
Red Stripes Of Death won't move


  • This topic is locked
17 replies to this topic

#1 jimbotoo

jimbotoo

  • Banned
  • 297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 06 January 2015 - 10:51 AM

Mod Edit: Moved to forum for DDS Logs ~~ boopme


Hello Everybody 
 
My lifelong, undying faith in the good will of people has wrecked my computer again.
 
As posted before, YTD Downloader has gone from the realm of a once free and very safe program to the land of gangsters, with bugs so deep-seated in it that Malwarebytes just rips it out every time you clean.
 
Well, I finally got to what I thought was their home site, with tons of virus-free seals of approval, and I did one last dive into trying to get a clean version. This excursion into "When will you learn, jimbotoo" has left even Malwarebytes helpless to completely remove it, or something hidden in there with it.
 
When it yanked the program it left a whopping 2 GB of unremovable fragmented files on my machine. I have never defragged and seen so much red stripe left over, with the "some files could not be defragmented" warning.
 
Defrag report says:
 
Volume (C:)
    Volume size                                = 38.28 GB
    Cluster size                               = 4 KB
    Used space                                 = 30.12 GB
    Free space                                 = 8.16 GB
    Percent free space                         = 21 %

Volume fragmentation
    Total fragmentation                        = 4 %
    File fragmentation                         = 9 %
    Free space fragmentation                   = 0 %

File fragmentation
    Total files                                = 53,602
    Average file size                          = 846 KB
    Total fragmented files                     = 4
    Total excess fragments                     = 87
    Average fragments per file                 = 1.00

Pagefile fragmentation
    Pagefile size                              = 756 MB
    Total fragments                            = 2

Folder fragmentation
    Total folders                              = 5,996
    Fragmented folders                         = 1
    Excess folder fragments                    = 0

Master File Table (MFT) fragmentation
    Total MFT size                             = 72 MB
    MFT record count                           = 60,240
    Percent MFT in use                         = 82 %
    Total MFT fragments                        = 3

--------------------------------------------------------------------------------
Fragments       File Size       Files that cannot be defragmented
3               2.00 GB         \Documents and Settings\Home\My Documents\VIDEO JUKE BOX\MEDITAION FILMS\Zen Garden ♫✿.mp4

 
I have never seen a mark like this on a title ♫✿
 
 
 
Update
 
I have had this file "Zen Garden ♫✿.mp4" as an FLV codec for years; I had just converted it to mp4 with the new YTD Downloader converter so I could play it on my phone, as KitKat would not play an FLV. It played fine on the phone once converted. This very beautiful 40 min movie is very hi-def and always ate some real room up.
 
I ran RKILL, then Avast; nothing found.


Edited by boopme, 09 January 2015 - 11:20 AM.
Moved from XP to Am I Infected - Hamluis.




#2 jimbotoo

jimbotoo
  • Topic Starter

  • Banned
  • 297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 07 January 2015 - 12:48 PM

I ran Rkill and got this:

 

Rkill 2.6.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/07/2015 12:40:54 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

 * No issues found.

 

Then I ran Malwarebytes, Spybot and Avast. First, Malwarebytes found 10 PUPs and this: config.msi\134612/rdf

 

Dumped all.

 

Deleted the video and got this when defragged:

 

Volume (C:)
    Volume size                                = 38.28 GB
    Cluster size                               = 4 KB
    Used space                                 = 28.44 GB
    Free space                                 = 9.84 GB
    Percent free space                         = 25 %

Volume fragmentation
    Total fragmentation                        = 1 %
    File fragmentation                         = 2 %
    Free space fragmentation                   = 0 %

File fragmentation
    Total files                                = 53,987
    Average file size                          = 806 KB
    Total fragmented files                     = 2
    Total excess fragments                     = 65
    Average fragments per file                 = 1.00

Pagefile fragmentation
    Pagefile size                              = 756 MB
    Total fragments                            = 2

Folder fragmentation
    Total folders                              = 6,014
    Fragmented folders                         = 1
    Excess folder fragments                    = 0

Master File Table (MFT) fragmentation
    Total MFT size                             = 72 MB
    MFT record count                           = 60,674
    Percent MFT in use                         = 82 %
    Total MFT fragments                        = 3
 

 

Deleting the video gave me 5 percent more space and 2 GB, but it was always a huge space eater.

I used it to go to sleep.

Ha ha, don't think I ever heard more than 10 mins of it.

 

 

jimbotoo


Edited by jimbotoo, 07 January 2015 - 02:19 PM.


#3 jimbotoo

jimbotoo
  • Topic Starter

  • Banned
  • 297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 09 January 2015 - 03:05 AM

Sorry folks, I think I read the wrong instruction and did your request to post this backwards by doing the above first. My hat off to anybody who can read this stuff. Also, please note what I highlighted in red below: that site www.spywareinfo.com has gone virus. Why is it listed below? And thank you all so much.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.65.2
Run by Home at 2:33:35 on 2015-01-09
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.503.34 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\EscSvc.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uSearch Bar = hxxp://www.bing.com
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - LocalServer32 - <no file>
uURLSearchHooks: {472734EA-242A-422b-ADF8-83D1E48CC825} - <orphaned>
mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - LocalServer32 - <no file>
BHO: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - <orphaned>
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe Reader Synchronizer] "c:\program files\adobe\reader 11.0\reader\AdobeCollabSync.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: SoftwareSASGeneration = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - LocalServer32 - <no file>
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxps://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1405058190421
TCP: NameServer = 71.10.216.1 71.10.216.2
TCP: Interfaces\{AA783F59-911C-49DE-8D1B-E28A7A740664} : DHCPNameServer = 71.10.216.1 71.10.216.2
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1    www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\home\application data\mozilla\firefox\profiles\0wo8flob.default-1406930654421\
FF - prefs.js: browser.search.selectedEngine - Yahoo!
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=f84262ba9f788a06613d4f1143d2ef64
FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_246.dll
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? MBAMSwissArmy;MBAMSwissArmy
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? aswHwid;avast! HardwareID
S? aswMonFlt;aswMonFlt
S? aswRvrt;avast! Revert
S? aswSnx;aswSnx
S? aswSP;aswSP
S? aswVmm;avast! VM Monitor
S? avast! Antivirus;avast! Antivirus
S? EpsonScanSvc;Epson Scanner Service
.
=============== Created Last 30 ================
.
2015-01-07 02:14:04    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2014-12-27 07:28:56    --------    dc----w-    C:\AdwCleaner
2014-12-26 11:47:55    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2014-12-26 11:47:55    --------    d-----w-    c:\windows\system32\wbem\Repository
2014-12-26 11:44:25    --------    d-----w-    c:\program files\CheckPoint
2014-12-26 11:44:24    --------    d-----w-    c:\program files\DFX
.
==================== Find3M  ====================
.
2014-12-10 01:30:26    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-10 01:30:26    701104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-11-22 02:38:11    787800    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2014-11-21 14:37:17    206248    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-11-21 14:37:16    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-11-21 14:37:16    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-11-21 14:37:16    24184    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-11-21 14:37:15    43152    ----a-w-    c:\windows\avastSS.scr
.
============= FINISH:  2:36:18.14 ===============
 


Edited by jimbotoo, 09 January 2015 - 03:54 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,747 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:22 PM

Posted 10 January 2015 - 10:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Hosts: 127.0.0.1 www.spywareinfo.com

This entry is listed in your hosts file. It's protecting you from connecting to the Rogue site.

Note that Spywareinfo is now known as SpywareInfoForum and is clean.
===


Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.
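An added example (not code from the thread, from BleepingComputer, or from any of the tools it mentions) of the check nasdaq is describing: a small Python parser that reads Windows hosts file entries and separates loopback or null-route mappings, which block a name the way the spywareinfo line does, from mappings that send a name to an outside address, which is the pattern a hijacking entry would show. The file contents are constructed for the example; only the spywareinfo line mirrors the entry quoted in the post, and the other host names are placeholders.

```python
"""Classify entries in a Windows-style hosts file (added example).

A loopback mapping such as '127.0.0.1 www.spywareinfo.com' sinks connections to
that name on the local machine, so it is a blocking entry. A mapping of a name
to a routable address silently redirects the user, which is what a hijacking
entry looks like. The sample file below is constructed for this example.
"""
import ipaddress

# Constructed sample hosts file. Only the spywareinfo line mirrors the thread;
# the *.test names are placeholders, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.spywareinfo.com
0.0.0.0         ads.example.test      # null-routed ad host
203.0.113.45    www.example-bank.test # constructed: redirect to an outside address
  bad line without an address
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no name, or vice versa
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # first token is not an IP address
        for name in parts[1:]:                 # one address may map several names
            yield parts[0], name.lower()


def classify(ip):
    """'sink' for loopback or unspecified (0.0.0.0 / ::) targets, else 'redirect'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "sink"
    return "redirect"


def audit_hosts(text):
    """Return (entries, flagged): entries maps name -> (ip, kind); flagged lists
    every name whose mapping points at a routable address."""
    entries = {}
    flagged = []
    for ip, name in parse_hosts(text):
        kind = classify(ip)
        entries[name] = (ip, kind)
        if kind == "redirect":
            flagged.append(name)
    return entries, flagged


if __name__ == "__main__":
    found, suspicious = audit_hosts(SAMPLE_HOSTS)
    for host, (addr, kind) in found.items():
        print(f"{kind:8} {addr:15} {host}")
    print("redirect entries worth a look:", suspicious)
```

On a real XP machine the file lives at C:\WINDOWS\system32\drivers\etc\hosts (the path FRST's backup entries in the later log show), and the same classification applies: loopback and 0.0.0.0 lines are blocks, anything else deserves explanation.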

#5 jimbotoo

jimbotoo
  • Topic Starter

  • Banned
  • 297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:22 PM

Posted 10 January 2015 - 11:24 PM

Nasdaq, before you jump into this please hear me when I say: THANK YOU SO VERY MUCH FOR HELPING THE WHOLE PLANET

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-01-2015
Ran by Home (administrator) on dan burton on 10-01-2015 23:08:46
Running from C:\Documents and Settings\Home\My Documents\Downloads\FABAR
Loaded Profile: Home (Available profiles: Home)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Seiko Epson Corporation) C:\WINDOWS\system32\escsvc.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\snmp.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-09] (AVAST Software)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\MountPoints2: {073c611d-6140-11e4-8d98-000cf1f13d58} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\MountPoints2: {6c7c1a90-6bb6-11e4-8dad-000cf1f13d58} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL TL-Bootstrap.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
URLSearchHook: HKLM - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} -  No File
URLSearchHook: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} -  No File
URLSearchHook: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} -  No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "www.google.com" <======= ATTENTION
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 -> {668BA716-2A68-46A4-ACE7-94D644F4B780} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: No Name -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} ->  No File
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKLM - No Name - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} -  No File
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} https://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1405058190421
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\0wo8flob.default-1406930654421
FF SelectedSearchEngine: Yahoo!
FF Homepage: https://startpage.com/do/mypage.pl?prf=f84262ba9f788a06613d4f1143d2ef64
FF Keyword.URL: https://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.69 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.69 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Extension: Ghostery - C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\0wo8flob.default-1406930654421\Extensions\firefox@ghostery.com.xpi [2014-09-17]
FF Extension: NoScript - C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\0wo8flob.default-1406930654421\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-12-06]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-04-04]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-08-03]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-21] (AVAST Software)
R2 EpsonScanSvc; C:\WINDOWS\system32\EscSvc.exe [122000 2011-12-11] (Seiko Epson Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-07-26] (Oracle Corporation)
S3 COMSysApp; C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
S3 SwPrv; C:\WINDOWS\system32\dllhost.exe /Processid:{94D4BB84-077F-47B0-9223-E8F54F5A2C47}
S3 WMPNetworkSvc; "C:\Program Files\Windows Media Player\WMPNetwk.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2003-03-31] (Microsoft Corporation)
R3 ALCXSENS; C:\WINDOWS\System32\drivers\ALCXSENS.SYS [391424 2003-12-12] (Sensaura Ltd)
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [601100 2004-01-10] (Realtek Semiconductor Corp.)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-11-21] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2014-11-21] (AVAST Software)
R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55240 2014-11-21] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-11-21] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787800 2014-11-21] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [423784 2014-11-21] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57928 2014-11-21] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [206248 2014-11-21] ()
S3 mxnic; C:\WINDOWS\System32\DRIVERS\mxnic.sys [19968 2001-08-17] (Macronix International Co., Ltd.                                               )
S1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation)
S3 SunkFilt; C:\WINDOWS\System32\Drivers\sunkfilt.sys [40564 2004-03-22] (Alcor Micro Corp.) [File not signed]
S3 SunkFilt39; C:\WINDOWS\System32\Drivers\sunkfilt39.sys [42936 2004-03-22] (Alcor Micro Corp.) [File not signed]
R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [122110 2004-01-30] (Intel Corporation)
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [99002 2004-01-30] (Intel Corporation)
S3 HSFHWBS2; System32\DRIVERS\HSFHWBS2.sys [X]
S3 HSF_DP; System32\DRIVERS\HSF_DP.sys [X]
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S2 mdmxsdk; System32\DRIVERS\mdmxsdk.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 Sunkfiltp; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys [X]
S3 wanatw; System32\DRIVERS\wanatw4.sys [X]
S3 winachsf; System32\DRIVERS\HSF_CNXT.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-10 23:07 - 2015-01-10 23:09 - 00000000 ___DC () C:\FRST
2015-01-09 12:04 - 2015-01-10 12:18 - 00009519 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-09 12:04 - 2015-01-10 12:17 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-01-09 12:04 - 2015-01-10 12:16 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-01-09 12:04 - 2015-01-09 12:04 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2015-01-09 02:36 - 2015-01-09 02:36 - 00016974 _____ () C:\Documents and Settings\Home\Desktop\attach.txt
2015-01-09 02:36 - 2015-01-09 02:36 - 00006600 _____ () C:\Documents and Settings\Home\Desktop\dds.txt
2015-01-07 00:40 - 2015-01-07 00:42 - 00004456 _____ () C:\Documents and Settings\Home\Desktop\Rkill.txt
2015-01-06 22:45 - 2014-12-26 17:45 - 00450747 ____R () C:\WINDOWS\system32\Drivers\etc\hosts.20150106-224520.backup
2015-01-06 21:14 - 2015-01-06 21:18 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
2015-01-06 21:14 - 2015-01-06 21:14 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
2015-01-06 00:41 - 2015-01-06 00:41 - 00026657 _____ () C:\Documents and Settings\Home\My Documents\artist yahoo.odt
2014-12-27 02:28 - 2015-01-05 13:46 - 00000000 ___DC () C:\AdwCleaner
2014-12-26 17:45 - 2014-09-18 16:03 - 00000855 _____ () C:\WINDOWS\system32\Drivers\etc\hosts.20141226-174531.backup
2014-12-26 06:59 - 2014-12-26 06:59 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AVAST Software
2014-12-26 06:51 - 2014-11-21 09:37 - 00291352 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2014-12-26 06:44 - 2014-12-26 06:44 - 00000000 ____D () C:\Program Files\DFX
2014-12-26 06:44 - 2014-12-26 06:44 - 00000000 ____D () C:\Program Files\CheckPoint
2014-12-21 14:39 - 2014-12-24 01:55 - 00000000 ____D () C:\Documents and Settings\Home\My Documents\James sant

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-10 23:09 - 2011-12-17 21:39 - 00000000 ____D () C:\Documents and Settings\Home\Local Settings\Temp
2015-01-10 22:50 - 2014-09-16 19:50 - 00000412 _____ () C:\WINDOWS\Tasks\At1.job
2015-01-10 22:30 - 2014-05-29 02:59 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-10 19:37 - 2012-02-15 00:22 - 00000000 ____D () C:\Documents and Settings\Home\Application Data\vlc
2015-01-10 18:58 - 2012-08-03 20:10 - 00000364 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-01-10 18:00 - 2013-01-18 22:13 - 00000454 _____ () C:\WINDOWS\Tasks\PC Utility Kit Registration3.job
2015-01-10 12:17 - 2014-05-29 03:34 - 00000272 _____ () C:\WINDOWS\Tasks\JetCleanLoginCheckUpdate.job
2015-01-10 12:17 - 2014-03-06 14:41 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-01-10 12:16 - 2014-03-25 01:13 - 00000272 _____ () C:\WINDOWS\Tasks\JetBoost_AutoUpdate.job
2015-01-10 12:16 - 2004-05-01 12:54 - 00000006 ___HC () C:\WINDOWS\Tasks\SA.DAT
2015-01-10 05:36 - 2014-05-03 09:21 - 00032620 _____ () C:\WINDOWS\Tasks\SCHEDLGU.TXT
2015-01-10 05:36 - 2011-12-17 21:39 - 00000278 ___SH () C:\Documents and Settings\Home\ntuser.ini
2015-01-08 15:00 - 2014-03-06 14:41 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-01-08 02:58 - 2012-08-11 13:41 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2015-01-07 05:07 - 2004-05-01 12:43 - 00000000 ____D () C:\WINDOWS\repair
2015-01-06 01:29 - 2012-02-29 00:17 - 00034304 ____C () C:\Documents and Settings\Home\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-06 00:46 - 2012-10-23 01:12 - 00547324 __SHC () C:\Documents and Settings\Home\My Documents\Thumbs.db
2015-01-05 04:22 - 2012-12-11 12:12 - 00000000 ____D () C:\Documents and Settings\Home\My Documents\M Y  P I C T U R E S
2014-12-26 18:51 - 2004-05-04 00:24 - 00000000 ____D () C:\WINDOWS\system32\ReinstallBackups
2014-12-26 15:21 - 2004-05-01 12:43 - 00000000 ____D () C:\WINDOWS\Help
2014-12-26 15:16 - 2011-12-17 21:39 - 00000000 ____D () C:\Documents and Settings\Home
2014-12-26 06:48 - 2004-05-01 19:58 - 00000000 __SHD () C:\Documents and Settings\NetworkService
2014-12-26 06:48 - 2004-05-01 19:58 - 00000000 __SHD () C:\Documents and Settings\LocalService
2014-12-26 06:47 - 2004-05-01 19:51 - 00000000 ____D () C:\WINDOWS\Registration
2014-12-25 00:18 - 2012-02-15 00:32 - 00000000 ____D () C:\Documents and Settings\Home\Application Data\dvdcss
2014-12-16 02:35 - 2012-06-27 15:58 - 00000000 ___RD () C:\Documents and Settings\Home\My Documents\VIDEO JUKE BOX
2014-12-13 20:05 - 2013-10-11 02:42 - 00000000 ___DC () C:\WINDOWS\$NtUninstallKB2862335$
2014-12-11 12:02 - 2013-08-13 01:53 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-12-11 11:52 - 2012-04-04 10:59 - 109818608 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe

Files to move or delete:
====================
C:\Windows\Tasks\At1.job


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 



#6 jimbotoo (Topic Starter)

Posted 10 January 2015 - 11:28 PM

ADDITION

This Groovo thing was part of an infection on another machine; see in red below.

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-01-2015
Ran by Home at 2015-01-10 23:11:28
Running from C:\Documents and Settings\Home\My Documents\Downloads\FABAR
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
AOL Toolbar (HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\AOL Toolbar) (Version:  - )
Avast Free Antivirus (HKLM\...\avast) (Version: 10.0.2208 - AVAST Software)
BatchPurifier (HKLM\...\{88628D8A-A347-4C08-B7C3-96226CF33711}) (Version: 5.20.0000 - Digital Confidence)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Document Metadata Cleaner 3 (HKLM\...\Document Metadata Cleaner 3) (Version: 3 - Pointstone Software, LLC)
EPSON Copy Utility (HKLM\...\{B69CC1A5-0404-11D6-ABCB-005004C21D30}) (Version:  - )
EPSON EIC CX5400 (HKLM\...\Setup Wizard EPIC) (Version:  - )
EPSON Photo Print (HKLM\...\{22901BB7-2C57-409E-AF2F-56FFFEA41116}) (Version:  - )
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON Smart Panel (HKLM\...\{6C11D561-620B-47DA-A693-4C597F3CDF40}) (Version:  - )
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
Intel® PRO Network Adapters and Drivers (HKLM\...\PROSet) (Version:  - )
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
Java 7 Update 65 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217065FF}) (Version: 7.0.650 - Oracle)
JetClean (HKLM\...\BlueSprig_JetClean_is1) (Version: 1.5.0 - BlueSprig)
K-Lite Mega Codec Pack 5.1.0 (HKLM\...\KLiteCodecPack_is1) (Version: 5.1.0 - )
LibreOffice 4.2.5.2 (HKLM\...\{8D8F47B2-0E03-4C50-9803-A01120878F96}) (Version: 4.2.5.2 - The Document Foundation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Works 7.0 (HKLM\...\{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}) (Version: 07.02.0620 - Microsoft Corporation)
Mozilla Firefox 34.0 (x86 en-US) (HKLM\...\Mozilla Firefox 34.0 (x86 en-US)) (Version: 34.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Power DVDRemoval Tool (1) (HKLM\...\Power DVDRemoval Tool (1)_is1) (Version: build_1.0.0.146_rev__date_ - Security Stronghold)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version:  - )
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
SoftV92 Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1) (Version:  - )
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
VC 9.0 Runtime (Version: 1.0.0 - Check Point Software Technologies Ltd) Hidden
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
Windows Backup Utility (HKLM\...\{76EFFC7C-17A6-479D-9E47-8E658C1695AE}) (Version: 5.1 - Microsoft Corporation)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (HKLM\...\KB952011) (Version: 1.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

05-01-2015 03:45:32 System Checkpoint
06-01-2015 16:32:11 System Checkpoint
07-01-2015 17:15:57 System Checkpoint
08-01-2015 17:45:15 System Checkpoint
09-01-2015 19:34:03 System Checkpoint
10-01-2015 20:48:24 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2011-12-17 21:24 - 2015-01-06 22:45 - 00450747 ___RA C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\Home\APPLIC~1\GROOVO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\JetBoost_AutoUpdate.job => C:\Program Files\BlueSprig\JetBoost\AutoUpdate.exe
Task: C:\WINDOWS\Tasks\JetCleanLoginCheckUpdate.job => C:\Program Files\BlueSprig\JetClean\AutoUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\PC Utility Kit Registration3.job => C:\Program Files\Common Files\PC Utility Kit\UUS3\UUS3.dll <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2015-01-10 12:19 - 2015-01-10 12:19 - 02909696 _____ () C:\Program Files\AVAST Software\Avast\defs\15011002\algo.dll
2013-11-20 10:30 - 2014-11-21 09:37 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: SpybotSD TeaTimer =>

========================= Accounts: ==========================

Administrator (S-1-5-21-1781195661-1664296332-2074299522-500 - Administrator - Enabled)
ASPNET (S-1-5-21-1781195661-1664296332-2074299522-1380 - Limited - Enabled)
Guest (S-1-5-21-1781195661-1664296332-2074299522-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1781195661-1664296332-2074299522-1005 - Limited - Disabled)
Home (S-1-5-21-1781195661-1664296332-2074299522-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Home
SUPPORT_388945a0 (S-1-5-21-1781195661-1664296332-2074299522-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: PCI SoftV92 Data Fax Modem with SmartCP
Description: PCI SoftV92 Data Fax Modem with SmartCP
Class Guid: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Manufacturer: CXT
Service: Modem
Problem: : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Resolution: Reasons for this error include a driver that is not present; a binary file that is corrupt; a file I/O problem, or a driver that references an entry point in another binary file that could not be loaded.
Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/06/2015 00:46:55 AM) (Source: Application Error) (EventID: 1001) (User: )
Description: Fault bucket 672907187.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (01/06/2015 00:45:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 34.0.0.5442, faulting module mozalloc.dll, version 34.0.0.5442, fault address 0x00001425.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (12/16/2014 04:32:46 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 34.0.0.5442, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/03/2014 02:39:43 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application soffice.bin, version 4.2.5.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/02/2014 07:11:58 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: Fault bucket 324449306.

Error: (12/02/2014 07:11:36 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application soffice.bin, version 4.2.5.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/30/2014 07:08:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/27/2014 01:08:22 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 33.1.0.5423, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/20/2014 04:01:47 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application AcroRd32.exe, version 11.0.8.4, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (11/17/2014 07:14:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module gdiplus.dll, version 5.2.6002.23084, fault address 0x000b6b29.
Processing media-specific event for [explorer.exe!ws!]


System errors:
=============
Error: (01/10/2015 10:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 09:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 08:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 07:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 06:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 05:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 04:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 03:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 02:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/10/2015 01:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403


Microsoft Office Sessions:
=========================
Error: (01/06/2015 00:46:55 AM) (Source: Application Error) (EventID: 1001) (User: )
Description: 672907187

Error: (01/06/2015 00:45:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe34.0.0.5442mozalloc.dll34.0.0.544200001425

Error: (12/16/2014 04:32:46 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe34.0.0.5442hungapp0.0.0.000000000

Error: (12/03/2014 02:39:43 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: soffice.bin4.2.5.2hungapp0.0.0.000000000

Error: (12/02/2014 07:11:58 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: 324449306

Error: (12/02/2014 07:11:36 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: soffice.bin4.2.5.2hungapp0.0.0.000000000

Error: (11/30/2014 07:08:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: explorer.exe6.0.2900.5512hungapp0.0.0.000000000

Error: (11/27/2014 01:08:22 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe33.1.0.5423hungapp0.0.0.000000000

Error: (11/20/2014 04:01:47 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: AcroRd32.exe11.0.8.4hungapp0.0.0.000000000

Error: (11/17/2014 07:14:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.0.2900.5512gdiplus.dll5.2.6002.23084000b6b29


==================== Memory info ===========================

Processor:  Intel® Celeron® CPU 2.53GHz
Percentage of memory in use: 57%
Total physical RAM: 502.8 MB
Available physical RAM: 211.83 MB
Total Pagefile: 1227.61 MB
Available Pagefile: 927.26 MB
Total Virtual: 2047.88 MB
Available Virtual: 1929.67 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:38.28 GB) (Free:9.29 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 38.3 GB) (Disk ID: 3972CD75)
Partition 1: (Active) - (Size=38.3 GB) - (Type=07 NTFS)

==================== End Of Log ============================

PS  Do you know how to get the "PowerDVD" frags removed? This is my 2nd computer I have seen that on. What is this "porn" .com stuff above, parental blockers? This machine is a recent yard-sale rehab; it had family pictures on it when I got it.

jimbotoo


Edited by jimbotoo, 11 January 2015 - 07:12 AM.
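The Hosts section in the log above is a long run of names mapped to 127.0.0.1. That shape is what a hosts-based blocklist produces (Spybot - Search & Destroy, which is installed on this machine, writes one with its Immunize feature): lookups for those names go to loopback and the requests go nowhere, which is the intended effect. The hosts-file abuse worth looking for in a log like this is the opposite pattern: a name pointed at a real address (browser or update traffic silently redirected), or a security vendor's domain pinned to loopback (updates blocked). The following is an added example in Python, not code from FRST or from this thread; the vendor-domain list is an illustrative assumption, and the sample mixes lines copied from the log above with constructed hijack lines that are marked as such:

```python
"""Triage a Windows hosts file the way you would read the Hosts section of
an FRST Addition.txt: entries pinned to loopback are a blocklist, entries
pointed at a real address are redirects, and loopback entries for a
security vendor's domain are update-blocking. Added example, not FRST code.
"""
import ipaddress
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative subset (assumption, not an authoritative list): domains an
# ad/malware blocklist has no business pinning to loopback.
PROTECTED_SUFFIXES = (
    "avast.com", "malwarebytes.org", "malwarebytes.com",
    "microsoft.com", "windowsupdate.com", "safer-networking.org",
)

# Constructed sample: the first six lines are copied from the posted log,
# the lines after the marker are made up to exercise the hijack branches.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    123fporn.info
# --- constructed lines below; NOT from the posted log ---
127.0.0.1    update.avast.com
198.51.100.7 www.google.com
not-an-ip    example.com
"""


@dataclass
class HostsReport:
    blocklist: list = field(default_factory=list)       # names pinned to loopback
    redirects: list = field(default_factory=list)       # (line, name, ip) to a real host
    blocked_vendor: list = field(default_factory=list)  # (line, name) vendor pinned to loopback
    malformed: list = field(default_factory=list)       # (line, raw) unparseable


def _protected(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def triage_hosts(text: str) -> HostsReport:
    rep = HostsReport()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            rep.malformed.append((lineno, raw))
            continue
        for name in parts[1:]:                # one address may carry several names
            if name.lower() == "localhost":
                continue
            if ip in LOOPBACK:
                if _protected(name):
                    rep.blocked_vendor.append((lineno, name))
                else:
                    rep.blocklist.append(name)
            else:
                rep.redirects.append((lineno, name, ip))
    return rep


if __name__ == "__main__":
    r = triage_hosts(SAMPLE_HOSTS)
    print("blocklist entries:", len(r.blocklist))
    for item in r.redirects:
        print("REDIRECT   line %d: %s -> %s" % item)
    for item in r.blocked_vendor:
        print("AV-BLOCKED line %d: %s" % item)
    for item in r.malformed:
        print("MALFORMED  line %d: %r" % item)
```

Run against the real file (C:\WINDOWS\system32\Drivers\etc\hosts on XP), a blocklist shows up as thousands of names in `blocklist` and nothing in `redirects` or `blocked_vendor`; anything in those two lists is what a fixlist `Hosts:` reset is for.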


#7 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 11 January 2015 - 10:53 AM

This is the removal program to completely remove the Power DVD program.
Power DVDRemoval Tool (1) (HKLM\...\Power DVDRemoval Tool (1)_is1) (Version: build_1.0.0.146_rev__date_ - Security Stronghold)
Using the Add/Remove program you can uninstall it.
It may be that this entry is just some remnant item in the Add/Remove list and you will not be able to remove it.
It's possibly dead. Leave it if that's the case.
===


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKLM - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} -  No File
URLSearchHook: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} -  No File
URLSearchHook: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} -  No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "www.google.com" <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: No Name -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} ->  No File
Toolbar: HKLM - No Name - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} -  No File
FF Homepage: https://startpage.com/do/mypage.pl?prf=f84262ba9f788a06613d4f1143d2ef64
S3 WMPNetworkSvc; "C:\Program Files\Windows Media Player\WMPNetwk.exe" [X]
S3 HSFHWBS2; System32\DRIVERS\HSFHWBS2.sys [X]
S3 HSF_DP; System32\DRIVERS\HSF_DP.sys [X]
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S2 mdmxsdk; System32\DRIVERS\mdmxsdk.sys [X]
S3 Sunkfiltp; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys [X]
S3 wanatw; System32\DRIVERS\wanatw4.sys [X]
S3 winachsf; System32\DRIVERS\HSF_CNXT.sys [X]
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\Home\APPLIC~1\GROOVO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\Windows\Tasks\At1.job
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\PC Utility Kit Registration3.job => C:\Program Files\Common Files\PC Utility Kit\UUS3\UUS3.dll <==== ATTENTION
C:\Program Files\Common Files\PC Utility Kit
C:\DOCUME~1\Home\APPLIC~1\GROOVO~1
End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
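The two tasks the fixlist above removes are the ones FRST marked ATTENTION: At1.job runs an "updater" out of the Home profile's Application Data through 8.3 short names (DOCUME~1, APPLIC~1, GROOVO~1), and the PC Utility Kit job points at a .dll rather than an executable. The hourly Schedule errors (EventID 7901) for At1.job in the System log carry the code %%2147942403, which is the HRESULT 0x80070003, i.e. Win32 error 3, ERROR_PATH_NOT_FOUND: the target the job points at no longer exists, so the job fires every hour and fails. The following is an added example in Python, not FRST's own logic or anything posted in the thread; the path heuristics and the error-name table are my assumptions, while the Task: lines in the sample are copied from the Addition.txt above:

```python
"""Pick out the suspicious entries in the "Scheduled Tasks" section of an
FRST log and decode the %%NNNN code that the XP Task Scheduler writes to
the System event log (Source: Schedule, EventID 7901) when a job's command
cannot be started. Added example; the heuristics are mine, not FRST's.
"""
import re
from typing import NamedTuple

# Task: <job file> => <target> [<==== ATTENTION]
TASK_RE = re.compile(
    r"^Task:\s+(?P<job>.+?\.job)\s+=>\s+(?P<target>.+?)(?:\s+<====.*)?$")

# Profile and temp locations (long and 8.3 forms) that a vendor's updater
# would not normally be scheduled from. Assumption: illustrative, not complete.
USER_WRITABLE = (
    "\\documents and settings\\", "\\docume~1\\", "\\users\\",
    "\\application data\\", "\\applic~1\\", "\\local settings\\",
    "\\appdata\\", "\\temp\\",
)
SHORT_NAME = re.compile(r"~\d+(\\|\.|$)")   # an 8.3 component such as GROOVO~1

# Win32 codes that explain a 7901 event; subset, extend as needed.
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
               5: "ERROR_ACCESS_DENIED"}

# Task: lines copied from the Addition.txt posted above.
SAMPLE_TASKS = r"""
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\Home\APPLIC~1\GROOVO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\JetBoost_AutoUpdate.job => C:\Program Files\BlueSprig\JetBoost\AutoUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\PC Utility Kit Registration3.job => C:\Program Files\Common Files\PC Utility Kit\UUS3\UUS3.dll <==== ATTENTION
"""


class Finding(NamedTuple):
    job: str
    target: str
    reasons: tuple


def triage_tasks(log: str) -> list:
    """Return a Finding for every Task: line that trips at least one heuristic."""
    findings = []
    for line in log.splitlines():
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        job, target = m["job"], m["target"].strip()
        low = target.lower()
        reasons = []
        if any(p in low for p in USER_WRITABLE):
            reasons.append("target lives in a user-writable profile path")
        if SHORT_NAME.search(target):
            reasons.append("8.3 short names hide the real folder and file names")
        if not low.endswith(".exe"):
            reasons.append("target is a .%s, not an executable" % low.rsplit(".", 1)[-1])
        if reasons:
            findings.append(Finding(job, target, tuple(reasons)))
    return findings


def decode_schedule_error(token: str) -> dict:
    """'%%2147942403' -> HRESULT 0x80070003 -> FACILITY_WIN32 code 3."""
    hresult = int(token.lstrip("%")) & 0xFFFFFFFF
    facility = (hresult >> 16) & 0x1FFF
    win32 = hresult & 0xFFFF if facility == 7 else None   # 7 == FACILITY_WIN32
    return {"hresult": "0x%08X" % hresult, "win32": win32,
            "name": WIN32_NAMES.get(win32, "unknown")}


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS):
        print(f.job, "=>", f.target)
        for r in f.reasons:
            print("   -", r)
    print(decode_schedule_error("%%2147942403"))
```

The decoder is the useful half after a cleanup: a 7901 with ERROR_PATH_NOT_FOUND means the scanner deleted the payload but left the .job behind, which is exactly why the fixlist lists both the Task: line and the At1.job file.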

#8 jimbotoo (Topic Starter)

Posted 11 January 2015 - 06:11 PM

Thank you nasdaq

The computer is running like a champion. More than a few smart folks have said PowerDVD is a mirage, empty, and it does not matter; 2 techs could not remove it.

What intuitively scares me is "1\Home\APPLIC~1\GROOVO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION".

That thing went in with a big infection on my computer.

I woke with a very high fever today, flu I think; it's best I put this down for a day or two before doing more, or I might screw things up. Thanks again, watch your PM box, I will be back soon, and of course thank you so much.


jimbotoo


Edited by jimbotoo, 11 January 2015 - 06:18 PM.


#9 nasdaq (Malware Response Team)

Posted 12 January 2015 - 07:57 AM

The topic will be opened. Reply here.

#10 jimbotoo (Topic Starter)

Posted 14 January 2015 - 04:09 AM

The topic will be opened. Reply here.

Hi

jimbotoo gave me a note to write you, but it's better to just say he should be leaving hospital tomorrow, and sends his thanks for your patience.

care giver



#11 nasdaq (Malware Response Team)

Posted 20 January 2015 - 08:49 AM

Will leave this topic open until he returns in good health.

#12 jimbotoo (Topic Starter)

Posted 29 January 2015 - 06:46 PM

Hello nasdaq

Going Start => All Programs => Accessories => Notepad, I found no Notepad. I ran a search and found a pad I could open and paste into, but it would not save to the FRST file. In desperation I pasted it into the search box on the FRST program and hit Scan, and it scanned and left the following list as "FRST text document".

PLEASE KNOW I RESPECT YOUR HELP GREATLY, AND SORRY if I did anything backward; I am still dizzy.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
Ran by Home (administrator)  on 29-01-2015 17:59:50
Running from C:\Documents and Settings\Home\My Documents\Downloads\FRST FILE
Loaded Profiles: Home (Available profiles: Home)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Seiko Epson Corporation) C:\WINDOWS\system32\escsvc.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Microsoft Corporation) C:\WINDOWS\system32\snmp.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-23] (AVAST Software)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\MountPoints2: {073c611d-6140-11e4-8d98-000cf1f13d58} - E:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\MountPoints2: {6c7c1a90-6bb6-11e4-8dad-000cf1f13d58} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL TL-Bootstrap.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bing.com
HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
URLSearchHook: HKLM - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} -  No File
URLSearchHook: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 - AOL Toolbar Search Class - {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} -  No File
URLSearchHook: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} -  No File
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "www.google.com" <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 -> {668BA716-2A68-46A4-ACE7-94D644F4B780} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1781195661-1664296332-2074299522-1006 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
BHO: No Name -> {3ef64538-8b54-4573-b48f-4d34b0238ab2} ->  No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKLM - No Name - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} -  No File
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} https://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1405058190421
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\0wo8flob.default-1406930654421
FF SelectedSearchEngine: Yahoo!
FF Homepage: https://startpage.com/do/mypage.pl?prf=f84262ba9f788a06613d4f1143d2ef64
FF Keyword.URL: https://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.12.69 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.69 -> C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF Extension: Ghostery - C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\0wo8flob.default-1406930654421\Extensions\firefox@ghostery.com.xpi [2014-09-17]
FF Extension: NoScript - C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\0wo8flob.default-1406930654421\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-12-06]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-04-04]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-08-03]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-21] (AVAST Software)
R2 EpsonScanSvc; C:\WINDOWS\system32\EscSvc.exe [122000 2011-12-11] (Seiko Epson Corporation)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-07-26] (Oracle Corporation)
S3 WMPNetworkSvc; "C:\Program Files\Windows Media Player\WMPNetwk.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 abp480n5; C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS [23552 2003-03-31] (Microsoft Corporation)
R3 ALCXSENS; C:\WINDOWS\System32\drivers\ALCXSENS.SYS [391424 2003-12-12] (Sensaura Ltd)
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [601100 2004-01-10] (Realtek Semiconductor Corp.)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-11-21] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2014-11-21] (AVAST Software)
R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55240 2014-11-21] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-11-21] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787800 2014-11-21] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [423784 2014-11-21] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57928 2014-11-21] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [206248 2014-11-21] ()
S3 mxnic; C:\WINDOWS\System32\DRIVERS\mxnic.sys [19968 2001-08-17] (Macronix International Co., Ltd.                                               )
S1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42752 2008-04-13] (Microsoft Corporation)
S3 SunkFilt; C:\WINDOWS\System32\Drivers\sunkfilt.sys [40564 2004-03-22] (Alcor Micro Corp.) [File not signed]
S3 SunkFilt39; C:\WINDOWS\System32\Drivers\sunkfilt39.sys [42936 2004-03-22] (Alcor Micro Corp.) [File not signed]
R3 {6080A529-897E-4629-A488-ABA0C29B635E}; C:\WINDOWS\System32\drivers\ialmsbw.sys [122110 2004-01-30] (Intel Corporation)
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91}; C:\WINDOWS\System32\drivers\ialmkchw.sys [99002 2004-01-30] (Intel Corporation)
S3 HSFHWBS2; System32\DRIVERS\HSFHWBS2.sys [X]
S3 HSF_DP; System32\DRIVERS\HSF_DP.sys [X]
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S2 mdmxsdk; System32\DRIVERS\mdmxsdk.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 Sunkfiltp; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys [X]
S3 wanatw; System32\DRIVERS\wanatw4.sys [X]
S3 winachsf; System32\DRIVERS\HSF_CNXT.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-28 03:49 - 2015-01-28 03:49 - 00000060 _____ () C:\WINDOWS\setupact.log
2015-01-28 03:49 - 2015-01-28 03:49 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-01-26 18:50 - 2015-01-26 18:51 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-24 07:40 - 2015-01-29 14:38 - 00041788 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-24 07:40 - 2015-01-29 14:36 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-01-24 07:40 - 2015-01-29 14:36 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-01-24 07:40 - 2015-01-24 07:40 - 00000000 _____ () C:\WINDOWS\Sti_Trace.log
2015-01-22 22:09 - 2015-01-22 22:11 - 00000000 ____D () C:\Documents and Settings\Home\My Documents\New Folder
2015-01-16 04:14 - 2015-01-17 03:43 - 00043201 _____ () C:\Documents and Settings\Home\My Documents\church st.odt
2015-01-10 23:07 - 2015-01-29 18:00 - 00000000 ___DC () C:\FRST
2015-01-09 02:36 - 2015-01-09 02:36 - 00016974 _____ () C:\Documents and Settings\Home\Desktop\attach.txt
2015-01-06 22:45 - 2014-12-26 17:45 - 00450747 ____R () C:\WINDOWS\system32\Drivers\etc\hosts.20150106-224520.backup
2015-01-06 21:14 - 2015-01-25 00:33 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
2015-01-06 00:41 - 2015-01-06 00:41 - 00026657 _____ () C:\Documents and Settings\Home\My Documents\artist yahoo.odt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 18:01 - 2011-12-17 21:39 - 00000000 ____D () C:\Documents and Settings\Home\Local Settings\Temp
2015-01-29 18:00 - 2013-01-18 22:13 - 00000454 _____ () C:\WINDOWS\Tasks\PC Utility Kit Registration3.job
2015-01-29 17:50 - 2014-09-16 19:50 - 00000412 _____ () C:\WINDOWS\Tasks\At1.job
2015-01-29 17:30 - 2014-05-29 02:59 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-29 14:47 - 2012-08-03 20:10 - 00000364 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-01-29 14:36 - 2014-05-29 03:34 - 00000272 _____ () C:\WINDOWS\Tasks\JetCleanLoginCheckUpdate.job
2015-01-29 14:36 - 2014-03-25 01:13 - 00000272 _____ () C:\WINDOWS\Tasks\JetBoost_AutoUpdate.job
2015-01-29 14:36 - 2014-03-06 14:41 - 00000220 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-01-29 14:36 - 2004-05-01 12:54 - 00000006 ___HC () C:\WINDOWS\Tasks\SA.DAT
2015-01-29 12:00 - 2014-05-03 09:21 - 00032444 _____ () C:\WINDOWS\Tasks\SCHEDLGU.TXT
2015-01-29 12:00 - 2011-12-17 21:39 - 00000278 ___SH () C:\Documents and Settings\Home\ntuser.ini
2015-01-28 17:24 - 2014-09-30 02:46 - 00000000 ____D () C:\Documents and Settings\Home\My Documents\1 PERPETUAL DOC  CERTS  PERPETUAL DOC  CERTS
2015-01-27 10:32 - 2012-05-07 12:18 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-26 03:49 - 2012-02-15 00:22 - 00000000 ____D () C:\Documents and Settings\Home\Application Data\vlc
2015-01-25 00:33 - 2012-08-11 13:41 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2015-01-24 15:30 - 2014-05-29 02:59 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-24 15:30 - 2014-05-29 02:59 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-20 20:57 - 2014-11-28 08:26 - 00000000 ___RD () C:\Documents and Settings\Home\My Documents\ART  UPRIGHT
2015-01-17 03:47 - 2012-10-23 01:12 - 00550954 __SHC () C:\Documents and Settings\Home\My Documents\Thumbs.db
2015-01-08 15:00 - 2014-03-06 14:41 - 00000214 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2015-01-07 05:07 - 2004-05-01 12:43 - 00000000 ____D () C:\WINDOWS\repair
2015-01-06 01:29 - 2012-02-29 00:17 - 00034304 ____C () C:\Documents and Settings\Home\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-05 13:46 - 2014-12-27 02:28 - 00000000 ___DC () C:\AdwCleaner
2015-01-05 04:22 - 2012-12-11 12:12 - 00000000 ____D () C:\Documents and Settings\Home\My Documents\M Y  P I C T U R E S

==================== Files in the root of some directories =======

2012-12-01 20:04 - 2012-12-01 20:04 - 0000288 ____C () C:\Documents and Settings\Home\Application Data\.backup.dm
2012-02-29 00:17 - 2015-01-06 01:29 - 0034304 ____C () C:\Documents and Settings\Home\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Files to move or delete:
====================
C:\Windows\Tasks\At1.job


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

Then hit fix,

and it left (damn, I hope I listed these in the right order) BUT DID NOT LEAVE A FILE CALLED

Fixlog.txt

 

Ran by Home at 2015-01-29 18:02:13
Running from C:\Documents and Settings\Home\My Documents\Downloads\FRST FILE
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Disabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.296 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
AOL Toolbar (HKU\S-1-5-21-1781195661-1664296332-2074299522-1006\...\AOL Toolbar) (Version:  - )
Avast Free Antivirus (HKLM\...\avast) (Version: 10.0.2208 - AVAST Software)
BatchPurifier (HKLM\...\{88628D8A-A347-4C08-B7C3-96226CF33711}) (Version: 5.20.0000 - Digital Confidence)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Document Metadata Cleaner 3 (HKLM\...\Document Metadata Cleaner 3) (Version: 3 - Pointstone Software, LLC)
EPSON Copy Utility (HKLM\...\{B69CC1A5-0404-11D6-ABCB-005004C21D30}) (Version:  - )
EPSON EIC CX5400 (HKLM\...\Setup Wizard EPIC) (Version:  - )
EPSON Photo Print (HKLM\...\{22901BB7-2C57-409E-AF2F-56FFFEA41116}) (Version:  - )
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON Smart Panel (HKLM\...\{6C11D561-620B-47DA-A693-4C597F3CDF40}) (Version:  - )
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
Intel® PRO Network Adapters and Drivers (HKLM\...\PROSet) (Version:  - )
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
Java 7 Update 65 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217065FF}) (Version: 7.0.650 - Oracle)
JetClean (HKLM\...\BlueSprig_JetClean_is1) (Version: 1.5.0 - BlueSprig)
K-Lite Mega Codec Pack 5.1.0 (HKLM\...\KLiteCodecPack_is1) (Version: 5.1.0 - )
LibreOffice 4.2.5.2 (HKLM\...\{8D8F47B2-0E03-4C50-9803-A01120878F96}) (Version: 4.2.5.2 - The Document Foundation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Works 7.0 (HKLM\...\{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}) (Version: 07.02.0620 - Microsoft Corporation)
Mozilla Firefox 35.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 35.0.1 (x86 en-US)) (Version: 35.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 6 Service Pack 2 (KB973686) (HKLM\...\{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}) (Version: 6.20.2003.0 - Microsoft Corporation)
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Power DVDRemoval Tool (1) (HKLM\...\Power DVDRemoval Tool (1)_is1) (Version: build_1.0.0.146_rev__date_ - Security Stronghold)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version:  - )
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
SoftV92 Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1) (Version:  - )
VC 9.0 Runtime (Version: 1.0.0 - Check Point Software Technologies Ltd) Hidden
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
Windows Backup Utility (HKLM\...\{76EFFC7C-17A6-479D-9E47-8E658C1695AE}) (Version: 5.1 - Microsoft Corporation)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (HKLM\...\KB952011) (Version: 1.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows PowerShell™ 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

09-01-2015 19:34:03 System Checkpoint
10-01-2015 20:48:24 System Checkpoint
11-01-2015 22:16:42 System Checkpoint
13-01-2015 00:26:33 System Checkpoint
14-01-2015 05:22:39 System Checkpoint
15-01-2015 14:57:23 System Checkpoint
16-01-2015 19:06:12 System Checkpoint
17-01-2015 19:59:35 System Checkpoint
18-01-2015 23:51:25 System Checkpoint
20-01-2015 01:53:03 System Checkpoint
21-01-2015 02:54:23 System Checkpoint
22-01-2015 03:00:51 System Checkpoint
23-01-2015 10:38:26 System Checkpoint
24-01-2015 15:25:29 System Checkpoint
25-01-2015 15:46:02 System Checkpoint
26-01-2015 16:41:41 System Checkpoint
27-01-2015 17:13:22 System Checkpoint
28-01-2015 17:47:41 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2011-12-17 21:24 - 2015-01-06 22:45 - 00450747 ___RA C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    100888290cs.com
127.0.0.1    www.100888290cs.com
127.0.0.1    www.100sexlinks.com
127.0.0.1    100sexlinks.com
127.0.0.1    10sek.com
127.0.0.1    www.10sek.com
127.0.0.1    www.1-2005-search.com
127.0.0.1    1-2005-search.com
127.0.0.1    123fporn.info
127.0.0.1    www.123fporn.info
127.0.0.1    123haustiereundmehr.com
127.0.0.1    www.123haustiereundmehr.com

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\At1.job => C:\DOCUME~1\Home\APPLIC~1\GROOVO~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\JetBoost_AutoUpdate.job => C:\Program Files\BlueSprig\JetBoost\AutoUpdate.exe
Task: C:\WINDOWS\Tasks\JetCleanLoginCheckUpdate.job => C:\Program Files\BlueSprig\JetClean\AutoUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\PC Utility Kit Registration3.job => C:\Program Files\Common Files\PC Utility Kit\UUS3\UUS3.dll <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2015-01-29 14:44 - 2015-01-29 14:44 - 02913280 _____ () C:\Program Files\AVAST Software\Avast\defs\15012901\algo.dll
2013-11-20 10:30 - 2014-11-21 09:37 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2015-01-26 18:50 - 2015-01-26 18:51 - 03925104 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: SpybotSD TeaTimer =>

========================= Accounts: ==========================

Administrator (S-1-5-21-1781195661-1664296332-2074299522-500 - Administrator - Enabled)
ASPNET (S-1-5-21-1781195661-1664296332-2074299522-1380 - Limited - Enabled)
Guest (S-1-5-21-1781195661-1664296332-2074299522-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1781195661-1664296332-2074299522-1005 - Limited - Disabled)
Home (S-1-5-21-1781195661-1664296332-2074299522-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Home
SUPPORT_388945a0 (S-1-5-21-1781195661-1664296332-2074299522-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: PCI SoftV92 Data Fax Modem with SmartCP
Description: PCI SoftV92 Data Fax Modem with SmartCP
Class Guid: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Manufacturer: CXT
Service: Modem
Problem: : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)
Resolution: Reasons for this error include a driver that is not present; a binary file that is corrupt; a file I/O problem, or a driver that references an entry point in another binary file that could not be loaded.
Uninstall the driver, and then click "Scan for hardware changes" to reinstall or upgrade the driver.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/20/2015 05:16:32 AM) (Source: Application Error) (EventID: 1001) (User: )
Description: Fault bucket 777711796.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (01/20/2015 05:16:28 AM) (Source: Application Hang) (EventID: 1001) (User: )
Description: Fault bucket 777995374.

Error: (01/20/2015 04:55:22 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 35.0.0.5486, faulting module mozalloc.dll, version 35.0.0.5486, fault address 0x00001425.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (01/20/2015 04:54:51 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 35.0.0.5486, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/20/2015 04:31:10 AM) (Source: Application Hang) (EventID: 1001) (User: )
Description: Fault bucket 324449306.

Error: (01/20/2015 04:31:08 AM) (Source: Application Hang) (EventID: 1001) (User: )
Description: Fault bucket 324449306.

Error: (01/20/2015 04:29:05 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application soffice.bin, version 4.2.5.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/20/2015 04:29:04 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application soffice.bin, version 4.2.5.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/06/2015 00:46:55 AM) (Source: Application Error) (EventID: 1001) (User: )
Description: Fault bucket 672907187.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (01/06/2015 00:45:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application plugin-container.exe, version 34.0.0.5442, faulting module mozalloc.dll, version 34.0.0.5442, fault address 0x00001425.
Processing media-specific event for [plugin-container.exe!ws!]


System errors:
=============
Error: (01/29/2015 05:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 04:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 03:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 02:50:00 PM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 11:50:00 AM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 10:50:00 AM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 03:50:00 AM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 02:50:00 AM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 01:50:00 AM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403

Error: (01/29/2015 00:50:01 AM) (Source: Schedule) (EventID: 7901) (User: )
Description: The At1.job command failed to start due to the following error:
%%2147942403


Microsoft Office Sessions:
=========================
Error: (01/20/2015 05:16:32 AM) (Source: Application Error) (EventID: 1001) (User: )
Description: 777711796

Error: (01/20/2015 05:16:28 AM) (Source: Application Hang) (EventID: 1001) (User: )
Description: 777995374

Error: (01/20/2015 04:55:22 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe35.0.0.5486mozalloc.dll35.0.0.548600001425

Error: (01/20/2015 04:54:51 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: firefox.exe35.0.0.5486hungapp0.0.0.000000000

Error: (01/20/2015 04:31:10 AM) (Source: Application Hang) (EventID: 1001) (User: )
Description: 324449306

Error: (01/20/2015 04:31:08 AM) (Source: Application Hang) (EventID: 1001) (User: )
Description: 324449306

Error: (01/20/2015 04:29:05 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: soffice.bin4.2.5.2hungapp0.0.0.000000000

Error: (01/20/2015 04:29:04 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: soffice.bin4.2.5.2hungapp0.0.0.000000000

Error: (01/06/2015 00:46:55 AM) (Source: Application Error) (EventID: 1001) (User: )
Description: 672907187

Error: (01/06/2015 00:45:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe34.0.0.5442mozalloc.dll34.0.0.544200001425


==================== Memory info ===========================

Processor:  Intel® Celeron® CPU 2.53GHz
Percentage of memory in use: 74%
Total physical RAM: 502.8 MB
Available physical RAM: 126.19 MB
Total Pagefile: 1227.61 MB
Available Pagefile: 773.27 MB
Total Virtual: 2047.88 MB
Available Virtual: 1935.04 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:38.28 GB) (Free:7.26 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 38.3 GB) (Disk ID: 3972CD75)
Partition 1: (Active) - (Size=38.3 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Edited by jimbotoo, 29 January 2015 - 07:12 PM.


#13 jimbotoo
  • Topic Starter
  • Banned
  • 297 posts
  • Gender:Male

Posted 29 January 2015 - 07:07 PM

SECURITY CHECK RESULTS COPY AND PASTE

 

 Results of screen317's Security Check version 0.99.95  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Avast Free Antivirus    
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Document Metadata Cleaner 3  
 Java 7 Update 65  
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31  
 Adobe Flash Player     16.0.0.296  
 Adobe Reader XI  
 Mozilla Firefox (35.0.1)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 2%
````````````````````End of Log``````````````````````



#14 jimbotoo
  • Topic Starter
  • Banned
  • 297 posts
  • Gender:Male

Posted 29 January 2015 - 07:38 PM

I did a disk clean and defrag after the above and had 10.29 GB free space.

As per others' advice here, I have turned off updates from Microsoft and disabled JavaScript.

Spybot S&D TeaTimer showed up in the above, but I uninstalled it many days ago.

I deleted the modem program a long time ago.

If you have recommendations for any changes in these settings, feel very free to inform me.

Thanks nasdaq, truly.

jimbotoo


Edited by jimbotoo, 29 January 2015 - 07:55 PM.


#15 nasdaq
  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 January 2015 - 09:12 AM

Looking good.



