Virus removal attempted.Unable to boot up.Rootkit suspected


This topic is locked
19 replies to this topic

#1 Phil in USA (Members)

Posted 18 April 2014 - 04:00 PM

I have a roughly 10-year-old Dell Win XP Pro SP3 32-bit machine that I suspect has a rootkit virus that runs the CPU at 100%. (That virus appears under the name svchost.exe. Process Explorer shows this as its only name. There are other svchost.exe files running as well, and when I stop this file from running the machine runs OK for a while, but eventually the virus creeps back in to run the CPU at 100% again. My MS security update is turned off so I don't think it is due to the Windows XP update screwup - but who knows? The problem seemed to begin after an update, but I wasn't there when the automatic update occurred.) This is the root problem I had been working on for a while, but now I have a startup problem that is either due to the virus or to hardware.

Today, after running Malwarebytes' special rootkit removal program, it won't boot up. It gives the message "DCOM server process launcher service terminated unexpectedly. Shutdown initiated..."

The startup problem had symptoms earlier. I had run a variety of antivirus programs - Malwarebytes, SUPERAntiSpyware, HitmanPro and some others - and yesterday a new message on startup said: "Windows could not start due to computer disk hardware config problem... could not read from the selected boot disk... check boot path and disk hardware." I then created a Windows recovery disk and ran it, and it seemed to clean the boot-up files, but the main problem of the 100% CPU virus was still there.

Anyway, today I ran Malwarebytes' special rootkit program. The recent update identified a file called rpcss.dll as "Trojan.Zekos.Patchedxp3" (this was confirmed by HitmanPro) and I authorized removal. But on restart the machine failed to boot back up. I tried to use the recovery disk again. On the recovery option it takes me to the C:\ drive and shows only 7 files. That drive now looks a little bit similar to the external Seagate backup drive - the E drive. If I type map it shows c: ntfs, e: ntfs, d: ntfs, a:, and f: - the DVD drive. But I see no directories, and it denies access if I try to access a file on any drive - even the external drive. I was trying to get to c:\windows\windows32\ to replace the old rpcss.dll (Trojan) with a clean version.

 

I don't know whether the problem involves the rootkit/virus issue or whether the hard drive itself has gone bad. 

 

I would appreciate any suggestions.

Thanks

Phil


Edited by hamluis, 18 April 2014 - 04:49 PM.
Moved from XP to Am I Infected - Hamluis.



#2 boopme (Global Moderator)

Posted 18 April 2014 - 07:45 PM

Hi Phil, another member who handles these will respond here. It may not be tonight.

You will probably need a Flash drive or CD drive and access to another computer.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 JSntgRvr (Malware Response Team)

Posted 18 April 2014 - 08:57 PM

Welcome!

Do you have the installation for XP so we can create a bootable CD?

Can you boot in Safe Mode with Command Prompt?


Edited by JSntgRvr, 18 April 2014 - 09:03 PM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 boopme (Global Moderator)

Posted 18 April 2014 - 10:57 PM

Hello, just letting you know I moved this topic to here in the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#5 Phil in USA (Topic Starter)

Posted 22 April 2014 - 03:34 PM

I do not have the original Win XP Pro disk for this machine, but I do have a spare Win XP Pro disk lying around. I cannot boot in Safe Mode. I made a recovery disk from a site on the internet for Win XP (not Pro).

Phil



#6 JSntgRvr (Malware Response Team)

Posted 22 April 2014 - 07:37 PM

We need to try and boot your computer using the Ultimate Boot CD for Windows (UBCD4win)

Please print this guide for future reference!

You will need: a blank CD, a Windows XP CD, a clean computer, and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

Step 1 - creating the ISO file

1. Please select a mirror and download the Ultimate Boot CD for Windows to your Desktop

  • Double-Click on the UBCD4Win.exe that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up
  • Note: Do not install to a folder with spaces in its name, it is best to use the default C:\UBCD4Win
  • Note: Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read here for information regarding the files that normally trigger AV software.
  • At the very end, uncheck "Run UBCD4WinBuilder.exe when installation is complete", then click Finish

2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive

  • Open My Computer, navigate to: C:\ubcd4win
  • Double-click on UBCD4WinBuilder.exe
  • Click I Agree to the UBCD4Win PE Builder License
  • Click No when prompted to Search for Windows installation files
  • For Source: click on the ellipsis (...), then click on the drive with your Windows XP CD, then press Ok
  • For Custom: no information is necessary, leave blank
  • For Output: keep the default BartPE
  • For Media output select Create ISO image: (enter filename)

Note: you can leave the default file name and path as well (C:\UBCD4Win\UBCD4WinBuilder.iso), but if you do change it make sure it is a folder without spaces in the name

  • Note: If your XP install disc is SP1 then please click the Plugins button and modify the following options:

Click on each option, then click Enable/Disable so the correct value is displayed.
 
Disabled - !Critical: DComLaunch Service [Building with XP SP1-DISABLE]
Enabled - !Critical: LargeIDE Fix (KB331958) [Building with XP SP1-ENABLE]

3. Click on the "Build" button

  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

4. Burn your ISO file to CD

==========

Step 2 - downloading Farbar's Recovery Scan Tool (FRST)

Next, from your clean computer, download Farbar Recovery Scan Tool and save it to your flash drive.

note: you will need the 32-bit version to run with UBCD4Win

Now plug your flash drive back into your sick computer and move on to the next step.

==========

Step 3 - booting to the UBCD4Win CD

Restart Your sick Computer Using the UBCD4Win Disc That You Have Created

  • Insert the UBCD4Win disc in to one of your CD/DVD drives
  • Restart your computer, the computer should choose to boot from the UBCD4Win CD automatically
  • If it doesn't and you are asked if you want to boot from CD, then choose that option

note: more information on booting from CD can be obtained here

  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter
  • It may take a little longer for the desktop to appear than it does when you start your computer normally, just let the process run itself until the desktop appears
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?, click Yes
  • You should now see the UBCD4Win desktop

==========
 
Step 4 - running the FRST scan

  • Single click My computer from your UBCD4Win desktop to navigate to the Farbar Recovery Scan Tool (FRST.exe) you saved to your flash drive.
  • Double click on FRST.exe to begin running the tool
  • When the tool opens click Yes to disclaimer

note: if prompted to download the latest version, please do so from the link in Step 2

  • Click on the Scan button
  • It will make a log (FRST.txt) on the flash drive, close it and safely remove the USB drive
  • Insert the USB drive into your clean computer and post the log in your next reply



#7 Phil in USA (Topic Starter)

Posted 24 April 2014 - 01:03 PM

Thank you very much for your help. Here is the log:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-04-2014
Ran by SYSTEM on BARTPE-30405 on 24-04-2014 13:56:59
Running from E:\
Microsoft Windows XP Service Pack 2 (X86) OS Language: Georgian
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet003

ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [61440 2010-02-11] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [PWRISOVM.EXE] => D:\Program Files\PowerISO\PWRISOVM.EXE [180224 2009-11-09] (PowerISO Computing, Inc.)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [MaxMenuMgr] => C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [185640 2009-09-26] (Seagate LLC)
HKLM\...\Run: [TraySantaCruz] => C:\WINDOWS\system32\tbctray.exe [290816 2002-04-17] (Voyetra Turtle Beach, Inc.)
Winlogon\Notify\AtiExtEvent: C:\Windows\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKLM\...\Policies\Explorer: [NoSetTaskBar] 0
HKLM\...\Policies\Explorer: [NoFileMenu] 0
HKLM\...\Policies\Explorer: [NoNetworkConnections] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0x00000000
HKLM\...\Policies\Explorer: [MaxRecentDocs] 0
HKLM\...\Policies\Explorer: [NoNetConnectDisconnect] 0
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 0
HKLM\...\Policies\Explorer: [NoRecentDocsHistory] 0x00000000
HKLM\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x00000000
HKLM\...\Policies\Explorer: [NoStartBanner] 0x00000000
HKLM\...\Policies\Explorer: [NoWinKey] 0
HKLM\...\Policies\Explorer: [NoNetConnextDisconnect] 0
HKLM\...\Policies\Explorer: [NoSMConfigurePrograms] 0
HKLM\...\Policies\Explorer: [NoControlPanle] 0
Lsa: [Authentication Packages] msv1_0 nwprovau
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WNDA3100v2 Smart Wizard.lnk
ShortcutTarget: NETGEAR WNDA3100v2 Smart Wizard.lnk -> C:\PROGRAMS\NETGEAR\WNDA3100v2\WNDA3100v2.exe (No File)

========================== Services (Whitelisted) =================

S2 !SASCORE; D:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2011-09-02] (SUPERAntiSpyware.com)
S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2010-02-11] ()
S2 FoxitCloudUpdateService; C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [239680 2014-02-19] (Foxit Corporation)
S2 FreeAgentGoNext Service; C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe [189736 2009-09-26] (Seagate Technology LLC)
S2 KMService; C:\WINDOWS\system32\srvany.exe [8192 2010-10-24] ()
S3 Microsoft SharePoint Workspace Audit Service; D:\Program Files\Microsoft Office\Office14\GROOVE.EXE [30814400 2013-12-19] (Microsoft Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
S2 NWCWorkstation; C:\Windows\System32\nwwks.dll [65536 2008-04-14] (Microsoft Corporation)
S2 WSWNDA3100; C:\Program Files\NETGEAR\WNDA3100v2\WifiSvc.exe [278528 2009-11-04] ()

==================== Drivers (Whitelisted) ====================

S1 A2DDA; C:\Documents and Settings\owner\My Documents\Virus Removal Resources\Run\a2ddax86.sys [17904 2012-11-05] (Emsi Software GmbH)
S1 ATITool; C:\Windows\System32\DRIVERS\ATITool.sys [24064 2006-11-10] ()
S3 BCMH43XX; C:\Windows\System32\DRIVERS\bcmwlhigh5.sys [632576 2009-05-05] (Broadcom Corporation)
S3 gameenum; C:\Windows\System32\DRIVERS\gameenum.sys [10624 2008-04-14] (Microsoft Corporation)
S3 hidgame; C:\Windows\System32\DRIVERS\hidgame.sys [8576 2001-08-17] (Microsoft Corporation)
S1 IDMTDI; C:\Windows\System32\DRIVERS\idmtdi.sys [121184 2013-11-28] (Tonec Inc.)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
S2 NwlnkIpx; C:\Windows\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-13] (Microsoft Corporation)
S2 NwlnkNb; C:\Windows\System32\DRIVERS\nwlnknb.sys [63232 2001-08-23] (Microsoft Corporation)
S2 NwlnkSpx; C:\Windows\System32\DRIVERS\nwlnkspx.sys [55936 2001-08-23] (Microsoft Corporation)
S3 NWRDR; C:\Windows\System32\DRIVERS\nwrdr.sys [163584 2008-04-13] (Microsoft Corporation)
S1 SASDIFSV; D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-09-02] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-09-02] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 tbcspud; C:\Windows\System32\drivers\tbcspud.sys [144768 2002-04-17] (Voyetra Turtle Beach)
S3 tbcwdm; C:\Windows\System32\drivers\tbcwdm.sys [545088 2002-04-17] (Voyetra Turtle Beach)
S3 vtdg46xx; C:\Program Files\Turtle Beach\Santa Cruz\Control Panel\vtdg46xx.sys [19232 2002-03-21] ()
S3 w89c940; C:\Windows\System32\DRIVERS\w940nd.sys [16925 2001-08-17] (Winbond Electronics Corporation)
S3 catchme; \??\C:\DOCUME~1\owner\LOCALS~1\Temp\catchme.sys [X]
S3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [X]
S0 vsseplm; System32\drivers\agdc.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\FRST
2014-04-18 16:25 - 2014-04-18 16:25 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-04-18 16:23 - 2014-04-18 18:55 - 00000000 ____D () C:\Documents and Settings\owner\Desktop\mbar
2014-04-18 04:28 - 2014-04-18 04:28 - 00000000 ____S () C:\Windows\System32\enymclw.vdu
2014-04-17 23:34 - 2014-04-17 23:35 - 00001604 _____ () C:\Windows\setupapi.log
2014-04-16 04:20 - 2014-04-16 04:20 - 00000000 ____S () C:\Windows\System32\qqma.syk
2014-04-16 00:19 - 2014-04-16 02:46 - 00003345 _____ () C:\Windows\KB2898785-IE8.log
2014-04-15 21:34 - 2014-03-07 03:53 - 02925760 _____ (Sysinternals - www.sysinternals.com) C:\procexp.exe
2014-04-15 21:17 - 2014-04-19 20:18 - 00017918 _____ () C:\Windows\SchedLgU.Txt
2014-04-15 20:09 - 2014-04-15 20:09 - 00002643 _____ () C:\Documents and Settings\owner\Desktop\RKreport[0]_D_04152014_160945.txt
2014-04-15 20:06 - 2014-04-15 20:06 - 00002587 _____ () C:\Documents and Settings\owner\Desktop\RKreport[0]_S_04152014_144803-Apr15-2014.txt
2014-04-15 18:48 - 2014-04-15 18:48 - 00002587 _____ () C:\Documents and Settings\owner\Desktop\RKreport[0]_S_04152014_144803.txt
2014-04-15 18:33 - 2014-04-19 20:18 - 00010049 _____ () C:\Windows\WindowsUpdate.log
2014-04-11 03:06 - 2014-04-11 03:06 - 00000520 _____ () C:\Windows\System32\.crusader
2014-04-09 19:06 - 2014-04-09 19:06 - 00000000 ____S () C:\Windows\System32\jthvhfp.syr
2014-04-08 19:03 - 2014-04-08 19:03 - 00000000 ____S () C:\Windows\System32\vsfl.okh
2014-04-04 04:54 - 2014-04-18 18:37 - 00000084 _____ () C:\Windows\System32\fnlps.czd
2014-04-04 04:43 - 2014-04-04 04:43 - 00000064 _____ () C:\Windows\System32\ygcm.fhr
2014-04-04 04:43 - 2014-04-04 04:43 - 00000000 _____ () C:\Windows\System32\fpncjn.pau
2014-04-04 04:26 - 2014-04-04 04:26 - 00305834 ____S () C:\Windows\System32\yiovcr.gkx
2014-04-01 23:10 - 2014-04-01 23:10 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Laplink
2014-04-01 22:51 - 2014-04-01 22:51 - 00001727 _____ () C:\Documents and Settings\All Users\Desktop\Laplink PCmover Express for Windows XP.lnk
2014-04-01 22:50 - 2014-04-01 22:50 - 00000000 ____D () C:\Program Files\Laplink
2014-04-01 22:50 - 2014-04-01 22:50 - 00000000 ____D () C:\Program Files\Common Files\Laplink
2014-03-29 04:02 - 2014-03-29 04:02 - 00000728 _____ () C:\Documents and Settings\All Users\Desktop\YTD Video Downloader.lnk
2014-03-29 04:02 - 2014-03-29 04:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\YTD Video Downloader

==================== One Month Modified Files and Folders =======

2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\FRST
2014-04-19 20:18 - 2014-04-15 21:17 - 00017918 _____ () C:\Windows\SchedLgU.Txt
2014-04-19 20:18 - 2014-04-15 18:33 - 00010049 _____ () C:\Windows\WindowsUpdate.log
2014-04-19 20:18 - 2010-10-24 00:21 - 00000178 ___SH () C:\Documents and Settings\owner\ntuser.ini
2014-04-19 20:04 - 2001-08-23 11:00 - 00002206 _____ () C:\Windows\System32\wpa.dbl
2014-04-18 18:56 - 2010-10-24 16:06 - 00524288 _____ () C:\Windows\System32\config\ACEEvent.evt
2014-04-18 18:55 - 2014-04-18 16:23 - 00000000 ____D () C:\Documents and Settings\owner\Desktop\mbar
2014-04-18 18:52 - 2012-03-26 03:10 - 00000664 _____ () C:\Windows\System32\d3d9caps.dat
2014-04-18 18:37 - 2014-04-04 04:54 - 00000084 _____ () C:\Windows\System32\fnlps.czd
2014-04-18 16:25 - 2014-04-18 16:25 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-04-18 16:23 - 2013-07-19 19:33 - 00052312 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-04-18 16:08 - 2010-10-24 00:35 - 00000000 ____D () C:\Documents and Settings\owner\My Documents\Phil Files
2014-04-18 04:28 - 2014-04-18 04:28 - 00000000 ____S () C:\Windows\System32\enymclw.vdu
2014-04-17 23:35 - 2014-04-17 23:34 - 00001604 _____ () C:\Windows\setupapi.log
2014-04-17 19:23 - 2010-10-23 19:51 - 00000314 __RSH () C:\boot.ini
2014-04-17 04:30 - 2010-10-29 03:36 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-04-16 13:03 - 2013-02-18 17:27 - 00000000 ____D () C:\Documents and Settings\owner\Application Data\DMCache
2014-04-16 13:02 - 2010-10-24 14:39 - 00000116 _____ () C:\Windows\NeroDigital.ini
2014-04-16 04:20 - 2014-04-16 04:20 - 00000000 ____S () C:\Windows\System32\qqma.syk
2014-04-16 03:44 - 2010-10-24 15:17 - 00000000 ____D () C:\Documents and Settings\owner\Application Data\Media Player Classic
2014-04-16 02:46 - 2014-04-16 00:19 - 00003345 _____ () C:\Windows\KB2898785-IE8.log
2014-04-15 21:17 - 2014-03-07 06:40 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-04-15 21:14 - 2012-11-06 23:51 - 00196608 _____ () C:\Windows\System32\config\SpybotSD.evt
2014-04-15 20:43 - 2010-10-24 00:34 - 00000081 _____ () C:\Windows\WinInit.INI
2014-04-15 20:42 - 2012-11-06 23:51 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2014-04-15 20:09 - 2014-04-15 20:09 - 00002643 _____ () C:\Documents and Settings\owner\Desktop\RKreport[0]_D_04152014_160945.txt
2014-04-15 20:09 - 2014-03-11 02:27 - 00000000 ____D () C:\Documents and Settings\owner\Desktop\RK_Quarantine
2014-04-15 20:06 - 2014-04-15 20:06 - 00002587 _____ () C:\Documents and Settings\owner\Desktop\RKreport[0]_S_04152014_144803-Apr15-2014.txt
2014-04-15 18:48 - 2014-04-15 18:48 - 00002587 _____ () C:\Documents and Settings\owner\Desktop\RKreport[0]_S_04152014_144803.txt
2014-04-15 14:28 - 2001-08-23 11:00 - 00000552 _____ () C:\Windows\win.ini
2014-04-15 14:28 - 2001-08-23 11:00 - 00000246 _____ () C:\Windows\system.ini
2014-04-15 14:17 - 2013-02-18 17:27 - 00000000 ____D () C:\Program Files\Internet Download Manager
2014-04-15 14:09 - 2013-02-18 17:27 - 00000000 ____D () C:\Documents and Settings\owner\Application Data\IDM
2014-04-11 04:15 - 2010-10-24 09:30 - 00002379 _____ () C:\Documents and Settings\owner\Desktop\Microsoft Word 2010.lnk
2014-04-11 03:06 - 2014-04-11 03:06 - 00000520 _____ () C:\Windows\System32\.crusader
2014-04-11 01:00 - 2010-10-25 19:03 - 00000000 ____D () C:\Documents and Settings\owner\My Documents\Outlook Files
2014-04-09 19:06 - 2014-04-09 19:06 - 00000000 ____S () C:\Windows\System32\jthvhfp.syr
2014-04-08 21:35 - 2010-11-05 22:34 - 00000000 ____D () C:\Documents and Settings\owner\dwhelper
2014-04-08 19:03 - 2014-04-08 19:03 - 00000000 ____S () C:\Windows\System32\vsfl.okh
2014-04-04 04:43 - 2014-04-04 04:43 - 00000064 _____ () C:\Windows\System32\ygcm.fhr
2014-04-04 04:43 - 2014-04-04 04:43 - 00000000 _____ () C:\Windows\System32\fpncjn.pau
2014-04-04 04:26 - 2014-04-04 04:26 - 00305834 ____S () C:\Windows\System32\yiovcr.gkx
2014-04-03 07:03 - 2013-08-27 00:37 - 00001917 _____ () C:\Windows\epplauncher.mif
2014-04-03 07:01 - 2013-08-27 00:34 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-04-01 23:10 - 2014-04-01 23:10 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Laplink
2014-04-01 22:51 - 2014-04-01 22:51 - 00001727 _____ () C:\Documents and Settings\All Users\Desktop\Laplink PCmover Express for Windows XP.lnk
2014-04-01 22:50 - 2014-04-01 22:50 - 00000000 ____D () C:\Program Files\Laplink
2014-04-01 22:50 - 2014-04-01 22:50 - 00000000 ____D () C:\Program Files\Common Files\Laplink
2014-04-01 22:49 - 2012-12-28 18:52 - 00000000 ____D () C:\Documents and Settings\owner\Local Settings\Application Data\Downloaded Installations
2014-04-01 06:50 - 2012-04-03 18:20 - 00000000 ____D () C:\Documents and Settings\owner\Application Data\vlc
2014-04-01 05:42 - 2010-10-24 09:30 - 00002385 _____ () C:\Documents and Settings\owner\Desktop\Microsoft Outlook 2010.lnk
2014-03-29 04:02 - 2014-03-29 04:02 - 00000728 _____ () C:\Documents and Settings\All Users\Desktop\YTD Video Downloader.lnk
2014-03-29 04:02 - 2014-03-29 04:02 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\YTD Video Downloader
2014-03-29 04:02 - 2010-12-27 01:30 - 00000000 ____D () C:\Program Files\YouTube Downloader

Some content of TEMP:
====================

C:\Documents and Settings\owner\Local Settings\Temp\ntdll_dump.dll
C:\Documents and Settings\owner\Local Settings\Temp\Quarantine.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2008-04-14 04:42] - [2009-02-09 12:10] - 0405504 ____A (Microsoft Corporation) e5bd773c5efcbddd35266d976866f57e
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2014-04-18 18:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP51
RP: -> 2014-04-17 04:10 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP50
RP: -> 2014-04-16 00:21 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP49
RP: -> 2014-04-14 22:21 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP48
RP: -> 2014-04-13 05:32 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP47
RP: -> 2014-04-11 21:46 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP46
RP: -> 2014-04-10 03:42 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP44
RP: -> 2014-04-09 19:13 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP43
RP: -> 2014-04-08 19:09 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP42
RP: -> 2014-04-08 04:56 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP41
RP: -> 2014-04-07 04:56 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP40
RP: -> 2014-04-06 08:32 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP39
RP: -> 2014-04-06 04:56 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP38
RP: -> 2014-04-05 04:56 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP37
RP: -> 2014-04-04 05:01 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP36
RP: -> 2014-04-03 07:00 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP35
RP: -> 2014-04-02 22:47 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP34
RP: -> 2014-04-01 22:50 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP33
RP: -> 2014-04-01 03:58 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP32
RP: -> 2014-03-31 03:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP31
RP: -> 2014-03-30 09:06 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP30
RP: -> 2014-03-30 03:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP29
RP: -> 2014-03-29 03:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP28
RP: -> 2014-03-28 03:53 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP27
RP: -> 2014-03-27 03:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP26
RP: -> 2014-03-26 03:59 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP25
RP: -> 2014-03-25 03:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP24
RP: -> 2014-03-24 03:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP23
RP: -> 2014-03-23 09:07 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP22
RP: -> 2014-03-23 03:53 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP21
RP: -> 2014-03-22 07:00 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP20
RP: -> 2014-03-22 03:54 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP19
RP: -> 2014-03-21 08:47 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP18
RP: -> 2014-03-20 07:51 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP17
RP: -> 2014-03-19 07:52 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP16
RP: -> 2014-03-19 00:15 - 024576 _restore{A1914A7E-C9B9-4765-922E-2218080AAD51}\RP15

==================== Memory info ===========================

Percentage of memory in use: 35%
Total physical RAM: 2046.8 MB
Available physical RAM: 1316.13 MB
Total Pagefile: 1877.42 MB
Available Pagefile: 1344.18 MB
Total Virtual: 2047.88 MB
Available Virtual: 1999.54 MB

==================== Drives ================================
Drive b: (RAMDisk) (Fixed) (Total:0.5 GB) (Free:0.5 GB) FAT
Drive c: (Windows) (Fixed) (Total:71.58 GB) (Free:18 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (Programs) (Fixed) (Total:71.58 GB) (Free:2.49 GB) NTFS
Drive e: () (Fixed) (Total:3.73 GB) (Free:3.72 GB) FAT32
Drive x: (UBCD4Windows) (CDROM) (Total:0.64 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows XP) (Size: 72 GB) (Disk ID: BC38BC38)
Partition 1: (Active) - (Size=72 GB) - (Type=07 NTFS)

========================================================

Disk: 2 (MBR Code: Windows XP) (Size: 72 GB) (Disk ID: F47DF47D)
Partition 1: (Not Active) - (Size=72 GB) - (Type=07 NTFS)

========================================================

Disk: 3 (Size: 4 GB) (Disk ID: 471D15AD)
Partition 1: (Not Active) - (Size=4 GB) - (Type=0B)

==================== End Of Log ============================

Edited by JSntgRvr, 24 April 2014 - 04:52 PM.
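The FRST log above is where the helper's fixlist comes from: every System32 file it later lists (enymclw.vdu, qqma.syk, .crusader and so on) is visible in the "One Month Created Files and Folders" section as a randomly named file with an extension Windows never ships, often with the System attribute set (the ____S flag) and no company or version information. The Python script below is an added example, not FRST's code and not anything JSntgRvr posted; it parses that section's line format and applies those heuristics. The sample lines are copied from the log above (a subset, with a few benign entries kept for contrast); the allow-list of System32 extensions is an assumption of the example and would need tuning on a real machine.

```python
import re
from collections import namedtuple

# Sample input: lines copied from the "One Month Created Files and Folders"
# section of the FRST.txt posted above (a subset, with a few benign entries
# kept for contrast). The line format is exactly what FRST emits.
SAMPLE_FRST_LINES = r"""
2014-04-24 13:56 - 2014-04-24 13:56 - 00000000 ____D () C:\FRST
2014-04-18 16:25 - 2014-04-18 16:25 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-04-18 04:28 - 2014-04-18 04:28 - 00000000 ____S () C:\Windows\System32\enymclw.vdu
2014-04-17 23:34 - 2014-04-17 23:35 - 00001604 _____ () C:\Windows\setupapi.log
2014-04-16 04:20 - 2014-04-16 04:20 - 00000000 ____S () C:\Windows\System32\qqma.syk
2014-04-15 21:34 - 2014-03-07 03:53 - 02925760 _____ (Sysinternals - www.sysinternals.com) C:\procexp.exe
2014-04-11 03:06 - 2014-04-11 03:06 - 00000520 _____ () C:\Windows\System32\.crusader
2014-04-09 19:06 - 2014-04-09 19:06 - 00000000 ____S () C:\Windows\System32\jthvhfp.syr
2014-04-08 19:03 - 2014-04-08 19:03 - 00000000 ____S () C:\Windows\System32\vsfl.okh
2014-04-04 04:54 - 2014-04-18 18:37 - 00000084 _____ () C:\Windows\System32\fnlps.czd
2014-04-04 04:43 - 2014-04-04 04:43 - 00000064 _____ () C:\Windows\System32\ygcm.fhr
2014-04-04 04:43 - 2014-04-04 04:43 - 00000000 _____ () C:\Windows\System32\fpncjn.pau
2014-04-04 04:26 - 2014-04-04 04:26 - 00305834 ____S () C:\Windows\System32\yiovcr.gkx
2014-04-01 22:50 - 2014-04-01 22:50 - 00000000 ____D () C:\Program Files\Laplink
"""

# One FRST file line: created - modified - size attrs (company) path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>.*?)\) "
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Extensions Windows itself places directly in System32. This allow-list is an
# assumption of the example, not something FRST or Windows publishes; anything
# outside it is a prompt to look, not a verdict.
KNOWN_SYSTEM32_EXT = {
    "dll", "exe", "sys", "ocx", "drv", "cpl", "scr", "com", "ax", "acm", "ime",
    "tlb", "nls", "msc", "mui", "ini", "dat", "log", "txt", "xml", "cat", "inf",
    "manifest", "bin",
}

Finding = namedtuple("Finding", "path size attrs created reasons")


def triage(lines, target_dir=r"C:\Windows\System32"):
    """Return entries created directly in target_dir that look dropped rather
    than installed: random name with an unknown extension, or a dot-prefixed
    name, with System attribute and missing version info as supporting evidence."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # section headers, blank lines, etc.
        e = m.groupdict()
        if "D" in e["attrs"]:             # directory entry
            continue
        folder, _, name = e["path"].rpartition("\\")
        if folder.lower() != target_dir.lower():
            continue                      # subfolders such as Drivers are skipped
        reasons = []
        if name.startswith("."):
            reasons.append("dot-prefixed name, unusual for a Windows system file")
        else:
            ext = name.rpartition(".")[2].lower() if "." in name else ""
            if ext not in KNOWN_SYSTEM32_EXT:
                reasons.append(f"extension '.{ext}' is not one Windows ships in System32")
        if not reasons:
            continue
        if "S" in e["attrs"]:
            reasons.append("System attribute set (hidden in a default Explorer view)")
        if not e["company"]:
            reasons.append("no version/company information")
        findings.append(Finding(e["path"], int(e["size"]), e["attrs"],
                                e["created"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST_LINES.strip().splitlines()):
        print(f"{f.created}  {f.size:>8}  {f.attrs}  {f.path}")
        for r in f.reasons:
            print(f"{'':>34}- {r}")
```

Run as a script it prints nine findings, and those nine paths are the eight files plus .crusader that the fixlist shown in reply #9 removes. It only looks at the System32 directory itself (the Drivers subfolder, where the signed MBAMSwissArmy.sys lives, is skipped), and an unknown extension is a reason to inspect, not a verdict: the helper's judgement is still what decides the fixlist.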


#8 JSntgRvr (Malware Response Team)

Posted 24 April 2014 - 05:12 PM

First step:

Download the enclosed file. [attachment=149750:fixlist.txt]

Save it in the same location FRST was saved (Flash drive)

Open FRST and click on the Fix button.

The tool will make a log in the same location FRST is saved (Fixlog.txt), Please post it to your reply.

Second step:

Type the following in the edit box on FRST, after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click Search button and post the log (Search.txt) it makes on the USB drive in your next reply.




#9 Phil in USA (Topic Starter)

Posted 24 April 2014 - 06:24 PM

Here are the results of fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-04-2014
Ran by SYSTEM at 2014-04-24 19:15:01 Run:1
Running from E:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Start
S3 catchme; \??\C:\DOCUME~1\owner\LOCALS~1\Temp\catchme.sys [X]
S3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [X]
S0 vsseplm; System32\drivers\agdc.sys [X]
C:\Windows\System32\enymclw.vdu
C:\Windows\System32\qqma.syk
C:\Windows\System32\jthvhfp.syr
C:\Windows\System32\vsfl.okh
C:\Windows\System32\fnlps.czd
C:\Windows\System32\ygcm.fhr
C:\Windows\System32\fpncjn.pau
C:\Windows\System32\yiovcr.gkx
File: C:\Windows\System32\.crusader
End
*****************

 

Here is result of search.txt:

Farbar Recovery Scan Tool (x86) Version: 24-04-2014
Ran by SYSTEM at 2014-04-24 19:16:15
Running from E:\
Boot Mode: Recovery

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2008-04-14 04:42] - [2009-02-09 12:10] - 0405504 ____A (Microsoft Corporation) e5bd773c5efcbddd35266d976866f57e

C:\WINDOWS\system32\dllcache\rpcss.dll
[2008-04-14 04:42] - [2009-02-09 12:10] - 0405504 ___AC (Microsoft Corporation) e5bd773c5efcbddd35266d976866f57e

C:\WINDOWS\erdnt\cache\rpcss.dll
[2013-08-26 19:24] - [2009-02-09 12:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2010-10-24 02:23] - [2008-04-14 04:42] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2010-10-24 01:02] - [2009-02-09 10:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

X:\I386\SYSTEM32\RPCSS.DLL
[2008-04-14 04:42] - [2008-04-14 04:42] - 0399360 ____R (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

=== End Of Search ===

 

Thanks.
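To show how the copies listed in a Search.txt like the one above can be compared, here is an added example (not part of this thread and not FRST's own code) that parses the FRST search output and flags copies sharing a modification timestamp but differing in size or MD5; the sample text is constructed from the entries posted above.

```python
import re
from collections import defaultdict

# Constructed sample in FRST "Search:" output format (blank lines omitted).
SEARCH_TXT = r"""
================== Search: "rpcss.dll" ===================
C:\WINDOWS\system32\rpcss.dll
[2008-04-14 04:42] - [2009-02-09 12:10] - 0405504 ____A (Microsoft Corporation) e5bd773c5efcbddd35266d976866f57e
C:\WINDOWS\system32\dllcache\rpcss.dll
[2008-04-14 04:42] - [2009-02-09 12:10] - 0405504 ___AC (Microsoft Corporation) e5bd773c5efcbddd35266d976866f57e
C:\WINDOWS\erdnt\cache\rpcss.dll
[2013-08-26 19:24] - [2009-02-09 12:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c
C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2010-10-24 02:23] - [2008-04-14 04:42] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2010-10-24 01:02] - [2009-02-09 10:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2
X:\I386\SYSTEM32\RPCSS.DLL
[2008-04-14 04:42] - [2008-04-14 04:42] - 0399360 ____R (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509
=== End Of Search ===
"""

# One FRST detail line: [created] - [modified] - size attrs (company) md5
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)

def parse_search(text):
    """Return one dict per file copy: path, created, modified, size, attrs, company, md5."""
    entries, pending_path = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):   # header / footer / blank
            continue
        m = DETAIL.match(line)
        if m and pending_path:
            d = m.groupdict()
            d.update(path=pending_path, size=int(d["size"]), md5=d["md5"].lower())
            entries.append(d)
            pending_path = None
        else:
            pending_path = line                  # a path line precedes its detail line
    return entries

def inconsistent_groups(entries):
    """Copies that share a modification timestamp should be identical builds;
    return {timestamp: copies} for timestamps with more than one (size, md5) variant."""
    by_mtime = defaultdict(list)
    for e in entries:
        by_mtime[e["modified"]].append(e)
    return {t: c for t, c in by_mtime.items() if len({(x["size"], x["md5"]) for x in c}) > 1}
```

The only inconsistent group is the 2009-02-09 12:10 build, where the system32 and dllcache copies are 4096 bytes larger than the erdnt backup with the same timestamp; that is the kind of mismatch worth examining before trusting a system DLL.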



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,399 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:48 PM

Posted 24 April 2014 - 09:27 PM

The fixlist.txt was not processed by FRST. Let's try again. This is a new fixlist.txt. If the report returns unprocessed, we may have to do this manually.

 

Download the enclosed file. [attachment=149757:fixlist.txt]

Save it in the same location FRST was saved (flash drive).

Open FRST and click on the Fix button.

The tool will make a log in the same location FRST is saved (Fixlog.txt). Please post it in your reply.


Edited by JSntgRvr, 24 April 2014 - 09:32 PM.



#11 Phil in USA

Phil in USA
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 27 April 2014 - 01:07 PM

Here is the log:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-04-2014
Ran by SYSTEM at 2014-04-27 14:05:15 Run:2
Running from E:\
Boot Mode: Recovery
==============================================
Content of fixlist:
*****************
Start
Replace: C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll C:\WINDOWS\system32\rpcss.dll
Replace: C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll C:\WINDOWS\system32\dllcache\rpcss.dll
S3 catchme; \??\C:\DOCUME~1\owner\LOCALS~1\Temp\catchme.sys [X]
S3 TrueSight; \??\C:\WINDOWS\system32\TrueSight.sys [X]
S0 vsseplm; System32\drivers\agdc.sys [X]
C:\Windows\System32\enymclw.vdu
C:\Windows\System32\qqma.syk
C:\Windows\System32\jthvhfp.syr
C:\Windows\System32\vsfl.okh
C:\Windows\System32\fnlps.czd
C:\Windows\System32\ygcm.fhr
C:\Windows\System32\fpncjn.pau
C:\Windows\System32\yiovcr.gkx
File: C:\Windows\System32\.crusader
End
*****************
C:\WINDOWS\system32\rpcss.dll => Moved successfully.
C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll copied successfully to C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\dllcache\rpcss.dll => Moved successfully.
C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll copied successfully to C:\WINDOWS\system32\dllcache\rpcss.dll
catchme => Service not found.
TrueSight => Service not found.
vsseplm => Service not found.
"C:\Windows\System32\enymclw.vdu" => File/Directory not found.
"C:\Windows\System32\qqma.syk" => File/Directory not found.
"C:\Windows\System32\jthvhfp.syr" => File/Directory not found.
"C:\Windows\System32\vsfl.okh" => File/Directory not found.
"C:\Windows\System32\fnlps.czd" => File/Directory not found.
"C:\Windows\System32\ygcm.fhr" => File/Directory not found.
"C:\Windows\System32\fpncjn.pau" => File/Directory not found.
"C:\Windows\System32\yiovcr.gkx" => File/Directory not found.
========================= File: C:\Windows\System32\.crusader ========================
MD5: 5db085aac10a26e539db88b3a5cbbde2
Creation and modification date: 2014-04-11 03:06 - 2014-04-11 03:06
Size: 0000520
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product Name:
Description:
File Version:
Product Version:
Copyright:
====== End Of File: ======
==== End of Fixlog ====
 
Thanks!

Edited by JSntgRvr, 28 April 2014 - 10:19 AM.


#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,399 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:48 PM

Posted 28 April 2014 - 10:20 AM

Attempt to boot in Normal Mode and let me know the outcome.

If unsuccessful, re-scan with FRST and post its report.



#13 Phil in USA

Phil in USA
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 29 April 2014 - 05:21 PM

Wow. It booted OK in normal mode! It is not as fast at responding as it was, and it seemed to take forever to boot up, but it now works. Is there anything you recommend on speeding up the boot-up and response? Perhaps a registry cleaner? Also, because MS is ending Win XP support, do you recommend any particular free antivirus programs that offer real-time browsing protection for a Win XP machine that only has 2 gigs of RAM?

Thanks again! You are a real hero.

Phil



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,399 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:48 PM

Posted 30 April 2014 - 09:25 AM

Stay away from Registry Cleaners.

Let's empty the temp folders:

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Run adwCleaner.

Download : ADWCleaner to your desktop.

NOTE: If using Internet Explorer and get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs and click on the AdwCleaner icon.


Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder as AdwCleaner[S0].txt.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#15 Phil in USA

Phil in USA
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:08:48 PM

Posted 01 May 2014 - 01:13 AM

The TFC deleted a huge amount of files. I ran mbam a few hours earlier - I think it found 2 issues and I cleaned it - but I ran it again for you for this analysis. Here are the 3 logs you requested:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by owner on Wed 04/30/2014 at 21:57:56.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\ytd video downloader"
Successfully deleted: [Folder] "C:\Documents and Settings\All Users\start menu\programs\ytd video downloader"

 

~~~ FireFox

Successfully deleted: [Folder] "C:\Program Files\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net"
Successfully deleted the following from C:\Documents and Settings\owner\Application Data\mozilla\firefox\profiles\7504ypuq.default\prefs.js

user_pref("extensions.skipscreen.hostMatchStr", "hxxp://www.4shared.com/(get|audio|file|document|dir)/.*|hxxp://.*depositfiles.com/(([a-z]{2})/files/|auth-).*|hxxp://(www.)*di

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/30/2014 at 22:06:01.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

# AdwCleaner v3.205 - Report created 01/05/2014 at 00:43:53
# Updated 28/04/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : owner - COMPUTER_1
# Running from : C:\Documents and Settings\owner\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com
Folder Deleted : C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\7504ypuq.default\Extensions\kztoiugbm@gj-iee.org
[!] Folder Deleted : C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lklpajgjjooinmegfahfginjgdjkjejp

***** [ Shortcuts ] *****

***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [kztoiugbm@gj-iee.org]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v3.0.19 (en-US)

[ File : C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\7504ypuq.default\prefs.js ]

-\\ Google Chrome v30.0.1599.101

[ File : C:\Documents and Settings\owner\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://vshare.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
Deleted [Search Provider] : hxxp://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={B926B091-D78C-11E2-ADD9-0007E900E4D4}
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Extension] : dhdepfaagokllfmhfbcfmocaeigmoebo
Deleted [Extension] : gjkpcnacdgdlpfejlgflolpaigoicibh
Deleted [Extension] : hphibigbodkkohoglgfkddblldpfohjl
Deleted [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbej
Deleted [Extension] : kincjchfokkeneeofpeefomkikfkiedl
Deleted [Extension] : lklpajgjjooinmegfahfginjgdjkjejp
Deleted [Extension] : pgmfkblbflahhponhjmkcnpjinenhlnc

*************************

AdwCleaner[R0].txt - [6560 octets] - [07/03/2014 01:24:29]
AdwCleaner[R1].txt - [1955 octets] - [10/03/2014 22:52:56]
AdwCleaner[R2].txt - [2427 octets] - [30/04/2014 22:20:01]
AdwCleaner[S0].txt - [6817 octets] - [07/03/2014 01:50:13]
AdwCleaner[S1].txt - [2042 octets] - [10/03/2014 22:56:34]
AdwCleaner[S2].txt - [2380 octets] - [01/05/2014 00:43:53]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [2440 octets] ##########

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.05.01.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
owner :: COMPUTER_1 [administrator]

5/1/2014 12:57:43 AM
mbam-log-2014-05-01 (00-57-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 220932
Time elapsed: 19 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

Thanks.





