pop up containing trojan randomly pops up by redirection


  • This topic is locked
34 replies to this topic

#1 noelist

noelist

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Lancashire
  • Local time:12:18 AM

Posted 25 August 2014 - 03:45 PM

Hi, at some point in the near past we started getting a pop-up on Google and YouTube. On my XP PC it was in the middle of a grey page; on my wife's Win7 it just appeared as a dialog box with "your flash player may be out of date please update now".

On my PC, the first one I clicked on the OK button as the address was www.youtube.com, but Avira immediately beeped that it had planted a trojan. I sent them the file and their reply was:-

Our analysts named the threat TR/Crypt.Xpack.94703.

I have since run two scans from my antivirus by Avira, their PC Cleaner scan and, as suggested, ADWcleaner.

I was not able to find a place to upload the report of their "PC Cleaner scan" result log to them, as I could not find the page they suggested to do so.

So I used "ComboFix" and have a report log which you may like to peruse.

I have read the "what you need to know before posting" page, but am using my wife's PC because I now cannot start my XP PC. It is on that machine that all the info you require resides.

I do hope you can help with this scourge. Thanks in advance.

P.S. Had enough today, will try and start my PC again in the morning (the XP one).

 

 

 




 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:18 PM

Posted 26 August 2014 - 05:52 AM





Hello noelist

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
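The instructions above ask for the FRST log to be pasted as plain text. As an added example, not part of this thread and not code from the FRST project, the Python below shows how a helper could pre-screen such a log before reading it line by line: it splits the text on the "====" section banners, pulls out the entries FRST itself annotates as unsigned ([File not signed]), missing on disk ([X]) or dangling (No File), and lists any DHCP-supplied name server that is neither on a private LAN range nor a well-known public resolver. The embedded sample log is constructed from the kinds of entries FRST reports; the banner layout and the status markers it assumes are taken from the FRST output format as it appears in this thread.

```python
import ipaddress
import re

# Constructed sample in the FRST log format: section banners, a DHCP
# name-server line and driver/plugin lines carrying FRST status markers.
SAMPLE_LOG = r"""
==================== Internet (Whitelisted) ====================

Tcpip\Parameters: [DhcpNameServer] 146.185.220.85 8.8.8.8
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File

==================== Drivers (Whitelisted) ====================

S3 DNINDIS5; C:\WINDOWS\system32\DNINDIS5.SYS [17149 2003-07-24] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R1 ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [28520 2013-10-31] (Avira GmbH)
S3 AR5523; system32\DRIVERS\wg11tnd5.sys [X]
"""

# A section banner is a title padded with runs of "=" on both sides.
SECTION_RE = re.compile(r"^=+\s+([^=].*?)\s+=+$")

# Ranges a home router normally hands out via DHCP, plus resolvers that are
# widely known to be public (Google Public DNS).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def parse_sections(text):
    """Split FRST output into {section title: [non-empty entry lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def unexpected_name_servers(sections):
    """DHCP-supplied DNS servers that are neither on a private range nor a
    well-known public resolver. Not proof of anything by itself, but the
    first thing to confirm with the machine's owner."""
    found = []
    for line in sections.get("Internet (Whitelisted)", []):
        m = re.search(r"\[DhcpNameServer\]\s+(.+)$", line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # not an address; skip
            if token in KNOWN_PUBLIC_RESOLVERS or any(ip in net for net in PRIVATE_RANGES):
                continue
            found.append(token)
    return found


def flagged_entries(sections):
    """Entries FRST marks as unsigned, missing on disk ([X]) or pointing at a
    file that no longer exists (No File). Returns (section, reason, line)."""
    flags = []
    for title, lines in sections.items():
        for line in lines:
            if "[File not signed]" in line:
                flags.append((title, "unsigned", line))
            elif line.endswith("[X]"):
                flags.append((title, "missing-file", line))
            elif line.endswith("No File"):
                flags.append((title, "no-file", line))
    return flags


def triage(text):
    """Run both checks over a log and return them as one report."""
    sections = parse_sections(text)
    return {
        "name_servers": unexpected_name_servers(sections),
        "flagged": flagged_entries(sections),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Name servers to confirm:", report["name_servers"])
    for section, reason, line in report["flagged"]:
        print(f"[{reason}] ({section}) {line}")
```

The output is a shortlist, not a verdict: an unsigned driver from a legitimate vendor or a stale plugin reference is common on an old XP install, and the point of the script is only to surface the lines a helper would otherwise have to find by eye.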

#3 noelist

noelist
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Lancashire
  • Local time:12:18 AM

Posted 26 August 2014 - 08:28 AM

Hi Gringo, as of this morning both my wife's and my computers have ceased displaying the annoying pop-ups with the trojan, which is rather strange. Last night, after running "ComboFix" and then a scan from my Avira AntiVir in safe mode, I could not get my computer to start, nor get it into safe mode by tapping F8; that's when I gave up. But this morning it fired up fine, and so did my wife's.

To run ComboFix I had to delete my antivirus app. I was about to reinstall it; it may be that this would be a requirement for running the Farbar Recovery Scan Tool, which I will run now anyway, just to get confirmation from an expert that my PC is clean.

Back later, THANKS.



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:18 PM

Posted 26 August 2014 - 08:36 AM

No problem, and I would like to see the reports anyway.


gringo

#5 noelist

noelist
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Gender:Male
  • Location:Lancashire
  • Local time:12:18 AM

Posted 26 August 2014 - 08:58 AM

Hi Gringo, here are the reports (that was fast):-

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:26-08-2014
Ran by Administrator (administrator) on PENTIUM4 on 26-08-2014 14:36:51
Running from C:\Documents and Settings\Administrator\Desktop
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [UserFaultCheck] => %systemroot%\system32\dumprep 0 -u
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKU\.DEFAULT\...\RunOnce: [RunNarrator] => C:\WINDOWS\system32\Narrator.exe [53760 2008-04-14] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {41564952-412D-5637-00A7-7A786E7484D7} -  No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/autodl/jinstall-170-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-170-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
Tcpip\Parameters: [DhcpNameServer] 146.185.220.85 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkck7rl3.default-1392728637765
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_179.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1168638.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\amazon-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\chambers-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\eBay-en-GB.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\yahoo-en-GB.xml
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-18]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182184 2013-06-12] (Oracle Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2011-06-02] ()
S3 DigiartyVirtualCDBus; C:\WINDOWS\System32\drivers\DigiartyVirtualCDBus.sys [163616 2013-01-22] (Digiarty Software, Inc.)
S3 DNINDIS5; C:\WINDOWS\system32\DNINDIS5.SYS [17149 2003-07-24] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R2 MDC8021X; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [15890 2009-09-05] (Meetinghouse Data Communications) [File not signed]
S3 optousb; C:\WINDOWS\System32\DRIVERS\optousb.sys [18432 2008-04-04] (OPTO ELECTRONICS CO.,LTD.)
S3 optovcm; C:\WINDOWS\System32\DRIVERS\optovcm.sys [26368 2008-04-04] (OPTO ELECTRONICS CO.,LTD.)
R1 ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [28520 2013-10-31] (Avira GmbH)
R3 TotRec8; C:\WINDOWS\system32\drivers\TotRec8.sys [93968 2012-11-30] (High Criteria inc.)
R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [120830 2003-10-08] (Intel Corporation)
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [98842 2003-10-08] (Intel Corporation)
S3 AR5523; system32\DRIVERS\wg11tnd5.sys [X]
S3 ATHFMWDL; System32\Drivers\ATHFMWDL.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-26 14:36 - 2014-08-26 14:37 - 00006661 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2014-08-26 14:36 - 2014-08-26 14:36 - 00001993 _____ () C:\Documents and Settings\Administrator\Desktop\Resume Installation.lnk
2014-08-26 14:36 - 2014-08-26 14:36 - 00000000 ____D () C:\FRST
2014-08-26 14:35 - 2014-08-26 14:36 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\AviraResume
2014-08-26 14:33 - 2014-08-26 14:33 - 01095168 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2014-08-26 13:07 - 2014-08-26 13:16 - 175034624 _____ () C:\Documents and Settings\Administrator\Desktop\avira_antivirus_pro_en.exe
2014-08-23 15:31 - 2014-08-23 17:23 - 00000000 ____D () C:\AdwCleaner
2014-08-22 19:29 - 2014-08-22 19:29 - 04531851 _____ () C:\Documents and Settings\Administrator\Desktop\AVSUPINF.7z
2014-08-20 00:59 - 2014-08-20 00:59 - 00000102 _____ () C:\Documents and Settings\Administrator\Desktop\save mahan forest.txt
2014-08-15 15:49 - 2014-08-15 15:49 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2808679$
2014-08-15 15:48 - 2014-08-15 15:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2492386$
2014-08-15 15:48 - 2011-03-11 15:10 - 00225262 ____C () C:\WINDOWS\system32\dllcache\msimain.sdb
2014-07-28 03:15 - 2014-07-28 03:15 - 00000577 _____ () C:\Documents and Settings\Administrator\Desktop\POEM.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-08-26 14:37 - 2014-08-26 14:36 - 00006661 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2014-08-26 14:37 - 2007-11-30 12:50 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2014-08-26 14:36 - 2014-08-26 14:36 - 00001993 _____ () C:\Documents and Settings\Administrator\Desktop\Resume Installation.lnk
2014-08-26 14:36 - 2014-08-26 14:36 - 00000000 ____D () C:\FRST
2014-08-26 14:36 - 2014-08-26 14:35 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\AviraResume
2014-08-26 14:33 - 2014-08-26 14:33 - 01095168 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2014-08-26 14:01 - 2011-08-23 23:37 - 00002016 _____ () C:\Documents and Settings\Administrator\Desktop\My Stuff.txt
2014-08-26 13:51 - 2014-02-19 00:46 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-08-26 13:16 - 2014-08-26 13:07 - 175034624 _____ () C:\Documents and Settings\Administrator\Desktop\avira_antivirus_pro_en.exe
2014-08-26 12:39 - 2007-11-30 12:50 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-08-26 08:52 - 2008-06-20 14:00 - 01577946 ____N () C:\WINDOWS\WindowsUpdate.log
2014-08-26 08:46 - 2014-03-27 19:13 - 00000238 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-08-26 08:46 - 2012-10-12 00:31 - 00000159 ____N () C:\WINDOWS\wiadebug.log
2014-08-26 08:46 - 2012-10-12 00:31 - 00000050 ____N () C:\WINDOWS\wiaservc.log
2014-08-26 08:46 - 2007-11-30 10:56 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-08-26 08:46 - 2003-03-31 13:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-08-25 16:08 - 2007-11-30 12:50 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-08-25 16:08 - 2007-11-30 12:41 - 00032488 ____N () C:\WINDOWS\SchedLgU.Txt
2014-08-25 16:07 - 2011-08-23 02:32 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Avira
2014-08-25 15:43 - 2007-12-13 17:14 - 00000000 ____D () C:\WINDOWS\system32\NtmsData
2014-08-25 15:15 - 2007-11-30 10:53 - 00000000 ____D () C:\WINDOWS\Registration
2014-08-25 03:49 - 2011-08-23 22:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2014-08-23 17:23 - 2014-08-23 15:31 - 00000000 ____D () C:\AdwCleaner
2014-08-22 19:29 - 2014-08-22 19:29 - 04531851 _____ () C:\Documents and Settings\Administrator\Desktop\AVSUPINF.7z
2014-08-22 15:12 - 2012-04-10 11:56 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Joined Clips
2014-08-22 15:12 - 2011-08-27 00:54 - 00043008 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-08-20 00:59 - 2014-08-20 00:59 - 00000102 _____ () C:\Documents and Settings\Administrator\Desktop\save mahan forest.txt
2014-08-15 15:49 - 2014-08-15 15:49 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2808679$
2014-08-15 15:49 - 2014-03-24 14:23 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-08-15 15:49 - 2009-04-13 19:46 - 00000000 ___HD () C:\WINDOWS\$hf_mig$
2014-08-15 15:48 - 2014-08-15 15:48 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2492386$
2014-08-15 15:43 - 2011-08-23 01:42 - 00000000 __SHD () C:\Documents and Settings\Administrator\UserData
2014-08-15 14:40 - 2012-05-08 10:10 - 00699568 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-08-15 14:40 - 2011-08-24 00:45 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-08-13 10:43 - 2013-08-15 20:36 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-08-13 10:40 - 2010-11-22 19:49 - 96303304 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-07-31 07:27 - 2012-04-24 22:23 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-07-31 00:33 - 2014-06-18 00:31 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-07-28 03:50 - 2011-08-23 14:59 - 00000682 _____ () C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2014-07-28 03:50 - 2011-08-23 14:59 - 00000000 ____D () C:\Program Files\CCleaner
2014-07-28 03:15 - 2014-07-28 03:15 - 00000577 _____ () C:\Documents and Settings\Administrator\Desktop\POEM.txt

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:26-08-2014
Ran by Administrator at 2014-08-26 14:37:43
Running from C:\Documents and Settings\Administrator\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 14 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 14.0.0.179 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.8.638 - Adobe Systems, Inc.)
AimOne MP4 Cutter & Joiner V2.21 (HKLM\...\{72064ADD-8C71-4059-A981-E668AE37248B}_is1) (Version:  - AimOneSoft, Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform)
Digital Camera Driver (HKLM\...\Digital Camera Driver) (Version:  - )
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version:  - SEIKO EPSON Corporation)
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
Java 7 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217017FF}) (Version: 7.0.250 - Oracle)
Java Auto Updater (Version: 2.1.9.5 - Sun Microsystems, Inc.) Hidden
K-Lite Codec Pack 7.6.0 (Standard) (HKLM\...\KLiteCodecPack_is1) (Version: 7.6.0 - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft Internationalized Domain Names Mitigation APIs (Version:  - Microsoft Corporation) Hidden
Microsoft National Language Support Downlevel APIs (Version:  - Microsoft Corporation) Hidden
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 31.0 (x86 en-GB) (HKLM\...\Mozilla Firefox 31.0 (x86 en-GB)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
SlimPDF Reader (HKLM\...\{7E1FEE27-F869-4D4B-8AA3-64C7FD99BD7C}_is1) (Version:  - Investintech.com Inc.)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version:  - )
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
System Requirements Lab for Intel (HKLM\...\{904CD0E4-4B72-4CF7-9828-267C6678A22E}) (Version: 4.5.2.0 - Husdawg, LLC)
Total Recorder 8.4 Standard Edition (HKLM\...\TotalRecorder) (Version:  - )
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2598845) (HKLM\...\KB2598845-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2632503) (HKLM\...\KB2632503-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2492386) (HKLM\...\KB2492386) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2541763) (HKLM\...\KB2541763) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2607712) (HKLM\...\KB2607712) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2616676) (HKLM\...\KB2616676) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2641690) (HKLM\...\KB2641690) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2736233) (HKLM\...\KB2736233) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2808679) (HKLM\...\KB2808679) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2863058) (HKLM\...\KB2863058) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971737) (HKLM\...\KB971737) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2003-03-31 13:00 - 2003-03-31 13:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============


==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: EPSON Stylus D78 Series => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "C:\WINDOWS\TEMP\E_S3B.tmp" /EF "HKCU"
MSCONFIG\startupreg: HotKeysCmds => C:\WINDOWS\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\WINDOWS\system32\igfxtray.exe
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/26/2014 02:36:59 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (08/26/2014 02:36:59 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (08/20/2014 03:09:54 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application mpc-hc.exe, version 1.5.3.3611, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/09/2014 06:06:20 PM) (Source: ESENT) (EventID: 490) (User: )
Description: svchost (1048) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\edb.log" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ".  The open file operation will fail with error -1032 (0xfffffbf8).

Error: (08/04/2014 11:19:25 AM) (Source: VSS) (EventID: 5013) (User: )
Description: Volume Shadow Copy Service error: Shadow Copy writer RemovableStorageManager called routine OpenNtmsSessionW which failed with status 0x800708ca (converted to 0x800423f4).

Error: (07/31/2014 03:18:11 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application mpc-hc.exe, version 1.5.3.3611, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/29/2014 00:47:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application avwebgrd.exe, version 14.0.5.430, faulting module avwebgrd.exe, version 14.0.5.430, fault address 0x00067b7c.
Processing media-specific event for [avwebgrd.exe!ws!]

Error: (07/12/2014 07:54:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application avwebgrd.exe, version 14.0.5.430, faulting module avwebgrd.exe, version 14.0.5.430, fault address 0x00067b7c.
Processing media-specific event for [avwebgrd.exe!ws!]

Error: (07/05/2014 02:21:15 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application cdwizard.exe, version 2.1.0.16, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/04/2014 10:16:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 30.0.0.5269, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (08/26/2014 08:45:59 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 000FFE04849F has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (08/25/2014 03:07:51 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 000FFE04849F has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (08/25/2014 03:06:44 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/25/2014 02:01:53 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
avipbb
avkmgr
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
ssmdrv
Tcpip

Error: (08/25/2014 02:01:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (08/25/2014 02:01:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error:
%%31

Error: (08/25/2014 02:01:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31

Error: (08/25/2014 02:01:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31

Error: (08/25/2014 02:00:49 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/23/2014 01:51:23 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 000FFE04849F has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor:  Intel® Pentium® 4 CPU 2.80GHz
Percentage of memory in use: 28%
Total physical RAM: 759.48 MB
Available physical RAM: 539.95 MB
Total Pagefile: 2764.17 MB
Available Pagefile: 2619.33 MB
Total Virtual: 2047.88 MB
Available Virtual: 1932.93 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:37.26 GB) (Free:9.76 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37.3 GB) (Disk ID: 78A878A8)
Partition 1: (Active) - (Size=37.3 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

Enjoy, (sbleep, chortle)

Cheers mate, catch you later, THANKS.


Edited by noelist, 26 August 2014 - 09:00 AM.
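Before reading the 25 August 7026/7001/10005 entries above as a damaged network stack, it is worth checking how the machine was booted when FRST ran. Leaving the three Avira drivers aside, the drivers listed under Event 7026 (AFD, Fips, intelppm, IPSec, MRxSmb, NetBIOS, NetBT, RasAcd, Rdbss, Tcpip) are exactly the set Windows XP leaves unloaded in Safe Mode, and the "%%1084" that DCOM reports is Win32 error 1084, ERROR_NOT_SAFEBOOT_SERVICE ("this service cannot be started in Safe Mode"). The script below is an added example, not part of this thread, of FRST or of any BleepingComputer tool: it parses that block of the log and makes the check explicit, so the same entries in another log can be triaged the same way. The sample events are constructed from the excerpt above; attributing ssmdrv to Avira is my assumption (only avipbb.sys and avkmgr.sys appear under the Avira install in the ComboFix log further down the thread).

```python
# Triage the "System errors" block of an FRST log: were the boot-start driver
# failures a Safe Mode boot, or is the network stack really broken?
# Added example; not part of FRST, ComboFix or this thread.
import re
from collections import Counter

# Constructed sample: four entries copied in layout from the FRST excerpt above
# (Service Control Manager 7026 and 7001, DCOM 10005, Dhcp 1002).
FRST_SAMPLE = """\
Error: (08/25/2014 02:01:53 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
avipbb
avkmgr
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
ssmdrv
Tcpip

Error: (08/25/2014 02:01:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Error: (08/25/2014 02:00:49 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/23/2014 01:51:23 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 000FFE04849F has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
"""

# Drivers Windows XP leaves unloaded when booted into Safe Mode (without networking);
# this exact set under one Event 7026 is the usual fingerprint of a Safe Mode boot.
SAFE_MODE_SET = {"AFD", "Fips", "intelppm", "IPSec", "MRxSmb",
                 "NetBIOS", "NetBT", "RasAcd", "Rdbss", "Tcpip"}

# Assumption: vendor attribution for the non-Windows drivers in the list. avipbb and
# avkmgr are shown under Avira in the ComboFix log; ssmdrv is attributed to Avira here.
THIRD_PARTY = {"avipbb": "Avira", "avkmgr": "Avira", "ssmdrv": "Avira"}

# Win32 error codes that FRST leaves as "%%NNN" in the description text.
WIN32_ERRORS = {
    31: "ERROR_GEN_FAILURE: a device attached to the system is not functioning",
    1084: "ERROR_NOT_SAFEBOOT_SERVICE: this service cannot be started in Safe Mode",
}

EVENT_RE = re.compile(
    r"^Error: \((?P<ts>[^)]*)\) \(Source: (?P<src>[^)]*)\) \(EventID: (?P<id>\d+)\)[^\n]*\n"
    r"Description: (?P<body>.*?)(?=\n\n|\Z)",
    re.MULTILINE | re.DOTALL,
)


def parse_events(text):
    """Split an FRST error block into events: timestamp, source, id and description lines."""
    return [{"ts": m["ts"], "source": m["src"], "id": int(m["id"]),
             "lines": m["body"].strip().splitlines()}
            for m in EVENT_RE.finditer(text)]


def failed_drivers(events):
    """Driver names listed under every Event 7026, in log order, without duplicates."""
    names = []
    for ev in events:
        if ev["id"] == 7026:
            names.extend(line.strip() for line in ev["lines"][1:] if line.strip())
    return list(dict.fromkeys(names))


def error_codes(events):
    """Count the %%NNN Win32 error codes embedded in event descriptions."""
    codes = Counter()
    for ev in events:
        codes.update(int(c) for c in re.findall(r"%%(\d+)", "\n".join(ev["lines"])))
    return codes


def assess(text):
    """Return a verdict on the driver failures plus the evidence behind it."""
    events = parse_events(text)
    drivers = failed_drivers(events)
    codes = error_codes(events)
    present = SAFE_MODE_SET & set(drivers)
    if present == SAFE_MODE_SET:
        verdict = "consistent-with-safe-mode-boot"   # confirm with the user how it was booted
    elif present:
        verdict = "partial-network-stack-failure"    # this one deserves attention
    else:
        verdict = "no-network-driver-failures"
    notes = []
    if codes.get(1084):
        notes.append(f"{codes[1084]} event(s) carry error 1084 ({WIN32_ERRORS[1084]}); "
                     "that corroborates a Safe Mode boot")
    third_party = {d: THIRD_PARTY.get(d, "unknown vendor")
                   for d in drivers if d not in SAFE_MODE_SET}
    return {"verdict": verdict, "failed_drivers": drivers, "third_party": third_party,
            "error_codes": dict(codes), "notes": notes}


if __name__ == "__main__":
    for key, value in assess(FRST_SAMPLE).items():
        print(f"{key}: {value}")
```

Run it as a script to print the assessment, or import it and call assess() on the "System errors" section of any FRST log. A partial match (say only Tcpip and AFD missing) is reported as partial-network-stack-failure, which is the case that does deserve attention; the full set, backed by error 1084, just means the log was taken from a Safe Mode session and the driver list carries no information about the infection.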


#6 noelist

Posted 26 August 2014 - 09:20 AM

Ah ha ha ha... edited the typo "dringo" to "Gringo"; never noticed the "sbleep" done by your anti-racist remark thingy. The word is a very old English (UK) word meaning "to laugh in a restrained way".

Obviously in the USA, remove the "s" at the beginning of the word and it becomes Bleep! No point in typing the word, because it will be changed to bleep anyway, so if you need a clue, it's a derogatory form of description of a dark-skinned person. There, that's politically correct in the UK.

Just thought I'd explain. Thanks.



#7 gringo_pr (Malware Response Team)

Posted 26 August 2014 - 09:36 AM

Hello

That is one of the shortest reports I have seen.



These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 noelist

Posted 27 August 2014 - 08:57 AM

OK, doing it now...



#9 noelist

Posted 27 August 2014 - 09:17 AM

Log of adware scan:

# AdwCleaner v3.308 - Report created 27/08/2014 at 15:08:06
# Updated 20/08/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Administrator - PENTIUM4
# Running from : C:\Documents and Settings\Administrator\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v31.0 (x86 en-GB)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkck7rl3.default-1392728637765\prefs.js ]


*************************

AdwCleaner[R0].txt - [2304 octets] - [23/08/2014 15:31:58]
AdwCleaner[R1].txt - [1002 octets] - [27/08/2014 15:04:35]
AdwCleaner[S0].txt - [2322 octets] - [23/08/2014 15:57:37]
AdwCleaner[S1].txt - [925 octets] - [27/08/2014 15:08:06]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [984 octets] ##########
 



#10 noelist

Posted 27 August 2014 - 09:38 AM

JRT scan log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by Administrator on 27/08/2014 at 15:23:25.98
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\apn"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 27/08/2014 at 15:29:57.65
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

OK, there you go Gringo, will be back later. Cheers.



#11 noelist

Posted 27 August 2014 - 09:43 AM

Ah, there was a short while, when minimising a page after the first scan, when on maximising the page it would open in the top-left quarter of the screen and take 5 seconds to open to full screen, but that may have been because the processor was busy. Apart from that, today it is working well for an old banger like this PC.

Cheers.

Oh dear, slight problem... I turned off Avira as per instructions on BP.com and now can't turn it on again... I tried a restart, still not able to turn it on; will have to re-install.

Cheers, noelist.

 

 


Edited by noelist, 27 August 2014 - 11:32 AM.


#12 gringo_pr

Posted 28 August 2014 - 04:44 AM


Hello noelist,

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#13 noelist

Posted 29 August 2014 - 06:53 AM

OK Gringo, no time yesterday, will get on to it now.



#14 gringo_pr

Posted 29 August 2014 - 07:11 AM

No problem, and I will check on you later.

Gringo

#15 noelist

Posted 29 August 2014 - 07:52 AM

And here is the ComboFix log:

ComboFix 14-08-29.03 - Administrator 29/08/2014  13:12:34.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.759.373 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
.
.
(((((((((((((((((((((((((   Files Created from 2014-07-28 to 2014-08-29  )))))))))))))))))))))))))))))))
.
.
2014-08-27 14:23 . 2014-08-27 14:23    --------    d-----w-    c:\windows\ERUNT
2014-08-26 14:42 . 2014-08-26 14:42    --------    d-----w-    c:\documents and settings\Administrator\Application Data\Avira
2014-08-26 14:39 . 2014-08-15 09:30    37352    ----a-w-    c:\windows\system32\drivers\avkmgr.sys
2014-08-26 14:39 . 2014-08-15 09:30    136216    ----a-w-    c:\windows\system32\drivers\avipbb.sys
2014-08-26 14:39 . 2014-08-15 09:30    97648    ----a-w-    c:\windows\system32\drivers\avgntflt.sys
2014-08-26 14:39 . 2014-08-26 14:39    --------    d-----w-    c:\program files\Avira
2014-08-26 13:36 . 2014-08-26 13:37    --------    d-----w-    C:\FRST
2014-08-23 14:31 . 2014-08-27 14:08    --------    d-----w-    C:\AdwCleaner
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-15 13:40 . 2012-05-08 09:10    699568    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-08-15 13:40 . 2011-08-23 23:45    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 07:51 . 2014-05-14 01:51    5659136    ----a-w-    c:\windows\system32\FlashPlayerInstaller.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2014-08-15 751184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus D78 Series]
2006-09-22 04:01    139264    ----a-w-    c:\windows\system32\spool\drivers\w32x86\3\E_FATIBGE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-10-02 14:19    118784    ------w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-10-02 14:37    155648    ------w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 06:32    253816    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [26/08/2014 15:39 37352]
R2 AntiVirMailService;Avira Mail Protection;c:\program files\Avira\AntiVir Desktop\avmailc.exe [26/08/2014 15:39 802384]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [26/08/2014 15:39 430160]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [26/08/2014 15:39 1021008]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [05/12/2011 01:17 93968]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys --> c:\windows\system32\Drivers\ATHFMWDL.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [02/06/2011 11:08 11336]
S3 DigiartyVirtualCDBus;Digiarty Virtual Driver;c:\windows\system32\drivers\DigiartyVirtualCDBus.sys [22/01/2013 18:33 163616]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [05/09/2009 13:30 17149]
S3 optousb;OPTO ELECTRONICS optousb;c:\windows\system32\drivers\optousb.sys [04/04/2008 04:47 18432]
S3 optovcm;OPTO ELECTRONICS optovcm;c:\windows\system32\drivers\optovcm.sys [04/04/2008 04:47 26368]
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-08 13:40]
.
2014-08-29 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2014-05-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 146.185.220.85 8.8.8.8
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hkck7rl3.default-1392728637765\
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{41564952-412D-5637-00A7-7A786E7484D7} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-08-29 13:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-343818398-1275210071-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,aa,cb,86,6b,fe,5b,4b,a2,e7,ec,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5f,aa,cb,86,6b,fe,5b,4b,a2,e7,ec,\
.
[HKEY_USERS\S-1-5-21-343818398-1275210071-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(704)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(3172)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2014-08-29  13:20:11
ComboFix-quarantined-files.txt  2014-08-29 12:20
.
Pre-Run: 10,039,783,424 bytes free
Post-Run: 10,178,711,552 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - F77822A13A5C210CA6731E1F63801A9E
8F558EB6672622401DA993E1E865C861
 

I will let you know how the PC is running later once I've done something. I should say that the pop up "this site says flash player may need updating" was activated when I log on to YouTube; it had "www.youtube.com" in the address bar, I noticed, each time it appeared. On my wife's PC it came up using Google, meant to say before.
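The ComboFix supplementary scan above records `TCP: DhcpNameServer = 146.185.220.85 8.8.8.8`, and the FRST Dhcp entries earlier in the thread show that the DHCP server on this LAN is 192.168.1.1. Whichever hosts answer DNS decide which server the browser actually connects to for www.youtube.com, whatever the address bar shows, so the resolver list is the first thing a responder would check when the same pop-up appears on two different PCs in the same house. The script below is an added example, not part of this thread or of ComboFix/FRST: it pulls both values out of the logs and classifies each resolver relative to the DHCP server. The sample lines are constructed from the excerpts above; the public-resolver allow-list is an assumption, and so is the /24 subnet used in the lease check. It does not decide whether 146.185.220.85 is legitimate; it flags it as unverified until it has been compared against the ISP's published resolvers and the router's own DNS settings.

```python
# Classify the resolvers a Windows host got from DHCP, using the ComboFix
# "TCP: DhcpNameServer" line and the DHCP server named in an FRST Dhcp event.
# Added example; not part of ComboFix, FRST or this thread.
import ipaddress
import re

# Constructed sample lines in the shape of the ComboFix supplementary scan and
# the FRST Dhcp 1002 entry quoted in this thread.
COMBOFIX_SAMPLE = """\
uStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 146.185.220.85 8.8.8.8
FF - prefs.js: browser.startup.homepage - about:home
"""

FRST_SAMPLE = """\
Error: (08/26/2014 08:45:59 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 000FFE04849F has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
"""

# Assumption: a short allow-list of widely used public resolvers. An external address
# that is not on it is not thereby malicious; it is unverified until it has been matched
# against the ISP's published resolvers or the router's own DNS configuration.
KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_resolvers(combofix_text):
    """Resolvers in the order the Windows DNS client will try them."""
    m = re.search(r"DhcpNameServer\s*=\s*([\d. ]+)", combofix_text)
    return m.group(1).split() if m else []


def parse_dhcp(frst_text):
    """(leased address, DHCP server) from an FRST Dhcp 1002 entry; None where absent."""
    lease = re.search(rf"IP address lease ({IPV4})", frst_text)
    server = re.search(rf"DHCP server ({IPV4})", frst_text)
    return (lease.group(1) if lease else None, server.group(1) if server else None)


def classify(resolver, dhcp_server):
    """Place one resolver relative to the LAN that handed it out."""
    if resolver == dhcp_server:
        return "gateway"               # the router answers DNS itself: the usual home setup
    if ipaddress.ip_address(resolver).is_private:
        return "private"               # another host on the LAN
    if resolver in KNOWN_PUBLIC:
        return "known-public"
    return "unverified-external"       # compare with the ISP's resolvers and the router config


def review(combofix_text, frst_text):
    """Classify every resolver and list what a responder should go and verify."""
    resolvers = parse_resolvers(combofix_text)
    lease, dhcp_server = parse_dhcp(frst_text)
    verdicts = [(r, classify(r, dhcp_server)) for r in resolvers]
    findings = []
    if dhcp_server and dhcp_server not in resolvers:
        findings.append(f"DHCP server {dhcp_server} handed out resolvers other than itself; "
                        "read its DNS settings directly")
    if verdicts and verdicts[0][1] == "unverified-external":
        findings.append(f"primary resolver {verdicts[0][0]} is external and not on the allow-list; "
                        "confirm it against the ISP's published resolvers")
    # Assumption: a /24 home LAN; the logs do not show the subnet mask.
    if lease and dhcp_server and ipaddress.ip_address(lease) not in \
            ipaddress.ip_network(f"{dhcp_server}/24", strict=False):
        findings.append(f"lease {lease} is not on the DHCP server's /24; unexpected topology")
    return {"lease": lease, "dhcp_server": dhcp_server,
            "resolvers": verdicts, "findings": findings}


if __name__ == "__main__":
    for key, value in review(COMBOFIX_SAMPLE, FRST_SAMPLE).items():
        print(f"{key}: {value}")
```

The order of the two addresses matters: the Windows DNS client sends queries to the first listed server and falls back to the second only when the first does not answer, so 8.8.8.8 in second place says nothing about what the first one returns for www.youtube.com. The findings list is deliberately phrased as things to verify, not conclusions.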





