Citadel virus: ISP=Virgin says I have this, but I see no sign of it


This topic is locked
27 replies to this topic

#1 Sylvander

Sylvander

  • Members
  • 14 posts

Posted 20 October 2014 - 05:53 AM

Here's part of the genuine email they sent:

"We have been alerted that your computer may have become infected with a virus, commonly known as "malware" (malicious software). This e-mail gives you details of what we know and how you can deal with it.

What has happened?

We work with a number of not-for-profit organisations across the banking industry and security sectors that collate information on devices across the Internet that appear to be infected with a virus. They alert us and other UK Internet Service Providers when any of these devices appear on their network. Through this tracking they have notified us that a device on your home Internet connection (or one connected to your home network) may be infected with the Citadel virus.

An infected device may result in it being used to send out more viruses to other Internet users. Any personal data that you hold on your devices could be compromised, corrupted or lost. Malware can also cause your Internet connection to slow down.

The Citadel virus was detected on a device using your Internet connection or home network on 28 September 2014. If you are already aware of the issue, and have taken steps to fix it since this date you can ignore this communication. Otherwise it is very important that you take steps now to remedy this situation and make your device and network safe and secure.

 

I phoned them to confirm the email is genuine.

1. I was told that a malicious server on the web had received a contact from the virus, coming from my [router?] IP address, so it's from some device on my internal home network.

There is only my PC [running Puppy Linux = Slacko-5.7.0-pae; WinXP is almost never used, no emails, no going out onto the web]...

And...

My wife's Samsung Galaxy Tab 2 10.1inch Tablet - Silver (16GB, WiFi, Android 4.0) which appears to be functioning normally.

 

2.

a. I've scanned all the partitions on the internal HDD [sda1,2,3,5,6] and a Flash Drive using Avast on-demand scanner->[1 innocuous infected file on C:], and the Avira Rescue System bootable CD [2 innocuous infected files found on C: and a couple of portable programs on E:].

 

b. Booted XP on C:, downloaded/installed/ran Malwarebytes; it found about 6 harmless looking items, eliminated those.

No sign anywhere of the Citadel virus.

No OS slowdown or glitches, no demands for money; i.e. none of the reported symptoms of Citadel.

 

3. What to do?

Do I have this or not?





#2 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 20 October 2014 - 06:14 AM

:welcome:

Hello Sylvander,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Logs can take a while to research, so please be patient.
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • back up all your private data / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


2. Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.



***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.
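FRST.txt, which step 2 produces (the copy pasted later in this thread shows the layout), lists each autostart entry, service, driver and browser extension on one line, with the file's size, date and signer and tags such as "[File not signed]" or "[X]" for a missing file. The script below is an added example, not part of this thread or of FRST: it parses that layout over a constructed sample and flags the lines a malware-response helper would read first.

```python
"""Triage helper for FRST.txt logs: flags the autostart, service, driver and
browser-extension lines a malware-response helper reads first. Added example for
this thread, not part of FRST; it orders lines for review, it does not give a verdict."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the FRST.txt layout pasted later in this thread
# (SID and profile paths shortened; not the poster's real log).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [AMBDef] => AMBDef.exe
HKLM\...\Run: [UpdReg] => ÿÿÿÿ$¬
HKU\S-1-5-21-1111-2222-3333-1003\...\Run: [ASRockXTU] => [X]
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Boot Fix.vbs ()
==================== Internet (Whitelisted) ====================
FF Extension: Flashblock - C:\Profiles\x.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2013-12-11]
FF Extension: No Name - C:\Profiles\x.default\Extensions\firefox@ghostery.com.xpi [2013-12-10]
========================== Services (Whitelisted) =================
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 UPHClean; C:\Program Files\UPHClean\uphclean.exe [399872 2010-09-14] (Windows DDK provider) [File not signed]
==================== Drivers (Whitelisted) ====================
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
U1 WS2IFSL; No ImagePath
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
RUN_RE = re.compile(r"^HK\S*?\\\.\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] => (?P<value>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<value>.*)$")
SERVICE_RE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<value>.*)$")
EXT_RE = re.compile(r"^FF Extension: (?P<name>.*?) - (?P<value>.*)$")
# FRST prints an existing file as:  <path> [<size> <yyyy-mm-dd>] (<signer>) [tags...]
FILE_RECORD_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.+?)"? \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] '
    r"\((?P<signer>[^)]*)\)(?P<tags>.*)$")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1")


@dataclass(frozen=True)
class Finding:
    section: str
    line: str
    reason: str


def classify_file_value(value: str):
    """Reason to look at a Run/service/driver value, or None for an ordinary signed
    file record. 'unsigned' is a prioritisation signal only: several XP-era
    drivers in the thread's log are legitimately unsigned."""
    if value == "[X]":
        return "points to a missing file"
    if value == "No ImagePath":
        return "no image path"
    record = FILE_RECORD_RE.match(value)
    if record is None:
        # Non-printable bytes where a path should be (as in the UpdReg entry above).
        if any(ord(c) < 32 or ord(c) > 126 for c in value):
            return "garbled or binary value"
        return "not a file record (bare name or command line)"
    if "[File not signed]" in record.group("tags"):
        return "unsigned file"
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk an FRST.txt and return the lines worth a human's attention, in order."""
    findings: list[Finding] = []
    section = "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if header := SECTION_RE.match(line):
            section = header.group("name").replace(" (Whitelisted)", "")
            continue
        reason = None
        if (m := RUN_RE.match(line)) or (m := SERVICE_RE.match(line)):
            reason = classify_file_value(m.group("value"))
        elif m := STARTUP_RE.match(line):
            # FRST appends " (<signer>)" to Startup entries; drop it to get the path.
            path = m.group("value").rsplit(" (", 1)[0]
            if path.lower().endswith(SCRIPT_EXT):
                reason = "script file in the Startup folder"
        elif m := EXT_RE.match(line):
            if m.group("name") == "No Name":
                reason = "browser extension without a name"
        if reason:
            findings.append(Finding(section, line, reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason so the helper sees at a glance what stands out."""
    return dict(Counter(f.reason for f in findings))
```

Flagged lines are starting points for review, not verdicts; a missing file or a garbled Run value is often leftover from an uninstalled program rather than malware.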


#3 Sylvander

Sylvander
  • Topic Starter

  • Members
  • 14 posts

Posted 20 October 2014 - 09:19 AM

Hello Jo.

1. Following your instructions.

 

2. Got to:

To download "Security Check by screen317" I clicked on 1st and then 2nd links.

Both attempted to take me to "http://screen317.spywareinfoforum.org/", but timed out with "Problem loading page".

I've tried this using Firefox in: 1st Puppy Linux, then WinXP, and got the same result in both.



#4 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 20 October 2014 - 09:52 AM

With IE the links work fine for me.

Skip that and go on with the Farbar Recovery Scan Tool please.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 Sylvander

Sylvander
  • Topic Starter

  • Members
  • 14 posts

Posted 20 October 2014 - 10:32 AM

1. Tried the links using IE8, but that didn't work either.

 

2. The link to the "Farbar Recovery Scan Tool" worked OK.

Downloaded the file [32-bit on 64-bit PC] FRST.exe, ran it, completed the scan, 2 files saved to the same folder [C:\00] = FRST.txt & Addition.txt.

 

3. How should I change language setting from US to GB?

a. FRST.txt content:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 20-10-2014
Ran by Owner (administrator) on BEDROOM3 on 20-10-2014 16:09:40
Running from C:\00
Loaded Profile: Owner (Available profiles: Owner)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\WINDOWS\system32\TaskSwitch.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(FNet Co., Ltd.) C:\Program Files\XFastUsb\XFastUsb.exe
(Creative Technology Ltd) C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
(Creative Technology Ltd) C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
(Macrovision Europe Ltd.) C:\DOCUME~1\Owner\LOCALS~1\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001
(The Eraser Project) C:\PROGRA~1\Eraser\Eraser.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Windows ® Codename Longhorn DDK provider) C:\Program Files\UPHClean\uphclean.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Zune\ZuneBusEnum.exe
(Creative Labs) C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [CoolSwitch] => C:\WINDOWS\system32\taskswitch.exe [45632 2002-03-20] ()
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19722344 2010-11-16] (Realtek Semiconductor Corp.)
HKLM\...\Run: [XFastUsb] => C:\Program Files\XFastUsb\XFastUsb.exe [4942336 2013-12-08] (FNet Co., Ltd.)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM\...\Run: [CTSyncService] => C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe [1233195 2009-07-08] (Creative Technology Ltd)
HKLM\...\Run: [VolPanel] => C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe [241789 2009-05-04] (Creative Technology Ltd)
HKLM\...\Run: [AMBDef] => AMBDef.exe
HKLM\...\Run: [UpdReg] => ÿÿÿÿ$¬
HKLM\...\Run: [Zune Launcher] => U$¬
HKLM\...\Run: [Eraser] => è    
HKLM\...\Winlogon: [UIHost] C:\WINDOWS\system32\logonui.exe [514560 2008-04-14] ( (Microsoft Corporation))
HKLM\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKLM\...\Policies\Explorer: [NoSharedDocuments] 1
HKLM\...\Policies\Explorer: [MaxRecentDocs] 18
HKLM\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
HKU\S-1-5-19\...\RunOnce: [_nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\S-1-5-20\...\RunOnce: [_nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
HKU\S-1-5-21-1614895754-861567501-682003330-1003\...\Run: [ASRockXTU] => [X]
HKU\S-1-5-21-1614895754-861567501-682003330-1003\...\Run: [zASRockInstantBoot] => [X]
HKU\S-1-5-21-1614895754-861567501-682003330-1003\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_5_502_135_ActiveX.exe [697272 2012-12-17] (Adobe Systems Incorporated)
HKU\S-1-5-18\...\RunOnce: [_nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
SecurityProviders: schannel.dll, credssp.dll, digest.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft .NET Framework v4 - Slow Windows XP Boot Fix.vbs ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zone54.com/
SearchScopes: HKCU - {F83B7E7A-688A-47DA-A9E5-A40D9E15266B} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\etmj7ihh.default
FF Homepage: https://www.ixquick.com/
FF Plugin: @java.com/DTPlugin,version=10.10.2 -> C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.10.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Extension: Flashblock - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\etmj7ihh.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2013-12-11]
FF Extension: No Name - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\etmj7ihh.default\Extensions\firefox@ghostery.com.xpi [2013-12-10]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-12-08]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2013-12-08] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-23] (Creative Technology Ltd) [File not signed]
S3 dmadmin; C:\WINDOWS\System32\dmadmin.exe [224768 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [170408 2013-12-09] (Oracle Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 Sound Blaster X-Fi MB Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [79360 2013-12-08] (Creative Labs) [File not signed]
R2 UPHClean; C:\Program Files\UPHClean\uphclean.exe [399872 2010-09-14] (Windows ® Codename Longhorn DDK provider) [File not signed]
R2 ZuneBusEnum; c:\Program Files\Zune\ZuneBusEnum.exe [57056 2011-08-05] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R1 AsrAppCharger; C:\WINDOWS\System32\DRIVERS\AsrAppCharger.sys [13832 2010-06-11] (Windows ® Win 7 DDK provider)
R3 BazisVirtualCDBus; C:\WINDOWS\System32\DRIVERS\BazisVirtualCDBus.sys [117584 2011-08-08] (SysProgs.org)
S4 dmboot; C:\WINDOWS\System32\drivers\dmboot.sys [799744 2008-04-13] (Microsoft Corp., Veritas Software) [File not signed]
S3 FNETTBOH_305; C:\WINDOWS\System32\drivers\FNETTBOH_305.SYS [29248 2013-12-09] (FNet Co., Ltd.)
R1 FNETURPX; C:\WINDOWS\System32\drivers\FNETURPX.SYS [14656 2013-12-08] (FNet Co., Ltd.)
R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [63088 2010-08-24] (Atheros Communications, Inc.)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-20] (Malwarebytes Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
R0 mv61xxmm; C:\WINDOWS\system32\Drivers\mv61xxmm.sys [14184 2012-12-19] (Marvell Semiconductor Inc.)
R0 mv64xxmm; C:\WINDOWS\system32\Drivers\mv64xxmm.sys [5632 2012-12-19] (Marvell Semiconductor Inc.) [File not signed]
R0 mvxxmm; C:\WINDOWS\system32\Drivers\mvxxmm.sys [14184 2012-12-19] (Marvell Semiconductor Inc.)
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [361600 2012-12-18] (Microsoft Corporation) [File not signed]
R2 zumbus; C:\WINDOWS\System32\DRIVERS\zumbus.sys [41472 2011-08-05] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-20 16:08 - 2014-10-20 16:09 - 00000000 ____D () C:\FRST
2014-10-19 20:24 - 2014-10-20 16:00 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-10-19 20:24 - 2014-10-20 15:02 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-10-19 18:45 - 2014-10-19 18:45 - 00017458 _____ () C:\WINDOWS\KB2868626.log
2014-10-19 18:45 - 2014-10-19 18:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2868626$
2014-10-19 18:36 - 2014-10-19 18:37 - 00016805 _____ () C:\WINDOWS\KB2922229.log
2014-10-19 18:36 - 2014-10-19 18:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-10-19 18:27 - 2014-10-19 18:28 - 00016559 _____ () C:\WINDOWS\KB2916036.log
2014-10-19 18:27 - 2014-10-19 18:27 - 00015846 _____ () C:\WINDOWS\KB2934207.log
2014-10-19 18:27 - 2014-10-19 18:27 - 00015579 _____ () C:\WINDOWS\KB2834886.log
2014-10-19 18:27 - 2014-10-19 18:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2934207$
2014-10-19 18:27 - 2014-10-19 18:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
2014-10-19 18:27 - 2014-10-19 18:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834886$
2014-10-19 18:26 - 2014-10-19 18:26 - 00017195 _____ () C:\WINDOWS\KB2964358-IE8.log
2014-10-19 18:18 - 2014-10-19 18:18 - 00015946 _____ () C:\WINDOWS\KB2847311.log
2014-10-19 18:18 - 2014-10-19 18:18 - 00015359 _____ () C:\WINDOWS\KB2900986.log
2014-10-19 18:18 - 2014-10-19 18:18 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2900986$
2014-10-19 18:18 - 2014-10-19 18:18 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2847311$
2014-10-19 18:10 - 2014-10-19 18:10 - 00016466 _____ () C:\WINDOWS\KB2802968.log
2014-10-19 18:10 - 2014-10-19 18:10 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2802968$
2014-10-19 18:09 - 2014-10-19 18:10 - 00015054 _____ () C:\WINDOWS\KB2898715.log
2014-10-19 18:09 - 2014-10-19 18:09 - 00013662 _____ () C:\WINDOWS\KB2929961.log
2014-10-19 18:09 - 2014-10-19 18:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-10-19 18:09 - 2014-10-19 18:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2898715$
2014-10-19 18:08 - 2014-10-19 18:08 - 00301662 _____ () C:\WINDOWS\msxml4-KB2758694-enu.LOG
2014-10-19 18:08 - 2014-10-19 18:08 - 00015113 _____ () C:\WINDOWS\KB2862335.log
2014-10-19 18:08 - 2014-10-19 18:08 - 00013678 _____ () C:\WINDOWS\KB2834904-v2.log
2014-10-19 18:08 - 2014-10-19 18:08 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862335$
2014-10-19 18:08 - 2014-10-19 18:08 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834904-v2_WM11$
2014-10-19 18:08 - 2014-10-19 18:08 - 00000000 ____D () C:\Program Files\MSXML 4.0
2014-10-19 18:07 - 2014-10-19 18:07 - 00014864 _____ () C:\WINDOWS\KB2780091.log
2014-10-19 18:07 - 2014-10-19 18:07 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2780091$
2014-10-19 17:57 - 2014-10-19 17:57 - 00013497 _____ () C:\WINDOWS\KB2904266.log
2014-10-19 17:57 - 2014-10-19 17:57 - 00006620 _____ () C:\WINDOWS\system32\TZLog.log
2014-10-19 17:57 - 2014-10-19 17:57 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2904266$
2014-10-19 17:56 - 2014-10-19 17:57 - 00013572 _____ () C:\WINDOWS\KB2876217.log
2014-10-19 17:56 - 2014-10-19 17:56 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876217$
2014-10-19 17:55 - 2014-10-19 17:56 - 00013302 _____ () C:\WINDOWS\KB2930275.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00012699 _____ () C:\WINDOWS\KB2862152.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00012395 _____ () C:\WINDOWS\KB2864063.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00012178 _____ () C:\WINDOWS\KB2850869.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2864063$
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2850869$
2014-10-19 17:54 - 2014-10-19 17:54 - 00014233 _____ () C:\WINDOWS\KB2807986.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00013017 _____ () C:\WINDOWS\KB2859537.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00012002 _____ () C:\WINDOWS\KB2820917.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00011661 _____ () C:\WINDOWS\KB2876331.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00010550 _____ () C:\WINDOWS\KB2893294.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2893294$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876331$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2859537$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2820917$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2807986$
2014-10-19 17:53 - 2014-10-19 18:10 - 00000000 ___HD () C:\WINDOWS\$hf_mig$
2014-10-19 17:53 - 2014-10-19 17:54 - 00010658 _____ () C:\WINDOWS\KB2757638.log
2014-10-19 17:53 - 2014-10-19 17:53 - 00010339 _____ () C:\WINDOWS\KB2909210-IE8.log
2014-10-19 17:53 - 2014-10-19 17:53 - 00010021 _____ () C:\WINDOWS\KB2892075.log
2014-10-19 17:53 - 2014-10-19 17:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2892075$
2014-10-19 17:53 - 2014-10-19 17:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862330$
2014-10-19 17:53 - 2014-10-19 17:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2757638$
2014-10-19 17:52 - 2014-10-19 18:45 - 00006513 _____ () C:\WINDOWS\updspapi.log
2014-10-19 17:52 - 2014-10-19 17:53 - 00016232 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-10-19 17:52 - 2014-10-19 17:52 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-10-19 17:51 - 2014-10-19 17:52 - 00006953 _____ () C:\WINDOWS\KB2914368.log
2014-10-19 17:51 - 2014-10-19 17:51 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2014-10-19 17:16 - 2014-10-20 16:00 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-10-19 17:15 - 2014-10-19 17:15 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-19 17:15 - 2014-10-19 17:15 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-19 17:15 - 2014-10-19 17:15 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-19 17:15 - 2014-05-12 07:26 - 00053208 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-10-19 17:11 - 2014-03-12 11:48 - 00993280 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\kernel32.dll
2014-10-19 17:11 - 2013-12-05 12:26 - 01172992 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msxml3.dll
2014-10-19 17:11 - 2013-10-07 11:59 - 00603136 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\crypt32.dll
2014-10-19 17:10 - 2014-10-19 17:15 - 00000000 ____D () C:\Documents and Settings\Owner\Application Data\Malwarebytes
2014-10-19 17:10 - 2013-06-04 01:53 - 00290816 ____N (Adobe Systems Incorporated) C:\WINDOWS\system32\dllcache\atmfd.dll
2014-10-19 17:10 - 2013-01-26 04:55 - 00552448 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\oleaut32.dll
2014-10-19 17:09 - 2014-10-19 17:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-10-19 17:09 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-10-19 17:09 - 2014-02-07 03:01 - 01879040 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\win32k.sys
2014-10-19 17:09 - 2014-02-05 09:55 - 00562688 ____N () C:\WINDOWS\system32\dllcache\qedit.dll
2014-10-19 17:09 - 2013-11-07 06:38 - 00591360 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\rpcrt4.dll
2014-10-19 17:09 - 2013-10-12 16:56 - 00278528 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\oakley.dll
2014-10-19 17:09 - 2013-08-09 02:56 - 00386560 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\themeui.dll
2014-10-19 17:09 - 2013-08-05 14:30 - 01289728 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ole32.dll
2014-10-19 17:09 - 2013-07-10 11:37 - 00406016 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usp10.dll
2014-10-19 17:09 - 2013-01-02 07:48 - 01292288 ____N () C:\WINDOWS\system32\dllcache\quartz.dll
2014-10-19 17:09 - 2013-01-02 07:48 - 00148992 ____N () C:\WINDOWS\system32\dllcache\mpg2splt.ax
2014-10-19 17:08 - 2014-02-26 02:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\xp_eos.exe
2014-10-19 17:08 - 2014-02-26 02:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xp_eos.exe
2014-10-19 17:08 - 2013-11-13 03:59 - 00150528 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\imagehlp.dll
2014-10-19 17:08 - 2013-10-24 00:45 - 00172032 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\scrrun.dll
2014-10-19 17:08 - 2013-10-09 14:12 - 00287744 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\gdi32.dll
2014-10-19 17:08 - 2013-07-04 04:03 - 02149888 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2014-10-19 17:08 - 2013-07-04 03:59 - 02193536 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2014-10-19 17:08 - 2013-07-04 03:08 - 02070144 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2014-10-19 17:08 - 2013-07-04 03:08 - 02028544 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2014-10-19 17:08 - 2013-03-08 09:35 - 00293376 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\winsrv.dll
2014-10-19 17:08 - 2012-11-06 03:00 - 01446912 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msxml6.dll
2014-10-19 17:07 - 2013-07-03 03:12 - 00025088 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidparse.sys
2014-10-19 17:07 - 2013-07-03 02:59 - 00014976 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbscan.sys
2014-10-19 17:06 - 2014-04-30 09:13 - 06022144 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtml.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 01469440 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetcpl.cpl
2014-10-19 17:06 - 2014-03-06 18:59 - 01216000 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlmon.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00920064 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wininet.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00759296 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\vgx.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00743424 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00630272 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00611840 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mstime.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00387584 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedkcs32.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00247808 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00206848 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\occache.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00184320 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iepeers.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00105984 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\url.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00067072 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtmled.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00055296 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00043520 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\licmgr10.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00025600 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsproxy.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00018944 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\corpol.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00012800 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
2014-10-19 17:06 - 2014-01-04 04:13 - 00420864 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\vbscript.dll
2014-10-19 17:06 - 2013-08-09 01:55 - 00144128 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbport.sys
2014-10-19 17:06 - 2013-08-09 01:55 - 00032384 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbccgp.sys
2014-10-19 17:06 - 2013-08-09 01:55 - 00005376 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbd.sys
2014-10-19 17:06 - 2013-02-12 01:32 - 00012928 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usb8023x.sys
2014-10-19 17:06 - 2013-02-12 01:32 - 00012928 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usb8023.sys
2014-10-19 17:06 - 2009-03-18 12:02 - 00030336 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbehci.sys
2014-10-19 17:05 - 2014-03-06 18:59 - 11113472 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
2014-10-19 17:05 - 2014-03-06 18:59 - 02006016 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
2014-10-19 17:05 - 2014-03-06 18:59 - 00522240 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
2014-10-19 17:05 - 2013-11-27 21:21 - 00040960 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ndproxy.sys
2014-10-19 15:41 - 2014-10-19 15:43 - 00000000 ____D () C:\cce_linux
2014-10-16 17:54 - 2014-10-16 17:54 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-20 16:10 - 2013-12-09 02:00 - 00000000 ____D () C:\Documents and Settings\Owner\Local Settings\Temp
2014-10-20 16:09 - 2013-12-10 10:54 - 00000000 ____D () C:\00
2014-10-20 16:04 - 2013-12-08 19:48 - 00511206 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-10-20 16:01 - 2013-12-09 01:55 - 01124276 _____ () C:\WINDOWS\WindowsUpdate.log
2014-10-20 15:59 - 2013-12-09 01:59 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-10-20 15:22 - 2013-12-09 02:00 - 00000178 ___SH () C:\Documents and Settings\Owner\ntuser.ini
2014-10-20 15:22 - 2013-12-09 01:59 - 00015090 _____ () C:\WINDOWS\SchedLgU.Txt
2014-10-20 14:45 - 2013-12-10 10:54 - 00000000 ____D () C:\01
2014-10-19 20:28 - 2013-12-08 02:26 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-10-19 20:24 - 2013-12-08 19:45 - 00097456 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-10-19 18:45 - 2013-12-08 19:48 - 00313494 _____ () C:\WINDOWS\iis6.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00247839 _____ () C:\WINDOWS\FaxSetup.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00136673 _____ () C:\WINDOWS\ocgen.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00112148 _____ () C:\WINDOWS\tsoc.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00087297 _____ () C:\WINDOWS\comsetup.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00083118 _____ () C:\WINDOWS\msmqinst.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00052248 _____ () C:\WINDOWS\ntdtcsetup.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00040690 _____ () C:\WINDOWS\netfxocm.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00016719 _____ () C:\WINDOWS\MedCtrOC.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00011826 _____ () C:\WINDOWS\tabletoc.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00001393 _____ () C:\WINDOWS\imsins.log
2014-10-19 18:37 - 2013-12-08 19:48 - 00001393 _____ () C:\WINDOWS\imsins.BAK
2014-10-19 18:08 - 2013-12-08 19:46 - 01000137 _____ () C:\WINDOWS\setupapi.log
2014-10-19 17:37 - 2014-02-15 18:07 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-19 17:37 - 2013-12-08 19:41 - 00000000 ____D () C:\WINDOWS\Media
2014-10-19 17:30 - 2013-12-08 02:53 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2014-10-19 17:30 - 2013-12-08 02:53 - 00000724 _____ () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2014-10-19 17:13 - 2013-12-08 02:53 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-10-19 16:58 - 2013-12-09 02:04 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-10-19 16:58 - 2008-04-14 12:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-10-16 17:58 - 2013-12-09 02:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
2014-10-16 17:53 - 2013-12-09 01:53 - 00001570 _____ () C:\Documents and Settings\All Users\Start Menu\Microsoft Update.lnk
2014-10-01 21:03 - 2013-12-09 02:07 - 00000000 ____D () C:\Program Files\K-Lite Codec Pack

Files to move or delete:
====================
C:\Documents and Settings\Custom Settings\Extra Programs System Settings.reg
C:\Documents and Settings\Custom Settings\Extra Programs User Settings.reg
C:\Documents and Settings\Custom Settings\Windows XP System Settings.reg
C:\Documents and Settings\Custom Settings\Windows XP User Settings.reg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

b. Additional.txt content:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20-10-2014
Ran by Owner at 2014-10-20 16:10:31
Running from C:\00
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe AIR (Version: 1.0.8.4990 - Adobe Systems Inc.) Hidden
Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A90000000001}) (Version: 9.0.0 - Adobe Systems Incorporated)
Alt-Tab Task Switcher Powertoy for Windows XP (HKLM\...\{A7050037-F0EA-4BAB-BCD5-FC05507D6147}) (Version: 1.00.0001 - Microsoft Corporation)
ASRock App Charger v1.0.4 (HKLM\...\ASRock App Charger_is1) (Version:  - ASRock Inc.)
ASRock eXtreme Tuner v0.1.42 (HKLM\...\ASRock eXtreme Tuner_is1) (Version:  - )
ASRock InstantBoot v1.26 (HKLM\...\ASRock InstantBoot_is1) (Version:  - )
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.44 - Atheros Communications Inc.)
BitLocker To Go Reader (HKLM\...\KB970401) (Version:  - Microsoft Corporation)
ClearType Tuning Control Panel Applet (HKLM\...\{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}) (Version: 1.01.0000 - Microsoft Corporation)
ContextConsole Shell Extension (x86-32) (HKLM\...\CmdOpen Shell Extension) (Version: 2.1.0.1 - Kai Liu)
Eraser 6.0.10.2620 (HKLM\...\{A45C5EC7-F13E-4414-99BE-47373935C0FE}) (Version: 6.0.2620 - The Eraser Project)
HashCheck Shell Extension (x86-32) (HKLM\...\HashCheck Shell Extension) (Version: 2.1.11.1 - Kai Liu)
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.10.5328 - Intel Corporation)
Java 7 Update 10 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217010FF}) (Version: 7.0.100 - Oracle)
Java Auto Updater (Version: 2.1.9.0 - Sun Microsystems, Inc.) Hidden
K-Lite Mega Codec Pack 9.6.0 (HKLM\...\KLiteCodecPack_is1) (Version: 9.6.0 - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable - x86 8.0.50727.6229 (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61187 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6313 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6313 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219.414 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable - x86 11.0.51106.1 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 en-US) (HKLM\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.0 - Mozilla)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6257 - Realtek Semiconductor Corp.)
RootsMagic 3.2.6.0 UK Edition (HKLM\...\RootsMagic_is1) (Version:  - RootsMagic, Inc.)
Sound Blaster X-Fi MB (HKLM\...\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}) (Version: 1.0 - Creative Technology Limited)
SumatraPDF 2.1.1 (HKLM\...\SumatraPDF) (Version: 2.1.1 - Krzysztof Kowalczyk)
Unlocker 1.9.1 (HKLM\...\Unlocker) (Version: 1.9.1 - Cedrick Collomb)
User Profile Hive Cleanup Service (HKLM\...\{7D15B945-2725-4443-AB3F-D900556612FE}) (Version: 1.6.36 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WinCDEmu (HKLM\...\WinCDEmu) (Version: 3.6 - Bazis)
Windows Genuine Advantage Validation 1.9.42.0 Cracked (HKLM\...\{EB1BE39D-4C36-40A0-8CFB-079A2D14CB79}) (Version: 1.5.0.0 - Wocarson)
Windows Mobile Device Updater Component (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
XFastUsb (HKLM\...\XFastUsb) (Version:  - )
Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)
Zune (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (CHS) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (CHT) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (CSY) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (DAN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (DEU) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (ELL) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (ESP) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (FIN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (FRA) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (HUN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (IND) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (ITA) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (JPN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (KOR) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (MSL) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (NLD) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (NOR) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (PLK) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (PTB) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (PTG) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (RUS) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (SVE) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

08-12-2013 02:03:25 System Checkpoint
08-12-2013 02:05:30 clean install drive c
08-12-2013 03:05:23 Software Distribution Service 3.0
08-12-2013 03:05:40 Installed Zune 4.8
20-12-2013 13:38:12 Installed Eraser 6.0.10.2620
01-01-2014 13:07:29 System Checkpoint
15-02-2014 16:52:31 System Checkpoint
16-10-2014 16:56:17 Software Distribution Service 3.0
19-10-2014 16:51:19 Software Distribution Service 3.0

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 12:00 - 2008-04-14 12:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2013-12-09 02:06 - 2010-07-04 21:32 - 00010752 _____ () C:\Program Files\Unlocker\UnlockerCOM.dll
2002-03-20 00:30 - 2002-03-20 00:30 - 00045632 _____ () C:\WINDOWS\system32\taskswitch.exe
2014-10-20 15:59 - 2014-10-20 15:59 - 00697884 _____ () C:\Documents and Settings\Owner\Local Settings\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0001\~df394b.tmp
2014-10-20 16:00 - 2014-10-20 16:00 - 00592896 _____ () C:\Documents and Settings\Owner\Local Settings\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0001\~de6248.tmp

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-1614895754-861567501-682003330-500 - Administrator - Disabled)
Guest (S-1-5-21-1614895754-861567501-682003330-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1614895754-861567501-682003330-1000 - Limited - Disabled)
Owner (S-1-5-21-1614895754-861567501-682003330-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Owner
SUPPORT_388945a0 (S-1-5-21-1614895754-861567501-682003330-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

System errors:
=============
Error: (10/20/2014 04:00:43 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/20/2014 03:02:05 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.101 for the Network Card with network address 002522BD5B76 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (10/19/2014 08:25:47 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/19/2014 05:38:52 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/19/2014 05:38:20 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PCIIde

Error: (10/19/2014 05:38:15 PM) (Source: 0) (EventID: 1) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (10/19/2014 04:58:46 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.103 for the Network Card with network address 002522BD5B76 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (07/28/2014 06:32:31 PM) (Source: 0) (EventID: 4199) (User: )
Description: 192.168.0.10200:0B:3B:D4:AD:0A

Error: (05/24/2014 00:24:18 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.102 for the Network Card with network address 002522BD5B76 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (01/05/2014 01:03:57 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.103 for the Network Card with network address 002522BD5B76 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Microsoft Office Sessions:
=========================
Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

==================== Memory info ===========================

Processor:  Intel® Pentium® CPU G620T @ 2.20GHz
Percentage of memory in use: 26%
Total physical RAM: 3050.61 MB
Available physical RAM: 2234.31 MB
Total Pagefile: 4941.25 MB
Available Pagefile: 4272.07 MB
Total Virtual: 2047.88 MB
Available Virtual: 1936.72 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:20 GB) (Free:9.37 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:0.98 GB) (Free:0.36 GB) FAT32
Drive e: (DATA) (Fixed) (Total:2 GB) (Free:0.75 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: 000804AB)
Partition 1: (Active) - (Size=20 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1.5 GB) - (Type=0C)
Partition 3: (Not Active) - (Size=2 GB) - (Type=0C)
Partition 4: (Not Active) - (Size=209.4 GB) - (Type=05)

==================== End Of Log ============================



#6 Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 20 October 2014 - 10:43 AM

Hello Sylvander,

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 Sylvander

  • Topic Starter
  • Members
  • 14 posts

Posted 20 October 2014 - 11:51 AM

1. Malwarebytes: downloaded, installed, run, scanned, no malware found = clean!

2. Here's the content of the AdwCleaner[R0].txt file:

----------------------------------------------------------------------

# AdwCleaner v4.000 - Report created 20/10/2014 at 17:42:25
# Updated 12/10/2014 by Xplode
# Database :
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Owner - BEDROOM3
# Running from : C:\00\AdwCleaner\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v33.0 (x86 en-US)

[etmj7ihh.default] - Line Found : user_pref("browser.startup.homepage", "hxxps://www.ixquick.com/");

*************************

AdwCleaner[R0].txt - [686 octets] - [20/10/2014 17:42:25]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [745 octets] ##########

-------------------------------------------------------------------------------------------------------------------

Wouldn't want to eliminate either Internet Explorer or Firefox.

And I want to retain ixquick homepage.


Edited by Sylvander, 20 October 2014 - 11:55 AM.


#8 Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 20 October 2014 - 12:11 PM

Hello Sylvander,

Download ComboFix from the following location:
Link

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
cfRC_screen_2.png
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Enable your antivirus!

***


Please download Farbar Service Scanner and run it on the computer with the issue.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 Sylvander

  • Topic Starter
  • Members
  • 14 posts

Posted 21 October 2014 - 07:08 AM

Following your instructions in the previous post above:

1. Installed the XP Recovery Console, and made sure the password was blank=not_set, and tested.

Was taken to a C:\Windows> prompt.

Is that it functioning normally?

2. Downloaded the ComboFix.exe file and ran it.

Here's the content of the log.txt file:

------------------------------------------------------------------

ComboFix 14-10-20.01 - Owner 21/10/2014  12:38:21.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3051.2328 [GMT 1:00]
Running from: c:\00\ComboFix\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\setupapi.log
c:\windows\system\VB40032.DLL
c:\windows\system32\config\systemprofile\DELA5C.tmp
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\ShellExt\CmdOpen.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-21 to 2014-10-21  )))))))))))))))))))))))))))))))
.
.
2014-10-20 16:42 . 2014-10-20 17:26    --------    d-----w-    C:\AdwCleaner
2014-10-20 16:12 . 2014-10-20 16:34    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-10-20 15:08 . 2014-10-20 15:10    --------    d-----w-    C:\FRST
2014-10-19 17:08 . 2014-10-19 17:08    --------    d-----w-    c:\program files\MSXML 4.0
2014-10-19 16:53 . 2014-10-19 17:10    --------    d--h--w-    c:\windows\$hf_mig$
2014-10-19 16:52 . 2014-10-19 16:52    --------    d-----w-    c:\windows\ie8updates
2014-10-19 16:16 . 2014-10-21 11:31    110296    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-19 16:15 . 2014-10-20 16:10    54232    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-10-19 16:15 . 2014-10-19 16:15    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-10-19 16:11 . 2013-10-07 10:59    603136    ------w-    c:\windows\system32\dllcache\crypt32.dll
2014-10-19 16:11 . 2014-03-12 10:48    993280    ------w-    c:\windows\system32\dllcache\kernel32.dll
2014-10-19 16:11 . 2013-12-05 11:26    1172992    ------w-    c:\windows\system32\dllcache\msxml3.dll
2014-10-19 16:10 . 2013-06-04 00:53    290816    ------w-    c:\windows\system32\dllcache\atmfd.dll
2014-10-19 16:10 . 2013-01-26 03:55    552448    ------w-    c:\windows\system32\dllcache\oleaut32.dll
2014-10-19 16:10 . 2014-10-19 16:15    --------    d-----w-    c:\documents and settings\Owner\Application Data\Malwarebytes
2014-10-19 16:09 . 2013-11-07 05:38    591360    ------w-    c:\windows\system32\dllcache\rpcrt4.dll
2014-10-19 16:09 . 2014-10-19 16:15    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2014-10-19 16:09 . 2014-02-05 08:55    562688    ------w-    c:\windows\system32\dllcache\qedit.dll
2014-10-19 16:09 . 2014-05-12 06:25    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-10-19 16:09 . 2013-01-02 06:48    1292288    ------w-    c:\windows\system32\dllcache\quartz.dll
2014-10-19 16:09 . 2013-08-05 13:30    1289728    ------w-    c:\windows\system32\dllcache\ole32.dll
2014-10-19 16:09 . 2014-02-07 02:01    1879040    ------w-    c:\windows\system32\dllcache\win32k.sys
2014-10-19 16:09 . 2013-08-09 01:56    386560    ------w-    c:\windows\system32\dllcache\themeui.dll
2014-10-19 16:09 . 2013-10-12 15:56    278528    ------w-    c:\windows\system32\dllcache\oakley.dll
2014-10-19 16:09 . 2013-07-10 10:37    406016    ------w-    c:\windows\system32\dllcache\usp10.dll
2014-10-19 16:08 . 2013-10-09 13:12    287744    ------w-    c:\windows\system32\dllcache\gdi32.dll
2014-10-19 16:08 . 2013-07-04 03:03    2149888    ------w-    c:\windows\system32\dllcache\ntkrnlmp.exe
2014-10-19 16:08 . 2013-07-04 02:59    2193536    ------w-    c:\windows\system32\dllcache\ntoskrnl.exe
2014-10-19 16:08 . 2013-07-04 02:08    2028544    ------w-    c:\windows\system32\dllcache\ntkrpamp.exe
2014-10-19 16:08 . 2013-07-04 02:08    2070144    ------w-    c:\windows\system32\dllcache\ntkrnlpa.exe
2014-10-19 16:08 . 2013-03-08 08:35    293376    ------w-    c:\windows\system32\dllcache\winsrv.dll
2014-10-19 16:08 . 2013-11-13 02:59    150528    ------w-    c:\windows\system32\dllcache\imagehlp.dll
2014-10-19 16:08 . 2012-11-06 02:00    1446912    ------w-    c:\windows\system32\dllcache\msxml6.dll
2014-10-19 16:08 . 2013-10-23 23:45    172032    ------w-    c:\windows\system32\dllcache\scrrun.dll
2014-10-19 16:08 . 2014-02-26 01:59    13312    ------w-    c:\windows\system32\xp_eos.exe
2014-10-19 16:08 . 2014-02-26 01:59    13312    ------w-    c:\windows\system32\dllcache\xp_eos.exe
2014-10-19 16:07 . 2013-07-03 02:12    25088    ------w-    c:\windows\system32\dllcache\hidparse.sys
2014-10-19 16:07 . 2013-07-03 01:59    14976    ------w-    c:\windows\system32\dllcache\usbscan.sys
2014-10-19 16:05 . 2014-03-06 17:59    11113472    ------w-    c:\windows\system32\dllcache\ieframe.dll
2014-10-19 16:05 . 2014-03-06 17:59    2006016    ------w-    c:\windows\system32\dllcache\iertutil.dll
2014-10-19 16:05 . 2014-03-06 17:59    522240    ------w-    c:\windows\system32\dllcache\jsdbgui.dll
2014-10-19 16:05 . 2013-11-27 20:21    40960    ------w-    c:\windows\system32\dllcache\ndproxy.sys
2014-10-19 14:41 . 2014-10-19 14:43    --------    d---a-w-    C:\cce_linux
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-12-18 . F738697D2AA60AC4BA9B9DED1412D4B2 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-02 142360]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-02 176152]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-02 145944]
"RTHDCPL"="RTHDCPL.EXE" [2010-11-16 19722344]
"XFastUsb"="c:\program files\XFastUsb\XFastUsb.exe" [2013-12-08 4942336]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"CTSyncService"="c:\program files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe" [2009-07-08 1233195]
"VolPanel"="c:\program files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2009-05-04 241789]
"AMBDef"="AMBDef.exe" [2008-01-23 53248]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 159456]
"Eraser"="c:\progra~1\Eraser\Eraser.exe" [2012-05-22 980920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft .NET Framework v4 - Slow Windows XP Boot Fix.vbs [2012-6-20 861]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders    schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [19/12/2012 00:02 14184]
R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [19/12/2012 00:02 5632]
R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [19/12/2012 00:02 14184]
R1 AsrAppCharger;AsrAppCharger;c:\windows\system32\drivers\AsrAppCharger.sys [08/12/2013 02:32 13832]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [08/12/2013 02:32 14656]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [08/12/2013 02:30 2656280]
R3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [08/12/2013 02:29 1691480]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\drivers\BazisVirtualCDBus.sys [04/06/2011 21:14 117584]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [08/12/2013 02:28 260864]
R3 L1c;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [08/12/2013 19:45 63088]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [08/12/2013 02:30 41088]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [19/10/2014 17:15 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [19/10/2014 17:15 860472]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [08/12/2013 02:34 79360]
S3 FNETTBOH_305;FNETTBOH_305;c:\windows\system32\drivers\FNETTBOH_305.SYS [09/12/2013 12:19 29248]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [19/10/2014 17:09 23256]
S3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [08/12/2013 02:34 79360]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-21 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-10-19 01:59]
.
2014-10-20 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-10-19 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.zone54.com/
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\etmj7ihh.default\
FF - prefs.js: browser.startup.homepage - hxxps://ixquick.com/
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ASRockXTU - (no file)
HKCU-Run-zASRockInstantBoot - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-10-21 12:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  AMBDef = AMBDef.exe?|?????$?|U$?|???????
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2014-10-21  12:43:39
ComboFix-quarantined-files.txt  2014-10-21 11:43
.
Pre-Run: 9,783,488,512 bytes free
Post-Run: 9,937,330,176 bytes free
.
- - End Of File - - C6D62C6C4AB572C1A96B1EC9EE545517
8F558EB6672622401DA993E1E865C861

------------------------------------------------------------------------------------------------

 

3. Downloaded the FRST.exe file [Farbar Service Scanner], and ran it.

Here is the content of the FSS.txt file:

-------------------------------------------------------

Farbar Service Scanner Version: 21-07-2014
Ran by Owner (administrator) on 21-10-2014 at 13:01:26
Running from "C:\00\Farbar,service,scanner"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys
[2012-12-18 23:55] - [2012-12-18 23:55] - 0361600 ____A (Microsoft Corporation) F738697D2AA60AC4BA9B9DED1412D4B2

C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

---------------------------------------------------------------------------------------------------------------------

 

Here is the content of the Addition.txt file:

-------------------------------------------------------

Farbar Service Scanner Version: 21-07-2014
Ran by Owner (administrator) on 21-10-2014 at 13:01:26
Running from "C:\00\Farbar,service,scanner"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys
[2012-12-18 23:55] - [2012-12-18 23:55] - 0361600 ____A (Microsoft Corporation) F738697D2AA60AC4BA9B9DED1412D4B2

C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

------------------------------------------------------------------------------------------------



#10 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 21 October 2014 - 07:48 AM

Hello Sylvander,

That's OK with the XP Recovery Console.


Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Run the Farbar Recovery Scan Tool again.
  • Double-click to run FRST / FRST64. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

***


How is the computer running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#11 Sylvander

Sylvander
  • Topic Starter

  • Members
  • 14 posts

Posted 21 October 2014 - 08:39 AM

1. Downloaded JRT.exe and ran it.

Here is the content of the JRT.txt file:

--------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.14.2014:1)
OS: Microsoft Windows XP x86
Ran by Owner on 21/10/2014 at 14:09:45.23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Documents and Settings\Owner\Application Data\mozilla\firefox\profiles\etmj7ihh.default\prefs.js

user_pref("browser.startup.homepage", "hxxps://ixquick.com/");





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 21/10/2014 at 14:11:53.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------------------------------------------------------------

 

2. Deleted the previous txt files for the "Farbar Recovery Scan Tool", then ran the FRST.exe file.

Ticked all of the boxes and clicked "Scan".

Here's the content of the FSS.txt file.

------------------------------------------------------------------------------

Farbar Service Scanner Version: 21-07-2014
Ran by Owner (administrator) on 21-10-2014 at 14:23:38
Running from "C:\00\Farbar,service,scanner"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys
[2012-12-18 23:55] - [2012-12-18 23:55] - 0361600 ____A (Microsoft Corporation) F738697D2AA60AC4BA9B9DED1412D4B2

C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

-------------------------------------------------------------------------------------

 

This is the 2nd time that FRST.exe has been run, hence no Addition.txt file was produced.

 

3. You asked "How is the computer running now?".

ANSWER: I see no change. The PC appears to be running the same as it did before all of this was started.



#12 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 21 October 2014 - 08:49 AM

Hi,

You ran the Farbar Service Scanner again.


But now we need a log from the "Farbar Recovery Scan Tool", so please run the FRST.exe file again.

 




#13 Sylvander

Sylvander
  • Topic Starter

  • Members
  • 14 posts

Posted 21 October 2014 - 12:34 PM

1. Here's the content of FRST.txt

-----------------------------------------------------------------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-10-2014
Ran by Owner (administrator) on BEDROOM3 on 21-10-2014 18:18:35
Running from C:\00\Farbar,recovery,scan,tool
Loaded Profile: Owner (Available profiles: Owner)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Creative Technology Ltd) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\WINDOWS\system32\TaskSwitch.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(FNet Co., Ltd.) C:\Program Files\XFastUsb\XFastUsb.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
(Creative Technology Ltd) C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe
(Creative Technology Ltd) C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
(Macrovision Europe Ltd.) C:\DOCUME~1\Owner\LOCALS~1\temp\Sound_Blaster_X-Fi_MB_Cleanup.0001
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(The Eraser Project) C:\PROGRA~1\Eraser\Eraser.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Windows ® Codename Longhorn DDK provider) C:\Program Files\UPHClean\uphclean.exe
(Microsoft Corporation) C:\Program Files\Zune\ZuneBusEnum.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Creative Labs) C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\wmiadap.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [CoolSwitch] => C:\WINDOWS\system32\taskswitch.exe [45632 2002-03-20] ()
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [19722344 2010-11-16] (Realtek Semiconductor Corp.)
HKLM\...\Run: [XFastUsb] => C:\Program Files\XFastUsb\XFastUsb.exe [4942336 2013-12-08] (FNet Co., Ltd.)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM\...\Run: [CTSyncService] => C:\Program Files\InstallShield Installation Information\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}\AMBSPISyncService.exe [1233195 2009-07-08] (Creative Technology Ltd)
HKLM\...\Run: [VolPanel] => C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe [241789 2009-05-04] (Creative Technology Ltd)
HKLM\...\Run: [AMBDef] => AMBDef.exe
HKLM\...\Run: [UpdReg] => ÿÿÿÿ$¬
HKLM\...\Run: [Zune Launcher] => U$¬
HKLM\...\Run: [Eraser] => è     
HKLM\...\Winlogon: [UIHost] C:\WINDOWS\system32\logonui.exe [514560 2008-04-14] ( (Microsoft Corporation))
HKLM\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKLM\...\Policies\Explorer: [NoSharedDocuments] 1
HKLM\...\Policies\Explorer: [MaxRecentDocs] 18
HKLM\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKLM\...\Policies\Explorer: [NoRecentDocsNetHood] 1
HKLM\...\Policies\Explorer: [MemCheckBoxInRunDlg] 1
HKU\S-1-5-18\...\RunOnce: [_nltide_3] => rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
SecurityProviders: schannel.dll, credssp.dll, digest.dll
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft .NET Framework v4 - Slow Windows XP Boot Fix.vbs ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zone54.com/
SearchScopes: HKCU - {F83B7E7A-688A-47DA-A9E5-A40D9E15266B} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\etmj7ihh.default
FF Homepage: https://ixquick.com/
FF Plugin: @java.com/DTPlugin,version=10.10.2 -> C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.10.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Extension: Flashblock - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\etmj7ihh.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2013-12-11]
FF Extension: No Name - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\etmj7ihh.default\Extensions\firefox@ghostery.com.xpi [2013-12-10]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-12-08]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2013-12-08] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [307200 2009-02-23] (Creative Technology Ltd) [File not signed]
S3 dmadmin; C:\WINDOWS\System32\dmadmin.exe [224768 2008-04-14] (Microsoft Corp., Veritas Software) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [170408 2013-12-09] (Oracle Corporation)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R3 Sound Blaster X-Fi MB Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [79360 2013-12-08] (Creative Labs) [File not signed]
R2 UPHClean; C:\Program Files\UPHClean\uphclean.exe [399872 2010-09-14] (Windows ® Codename Longhorn DDK provider) [File not signed]
R2 ZuneBusEnum; c:\Program Files\Zune\ZuneBusEnum.exe [57056 2011-08-05] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R1 AsrAppCharger; C:\WINDOWS\System32\DRIVERS\AsrAppCharger.sys [13832 2010-06-11] (Windows ® Win 7 DDK provider)
R3 BazisVirtualCDBus; C:\WINDOWS\System32\DRIVERS\BazisVirtualCDBus.sys [117584 2011-08-08] (SysProgs.org)
S4 dmboot; C:\WINDOWS\System32\drivers\dmboot.sys [799744 2008-04-13] (Microsoft Corp., Veritas Software) [File not signed]
S3 FNETTBOH_305; C:\WINDOWS\System32\drivers\FNETTBOH_305.SYS [29248 2013-12-09] (FNet Co., Ltd.)
R1 FNETURPX; C:\WINDOWS\System32\drivers\FNETURPX.SYS [14656 2013-12-08] (FNet Co., Ltd.)
R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [63088 2010-08-24] (Atheros Communications, Inc.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
R0 mv61xxmm; C:\WINDOWS\system32\Drivers\mv61xxmm.sys [14184 2012-12-19] (Marvell Semiconductor Inc.)
R0 mv64xxmm; C:\WINDOWS\system32\Drivers\mv64xxmm.sys [5632 2012-12-19] (Marvell Semiconductor Inc.) [File not signed]
R0 mvxxmm; C:\WINDOWS\system32\Drivers\mvxxmm.sys [14184 2012-12-19] (Marvell Semiconductor Inc.)
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [361600 2012-12-18] (Microsoft Corporation) [File not signed]
R2 zumbus; C:\WINDOWS\System32\DRIVERS\zumbus.sys [41472 2011-08-05] (Microsoft Corporation)
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-21 14:11 - 2014-10-21 14:11 - 00000925 _____ () C:\Documents and Settings\Owner\Desktop\JRT.txt
2014-10-21 14:09 - 2014-10-21 14:09 - 00000000 ____D () C:\WINDOWS\ERUNT
2014-10-21 14:03 - 2014-10-21 14:03 - 00000000 ____D () C:\WINDOWS\system32\xircom
2014-10-21 14:03 - 2014-10-21 14:03 - 00000000 ____D () C:\Program Files\xerox
2014-10-21 14:03 - 2014-10-21 14:03 - 00000000 ____D () C:\Program Files\outlook express
2014-10-21 14:03 - 2014-10-21 14:03 - 00000000 ____D () C:\Program Files\netmeeting
2014-10-21 14:03 - 2014-10-21 14:03 - 00000000 ____D () C:\Program Files\movie maker
2014-10-21 14:03 - 2014-10-21 14:03 - 00000000 ____D () C:\Program Files\microsoft frontpage
2014-10-21 12:43 - 2014-10-21 18:19 - 00000000 ____D () C:\Documents and Settings\Owner\Local Settings\temp
2014-10-21 12:43 - 2014-10-21 12:43 - 00012721 _____ () C:\ComboFix.txt
2014-10-21 12:43 - 2014-10-21 12:43 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-10-21 12:43 - 2014-10-21 12:43 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-10-21 12:36 - 2014-10-21 12:43 - 00000000 ____D () C:\Qoobox
2014-10-21 12:36 - 2014-10-21 12:42 - 00000000 ____D () C:\WINDOWS\erdnt
2014-10-21 12:36 - 2011-06-26 07:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-10-21 12:36 - 2010-11-07 18:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-10-21 12:36 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-10-21 12:36 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-10-21 12:36 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-10-21 12:36 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-10-21 12:36 - 2000-08-31 01:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-10-21 12:36 - 2000-08-31 01:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-10-21 12:36 - 2000-08-31 01:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-10-21 10:28 - 2013-12-20 15:48 - 00000211 ___SH () C:\BOOT.BAK
2014-10-21 10:28 - 2008-04-14 12:00 - 00260288 __RSH () C:\cmldr
2014-10-21 10:27 - 2014-10-21 10:28 - 00000000 _RSHD () C:\cmdcons
2014-10-21 10:27 - 2014-10-21 10:27 - 00000581 _____ () C:\WINDOWS\wsdu.log
2014-10-21 10:27 - 2014-10-21 10:27 - 00000264 _____ () C:\WINDOWS\UPGRADE.TXT
2014-10-21 10:27 - 2014-10-21 10:27 - 00000000 ____D () C:\WINDOWS\setup.pss
2014-10-21 10:26 - 2014-10-21 10:28 - 00024677 _____ () C:\WINDOWS\WINNT32.LOG
2014-10-21 10:26 - 2014-10-21 10:26 - 00000178 _____ () C:\WINDOWS\DHCPUPG.LOG
2014-10-20 17:42 - 2014-10-20 18:26 - 00000000 ____D () C:\AdwCleaner
2014-10-20 17:12 - 2014-10-20 17:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2014-10-20 16:08 - 2014-10-21 18:18 - 00000000 ____D () C:\FRST
2014-10-19 20:24 - 2014-10-21 18:14 - 00000222 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-10-19 20:24 - 2014-10-20 15:02 - 00000216 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-10-19 18:45 - 2014-10-19 18:45 - 00017458 _____ () C:\WINDOWS\KB2868626.log
2014-10-19 18:45 - 2014-10-19 18:45 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2868626$
2014-10-19 18:36 - 2014-10-19 18:37 - 00016805 _____ () C:\WINDOWS\KB2922229.log
2014-10-19 18:36 - 2014-10-19 18:36 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2922229$
2014-10-19 18:27 - 2014-10-19 18:28 - 00016559 _____ () C:\WINDOWS\KB2916036.log
2014-10-19 18:27 - 2014-10-19 18:27 - 00015846 _____ () C:\WINDOWS\KB2934207.log
2014-10-19 18:27 - 2014-10-19 18:27 - 00015579 _____ () C:\WINDOWS\KB2834886.log
2014-10-19 18:27 - 2014-10-19 18:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2934207$
2014-10-19 18:27 - 2014-10-19 18:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2916036$
2014-10-19 18:27 - 2014-10-19 18:27 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834886$
2014-10-19 18:26 - 2014-10-19 18:26 - 00017195 _____ () C:\WINDOWS\KB2964358-IE8.log
2014-10-19 18:18 - 2014-10-19 18:18 - 00015946 _____ () C:\WINDOWS\KB2847311.log
2014-10-19 18:18 - 2014-10-19 18:18 - 00015359 _____ () C:\WINDOWS\KB2900986.log
2014-10-19 18:18 - 2014-10-19 18:18 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2900986$
2014-10-19 18:18 - 2014-10-19 18:18 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2847311$
2014-10-19 18:10 - 2014-10-19 18:10 - 00016466 _____ () C:\WINDOWS\KB2802968.log
2014-10-19 18:10 - 2014-10-19 18:10 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2802968$
2014-10-19 18:09 - 2014-10-19 18:10 - 00015054 _____ () C:\WINDOWS\KB2898715.log
2014-10-19 18:09 - 2014-10-19 18:09 - 00013662 _____ () C:\WINDOWS\KB2929961.log
2014-10-19 18:09 - 2014-10-19 18:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-10-19 18:09 - 2014-10-19 18:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2898715$
2014-10-19 18:08 - 2014-10-19 18:08 - 00301662 _____ () C:\WINDOWS\msxml4-KB2758694-enu.LOG
2014-10-19 18:08 - 2014-10-19 18:08 - 00015113 _____ () C:\WINDOWS\KB2862335.log
2014-10-19 18:08 - 2014-10-19 18:08 - 00013678 _____ () C:\WINDOWS\KB2834904-v2.log
2014-10-19 18:08 - 2014-10-19 18:08 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862335$
2014-10-19 18:08 - 2014-10-19 18:08 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2834904-v2_WM11$
2014-10-19 18:08 - 2014-10-19 18:08 - 00000000 ____D () C:\Program Files\MSXML 4.0
2014-10-19 18:07 - 2014-10-19 18:07 - 00014864 _____ () C:\WINDOWS\KB2780091.log
2014-10-19 18:07 - 2014-10-19 18:07 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2780091$
2014-10-19 17:57 - 2014-10-19 17:57 - 00013497 _____ () C:\WINDOWS\KB2904266.log
2014-10-19 17:57 - 2014-10-19 17:57 - 00006620 _____ () C:\WINDOWS\system32\TZLog.log
2014-10-19 17:57 - 2014-10-19 17:57 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2904266$
2014-10-19 17:56 - 2014-10-19 17:57 - 00013572 _____ () C:\WINDOWS\KB2876217.log
2014-10-19 17:56 - 2014-10-19 17:56 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876217$
2014-10-19 17:55 - 2014-10-19 17:56 - 00013302 _____ () C:\WINDOWS\KB2930275.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00012699 _____ () C:\WINDOWS\KB2862152.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00012395 _____ () C:\WINDOWS\KB2864063.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00012178 _____ () C:\WINDOWS\KB2850869.log
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2930275$
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2864063$
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862152$
2014-10-19 17:55 - 2014-10-19 17:55 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2850869$
2014-10-19 17:54 - 2014-10-19 17:54 - 00014233 _____ () C:\WINDOWS\KB2807986.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00013017 _____ () C:\WINDOWS\KB2859537.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00012002 _____ () C:\WINDOWS\KB2820917.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00011661 _____ () C:\WINDOWS\KB2876331.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00010550 _____ () C:\WINDOWS\KB2893294.log
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2893294$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2876331$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2859537$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2820917$
2014-10-19 17:54 - 2014-10-19 17:54 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2807986$
2014-10-19 17:53 - 2014-10-19 18:10 - 00000000 ___HD () C:\WINDOWS\$hf_mig$
2014-10-19 17:53 - 2014-10-19 17:54 - 00010658 _____ () C:\WINDOWS\KB2757638.log
2014-10-19 17:53 - 2014-10-19 17:53 - 00010339 _____ () C:\WINDOWS\KB2909210-IE8.log
2014-10-19 17:53 - 2014-10-19 17:53 - 00010021 _____ () C:\WINDOWS\KB2892075.log
2014-10-19 17:53 - 2014-10-19 17:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2892075$
2014-10-19 17:53 - 2014-10-19 17:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2862330$
2014-10-19 17:53 - 2014-10-19 17:53 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2757638$
2014-10-19 17:52 - 2014-10-19 18:45 - 00006513 _____ () C:\WINDOWS\updspapi.log
2014-10-19 17:52 - 2014-10-19 17:53 - 00016232 _____ () C:\WINDOWS\KB2936068-IE8.log
2014-10-19 17:52 - 2014-10-19 17:52 - 00000000 ____D () C:\WINDOWS\ie8updates
2014-10-19 17:51 - 2014-10-19 17:52 - 00006953 _____ () C:\WINDOWS\KB2914368.log
2014-10-19 17:51 - 2014-10-19 17:51 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2914368$
2014-10-19 17:16 - 2014-10-21 18:15 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-10-19 17:15 - 2014-10-20 17:10 - 00054232 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-10-19 17:15 - 2014-10-19 17:15 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-19 17:15 - 2014-10-19 17:15 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-19 17:15 - 2014-10-19 17:15 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-19 17:11 - 2014-03-12 11:48 - 00993280 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\kernel32.dll
2014-10-19 17:11 - 2013-12-05 12:26 - 01172992 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msxml3.dll
2014-10-19 17:11 - 2013-10-07 11:59 - 00603136 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\crypt32.dll
2014-10-19 17:10 - 2014-10-19 17:15 - 00000000 ____D () C:\Documents and Settings\Owner\Application Data\Malwarebytes
2014-10-19 17:10 - 2013-06-04 01:53 - 00290816 ____N (Adobe Systems Incorporated) C:\WINDOWS\system32\dllcache\atmfd.dll
2014-10-19 17:10 - 2013-01-26 04:55 - 00552448 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\oleaut32.dll
2014-10-19 17:09 - 2014-10-19 17:15 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-10-19 17:09 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-10-19 17:09 - 2014-02-07 03:01 - 01879040 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\win32k.sys
2014-10-19 17:09 - 2014-02-05 09:55 - 00562688 ____N () C:\WINDOWS\system32\dllcache\qedit.dll
2014-10-19 17:09 - 2013-11-07 06:38 - 00591360 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\rpcrt4.dll
2014-10-19 17:09 - 2013-10-12 16:56 - 00278528 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\oakley.dll
2014-10-19 17:09 - 2013-08-09 02:56 - 00386560 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\themeui.dll
2014-10-19 17:09 - 2013-08-05 14:30 - 01289728 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ole32.dll
2014-10-19 17:09 - 2013-07-10 11:37 - 00406016 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usp10.dll
2014-10-19 17:09 - 2013-01-02 07:48 - 01292288 ____N () C:\WINDOWS\system32\dllcache\quartz.dll
2014-10-19 17:09 - 2013-01-02 07:48 - 00148992 ____N () C:\WINDOWS\system32\dllcache\mpg2splt.ax
2014-10-19 17:08 - 2014-02-26 02:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\xp_eos.exe
2014-10-19 17:08 - 2014-02-26 02:59 - 00013312 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xp_eos.exe
2014-10-19 17:08 - 2013-11-13 03:59 - 00150528 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\imagehlp.dll
2014-10-19 17:08 - 2013-10-24 00:45 - 00172032 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\scrrun.dll
2014-10-19 17:08 - 2013-10-09 14:12 - 00287744 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\gdi32.dll
2014-10-19 17:08 - 2013-07-04 04:03 - 02149888 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2014-10-19 17:08 - 2013-07-04 03:59 - 02193536 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2014-10-19 17:08 - 2013-07-04 03:08 - 02070144 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2014-10-19 17:08 - 2013-07-04 03:08 - 02028544 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2014-10-19 17:08 - 2013-03-08 09:35 - 00293376 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\winsrv.dll
2014-10-19 17:08 - 2012-11-06 03:00 - 01446912 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msxml6.dll
2014-10-19 17:07 - 2013-07-03 03:12 - 00025088 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidparse.sys
2014-10-19 17:07 - 2013-07-03 02:59 - 00014976 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbscan.sys
2014-10-19 17:06 - 2014-04-30 09:13 - 06022144 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtml.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 01469440 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\inetcpl.cpl
2014-10-19 17:06 - 2014-03-06 18:59 - 01216000 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\urlmon.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00920064 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wininet.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00759296 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\vgx.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00743424 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedvtool.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00630272 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeeds.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00611840 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mstime.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00387584 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iedkcs32.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00247808 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieproxy.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00206848 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\occache.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00184320 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iepeers.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00105984 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\url.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00067072 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mshtmled.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00055296 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00043520 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\licmgr10.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00025600 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsproxy.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00018944 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\corpol.dll
2014-10-19 17:06 - 2014-03-06 18:59 - 00012800 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\xpshims.dll
2014-10-19 17:06 - 2014-01-04 04:13 - 00420864 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\vbscript.dll
2014-10-19 17:06 - 2013-08-09 01:55 - 00144128 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbport.sys
2014-10-19 17:06 - 2013-08-09 01:55 - 00032384 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbccgp.sys
2014-10-19 17:06 - 2013-08-09 01:55 - 00005376 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbd.sys
2014-10-19 17:06 - 2013-02-12 01:32 - 00012928 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usb8023x.sys
2014-10-19 17:06 - 2013-02-12 01:32 - 00012928 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usb8023.sys
2014-10-19 17:06 - 2009-03-18 12:02 - 00030336 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbehci.sys
2014-10-19 17:05 - 2014-03-06 18:59 - 11113472 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ieframe.dll
2014-10-19 17:05 - 2014-03-06 18:59 - 02006016 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\iertutil.dll
2014-10-19 17:05 - 2014-03-06 18:59 - 00522240 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\jsdbgui.dll
2014-10-19 17:05 - 2013-11-27 21:21 - 00040960 ____N (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ndproxy.sys
2014-10-19 15:41 - 2014-10-19 15:43 - 00000000 ____D () C:\cce_linux
2014-10-16 17:54 - 2014-10-16 17:54 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-21 18:18 - 2013-12-08 19:48 - 00511206 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-10-21 18:15 - 2013-12-09 01:55 - 01178803 _____ () C:\WINDOWS\WindowsUpdate.log
2014-10-21 18:14 - 2013-12-09 01:59 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-10-21 18:06 - 2013-12-10 10:54 - 00000000 ____D () C:\00
2014-10-21 14:41 - 2013-12-09 02:00 - 00000178 ___SH () C:\Documents and Settings\Owner\ntuser.ini
2014-10-21 14:41 - 2013-12-09 01:59 - 00020042 _____ () C:\WINDOWS\SchedLgU.Txt
2014-10-21 14:03 - 2013-12-08 19:41 - 00000000 ____D () C:\WINDOWS\Help
2014-10-21 12:41 - 2013-12-08 19:41 - 00000000 ____D () C:\WINDOWS\system32\ShellExt
2014-10-21 12:41 - 2013-12-08 19:41 - 00000000 ____D () C:\WINDOWS\system
2014-10-21 12:41 - 2008-04-14 12:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-10-21 10:28 - 2013-12-08 19:46 - 00122482 _____ () C:\WINDOWS\setupact.log
2014-10-21 10:28 - 2013-12-08 19:44 - 00000282 __RSH () C:\boot.ini
2014-10-20 18:28 - 2008-04-14 12:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-10-20 18:08 - 2013-12-08 02:26 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-10-20 14:45 - 2013-12-10 10:54 - 00000000 ____D () C:\01
2014-10-19 20:24 - 2013-12-08 19:45 - 00097456 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-10-19 18:45 - 2013-12-08 19:48 - 00313494 _____ () C:\WINDOWS\iis6.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00247839 _____ () C:\WINDOWS\FaxSetup.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00136673 _____ () C:\WINDOWS\ocgen.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00112148 _____ () C:\WINDOWS\tsoc.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00087297 _____ () C:\WINDOWS\comsetup.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00083118 _____ () C:\WINDOWS\msmqinst.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00052248 _____ () C:\WINDOWS\ntdtcsetup.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00040690 _____ () C:\WINDOWS\netfxocm.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00016719 _____ () C:\WINDOWS\MedCtrOC.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00011826 _____ () C:\WINDOWS\tabletoc.log
2014-10-19 18:45 - 2013-12-08 19:48 - 00001393 _____ () C:\WINDOWS\imsins.log
2014-10-19 18:37 - 2013-12-08 19:48 - 00001393 _____ () C:\WINDOWS\imsins.BAK
2014-10-19 17:37 - 2014-02-15 18:07 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-19 17:37 - 2013-12-08 19:41 - 00000000 ____D () C:\WINDOWS\Media
2014-10-19 17:30 - 2013-12-08 02:53 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2014-10-19 17:30 - 2013-12-08 02:53 - 00000724 _____ () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2014-10-19 17:13 - 2013-12-08 02:53 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-10-19 16:58 - 2013-12-09 02:04 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-10-16 17:58 - 2013-12-09 02:04 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
2014-10-16 17:53 - 2013-12-09 01:53 - 00001570 _____ () C:\Documents and Settings\All Users\Start Menu\Microsoft Update.lnk
2014-10-01 21:03 - 2013-12-09 02:07 - 00000000 ____D () C:\Program Files\K-Lite Codec Pack

Files to move or delete:
====================
C:\Documents and Settings\Custom Settings\Extra Programs System Settings.reg
C:\Documents and Settings\Custom Settings\Extra Programs User Settings.reg
C:\Documents and Settings\Custom Settings\Windows XP System Settings.reg
C:\Documents and Settings\Custom Settings\Windows XP User Settings.reg


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

-----------------------------------------------------------------------------------------------------------------------------

2. Here's the content of Addition.txt

----------------------------------------------------------

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21-10-2014
Ran by Owner at 2014-10-21 18:19:05
Running from C:\00\Farbar,recovery,scan,tool
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe AIR (Version: 1.0.8.4990 - Adobe Systems Inc.) Hidden
Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A90000000001}) (Version: 9.0.0 - Adobe Systems Incorporated)
Alt-Tab Task Switcher Powertoy for Windows XP (HKLM\...\{A7050037-F0EA-4BAB-BCD5-FC05507D6147}) (Version: 1.00.0001 - Microsoft Corporation)
ASRock App Charger v1.0.4 (HKLM\...\ASRock App Charger_is1) (Version:  - ASRock Inc.)
ASRock eXtreme Tuner v0.1.42 (HKLM\...\ASRock eXtreme Tuner_is1) (Version:  - )
ASRock InstantBoot v1.26 (HKLM\...\ASRock InstantBoot_is1) (Version:  - )
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.44 - Atheros Communications Inc.)
BitLocker To Go Reader (HKLM\...\KB970401) (Version:  - Microsoft Corporation)
ClearType Tuning Control Panel Applet (HKLM\...\{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}) (Version: 1.01.0000 - Microsoft Corporation)
ContextConsole Shell Extension (x86-32) (HKLM\...\CmdOpen Shell Extension) (Version: 2.1.0.1 - Kai Liu)
Eraser 6.0.10.2620 (HKLM\...\{A45C5EC7-F13E-4414-99BE-47373935C0FE}) (Version: 6.0.2620 - The Eraser Project)
HashCheck Shell Extension (x86-32) (HKLM\...\HashCheck Shell Extension) (Version: 2.1.11.1 - Kai Liu)
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.10.5328 - Intel Corporation)
Java 7 Update 10 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217010FF}) (Version: 7.0.100 - Oracle)
Java Auto Updater (Version: 2.1.9.0 - Sun Microsystems, Inc.) Hidden
K-Lite Mega Codec Pack 9.6.0 (HKLM\...\KLiteCodecPack_is1) (Version: 9.6.0 - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable - x86 8.0.50727.6229 (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61187 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6313 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6313 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219.414 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable - x86 11.0.51106.1 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 en-US) (HKLM\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 33.0 - Mozilla)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6257 - Realtek Semiconductor Corp.)
RootsMagic 3.2.6.0 UK Edition (HKLM\...\RootsMagic_is1) (Version:  - RootsMagic, Inc.)
Sound Blaster X-Fi MB (HKLM\...\{F3D9AC82-30F4-4BB9-B9AB-8697637568C1}) (Version: 1.0 - Creative Technology Limited)
SumatraPDF 2.1.1 (HKLM\...\SumatraPDF) (Version: 2.1.1 - Krzysztof Kowalczyk)
Unlocker 1.9.1 (HKLM\...\Unlocker) (Version: 1.9.1 - Cedrick Collomb)
User Profile Hive Cleanup Service (HKLM\...\{7D15B945-2725-4443-AB3F-D900556612FE}) (Version: 1.6.36 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WinCDEmu (HKLM\...\WinCDEmu) (Version: 3.6 - Bazis)
Windows Genuine Advantage Validation 1.9.42.0 Cracked (HKLM\...\{EB1BE39D-4C36-40A0-8CFB-079A2D14CB79}) (Version: 1.5.0.0 - Wocarson)
Windows Mobile Device Updater Component (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
XFastUsb (HKLM\...\XFastUsb) (Version:  - )
Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)
Zune (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (CHS) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (CHT) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (CSY) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (DAN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (DEU) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (ELL) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (ESP) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (FIN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (FRA) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (HUN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (IND) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (ITA) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (JPN) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (KOR) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (MSL) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (NLD) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (NOR) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (PLK) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (PTB) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (PTG) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (RUS) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden
Zune Language Pack (SVE) (Version: 04.08.2345.00 - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

08-12-2013 02:03:25 System Checkpoint
08-12-2013 02:05:30 clean install drive c
08-12-2013 03:05:23 Software Distribution Service 3.0
08-12-2013 03:05:40 Installed Zune 4.8
20-12-2013 13:38:12 Installed Eraser 6.0.10.2620
01-01-2014 13:07:29 System Checkpoint
15-02-2014 16:52:31 System Checkpoint
16-10-2014 16:56:17 Software Distribution Service 3.0
19-10-2014 16:51:19 Software Distribution Service 3.0
20-10-2014 17:14:34 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-14 12:00 - 2014-10-21 12:41 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2013-12-09 02:06 - 2010-07-04 21:32 - 00010752 _____ () C:\Program Files\Unlocker\UnlockerCOM.dll
2002-03-20 00:30 - 2002-03-20 00:30 - 00045632 _____ () C:\WINDOWS\system32\taskswitch.exe
2014-10-21 18:14 - 2014-10-21 18:14 - 00697884 _____ () C:\Documents and Settings\Owner\Local Settings\temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0000\~df394b.tmp
2014-10-21 18:14 - 2014-10-21 18:14 - 00592896 _____ () C:\Documents and Settings\Owner\Local Settings\temp\Sound_Blaster_X-Fi_MB_Cleanup.0001.dir.0000\~de6248.tmp
2014-10-19 17:30 - 2014-10-11 13:53 - 03649648 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1614895754-861567501-682003330-500 - Administrator - Disabled)
Guest (S-1-5-21-1614895754-861567501-682003330-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1614895754-861567501-682003330-1000 - Limited - Disabled)
Owner (S-1-5-21-1614895754-861567501-682003330-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Owner
SUPPORT_388945a0 (S-1-5-21-1614895754-861567501-682003330-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (10/21/2014 00:36:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 0.0.0.0, faulting module iexplore.exe, version 0.0.0.0, fault address 0x0008d1c0.
Processing media-specific event for [iexplore.exe!ws!]

Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


System errors:
=============
Error: (10/21/2014 02:04:13 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/21/2014 00:31:41 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/21/2014 10:24:02 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/21/2014 10:22:59 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.102 for the Network Card with network address 002522BD5B76 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (10/20/2014 06:00:01 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/20/2014 04:59:29 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/20/2014 04:00:43 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/20/2014 03:02:05 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.101 for the Network Card with network address 002522BD5B76 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (10/19/2014 08:25:47 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.

Error: (10/19/2014 05:38:52 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.


Microsoft Office Sessions:
=========================
Error: (10/21/2014 00:36:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe0.0.0.0iexplore.exe0.0.0.00008d1c0

Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/20/2014 04:09:51 PM) (Source: crypt32) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


==================== Memory info ===========================

Processor:  Intel® Pentium® CPU G620T @ 2.20GHz
Percentage of memory in use: 19%
Total physical RAM: 3050.61 MB
Available physical RAM: 2445.99 MB
Total Pagefile: 4941.25 MB
Available Pagefile: 4461.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.41 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:20 GB) (Free:9.23 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:0.98 GB) (Free:0.36 GB) FAT32
Drive e: (DATA) (Fixed) (Total:2 GB) (Free:0.75 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.9 GB) (Disk ID: 000804AB)
Partition 1: (Active) - (Size=20 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1.5 GB) - (Type=0C)
Partition 3: (Not Active) - (Size=2 GB) - (Type=0C)
Partition 4: (Not Active) - (Size=209.4 GB) - (Type=05)

==================== End Of Log ============================

---------------------------------------------------------------------------------------------------------------------------



#14 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:12:04 PM

Posted 21 October 2014 - 12:57 PM

Hello Sylvander,
 

***


Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt

 
start
HKLM\...\Run: [UpdReg] => ÿÿÿÿ$¬
HKLM\...\Run: [Zune Launcher] => U$¬
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]
EmptyTemp:
end


NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST / FRST64 again as we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 Sylvander

Sylvander
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:12:04 PM

Posted 21 October 2014 - 01:35 PM

1. Content of Fixlog.txt

-------------------------------------------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-10-2014
Ran by Owner at 2014-10-21 19:29:15 Run:1
Running from C:\00\Farbar,recovery,scan,tool
Loaded Profile: Owner (Available profiles: Owner)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKLM\...\Run: [UpdReg] => ÿÿÿÿ$¬
HKLM\...\Run: [Zune Launcher] => U$¬
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]
EmptyTemp:
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\UpdReg => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Zune Launcher => value deleted successfully.
catchme => Service deleted successfully.
EmptyTemp: => Removed 27.5 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

------------------------------------------------------------------------------------------------------------------------------------------------
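When reading a Fixlog like the one above, the check a helper wants is that every entry in the fixlist (Run values, the service, EmptyTemp:) shows a matching result line, and whether a reboot was needed. The script below is an added example, not part of this thread or of FRST itself; it parses a constructed sample modelled on the posted Fixlog and reports anything missing or not deleted successfully.

```python
"""Cross-check an FRST Fixlog.txt against the fixlist it ran (added example)."""
import re

# Constructed sample, modelled on the Fixlog posted in the thread above.
SAMPLE_FIXLOG = r"""Content of fixlist:
*****************
start
HKLM\...\Run: [UpdReg] => <garbage value>
HKLM\...\Run: [Zune Launcher] => <garbage value>
S3 catchme; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys [X]
EmptyTemp:
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\UpdReg => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Zune Launcher => value deleted successfully.
catchme => Service deleted successfully.
EmptyTemp: => Removed 27.5 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====
"""

RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\.\\Run: \[([^\]]+)\]")  # HKLM\...\Run: [Name]
SVC_ENTRY = re.compile(r"^[SRU]\d\s+([^;]+);")                     # S3 name; path


def split_fixlog(text):
    """Return (fixlist lines, result lines) from the two '*****' delimited blocks."""
    lines = text.splitlines()
    stars = [i for i, line in enumerate(lines) if line.startswith("*****")]
    if len(stars) < 2:
        raise ValueError("fixlist block not found in Fixlog")
    fixlist = [l for l in lines[stars[0] + 1:stars[1]] if l not in ("start", "end")]
    results = [l for l in lines[stars[1] + 1:] if " => " in l]
    return fixlist, results


def fixlist_targets(fixlist):
    """Names FRST was asked to act on: Run value names, service names, EmptyTemp."""
    targets = []
    for line in fixlist:
        m = RUN_ENTRY.match(line) or SVC_ENTRY.match(line)
        if m:
            targets.append(m.group(1))
        elif line.rstrip(":") == "EmptyTemp":
            targets.append("EmptyTemp")
    return targets


def result_map(results):
    """Map each acted-on name (last path component) to its reported status."""
    outcome = {}
    for line in results:
        subject, status = line.split(" => ", 1)
        outcome[subject.rsplit("\\", 1)[-1].rstrip(":")] = status.strip()
    return outcome


def check_fix(text):
    """Summarise the Fixlog: targets, entries with no result, entries not removed, reboot."""
    fixlist, results = split_fixlog(text)
    targets, done = fixlist_targets(fixlist), result_map(results)
    ok = lambda s: "successfully" in s or s.startswith("Removed")
    size = re.search(r"Removed ([\d.]+) MB temporary data", text)
    return {"targets": targets,
            "missing": [t for t in targets if t not in done],
            "failed": [t for t in targets if t in done and not ok(done[t])],
            "temp_mb": float(size.group(1)) if size else 0.0,
            "reboot": "needed a reboot" in text}
```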





