Can't use computer unless in safe mode, please help!


  • This topic is locked
19 replies to this topic

#1 Flaarg

Flaarg

  • Members
  • 51 posts

Posted 11 December 2013 - 09:15 PM

I started a topic here, and was advised to use DDS and post the logs here; please read it for more info on my problem and the steps that have already been taken.

 

Here are my logs:

 

DDS:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.45.2
Run by admin at 20:04:03 on 2013-12-11
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1470.960 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRunOnce: [Report] c:\adwcleaner\AdwCleaner[S1].txt
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRunOnce: [ (A0)] cmd /c "c:\documents and settings\admin\desktop\mbar\mbar.exe" /rdv /s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:475
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:475
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{7494BEE4-A975-414E-95BE-56C9A674C0DF} : DHCPNameServer = 75.75.76.76 75.75.75.75
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\qmbam1sl.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.165\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1202122.dll
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-6-20 13560]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys --> c:\windows\system32\drivers\mfehidk.sys [?]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\drivers\BazisVirtualCDBus.sys [2011-6-4 117584]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2013-10-19 51416]
S0 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys --> c:\windows\system32\drivers\mferkdet.sys [?]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2013-6-21 28552]
S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-7-5 37352]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-7-5 440376]
S2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-7-5 440376]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-7-5 90400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 mfevtp;McAfee Validation Trust Protection Service;"c:\windows\system32\mfevtps.exe" --> c:\windows\system32\mfevtps.exe [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-8-16 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2013-12-11 21:22:16 104664 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-12-11 09:03:48 167344 ----a-w- c:\windows\system32\mfevtps.exe.e3e2.deleteme
2013-12-04 04:27:04 206 ----a-w- c:\windows\wininit.tmp
2013-11-25 02:49:26 67072 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp3xu.dll
2013-11-25 02:49:24 37376 ----a-w- c:\windows\system32\hpz3l3xu.dll
2013-11-14 09:34:36 -------- d-----w- c:\program files\WinCDEmu
2013-11-14 03:26:03 -------- d-----w- c:\program files\directx
.
==================== Find3M  ====================
.
2013-12-11 21:22:12 51416 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-12-05 15:00:51 90400 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-25 21:28:16 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-10-23 06:06:28 26 ----a-w- c:\windows\winstart.bat
2013-10-23 06:06:28 123 ----a-w- c:\windows\tmpcpyis.bat
2013-10-23 06:06:28 122 ----a-w- c:\windows\tmpdelis.bat
2013-10-13 07:25:38 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24:17 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57:59 385024 ----a-w- c:\windows\system32\html.iec
2013-10-12 15:56:19 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12:48 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-08 12:50:41 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-08 12:29:36 145408 ----a-w- c:\windows\system32\javacpl.cpl
2013-10-07 10:59:21 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14:01 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
============= FINISH: 20:04:14.79 ===============
 
 
 
Attached File: attach.txt (26.54KB, 1 downloads)



#2 Gunto

Gunto

    Bleepin' Reject Phoenix


  • Malware Response Team
  • 1,291 posts
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA

Posted 16 December 2013 - 12:15 PM

Hi, Flaarg! I'm going to try to help you out. :)

Before we get started, here are some things I need you to remember:
 

  • Please don't make any changes to your computer until I'm done helping you without asking me first! This will make it practically impossible for me to assist you.
  • Please don't run things without asking me first, this will also make it impossible for me to help you.
  • If you're getting help elsewhere, or have already resolved the problem, please let me know so I can close this thread.
  • Please respond to me within five days of me replying to you. If you need more time, please let me know. I will close topics that I have not received a response from within five days.
  • Please be patient with me. I'm a human just like you, so I need some time to analyze your logs and responses so I can correctly help you. I should respond to you within two days, but if I haven't, please send me a PM! I may have missed your response.
  • If something goes wrong, you don't understand something, or you don't know what to do, please stop and ask me before proceeding with any further steps!

 

 

Before I can start fixing things, I need you to run a different scan, whose results I will use to start fixing things. :)

 

Farbar Recovery Scan Tool
 
I need you to run a scan with FRST.
 

  • Download the version of FRST that is designed for your system from here, and save it to your desktop. If you don't know which one is designed for your system, download both and try running both. Only one will work correctly, and that's the one you need to use.
  • Double click the program to run it. Say Yes on the disclaimer and click the Scan button.
  • Once it's done scanning, FRST will create two logs on your desktop, FRST.txt and addition.txt. Please copy and paste both into your reply, one at a time.

 

 

Gunto


Beautiful avatar by Plumbeck!

 

Bury me in honor; when I'm dead and hit the ground, a love back home, it unfolds...


#3 Flaarg

Flaarg
  • Topic Starter

  • Members
  • 51 posts

Posted 16 December 2013 - 05:41 PM

FRST.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-12-2013 02
Ran by admin (administrator) on D3FFM5C1 on 16-12-2013 16:35:06
Running from C:\Documents and Settings\admin\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) ===================
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [683576 2013-11-25] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [DMXLauncher] - C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [nwiz] - nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [SigmatelSysTrayApp] - C:\WINDOWS\stsystra.exe [282624 2006-07-27] (SigmaTel, Inc.)
HKLM\...\RunOnce: [ (A0)] - cmd /c "C:\Documents and Settings\admin\Desktop\mbar\mbar.exe" /rdv /s [1175352 2013-11-18] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [395776 2006-08-28] (Gteko Ltd.)
HKCU\...\RunOnce: [Report] - C:\AdwCleaner\AdwCleaner[S1].txt [1387 2013-12-10] ()
HKU\Administrator\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [ 2006-08-28] (Gteko Ltd.)
HKU\Administrator\...\RunOnce: [] - C:\Program Files\Internet Explorer\iexplore.exe [ 2009-03-08] (Microsoft Corporation)
HKU\Default User\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [ 2006-08-28] (Gteko Ltd.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
ShortcutTarget: HP Image Zone Fast Start.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\qmbam1sl.default
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @oberon-media.com/ONCAdapter - C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll No File
FF Plugin: @pandasecurity.com/activescan - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\adawaretb.xml
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
 
Chrome: 
=======
CHR HomePage: hxxp://www.yahoo.com/
CHR DefaultSearchKeyword: google.com
CHR DefaultSearchProvider: Google
CHR DefaultSearchURL: {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultNewTabURL: {google:baseURL}_/chrome/newtab?{google:RLZ}{google:instantExtendedEnabledParameter}{google:ntpIsThemedParameter}ie={inputEncoding}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\pdf.dll ()
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U25) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Panda ActiveScan 2.0) - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\WINDOWS\system32\npDeployJava1.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Google Docs) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (AdBlock) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.6.16_0
CHR Extension: (Google Wallet) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR Extension: (Gmail) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [oejkcgajlodefenbbjdnaiahmbnnoole] - C:\Program Files\adawaretb\chrome-newtab-search.crx
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
========================== Services (Whitelisted) =================
 
S2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)
S2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S2 mfevtp; "C:\WINDOWS\system32\mfevtps.exe" [x]
 
==================== Drivers (Whitelisted) ====================
 
S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36864 2006-06-18] (Advanced Micro Devices)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [90400 2013-12-05] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137208 2013-11-25] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-11-25] (Avira Operations GmbH & Co. KG)
R3 BazisVirtualCDBus; C:\Windows\System32\DRIVERS\BazisVirtualCDBus.sys [117584 2011-08-08] (SysProgs.org)
S3 CTUSFSYN; C:\Windows\System32\drivers\ctusfsyn.sys [158464 2005-05-25] (Creative Technology Ltd.)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [13560 2013-06-20] (GFI Software)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2009-05-18] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2009-05-18] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2009-05-18] (HP)
R3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [51416 2013-12-11] (Malwarebytes Corporation)
S3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1389056 2006-01-04] (Creative Technology Ltd.)
R0 nvata; C:\Windows\System32\DRIVERS\nvata.sys [105472 2007-05-15] (NVIDIA Corporation)
S0 pavboot; C:\Windows\System32\drivers\pavboot.sys [28552 2009-06-30] (Panda Security, S.L.)
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-07-05] (Avira GmbH)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1171464 2006-07-27] (SigmaTel, Inc.)
S2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2006-11-28] (Symantec Corporation)
S3 trufos; C:\Windows\System32\drivers\trufos.sys [343456 2013-06-21] (BitDefender S.R.L.)
R0 mfehidk; system32\drivers\mfehidk.sys [x]
S0 mferkdet; system32\drivers\mferkdet.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 aswMBR; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\aswMBR.sys [x]
U3 mbr; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\mbr.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-12-16 16:35 - 2013-12-16 16:35 - 00013529 _____ C:\Documents and Settings\admin\Desktop\FRST.txt
2013-12-16 16:34 - 2013-12-16 16:34 - 00000000 ____D C:\FRST
2013-12-16 16:25 - 2013-12-16 16:25 - 01060997 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FRST.exe
2013-12-11 20:04 - 2013-12-11 20:04 - 00027174 _____ C:\Documents and Settings\admin\Desktop\attach.txt
2013-12-11 20:04 - 2013-12-11 20:04 - 00008840 _____ C:\Documents and Settings\admin\Desktop\dds.txt
2013-12-11 20:00 - 2013-12-11 20:01 - 00688992 ____R (Swearware) C:\Documents and Settings\admin\Desktop\dds.com
2013-12-11 15:22 - 2013-12-11 15:22 - 00104664 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-12-11 14:16 - 2013-12-11 14:19 - 00024142 _____ C:\Documents and Settings\admin\Desktop\Result.txt
2013-12-11 14:15 - 2013-12-11 14:15 - 00002923 _____ C:\Documents and Settings\admin\Desktop\FSS.txt
2013-12-11 14:14 - 2013-12-11 14:14 - 00000976 _____ C:\Documents and Settings\admin\Desktop\checkup.txt
2013-12-11 14:05 - 2013-12-11 14:05 - 00760937 _____ (Farbar) C:\Documents and Settings\admin\Desktop\MiniToolBox.exe
2013-12-11 14:04 - 2013-12-11 14:04 - 00708597 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FSS.exe
2013-12-11 14:03 - 2013-12-11 14:03 - 00891200 _____ C:\Documents and Settings\admin\Desktop\SecurityCheck.exe
2013-12-11 03:03 - 2013-12-11 03:03 - 00167344 _____ (McAfee, Inc.) C:\WINDOWS\system32\mfevtps.exe.e3e2.deleteme
2013-12-10 23:26 - 2013-12-16 16:34 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-12-10 23:24 - 2013-12-10 23:24 - 00277352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-12-10 23:24 - 2013-12-10 23:24 - 00000382 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-10 18:52 - 2013-12-10 18:52 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-12-03 22:27 - 2013-12-03 22:46 - 00000255 _____ C:\WINDOWS\wininit.ini
2013-12-03 22:27 - 2013-12-03 22:41 - 00000206 _____ C:\WINDOWS\wininit.tmp
2013-11-24 20:56 - 2013-11-24 20:56 - 00000000 ____D C:\Documents and Settings\admin\My Documents\My Albums
2013-11-24 20:49 - 2005-05-05 08:51 - 00037376 _____ (Hewlett-Packard Company) C:\WINDOWS\system32\hpz3l3xu.dll
2013-11-24 09:01 - 2013-11-25 15:29 - 105952601 _____ C:\WINDOWS\system32\쪞뵭L
2013-11-18 09:28 - 2013-12-10 23:28 - 04121952 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\admin\Desktop\TDSSKiller.exe
 
==================== One Month Modified Files and Folders =======
 
2013-12-16 16:35 - 2013-12-16 16:35 - 00013529 _____ C:\Documents and Settings\admin\Desktop\FRST.txt
2013-12-16 16:34 - 2013-12-16 16:34 - 00000000 ____D C:\FRST
2013-12-16 16:34 - 2013-12-10 23:26 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-12-16 16:25 - 2013-12-16 16:25 - 01060997 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FRST.exe
2013-12-11 20:04 - 2013-12-11 20:04 - 00027174 _____ C:\Documents and Settings\admin\Desktop\attach.txt
2013-12-11 20:04 - 2013-12-11 20:04 - 00008840 _____ C:\Documents and Settings\admin\Desktop\dds.txt
2013-12-11 20:01 - 2013-12-11 20:00 - 00688992 ____R (Swearware) C:\Documents and Settings\admin\Desktop\dds.com
2013-12-11 15:52 - 2013-06-18 21:56 - 00004740 _____ C:\Documents and Settings\admin\Desktop\Rkill.txt
2013-12-11 15:51 - 2013-06-18 22:09 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-12-11 15:51 - 2013-01-04 19:42 - 00000000 ____D C:\Documents and Settings\admin\Desktop\mbar
2013-12-11 15:22 - 2013-12-11 15:22 - 00104664 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-12-11 15:22 - 2013-10-19 16:23 - 00051416 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-12-11 14:19 - 2013-12-11 14:16 - 00024142 _____ C:\Documents and Settings\admin\Desktop\Result.txt
2013-12-11 14:15 - 2013-12-11 14:15 - 00002923 _____ C:\Documents and Settings\admin\Desktop\FSS.txt
2013-12-11 14:14 - 2013-12-11 14:14 - 00000976 _____ C:\Documents and Settings\admin\Desktop\checkup.txt
2013-12-11 14:08 - 2013-10-23 05:27 - 01937144 _____ (Bleeping Computer, LLC) C:\Documents and Settings\admin\Desktop\rkill.exe
2013-12-11 14:05 - 2013-12-11 14:05 - 00760937 _____ (Farbar) C:\Documents and Settings\admin\Desktop\MiniToolBox.exe
2013-12-11 14:05 - 2013-07-02 15:27 - 00000000 ____D C:\Documents and Settings\admin\Desktop\Tools
2013-12-11 14:04 - 2013-12-11 14:04 - 00708597 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FSS.exe
2013-12-11 14:03 - 2013-12-11 14:03 - 00891200 _____ C:\Documents and Settings\admin\Desktop\SecurityCheck.exe
2013-12-11 08:16 - 2013-01-04 19:52 - 00000000 ____D C:\Documents and Settings\admin\My Documents\Other
2013-12-11 08:13 - 2013-07-02 15:28 - 00000000 ____D C:\Documents and Settings\admin\Desktop\Stinger32
2013-12-11 08:13 - 2013-06-22 03:50 - 00000000 ____D C:\Program Files\stinger
2013-12-11 03:31 - 2013-06-22 03:51 - 00000000 ____D C:\Stinger_Quarantine
2013-12-11 03:03 - 2013-12-11 03:03 - 00167344 _____ (McAfee, Inc.) C:\WINDOWS\system32\mfevtps.exe.e3e2.deleteme
2013-12-10 23:30 - 2012-07-14 19:24 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-12-10 23:28 - 2013-11-18 09:28 - 04121952 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\admin\Desktop\TDSSKiller.exe
2013-12-10 23:24 - 2013-12-10 23:24 - 00277352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-12-10 23:24 - 2013-12-10 23:24 - 00000382 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-10 23:24 - 2013-06-09 17:30 - 00000000 ____D C:\WINDOWS\erdnt
2013-12-10 23:24 - 2013-01-04 19:54 - 00000000 ____D C:\Documents and Settings\admin\Desktop\OTL
2013-12-10 23:24 - 2012-06-03 11:04 - 00000278 ___SH C:\Documents and Settings\admin\ntuser.ini
2013-12-10 23:23 - 2013-09-22 02:56 - 00000000 ____D C:\AdwCleaner
2013-12-10 19:51 - 2012-06-03 11:04 - 00000000 ____D C:\Documents and Settings\admin
2013-12-10 18:53 - 2005-08-16 04:50 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-12-10 18:52 - 2013-12-10 18:52 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-12-10 18:52 - 2005-08-16 04:50 - 00000000 ____D C:\Documents and Settings\Administrator
2013-12-10 18:44 - 2013-10-23 00:09 - 00000179 _____ C:\handle.dat
2013-12-10 18:44 - 2013-09-24 23:16 - 00000880 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-10 18:44 - 2006-11-28 19:54 - 00081191 _____ C:\WINDOWS\system32\nvapps.xml
2013-12-10 18:43 - 2005-08-16 04:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-12-10 18:33 - 2013-09-24 23:16 - 00000884 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-10 06:58 - 2013-06-21 06:01 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2013-12-10 06:01 - 2005-08-16 04:38 - 00000000 ____D C:\WINDOWS\Registration
2013-12-05 09:00 - 2013-07-05 19:34 - 00090400 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
2013-12-04 15:33 - 2013-09-24 23:18 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2013-12-03 22:51 - 2013-10-22 18:32 - 00000000 ____D C:\Westwood
2013-12-03 22:46 - 2013-12-03 22:27 - 00000255 _____ C:\WINDOWS\wininit.ini
2013-12-03 22:41 - 2013-12-03 22:27 - 00000206 _____ C:\WINDOWS\wininit.tmp
2013-12-03 20:51 - 2013-10-22 20:43 - 00000000 ____D C:\Program Files\Red Alert
2013-11-25 15:29 - 2013-11-24 09:01 - 105952601 _____ C:\WINDOWS\system32\쪞뵭L
2013-11-25 15:28 - 2013-07-05 19:34 - 00137208 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
2013-11-25 15:28 - 2013-07-05 19:34 - 00037352 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avkmgr.sys
2013-11-24 21:13 - 2013-05-31 20:31 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-24 20:56 - 2013-11-24 20:56 - 00000000 ____D C:\Documents and Settings\admin\My Documents\My Albums
2013-11-24 20:54 - 2005-08-16 04:38 - 00000000 ____D C:\WINDOWS\system32\FxsTmp
2013-11-24 20:49 - 2005-08-16 04:22 - 00000000 ____D C:\WINDOWS\twain_32
2013-11-24 20:16 - 2013-10-21 21:14 - 00000000 ____D C:\Documents and Settings\admin\Application Data\HP
2013-11-23 15:52 - 2013-02-01 03:37 - 00000000 ____D C:\WINDOWS\Minidump
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================


#4 Flaarg (Topic Starter, Members, 51 posts)

Posted 16 December 2013 - 05:44 PM

Addition.txt:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 16-12-2013 02
Ran by admin at 2013-12-16 16:36:17
Running from C:\Documents and Settings\admin\Desktop
Boot Mode: Safe Mode (with Networking)
==========================================================
 
 
==================== Security Center ========================
 
AV: Avira Desktop (Disabled - Up to date) {AD166499-45F9-482A-A743-FDD3350758C7}
 
==================== Installed Programs ======================
 
32 Bit HP CIO Components Installer (Version: 6.1.1)
32 bit Windows Card Reader Driver (Version: 1.1.0.0)
7-Zip 9.20
Adobe Flash Player 11 ActiveX (Version: 11.5.502.135)
Adobe Reader XI (11.0.05) (Version: 11.0.05)
Adobe Shockwave Player 12.0 (Version: 12.0.2.122)
AiO_Scan_CDA (Version: 50.0.214.000)
AiOSoftwareNPI (Version: 50.0.214.000)
Amazon Kindle
AOLIcon (Version: 1.00.0000)
Apple Application Support (Version: 2.3)
Apple Mobile Device Support (Version: 4.0.0.96)
Apple Software Update (Version: 2.1.3.127)
Athlon 64 Processor Driver (Version: 1.3.2.0)
Auslogics Disk Defrag (Version: 3.5)
AVerMedia M779 Driver (Version: 3.04.0006)
Avira Free Antivirus (Version: 14.0.1.759)
Broadcom 440x 10/100 Integrated Controller (Version: 10.04.01)
Broadcom Management Programs (Version: 10.15.03)
BufferChm (Version: 53.0.13.000)
CCleaner (Version: 4.05)
Command & Conquer Gold Edition Stand Alone v1.06c revision 2
Conexant D850 56K V.9x DFVc Modem
CP_AtenaShokunin1Config (Version: 53.0.13.000)
CP_CalendarTemplates1 (Version: 53.0.13.000)
CP_Package_Basic1 (Version: 53.0.13.000)
CP_Package_Variety1 (Version: 61.0.163.000)
CP_Package_Variety2 (Version: 61.0.163.000)
CP_Package_Variety3 (Version: 61.0.163.000)
CP_Panorama1Config (Version: 53.0.13.000)
CueTour (Version: 53.0.13.000)
CustomerResearchQFolder (Version: 1.00.0000)
Dell CinePlayer (Version: 3.0)
Dell Support 3.2.1 (Version: 5.5.2087)
Dell System Detect (HKCU Version: 5.3.1.5)
Dell System Restore (Version: 2.00.0000)
Destinations (Version: 53.0.13.000)
DeviceFunctionQFolder (Version: 1.00.0000)
DeviceManagementQFolder (Version: 1.00.0000)
Digital Content Portal (Version: 1.00.0000)
Digital Line Detect (Version: 1.10)
DocProc (Version: 5.2.0.0)
Documentation & Support Launcher (Version: 1.00.0000)
DocumentViewer (Version: 53.0.13.000)
DocumentViewerQFolder (Version: 1.00.0000)
EarthLink Setup Files (Version: 2005.2.178.0.2.2)
EducateU (Version: 1.00.0000)
eSupportQFolder (Version: 1.00.0000)
Fax_CDA (Version: 50.0.214.000)
FileASSASSIN (Version: 1.06)
FullDPAppQFolder (Version: 1.00.0000)
Games, Music, & Photos Launcher (Version: 1.00.0000)
GemMaster Mystic
Get High Speed Internet! (Version: 1.00.0000)
Google Chrome (Version: 31.0.1650.63)
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
HP Document Viewer 5.3 (Version: 5.3)
HP Extended Capabilities 5.3 (Version: 5.3)
HP Image Zone 5.3 (Version: 5.3)
HP Imaging Device Functions 5.3 (Version: 5.3)
HP PSC & OfficeJet 5.3.A
HP Software Update (Version: 3.0.5.001)
HP Solution Center & Imaging Support Tools 5.3 (Version: 5.3)
HPProductAssistant (Version: 130.0.371.000)
InstantShareDevices (Version: 53.0.13.000)
Internet Service Offers Launcher (Version: 1.00.0000)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java 7 Update 45 (Version: 7.0.450)
Java Auto Updater (Version: 2.1.9.8)
Learn2 Player (Uninstall Only)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
MarketResearch (Version: 53.0.13.000)
Microsoft .NET Framework 1.0 Hotfix (KB2604042)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Security Update (KB2698035)
Microsoft .NET Framework 1.0 Security Update (KB2742607)
Microsoft .NET Framework 1.0 Security Update (KB2833951)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2833941)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer (Version: 1.1.0.3514)
Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Works (Version: 08.05.0818)
Modem Diagnostic Tool (Version: 1.0.17.2)
Mozilla Firefox 24.0 (x86 en-US) (Version: 24.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
NetWaiting (Version: 2.5.12)
NewCopy_CDA (Version: 50.0.214.000)
NTREGOPT 1.1j
NVIDIA Drivers
Panda ActiveScan 2.0 (Version: 01.04.01.0014)
PanoStandAlone (Version: 53.0.13.000)
PhotoGallery (Version: 53.0.13.000)
QuickTime (Version: 7.74.80.86)
RandMap (Version: 53.0.13.000)
Readme (Version: 50.0.214.000)
Red Alert 3.03p-Iran (Version: 3.03p-Iran)
Scan (Version: 5.2.0.0)
ScannerCopy (Version: 5.2.0.0)
SearchAssist
SeaTools for Windows (Version: 1.2.0.7)
SigmaTel Audio (Version: 5.10.4820.0)
SkinsHP1 (Version: 53.0.13.000)
SolutionCenter (Version: 50.0.152.000)
Sonic Activation Module (Version: 1.0)
Sonic Encoders (Version: 1.00)
Sonic_PrimoSDK (Version: 53.0.13.000)
Sound Blaster ADVANCED MB Drivers
Speccy (Version: 1.22)
SpywareBlaster 5.0 (Version: 5.0.0)
Status (Version: 53.0.13.000)
swMSM (Version: 12.0.0.1)
Toolbox (Version: 61.0.163.000)
TrayApp (Version: 53.0.13.000)
TreeSize Free V2.7 (Version: 2.7)
Unload (Version: 6.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2492386) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB2808679) (Version: 1)
Update for Windows XP (KB2863058) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 53.0.13.000)
WinCDEmu (Version: 3.6)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 10 (Version: 9.00.3636)
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Search 4.0 (Version: 04.00.6001.503)
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3 (Version: 20080414.031525)
 
==================== Restore Points  =========================
 
01-10-2013 12:30:40 Configured 32 bit Windows Card Reader Driver
01-10-2013 12:35:47 Removed Dell Support Center (Support Software).
02-10-2013 13:25:05 System Checkpoint
03-10-2013 13:28:22 System Checkpoint
04-10-2013 14:25:12 System Checkpoint
05-10-2013 15:25:12 System Checkpoint
06-10-2013 16:25:15 System Checkpoint
07-10-2013 17:25:13 System Checkpoint
08-10-2013 18:16:53 System Checkpoint
09-10-2013 18:25:07 System Checkpoint
10-10-2013 08:00:26 Software Distribution Service 3.0
11-10-2013 09:32:08 System Checkpoint
12-10-2013 12:04:36 System Checkpoint
13-10-2013 12:47:12 System Checkpoint
14-10-2013 02:16:57 Software Distribution Service 3.0
15-10-2013 02:45:40 System Checkpoint
16-10-2013 03:41:30 System Checkpoint
17-10-2013 03:44:58 System Checkpoint
18-10-2013 04:45:48 System Checkpoint
19-10-2013 04:48:45 System Checkpoint
20-10-2013 00:04:43 Removed SigmaTel Audio
20-10-2013 00:30:28 Removed Mouse Suite for Desktop Computers
20-10-2013 11:56:26 Installed Java 7 Update 45
21-10-2013 12:28:56 System Checkpoint
22-10-2013 13:07:00 System Checkpoint
23-10-2013 06:27:18 Removed SAMB_ADVMB_FILTER_DRV
23-10-2013 07:17:02 Installed SAMB_ADVMB_FILTER_DRV
23-10-2013 08:30:29 Installed SigmaTel Audio
24-10-2013 08:36:59 System Checkpoint
25-10-2013 12:45:30 System Checkpoint
26-10-2013 13:35:42 System Checkpoint
27-10-2013 14:35:06 System Checkpoint
28-10-2013 15:34:44 System Checkpoint
29-10-2013 16:34:20 System Checkpoint
30-10-2013 17:34:16 System Checkpoint
31-10-2013 19:06:33 System Checkpoint
02-11-2013 03:48:01 System Checkpoint
03-11-2013 04:30:15 System Checkpoint
04-11-2013 04:32:04 System Checkpoint
05-11-2013 04:44:46 System Checkpoint
06-11-2013 04:52:16 System Checkpoint
07-11-2013 05:03:41 System Checkpoint
08-11-2013 06:53:00 System Checkpoint
09-11-2013 08:04:36 System Checkpoint
10-11-2013 08:04:48 System Checkpoint
11-11-2013 08:51:12 System Checkpoint
12-11-2013 09:51:08 System Checkpoint
13-11-2013 09:00:19 Software Distribution Service 3.0
14-11-2013 13:03:11 System Checkpoint
15-11-2013 13:57:32 System Checkpoint
16-11-2013 14:08:56 System Checkpoint
17-11-2013 14:09:57 System Checkpoint
18-11-2013 14:55:50 System Checkpoint
19-11-2013 14:56:22 System Checkpoint
20-11-2013 15:56:25 System Checkpoint
21-11-2013 16:55:34 System Checkpoint
22-11-2013 17:55:34 System Checkpoint
23-11-2013 18:55:36 System Checkpoint
24-11-2013 19:55:15 System Checkpoint
25-11-2013 20:54:58 System Checkpoint
26-11-2013 21:50:33 System Checkpoint
28-11-2013 05:02:52 System Checkpoint
29-11-2013 05:41:43 System Checkpoint
30-11-2013 06:31:52 System Checkpoint
01-12-2013 07:45:20 System Checkpoint
02-12-2013 08:31:49 System Checkpoint
03-12-2013 09:30:55 System Checkpoint
04-12-2013 11:08:52 System Checkpoint
05-12-2013 11:30:07 System Checkpoint
06-12-2013 13:16:32 System Checkpoint
07-12-2013 13:25:40 System Checkpoint
08-12-2013 13:29:32 System Checkpoint
09-12-2013 14:28:50 System Checkpoint
10-12-2013 14:53:38 System Checkpoint
 
==================== Hosts content: ==========================
 
2005-08-16 04:18 - 2013-06-18 23:19 - 00448840 ____N C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
There are 1000 more lines.
 
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/10/2013 07:01:01 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved
 
Error: (12/10/2013 07:00:16 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
 
Error: (12/10/2013 07:00:02 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved
 
Error: (12/10/2013 06:59:47 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved
 
Error: (12/10/2013 03:29:03 PM) (Source: Chrome) (User: NT AUTHORITY)
Description: Chrome has encountered a fatal error.
ver=31.0.1650.63;lang=;id=;is_machine=1;oop=1;upload=1;minidump=C:\Program Files\Google\CrashReports\3c637155-2ac2-4062-9531-7f19207292cb.dmp
 
Error: (12/10/2013 06:54:43 AM) (Source: MSDTC Client) (User: )
Description: Failed to initialize the needed name objects. Error Specifics: d:\comxp_sp3\com\com1x\dtc\dtc\msdtcprx\src\dtcinit.cpp:215, Pid: 3968
No Callstack,
 CmdLine: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
 
 
System errors:
=============
Error: (12/11/2013 06:24:39 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 04:07:25 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 02:26:40 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 02:13:13 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 02:12:31 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 02:12:30 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 02:12:14 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 02:09:34 PM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 07:29:18 AM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error: (12/11/2013 07:28:16 AM) (Source: DCOM) (User: D3FFM5C1)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
 
Microsoft Office Sessions:
=========================
Error: (12/10/2013 07:01:01 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 07:00:16 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 07:00:02 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 06:59:47 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 06:59:38 PM) (Source: crypt32)(User: )
 
Error: (12/10/2013 03:29:03 PM) (Source: Chrome)(User: NT AUTHORITY)
Description: Chrome has encountered a fatal error.
ver=31.0.1650.63;lang=;id=;is_machine=1;oop=1;upload=1;minidump=C:\Program Files\Google\CrashReports\3c637155-2ac2-4062-9531-7f19207292cb.dmp
 
Error: (12/10/2013 06:54:43 AM) (Source: MSDTC Client)(User: )
Description: d:\comxp_sp3\com\com1x\dtc\dtc\msdtcprx\src\dtcinit.cpp:215, Pid: 3968
No Callstack,
 CmdLine: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 35%
Total physical RAM: 1470.42 MB
Available physical RAM: 952.6 MB
Total Pagefile: 4324.24 MB
Available Pagefile: 4132.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.63 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:69.82 GB) (Free:42.99 GB) NTFS ==>[Drive with boot components (Windows XP)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 75 GB) (Disk ID: E686F016)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=70 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=5 GB) - (Type=DB)
 
==================== End Of Log ============================


#5 Gunto (Bleepin' Reject Phoenix, Malware Response Team, 1,291 posts)

Posted 18 December 2013 - 05:46 PM

Hi,

 

Very sorry for the late reply. :( Hopefully this fix will start making things better. :)

 

Farbar Recovery Scan Tool

I need you to run a fix with FRST.
 

  • Open up Notepad, and copy and paste the text in the following box into the Notepad text field:
    HKLM\...\Policies\Explorer: [NoControlPanel] 0
    HKCU\...\RunOnce: [Report] - C:\AdwCleaner\AdwCleaner[S1].txt [1387 2013-12-10] ()
    HKU\Administrator\...\RunOnce: [] - C:\Program Files\Internet Explorer\iexplore.exe [ 2009-03-08] (Microsoft Corporation)
    SearchScopes: HKLM - DefaultScope value is missing.
    FF Plugin: @oberon-media.com/ONCAdapter - C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll No File
    CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
    CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\WINDOWS\system32\npDeployJava1.dll No File
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    S2 mfevtp; "C:\WINDOWS\system32\mfevtps.exe" [x]
    R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [13560 2013-06-20] (GFI Software)
    S2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2006-11-28] (Symantec Corporation)
    S3 trufos; C:\Windows\System32\drivers\trufos.sys [343456 2013-06-21] (BitDefender S.R.L.)
    R0 mfehidk; system32\drivers\mfehidk.sys [x]
    S0 mferkdet; system32\drivers\mferkdet.sys [x]
    U3 aswMBR; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\aswMBR.sys [x]
    U3 mbr; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\mbr.sys [x]
    C:\WINDOWS\system32\mfevtps.exe.e3e2.deleteme
    C:\WINDOWS\wininit.ini
    C:\WINDOWS\wininit.tmp
    C:\WINDOWS\system32\쪞뵭L
    C:\Documents and Settings\admin\Desktop\Stinger32
    C:\Program Files\stinger
    C:\Stinger_Quarantine
    C:\handle.dat
    c:\windows\winstart.bat
    c:\windows\tmpcpyis.bat
    c:\windows\tmpdelis.bat
    C:\Windows\System32\drivers\trufos.sys
    C:\WINDOWS\system32\drivers\symlcbrd.sys
    C:\Windows\System32\drivers\gfibto.sys
  • Save it to the same location as FRST as fixlist.txt.
  • Open up FRST, and click the Fix button. If it asks you to reboot in order to complete the fix, please do so.
  • Once it's done fixing things, it will create fixlog.txt in the same folder. Please copy and paste it into your reply.

Please also run a FRST scan again, and copy the new FRST.txt into your reply. :)

 

Please let me know how the computer is running.

 

Gunto


Edited by Gunto, 18 December 2013 - 05:47 PM.



#6 Flaarg (Topic Starter, Members, 51 posts)

Posted 18 December 2013 - 09:33 PM

svchost still takes up 99% of the CPU outside safe mode.

 

fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-12-2013 05
Ran by admin at 2013-12-18 20:16:43 Run:1
Running from C:\Documents and Settings\admin\Desktop
Boot Mode: Safe Mode (with Networking)
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\RunOnce: [Report] - C:\AdwCleaner\AdwCleaner[S1].txt [1387 2013-12-10] ()
HKU\Administrator\...\RunOnce: [] - C:\Program Files\Internet Explorer\iexplore.exe [ 2009-03-08] (Microsoft Corporation)
SearchScopes: HKLM - DefaultScope value is missing.
FF Plugin: @oberon-media.com/ONCAdapter - C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\WINDOWS\system32\npDeployJava1.dll No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S2 mfevtp; "C:\WINDOWS\system32\mfevtps.exe" [x]
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [13560 2013-06-20] (GFI Software)
S2 symlcbrd; C:\WINDOWS\system32\drivers\symlcbrd.sys [10344 2006-11-28] (Symantec Corporation)
S3 trufos; C:\Windows\System32\drivers\trufos.sys [343456 2013-06-21] (BitDefender S.R.L.)
R0 mfehidk; system32\drivers\mfehidk.sys [x]
S0 mferkdet; system32\drivers\mferkdet.sys [x]
U3 aswMBR; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\aswMBR.sys [x]
U3 mbr; \??\C:\DOCUME~1\admin\LOCALS~1\Temp\mbr.sys [x]
C:\WINDOWS\system32\mfevtps.exe.e3e2.deleteme
C:\WINDOWS\wininit.ini
C:\WINDOWS\wininit.tmp
C:\WINDOWS\system32\쪞뵭L
C:\Documents and Settings\admin\Desktop\Stinger32
C:\Program Files\stinger
C:\Stinger_Quarantine
C:\handle.dat
c:\windows\winstart.bat
c:\windows\tmpcpyis.bat
c:\windows\tmpdelis.bat
C:\Windows\System32\drivers\trufos.sys
C:\WINDOWS\system32\drivers\symlcbrd.sys
C:\Windows\System32\drivers\gfibto.sys
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoControlPanel => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Report => Value deleted successfully.
HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\RunOnce\\ => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter => Key deleted successfully.
C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll not found.
C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll not found.
C:\WINDOWS\system32\npDeployJava1.dll not found.
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
mfevtp => Service deleted successfully.
gfibto => Service deleted successfully.
symlcbrd => Service deleted successfully.
trufos => Service deleted successfully.
mfehidk => Service deleted successfully.
mferkdet => Service deleted successfully.
aswMBR => Service deleted successfully.
mbr => Service deleted successfully.
C:\WINDOWS\system32\mfevtps.exe.e3e2.deleteme => Moved successfully.
C:\WINDOWS\wininit.ini => Moved successfully.
C:\WINDOWS\wininit.tmp => Moved successfully.
"C:\WINDOWS\system32\쪞뵭L" => File/Directory not found.
C:\Documents and Settings\admin\Desktop\Stinger32 => Moved successfully.
C:\Program Files\stinger => Moved successfully.
C:\Stinger_Quarantine => Moved successfully.
C:\handle.dat => Moved successfully.
c:\windows\winstart.bat => Moved successfully.
c:\windows\tmpcpyis.bat => Moved successfully.
c:\windows\tmpdelis.bat => Moved successfully.
C:\Windows\System32\drivers\trufos.sys => Moved successfully.
C:\WINDOWS\system32\drivers\symlcbrd.sys => Moved successfully.
C:\Windows\System32\drivers\gfibto.sys => Moved successfully.
 
 
The system needs a manual reboot. 
 
==== End of Fixlog ====
 
 
 
 
FRST.txt:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-12-2013 05
Ran by admin (administrator) on D3FFM5C1 on 18-12-2013 20:27:33
Running from C:\Documents and Settings\admin\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) ===================
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [avgnt] - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [683576 2013-11-25] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [DMXLauncher] - C:\Program Files\Dell\Media Experience\DMXLauncher.exe [94208 2005-10-05] ()
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-10-11] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [nwiz] - nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] - RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [SigmatelSysTrayApp] - C:\WINDOWS\stsystra.exe [282624 2006-07-27] (SigmaTel, Inc.)
HKCU\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [395776 2006-08-28] (Gteko Ltd.)
HKU\Administrator\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [ 2006-08-28] (Gteko Ltd.)
HKU\Default User\...\Run: [DellSupport] - C:\Program Files\Dell Support\DSAgnt.exe [ 2006-08-28] (Gteko Ltd.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
ShortcutTarget: HP Image Zone Fast Start.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
FireFox:
========
FF ProfilePath: C:\Documents and Settings\admin\Application Data\Mozilla\Firefox\Profiles\qmbam1sl.default
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @pandasecurity.com/activescan - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\adawaretb.xml
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
 
Chrome: 
=======
CHR HomePage: hxxp://www.yahoo.com/
CHR DefaultSearchKeyword: google.com
CHR DefaultSearchProvider: Google
CHR DefaultSearchURL: {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultNewTabURL: {google:baseURL}_/chrome/newtab?{google:RLZ}{google:instantExtendedEnabledParameter}{google:ntpIsThemedParameter}ie={inputEncoding}
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\31.0.1650.63\pdf.dll ()
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 7 U25) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Panda ActiveScan 2.0) - C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
CHR Plugin: (Shockwave for Director) - C:\WINDOWS\system32\Adobe\Director\np32dsw_1202122.dll (Adobe Systems, Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\WINDOWS\system32\npDeployJava1.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Google Docs) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (AdBlock) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.6.16_0
CHR Extension: (Google Wallet) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR Extension: (Gmail) - C:\Documents and Settings\admin\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [oejkcgajlodefenbbjdnaiahmbnnoole] - C:\Program Files\adawaretb\chrome-newtab-search.crx
 
========================== Services (Whitelisted) =================
 
S2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)
S2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)
S2 McrdSvc; C:\WINDOWS\ehome\mcrdsvc.exe [99328 2005-08-05] (Microsoft Corporation)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
 
==================== Drivers (Whitelisted) ====================
 
S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S1 AmdK8; C:\Windows\System32\DRIVERS\AmdK8.sys [36864 2006-06-18] (Advanced Micro Devices)
S2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [90400 2013-12-05] (Avira Operations GmbH & Co. KG)
S1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [137208 2013-11-25] (Avira Operations GmbH & Co. KG)
S1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [37352 2013-11-25] (Avira Operations GmbH & Co. KG)
R3 BazisVirtualCDBus; C:\Windows\System32\DRIVERS\BazisVirtualCDBus.sys [117584 2011-08-08] (SysProgs.org)
S3 CTUSFSYN; C:\Windows\System32\drivers\ctusfsyn.sys [158464 2005-05-25] (Creative Technology Ltd.)
S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49920 2009-05-18] (HP)
S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2009-05-18] (HP)
S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2009-05-18] (HP)
S3 monfilt; C:\Windows\System32\drivers\monfilt.sys [1389056 2006-01-04] (Creative Technology Ltd.)
R0 nvata; C:\Windows\System32\DRIVERS\nvata.sys [105472 2007-05-15] (NVIDIA Corporation)
S0 pavboot; C:\Windows\System32\drivers\pavboot.sys [28552 2009-06-30] (Panda Security, S.L.)
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2013-07-05] (Avira GmbH)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1171464 2006-07-27] (SigmaTel, Inc.)
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-12-18 20:21 - 2013-12-18 20:21 - 00000179 _____ C:\handle.dat
2013-12-18 20:19 - 2013-12-18 20:25 - 00000812 _____ C:\WINDOWS\SchedLgU.Txt
2013-12-18 20:19 - 2013-12-18 20:25 - 00000216 _____ C:\WINDOWS\wiadebug.log
2013-12-18 20:19 - 2013-12-18 20:20 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-12-18 20:19 - 2013-12-18 20:19 - 00000000 _____ C:\WINDOWS\Sti_Trace.log
2013-12-18 20:13 - 2013-12-18 20:13 - 00000000 ____D C:\Documents and Settings\admin\Desktop\FRST-OlderVersion
2013-12-16 16:36 - 2013-12-16 16:36 - 00022739 _____ C:\Documents and Settings\admin\Desktop\Addition.txt
2013-12-16 16:35 - 2013-12-18 20:27 - 00012218 _____ C:\Documents and Settings\admin\Desktop\FRST.txt
2013-12-16 16:34 - 2013-12-18 20:16 - 00000000 ____D C:\FRST
2013-12-16 16:25 - 2013-12-18 20:13 - 01325654 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FRST.exe
2013-12-11 20:04 - 2013-12-11 20:04 - 00027174 _____ C:\Documents and Settings\admin\Desktop\attach.txt
2013-12-11 20:04 - 2013-12-11 20:04 - 00008840 _____ C:\Documents and Settings\admin\Desktop\dds.txt
2013-12-11 20:00 - 2013-12-11 20:01 - 00688992 ____R (Swearware) C:\Documents and Settings\admin\Desktop\dds.com
2013-12-11 15:22 - 2013-12-11 15:22 - 00104664 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-12-11 14:16 - 2013-12-11 14:19 - 00024142 _____ C:\Documents and Settings\admin\Desktop\Result.txt
2013-12-11 14:15 - 2013-12-11 14:15 - 00002923 _____ C:\Documents and Settings\admin\Desktop\FSS.txt
2013-12-11 14:14 - 2013-12-11 14:14 - 00000976 _____ C:\Documents and Settings\admin\Desktop\checkup.txt
2013-12-11 14:05 - 2013-12-11 14:05 - 00760937 _____ (Farbar) C:\Documents and Settings\admin\Desktop\MiniToolBox.exe
2013-12-11 14:04 - 2013-12-11 14:04 - 00708597 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FSS.exe
2013-12-11 14:03 - 2013-12-11 14:03 - 00891200 _____ C:\Documents and Settings\admin\Desktop\SecurityCheck.exe
2013-12-10 23:26 - 2013-12-18 20:18 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-12-10 23:24 - 2013-12-18 20:25 - 00015960 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-10 23:24 - 2013-12-10 23:24 - 00277352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-12-10 18:52 - 2013-12-10 18:52 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-11-24 20:56 - 2013-11-24 20:56 - 00000000 ____D C:\Documents and Settings\admin\My Documents\My Albums
2013-11-24 20:49 - 2005-05-05 08:51 - 00037376 _____ (Hewlett-Packard Company) C:\WINDOWS\system32\hpz3l3xu.dll
2013-11-24 09:01 - 2013-11-25 15:29 - 105952601 _____ C:\WINDOWS\system32\쪞뵭L
2013-11-18 09:28 - 2013-12-10 23:28 - 04121952 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\admin\Desktop\TDSSKiller.exe
 
==================== One Month Modified Files and Folders =======
 
2013-12-18 20:27 - 2013-12-16 16:35 - 00012218 _____ C:\Documents and Settings\admin\Desktop\FRST.txt
2013-12-18 20:25 - 2013-12-18 20:19 - 00000812 _____ C:\WINDOWS\SchedLgU.Txt
2013-12-18 20:25 - 2013-12-18 20:19 - 00000216 _____ C:\WINDOWS\wiadebug.log
2013-12-18 20:25 - 2013-12-10 23:24 - 00015960 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-18 20:25 - 2005-08-16 04:49 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-12-18 20:24 - 2012-06-03 11:04 - 00000278 ___SH C:\Documents and Settings\admin\ntuser.ini
2013-12-18 20:24 - 2012-06-03 11:04 - 00000000 ____D C:\Documents and Settings\admin
2013-12-18 20:21 - 2013-12-18 20:21 - 00000179 _____ C:\handle.dat
2013-12-18 20:21 - 2006-11-28 20:29 - 00075688 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2013-12-18 20:20 - 2013-12-18 20:19 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-12-18 20:20 - 2006-11-28 19:54 - 00081191 _____ C:\WINDOWS\system32\nvapps.xml
2013-12-18 20:19 - 2013-12-18 20:19 - 00000000 _____ C:\WINDOWS\Sti_Trace.log
2013-12-18 20:19 - 2013-09-24 23:16 - 00000880 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-18 20:18 - 2013-12-10 23:26 - 00000664 _____ C:\WINDOWS\system32\d3d9caps.dat
2013-12-18 20:16 - 2013-12-16 16:34 - 00000000 ____D C:\FRST
2013-12-18 20:13 - 2013-12-18 20:13 - 00000000 ____D C:\Documents and Settings\admin\Desktop\FRST-OlderVersion
2013-12-18 20:13 - 2013-12-16 16:25 - 01325654 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FRST.exe
2013-12-16 16:36 - 2013-12-16 16:36 - 00022739 _____ C:\Documents and Settings\admin\Desktop\Addition.txt
2013-12-11 20:04 - 2013-12-11 20:04 - 00027174 _____ C:\Documents and Settings\admin\Desktop\attach.txt
2013-12-11 20:04 - 2013-12-11 20:04 - 00008840 _____ C:\Documents and Settings\admin\Desktop\dds.txt
2013-12-11 20:01 - 2013-12-11 20:00 - 00688992 ____R (Swearware) C:\Documents and Settings\admin\Desktop\dds.com
2013-12-11 15:52 - 2013-06-18 21:56 - 00004740 _____ C:\Documents and Settings\admin\Desktop\Rkill.txt
2013-12-11 15:51 - 2013-06-18 22:09 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-12-11 15:51 - 2013-01-04 19:42 - 00000000 ____D C:\Documents and Settings\admin\Desktop\mbar
2013-12-11 15:22 - 2013-12-11 15:22 - 00104664 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2013-12-11 15:22 - 2013-10-19 16:23 - 00051416 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2013-12-11 14:19 - 2013-12-11 14:16 - 00024142 _____ C:\Documents and Settings\admin\Desktop\Result.txt
2013-12-11 14:15 - 2013-12-11 14:15 - 00002923 _____ C:\Documents and Settings\admin\Desktop\FSS.txt
2013-12-11 14:14 - 2013-12-11 14:14 - 00000976 _____ C:\Documents and Settings\admin\Desktop\checkup.txt
2013-12-11 14:08 - 2013-10-23 05:27 - 01937144 _____ (Bleeping Computer, LLC) C:\Documents and Settings\admin\Desktop\rkill.exe
2013-12-11 14:05 - 2013-12-11 14:05 - 00760937 _____ (Farbar) C:\Documents and Settings\admin\Desktop\MiniToolBox.exe
2013-12-11 14:05 - 2013-07-02 15:27 - 00000000 ____D C:\Documents and Settings\admin\Desktop\Tools
2013-12-11 14:04 - 2013-12-11 14:04 - 00708597 _____ (Farbar) C:\Documents and Settings\admin\Desktop\FSS.exe
2013-12-11 14:03 - 2013-12-11 14:03 - 00891200 _____ C:\Documents and Settings\admin\Desktop\SecurityCheck.exe
2013-12-11 08:16 - 2013-01-04 19:52 - 00000000 ____D C:\Documents and Settings\admin\My Documents\Other
2013-12-10 23:30 - 2012-07-14 19:24 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-12-10 23:28 - 2013-11-18 09:28 - 04121952 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\admin\Desktop\TDSSKiller.exe
2013-12-10 23:24 - 2013-12-10 23:24 - 00277352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2013-12-10 23:24 - 2013-06-09 17:30 - 00000000 ____D C:\WINDOWS\erdnt
2013-12-10 23:24 - 2013-01-04 19:54 - 00000000 ____D C:\Documents and Settings\admin\Desktop\OTL
2013-12-10 23:23 - 2013-09-22 02:56 - 00000000 ____D C:\AdwCleaner
2013-12-10 18:53 - 2005-08-16 04:50 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2013-12-10 18:52 - 2013-12-10 18:52 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
2013-12-10 18:52 - 2005-08-16 04:50 - 00000000 ____D C:\Documents and Settings\Administrator
2013-12-10 18:33 - 2013-09-24 23:16 - 00000884 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-10 06:58 - 2013-06-21 06:01 - 00000000 ____D C:\WINDOWS\system32\NtmsData
2013-12-10 06:01 - 2005-08-16 04:38 - 00000000 ____D C:\WINDOWS\Registration
2013-12-05 09:00 - 2013-07-05 19:34 - 00090400 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avgntflt.sys
2013-12-04 15:33 - 2013-09-24 23:18 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2013-12-03 22:51 - 2013-10-22 18:32 - 00000000 ____D C:\Westwood
2013-12-03 20:51 - 2013-10-22 20:43 - 00000000 ____D C:\Program Files\Red Alert
2013-11-25 15:29 - 2013-11-24 09:01 - 105952601 _____ C:\WINDOWS\system32\쪞뵭L
2013-11-25 15:28 - 2013-07-05 19:34 - 00137208 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avipbb.sys
2013-11-25 15:28 - 2013-07-05 19:34 - 00037352 _____ (Avira Operations GmbH & Co. KG) C:\WINDOWS\system32\Drivers\avkmgr.sys
2013-11-24 21:13 - 2013-05-31 20:31 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-24 20:56 - 2013-11-24 20:56 - 00000000 ____D C:\Documents and Settings\admin\My Documents\My Albums
2013-11-24 20:54 - 2005-08-16 04:38 - 00000000 ____D C:\WINDOWS\system32\FxsTmp
2013-11-24 20:49 - 2005-08-16 04:22 - 00000000 ____D C:\WINDOWS\twain_32
2013-11-24 20:16 - 2013-10-21 21:14 - 00000000 ____D C:\Documents and Settings\admin\Application Data\HP
2013-11-23 15:52 - 2013-02-01 03:37 - 00000000 ____D C:\WINDOWS\Minidump
 
Some content of TEMP:
====================
C:\Documents and Settings\admin\Local Settings\temp\avgnt.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== End Of Log ============================


#7 Gunto

    Bleepin' Reject Phoenix

  • Malware Response Team
  • 1,291 posts
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA

Posted 19 December 2013 - 02:45 AM

Hi,

 

Alright, let's look into svchost.exe and see if we can find out what might be causing it to eat up so much memory.

 

SystemLook

 

I need you to run a search with SystemLook.

  • Download SystemLook from here, and save it to your desktop.
  • Double click the file to open it. Copy and paste the text in the following box into the SystemLook text field:

        :filefind
        svchost.exe
        :reg
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

  • Click the Look button.
  • Once the program is done scanning, copy and paste the resulting log into your reply.

Gunto


Beautiful avatar by Plumbeck!

 

Bury me in honor; when I'm dead and hit the ground, a love back home, it unfolds...


#8 Flaarg

  • Topic Starter
  • Members
  • 51 posts

Posted 19 December 2013 - 03:52 PM

Systemlook:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 14:50 on 19/12/2013 by admin
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "svchost.exe"
C:\Documents and Settings\admin\Desktop\mbam chameleon\svchost.exe --a---- 218184 bytes [14:48 15/08/2012] [02:01 05/01/2013] B6381489F9C8612AFFD4A2765ABD341C
C:\i386\svchost.exe --a---- 14336 bytes [21:33 20/12/2006] [11:00 10/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 218184 bytes [00:27 06/06/2012] [19:50 04/04/2013] B4C6E3889BB310CA7E974A04EC6E46AC
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c- 14336 bytes [23:26 05/06/2012] [11:00 10/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\erdnt\cache\svchost.exe --a---- 14336 bytes [23:57 09/06/2013] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------- 14336 bytes [18:52 03/03/2009] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 14336 bytes [10:18 16/08/2005] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a---- 14336 bytes [10:18 16/08/2005] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
 
========== reg ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"HTTPFilter"="HTTPFilter"
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"NetworkService"="DnsCache"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc"
"DcomLaunch"="DcomLaunch TermService"
"rpcss"="RpcSs"
"imgsvc"="StiSvc"
"termsvcs"="TermService"
"HPZ12"="Pml Driver HPZ12 Net Driver HPZ12"
"eapsvcs"="eaphost"
"dot3svc"="dot3svc"
"WudfServiceGroup"="WUDFSvc"
"WINRM"="WINRM"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\WINRM]
 
 
-= EOF =-


#9 Gunto

    Bleepin' Reject Phoenix

  • Malware Response Team
  • 1,291 posts
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA

Posted 21 December 2013 - 07:14 AM

Hi,

 

All of those files and registry entries look ok, so it looks like a good service gone crazy is eating up all your CPU. I'm going to have you check out what service(s) is/are using svchost.exe in normal mode.

 

Process Explorer

 

I need you to check out a process using Process Explorer.

 

  • Download Process Explorer from here, and save it to your desktop.
  • Extract the contents of the zipped file to your desktop.
  • Reboot your PC into normal mode, open up the procexp.exe file on your desktop, and accept the license agreement.
  • Once the program opens up, look for the svchost.exe instance that's eating up all your CPU. If something else seems to be using it and it has a + in front of its process name, click that + to expand it until you find the svchost.exe in question.
  • Hover over that same instance, and take note of the service(s) using the file in the Services: section of the hover-over box. Please tell me the service name(s) in your next reply.

Also, regarding your PM, it hasn't even been forty eight hours since your last response. I'm not late quite yet. :)

 

Gunto


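An added example, not part of the thread and not something Gunto asked for: this PowerShell script does in one pass what the SystemLook query in #8 and the Process Explorer hover in #9 do by hand. It reads the same SvcHost registry key, maps every running svchost.exe to the services WMI reports inside that PID, flags any instance not running from system32, and compares the MD5 of the live svchost.exe with the protected dllcache copy that the SystemLook log lists. It assumes Windows PowerShell with WMI available and an elevated prompt; the dllcache path is an assumption that only holds on Windows XP.

```powershell
# Added example, not from the thread: combine the SystemLook registry query (#8) and the
# Process Explorer "Services:" hover (#9) into one report. Assumes Windows PowerShell with
# WMI; run elevated so CommandLine/ExecutablePath are readable. The dllcache comparison
# is an XP-only assumption (the SystemLook log above shows that copy).

$SvcHostKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$ExpectedPath = Join-Path $env:SystemRoot 'system32\svchost.exe'
$DllCachePath = Join-Path $env:SystemRoot 'system32\dllcache\svchost.exe'   # XP only

function Get-Md5Hex([string]$Path) {
    # Same MD5 that SystemLook prints after each svchost.exe it finds.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-SvcHostGroups {
    # Group name -> service names, exactly as stored under the SvcHost key
    # (e.g. netsvcs = 6to4 AppMgmt AudioSrv ... BITS wuauserv ...).
    $groups = @{}
    $key = Get-Item $SvcHostKey
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        # REG_MULTI_SZ arrives as a string array; a REG_SZ layout is space-separated.
        if ($value -is [string]) { $groups[$name] = @($value -split '\s+') }
        else                     { $groups[$name] = @($value) }
    }
    return $groups
}

function Get-SvcHostReport {
    $groups = Get-SvcHostGroups
    foreach ($p in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
        # The "-k <group>" argument names the group; its members come from the registry.
        $group   = if ($p.CommandLine -match '-k\s+(\S+)') { $matches[1] } else { '' }
        $members = if ($groups.ContainsKey($group)) { $groups[$group] } else { @() }

        # Services actually running inside this PID: this is what Process Explorer
        # lists under "Services:" when you hover over the instance.
        $running = @(Get-WmiObject Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
                     ForEach-Object { $_.Name })

        # CPU time consumed so far; Win32_Process reports it in 100 ns units.
        $cpuSeconds = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)

        # An svchost.exe running from anywhere but system32 deserves a close look.
        $pathOk = ($p.ExecutablePath -ne $null) -and ($p.ExecutablePath -ieq $ExpectedPath)

        New-Object PSObject -Property @{
            PID             = $p.ProcessId
            Group           = $group
            CPUSeconds      = $cpuSeconds
            PathLegit       = $pathOk
            RunningServices = ($running -join ' ')
            GroupMembers    = ($members -join ' ')
        }
    }
}

# Busiest instance first. On the machine in this thread the netsvcs group, which
# holds wuauserv (Automatic Updates) and BITS, is the one to expect at the top.
Get-SvcHostReport | Sort-Object CPUSeconds -Descending |
    Format-Table PID, Group, CPUSeconds, PathLegit, RunningServices -AutoSize -Wrap

# Integrity check of the live binary against the protected copy (XP dllcache).
$liveMd5 = Get-Md5Hex $ExpectedPath
Write-Host "system32\svchost.exe MD5: $liveMd5"
if (Test-Path $DllCachePath) {
    $cacheMd5 = Get-Md5Hex $DllCachePath
    if ($liveMd5 -eq $cacheMd5) { Write-Host 'Matches the dllcache copy.' }
    else { Write-Warning "dllcache copy differs ($cacheMd5); verify the file before trusting it." }
}
```

Because a hosted service that is misbehaving shows up as CPU charged to the whole svchost.exe, the per-PID service list is what lets you narrow a 99% instance down to one service the way Flaarg did by stopping and starting Automatic Updates.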


#10 Flaarg

  • Topic Starter
  • Members
  • 51 posts

Posted 21 December 2013 - 04:35 PM

Here are the services:

 

Automatic Updates
Background Intelligent Transfer Service
CryptSvc
COM+ Event System
DHCP Client
Distributed Link Tracking Client
Error Reporting Service
Fast User Switching
Help and Support
Logical Disk Manager
Network Connections
Network Location Awareness
Remote Access Connection Manager
Security Center
Secondary Logon
System Event Notification
Server
Shell Hardware Detection
System Restore Service
Telephony
Task Scheduler
Themes
Windows Time
Windows Management Instrumentation
Windows Audio
Workstation
Windows Firewall/Internet Connection Sharing
Wireless Zero Configuration

 

A quick status update on my computer: I noticed that svchost was fluctuating more than before; rather than staying at 99% CPU, it would go down to normal and then go back up. I did some sleuthing and I strongly believe it is Automatic Updates: when I turn it off and start it back up again, svchost starts eating up all the CPU, but when I turn it off, svchost no longer eats up the CPU. I can't be 100% sure because it wasn't completely stuck at 99% like before; however, the fact that I'm typing this post in normal mode, as opposed to safe mode for my previous posts, tells me I'm likely right.



#11 Gunto

    Bleepin' Reject Phoenix

  • Malware Response Team
  • 1,291 posts
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA

Posted 23 December 2013 - 06:02 AM

Hi,

 

Thanks for going through the trouble of finding out exactly which service is the problem. The Farbar Service Scanner log you provided in your previous thread seems to show that the file required for this service is legitimate, so for now I am going to have you reset the service's configuration to default and see how that works.

 

ERUNT

I need you to backup your registry using ERUNT.

  • Download the ERUNT installer from here, and save it to your desktop.
  • Double click the installer to start the installation. Follow the prompts and let the program install.
  • Now, open up ERUNT by clicking the shortcut on your desktop by the same name. Follow the prompts to complete the backup, and you're finished.

Next, please download this file to your desktop. Double click it and allow the contents to merge with your registry. Reboot, and then please let me know how svchost.exe is behaving afterwards.

 

Gunto




#12 Flaarg

  • Topic Starter
  • Members
  • 51 posts

Posted 23 December 2013 - 03:59 PM

That seems to have done the trick, svchost is acting normal now. Thank you!!!!



#13 Gunto

    Bleepin' Reject Phoenix

  • Malware Response Team
  • 1,291 posts
  • Gender:Female
  • Location:North Las Vegas, Nevada, USA

Posted 24 December 2013 - 07:51 AM

Hi,

 

Excellent! :thumbup2: Now, to make sure nothing is left hiding, I'd like you to run an MBAM scan.

 

Malwarebytes

I need you to run a scan with Malwarebytes Anti-Malware.

  • Double-click the MBAM shortcut on your desktop to open MBAM.
  • Click the Update tab, and check for updates. If a new version of MBAM is included in the update, follow the prompts and install it.
  • Once the program is done updating, select the Perform full scan option on the main interface. Then click the Scan button, hit Scan, and let the scan run.
  • Once the scan is finished, a log will pop up. If any malware was found, click the Show Results button, and make sure everything present is checked and click Remove Selected. If MBAM asks you to reboot, do so immediately. Either way, please copy and paste the log into your reply. If your PC is rebooted, you can find the log by opening up MBAM and going to the Logs tab.

Let me know if things are still running well.

 

Gunto




#14 Flaarg

  • Topic Starter
  • Members
  • 51 posts

Posted 24 December 2013 - 10:57 AM

Won't be able to run the scan until Thursday when I get back.



#15 Flaarg

  • Topic Starter
  • Members
  • 51 posts

Posted 27 December 2013 - 02:32 PM

Just ran the scan, MBAM came up clean.



