infected with usps email virus


This topic is locked
92 replies to this topic

#1 pj1234
  • Members
  • 45 posts

Posted 22 June 2014 - 06:02 PM

My computer is infected with the virus from clicking the "print label" link in the USPS email.

My computer is running Windows XP Pro SP3.

At the time of infection there were no antivirus programs installed.

When I noticed the computer was infected I downloaded a program called Process Explorer so I could see the file paths of the processes that seemed to be viruses.

Process Explorer showed iexplorer.exe running with very high CPU and memory usage, but of course I don't use iexplorer. There were also other exes running in the background with high CPU and memory usage with strange names like oromfo.exe. Googling them found nothing.

I decided to download MBAM and run it. The computer was going very slow at this point. I ran MBAM but the computer froze in the middle of the scan.

I restarted the computer and it now hung on the Windows loading screen. I tried safe mode and it automatically restarted at agp440.sys. I used my WinXP Pro CD to enter the Recovery Console and disabled the agp440 service.

Now I tried a normal restart and it still hung at the load screen. Tried safe mode and it automatically restarted at mup.sys. To get past this I first tried unplugging everything but the PS/2 keyboard. After that didn't work I tried running chkdsk /r in the Recovery Console, which succeeded but had no effect on the mup.sys auto restart. I then tried fixmbr in the Recovery Console, which had no effect.

Finally I tried the steps on the Microsoft Knowledge Base page here: http://support.microsoft.com/kb/307545
"How to recover from a corrupt registry that prevents Windows XP from starting"

I did the stuff in step one, copying files from windows\repair to the system32 folder. I restarted the computer and Windows hung at the loading screen while starting normally. Tried safe mode and realized it was agp440.sys, which was re-enabled by the registry repair. So I disabled the agp440 service again and restarted.

Windows started up in normal mode this time. I restarted and attempted to start in safe mode, but the computer auto restarts as soon as you select safe mode.

So I started Windows in normal mode. I went to the "System Volume Information" folder to attempt to complete the steps in the registry recovery, but there were no system restore points other than the one created after copying the repair files. So I have no system restore points and just the backup registry files, which are apparently corrupt.

I decided to run MBAM in normal mode. It found lots of trojans, some of which had file paths I recognized from Process Explorer. After it finished I quarantined all that it found. I restarted and ran it again and it found nothing.

I opened Process Explorer and found that iexplorer.exe was still running in the background, as were many instances of an exe called oromfo.exe with a file path in Application Data. I went to its folder and killed all its running processes, which kept opening so I had to be fast. Then I manually deleted the exe. Within seconds, it reappeared in processes and in the folder from which I had deleted it.

I have the infected computer unplugged from the network, so I downloaded DDS to a USB drive, ran it on the infected computer and have one attach log generated. I also retrieved the MBAM logs.

Something else the computer does that seems weird is it opens a dialog box called "Windows Installer" that says "preparing to install", doesn't show up in processes, and slows the computer down to a halt. I press the cancel button and then after a few moments it disappears.

I'm wondering if removing this virus will resolve the issues with the corrupted registry and the agp440 driver. If we remove the virus will I still be screwed considering I have no system restore points? Will it be best to do like a zero-fill format and then a fresh install?

Attached Files




#2 HelpBot (Bleepin' Binary Bot)
  • Bots
  • 12,600 posts

Posted 27 June 2014 - 06:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/538655 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 pj1234 (Topic Starter)
  • Members
  • 45 posts

Posted 28 June 2014 - 12:42 AM

I still need help. I have not done anything since I posted originally, so everything is the same.

I ran DDS again. It will only make attach.txt. If I run it with just the dds.txt box checked, it simply closes without creating any logs. I have no AV installed. The attach.txt is the same as in the first post.

OS is Windows XP Pro, SP3, 32-bit.

I have the Windows CD and have been using it to open the Recovery Console.

Thanks in advance



#4 Oh My! (Adware and Spyware and Malware.....)
  • Malware Response Instructor
  • 36,385 posts
  • Location: California

Posted 02 July 2014 - 08:29 AM

Greetings pj1234 and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. While I review our situation please run the below for me.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log
  • Attached System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

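The FRST scan Gary asks for above is what exposes the persistence behind the respawning oromfo.exe from the first post: the auto-start values under the Run keys and the list of binaries currently running. The Python script below is an added example written for this page; it is not part of FRST, of this thread, or of any tool named here. It parses the two FRST line shapes shown in its docstring, reports Run entries whose target lives in a user-writable profile directory or for which FRST prints no publisher information, and attaches corroborating evidence to each finding: the hives the same binary is registered under and whether it is running. The sample lines are constructed in FRST's format, modelled on the log pj posts in the next reply; the heuristics, the `Finding` fields and the list of user-writable directory markers are my own assumptions, not FRST's logic.

```python
"""Triage auto-start entries in an FRST log.

Added example, not FRST's own code. It handles the two line shapes FRST
prints for Run values and running processes (assumed from the log format
seen in this thread):

    HKLM\\...\\Run: [ValueName] => C:\\path\\file.exe [size date] (Publisher)
    (Publisher) C:\\path\\file.exe
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in FRST's line format (modelled on the thread's log).
SAMPLE_FRST = r"""
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
() C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe
HKLM\...\Run: [Lexmark X73 Button Monitor] => C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
HKLM\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [swmbdjut] => C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()
"""

# "HK<hive>\...\Run: [name] => path [size date] (publisher)". The trailing
# "[size date] (publisher)" block is optional; "()" means FRST found no
# company/version resource in the file.
RUN_RE = re.compile(
    r"^(?P<hive>HK(?:LM|CU|U\\[^\\]+))\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
    r"(?P<path>.*?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\))?$"
)
# "(publisher) C:\path\file.exe" from the Processes section.
PROC_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")

# Profile locations a non-admin user can write to (assumed list). A Run
# value pointing here needed no privileges to plant; Program Files and
# system32 are deliberately not included.
USER_WRITABLE_MARKERS = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\appdata\\",  # Vista+ layout, for logs from newer machines
)


@dataclass
class Finding:
    path: str
    publisher: Optional[str]  # None = FRST printed no info, "" = "()"
    hives: List[str] = field(default_factory=list)
    names: List[str] = field(default_factory=list)
    running: bool = False
    reasons: List[str] = field(default_factory=list)


def parse(text: str) -> Tuple[List[dict], List[dict]]:
    """Split an FRST log into Run-value records and process records."""
    runs, procs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append(m.groupdict())
    return runs, procs


def triage(text: str) -> List[Finding]:
    """Return the Run entries worth a second look, with the evidence for each."""
    runs, procs = parse(text)
    running = {p["path"].lower() for p in procs}

    # Group by target binary (case-insensitively, as NTFS does) so the same
    # file registered under HKLM and under a user SID becomes one finding.
    by_path: dict = {}
    for r in runs:
        f = by_path.setdefault(r["path"].lower(), Finding(r["path"], r["publisher"]))
        f.hives.append(r["hive"])
        f.names.append(r["name"])

    findings = []
    for key, f in by_path.items():
        # Primary signals: either one alone is enough to report the entry.
        if any(marker in key for marker in USER_WRITABLE_MARKERS):
            f.reasons.append("target lives in a user-writable profile directory")
        if f.publisher == "":
            f.reasons.append("FRST shows no publisher/version info for the file")
        if not f.reasons:
            continue
        # Corroborating signals, recorded only on entries already flagged.
        if len(f.hives) > 1:
            f.reasons.append("same binary registered under %d hives: %s"
                             % (len(f.hives), ", ".join(f.hives)))
        if key in running:
            f.running = True
            f.reasons.append("binary is currently running (Processes section)")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f.path)
        for reason in f.reasons:
            print("   -", reason)
```

To run it over a real scan, replace `SAMPLE_FRST` with the contents of the saved FRST.txt. The grouping by target path matters more than any single heuristic: a binary registered both machine-wide and under the user's SID is two persistence entries for one file, and a Run value by itself does not explain a file reappearing seconds after deletion, which is why the script also cross-references the Processes section rather than judging the registry lines alone.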
#5 pj1234 (Topic Starter)
  • Members
  • 45 posts

Posted 02 July 2014 - 06:25 PM

Hi Gary, thanks for the help. My name is PJ.

I ran the scans and will post the text below. I want you to know that I'm downloading everything on my laptop, then using a USB drive to run stuff on the infected computer, which is not plugged into the network.

Also want to say that on the infected computer, every time I try to move a file from one location to another by selecting it, dragging and dropping, the computer opens a "Windows Installer" dialog box and I have to hit cancel several times for it to go away and the action of moving files to complete.

Also want you to know that the computer froze several times while attempting to complete the tasks you asked me to do, and restarts were necessary.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-07-2014
Ran by Peter (administrator) on DONTASK on 02-07-2014 17:04:04
Running from C:\Documents and Settings\Peter\Desktop
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 6
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\WINDOWS\system32\MsPMSPSv.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
() C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Lexmark X73 Button Monitor] => C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
HKLM\...\Run: [Lexmark X73 Button Manager] => C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
HKLM\...\Run: [PrinTray] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
Winlogon\Notify\avgrsstarter: avgrsstx.dll [X]
HKU\.DEFAULT\...\Run: [ALUAlert] => C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
HKU\.DEFAULT\...\Policies\Explorer: [CDRAutoRun] 0
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [swmbdjut] => C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [epdjdjsg] => C:\Documents and Settings\Peter\Local Settings\Application Data\ovnxwelo.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [tkpdsoen] => C:\Documents and Settings\Peter\Local Settings\Application Data\epsgllxf.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Peter\Application Data\Mozilla\Firefox\Profiles\lcejh5e6.default-1401146046031
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-06]

Chrome:
=======
CHR HomePage: hxxp://www.google.com/
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.114\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.114\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Chrome\Application\35.0.1916.114\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Google Update) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Entanglement Web App) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2011-06-07]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-20]
CHR Extension: (Poppit) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2011-06-07]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]

========================== Services (Whitelisted) =================

S4 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [270336 2001-02-23] (Microsoft Corporation) [File not signed]
R2 WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [53248 2001-05-01] (Microsoft Corporation) [File not signed]
S4 Ati HotKey Poller; %SystemRoot%\system32\Ati2evxx.exe [X]
S4 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [X]
S2 avg8wd; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [X]
S2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [X]

==================== Drivers (Whitelisted) ====================

S3 cmpci; C:\WINDOWS\System32\drivers\cmaudio.sys [280782 2001-10-30] (C-Media Inc) [File not signed]
S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-14] (Microsoft Corporation)
S1 AvgLdx86; \SystemRoot\System32\Drivers\avgldx86.sys [X]
S1 AvgMfx86; \SystemRoot\System32\Drivers\avgmfx86.sys [X]
S1 Cdr4_xp; No ImagePath
S1 Cdralw2k; No ImagePath
S1 cdudf_xp; No ImagePath
S1 DVDVRRdr_xp; No ImagePath
S3 dvd_2K; No ImagePath
S2 LXARScan; System32\Drivers\Lxarscan.sys [X]
S3 mmc_2K; No ImagePath
S1 pwd_2k; No ImagePath
S3 rtl8139; system32\DRIVERS\RTL8139.SYS [X]
S1 UdfReadr_xp; No ImagePath
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2099-02-23 14:35 - 2001-02-22 09:54 - 00000768 _____ () C:\Program Files\x73_lut.dat
2099-02-08 16:03 - 2001-05-11 11:39 - 00053248 _____ (Silitek Corp.) C:\Program Files\ACMonitor_X73.exe
2099-02-08 15:53 - 2001-04-23 14:22 - 00001437 _____ () C:\Program Files\gtx73.ini
2014-07-02 17:04 - 2014-07-02 17:04 - 00010084 _____ () C:\Documents and Settings\Peter\Desktop\FRST.txt
2014-07-02 17:03 - 2014-07-02 17:04 - 00000000 ____D () C:\FRST
2014-07-02 17:03 - 2014-07-02 15:19 - 01073664 _____ (Farbar) C:\Documents and Settings\Peter\Desktop\FRST.exe
2014-06-27 23:29 - 2014-06-22 14:54 - 00688992 ____R (Swearware) C:\Documents and Settings\Peter\Desktop\dds.com
2014-06-22 16:03 - 2014-06-27 23:32 - 00002300 _____ () C:\Documents and Settings\Peter\Desktop\attach.txt
2014-06-21 23:39 - 2014-06-21 23:39 - 00004724 _____ () C:\WINDOWS\system32\PerfStringBackup.TMP
2014-06-21 23:37 - 2014-06-21 23:47 - 00001282 _____ () C:\WINDOWS\wmsetup.log
2014-06-21 23:37 - 2014-06-21 23:47 - 00000788 _____ () C:\Documents and Settings\Peter\Start Menu\Programs\Windows Media Player.lnk
2014-06-21 23:35 - 2014-06-21 23:39 - 00000075 _____ () C:\WINDOWS\setupact.log
2014-06-21 23:35 - 2014-06-21 23:35 - 00000749 _____ () C:\WINDOWS\comsetup.log
2014-06-21 23:35 - 2014-06-21 23:35 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-06-21 14:54 - 2014-06-21 15:24 - 00000000 ____D () C:\WINDOWS\tmp

==================== One Month Modified Files and Folders =======

2014-07-02 17:04 - 2014-07-02 17:04 - 00010084 _____ () C:\Documents and Settings\Peter\Desktop\FRST.txt
2014-07-02 17:04 - 2014-07-02 17:03 - 00000000 ____D () C:\FRST
2014-07-02 17:04 - 2007-01-23 21:36 - 00000000 ____D () C:\Documents and Settings\Peter\Local Settings\Temp
2014-07-02 17:03 - 2007-01-23 21:29 - 01547814 _____ () C:\WINDOWS\WindowsUpdate.log
2014-07-02 17:02 - 2014-04-07 08:02 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-07-02 17:02 - 2007-01-23 21:34 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-07-02 17:02 - 2004-08-04 05:00 - 00001374 _____ () C:\WINDOWS\system32\wpa.dbl
2014-07-02 15:19 - 2014-07-02 17:03 - 01073664 _____ (Farbar) C:\Documents and Settings\Peter\Desktop\FRST.exe
2014-06-27 23:33 - 2007-01-23 21:36 - 00000278 ___SH () C:\Documents and Settings\Peter\ntuser.ini
2014-06-27 23:33 - 2007-01-23 21:34 - 00032546 _____ () C:\WINDOWS\SchedLgU.Txt
2014-06-27 23:32 - 2014-06-22 16:03 - 00002300 _____ () C:\Documents and Settings\Peter\Desktop\attach.txt
2014-06-22 15:59 - 2014-05-26 14:57 - 00029553 _____ () C:\WINDOWS\setupapi.log
2014-06-22 14:54 - 2014-06-27 23:29 - 00688992 ____R (Swearware) C:\Documents and Settings\Peter\Desktop\dds.com
2014-06-22 01:17 - 2014-05-30 17:10 - 00000000 ____D () C:\Documents and Settings\Peter\Application Data\Huyrano
2014-06-22 00:58 - 2014-05-30 20:52 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-06-22 00:51 - 2010-04-13 13:41 - 00000000 ____D () C:\Program Files\Diablo II
2014-06-22 00:51 - 2007-01-23 21:43 - 00023440 _____ () C:\Documents and Settings\Peter\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2014-06-22 00:50 - 2011-06-03 09:56 - 00000978 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-764733703-839522115-1003UA.job
2014-06-22 00:50 - 2011-06-03 09:56 - 00000926 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-764733703-839522115-1003Core.job
2014-06-22 00:22 - 2014-05-30 10:49 - 00000000 ____D () C:\Documents and Settings\Peter\Application Data\Hoihsii
2014-06-22 00:22 - 2013-08-14 03:06 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2850869$
2014-06-21 23:47 - 2014-06-21 23:37 - 00001282 _____ () C:\WINDOWS\wmsetup.log
2014-06-21 23:47 - 2014-06-21 23:37 - 00000788 _____ () C:\Documents and Settings\Peter\Start Menu\Programs\Windows Media Player.lnk
2014-06-21 23:39 - 2014-06-21 23:39 - 00004724 _____ () C:\WINDOWS\system32\PerfStringBackup.TMP
2014-06-21 23:39 - 2014-06-21 23:35 - 00000075 _____ () C:\WINDOWS\setupact.log
2014-06-21 23:37 - 2007-01-23 21:28 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-06-21 23:37 - 2004-08-04 05:00 - 00000603 _____ () C:\WINDOWS\win.ini
2014-06-21 23:35 - 2014-06-21 23:35 - 00000749 _____ () C:\WINDOWS\comsetup.log
2014-06-21 23:35 - 2014-06-21 23:35 - 00000000 _____ () C:\WINDOWS\setuperr.log
2014-06-21 23:34 - 2007-01-23 12:33 - 00137256 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-06-21 15:24 - 2014-06-21 14:54 - 00000000 ____D () C:\WINDOWS\tmp

Some content of TEMP:
====================
C:\Documents and Settings\Peter\Local Settings\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjf5hex.dll
C:\Documents and Settings\Peter\Local Settings\Temp\UpdateFlashPlayer_7998111c.exe


==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:01-07-2014
Ran by Peter at 2014-07-02 17:05:07
Running from C:\Documents and Settings\Peter\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================


==================== Installed Programs ======================

µTorrent (HKCU\...\uTorrent) (Version: 3.4.1.30888 - BitTorrent Inc.)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) (Version: 8.1.2 - Adobe Systems, Inc) Hidden
Adobe Flash Player 10 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 10.0.22.87 - Adobe Systems Incorporated)
Adobe Flash Player ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 9.0.124.0 - Adobe Systems Incorporated)
Adobe Reader 8.1.2 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A81200000003}) (Version: 8.1.2 - Adobe Systems Incorporated)
Adobe Reader 8.1.2 Security Update 1 (KB403742) (HKLM\...\{AC76BA86-7AD7-1033-7B44-A81200000003}_Adobe Reader 8.1.2) (Version:  - )
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1014 - )
ATI Catalyst Control Center (HKLM\...\{325F7A83-E15A-4C18-B5FE-E03A38F690BD}) (Version: 1.2.2217.17271 - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.221-060124a1-030275C-ATI - )
ATI HYDRAVISION (HKLM\...\{083F79E4-6FE9-46FB-A6C6-4F8862742947}) (Version: 3.25.9006 - )
ATI Problem Report Wizard (HKLM\...\{5DA6F06A-B389-407B-BF8C-1548767914D8}) (Version: 8.10 - ATI Technologies)
AVG Free 8.5 (HKLM\...\AVG8Uninstall) (Version:  - )
Boggle (HKLM\...\Bogglev1) (Version:  - )
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6021.5000 - Microsoft Corporation)
Diablo II (HKLM\...\Diablo II) (Version:  - )
Easy CD & DVD Creator 6 (HKLM\...\{46DDF76F-ACD4-42BC-B48F-B89C4EE2E1A9}) (Version: 6.1.1.7 - Roxio Inc.,)
Google Chrome (HKCU\...\Google Chrome) (Version: 35.0.1916.114 - Google Inc.)
J2SE Runtime Environment 5.0 Update 6 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0150060}) (Version: 1.5.0.60 - Sun Microsystems, Inc.)
Lexmark X73 (HKLM\...\Lexmark X73) (Version:  - )
Magic Online III (HKLM\...\{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF}) (Version: 3.00.0000 - Wizards of the Coast)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 (Version: 1.1.4322 - Microsoft) Hidden
Microsoft .NET Framework 1.1 Security Update (KB953297) (HKLM\...\M953297) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Office XP Professional with FrontPage (HKLM\...\{90280409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.2627.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Mozilla Firefox (3.5.5) (HKLM\...\Mozilla Firefox (3.5.5)) (Version: 3.5.5 (en-US) - Mozilla)
MSXML 6 Service Pack 2 (KB954459) (HKLM\...\{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}) (Version: 6.20.1099.0 - Microsoft Corporation)
PCI Audio Driver (HKLM\...\PCI Audio Driver) (Version:  - )
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB894391) (HKLM\...\KB894391) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB898461) (HKLM\...\KB898461) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB900485) (HKLM\...\KB900485) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB908531) (HKLM\...\KB908531) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB910437) (HKLM\...\KB910437) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB911280) (HKLM\...\KB911280) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB916595) (HKLM\...\KB916595) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB920872) (HKLM\...\KB920872) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB922582) (HKLM\...\KB922582) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB925720) (HKLM\...\KB925720) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB927891) (HKLM\...\KB927891) (Version: 3 - Microsoft Corporation)
Update for Windows XP (KB929338) (HKLM\...\KB929338) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB930916) (HKLM\...\KB930916) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB931836) (HKLM\...\KB931836) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB933360) (HKLM\...\KB933360) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB936357) (HKLM\...\KB936357) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB938828) (HKLM\...\KB938828) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB942763) (HKLM\...\KB942763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB942840) (HKLM\...\KB942840) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB946627) (HKLM\...\KB946627) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951072-v2) (HKLM\...\KB951072-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB955839) (HKLM\...\KB955839) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB976749) (HKLM\...\KB976749) (Version: 1 - Microsoft Corporation)
Warcraft III: All Products (HKCU\...\Warcraft III) (Version:  - )
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Installer 3.1 (KB893803) (HKLM\...\KB893803v2) (Version: 3.1 - Microsoft Corporation)
Windows XP Hotfix - KB873339 (HKLM\...\KB873339) (Version: 20041117.092459 - Microsoft Corporation)
Windows XP Hotfix - KB885835 (HKLM\...\KB885835) (Version: 20041027.181713 - Microsoft Corporation)
Windows XP Hotfix - KB885836 (HKLM\...\KB885836) (Version: 20041028.173203 - Microsoft Corporation)
Windows XP Hotfix - KB885884 (HKLM\...\KB885884) (Version: 20040924.025457 - Microsoft Corporation)
Windows XP Hotfix - KB886185 (HKLM\...\KB886185) (Version: 20041021.090540 - Microsoft Corporation)
Windows XP Hotfix - KB888302 (HKLM\...\KB888302) (Version: 20041207.111426 - Microsoft Corporation)
Windows XP Hotfix - KB890859 (HKLM\...\KB890859) (Version: 1 - Microsoft Corporation)
Windows XP Hotfix - KB891781 (HKLM\...\KB891781) (Version: 20050110.165439 - Microsoft Corporation)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
World of Warcraft (HKLM\...\World of Warcraft) (Version:  - )

==================== Restore Points  =========================

22-06-2014 06:38:30 System Checkpoint

==================== Hosts content: ==========================

2012-04-19 22:53 - 2012-04-19 22:53 - 00001211 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net


==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Driver Robot.job => ?
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-764733703-839522115-1003Core.job => C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-764733703-839522115-1003UA.job => C:\Documents and Settings\Peter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2008-10-12 17:58 - 2008-09-16 20:18 - 00132608 _____ () C:\Program Files\WinRAR\rarext.dll
2007-08-07 08:55 - 2014-06-22 01:17 - 00296491 _____ () C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe
2004-08-04 05:00 - 2008-04-14 05:42 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot => "AlternateShell"=""

==================== EXE Association (whitelisted) =============


==================== MSCONFIG/TASK MANAGER disabled items =========

MSCONFIG\startupfolder: C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: ATICCC => "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
MSCONFIG\startupreg: AVG8_TRAY => C:\PROGRA~1\AVG\AVG8\avgtray.exe
MSCONFIG\startupreg: C-Media Mixer => Mixer.exe /startup
MSCONFIG\startupreg: C-Media Speaker Configuration => D:\DRIVERS\sound\CMI8738\Setup.exe /SPEAKER
MSCONFIG\startupreg: ccRegVfy => C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: Internet Antivirus Pro => "C:\program files\Internet Antivirus Pro\IAPro.exe" /s
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: Microsoft Windows logon process => C:\Documents and Settings\Peter\Application Data\Microsoft\Windows\winlogon.exe
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
MSCONFIG\startupreg: RoxioAudioCentral => "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
MSCONFIG\startupreg: RoxioDragToDisc => "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
MSCONFIG\startupreg: RoxioEngineUtility => "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
MSCONFIG\startupreg: Run =>  
MSCONFIG\startupreg: StartCCC => "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
MSCONFIG\startupreg: SunJavaUpdateSched => C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name:
Description:
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: CD-ROM Drive
Description: CD-ROM Drive
Class Guid: {4D36E965-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard CD-ROM drives)
Service: cdrom
Problem: : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Resolution: Reasons for this error include a driver that is not present; a binary file that is corrupt; a file I/O problem, or a driver that references an entry point in another binary file that could not be loaded.
Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.

Name:
Description:
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (06/21/2014 11:39:11 PM) (Source: LoadPerf) (EventID: 3001) (User: )
Description: The performance counter name string value in the registry is incorrectly
formatted. The bogus string is 2706, the bogus index value is the first
DWORD in Data section while the last valid index values are the second and
third DWORD in Data section.

Error: (06/21/2014 11:39:08 PM) (Source: LoadPerf) (EventID: 3011) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (06/21/2014 11:39:08 PM) (Source: LoadPerf) (EventID: 3001) (User: )
Description: The performance counter name string value in the registry is incorrectly
formatted. The bogus string is 2706, the bogus index value is the first
DWORD in Data section while the last valid index values are the second and
third DWORD in Data section.

Error: (05/24/2014 05:18:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application avastui.exe, version 9.0.2018.397, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [avastui.exe!ws!]

Error: (05/23/2014 07:15:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application UT2004.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (04/02/2014 08:17:13 PM) (Source: Microsoft Office 10) (EventID: 1000) (User: )
Description: Faulting application powerpnt.exe, version 10.0.2623.0, faulting module powerpnt.exe, version 10.0.2623.0, fault address 0x0006e2b4.

Error: (03/07/2014 01:19:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000101b3.
Processing media-specific event for [explorer.exe!ws!]

Error: (02/22/2014 09:38:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application uTorrent.exe, version 3.3.2.30303, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (02/07/2014 10:27:11 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application acrord32.exe, version 8.3.1.289, faulting module msvcr80.dll, version 8.0.50727.4053, fault address 0x0001500a.
Processing media-specific event for [acrord32.exe!ws!]

Error: (01/07/2014 03:53:17 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 26.0.0.5087, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (07/02/2014 05:03:45 PM) (Source: DCOM) (EventID: 10010) (User: DONTASK)
Description: The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (07/02/2014 05:03:33 PM) (Source: Windows Update Agent) (EventID: 16) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (07/02/2014 05:02:43 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgLdx86
AvgMfx86
Cdr4_xp
cdudf_xp
DVDVRRdr_xp
UdfReadr_xp

Error: (07/02/2014 05:02:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The AVG8 WatchDog service failed to start due to the following error:
%%2

Error: (07/02/2014 05:02:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The WebClient service failed to start due to the following error:
%%1290

Error: (07/02/2014 05:02:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The LexBce Server service failed to start due to the following error:
%%2

Error: (07/02/2014 05:02:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Lexmark X73 MFP Scanner service failed to start due to the following error:
%%2

Error: (06/27/2014 11:29:21 PM) (Source: DCOM) (EventID: 10010) (User: DONTASK)
Description: The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (06/27/2014 11:28:51 PM) (Source: DCOM) (EventID: 10010) (User: DONTASK)
Description: The server {000C101C-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (06/27/2014 11:28:23 PM) (Source: Windows Update Agent) (EventID: 16) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.


Microsoft Office Sessions:
=========================
Error: (06/21/2014 11:39:11 PM) (Source: LoadPerf) (EventID: 3001) (User: )
Description: 2706

Error: (06/21/2014 11:39:08 PM) (Source: LoadPerf) (EventID: 3011) (User: )
Description: WmiApRplWmiApRpl

Error: (06/21/2014 11:39:08 PM) (Source: LoadPerf) (EventID: 3001) (User: )
Description: 2706

Error: (05/24/2014 05:18:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: avastui.exe9.0.2018.397unknown0.0.0.000000000

Error: (05/23/2014 07:15:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: UT2004.exe0.0.0.0hungapp0.0.0.000000000

Error: (04/02/2014 08:17:13 PM) (Source: Microsoft Office 10) (EventID: 1000) (User: )
Description: powerpnt.exe10.0.2623.0powerpnt.exe10.0.2623.00006e2b4

Error: (03/07/2014 01:19:59 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.0.2900.5512ntdll.dll5.1.2600.6055000101b3

Error: (02/22/2014 09:38:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: uTorrent.exe3.3.2.30303hungapp0.0.0.000000000

Error: (02/07/2014 10:27:11 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: acrord32.exe8.3.1.289msvcr80.dll8.0.50727.40530001500a

Error: (01/07/2014 03:53:17 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe26.0.0.5087hungapp0.0.0.000000000


==================== Memory info ===========================

Percentage of memory in use: 16%
Total physical RAM: 2046.32 MB
Available physical RAM: 1713.45 MB
Total Pagefile: 3939.14 MB
Available Pagefile: 3775.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1941.24 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:76.68 GB) (Free:27.22 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Removable) (Total:1.97 GB) (Free:1.95 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 77 GB) (Disk ID: D2BDD2BD)
Partition 1: (Active) - (Size=77 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================
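Two sections of the Addition.txt above carry most of the security-relevant signal. The Hosts file maps crl.verisign.net (a certificate revocation list host) to 127.0.0.1 alongside the Adobe activation names, which blunts revocation checking for anything chained to that CA, and the "MSCONFIG/TASK MANAGER disabled items" list holds a winlogon.exe under the user's Application Data, a location the real one never lives in. As an added example, not code from the original post or from FRST, here is a Python triage pass over those two sections. The sample input is a shortened copy of the log lines above; the hostname hints, profile-path markers and expected directories for system binaries are assumptions of this example.

```python
"""Triage the Hosts and MSCONFIG/startupreg sections of an FRST Addition.txt.

Added example: not FRST code and not from the original post. The sample
sections are copied (shortened) from the log above; the keyword lists and
directory expectations below are this example's own assumptions.
"""
import re

# Excerpt of the "Hosts content" section above (constructed from the log).
HOSTS_SECTION = r"""
127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com activate.adobe.com activate-sea.adobe.com
127.0.0.1 www.wip2.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net
"""

# Excerpt of the "MSCONFIG/TASK MANAGER disabled items" section above.
STARTUP_SECTION = r"""
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: Internet Antivirus Pro => "C:\program files\Internet Antivirus Pro\IAPro.exe" /s
MSCONFIG\startupreg: Microsoft Windows logon process => C:\Documents and Settings\Peter\Application Data\Microsoft\Windows\winlogon.exe
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
"""

BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Substrings of hostnames whose sinkholing blunts revocation checks, updates
# or AV telemetry (assumed list; extend for your environment).
SECURITY_HOST_HINTS = ("crl.", "ocsp.", "windowsupdate", "update.microsoft.",
                       "avg.", "avast.", "symantec", "malwarebytes")


def hosts_findings(section):
    """Return [(hostname, reason)] for every hosts entry that points a
    non-local name at a loopback/blackhole address. Case-folded and
    de-duplicated, so crl.verisign.net and CRL.VERISIGN.NET count once."""
    seen, findings = set(), []
    for raw in section.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in BLACKHOLE_ADDRS:
            continue
        for name in fields[1:]:
            lname = name.lower()
            if lname in LOCAL_NAMES or lname in seen:
                continue
            seen.add(lname)
            reason = "sinkholed"
            if any(h in lname for h in SECURITY_HOST_HINTS):
                reason = "sinkholed security/revocation host"
            findings.append((lname, reason))
    return findings


ENTRY_RE = re.compile(r"^MSCONFIG\\startupreg:\s*(?P<name>.*?)\s*=>\s*(?P<cmd>.*)$")
# Anything under these is writable by the logged-on user (assumed markers).
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\",
                   "\\local settings\\", "\\appdata\\", "\\temp\\")
# Where these binaries legitimately live on XP (assumed; lowercase paths).
SYSTEM_BINARIES = {"winlogon.exe": {"c:\\windows\\system32"},
                   "csrss.exe": {"c:\\windows\\system32"},
                   "svchost.exe": {"c:\\windows\\system32"},
                   "lsass.exe": {"c:\\windows\\system32"},
                   "explorer.exe": {"c:\\windows"}}


def executable_path(cmd):
    """Executable from a command line: quoted path, else the text up to the
    first '.exe' (XP autoruns often store unquoted paths containing spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split(" ", 1)[0]


def startup_findings(section):
    """Return [(entry name, path, reasons)] for autostart entries that run
    from a user-writable profile path or masquerade as a system binary."""
    findings = []
    for line in section.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd")).lower()
        parent, _, base = path.rpartition("\\")
        reasons = []
        if any(mk in path for mk in PROFILE_MARKERS):
            reasons.append("runs from user-writable profile directory")
        if base in SYSTEM_BINARIES and parent not in SYSTEM_BINARIES[base]:
            reasons.append("system binary name outside its expected directory")
        if reasons:
            findings.append((m.group("name"), path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, why in hosts_findings(HOSTS_SECTION):
        print(f"hosts  {why:38} {host}")
    for name, path, why in startup_findings(STARTUP_SECTION):
        print(f"run    {name!r}: {path} ({why})")
```

The hosts check deliberately reports every sinkholed non-local name, not only the security-relevant ones: the Adobe activation entries are the signature of a cracked install (the helper raises the licence question in the next post), and a hosts file that someone has edited by hand is itself worth knowing about. The startup check cannot tell that "Internet Antivirus Pro" is a rogue product by path alone; that needs a name list, which is why it is not flagged here.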


#6 Oh My!
  • Malware Response Instructor
  • 36,385 posts
  • Location:California

Posted 02 July 2014 - 06:57 PM

Hi pj,

Your computer is seriously infected. For starters, are you willing to uninstall your Adobe program since you do not have a valid license for it?
Gary

If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 pj1234
  • Topic Starter
  • Members
  • 45 posts

Posted 02 July 2014 - 07:33 PM

Yes. I'll be willing to do whatever you recommend or require. I'll wait for your instructions though.



#8 Oh My!
  • Malware Response Instructor
  • 36,385 posts
  • Location:California

Posted 02 July 2014 - 09:04 PM

I would appreciate it if part of the overall cleanup of your computer included that as well. Please let me know if you have trouble doing that.
Gary

#9 pj1234
  • Topic Starter
  • Members
  • 45 posts

Posted 02 July 2014 - 10:18 PM

OK. I uninstalled it using CCleaner, the way I do most programs. Let me know if there's anything else I need to do.



#10 Oh My!
  • Malware Response Instructor
  • 36,385 posts
  • Location:California

Posted 02 July 2014 - 10:46 PM

Hi pj.

Let's start with this.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKLM\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [swmbdjut] => C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [epdjdjsg] => C:\Documents and Settings\Peter\Local Settings\Application Data\ovnxwelo.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [tkpdsoen] => C:\Documents and Settings\Peter\Local Settings\Application Data\epsgllxf.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()
C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe
C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe
C:\Documents and Settings\Peter\Local Settings\Application Data\ovnxwelo.exe
C:\Documents and Settings\Peter\Local Settings\Application Data\epsgllxf.exe
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
Winlogon\Notify\avgrsstarter: avgrsstx.dll [X]
SearchScopes: HKLM - DefaultScope value is missing.
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
S1 Cdr4_xp; No ImagePath
S1 Cdralw2k; No ImagePath
S1 cdudf_xp; No ImagePath
S1 DVDVRRdr_xp; No ImagePath
S3 dvd_2K; No ImagePath
S3 mmc_2K; No ImagePath
S1 pwd_2k; No ImagePath
S1 UdfReadr_xp; No ImagePath
U1 WS2IFSL;
2099-02-23 14:35 - 2001-02-22 09:54 - 00000768 _____ () C:\Program Files\x73_lut.dat
2099-02-08 16:03 - 2001-05-11 11:39 - 00053248 _____ (Silitek Corp.) C:\Program Files\ACMonitor_X73.exe
2099-02-08 15:53 - 2001-04-23 14:22 - 00001437 _____ () C:\Program Files\gtx73.ini
C:\Documents and Settings\Peter\Local Settings\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjf5hex.dll
C:\Documents and Settings\Peter\Local Settings\Temp\UpdateFlashPlayer_7998111c.exe
Task: C:\WINDOWS\Tasks\Driver Robot.job => ?
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • How is your computer running?

Gary

#11 pj1234
  • Topic Starter
  • Members
  • 45 posts

Posted 02 July 2014 - 11:31 PM

No change after running the fix. The first attempt failed and said the program needs to close, with an error report dialog box. The second attempt ran. Windows Installer is still opening when moving files.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:01-07-2014
Ran by Peter at 2014-07-02 22:22:00 Run:2
Running from C:\Documents and Settings\Peter\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [swmbdjut] => C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [epdjdjsg] => C:\Documents and Settings\Peter\Local Settings\Application Data\ovnxwelo.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [tkpdsoen] => C:\Documents and Settings\Peter\Local Settings\Application Data\epsgllxf.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()
C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe
C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe
C:\Documents and Settings\Peter\Local Settings\Application Data\ovnxwelo.exe
C:\Documents and Settings\Peter\Local Settings\Application Data\epsgllxf.exe
Winlogon\Notify\AtiExtEvent: Ati2evxx.dll [X]
Winlogon\Notify\avgrsstarter: avgrsstx.dll [X]
SearchScopes: HKLM - DefaultScope value is missing.
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
S1 Cdr4_xp; No ImagePath
S1 Cdralw2k; No ImagePath
S1 cdudf_xp; No ImagePath
S1 DVDVRRdr_xp; No ImagePath
S3 dvd_2K; No ImagePath
S3 mmc_2K; No ImagePath
S1 pwd_2k; No ImagePath
S1 UdfReadr_xp; No ImagePath
U1 WS2IFSL;
2099-02-23 14:35 - 2001-02-22 09:54 - 00000768 _____ () C:\Program Files\x73_lut.dat
2099-02-08 16:03 - 2001-05-11 11:39 - 00053248 _____ (Silitek Corp.) C:\Program Files\ACMonitor_X73.exe
2099-02-08 15:53 - 2001-04-23 14:22 - 00001437 _____ () C:\Program Files\gtx73.ini
C:\Documents and Settings\Peter\Local Settings\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjf5hex.dll
C:\Documents and Settings\Peter\Local Settings\Temp\UpdateFlashPlayer_7998111c.exe
Task: C:\WINDOWS\Tasks\Driver Robot.job => ?
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [swmbdjut => Value not found.
HKU\S-1-5-21-1801674531-764733703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\epdjdjsg => Value not found.
HKU\S-1-5-21-1801674531-764733703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\tkpdsoen => Value not found.
HKU\S-1-5-21-1801674531-764733703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Asbiedikozymla => value deleted successfully.
"C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe" => File/Directory not found.
"C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe" => File/Directory not found.
"C:\Documents and Settings\Peter\Local Settings\Application Data\ovnxwelo.exe" => File/Directory not found.
"C:\Documents and Settings\Peter\Local Settings\Application Data\epsgllxf.exe" => File/Directory not found.
'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent'=> Key not found.
'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter'=> Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
'HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}'=> Key not found.
'HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer' => Key deleted successfully.
C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll not found.
Cdr4_xp => Service deleted successfully.
Cdralw2k => Service deleted successfully.
cdudf_xp => Service deleted successfully.
DVDVRRdr_xp => Service deleted successfully.
dvd_2K => Service deleted successfully.
mmc_2K => Service deleted successfully.
pwd_2k => Service deleted successfully.
UdfReadr_xp => Service deleted successfully.
WS2IFSL => Service deleted successfully.
C:\Program Files\x73_lut.dat => Moved successfully.
C:\Program Files\ACMonitor_X73.exe => Moved successfully.
C:\Program Files\gtx73.ini => Moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpjf5hex.dll => Moved successfully.
C:\Documents and Settings\Peter\Local Settings\Temp\UpdateFlashPlayer_7998111c.exe => Moved successfully.
C:\WINDOWS\Tasks\Driver Robot.job => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.

==== End of Fixlog ====
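Reading the Fixlog above line by line shows why the first attempt changed nothing. The first fixlist line carried two directives run together (the HKU\...\Run: [swmbdjut] entry glued onto the end of the HKLM\...\Run: [Asbiedikozymla] one), so FRST looked the whole string up as a single value name and reported "Value not found"; the HKLM Run value pointing at oromfo.exe was therefore not deleted, while the per-user copy of the same value was. As an added example (not FRST code and not from the original post), this Python script splits a Fixlog into its fixlist and result parts, flags directives that were glued together, and lists every target the fix did not remove. The sample is a shortened copy of the Fixlog above; the outcome phrases it matches are taken from that log and assumed to be stable FRST wording.

```python
"""Reconcile an FRST Fixlog.txt with the fixlist it executed.

Added example: not FRST code and not from the original post. SAMPLE_FIXLOG
is a shortened copy of the Fixlog posted above; the outcome phrases matched
below are taken from that log and assumed to be stable FRST wording.
"""
import re

SAMPLE_FIXLOG = r"""
Content of fixlist:
*****************
HKLM\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [swmbdjut] => C:\Documents and Settings\Peter\Local Settings\Application Data\evrxqprq.exe [200704 2014-05-30] ()
HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()
C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe
Task: C:\WINDOWS\Tasks\Driver Robot.job => ?
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Asbiedikozymla] => C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe [296491 2014-06-22] ()HKU\S-1-5-21-1801674531-764733703-839522115-1003\...\Run: [swmbdjut => Value not found.
HKU\S-1-5-21-1801674531-764733703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Asbiedikozymla => value deleted successfully.
"C:\Documents and Settings\Peter\Application Data\Huyrano\oromfo.exe" => File/Directory not found.
C:\WINDOWS\Tasks\Driver Robot.job => Moved successfully.

==== End of Fixlog ====
"""

MARKER = "*****************"
SUCCESS_SUFFIXES = ("deleted successfully", "moved successfully",
                    "restored successfully", "reset successfully")
# Two registry directives glued on one line: the first directive's trailing
# "()" is immediately followed by another hive prefix.
GLUED_RE = re.compile(r"\(\)(HKLM|HKU|HKCU)\\")


def split_fixlog(text):
    """Return (fixlist directives, result lines) from a Fixlog body."""
    lines = text.strip().splitlines()
    marks = [i for i, l in enumerate(lines) if l.strip() == MARKER]
    if len(marks) < 2:
        raise ValueError("fixlist markers not found")
    directives = [l for l in lines[marks[0] + 1:marks[1]] if l.strip()]
    results = [l for l in lines[marks[1] + 1:] if "=>" in l]
    return directives, results


def classify(result_line):
    """Split 'target => outcome' and map the outcome to a status."""
    target, _, outcome = result_line.rpartition("=>")
    outcome = outcome.strip().rstrip(".").lower()
    if outcome.endswith(SUCCESS_SUFFIXES):
        status = "removed"
    elif "not found" in outcome:
        status = "not_found"
    else:
        status = "other"
    return target.strip().strip('"'), outcome, status


def reconcile(text):
    directives, results = split_fixlog(text)
    report = {"glued_directives": [], "removed": [], "not_found": [], "other": []}
    for d in directives:
        if GLUED_RE.search(d):
            report["glued_directives"].append(d)
    for r in results:
        target, outcome, status = classify(r)
        report[status].append((target, outcome))
    return report


def unresolved(report):
    """Targets the fix did not remove. When the reported target itself still
    contains a glued directive, that is the likely cause and is called out."""
    out = []
    for target, outcome in report["not_found"] + report["other"]:
        note = "glued directive" if GLUED_RE.search(target) else ""
        out.append((target, outcome, note))
    return out


if __name__ == "__main__":
    rep = reconcile(SAMPLE_FIXLOG)
    for target, outcome, note in unresolved(rep):
        print(f"NOT REMOVED ({outcome}{'; ' + note if note else ''}): {target[:80]}")
```

A "File/Directory not found" for oromfo.exe is not by itself alarming; the file may already have been quarantined by the earlier Malwarebytes run. The registry value that still names it is the part to re-issue as its own directive on the next pass, because an autostart entry pointing at a missing file is repopulated the moment a dropper rewrites the executable.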



#12 Oh My!
  • Malware Response Instructor
  • 36,385 posts
  • Location:California

Posted 03 July 2014 - 09:48 AM

Hi pj,

We are just getting warmed up. Please do this.

===================================================

ComboFix Windows XP

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.
  • Please download ComboFix from one of these locations and save it to your desktop:

Bleepingcomputer

ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop-ups and continue its malware removal procedure.

[image: Query_RC.gif]

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

  • Click on Yes, to continue scanning for malware
----------

Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

----------

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Combofix log
  • Any change in computer behavior?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 pj1234

  • Topic Starter
  • Members
  • 45 posts

Posted 03 July 2014 - 02:42 PM

Hi Gary,

I ran ComboFix and installed the Recovery Console. The computer seems to be running faster afterward. That oromfo.exe process seems to be gone.

Issues still exist though. The computer still freezes regularly within 20 minutes or less of booting. The Windows Installer dialog box still opens and I continue to hit cancel whenever I move files; it also happens when I right-click on the desktop. Still can't start up in Safe Mode; it hangs at mup.sys. iexplorer is still listed in processes with high memory usage.

Also I think I noticed it deleted all the registry backups I created and noted in my original post. I'm sure those were no good but now I am wondering how I'll ever correct the registry.

Thanks

ComboFix 14-07-03.01 - Peter 07/03/2014  13:05:43.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1594 [GMT -7:00]
Running from: c:\documents and settings\Peter\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Peter\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SPL35.tmp
c:\documents and settings\All Users\SPLAB.tmp
c:\documents and settings\Peter\Application Data\Huyrano\oromfo.exe
c:\documents and settings\Peter\My Documents\~WRL0005.tmp
c:\documents and settings\Peter\WINDOWS
c:\program files\Java\jre7\bin\jp2ssv.dll
c:\windows\tmp
c:\windows\tmp\default.bak
c:\windows\tmp\sam.bak
c:\windows\tmp\security.bak
c:\windows\tmp\software.bak
c:\windows\tmp\system.bak
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2014-06-03 to 2014-07-03  )))))))))))))))))))))))))))))))
.
.
2014-07-03 00:03 . 2014-07-03 05:22    --------    d-----w-    C:\FRST
2014-06-22 06:39 . 2014-06-22 06:39    4724    ----a-w-    c:\windows\system32\PerfStringBackup.TMP
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-06-22 07:58 . 2014-05-31 03:52    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-30 14:05 . 2009-11-19 22:08    17488    ----a-w-    c:\windows\gdrv.sys
2014-05-27 21:23 . 2012-04-21 19:00    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-05-27 21:23 . 2011-06-29 15:58    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-12 14:26 . 2014-05-31 03:42    53208    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 14:25 . 2014-05-31 03:42    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-04-27 07:52 . 2011-03-28 21:53    54832    ----a-w-    c:\windows\system32\drivers\aswrdr.sys.1399924380609
2014-04-27 07:52 . 2011-03-28 21:53    776976    ----a-w-    c:\windows\system32\drivers\aswsnx.sys.1399924380609
2007-09-17 17:10 . 2012-11-07 04:14    24576    ----a-w-    c:\program files\Lexmark 3500-4500 Series
2001-05-08 23:36 . 2000-12-05 22:56    114688    ----a-w-    c:\program files\lxarscan.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\docume~1\ALLUSE~1\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57    40368    ----a-w-    c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2001-10-23 01:24    1216512    ----a-w-    c:\windows\mixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 21:03    36975    ----a-w-    c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-764733703-839522115-1003Core.job
- c:\documents and settings\Peter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 16:56]
.
2014-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-764733703-839522115-1003UA.job
- c:\documents and settings\Peter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 16:56]
.
2014-07-03 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2014-05-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Peter\Application Data\Mozilla\Firefox\Profiles\lcejh5e6.default-1401146046031\
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-swmbdjut - c:\documents and settings\Peter\Local Settings\Application Data\evrxqprq.exe
HKCU-Run-Asbiedikozymla - c:\documents and settings\Peter\Application Data\Huyrano\oromfo.exe
HKLM-Run-Lexmark X73 Button Monitor - c:\progra~1\LEXMAR~1\ACMonitor_X73.exe
HKLM-Run-Lexmark X73 Button Manager - c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe
HKLM-Run-PrinTray - c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe
HKLM-Run-Asbiedikozymla - c:\documents and settings\Peter\Application Data\Huyrano\oromfo.exe
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\cli.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-C-Media Speaker Configuration - d:\drivers\sound\CMI8738\Setup.exe
MSConfigStartUp-ccRegVfy - c:\program files\Common Files\Symantec Shared\ccRegVfy.exe
MSConfigStartUp-Internet Antivirus Pro - c:\program files\Internet Antivirus Pro\IAPro.exe
MSConfigStartUp-Microsoft Windows logon process - c:\documents and settings\Peter\Application Data\Microsoft\Windows\winlogon.exe
MSConfigStartUp-RoxioAudioCentral - c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
MSConfigStartUp-RoxioEngineUtility - c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
AddRemove-Adobe Flash Player Plugin - c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
AddRemove-World of Warcraft - c:\program files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
AddRemove-{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF} - c:\program files\InstallShield Installation Information\{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF}\setup.exe
AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-07-03 13:13
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1801674531-764733703-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1801674531-764733703-839522115-1003\Software\÷@*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(464)
c:\windows\system32\sxs.dll
.
Completion time: 2014-07-03  13:15:13
ComboFix-quarantined-files.txt  2014-07-03 20:15
.
Pre-Run: 29,802,520,576 bytes free
Post-Run: 30,627,700,736 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - CCC992A8213C010EF8470FED6F117775
8F558EB6672622401DA993E1E865C861
#14 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,385 posts
  • Gender:Male
  • Location:California

Posted 03 July 2014 - 04:08 PM

Greetings,

Your computer was quite compromised so it will take several steps to try to bring it back to health. And you are correct, your registry backups were compromised as well.

Please do this.

===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Windows 8/7/Vista users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • A report should open and a copy of the report will be placed on your desktop
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Running TDSSKiller with Changed Parameters

--------------------
  • Please download TDSSKiller from here and save it to your Desktop
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters

[image: tds2.jpg]

  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now

[image: 2012081514h0118.png]

  • Click Start Scan and allow the scan process to run

[image: tds4-1.jpg]

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue

[image: tds6.jpg]

  • Click Reboot computer
  • Please zip and attach in your reply the TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • RogueKiller log
  • Zipped TDSSKiller log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 pj1234

  • Topic Starter
  • Members
  • 45 posts

Posted 03 July 2014 - 05:17 PM

I didn't mean to seem impatient in earlier posts. I understand it's a bad infection. I was hoping the information provided would be of some use.

Ran RogueKiller, and the scan was successful. The report didn't open immediately but I clicked the report button, so I hope this is what you need.

Ran TDSSKiller and it was successful.

I'm not seeing iexplorer.exe in processes the last few times I had the computer on.

Thanks

RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Peter [Admin rights]
Mode : Scan -- Date : 07/03/2014  15:51:47

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme -> FOUND
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1749D86C-1EF8-443D-B2AE-669C26C3096C} | DhcpNameServer : 209.18.47.61 209.18.47.62  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1749D86C-1EF8-443D-B2AE-669C26C3096C} | DhcpNameServer : 209.18.47.61 209.18.47.62  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1749D86C-1EF8-443D-B2AE-669C26C3096C} | DhcpNameServer : 209.18.47.61 209.18.47.62  -> FOUND
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1801674531-764733703-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 0a947cc88fa1189c7ee1120dfbf5c999
[BSP] ade790a6768eba3a67cc564b73fae642 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 78520 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic Flash Disk USB Device +++++
--- User ---
[MBR] 646d6b1d652893adf5994bb5d07d8d30
[BSP] 9ab224430cae5d4642efe916dd8f39b0 : Unknown MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x6) [VISIBLE] Offset (sectors): 1512 | Size: 2015 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )