lease Obtained. . . . . . . . . . : Saturday, September 21, 2013 8:02:13 PM
        Lease Expires . . . . . . . . . . : Saturday, September 28, 2013 8:02:13 PM

Server:  qwestmodem.domain.actdsltmp
Address:  192.168.0.1

Name:    google.com
Addresses:  74.125.225.162, 74.125.225.174, 74.125.225.160, 74.125.225.169
      74.125.225.167, 74.125.225.165, 74.125.225.161, 74.125.225.168, 74.125.225.166
      74.125.225.164, 74.125.225.163

Pinging google.com [74.125.225.174] with 32 bytes of data:

Reply from 74.125.225.174: bytes=32 time=31ms TTL=57
Reply from 74.125.225.174: bytes=32 time=30ms TTL=57

Ping statistics for 74.125.225.174:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 30ms, Maximum = 31ms, Average = 30ms

Server:  qwestmodem.domain.actdsltmp
Address:  192.168.0.1

Name:    yahoo.com
Addresses:  98.138.253.109, 206.190.36.45, 98.139.183.24

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:

Reply from 98.139.183.24: bytes=32 time=93ms TTL=51
Reply from 98.139.183.24: bytes=32 time=140ms TTL=51

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 93ms, Maximum = 140ms, Average = 116ms

Server:  qwestmodem.domain.actdsltmp
Address:  192.168.0.1

Name:    bleepingcomputer.com
Address:  208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x20003 ...c0 c1 c0 5e 62 44 ...... Linksys AE2500 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.5      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.0.0    255.255.255.0      192.168.0.5     192.168.0.5      25
      192.168.0.5  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.0.255  255.255.255.255      192.168.0.5     192.168.0.5      25
        224.0.0.0        240.0.0.0      192.168.0.5     192.168.0.5      25
  255.255.255.255  255.255.255.255      192.168.0.5     192.168.0.5      1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/21/2013 06:42:48 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error: (09/21/2013 06:42:48 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error: (09/21/2013 06:42:48 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error: (09/19/2013 09:47:28 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error: (09/19/2013 09:47:28 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error: (09/19/2013 09:47:28 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error: (09/19/2013 05:20:03 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error: (09/19/2013 05:20:03 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error: (09/19/2013 05:20:03 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error: (09/19/2013 02:20:33 AM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from:

<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.


System errors:
=============
Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort1

Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D

Error: (09/21/2013 08:00:02 PM) (Source: 0) (User: )
Description: \Device\Harddisk1\D


Microsoft Office Sessions:
=========================
Error: (09/21/2013 06:42:48 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt This network connection does not exist.

Error: (09/21/2013 06:42:48 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt This network connection does not exist.

Error: (09/21/2013 06:42:48 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt A connection with the server could not be established

Error: (09/19/2013 09:47:28 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt This network connection does not exist.

Error: (09/19/2013 09:47:28 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt This network connection does not exist.

Error: (09/19/2013 09:47:28 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt A connection with the server could not be established

Error: (09/19/2013 05:20:03 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt This network connection does not exist.

Error: (09/19/2013 05:20:03 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt This network connection does not exist.

Error: (09/19/2013 05:20:03 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt A connection with the server could not be established

Error: (09/19/2013 02:20:33 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt This network connection does not exist.


=========================== Installed Programs ============================

Adobe AIR (Version: 2.7.1.19610)
Adobe Flash Player 10 ActiveX (Version: 10.1.102.64)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Adobe Shockwave Player 11.6 (Version: 11.6.8.638)
Apple Application Support (Version: 2.3)
Apple Software Update (Version: 2.1.3.127)
Avira Free Antivirus (Version: 13.0.0.4052)
CameraHelperMsi (Version: 13.31.1038.0)
Cleaner 5 EZ
Creative Audio Console (Version: 1.33)
Creative Software AutoUpdate (Version: 1.40)
D-i-v-X AVI Codec Pack Pro 2.4.0
Debut Video Capture Software
DivX Setup (Version: 2.4.0.6)
Doxillion Document Converter
erLT (Version: 1.20.138.34)
ESET Online Scanner v3
Express Burn Disc Burning Software
Express Zip File Compression Software
FlashMute
Java 7 Update 11 (Version: 7.0.110)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Logitech Vid (Version: 1.70.1044)
Logitech Webcam Software (Version: 2.0)
LWS Facebook (Version: 13.31.1038.0)
LWS Gallery (Version: 13.31.1038.0)
LWS Help_main (Version: 13.31.1044.0)
LWS Launcher (Version: 13.31.1038.0)
LWS Motion Detection (Version: 13.30.1395.0)
LWS Pictures And Video (Version: 13.31.1038.0)
LWS Twitter (Version: 13.30.1346.0)
LWS Video Mask Maker (Version: 13.30.1379.0)
LWS VideoEffects (Version: 13.30.1379.0)
LWS Webcam Software (Version: 13.31.1038.0)
LWS WLM Plugin (Version: 1.30.1201.0)
LWS YouTube Plugin (Version: 13.31.1038.0)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Works 6-9 Converter (Version: 9.7.0621)
Mobipocket Reader 6.2 (Version: 6.2.608)
Mozilla Firefox 18.0.1 (x86 en-US) (Version: 18.0.1)
Mozilla Maintenance Service (Version: 18.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
Opera 12.12 (Version: 12.12.1707)
Paint.NET v3.5.11 (Version: 3.61.0)
Pixillion Image Converter
Prism Video File Converter
QuickTime (Version: 7.73.80.64)
RealOne Player
Remove on Reboot Shell Extension
Serif PhotoPlus X4 (Version: 14.0.2.013)
Skype™ 6.6 (Version: 6.6.106)
Software Version Updater (Version: 1.1.3.7)
SUPER © +Recorder.2013.55 (Mar 7, 2013) version +Recorder.2013. (Version: +Recorder.2013.55)
SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49 (Version: v2011.build.49)
SUPERAntiSpyware (Version: 5.6.1008)
swMSM (Version: 12.0.0.1)
Trillian
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
VideoPad Video Editor
Visual Pinball (Version: 1.0.0)
VLC media player 2.0.7 (Version: 2.0.7)
WebFldrs XP (Version: 9.50.7523)
Winamp Detector Plug-in (Version: 1.0.0.1)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows PowerShell™ 1.0 (Version: 1)
Windows Support Tools (Version: 5.1.2600.2180)
Windows XP Service Pack 3 (Version: 20080414.031525)
WinZip 16.0 (Version: 16.0.9661)

========================= Devices: ================================

Name: Multimedia Audio Controller
Description: Multimedia Audio Controller
Class Guid: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Manufacturer: Silicon Integrated Systems Corp.
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SiS 900-Based PCI Fast Ethernet Adapter
Description: SiS 900-Based PCI Fast Ethernet Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: SiS
Service: SISNIC
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 802.11b Wireless PCI Card
Description: 802.11b Wireless PCI Card
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: PCI Wireless
Service: ADM8211
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


========================= Memory info: ===================================

Percentage of memory in use: 42%
Total physical RAM: 1535.48 MB
Available physical RAM: 883.51 MB
Total Pagefile: 3431.86 MB
Available Pagefile: 2692.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.16 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:149.04 GB) (Free:123.29 GB) NTFS
2 Drive f: () (Fixed) (Total:439.45 GB) (Free:297.14 GB) NTFS

========================= Users: ========================================

User accounts for \\c0mputer

Me                    Administrator            ASPNET                   
User2                  Guest                    HelpAssistant            
IUSR_C0MPUTER            IWAM_C0MPUTER            SUPPORT_388945a0         


**** End of log ****
 

Malwarebytes

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.22.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Me :: C0MPUTER [administrator]

9/21/2013 8:25:26 PM
mbam-log-2013-09-21 (20-25-26).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233166
Time elapsed: 7 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCR\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96} (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Updater.AmiUpd.1 (PUP.Software.Updater) -> Quarantined and deleted successfully.
HKCR\Updater.AmiUpd (PUP.Software.Updater) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\Me\Application Data\SwvUpdater (PUP.Software.Updater) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Documents and Settings\Me\Application Data\SwvUpdater\Updater.exe (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\SwvUpdater\Updater.xml (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\SwvUpdater\status.cfg (PUP.Software.Updater) -> Quarantined and deleted successfully.

(end)
 

Malwarebytes' Anti-Rootkit

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.09.22.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Admin :: C0MPUTER [administrator]

9/21/2013 8:56:34 PM
mbar-log-2013-09-21 (20-56-34).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 237800
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

Rkill

 

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/21/2013 09:09:21 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\system32\CTHELPER.EXE (PID: 404) [WD-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 09/21/2013 09:10:10 PM
Execution time: 0 hours(s), 0 minute(s), and 48 seconds(s)
 



#4 Broni
Posted 22 September 2013 - 03:27 PM

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart your computer.

=============================================================================

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


=============================================================================

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


=======================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE: If ESET doesn't find any threats, it'll NOT produce any log.


My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click here.




#5 Deep_Thought
Posted 25 September 2013 - 01:53 AM

AdWare Cleaner

 

# AdwCleaner v2.003 - Logfile created 09/22/2013 at 19:08:21
# Updated 23/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Me - C0MPUTER
# Boot Mode : Normal
# Running from : C:\Anti-virus\AdWare Cleaner\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Mozilla Firefox v18.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\z9f2x7ry.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\User2\Application Data\Mozilla\Firefox\Profiles\acr11v9x.default\prefs.js

[OK] File is clean.

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\55607wp6.default\prefs.js

[OK] File is clean.

-\\ Opera v12.12.1707.0

File : C:\Documents and Settings\Me\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2302 octets] - [07/10/2012 18:40:41]
AdwCleaner[R2].txt - [2362 octets] - [10/10/2012 19:37:46]
AdwCleaner[S1].txt - [2800 octets] - [10/10/2012 20:08:50]
AdwCleaner[S2].txt - [1738 octets] - [12/01/2013 20:38:51]
AdwCleaner[R3].txt - [1551 octets] - [22/09/2013 19:04:17]
AdwCleaner[S3].txt - [1633 octets] - [22/09/2013 19:08:21]

########## EOF - C:\AdwCleaner[S3].txt - [1693 octets] ##########
 

Junkware Removal Tool

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.4.2 (01.08.2013:1)
OS: Microsoft Windows XP x86
Ran by Me on Sun 09/22/2013 at 19:14:34.15
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\billp studios\detected\startup



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted: [File] C:\Documents and Settings\Me\Application Data\mozilla\firefox\profiles\z9f2x7ry.default\extensions\[email protected]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 09/22/2013 at 19:28:35.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

ESET didn't find anything.
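The logs posted in this reply and in #3 come from four tools (Malwarebytes, Rkill, AdwCleaner, JRT), each with its own line format, and a helper reading them has to pick the handful of lines that describe a real detection or change out of many lines of "nothing found". As an added example that is not part of this thread and is not code from any of those tools, here is a small Python parser that pulls those actionable lines into one structured list and cross-checks the Malwarebytes "X Detected: N" headers against the per-item lines beneath them. The sample text is constructed from the line formats seen in the thread (the "Files Detected: 2" header is made up to match the two quarantine lines under it), and the regular expressions are my assumptions about those formats, not any tool's documented specification.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines in the formats of the Malwarebytes, Rkill, AdwCleaner
# and JRT logs posted in this thread. "Files Detected: 2" is made up to match
# the two quarantine lines below it.
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Documents and Settings\Me\Application Data\SwvUpdater\Updater.xml (PUP.Software.Updater) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\SwvUpdater\status.cfg (PUP.Software.Updater) -> Quarantined and deleted successfully.
 * C:\WINDOWS\system32\CTHELPER.EXE (PID: 404) [WD-HEUR]
 * RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL
Successfully deleted: [Registry Key] hkey_current_user\software\billp studios\detected\startup
"""


@dataclass(frozen=True)
class Finding:
    tool: str    # which tool's log format the line matched
    action: str  # what the tool reports doing ("count" for a non-zero summary header)
    target: str  # file, process, service or registry key involved
    detail: str  # detection name, PID and tag, image path, item kind, or count


# Assumed line formats, one regex per kind of actionable line. Group names are
# unique per regex so parse_line() can tell them apart from the match alone.
PATTERNS = [
    ("mbam", re.compile(r"^(?P<cat>[A-Za-z ]+) Detected: (?P<n>\d+)$")),
    ("mbam", re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^()]+)\) -> (?P<act>.+?)\.?$")),
    ("rkill", re.compile(r"^\s*\* (?P<path>.+?) \(PID: (?P<pid>\d+)\) \[(?P<tag>[^\]]+)\]$")),
    ("rkill", re.compile(r"^\s*\* (?P<svc>\S+) => (?P<img>.+?) \[(?P<tag>[^\]]+)\]$")),
    ("adwcleaner", re.compile(r"^Restored : \[(?P<key>.+)\]$")),
    ("jrt", re.compile(r"^Successfully (?P<act>deleted|repaired): \[(?P<kind>[^\]]+)\] (?P<target>.+)$")),
]


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for an actionable log line, or None for noise."""
    for tool, pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        g = m.groupdict()
        if "cat" in g:                       # Malwarebytes summary header
            if int(g["n"]) == 0:
                return None                  # "... Detected: 0" is noise
            return Finding(tool, "count", g["cat"], g["n"])
        if "det" in g:                       # Malwarebytes per-item action
            return Finding(tool, g["act"], g["path"], g["det"])
        if "pid" in g:                       # Rkill terminated process
            return Finding(tool, "terminated", g["path"], f"PID {g['pid']} {g['tag']}")
        if "svc" in g:                       # Rkill service integrity check
            return Finding(tool, g["tag"], g["svc"], g["img"])
        if "key" in g:                       # AdwCleaner restored browser setting
            return Finding(tool, "restored", g["key"], "")
        return Finding(tool, g["act"], g["target"], g["kind"])  # JRT delete/repair
    return None


def parse_log(text: str) -> list:
    """Parse a whole log, keeping only the lines that describe a finding or change."""
    findings = []
    for line in text.splitlines():
        f = parse_line(line.rstrip())
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings) -> dict:
    """Number of actionable lines per tool."""
    return dict(Counter(f.tool for f in findings))


def mbam_count_matches(findings) -> bool:
    """Cross-check: the Malwarebytes 'X Detected: N' headers should equal the per-item lines."""
    claimed = sum(int(f.detail) for f in findings if f.tool == "mbam" and f.action == "count")
    listed = sum(1 for f in findings if f.tool == "mbam" and f.action != "count")
    return claimed == listed


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.tool}] {f.action}: {f.target} ({f.detail})")
    print("per tool:", summarize(found))
    print("MBAM counts consistent:", mbam_count_matches(found))
```

The cross-check is the part worth keeping: when a poster pastes a Malwarebytes log, the summary headers and the quarantine lines come from the same run, so a mismatch usually means the paste was truncated or mixed from two scans, which is worth asking about before reading anything into the detections.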



#6 Broni
Posted 25 September 2013 - 06:36 PM

How is the computer doing?

 

Update Firefox to the current 24.0 version.

 

Update Adobe Flash Player: http://get.adobe.com/flashplayer/
Make sure you UN-check Yes, install McAfee Security Scan Plus

NOTE 1: Beginning with Adobe Flash Version 11.3, the universal installer includes the 32-bit and 64-bit versions of the Flash Player.
NOTE 2: While installing make sure you UN-check any extra garbage which wants to install alongside.

 

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: If you're running 64-bit system make sure you install BOTH, 32-bit and 64-bit Java.

Note 3: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it.

  • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.






#7 Deep_Thought
Posted 02 October 2013 - 05:03 AM

Hi. Sorry for the delay, I got busy with other things. My computer seems to be fine, although I haven't tried to use checkers again yet. I upgraded Firefox, although now I'm remembering why I kept the old version for so long: I hate some of the changes they've made to it.

 

I updated Java just now, but it gave me a "GetDefaultBrowserError: 2" error after it was done. Also, the last time I upgraded Flash, it made my computer run super slow. I can only have a few tabs open, especially if it's a site that uses Flash a lot, or it's nearly impossible to use my computer. I know it's partially my fault for using one so outdated, but isn't there anything I can do about this?



#8 Broni
Posted 02 October 2013 - 08:01 PM

All of the above has to be kept up to date, so update all and report on any issues.






#9 Deep_Thought
Posted 05 October 2013 - 10:34 PM

Everything is updated and there are no major problems to report.



#10 Broni
Posted 05 October 2013 - 10:36 PM

Your computer is clean.

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create a fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/
Windows 8: http://www.bleepingcomputer.com/tutorials/windows-8-system-restore-guide/#disable

2. Make sure Windows Updates are current.

3. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

5. Download and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

12. Except for MBAM and TFC, which are keepers, you can simply delete all other tools we used, as they don't install.






#11 Deep_Thought
Posted 09 October 2013 - 08:20 PM

All right, I did all that stuff. Secunia PSI seems like a very useful program, but I don't really like WOT and I'm thinking of disabling it. It causes pages to not load properly sometimes, especially if I click the back button. And yes, I'm aware of how to avoid "foistware", and I really think that practice should be illegal. Is there anything else you think I should do, or more programs or sites to recommend to help protect my computer in the future?



#12 Broni
Posted 09 October 2013 - 08:59 PM

If no issues, you should be good to go :)




