Infected Persistent Rootkit {429CAD59-35B1-4DBC-BB6D-1DB246563521} Slow¦Crashes


25 replies to this topic

#1 TaraTara
  • Members
  • 13 posts
  • Gender:Female
  • Location:Cambridge, UK

Posted 21 February 2015 - 04:41 PM

Machine running very slowly. Outlook failing to open quite often. Firefox very slow to open. Explorer crashing regularly, particularly with Nikon RAW photo files and more recently jpg files. After running an avast detailed scan 2 days ago the machine failed to start up & I had to press the startup button many times before it finally started. Yesterday, I did a scan with Spybot and had the same problem starting up today. Both scans were unsuccessful in removing the infection. Sometimes when opening Adobe Photoshop, it would start opening then go to a white screen before reloading.

 

I now set out below the contents of the FRST.txt log file:-

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-02-2015
Ran by Suzette (administrator) on SG-HP on 21-02-2015 20:47:26
Running from C:\Documents and Settings\Suzette\Desktop
Loaded Profiles: Suzette (Available profiles: Suzette & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTSVCCDA.EXE
(SEIKO EPSON CORPORATION) C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Microsoft Corporation) C:\WINDOWS\system32\MsPMSPSv.exe
() C:\WINDOWS\system32\TaskSwitch.exe
(ScanSoft, Inc) C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\avastui.exe
(Renesas Electronics Corporation) C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTHELPER.EXE
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
() C:\Program Files\AutoHotkey\AutoHotkey.exe
(Microsoft Corporation) C:\WINDOWS\system32\ntvdm.exe
(funkytoad.com) C:\Program Files\Sundry (BG)\Homer\Homer.exe
(Andrey Gruber) C:\Program Files\Sundry (BG)\Utilities\PNotes\PNotes.exe
() C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [CoolSwitch] => C:\WINDOWS\system32\taskswitch.exe [45632 2002-03-19] ()
HKLM\...\Run: [Omnipage] => C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [49152 2002-06-03] (ScanSoft, Inc)
HKLM\...\Run: [NWEReboot] => [X]
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1037736 2007-08-31] (Microsoft Corporation)
HKLM\...\Run: [IntelliType] => C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [69632 2001-06-12] (Microsoft Corporation)
HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [Google Desktop Search] => C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-09] (Google)
HKLM\...\Run: [Nikon Message Center 2] => C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe [571392 2011-10-30] (Nikon Corporation)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Alwil Software\Avast5\AvastUI.exe [5227112 2015-01-25] (AVAST Software)
HKLM\...\Run: [RUSB3MON] => C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-20] (Renesas Electronics Corporation)
HKLM\...\Run: [WINDVDPatch] => C:\WINDOWS\system32\CTHELPER.EXE [24576 2002-07-02] (Creative Technology Ltd)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [DBAgent] => C:\Program Files\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1518664 2014-09-17] (Seagate Technology LLC)
HKLM\...\RunOnce: [WIAWizardMenu] => RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
HKLM\...\Policies\Explorer: []
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Run: [EPSON Stylus Photo R1800] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE [177664 2007-01-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x5F000000
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Policies\Explorer: []
HKU\S-1-5-18\...\Run: [Google Update] => C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [116648 2014-02-08] (Google Inc.)
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL => C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-08-09] (Google)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk.disabled
ShortcutTarget: Adobe Gamma Loader.lnk.disabled -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoHotkey.lnk
ShortcutTarget: AutoHotkey.lnk -> C:\Program Files\Sundry (BG)\Utilities\b-AutoHotkey Master.ahk ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Barclock.lnk
ShortcutTarget: Barclock.lnk -> C:\Program Files\Sundry (BG)\Utilities\Barclock\BARCLOCK.EXE ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Homer 1.4.lnk
ShortcutTarget: Homer 1.4.lnk -> C:\Program Files\Sundry (BG)\Homer\Homer.exe (funkytoad.com)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk.disabled
ShortcutTarget: NCProTray.lnk.disabled -> C:\Program Files\SEC\Natural Color Pro\NCProTray.exe (Samsung)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick Shelf.lnk.disabled
ShortcutTarget: Quick Shelf.lnk.disabled -> C:\WINDOWS\Installer\{04400801-5D65-445A-B3B4-3DCE72BA0C6C}\ENCICONS.EXE ()
Startup: C:\Documents and Settings\Suzette\Start Menu\Programs\Startup\PNotes.lnk
ShortcutTarget: PNotes.lnk -> C:\Program Files\Sundry (BG)\Utilities\PNotes\PNotes.exe (Andrey Gruber)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Alwil Software\Avast5\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
BHO: EpsonToolBandKicker Class -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
BHO: No Name -> {FFCB3198-32F3-4E8B-9539-4324694ED663} ->  No File
Toolbar: HKLM - EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1337934760600
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253813261581
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL ()
Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\msero.dll ()
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL ()
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-07-19] (SuperAdBlocker.com)
Winsock: Catalog5 01 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default
FF DefaultSearchEngine: Wikipedia (en)
FF DefaultSearchUrl: hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF SelectedSearchEngine: Wikipedia (en)
FF Homepage: https://www.google.co.uk/
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1210150.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nokia.com/EnablerPlugin -> C:\Program Files\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( )
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\.DEFAULT: @tools.google.com/Google Update;version=3 -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\.DEFAULT: @tools.google.com/Google Update;version=9 -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\ask.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\bbcnews.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\expediadotcom.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\flickr-tags.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\foodtv.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\googlescholar.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\jeeves.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\lonelyplanet.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\MSN.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\webster.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\yanswers.xml
FF Extension: British English Dictionary - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\en-GB@dictionaries.addons.mozilla.org [2014-11-19]
FF Extension: ColorfulTabs - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} [2015-01-26]
FF Extension: FEBE - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3} [2015-01-20]
FF Extension: WOT - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-11-19]
FF Extension: DownloadHelper - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-11-19]
FF Extension: FoxClocks - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1} [2014-11-19]
FF Extension: SearchPreview - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6} [2015-01-26]
FF Extension: Bookmark Duplicate Cleaner - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\bookmarkdup@localghost.net.xpi [2014-11-19]
FF Extension: Classic Theme Restorer - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-11-19]
FF Extension: Personas Plus - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\personas@christopher.beard.xpi [2014-11-19]
FF Extension: Show Parent Folder - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\showParentFolder@alice.xpi [2014-11-19]
FF Extension: Auto-Sort Bookmarks - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\sortbookmarks@bouanto.xpi [2014-11-19]
FF Extension: All-in-One Sidebar - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi [2011-06-28]
FF Extension: URL Fixer - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi [2011-07-19]
FF Extension: Flagfox - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2014-11-19]
FF Extension: NoScript - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2011-04-30]
FF Extension: Pearl Crescent Page Saver Basic - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{c151d79e-e61b-4a90-a887-5a46d38fba99}.xpi [2011-05-23]
FF Extension: Adblock Plus - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-15]
FF Extension: Tab Mix Plus - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2012-02-03]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-24]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2011-03-01]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-10-20] (SUPERAntiSpyware.com) [File not signed]
S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2013-09-19] () [File not signed]
S3 Anpormt_; C:\WINDOWS\system32\drivers\hidir.sys [19200 2008-04-13] (Microsoft Corporation)
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [50344 2014-11-21] (AVAST Software)
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd) [File not signed]
R2 EPSON_PM_RPCV4_01; C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [113664 2007-01-11] (SEIKO EPSON CORPORATION) [File not signed]
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-09] (Google)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-17] (Oracle Corporation)
S3 Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [68096 2009-12-02] () [File not signed]
S3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe [65625 2003-12-09] () [File not signed]
S4 Seagate Dashboard Services; C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16000 2014-09-17] (Seagate Technology LLC)
S4 Seagate MobileBackup Service; C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe [157776 2014-09-17] (Seagate Technology LLC)
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe [65622 2003-12-09] (Sony Corporation) [File not signed]
R2 WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [53520 2000-06-26] (Microsoft Corporation) [File not signed]
S3 Aspdnxammn; No ImagePath
S3 Scarchowdrp; No ImagePath

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2279424 2004-10-01] (Realtek Semiconductor Corp.)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-11-21] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2014-11-21] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55240 2014-11-21] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-11-21] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787800 2014-11-23] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [423784 2014-11-21] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57928 2014-11-21] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [206248 2014-11-21] ()
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 ctljystk; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [3712 2001-08-17] (Creative Technology Ltd.)
S3 emu10k; C:\WINDOWS\System32\drivers\emu10k1m.sys [283904 2001-08-17] (Creative Technology Ltd.)
S3 emu10k1; C:\WINDOWS\System32\drivers\ctlfacem.sys [6912 2001-08-17] (Creative Technology Ltd.)
R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [998004 2002-07-24] (Creative Technology Ltd)
R3 LVPr2Mon; C:\WINDOWS\System32\Drivers\LVPr2Mon.sys [25752 2009-10-07] ()
S3 LVUSBSta; C:\WINDOWS\System32\drivers\LVUSBSta.sys [41752 2008-07-26] (Logitech Inc.)
R3 MarvinBus; C:\WINDOWS\System32\DRIVERS\MarvinBus.sys [78976 2004-06-21] (Pinnacle Systems GmbH)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R1 PCLEPCI; C:\WINDOWS\system32\drivers\pclepci.sys [14165 2002-03-19] (Pinnacle Systems GmbH) [File not signed]
R3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [21248 2003-09-19] (Padus, Inc.) [File not signed]
R2 PfModNT; C:\WINDOWS\system32\PfModNT.sys [6752 1999-12-17] (Creative Technology Ltd.) [File not signed]
S3 PID_PEPI; C:\WINDOWS\System32\DRIVERS\LV302V32.SYS [2570520 2008-07-26] (Logitech Inc.)
R3 rusb3hub; C:\WINDOWS\System32\DRIVERS\rusb3hub.sys [80256 2012-05-10] (Renesas Electronics Corporation)
R3 rusb3xhc; C:\WINDOWS\System32\DRIVERS\rusb3xhc.sys [171520 2012-05-10] (Renesas Electronics Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 sfman; C:\WINDOWS\System32\drivers\sfmanm.sys [36480 2001-08-17] (Creative Technology Ltd.)
S3 TBIMount; C:\WINDOWS\System32\drivers\tbimount.sys [411144 2013-02-26] (TeraByte, Inc.)
U3 Httplumrswpm; No ImagePath
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 radpms; system32\DRIVERS\radpms.sys [X]
S3 rtl8139; system32\DRIVERS\RTL8139.SYS [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-21 20:47 - 2015-02-21 20:48 - 00026809 _____ () C:\Documents and Settings\Suzette\Desktop\FRST.txt
2015-02-21 20:46 - 2015-02-21 20:48 - 00000000 ____D () C:\FRST
2015-02-21 20:41 - 2015-02-21 20:35 - 01126400 _____ (Farbar) C:\Documents and Settings\Suzette\Desktop\FRST.exe
2015-02-19 20:14 - 2015-02-21 20:48 - 00000000 ____D () C:\Documents and Settings\Suzette\Local Settings\Temp
2015-02-19 20:14 - 2015-02-21 08:03 - 00000000 ____D () C:\Documents and Settings\Suzette\Local Settings\Application Data\Temp
2015-02-19 20:14 - 2015-02-19 20:14 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\Temp
2015-02-19 08:13 - 2015-02-19 08:13 - 00000000 ____D () C:\Documents and Settings\Suzette\Application Data\CrystalIdea Software
2015-01-27 13:33 - 2015-01-27 13:34 - 00000000 ____D () C:\Program Files\Mozilla Firefox

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-21 20:44 - 2009-11-22 20:25 - 00001948 _____ () C:\WINDOWS\BARCLOCK.INI
2015-02-21 20:25 - 2009-09-25 15:05 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-21 20:08 - 2013-12-13 11:51 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-21 19:54 - 2014-02-08 13:49 - 00000998 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
2015-02-21 17:45 - 2009-12-13 14:34 - 00000000 ____D () C:\Documents and Settings\Suzette\My Documents\Excel
2015-02-21 17:29 - 2009-09-24 14:58 - 02091931 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-21 15:08 - 2009-09-24 15:09 - 00032448 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-21 13:54 - 2014-02-08 13:49 - 00000946 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
2015-02-21 13:25 - 2009-09-25 15:05 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-21 10:41 - 2012-07-05 10:00 - 00000366 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-02-21 07:54 - 2009-09-24 10:25 - 00000000 ____D () C:\WINDOWS\Help
2015-02-21 07:06 - 2014-09-18 16:51 - 03374845 _____ () C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000002-80641102}.BAK
2015-02-21 07:06 - 2014-09-18 16:50 - 03374845 _____ () C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000002-80641102}.CDF
2015-02-21 07:06 - 2009-11-22 20:26 - 00000008 _____ () C:\WINDOWS\BARCLOCK.ALM
2015-02-21 07:06 - 2006-02-28 12:00 - 00001374 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-21 07:05 - 2014-03-13 16:24 - 00000226 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-02-21 07:05 - 2009-09-24 15:09 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-21 07:05 - 2009-09-24 10:39 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-21 07:05 - 2009-09-24 10:39 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2015-02-20 19:19 - 2014-09-18 17:01 - 00000024 _____ () C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000B-00001102-00000002-80641102}.dat
2015-02-20 19:19 - 2014-09-18 17:01 - 00000024 _____ () C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000002-80641102}.dat
2015-02-20 19:19 - 2009-11-27 11:13 - 00001080 _____ () C:\WINDOWS\system32\settingsbkup.sfm
2015-02-20 19:19 - 2009-11-27 11:13 - 00001080 _____ () C:\WINDOWS\system32\settings.sfm
2015-02-20 19:18 - 2009-09-24 15:17 - 00000278 ___SH () C:\Documents and Settings\Suzette\ntuser.ini
2015-02-20 19:16 - 2009-09-24 15:17 - 00000000 ____D () C:\Documents and Settings\Suzette
2015-02-19 20:17 - 2009-09-24 10:34 - 00325658 _____ () C:\WINDOWS\setupact.log
2015-02-19 08:10 - 2011-08-10 10:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\NVIDIA
2015-02-19 08:10 - 2011-08-10 10:53 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2015-02-18 15:36 - 2009-09-24 10:34 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-02-17 14:39 - 2012-03-06 14:34 - 00000404 _____ () C:\WINDOWS\Tasks\Disk Cleanup.job
2015-02-11 19:14 - 2013-09-12 11:41 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-11 18:48 - 2009-09-24 23:01 - 113756392 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-11 18:47 - 2009-12-05 18:15 - 00000000 ____D () C:\Documents and Settings\Suzette\My Documents\WordPerfect·Word
2015-02-11 18:09 - 2011-01-25 16:28 - 00002483 _____ () C:\Documents and Settings\All Users\Desktop\Microsoft Word.lnk
2015-02-10 18:27 - 2009-09-25 18:16 - 00000000 ____D () C:\Documents and Settings\Suzette\Application Data\Adobe
2015-02-10 18:27 - 2009-09-25 15:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe
2015-01-27 19:16 - 2012-05-01 11:23 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-25 18:57 - 2012-05-18 14:06 - 00000020 ____H () C:\Documents and Settings\All Users\Application Data\PKP_DLet.DAT

==================== Files in the root of some directories =======

2009-12-15 16:09 - 2009-12-15 16:10 - 0038507 _____ () C:\Documents and Settings\Suzette\Application Data\Comma Separated Values (Windows).ADR
2012-05-18 14:06 - 2012-05-18 14:06 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Smooth Strings
2012-05-18 14:08 - 2012-05-18 14:08 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Solid Colors
2012-05-18 14:06 - 2012-05-18 14:06 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Sound Effects
2012-11-11 12:10 - 2013-11-13 19:24 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Spacious
2009-12-15 21:02 - 2012-06-24 09:55 - 0145920 _____ () C:\Documents and Settings\Suzette\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-11-23 16:48 - 2009-11-23 16:48 - 0000130 _____ () C:\Documents and Settings\Suzette\Local Settings\Application Data\fusioncache.dat

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\NEventMessages.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

I now attach the Addition.txt file below

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,627 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:07 PM

Posted 26 February 2015 - 04:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/567859 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 TaraTara

TaraTara
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Location:Cambridge, UK
  • Local time:10:07 PM

Posted 27 February 2015 - 05:52 AM

I still need help.  I INCORRECTLY CLICKED THE LINK YESTERDAY IN THE EMAIL TO ACTIVATE MY ACCOUNT WHEN I HAD ALREADY DONE SO.  This led to me being locked out of my account and presumably led to the above response from you and an automated email from you yesterday.  Having clicked on your email link you sent yesterday, I have now been able to get back into my account and set out below the information you've requested:-

I repeat the problem that I originally described above:-

I have not turned off the infected computer since my original post, so it has been running continuously for the last 6 days.  I was worried that I might not be able to start it up again for the reasons I originally explained.  I have done nothing on it as I was waiting for your reply, as my previous attempts at removal were unsuccessful (see below).  I now repeat what I said above as to what the problem is: "Machine running very slowly.  Outlook failing to open quite often.  Firefox very slow to open.  Explorer crashing regularly, particularly with Nikon RAW photo files and more recently jpg files.  After running avast detailed scan 2 days ago the machine failed to start up & had to press the startup button many times before it finally started.  Yesterday, I did a scan with Spybot and had the same problem starting up today.  Both scans were unsuccessful in removing the infection.  Sometimes when opening Adobe Photoshop, it would start opening then go to a white screen before reloading."

I have kept the infected computer disconnected from the Internet to prevent further problems and have used another computer to read your emails and do the posting to this topic.  So I ran FRST.exe on the infected computer while disconnected from the internet; I hope this was the correct thing to do?

Here are the contents of the 2nd FRST.txt file as you requested:-

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-02-2015 01
Ran by Suzette (administrator) on SG-HP on 27-02-2015 09:50:04
Running from C:\Documents and Settings\Suzette\Desktop
Loaded Profiles: Suzette (Available profiles: Suzette & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTSVCCDA.EXE
(SEIKO EPSON CORPORATION) C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Microsoft Corporation) C:\WINDOWS\system32\MsPMSPSv.exe
() C:\WINDOWS\system32\TaskSwitch.exe
(ScanSoft, Inc) C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(AVAST Software) C:\Program Files\Alwil Software\Avast5\avastui.exe
(Renesas Electronics Corporation) C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
(Creative Technology Ltd) C:\WINDOWS\system32\CTHELPER.EXE
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
() C:\Program Files\AutoHotkey\AutoHotkey.exe
(Microsoft Corporation) C:\WINDOWS\system32\ntvdm.exe
(funkytoad.com) C:\Program Files\Sundry (BG)\Homer\Homer.exe
(Andrey Gruber) C:\Program Files\Sundry (BG)\Utilities\PNotes\PNotes.exe
() C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [CoolSwitch] => C:\WINDOWS\system32\taskswitch.exe [45632 2002-03-19] ()
HKLM\...\Run: [Omnipage] => C:\Program Files\ScanSoft\OmniPageSE\opware32.exe [49152 2002-06-03] (ScanSoft, Inc)
HKLM\...\Run: [NWEReboot] => [X]
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft IntelliPoint\ipoint.exe [1037736 2007-08-31] (Microsoft Corporation)
HKLM\...\Run: [IntelliType] => C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [69632 2001-06-12] (Microsoft Corporation)
HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [Google Desktop Search] => C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-09] (Google)
HKLM\...\Run: [Nikon Message Center 2] => C:\Program Files\Nikon\Nikon Message Center 2\NkMC2.exe [571392 2011-10-30] (Nikon Corporation)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\Alwil Software\Avast5\AvastUI.exe [5227112 2015-01-25] (AVAST Software)
HKLM\...\Run: [RUSB3MON] => C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-20] (Renesas Electronics Corporation)
HKLM\...\Run: [WINDVDPatch] => C:\WINDOWS\system32\CTHELPER.EXE [24576 2002-07-02] (Creative Technology Ltd)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [DBAgent] => C:\Program Files\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1518664 2014-09-17] (Seagate Technology LLC)
HKLM\...\RunOnce: [WIAWizardMenu] => RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
HKLM\...\Policies\Explorer: []
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Run: [EPSON Stylus Photo R1800] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE [177664 2007-01-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Policies\Explorer: [NoDriveTypeAutoRun] 0x5F000000
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Policies\Explorer: []
HKU\S-1-5-18\...\Run: [Google Update] => C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [116648 2014-02-08] (Google Inc.)
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL => C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-08-09] (Google)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk.disabled
ShortcutTarget: Adobe Gamma Loader.lnk.disabled -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoHotkey.lnk
ShortcutTarget: AutoHotkey.lnk -> C:\Program Files\Sundry (BG)\Utilities\b-AutoHotkey Master.ahk ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Barclock.lnk
ShortcutTarget: Barclock.lnk -> C:\Program Files\Sundry (BG)\Utilities\Barclock\BARCLOCK.EXE ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Homer 1.4.lnk
ShortcutTarget: Homer 1.4.lnk -> C:\Program Files\Sundry (BG)\Homer\Homer.exe (funkytoad.com)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NCProTray.lnk.disabled
ShortcutTarget: NCProTray.lnk.disabled -> C:\Program Files\SEC\Natural Color Pro\NCProTray.exe (Samsung)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quick Shelf.lnk.disabled
ShortcutTarget: Quick Shelf.lnk.disabled -> C:\WINDOWS\Installer\{04400801-5D65-445A-B3B4-3DCE72BA0C6C}\ENCICONS.EXE ()
Startup: C:\Documents and Settings\Suzette\Start Menu\Programs\Startup\PNotes.lnk
ShortcutTarget: PNotes.lnk -> C:\Program Files\Sundry (BG)\Utilities\PNotes\PNotes.exe (Andrey Gruber)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\Alwil Software\Avast5\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
BHO: EpsonToolBandKicker Class -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
BHO: No Name -> {FFCB3198-32F3-4E8B-9539-4324694ED663} ->  No File
Toolbar: HKLM - EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1337934760600
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253813261581
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL ()
Handler: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\msero.dll ()
Handler: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\MSREF.DLL ()
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-07-19] (SuperAdBlocker.com)
Winsock: Catalog5 01 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default
FF DefaultSearchEngine: Wikipedia (en)
FF DefaultSearchUrl: hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF SelectedSearchEngine: Wikipedia (en)
FF Homepage: https://www.google.co.uk/
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1210150.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @nokia.com/EnablerPlugin -> C:\Program Files\Nokia\Nokia Suite\npNokiaSuiteEnabler.dll ( )
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\.DEFAULT: @tools.google.com/Google Update;version=3 -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\.DEFAULT: @tools.google.com/Google Update;version=9 -> C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\ask.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\bbcnews.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\expediadotcom.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\flickr-tags.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\foodtv.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\googlescholar.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\jeeves.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\lonelyplanet.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\MSN.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\webster.xml
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\yanswers.xml
FF Extension: British English Dictionary - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\en-GB@dictionaries.addons.mozilla.org [2014-11-19]
FF Extension: ColorfulTabs - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe} [2015-01-26]
FF Extension: FEBE - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3} [2015-01-20]
FF Extension: WOT - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-11-19]
FF Extension: DownloadHelper - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-11-19]
FF Extension: FoxClocks - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{d37dc5d0-431d-44e5-8c91-49419370caa1} [2014-11-19]
FF Extension: SearchPreview - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{EF522540-89F5-46b9-B6FE-1829E2B572C6} [2015-01-26]
FF Extension: Bookmark Duplicate Cleaner - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\bookmarkdup@localghost.net.xpi [2014-11-19]
FF Extension: Classic Theme Restorer - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-11-19]
FF Extension: Personas Plus - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\personas@christopher.beard.xpi [2014-11-19]
FF Extension: Show Parent Folder - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\showParentFolder@alice.xpi [2014-11-19]
FF Extension: Auto-Sort Bookmarks - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\sortbookmarks@bouanto.xpi [2014-11-19]
FF Extension: All-in-One Sidebar - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi [2011-06-28]
FF Extension: URL Fixer - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi [2011-07-19]
FF Extension: Flagfox - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}.xpi [2014-11-19]
FF Extension: NoScript - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2011-04-30]
FF Extension: Pearl Crescent Page Saver Basic - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{c151d79e-e61b-4a90-a887-5a46d38fba99}.xpi [2011-05-23]
FF Extension: Adblock Plus - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-08-15]
FF Extension: Tab Mix Plus - C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2012-02-03]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-24]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\Alwil Software\Avast5\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\Alwil Software\Avast5\WebRep\FF [2011-03-01]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-10-20] (SUPERAntiSpyware.com) [File not signed]
S3 Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [68096 2013-09-19] () [File not signed]
S3 Anpormt_; C:\WINDOWS\system32\drivers\hidir.sys [19200 2008-04-13] (Microsoft Corporation)
R2 avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [50344 2014-11-21] (AVAST Software)
R2 Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [44032 1999-12-13] (Creative Technology Ltd) [File not signed]
R2 EPSON_PM_RPCV4_01; C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE [113664 2007-01-11] (SEIKO EPSON CORPORATION) [File not signed]
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-09] (Google)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-17] (Oracle Corporation)
S3 Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [68096 2009-12-02] () [File not signed]
S3 PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe [65625 2003-12-09] () [File not signed]
S4 Seagate Dashboard Services; C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16000 2014-09-17] (Seagate Technology LLC)
S4 Seagate MobileBackup Service; C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe [157776 2014-09-17] (Seagate Technology LLC)
S3 SPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe [65622 2003-12-09] (Sony Corporation) [File not signed]
R2 WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [53520 2000-06-26] (Microsoft Corporation) [File not signed]
S3 Aspdnxammn; No ImagePath
S3 Scarchowdrp; No ImagePath

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [2279424 2004-10-01] (Realtek Semiconductor Corp.)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-11-21] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2014-11-21] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55240 2014-11-21] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-11-21] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787800 2014-11-23] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [423784 2014-11-21] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57928 2014-11-21] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [206248 2014-11-21] ()
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 ctljystk; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [3712 2001-08-17] (Creative Technology Ltd.)
S3 emu10k; C:\WINDOWS\System32\drivers\emu10k1m.sys [283904 2001-08-17] (Creative Technology Ltd.)
S3 emu10k1; C:\WINDOWS\System32\drivers\ctlfacem.sys [6912 2001-08-17] (Creative Technology Ltd.)
R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
R3 ha10kx2k; C:\WINDOWS\System32\drivers\ha10kx2k.sys [998004 2002-07-24] (Creative Technology Ltd)
R3 LVPr2Mon; C:\WINDOWS\System32\Drivers\LVPr2Mon.sys [25752 2009-10-07] ()
S3 LVUSBSta; C:\WINDOWS\System32\drivers\LVUSBSta.sys [41752 2008-07-26] (Logitech Inc.)
R3 MarvinBus; C:\WINDOWS\System32\DRIVERS\MarvinBus.sys [78976 2004-06-21] (Pinnacle Systems GmbH)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R1 PCLEPCI; C:\WINDOWS\system32\drivers\pclepci.sys [14165 2002-03-19] (Pinnacle Systems GmbH) [File not signed]
R3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [21248 2003-09-19] (Padus, Inc.) [File not signed]
R2 PfModNT; C:\WINDOWS\system32\PfModNT.sys [6752 1999-12-17] (Creative Technology Ltd.) [File not signed]
S3 PID_PEPI; C:\WINDOWS\System32\DRIVERS\LV302V32.SYS [2570520 2008-07-26] (Logitech Inc.)
R3 rusb3hub; C:\WINDOWS\System32\DRIVERS\rusb3hub.sys [80256 2012-05-10] (Renesas Electronics Corporation)
R3 rusb3xhc; C:\WINDOWS\System32\DRIVERS\rusb3xhc.sys [171520 2012-05-10] (Renesas Electronics Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 sfman; C:\WINDOWS\System32\drivers\sfmanm.sys [36480 2001-08-17] (Creative Technology Ltd.)
S3 TBIMount; C:\WINDOWS\System32\drivers\tbimount.sys [411144 2013-02-26] (TeraByte, Inc.)
U3 Httplumrswpm; No ImagePath
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 radpms; system32\DRIVERS\radpms.sys [X]
S3 rtl8139; system32\DRIVERS\RTL8139.SYS [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]
U1 WS2IFSL; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-27 09:50 - 2015-02-27 09:51 - 00026812 _____ () C:\Documents and Settings\Suzette\Desktop\FRST.txt
2015-02-27 09:49 - 2015-02-27 09:50 - 00000000 ____D () C:\FRST
2015-02-27 09:42 - 2015-02-27 09:27 - 01127424 _____ (Farbar) C:\Documents and Settings\Suzette\Desktop\FRST.exe
2015-02-27 09:39 - 2015-02-27 09:40 - 00000000 ____D () C:\Documents and Settings\Suzette\My Documents\_Infection Removal
2015-02-21 20:46 - 2015-02-21 20:51 - 00000000 ____D () C:\FRST Old First Run
2015-02-19 20:14 - 2015-02-27 09:51 - 00000000 ____D () C:\Documents and Settings\Suzette\Local Settings\Temp
2015-02-19 20:14 - 2015-02-21 08:03 - 00000000 ____D () C:\Documents and Settings\Suzette\Local Settings\Application Data\Temp
2015-02-19 20:14 - 2015-02-19 20:14 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\Temp
2015-02-19 08:13 - 2015-02-19 08:13 - 00000000 ____D () C:\Documents and Settings\Suzette\Application Data\CrystalIdea Software

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-27 09:45 - 2009-11-22 20:25 - 00001948 _____ () C:\WINDOWS\BARCLOCK.INI
2015-02-27 09:25 - 2009-09-25 15:05 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-27 09:08 - 2013-12-13 11:51 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-27 08:54 - 2014-02-08 13:49 - 00000998 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18UA.job
2015-02-27 03:08 - 2009-09-24 15:09 - 00032118 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-27 03:00 - 2009-09-24 14:58 - 02095946 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-26 22:41 - 2012-07-05 10:00 - 00000366 ____H () C:\WINDOWS\Tasks\avast! Emergency Update.job
2015-02-26 13:54 - 2014-02-08 13:49 - 00000946 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-18Core.job
2015-02-26 13:25 - 2009-09-25 15:05 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-24 14:39 - 2012-03-06 14:34 - 00000404 _____ () C:\WINDOWS\Tasks\Disk Cleanup.job
2015-02-21 17:45 - 2009-12-13 14:34 - 00000000 ____D () C:\Documents and Settings\Suzette\My Documents\Excel
2015-02-21 07:54 - 2009-09-24 10:25 - 00000000 ____D () C:\WINDOWS\Help
2015-02-21 07:06 - 2014-09-18 16:51 - 03374845 _____ () C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000002-80641102}.BAK
2015-02-21 07:06 - 2014-09-18 16:50 - 03374845 _____ () C:\WINDOWS\{00000002-00000000-0000000B-00001102-00000002-80641102}.CDF
2015-02-21 07:06 - 2009-11-22 20:26 - 00000008 _____ () C:\WINDOWS\BARCLOCK.ALM
2015-02-21 07:06 - 2006-02-28 12:00 - 00001374 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-21 07:05 - 2014-03-13 16:24 - 00000226 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2015-02-21 07:05 - 2009-09-24 15:09 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-21 07:05 - 2009-09-24 10:39 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-02-21 07:05 - 2009-09-24 10:39 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2015-02-20 19:19 - 2014-09-18 17:01 - 00000024 _____ () C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000B-00001102-00000002-80641102}.dat
2015-02-20 19:19 - 2014-09-18 17:01 - 00000024 _____ () C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000002-80641102}.dat
2015-02-20 19:19 - 2009-11-27 11:13 - 00001080 _____ () C:\WINDOWS\system32\settingsbkup.sfm
2015-02-20 19:19 - 2009-11-27 11:13 - 00001080 _____ () C:\WINDOWS\system32\settings.sfm
2015-02-20 19:18 - 2009-09-24 15:17 - 00000278 ___SH () C:\Documents and Settings\Suzette\ntuser.ini
2015-02-20 19:16 - 2009-09-24 15:17 - 00000000 ____D () C:\Documents and Settings\Suzette
2015-02-19 20:17 - 2009-09-24 10:34 - 00325658 _____ () C:\WINDOWS\setupact.log
2015-02-19 08:10 - 2011-08-10 10:56 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\NVIDIA
2015-02-19 08:10 - 2011-08-10 10:53 - 00000000 ____D () C:\Program Files\NVIDIA Corporation
2015-02-18 15:36 - 2009-09-24 10:34 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-02-11 19:14 - 2013-09-12 11:41 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-11 18:48 - 2009-09-24 23:01 - 113756392 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-11 18:47 - 2009-12-05 18:15 - 00000000 ____D () C:\Documents and Settings\Suzette\My Documents\WordPerfect·Word
2015-02-11 18:09 - 2011-01-25 16:28 - 00002483 _____ () C:\Documents and Settings\All Users\Desktop\Microsoft Word.lnk
2015-02-10 18:27 - 2009-09-25 18:16 - 00000000 ____D () C:\Documents and Settings\Suzette\Application Data\Adobe
2015-02-10 18:27 - 2009-09-25 15:09 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Adobe

==================== Files in the root of some directories =======

2009-12-15 16:09 - 2009-12-15 16:10 - 0038507 _____ () C:\Documents and Settings\Suzette\Application Data\Comma Separated Values (Windows).ADR
2012-05-18 14:06 - 2012-05-18 14:06 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Smooth Strings
2012-05-18 14:08 - 2012-05-18 14:08 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Solid Colors
2012-05-18 14:06 - 2012-05-18 14:06 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Sound Effects
2012-11-11 12:10 - 2013-11-13 19:24 - 0000268 ___RH () C:\Documents and Settings\Suzette\Application Data\Spacious
2009-12-15 21:02 - 2012-06-24 09:55 - 0145920 _____ () C:\Documents and Settings\Suzette\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-11-23 16:48 - 2009-11-23 16:48 - 0000130 _____ () C:\Documents and Settings\Suzette\Local Settings\Application Data\fusioncache.dat

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\NEventMessages.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================
As also requested, I now attach the 2nd Addition.txt file.  I also confirm that I have my original Windows CD/DVD available.

 

I much look forward to hearing from you as it has been some 6 days since my original request for help.  I do appreciate all your help and understand how busy you are BUT AM MUCH LOOKING FORWARD TO YOUR ASSISTANCE!

 

Thanking you in anticipation of resolving this problem! :smash:

 

Attached file: Addition.txt (37.1KB)



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 PM

Posted 27 February 2015 - 09:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 

ATTENTION: System Restore is disabled.


Follow the instructions on this page to enable System Restore before you start this fix.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/
====

Please disable TeaTimer before proceeding with the following fix.
http://www.computerhope.com/forum/index.php?topic=63105.0
When all is well you can re-enable it.
===


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\...\Run: [NWEReboot] => [X]
HKLM\...\Policies\Explorer: []
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Policies\Explorer: []
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
BHO: EpsonToolBandKicker Class -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
BHO: No Name -> {FFCB3198-32F3-4E8B-9539-4324694ED663} ->  No File
Toolbar: HKLM - EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\ask.xml
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]
S3 Aspdnxammn; No ImagePath
S3 Scarchowdrp; No ImagePath
U3 Httplumrswpm; No ImagePath
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 radpms; system32\DRIVERS\radpms.sys [X]
S3 rtl8139; system32\DRIVERS\RTL8139.SYS [X]
U1 WS2IFSL; No ImagePath

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===


Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
=======

How is the computer running now?
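The service and driver lines that nasdaq put into the fixlist above are exactly the ones the FRST log reports as "No ImagePath" or with a missing file ("[X]"): registry entries for services whose binary no longer exists. As an added example, not part of nasdaq's instructions and not Farbar/FRST code, the Python below applies that same rule to a log and renders the matching entries as a fixlist block. The sample lines are copied from the FRST log earlier in this thread; the function names and the dict layout are my own. "[File not signed]" entries are reported for review but not flagged, since the fix on this page leaves those alone.

```python
import re

# Shape of the FRST "Services (Whitelisted)" / "Drivers (Whitelisted)" lines:
#   R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-11-21] ()
#   S3 Aspdnxammn; No ImagePath
#   S4 InCDFs; system32\drivers\InCDFs.sys [X]
# First token is the start type (R = running, S = stopped, U = unloaded) plus
# the Start value digit; then the service name, a semicolon, then the image info.
SERVICE_RE = re.compile(r"^(?P<start>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")


def parse_service_line(line):
    """Parse one FRST service/driver line into a dict; return None for other lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest == "No ImagePath":
        reason = "no ImagePath"          # registry entry with no binary recorded
    elif rest.endswith("[X]"):
        reason = "image file missing"    # ImagePath set, but FRST found no file
    else:
        reason = None
    return {
        "start": m.group("start"),
        "name": m.group("name").strip(),
        "image": rest,
        "orphan": reason is not None,
        "reason": reason,
        # Reported for review only: old XP-era drivers are often unsigned, and
        # the fix on this page leaves those entries alone.
        "unsigned": "[File not signed]" in rest,
    }


def find_orphans(log_text):
    """Return the orphaned entries from a whole FRST log, in log order."""
    parsed = (parse_service_line(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry and entry["orphan"]]


def build_fixlist(orphans):
    """Render orphans as a fixlist block; FRST expects the original line text
    between 'start' and 'End' and removes each listed entry from the registry."""
    body = [f'{e["start"]} {e["name"]}; {e["image"]}' for e in orphans]
    return "\n".join(["start", ""] + body + ["", "End"])


# Constructed sample: a handful of lines copied from the FRST log in this thread.
SAMPLE_LOG = "\n".join([
    r"==================== Drivers (Whitelisted) ====================",
    r"R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-11-21] ()",
    r"S3 Aspdnxammn; No ImagePath",
    r"U3 Httplumrswpm; No ImagePath",
    r"S4 InCDFs; system32\drivers\InCDFs.sys [X]",
    r"U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2010-07-04] () [File not signed]",
    r"U1 WS2IFSL; No ImagePath",
    r"==================== End Of Log ============================",
])


if __name__ == "__main__":
    orphans = find_orphans(SAMPLE_LOG)
    for e in orphans:
        print(f'{e["name"]:<14} {e["reason"]}')
    print()
    print(build_fixlist(orphans))
```

Running it on the sample prints the four orphaned entries (Aspdnxammn, Httplumrswpm, InCDFs, WS2IFSL) and the fixlist block that would remove them; the generated block is a starting point for the person doing the fix to review, since an entry with no binary is harmless to remove but the browser and Run-key items in nasdaq's fixlist come from other sections of the log.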

#5 TaraTara

TaraTara
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Female
  • Location:Cambridge, UK
  • Local time:10:07 PM

Posted 27 February 2015 - 02:38 PM

Hello nasdaq,

 

I much appreciate your help on this problem - thank you.  As you requested, I carried out the following:-

 

1. I enabled System Restore on all drives, allowing it the full 12% of the drive.

 

2. I disabled TeaTimer and will leave it off until you instruct me to re-enable it.

 

3. I created fixlist.txt as instructed above and put it into the same folder as FRST, which I ran and clicked Fix only once and waited.  It almost immediately created the Fixlog.txt but then froze saying, "Fixing is in progress.  Please wait...".  I left it running for a long time.  Eventually, a message came up saying, "FRST.exe has encountered a problem and needs to close..."; I've attached a screenshot called "Farbar Screenshot.JPG", which shows what happened.

 

4. I then did a manual restart and did the following:-

    a. moved the Fixlog.txt file to another folder

    b. disabled all the Avast shields controls (until computer is restarted)

        i) I thought this might have caused the problem on the previous run.

    c. I then ran FRST, which I ran and clicked Fix only once and waited.

 

5. Almost instantaneously it asked for a restart, which I did by clicking its dialog box.  After the restart it opened Fixlog.txt and had put it on the Desktop.

 

6.  I now set out below each of the 2 Fixlog.txt files as you requested.  I will assume that it is OK to proceed with the other steps you suggested, despite this hiccup, unless I hear to the contrary.  I will post those results when done but thought it was important to give you this update at this stage.

 

7.  This is the content of the first Fixlog.txt file:-

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-02-2015 01
Ran by Suzette at 2015-02-27 16:31:49 Run:1
Running from C:\Documents and Settings\Suzette\Desktop
Loaded Profiles: Suzette (Available profiles: Suzette & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\...\Run: [NWEReboot] => [X]
HKLM\...\Policies\Explorer: []
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Policies\Explorer: []
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
BHO: EpsonToolBandKicker Class -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
BHO: No Name -> {FFCB3198-32F3-4E8B-9539-4324694ED663} ->  No File
Toolbar: HKLM - EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\ask.xml
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]
S3 Aspdnxammn; No ImagePath
S3 Scarchowdrp; No ImagePath
U3 Httplumrswpm; No ImagePath
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 radpms; system32\DRIVERS\radpms.sys [X]
S3 rtl8139; system32\DRIVERS\RTL8139.SYS [X]
U1 WS2IFSL; No ImagePath

End


*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value deleted successfully.
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value deleted successfully.
"HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
8.  This is the content of the second Fixlog.txt file:-

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-02-2015 01
Ran by Suzette at 2015-02-27 17:33:47 Run:2
Running from C:\Documents and Settings\Suzette\Desktop
Loaded Profiles: Suzette (Available profiles: Suzette & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

HKLM\...\Run: [NWEReboot] => [X]
HKLM\...\Policies\Explorer: []
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\...\Policies\Explorer: []
SearchScopes: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll No File
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll No File
BHO: EpsonToolBandKicker Class -> {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} -> C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
BHO: No Name -> {FFCB3198-32F3-4E8B-9539-4324694ED663} ->  No File
Toolbar: HKLM - EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1935655697-1284227242-1801674531-1003 -> EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll No File
FF SearchPlugin: C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\ask.xml
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]
S3 Aspdnxammn; No ImagePath
S3 Scarchowdrp; No ImagePath
U3 Httplumrswpm; No ImagePath
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 radpms; system32\DRIVERS\radpms.sys [X]
S3 rtl8139; system32\DRIVERS\RTL8139.SYS [X]
U1 WS2IFSL; No ImagePath

End


*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\NWEReboot => Value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => Value not found.
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => Value not found.
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key not found.
"HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}" => Key deleted successfully.
"HKCR\CLSID\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED663}" => Key deleted successfully.
HKCR\CLSID\{FFCB3198-32F3-4E8B-9539-4324694ED663} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} => value deleted successfully.
"HKCR\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" => Key deleted successfully.
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} => value deleted successfully.
HKCR\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D} => Key not found.
"HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0" => Key deleted successfully.
C:\Documents and Settings\Suzette\Application Data\Mozilla\Firefox\Profiles\yv0h34i6.default\searchplugins\ask.xml => Moved successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => Key deleted successfully.
Could not move "C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
Aspdnxammn => Service deleted successfully.
Scarchowdrp => Service deleted successfully.
Httplumrswpm => Service deleted successfully.
InCDFs => Service deleted successfully.
InCDPass => Service deleted successfully.
InCDRm => Service deleted successfully.
lmimirr => Service deleted successfully.
radpms => Service deleted successfully.
rtl8139 => Service deleted successfully.
WS2IFSL => Service deleted successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-02-27 17:35:20)<=

"C:\Program Files\Alwil Software\Avast5\WebRep\Chrome\aswWebRepChrome.crx" => File could not move.

==== End of Fixlog 17:35:21 ====

I look forward to hearing that the above gives you what you were expecting.  I will now carry on with the rest of the steps you asked of me.  Thank you.

 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:07 PM

Posted 27 February 2015 - 02:42 PM

Run the RogueKiller.

If still having issues with this computer let me know what.

#7 TaraTara

TaraTara
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Female
  • Location:Cambridge, UK
  • Local time:10:07 PM

Posted 27 February 2015 - 05:34 PM

I had already carried out the step of running AdwCleaner before I saw your above post.  I have also run RogueKiller but I did that after AdwCleaner.  Does that mean that I should re-run AdwCleaner?  As it is now 10:15pm here, I will leave testing everything till tomorrow when I will get back to you as to how the computer is running now.  In the meantime I set out below for your review, one after the other respectively, the logs for:-

 

1. AdwCleaner[R1].txt, which was produced when I did the Scan.  It is R1, rather than R0, because I accidentally closed it before I pressed the Clean button :mellow: when I was trying to check off the element(s) I wished to keep!

 

2. AdwCleaner[S0].txt, which was produced when I pressed the Clean button.

 

3. RKreport_SCN_02272015_211755.log, which was produced when I pressed the "Scan" button.

 

4. RKreport_DEL_02272015_212943.log, which was produced when I pressed the "delete" button.

AdwCleaner[R1].txt:-

 

# AdwCleaner v4.111 - Logfile created 27/02/2015 at 20:19:11
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Local]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Suzette - SG-HP
# Running from : C:\Documents and Settings\Suzette\Desktop\adwcleaner_4.111.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Documents and Settings\Suzette\Local Settings\Application Data\DriverToolkit
Folder Found : C:\Program Files\DriverToolkit

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\DriverToolkit
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\Interface\{6E4C89CF-3061-4EE4-B22A-B7A8AAEA5CB3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Found : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{D66BF89F-B0A2-48F5-A2E4-242EB645AB76}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D66BF89F-B0A2-48F5-A2E4-242EB645AB76}_is1

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[yv0h34i6.default] - Line Found : user_pref("extensions.customizegoogle.cookies.SafeSearch", "empty");
[yv0h34i6.default] - Line Found : user_pref("extensions.customizegoogle.cookies.enableSafeSearch", false);
[yv0h34i6.default] - Line Found : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
[yv0h34i6.default] - Line Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
[yv0h34i6.default] - Line Found : user_pref("surfcanyon.fractions", "0.0_0.0\r\n");
[yv0h34i6.default] - Line Found : user_pref("surfcanyon.last_checked_ts", "1266956244525");
*************************

AdwCleaner[R1].txt - [2226 bytes] - [27/02/2015 20:19:11]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [2285 bytes] ##########
AdwCleaner[S0].txt:-

 

# AdwCleaner v4.111 - Logfile created 27/02/2015 at 20:28:45
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Local]
# Operating system : Microsoft Windows XP Service Pack 3 (x86)
# Username : Suzette - SG-HP
# Running from : C:\Documents and Settings\Suzette\Desktop\adwcleaner_4.111.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\DriverToolkit
Folder Deleted : C:\Documents and Settings\Suzette\Local Settings\Application Data\DriverToolkit

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6E4C89CF-3061-4EE4-B22A-B7A8AAEA5CB3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\DriverToolkit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D66BF89F-B0A2-48F5-A2E4-242EB645AB76}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{D66BF89F-B0A2-48F5-A2E4-242EB645AB76}_is1
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[yv0h34i6.default\prefs.js] - Line Deleted : user_pref("extensions.customizegoogle.cookies.SafeSearch", "empty");
[yv0h34i6.default\prefs.js] - Line Deleted : user_pref("extensions.customizegoogle.cookies.enableSafeSearch", false);
[yv0h34i6.default\prefs.js] - Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
[yv0h34i6.default\prefs.js] - Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
[yv0h34i6.default\prefs.js] - Line Deleted : user_pref("surfcanyon.fractions", "0.0_0.0\r\n");
[yv0h34i6.default\prefs.js] - Line Deleted : user_pref("surfcanyon.last_checked_ts", "1266956244525");

*************************

AdwCleaner[R1].txt - [2364 bytes] - [27/02/2015 20:19:11]
AdwCleaner[S0].txt - [2377 bytes] - [27/02/2015 20:28:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2436  bytes] ##########

RKreport_SCN_02272015_211755.log:-

 

RogueKiller V10.4.3.0 [Feb 23 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Suzette [Administrator]
Mode : Scan -- Date : 02/27/2015  21:17:56

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] explorer.exe(1856) -- C:\Documents and Settings\Suzette\Application Data\Dropbox\bin\DropboxExt.24.dll[7] -> Unloaded
[Suspicious.Path] explorer.exe(1856) -- C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll[7] -> Unloaded

¤¤¤ Registry : 22 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1" | (default) : {FB314ED9-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2" | (default) : {FB314EDA-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3" | (default) : {FB314EDD-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4" | (default) : {FB314EDE-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5" | (default) : {FB314EDB-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6" | (default) : {FB314EDF-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7" | (default) : {FB314EDC-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8" | (default) : {FB314EE0-A251-47B7-93E1-CDD82E34AF8B}  -> Found
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c  -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run | EPSON Stylus Photo R1800 : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /FU "C:\DOCUME~1\Suzette\LOCALS~1\Temp\E_SB.tmp" /EF "HKCU"  -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSearch : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] GoogleUpdateTaskUserS-1-5-18Core.job -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (/c) -> Found
[Suspicious.Path] GoogleUpdateTaskUserS-1-5-18UA.job -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (/ua /installsource scheduler) -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] yv0h34i6.default : user_pref("network.proxy.type", 4); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1200JB-00CRA1 +++++
--- User ---
[MBR] aa055278fab22c9493918f4ddeef0367
[BSP] 98a551c56d6d9f24b15469d84829134c : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 7623 | Size: 111653 MB [Unknown Bootstrap | Unknown Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 228674880 | Size: 2805 MB [Unknown Bootstrap | Unknown Bootloader]
User = LL1 ... OK
User = LL2 ... OK

RKreport_DEL_02272015_212943.log:-

RogueKiller V10.4.3.0 [Feb 23 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Suzette [Administrator]
Mode : Delete -- Date : 02/27/2015  21:29:43

¤¤¤ Processes : 2 ¤¤¤
[Suspicious.Path] explorer.exe(1856) -- C:\Documents and Settings\Suzette\Application Data\Dropbox\bin\DropboxExt.24.dll[7] -> Unloaded
[Suspicious.Path] explorer.exe(1856) -- C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll[7] -> Unloaded

¤¤¤ Registry : 22 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1" | (default) : {FB314ED9-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2" | (default) : {FB314EDA-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3" | (default) : {FB314EDD-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4" | (default) : {FB314EDE-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5" | (default) : {FB314EDB-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6" | (default) : {FB314EDF-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7" | (default) : {FB314EDC-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8" | (default) : {FB314EE0-A251-47B7-93E1-CDD82E34AF8B}  -> Deleted
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [7][x] -> Deleted
[Suspicious.Path] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run | EPSON Stylus Photo R1800 : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /FU "C:\DOCUME~1\Suzette\LOCALS~1\Temp\E_SB.tmp" /EF "HKCU" [-][x][-][x][x] -> Deleted
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c  -> ERROR [2]
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowControlPanel : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowHelp : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSearch : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Replaced (1)
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 0  -> Replaced (1)
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Replaced (0)

¤¤¤ Tasks : 2 ¤¤¤
[Suspicious.Path] GoogleUpdateTaskUserS-1-5-18Core.job -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (/c) -> Deleted
[Suspicious.Path] GoogleUpdateTaskUserS-1-5-18UA.job -- C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (/ua /installsource scheduler) -> Deleted

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] yv0h34i6.default : user_pref("network.proxy.type", 4); -> Replaced (0)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1200JB-00CRA1 +++++
--- User ---
[MBR] aa055278fab22c9493918f4ddeef0367
[BSP] 98a551c56d6d9f24b15469d84829134c : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 7623 | Size: 111653 MB [Unknown Bootstrap | Unknown Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 228674880 | Size: 2805 MB [Unknown Bootstrap | Unknown Bootloader]
User = LL1 ... OK
User = LL2 ... OK

I hope the above is what you required.  I look forward to hearing from you and I will let you know tomorrow how the computer is running now.  Thanks again for all your help!
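The Scan and Delete reports above are meant to be read as a pair: every detection in the scan should reappear in the delete report with Deleted, Replaced or Unloaded, and one Registry entry instead came back as ERROR [2]. The following is an added example, not part of RogueKiller, Adlice or this thread, that parses the report format and lists the scan detections the delete pass did not remediate; the two report excerpts in it are constructed from a few of the lines posted above.

```python
"""Reconcile a RogueKiller 'Mode : Scan' report against the matching
'Mode : Delete' report and list detections that were not remediated."""
import re
from dataclasses import dataclass

# Section header, e.g. "¤¤¤ Registry : 22 ¤¤¤" or "¤¤¤ MBR Check : ¤¤¤".
SECTION_RE = re.compile(r"^¤¤¤\s*(?P<name>.+?)\s*:.*¤¤¤\s*$")
# Detection line, e.g. "[Suspicious.Path] <location> -> Found".
ENTRY_RE = re.compile(r"^\[(?P<cat>[^\]]+)\]\s*(?P<item>.*?)\s*->\s*(?P<outcome>.+?)\s*$")
# Flag groups appended to the location in delete mode, e.g. " [7][x]" or "[7]".
TRAIL_FLAGS_RE = re.compile(r"(\s*\[[^\]]*\])+\s*$")
# Outcomes that mean RogueKiller actually handled the item.
REMEDIATED_PREFIXES = ("Deleted", "Replaced", "Unloaded")


@dataclass(frozen=True)
class Entry:
    section: str   # Processes, Registry, Tasks, Web browsers, ...
    category: str  # Suspicious.Path, PUM.StartMenu, PUM.Proxy, ...
    item: str      # location with trailing flag groups removed
    outcome: str   # Found, Deleted, Replaced (1), ERROR [2], ...


def parse_report(text):
    """Return the detection entries of one report, each tagged with its section."""
    entries, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # Strip "[7][x]"-style flags so scan and delete lines compare equal.
            item = TRAIL_FLAGS_RE.sub("", m.group("item"))
            entries.append(Entry(section, m.group("cat"), item, m.group("outcome")))
    return entries


def _key(e):
    return (e.section, e.category, e.item)


def reconcile(scan_text, delete_text):
    """Pair every scan detection with its outcome in the delete report.

    Returns (remediated, outstanding); outstanding holds the detections that
    errored or were never revisited, i.e. what still needs a look."""
    outcomes = {_key(e): e.outcome for e in parse_report(delete_text)}
    remediated, outstanding = [], []
    for e in parse_report(scan_text):
        outcome = outcomes.get(_key(e), "missing from delete report")
        bucket = remediated if outcome.startswith(REMEDIATED_PREFIXES) else outstanding
        bucket.append((e, outcome))
    return remediated, outstanding


# Constructed excerpts of the two reports posted above (a few entries each).
SCAN_REPORT = r"""RogueKiller V10.4.3.0 [Feb 23 2015] by Adlice Software
Mode : Scan -- Date : 02/27/2015  21:17:56

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] explorer.exe(1856) -- C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll[7] -> Unloaded

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c  -> Found
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Found

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] yv0h34i6.default : user_pref("network.proxy.type", 4); -> Found
"""

DELETE_REPORT = r"""RogueKiller V10.4.3.0 [Feb 23 2015] by Adlice Software
Mode : Delete -- Date : 02/27/2015  21:29:43

¤¤¤ Processes : 1 ¤¤¤
[Suspicious.Path] explorer.exe(1856) -- C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll[7] -> Unloaded

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [7][x] -> Deleted
[Suspicious.Path] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run | Google Update : "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c  -> ERROR [2]
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1935655697-1284227242-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRun : 0  -> Replaced (1)

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] yv0h34i6.default : user_pref("network.proxy.type", 4); -> Replaced (0)
"""


if __name__ == "__main__":
    remediated, outstanding = reconcile(SCAN_REPORT, DELETE_REPORT)
    print(f"{len(remediated)} remediated, {len(outstanding)} outstanding")
    for entry, outcome in outstanding:
        print(f"  [{entry.category}] {entry.section}: {entry.item} -> {outcome}")
```

Run against the full RKreport_SCN and RKreport_DEL files, the outstanding list is the set of entries to hand back to the helper, which here is the single HKEY_USERS\S-1-5-18 Run value that errored.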



#8 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 February 2015 - 09:08 AM

Looking good.

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#9 TaraTara

  • Topic Starter
  • Members
  • 13 posts
  • Gender:Female
  • Location:Cambridge, UK

Posted 02 March 2015 - 02:19 PM

In your last Post, you asked "How is the computer running now?"  So, after running SecurityCheck.exe (as requested, I have posted the contents of checkup.txt at the end of this Post), I carried out tests on all of the matters I had been having trouble with at the start of my Topic.

A. TESTS - ONGOING PROBLEMS
***************************
1. In summary, the computer is running slightly better than it was WHEN NOT CONNECTED TO THE INTERNET, BUT AS SOON AS I RECONNECTED AND DID A GOOGLE SEARCH IN FIREFOX, IT DRAMATICALLY SLOWED.  I know this is not a question of our Internet connection as I get around 16Mbps download speed and my other computer is quick when doing a Google search.  Then, anything I do, such as opening the Downloads folder in Windows Explorer or starting any program, is very slow.

2. I did notice that when I did a check to see that Firefox was up to date, by going to 'Help' and then 'About Firefox', it had a suspicious link on the 'About Mozilla Firefox' dialog box while downloading the update.  It said, "firefox for google pack/referral google-cjk - 1.1"?  Also, when I open the 'Options' at the 'General' tab, the button which should say 'Use Current Page' under the 'Home Page:' section says '©'; however, if I close it and open it again, it then shows 'Use Current Page'.

3. Firefox is VERY SLOW in loading up and THEN takes a VERY long time to open the Home page, which is set to 'https://www.google.co.uk/' (to avoid the Country redirect from 'http://www.google.co.uk/').

4. In Firefox, the Avast Online Security symbol is not showing against each site listed (WOT Add-on is showing correctly) when I do a Google search, even though it shows as being enabled in Add-ons and is showing correctly as a Green icon (i.e. it is on, whereas it shows as grey if it is disabled).

5. When I tried moving a combination of RAW and jpg photo files on the internal drive, it crashed Windows Explorer.  I've attached a Screenshot as 'Windows Explorer Crash.jpg' (I did not have a problem when I did this within folders on the External drive).

6. In Adobe Photoshop, when I try to save a .jpg file at max quality of 12, with Baseline Optimized, it says, "Could not complete your request because of a program error".  I've attached a Screenshot as 'Adobe Photoshop Error.jpg'.  I use the same program on my other computer and have no problems, so I know it cannot be the program.

7. In the Nikon 'ViewNX 2' program, when I try to convert a .RAW file to .jpg and save as High, it is taking a very long time to do one picture, i.e. about 10 minutes, when it should be a matter of seconds.

8. When I do a Restart of the Computer, it takes a very long time with the screen saying, "Saving your settings..." for about 5 minutes.

9. When I went to update Java as I was informed that 'Java 7 Update 71' was out of date, I started by trying to uninstall the old version as they recommend.  I went to 'Add or Remove Programs' & pressed the 'Remove' button.  The removal progress bar went most of the way but then stuck.  I left it for 15 minutes to see if it would sort itself out but no success.  I then opened Windows Task Manager & saw that CPU Usage was stuck at 100% & rundll32.exe was using 97% of the CPU (I've attached a Screenshot as 'Java 7 Update 71 Crash.jpg').  I then went to the 'Applications' tab and clicked 'End Task' of 'Java 7 Update 71'.  This still did not clear the CPU; so I clicked the 'Processes' tab and clicked 'End Process' of rundll32.exe.  The CPU still stayed at 97%, showing that this was being taken by msiexec.exe and lsass.exe at which it stayed for a long time, before it finally went back down to around 7%.  I went to 'Add or Remove Programs' and saw that 'Java 7 Update 71' was no longer there but have little faith it had been properly removed.  I see from wikipedia that lsass.exe "is often faked by malware". Do you think this is what is happening?

10. I then went on and did an offline installation of 'Java 8 Update 31', which appeared to work, but I don't know about the impact of point 9. above re the previous version.

11. Several years ago, I installed Google Desktop and Google Desktop Extreme version 2.1.2.  When the Computer started to slow down, I disabled it, but it is still installed.  I notice that Google is no longer supporting it.  Is it safe to re-enable it when the Computer is sorted out?  If not, is there a free program which can do the same job, including storing the info in files and not just file names?




B. TESTS - PROBLEMS SOLVED
**************************
12. After a full closedown and turning the mains off, the computer now starts up as soon as I press the power button.  HOWEVER, I haven't done a full Avast scan, so this isn't a proper test.  I will do a full Avast scan tonight & let you know the outcome of that tomorrow morning.

13. Microsoft Outlook now working well.

14. I found under point . below a possible Malware reason as to why "the machine failed to start up & had to press the startup button many times before it finally started", as I said at the start of this topic.

15. Encrypting a file would sometimes freeze before and not work but seems to be working now without difficulty.

16. Adobe Digital Editions would not work before even when I tried uninstalling.  Now, I've re-downloaded and re-installed and it appears to be working properly.



C. ITEMS OF CONCERN/QUERY
*************************
17. Firstly, I re-enabled TeaTimer so that the tests would be in my normal operating mode.  While I re-enabled TeaTimer, I came across the following suspicious items, which I thought I should bring to your attention:-

a. This is an extract of Spybot's 'BHOs' list; these entries look suspicious as they have no details, and this seemed to be confirmed when I checked them with Google:-

"--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

{DBC80044-A445-435b-BC74-9C25C1C588A9} ()
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name:
        CLSID name:

{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} ()
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name:
        CLSID name:

{FFCB3198-32F3-4E8B-9539-4324694ED663} ()
          location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          BHO name:
        CLSID name: "

b. This is an extract of Spybot's 'Uninstall info' list; these entries look suspicious as they have no details, and this seemed to be confirmed when I checked them with Google:-

"--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

  (MSI30-Beta1)
  (MSI30-Beta2)
  (MSI30-KB884016)
  (MSI30-RC1)
  (MSI30-RC2)
  (MSI30a-KB884016)
  (MSI31-Beta)
  (MSI31-RC1)
  (NetMeeting)
  (NLSDownlevelMapping)
  (Wdf01000)
  (Wdf01001)
  (Wdf01005)
  (Wdf01007)
  (WIC)
  ({26A24AE4-039D-4CA4-87B4-2F03217065FB})
  ({26A24AE4-039D-4CA4-87B4-2F83216018FB})
  ({26A24AE4-039D-4CA4-87B4-2F83216020FB})
  ({26A24AE4-039D-4CA4-87B4-2F83216021FB})
  ({26A24AE4-039D-4CA4-87B4-2F83216022FB})
  ({26A24AE4-039D-4CA4-87B4-2F83216023FB})
  ({26A24AE4-039D-4CA4-87B4-2F83216024FB})
  ({26A24AE4-039D-4CA4-87B4-2F83216026FB})
  ({26A24AE4-039D-4CA4-87B4-2F83217009FB})
  ({26A24AE4-039D-4CA4-87B4-2F83217011FB})
  ({26A24AE4-039D-4CA4-87B4-2F83217045FB})
  ({26A24AE4-039D-4CA4-87B4-2F83217051FB})
  ({26A24AE4-039D-4CA4-87B4-2F83217055FB})"



18. I then looked in Windows Explorer and found the following suspicious looking folders, which I thought I should inform you about:-

a. Path: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
Folders: MSHist012011082720110828
         MSHist012011082820110829

b. Path: C:\Documents and Settings\All Users\Application Data
Folders: {429CAD59-35B1-4DBC-BB6D-1DB246563521}
     {755AC846-7372-4AC8-8550-C52491DAA8BD}
     54F3DE4E-B7BA-4EBD-8B3B-385D272CC583
     188F1432-103A-4ffb-80F1-36B633C5C9E1
     B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
     boost_interprocess

c. Path: C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folders: Select LastBootUpTime from Win32_OperatingSystem (<== Was this why I had trouble booting up?)

d. Path: C:\Documents and Settings\All Users\Application Data
Folders: Skype Extras

e. Path: C:\Documents and Settings\All Users\Application Data
Folders: Ultima_T15

f. Path: C:\Documents and Settings\Suzette\Local Settings\Application Data\Temp
Folders: avastBCLTMP

g. Path: C:\Documents and Settings\Suzette\Local Settings\Application Data\Temp\avastBCLTMP
Folders: firefox <==with many sub-folders

h. Path: C:\Documents and Settings\Suzette\UserData
Folders: 0H6V4DYV
     OT6NC9QR
     OTQZKTYJ
     ZF1JAERU

i. Path: C:\Program Files\ashampoo
Folders: Ashampoo Power Encrypt Deluxe <==Has file 'PowEnc.dat' which virustotal.com says may be suspect!!

j. Path: C:\Program Files\Bradbury
Folders: TopStyle3

k. Path: C:\Program Files\Common Files
Folders: LogiShrd

l. Path: C:\WINDOWS\system32\Defaults
File: MX0002_80641102{B591EC40-11D1-DBC3-A000-9D9D737F8EC9}.rdf

m. Path: C:\WINDOWS\Temp
File: Perflib_Perfdata_a18.dat <==Google says this is used to redirect in Google Search: wonder if this why so slow in Firefox?



19. When I looked at Services, I noted the following which looked suspicious as there was no description or it was not clear what their purpose was:-

a. Anpormt_
Anpormt_\C:\WINDOWS\system32\drivers\hidir.sys

b. Background Intelligent Transfer Service
Background Intelligent Transfer Service\C:\WINDOWS\system32\svchost.exe -k netsvcs <== has this been hacked?

c. ClipBook
ClipBook\C:\WINDOWS\system32\clipsrv.exe

d. Creative Service for CDROM Access
Creative Service for CDROM Access\C:\WINDOWS\system32\CTsvcCDA.exe

e. Google Desktop Manager 5.9.1005.12335
Google Desktop Manager 5.9.1005.12335\Service Information.txt

f. Google Update Service (gupdate)
Google Update Service (gupdate)\"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc

g. Google Update Service (gupdatem)
Google Update Service (gupdatem)\"C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc

h. PACSPTISVR
PACSPTISVR\C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe

i. Sony SPTI Service
Sony SPTI Service\C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

j. WMDM PMSP Service
WMDM PMSP Service\C:\WINDOWS\system32\MsPMSPSv.exe


20. I have attached a screenshot of the running Processes from Windows Task Manager, as 'Processes Post Cleanup.jpg' in case this helps you when you are reviewing the above.



D. SECURITY CHECK
*****************
21. As requested, here are the contents of checkup.txt:-

" Results of screen317's Security Check version 0.99.97  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Spybot - Search & Destroy
 SUPERAntiSpyware     
 JavaFX 2.0.3    
 Java 7 Update 71  
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31  
 Adobe Flash Player     16.0.0.235  
 Adobe Reader XI  
 Mozilla Firefox 35.0.1 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Alwil Software Avast5 AvastSvc.exe  
 Alwil Software Avast5 AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 2%
````````````````````End of Log``````````````````````"



I look forward to hearing from you re the above and, again, thank you for all your much appreciated help.


#10 TaraTara

  • Topic Starter
  • Members
  • 13 posts
  • Gender:Female
  • Location:Cambridge, UK

Posted 03 March 2015 - 05:15 AM

12. After a full closedown and turning the mains off, the computer now starts up as soon as I press the power button.  HOWEVER, I haven't done a full Avast scan, so this isn't a proper test.  I will do a full Avast scan tonight & let you know the outcome of that tomorrow morning.

As I said in my previous Post, I did a full Avast scan last night & it was good news that the computer started up as soon as I pressed the power button after a full closedown and turning the mains off.

I look forward to hearing from you concerning the points in my previous post.  Thank you.



#11 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2015 - 08:48 AM

I appreciate your concern, but my task is to remove any malware that may still be active on this computer.

Now that you have started the computer and it is starting OK, what are the problems you are experiencing now?

#12 TaraTara

  • Topic Starter
  • Members
  • 13 posts
  • Gender:Female
  • Location:Cambridge, UK

Posted 03 March 2015 - 11:04 AM

The problems I am experiencing now are as follows:-

1. If I start the computer CONNECTED TO THE INTERNET, it operates VERY SLOWLY doing anything such as even opening Windows Explorer or any program.  It feels like something is taking all its power.  Could it be a Rootkit?

2. If I disconnect from the Internet before starting, it runs at normal speed BUT AS SOON AS I RECONNECT AND DO A GOOGLE SEARCH IN FIREFOX, IT DRAMATICALLY SLOWS DOWN AND ANY PROGRAMS I THEN RUN ARE SLOW, EVEN AFTER I'VE CLOSED FIREFOX.  It continues this way unless I close down and restart WITHOUT BEING CONNECTED TO THE INTERNET.

3. When I do a restart or full closedown of the Computer, it takes a very long time with the screen saying, "Saving your settings..." for about 5 minutes.

4. When I tried moving a combination of RAW and jpg photo files on the internal drive, it crashed Windows Explorer.  I've attached a Screenshot of the message that came up as 'Windows Explorer Crash.jpg'.

5. In Adobe Photoshop, when I try to save a .jpg file at max quality of 12, with Baseline Optimized, it says, "Could not complete your request because of a program error".  I've attached a Screenshot as 'Adobe Photoshop Error.jpg'.  I use the same program on my other computer and have no problems, so I know it cannot be the program.

6. In the Nikon 'ViewNX 2' program, when I try to convert a .RAW file to .jpg and save as High, it is taking a very long time to do one picture, i.e. about 10 minutes, when it should be a matter of seconds.



I look forward to hearing from you.

Attached files: Windows Explorer Crash.jpg (36.11 KB), Adobe Photoshop Error.jpg (18.87 KB)



#13 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 March 2015 - 02:40 PM

Download and install this Service Pack 6 for Visual Basic 6.0:

Follow the instructions on this page.
http://www.microsoft.com/en-us/download/details.aspx?id=24417

How is it now?

#14 TaraTara

  • Topic Starter
  • Members
  • 13 posts
  • Gender:Female
  • Location:Cambridge, UK

Posted 03 March 2015 - 05:35 PM

I did as you suggested and downloaded and installed Service Pack 6 for Visual Basic 6.0.  It certainly improved the speed of opening up Windows Explorer, but when I tried to copy some RAW and jpg photo files on the internal drive, from one folder to another, as before, it crashed Windows Explorer and the same message as before came up as in the Screenshot 'Windows Explorer Crash.jpg' which I attached to Post #12.

What would you like me to do next?



#15 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 March 2015 - 08:50 AM


Re-install the 'ViewNX 2' program.
http://www.nikonusa.com/en/Nikon-Products/Product/Imaging-Software/ViewNX-2.html

When done, restart the computer normally.

Is the problem persisting?