
gozes.exe


  • This topic is locked
25 replies to this topic

#1 S1b

S1b

  • Members
  • 15 posts

Posted 25 May 2015 - 09:20 AM

Anyone out there have any idea what this process does? CPU usage is always high...
Also noticed that gozes.scr is also keeping the processor busy.


Edited by hamluis, 25 May 2015 - 10:09 AM.
Moved from XP to MRL - Hamluis.




#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts

Posted 25 May 2015 - 09:27 AM

Hi S1b,

 

Do you know where this file is located?

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 S1b

S1b
  • Topic Starter

  • Members
  • 15 posts

Posted 25 May 2015 - 09:53 AM

Not sure...virus scan has just picked it up as a worm.
Yikes!

#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts

Posted 25 May 2015 - 09:56 AM

Hi S1b,
 
I figured as much that it was malware. Let's run this tool to see.
 

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~




#5 S1b

S1b
  • Topic Starter

  • Members
  • 15 posts

Posted 25 May 2015 - 11:19 AM


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-05-2015 01
Ran by Hurniwell (administrator) on ISABEL-8C7DF0CB on 25-05-2015 17:36:23
Running from C:\Documents and Settings\Hurniwell\Desktop
Loaded Profiles: Hurniwell (Available Profiles: Hurniwell)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(COMODO) C:\Program Files\COMODO\Firewall\cmdagent.exe
(Comodo Inc.) C:\Program Files\COMODO\Common\CAVASpy\cavasm.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\realplay.exe
(COMODO) C:\Program Files\COMODO\Firewall\cfp.exe
(COMODO) C:\Program Files\COMODO\Comodo AntiVirus\CMain.exe
() C:\WINDOWS\FixCamera.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\s3hotkey.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\S3TRAY.exe
(Microsoft Corporation) C:\Program Files\Messenger\msmsgs.exe
() C:\Documents and Settings\Hurniwell\gozes.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\CavAUD.exe
Failed to access process -> gozes.scr
Failed to access process -> gozes.exe
() C:\Documents and Settings\Hurniwell\alg.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(COMODO) C:\Program Files\COMODO\Comodo AntiVirus\CavApp.exe
(Microsoft Corporation) C:\Documents and Settings\Hurniwell\Desktop\dotNetFx40_Full_x86_x64.exe
(Microsoft Corporation) C:\c0e368fac64432b0fd\Setup.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [DXM6Patch_981116] => C:\WINDOWS\p_981116.exe [497376 1998-11-30] (Microsoft Corporation)
HKLM\...\Run: [RealTray] => C:\Program Files\Real\RealPlayer\RealPlay.exe [19456 2007-12-17] (RealNetworks, Inc.)
HKLM\...\Run: [COMODO Firewall Pro] => C:\Program Files\COMODO\Firewall\cfp.exe [1481984 2007-12-17] (COMODO)
HKLM\...\Run: [cnfgCav] => C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe [110592 2007-12-17] (COMODO)
HKLM\...\Run: [FixCamera] => C:\WINDOWS\FixCamera.exe [20480 2007-02-12] ()
HKLM\...\Run: [S3Hotkey] => C:\WINDOWS\system32\s3hotkey.exe [40960 2001-09-12] (S3 Graphics, Inc.)
HKLM\...\Run: [S3TRAY] => C:\WINDOWS\system32\S3tray.exe [73728 2001-10-04] (S3 Graphics, Inc.)
Winlogon\Notify\monln: C:\WINDOWS\system32\monln.dll [2007-12-17] (Comodo Inc.)
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1667584 2004-08-04] (Microsoft Corporation)
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe [138240 2014-05-09] ()
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {4d905480-d795-11e3-9f38-00d059a1545b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL kieecUm.EXE
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {649a2730-f426-11e4-9f50-00d059a1545b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GOZes.ExE
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {dd374520-02ba-11e5-9f58-00d059a1545b} - E:\Autorun.exe
AppInit_DLLs: C:\WINDOWS\system32\guard32.dll => C:\WINDOWS\system32\guard32.dll [139008 2007-12-17] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1844237615-920026266-854245398-1005\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-1844237615-920026266-854245398-1005\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1844237615-920026266-854245398-1005 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
Winsock: Catalog9 01 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 02 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 03 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 18 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)

FireFox:
========

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 cmdAgent; C:\Program Files\COMODO\Firewall\cmdagent.exe [544512 2007-12-17] (COMODO)
R2 Comodo Anti-Virus and Anti-Spyware Service; C:\Program Files\Comodo\common\CAVASpy\cavasm.exe [523264 2007-12-17] (Comodo Inc.) []

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 allegro; C:\WINDOWS\System32\drivers\es198x.sys [174464 2001-08-17] (ESS Technology, Inc.)
R3 AN983; C:\WINDOWS\System32\DRIVERS\AN983.sys [36224 2004-08-04] (ADMtek Incorporated.)
R0 Cavasm; C:\WINDOWS\System32\DRIVERS\cavasm.sys [102400 2007-12-17] (Comodo Inc.) []
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R1 cmdGuard; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [79096 2007-12-17] (COMODO)
R1 cmdHlp; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [23672 2007-12-17] (COMODO)
R3 Edspport; C:\WINDOWS\System32\DRIVERS\es56cvmp.sys [595647 2001-08-17] (ESS Technology, Inc.)
R0 Inspect; C:\WINDOWS\System32\DRIVERS\inspect.sys [74616 2007-12-17] (COMODO)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
R1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42496 2004-08-04] (Microsoft Corporation)
S3 QCDonner; C:\WINDOWS\System32\DRIVERS\OVCD.sys [28032 2001-08-17] (Microsoft Corporation)
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
R3 S3GSavageMX; C:\WINDOWS\System32\DRIVERS\s3gsavm.sys [80384 2002-04-16] (S3 Graphics, Inc.)
S3 S3SavageMX; C:\WINDOWS\System32\DRIVERS\s3savmxm.sys [75392 2001-08-17] (S3 Graphics, Inc.)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
R3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 SNP325; system32\DRIVERS\snp325.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-25 17:36 - 2015-05-25 17:40 - 00008285 _____ () C:\Documents and Settings\Hurniwell\Desktop\FRST.txt
2015-05-25 17:35 - 2015-05-25 17:37 - 00000000 ____D () C:\FRST
2015-05-25 17:31 - 2015-05-25 17:18 - 01146880 _____ (Farbar) C:\Documents and Settings\Hurniwell\Desktop\FRST.exe
2015-05-25 16:41 - 2015-05-25 16:44 - 00000000 ____D () C:\c0e368fac64432b0fd
2015-05-25 16:41 - 2015-05-25 15:44 - 50449456 _____ (Microsoft Corporation) C:\Documents and Settings\Hurniwell\Desktop\dotNetFx40_Full_x86_x64.exe
2015-05-25 16:41 - 2015-05-25 15:42 - 22544384 _____ (Microsoft Corporation) C:\Documents and Settings\Hurniwell\Desktop\NetFx20SP1_x86.exe
2015-05-25 16:40 - 2015-05-21 21:32 - 00559063 _____ () C:\Documents and Settings\Hurniwell\Desktop\Everything-1.3.4.686.x64-Setup.exe
2015-05-25 15:49 - 2015-05-25 15:49 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\TMP
2015-05-25 15:47 - 2015-05-25 15:47 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\New Folder
2015-05-25 14:49 - 2015-05-25 14:49 - 00000724 _____ () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2015-05-25 14:48 - 2015-05-25 14:49 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2015-05-25 14:48 - 2015-05-25 14:48 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-05-25 14:48 - 2015-05-25 14:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Mozilla
2015-05-25 14:47 - 2015-05-25 14:49 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-05-25 14:22 - 2015-05-25 14:22 - 00452858 _____ () C:\Documents and Settings\Hurniwell\My Documents\MSI2643.LOG
2015-05-25 13:08 - 2015-05-25 13:50 - 00000000 ____D () C:\e4d7b143daf03e0c0fb179bb61
2015-05-25 13:04 - 2015-05-25 13:08 - 00008072 _____ () C:\WINDOWS\WIC.log
2015-05-25 13:04 - 2015-05-25 13:04 - 00000000 __HDC () C:\WINDOWS\$NtUninstallWIC$
2015-05-25 13:04 - 2006-10-16 16:10 - 00023856 _____ (Microsoft Corporation) C:\WINDOWS\system32\spupdsvc.exe
2015-05-25 12:47 - 2015-05-25 13:25 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2015-05-25 11:10 - 2015-05-25 11:10 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Local Settings\Application Data\Downloaded Installations
2015-05-25 11:01 - 2015-05-25 11:02 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB942288-v3$
2015-05-25 11:00 - 2015-05-25 11:05 - 00008821 _____ () C:\WINDOWS\KB942288-v3.log
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zuQ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zSJ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zrp.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zOM.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zLZ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zkz.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zjU.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zfe.lnk
2015-05-25 10:52 - 2015-05-25 10:52 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Application Data\Adobe
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zYD.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zVN.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zSN.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zpv.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zKo.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zJJ.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zis.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zdN.lnk
2015-05-25 10:50 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zQa.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zxi.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRX.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRC.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRb.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zNW.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zHq.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zgj.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEr.lnk
2015-05-23 14:05 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zQZ.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zVI.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zPq.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\znT.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zlP.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zFG.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEz.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEv.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zCx.lnk
2015-05-23 14:04 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozes.scr
2015-05-21 17:38 - 2015-05-25 13:08 - 00008685 _____ () C:\WINDOWS\tsoc.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00003670 _____ () C:\WINDOWS\netfxocm.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001531 _____ () C:\WINDOWS\MedCtrOC.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001374 _____ () C:\WINDOWS\imsins.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001028 _____ () C:\WINDOWS\ocmsn.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00000967 _____ () C:\WINDOWS\msgsocm.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00000894 _____ () C:\WINDOWS\tabletoc.log
2015-05-21 17:38 - 2015-05-25 13:07 - 00005594 _____ () C:\WINDOWS\msmqinst.log
2015-05-21 17:38 - 2015-05-25 11:05 - 00001374 _____ () C:\WINDOWS\imsins.BAK
2015-05-21 17:37 - 2015-05-25 13:08 - 00017455 _____ () C:\WINDOWS\FaxSetup.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00014330 _____ () C:\WINDOWS\iis6.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00011142 _____ () C:\WINDOWS\ocgen.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00005855 _____ () C:\WINDOWS\comsetup.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00003883 _____ () C:\WINDOWS\ntdtcsetup.log
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zXR.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zUV.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRR.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zOy.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zlK.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zLh.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zcG.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zbi.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zAY.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000182 _____ () C:\Documents and Settings\Hurniwell\Application Data.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000178 _____ () C:\Documents and Settings\Hurniwell\Local Settings.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000174 _____ () C:\Documents and Settings\Hurniwell\My Documents.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000170 _____ () C:\Documents and Settings\Hurniwell\Start Menu.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000170 _____ () C:\Documents and Settings\Hurniwell\New Folder.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Templates.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\PrintHood.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Passwords.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Favorites.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Documents.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000166 _____ () C:\Documents and Settings\Hurniwell\UserData.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000166 _____ () C:\Documents and Settings\Hurniwell\Pictures.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\NetHood.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\Desktop.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\Cookies.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000162 _____ () C:\Documents and Settings\Hurniwell\SendTo.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000162 _____ () C:\Documents and Settings\Hurniwell\Recent.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000160 _____ () C:\Documents and Settings\Hurniwell\Video.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000160 _____ () C:\Documents and Settings\Hurniwell\Music.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000154 _____ () C:\Documents and Settings\Hurniwell\...lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000152 _____ () C:\Documents and Settings\Hurniwell\..lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00010752 __RSH () C:\Documents and Settings\Hurniwell\zzz.dll
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zzf.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zXx.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zvz.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zux.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRY.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zqy.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zmV.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zMa.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zhL.lnk
2015-05-13 19:26 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozesx.exe
2015-05-13 19:26 - 2014-05-09 18:18 - 00138240 _____ () C:\Documents and Settings\Hurniwell\x.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-25 17:40 - 2014-01-18 19:42 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Local Settings\Temp
2015-05-25 16:20 - 2007-12-02 17:33 - 00338014 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-25 15:56 - 2007-12-02 19:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-05-25 15:56 - 2007-12-02 19:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-05-25 15:56 - 2007-12-02 17:44 - 00032604 _____ () C:\WINDOWS\SchedLgU.Txt
2015-05-25 15:56 - 2007-12-02 17:44 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-05-25 15:55 - 2014-01-18 19:42 - 00000178 ___SH () C:\Documents and Settings\Hurniwell\ntuser.ini
2015-05-25 15:46 - 2014-02-05 13:16 - 00040599 _____ () C:\WINDOWS\setupapi.log
2015-05-25 12:58 - 2007-12-02 19:03 - 00000000 ____D () C:\WINDOWS\pchealth
2015-05-25 12:48 - 2007-12-02 19:17 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-05-25 11:04 - 2007-12-02 19:03 - 00000000 ____D () C:\WINDOWS\system32\mui
2015-05-25 10:53 - 2014-01-18 19:42 - 00000000 __SHD () C:\Documents and Settings\Hurniwell
2015-05-24 15:53 - 2004-08-04 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-05-23 13:47 - 2014-04-28 18:20 - 00000000 __SHD () C:\WINDOWS\CSC
2015-05-20 20:02 - 2007-12-17 20:01 - 00000000 ____D () C:\WINDOWS\system32\appmgmt

Files to move or delete:
====================
C:\Documents and Settings\Hurniwell\alg.exe
C:\Documents and Settings\Hurniwell\gozes.exe
C:\Documents and Settings\Hurniwell\gozesx.exe
C:\Documents and Settings\Hurniwell\x.exe
C:\Documents and Settings\Hurniwell\zzz.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-05-2015 01
Ran by Hurniwell at 2015-05-25 17:47:30
Running from C:\Documents and Settings\Hurniwell\Desktop
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1844237615-920026266-854245398-500 - Administrator - Enabled)
Guest (S-1-5-21-1844237615-920026266-854245398-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1844237615-920026266-854245398-1000 - Limited - Disabled)
Hurniwell (S-1-5-21-1844237615-920026266-854245398-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Hurniwell
SUPPORT_388945a0 (S-1-5-21-1844237615-920026266-854245398-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

FW: COMODO Firewall Pro (Disabled) {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Comodo AntiVirus Beta 2.0 (HKLM\...\Comodo AntiVirus Beta 2.0) (Version: 2.0.17.58 - COMODO)
COMODO Firewall Pro (HKLM\...\COMODO Firewall Pro) (Version: 3.0.12.266 - COMODO)
Microsoft NetShow Tools 2.0 (HKLM\...\Microsoft NetShow Tools 2.0) (Version: - )
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 38.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 38.0.1 (x86 en-US)) (Version: 38.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 38.0.1 - Mozilla)
MSN (HKLM\...\MSNINST) (Version: - )
OpenOffice 4.0.1 (HKLM\...\{24B89186-2A56-4D28-B930-6F4FCF224E2F}) (Version: 4.01.9714 - Apache Software Foundation)
RealPlayer G2 (HKLM\...\RealPlayer 6.0) (Version: - )
S3 Gamma Utility (HKLM\...\S3 Gamma) (Version: - )
S3DuoVue Utility (HKLM\...\S3DUOVUE) (Version: - )
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

25-05-2015 11:02:42 Installed Windows XP KB942288-v3.
25-05-2015 13:05:33 Installed Windows XP WIC.

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 14:00 - 2004-08-04 14:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (Whitelisted) ==============

2007-12-17 18:26 - 2007-12-17 18:26 - 00139008 _____ () C:\WINDOWS\system32\guard32.dll
2007-12-17 16:58 - 2007-12-17 16:58 - 00034816 _____ () C:\Program Files\Common Files\Real\Plugins\pnxr3260.dll
2007-12-17 19:44 - 2007-02-12 14:50 - 00020480 _____ () C:\WINDOWS\FixCamera.exe
2014-05-09 18:18 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozes.exe
2014-05-09 18:22 - 2014-05-09 18:22 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\alg.exe

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1844237615-920026266-854245398-1005\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp
DNS Servers: Media is not connected to internet.

==================== MSCONFIG/TASK MANAGER Error getting ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\Gizmo Project\mDNSResponder.exe] => Enabled:Bonjour
StandardProfile\AuthorizedApplications: [C:\Program Files\Gizmo Project\Gizmo.exe] => Enabled:Gizmo Project
StandardProfile\AuthorizedApplications: [C:\Program Files\Skype\Phone\Skype.exe] => Enabled:Skype
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (05/25/2015 03:31:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/25/2015 03:31:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/25/2015 01:49:34 PM) (Source: MsiInstaller) (EventID: 11334) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 4 Client Profile -- Error 1334. The file '_001_dfshim_dll_x86' cannot be installed because the file cannot be found in cabinet file 'netfx_core.mzz'. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Error: (05/25/2015 01:25:30 PM) (Source: MsiInstaller) (EventID: 11310) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 4 Client Profile -- Error 1310. Error writing to file: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.Aero.dll. System error 0. Verify that you have access to that directory.

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update '.NET Framework WinForms' could not be installed. Error code 1603. Additional information is available in the log file C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt.

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update '.NET Framework ASP .NET' could not be installed. Error code 1603. Additional information is available in the log file C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt.

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update '.NET Framework 2' could not be installed. Error code 1603. Additional information is available in the log file C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt.

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update '.NET Framework 1' could not be installed. Error code 1603. Additional information is available in the log file C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt.

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update 'Dr. Watson' could not be installed. Error code 1603. Additional information is available in the log file C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt.

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update '.NET Framework PreXP' could not be installed. Error code 1603. Additional information is available in the log file C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt.


System errors:
=============
Error: (05/25/2015 03:56:56 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IPSEC Services service terminated with the following error:
%%10022

Error: (05/25/2015 02:47:33 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:31 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:29 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:26 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:24 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:22 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:20 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:17 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D

Error: (05/25/2015 02:47:15 PM) (Source: 0) (EventID: 7) (User: )
Description: \Device\Harddisk0\D


Microsoft Office:
=========================
Error: (05/25/2015 03:31:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE6.0.2900.2180hungapp0.0.0.000000000

Error: (05/25/2015 03:31:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: IEXPLORE.EXE6.0.2900.2180hungapp0.0.0.000000000

Error: (05/25/2015 01:49:34 PM) (Source: MsiInstaller) (EventID: 11334) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 4 Client Profile -- Error 1334. The file '_001_dfshim_dll_x86' cannot be installed because the file cannot be found in cabinet file 'netfx_core.mzz'. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.(NULL)(NULL)(NULL)(NULL)

Error: (05/25/2015 01:25:30 PM) (Source: MsiInstaller) (EventID: 11310) (User: ISABEL-8C7DF0CB)
Description: Product: Microsoft .NET Framework 4 Client Profile -- Error 1310. Error writing to file: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.Aero.dll. System error 0. Verify that you have access to that directory.(NULL)(NULL)(NULL)(NULL)

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Microsoft .NET Framework 2.0 Service Pack 2.NET Framework WinForms1603C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt(NULL)

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Microsoft .NET Framework 2.0 Service Pack 2.NET Framework ASP .NET1603C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt(NULL)

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Microsoft .NET Framework 2.0 Service Pack 2.NET Framework 21603C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt(NULL)

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Microsoft .NET Framework 2.0 Service Pack 2.NET Framework 11603C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt(NULL)

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Microsoft .NET Framework 2.0 Service Pack 2Dr. Watson1603C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt(NULL)

Error: (05/25/2015 00:58:35 PM) (Source: MsiInstaller) (EventID: 1023) (User: ISABEL-8C7DF0CB)
Description: Microsoft .NET Framework 2.0 Service Pack 2.NET Framework PreXP1603C:\DOCUME~1\HURNIW~1\LOCALS~1\Temp\dd_NET_Framework20_Setup3DB4.txt(NULL)


==================== Memory info ===========================

Percentage of memory in use: 72%
Total physical RAM: 383.48 MB
Available physical RAM: 104.99 MB
Total Pagefile: 921.98 MB
Available Pagefile: 671.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1961.36 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:18.62 GB) (Free:14.3 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: (16GIG LIME) (Removable) (Total:15.08 GB) (Free:14.97 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 18.6 GB) (Disk ID: E80F0222)
Partition 1: (Active) - (Size=18.6 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 15.1 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=15.1 GB) - (Type=0C)

==================== End of log ============================

#6 xXToffeeXx
Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 25 May 2015 - 11:51 AM

Hi S1b,

 

  • Please go to: VirusTotal
  • On the page you'll find a "Choose File" button.
  • Click on the Choose File button.
  • In the Choose File to Upload window which opens, copy and paste this into the File Name box:

C:\WINDOWS\FixCamera.exe
C:\c0e368fac64432b0fd\Setup.exe
C:\WINDOWS\p_981116.exe

  • Next, click the Open button.
  • Then click the "Scan It!" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying "File has already been analyzed", click "Reanalyze file now".
  • Once scanned, copy and paste the link to the results page in your next reply.
  • Repeat for each of the files.

--------------
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
() C:\Documents and Settings\Hurniwell\gozes.exe
() C:\Documents and Settings\Hurniwell\alg.exe
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe [138240 2014-05-09] ()
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {4d905480-d795-11e3-9f38-00d059a1545b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL kieecUm.EXE
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {649a2730-f426-11e4-9f50-00d059a1545b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GOZes.ExE
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zuQ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zSJ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zrp.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zOM.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zLZ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zkz.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zjU.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zfe.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zYD.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zVN.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zSN.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zpv.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zKo.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zJJ.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zis.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zdN.lnk
2015-05-25 10:50 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zQa.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zxi.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRX.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRC.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRb.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zNW.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zHq.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zgj.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEr.lnk
2015-05-23 14:05 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zQZ.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zVI.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zPq.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\znT.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zlP.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zFG.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEz.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEv.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zCx.lnk
2015-05-23 14:04 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozes.scr
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zXR.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zUV.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRR.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zOy.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zlK.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zLh.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zcG.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zbi.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zAY.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000154 _____ () C:\Documents and Settings\Hurniwell\...lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000152 _____ () C:\Documents and Settings\Hurniwell\..lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00010752 __RSH () C:\Documents and Settings\Hurniwell\zzz.dll
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zzf.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zXx.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zvz.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zux.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRY.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zqy.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zmV.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zMa.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zhL.lnk
2015-05-13 19:26 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozesx.exe
2015-05-13 19:26 - 2014-05-09 18:18 - 00138240 _____ () C:\Documents and Settings\Hurniwell\x.exe
C:\Documents and Settings\Hurniwell\alg.exe
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt
  • New FRST.txt

xXToffeeXx~


Edited by xXToffeeXx, 25 May 2015 - 11:51 AM.

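As an added example that is not code from this thread or from FRST, the following Python script reads FRST-style log lines like those in the fixlist above and flags the patterns the fix targets: an unsigned executable running from the user profile root, the Run value pointing at it, MountPoints2 autorun handlers, executables carrying read-only/system/hidden attributes, and bursts of same-size .lnk files. The sample lines are copied from this thread except the "Example Vendor" line, which is constructed as a benign control; the rule names and the cluster threshold are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Line shapes FRST uses in its Processes, Registry and "One Month Created" sections.
PROC_RE = re.compile(r'^\(([^)]*)\) ([A-Za-z]:\\.+)$')
RUN_RE = re.compile(r'^(HKLM|HKU\\S-[\d-]+)\\\.\.\.\\Run: \[([^\]]+)\] => (.+?) \[\d+ [^\]]*\] \(([^)]*)\)$')
MP_RE = re.compile(r'^(HKLM|HKU\\S-[\d-]+)\\\.\.\.\\MountPoints2: (\{[0-9A-Fa-f-]+\}) - (.+)$')
FILE_RE = re.compile(r'^(\S+ \S+) - (\S+ \S+) - (\d{8}) (\S{5}) \(([^)]*)\) (.+)$')

EXEC_EXT = ('.exe', '.scr', '.dll', '.com', '.pif')
LNK_CLUSTER_MIN = 5   # same-size .lnk files in one folder before we call it a lure cluster (assumed)


@dataclass
class Finding:
    severity: str   # 'high' or 'medium'
    rule: str
    line: str


def in_profile_root(path):
    # True when the file sits directly in a user profile directory, i.e.
    # C:\Documents and Settings\<user>\<file> (XP) or C:\Users\<user>\<file>.
    parts = path.split('\\')
    return len(parts) == 4 and parts[1].lower() in ('documents and settings', 'users')


def triage(log_text):
    """Return a Finding for every suspicious FRST-style line in log_text."""
    findings = []
    lnk_groups = defaultdict(list)   # (parent folder, size) -> lines
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            _created, _modified, size, attrs, publisher, path = m.groups()
            executable = path.lower().endswith(EXEC_EXT)
            if path.lower().endswith('.lnk'):
                lnk_groups[(path.rsplit('\\', 1)[0], int(size))].append(line)
            elif executable and all(c in attrs for c in 'RSH'):
                # Read-only + system + hidden on an executable keeps a dropped
                # file out of Explorer's default view.
                findings.append(Finding('high', 'hidden-system executable', line))
            elif executable and not publisher and in_profile_root(path):
                findings.append(Finding('medium', 'unsigned executable in profile root', line))
            continue
        m = MP_RE.match(line)
        if m:
            # FRST lists MountPoints2 entries only when they carry a shell
            # command; that is where per-volume autorun handlers live.
            findings.append(Finding('high', 'MountPoints2 autorun handler', line))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, _name, target, publisher = m.groups()
            if not publisher and in_profile_root(target):
                findings.append(Finding('high', 'Run key to unsigned profile-root executable', line))
            continue
        m = PROC_RE.match(line)
        if m:
            publisher, path = m.groups()
            if not publisher and in_profile_root(path):
                findings.append(Finding('high', 'unsigned process running from profile root', line))
    for (parent, size), lines in lnk_groups.items():
        if len(lines) >= LNK_CLUSTER_MIN:
            findings.append(Finding('medium', f'{len(lines)} same-size .lnk files ({size} bytes) in {parent}', lines[0]))
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


# Sample input: lines copied from the fixlist and FRST.txt in this thread, plus one
# constructed benign file line ("Example Vendor") as a control.
SAMPLE_LOG = r"""
() C:\Documents and Settings\Hurniwell\gozes.exe
(COMODO) C:\Program Files\COMODO\Firewall\cmdagent.exe
HKLM\...\Run: [S3TRAY] => C:\WINDOWS\system32\S3tray.exe [73728 2001-10-04] (S3 Graphics, Inc.)
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe [138240 2014-05-09] ()
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {649a2730-f426-11e4-9f50-00d059a1545b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GOZes.ExE
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {dd374520-02ba-11e5-9f58-00d059a1545b} - E:\Autorun.exe
2015-05-23 14:04 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozes.scr
2015-05-13 19:26 - 2015-05-13 19:26 - 00010752 __RSH () C:\Documents and Settings\Hurniwell\zzz.dll
2015-05-13 19:26 - 2014-05-09 18:18 - 00138240 _____ () C:\Documents and Settings\Hurniwell\x.exe
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zuQ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zSJ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zrp.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zOM.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zLZ.lnk
2015-05-20 09:00 - 2015-05-20 09:00 - 00012345 _____ (Example Vendor) C:\Program Files\Example\app.exe
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.rule}: {f.line}')
    print(summarize(triage(SAMPLE_LOG)))   # {'high': 6, 'medium': 2}
```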


#7 S1b
  • Topic Starter
  • Members
  • 15 posts

Posted 25 May 2015 - 12:31 PM

Can't seem to get onto the VirusTotal site. Keeps saying "page unavailable".
Does the same thing for any other kind of virus or antivirus link/websites or if trying to download another kind of browser.
Any advice?

#8 xXToffeeXx
Bleepin' Polar Bear
  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 25 May 2015 - 03:27 PM

Hi S1b,

 

It is possible that this is due to the malware blocking it or due to running an outdated browser and OS.

 

Skip this step and continue with the others for the time being.

 

xXToffeeXx~




#9 S1b
  • Topic Starter
  • Members
  • 15 posts

Posted 26 May 2015 - 01:46 AM

Fix result of Farbar Recovery Scan Tool (x86) Version: 24-05-2015 01
Ran by Hurniwell at 2015-05-26 08:31:23 Run:1
Running from C:\Documents and Settings\Hurniwell\Desktop
Loaded Profiles: Hurniwell (Available Profiles: Hurniwell)
Boot Mode: Normal

==============================================

fixlist content:
*****************
() C:\Documents and Settings\Hurniwell\gozes.exe
() C:\Documents and Settings\Hurniwell\alg.exe
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe [138240 2014-05-09] ()
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {4d905480-d795-11e3-9f38-00d059a1545b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL kieecUm.EXE
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {649a2730-f426-11e4-9f50-00d059a1545b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL GOZes.ExE
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zuQ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zSJ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zrp.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zOM.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zLZ.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zkz.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zjU.lnk
2015-05-25 10:53 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zfe.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zYD.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zVN.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zSN.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zpv.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zKo.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zJJ.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zis.lnk
2015-05-25 10:51 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zdN.lnk
2015-05-25 10:50 - 2015-05-25 10:53 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zQa.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zxi.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRX.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRC.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRb.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zNW.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zHq.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zgj.lnk
2015-05-25 10:50 - 2015-05-25 10:50 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEr.lnk
2015-05-23 14:05 - 2015-05-25 10:51 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zQZ.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zVI.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zPq.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\znT.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zlP.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zFG.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEz.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zEv.lnk
2015-05-23 14:05 - 2015-05-23 14:05 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zCx.lnk
2015-05-23 14:04 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozes.scr
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zXR.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zUV.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRR.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zOy.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zlK.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zLh.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zcG.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zbi.lnk
2015-05-13 19:33 - 2015-05-13 19:33 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zAY.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000154 _____ () C:\Documents and Settings\Hurniwell\...lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000152 _____ () C:\Documents and Settings\Hurniwell\..lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00010752 __RSH () C:\Documents and Settings\Hurniwell\zzz.dll
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zzf.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zXx.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zvz.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zux.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zRY.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zqy.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zmV.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zMa.lnk
2015-05-13 19:26 - 2015-05-13 19:26 - 00000161 _____ () C:\Documents and Settings\Hurniwell\zhL.lnk
2015-05-13 19:26 - 2014-05-09 18:18 - 00138240 __RSH () C:\Documents and Settings\Hurniwell\gozesx.exe
2015-05-13 19:26 - 2014-05-09 18:18 - 00138240 _____ () C:\Documents and Settings\Hurniwell\x.exe
C:\Documents and Settings\Hurniwell\alg.exe
*****************

C:\Documents and Settings\Hurniwell\gozes.exe => No running process found
C:\Documents and Settings\Hurniwell\alg.exe => No running process found
HKU\S-1-5-21-1844237615-920026266-854245398-1005\Software\Microsoft\Windows\CurrentVersion\Run\\gozes => value Removed successfully.
"HKU\S-1-5-21-1844237615-920026266-854245398-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d905480-d795-11e3-9f38-00d059a1545b}" => key Removed successfully.
HKCR\CLSID\{4d905480-d795-11e3-9f38-00d059a1545b} => key not found.
"HKU\S-1-5-21-1844237615-920026266-854245398-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{649a2730-f426-11e4-9f50-00d059a1545b}" => key Removed successfully.
HKCR\CLSID\{649a2730-f426-11e4-9f50-00d059a1545b} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\\Tabs => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
C:\Documents and Settings\Hurniwell\zuQ.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zSJ.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zrp.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zOM.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zLZ.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zkz.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zjU.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zfe.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zYD.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zVN.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zSN.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zpv.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zKo.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zJJ.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zis.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zdN.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zQa.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zxi.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zRX.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zRC.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zRb.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zNW.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zHq.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zgj.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zEr.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zQZ.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zVI.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zPq.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\znT.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zlP.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zFG.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zEz.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zEv.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zCx.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\gozes.scr => Moved successfully.
C:\Documents and Settings\Hurniwell\zXR.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zUV.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zRR.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zOy.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zlK.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zLh.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zcG.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zbi.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zAY.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\...lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\..lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zzz.dll => Moved successfully.
C:\Documents and Settings\Hurniwell\zzf.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zXx.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zvz.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zux.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zRY.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zqy.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zmV.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zMa.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\zhL.lnk => Moved successfully.
C:\Documents and Settings\Hurniwell\gozesx.exe => Moved successfully.
C:\Documents and Settings\Hurniwell\x.exe => Moved successfully.
C:\Documents and Settings\Hurniwell\alg.exe => Moved successfully.

==== End of Fixlog 08:31:35 ====

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-05-2015 01
Ran by Hurniwell (administrator) on ISABEL-8C7DF0CB on 26-05-2015 08:35:16
Running from C:\Documents and Settings\Hurniwell\Desktop
Loaded Profiles: Hurniwell (Available Profiles: Hurniwell)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(COMODO) C:\Program Files\COMODO\Firewall\cmdagent.exe
(Comodo Inc.) C:\Program Files\COMODO\Common\CAVASpy\cavasm.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\realplay.exe
(COMODO) C:\Program Files\COMODO\Firewall\cfp.exe
(COMODO) C:\Program Files\COMODO\Comodo AntiVirus\CMain.exe
() C:\WINDOWS\FixCamera.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\s3hotkey.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\S3TRAY.exe
(Microsoft Corporation) C:\Program Files\Messenger\msmsgs.exe
() C:\Documents and Settings\Hurniwell\gozes.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\CavAUD.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [DXM6Patch_981116] => C:\WINDOWS\p_981116.exe [497376 1998-11-30] (Microsoft Corporation)
HKLM\...\Run: [RealTray] => C:\Program Files\Real\RealPlayer\RealPlay.exe [19456 2007-12-17] (RealNetworks, Inc.)
HKLM\...\Run: [COMODO Firewall Pro] => C:\Program Files\COMODO\Firewall\cfp.exe [1481984 2007-12-17] (COMODO)
HKLM\...\Run: [cnfgCav] => C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe [110592 2007-12-17] (COMODO)
HKLM\...\Run: [FixCamera] => C:\WINDOWS\FixCamera.exe [20480 2007-02-12] ()
HKLM\...\Run: [S3Hotkey] => C:\WINDOWS\system32\s3hotkey.exe [40960 2001-09-12] (S3 Graphics, Inc.)
HKLM\...\Run: [S3TRAY] => C:\WINDOWS\system32\S3tray.exe [73728 2001-10-04] (S3 Graphics, Inc.)
Winlogon\Notify\monln: C:\WINDOWS\system32\monln.dll [2007-12-17] (Comodo Inc.)
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1667584 2004-08-04] (Microsoft Corporation)
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe [138240 2014-05-09] ()
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {dd374520-02ba-11e5-9f58-00d059a1545b} - E:\Autorun.exe
AppInit_DLLs: C:\WINDOWS\system32\guard32.dll => C:\WINDOWS\system32\guard32.dll [139008 2007-12-17] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1844237615-920026266-854245398-1005\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1844237615-920026266-854245398-1005\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1844237615-920026266-854245398-1005 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Winsock: Catalog9 01 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 02 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 03 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 18 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)

FireFox:
========

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 cmdAgent; C:\Program Files\COMODO\Firewall\cmdagent.exe [544512 2007-12-17] (COMODO)
R2 Comodo Anti-Virus and Anti-Spyware Service; C:\Program Files\Comodo\common\CAVASpy\cavasm.exe [523264 2007-12-17] (Comodo Inc.) []

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 allegro; C:\WINDOWS\System32\drivers\es198x.sys [174464 2001-08-17] (ESS Technology, Inc.)
R3 AN983; C:\WINDOWS\System32\DRIVERS\AN983.sys [36224 2004-08-04] (ADMtek Incorporated.)
R0 Cavasm; C:\WINDOWS\System32\DRIVERS\cavasm.sys [102400 2007-12-17] (Comodo Inc.) []
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R1 cmdGuard; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [79096 2007-12-17] (COMODO)
R1 cmdHlp; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [23672 2007-12-17] (COMODO)
R3 Edspport; C:\WINDOWS\System32\DRIVERS\es56cvmp.sys [595647 2001-08-17] (ESS Technology, Inc.)
R0 Inspect; C:\WINDOWS\System32\DRIVERS\inspect.sys [74616 2007-12-17] (COMODO)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
R1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42496 2004-08-04] (Microsoft Corporation)
S3 QCDonner; C:\WINDOWS\System32\DRIVERS\OVCD.sys [28032 2001-08-17] (Microsoft Corporation)
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
R3 S3GSavageMX; C:\WINDOWS\System32\DRIVERS\s3gsavm.sys [80384 2002-04-16] (S3 Graphics, Inc.)
S3 S3SavageMX; C:\WINDOWS\System32\DRIVERS\s3savmxm.sys [75392 2001-08-17] (S3 Graphics, Inc.)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
R3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 SNP325; system32\DRIVERS\snp325.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-26 08:27 - 2015-05-26 08:30 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\FRST-OlderVersion
2015-05-25 17:47 - 2015-05-25 17:50 - 00013673 _____ () C:\Documents and Settings\Hurniwell\Desktop\Addition.txt
2015-05-25 17:36 - 2015-05-26 08:39 - 00007546 _____ () C:\Documents and Settings\Hurniwell\Desktop\FRST.txt
2015-05-25 17:35 - 2015-05-26 08:35 - 00000000 ____D () C:\FRST
2015-05-25 17:31 - 2015-05-25 17:18 - 01146880 _____ (Farbar) C:\Documents and Settings\Hurniwell\Desktop\FRST.exe
2015-05-25 16:41 - 2015-05-25 15:44 - 50449456 _____ (Microsoft Corporation) C:\Documents and Settings\Hurniwell\Desktop\dotNetFx40_Full_x86_x64.exe
2015-05-25 16:41 - 2015-05-25 15:42 - 22544384 _____ (Microsoft Corporation) C:\Documents and Settings\Hurniwell\Desktop\NetFx20SP1_x86.exe
2015-05-25 16:40 - 2015-05-21 21:32 - 00559063 _____ () C:\Documents and Settings\Hurniwell\Desktop\Everything-1.3.4.686.x64-Setup.exe
2015-05-25 15:49 - 2015-05-25 15:49 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\TMP
2015-05-25 15:47 - 2015-05-25 15:47 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\New Folder
2015-05-25 14:48 - 2015-05-25 14:49 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2015-05-25 14:48 - 2015-05-25 14:48 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-05-25 14:48 - 2015-05-25 14:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Mozilla
2015-05-25 14:47 - 2015-05-25 14:49 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-05-25 14:22 - 2015-05-25 14:22 - 00452858 _____ () C:\Documents and Settings\Hurniwell\My Documents\MSI2643.LOG
2015-05-25 13:08 - 2015-05-25 13:50 - 00000000 ____D () C:\e4d7b143daf03e0c0fb179bb61
2015-05-25 13:04 - 2015-05-25 13:08 - 00008072 _____ () C:\WINDOWS\WIC.log
2015-05-25 13:04 - 2015-05-25 13:04 - 00000000 __HDC () C:\WINDOWS\$NtUninstallWIC$
2015-05-25 13:04 - 2006-10-16 16:10 - 00023856 _____ (Microsoft Corporation) C:\WINDOWS\system32\spupdsvc.exe
2015-05-25 12:47 - 2015-05-25 13:25 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2015-05-25 11:10 - 2015-05-25 11:10 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Local Settings\Application Data\Downloaded Installations
2015-05-25 11:01 - 2015-05-25 11:02 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB942288-v3$
2015-05-25 11:00 - 2015-05-25 11:05 - 00008821 _____ () C:\WINDOWS\KB942288-v3.log
2015-05-25 10:52 - 2015-05-25 10:52 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Application Data\Adobe
2015-05-21 17:38 - 2015-05-25 13:08 - 00008685 _____ () C:\WINDOWS\tsoc.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00003670 _____ () C:\WINDOWS\netfxocm.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001531 _____ () C:\WINDOWS\MedCtrOC.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001374 _____ () C:\WINDOWS\imsins.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001028 _____ () C:\WINDOWS\ocmsn.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00000967 _____ () C:\WINDOWS\msgsocm.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00000894 _____ () C:\WINDOWS\tabletoc.log
2015-05-21 17:38 - 2015-05-25 13:07 - 00005594 _____ () C:\WINDOWS\msmqinst.log
2015-05-21 17:38 - 2015-05-25 11:05 - 00001374 _____ () C:\WINDOWS\imsins.BAK
2015-05-21 17:37 - 2015-05-25 13:08 - 00017455 _____ () C:\WINDOWS\FaxSetup.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00014330 _____ () C:\WINDOWS\iis6.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00011142 _____ () C:\WINDOWS\ocgen.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00005855 _____ () C:\WINDOWS\comsetup.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00003883 _____ () C:\WINDOWS\ntdtcsetup.log
2015-05-13 19:26 - 2015-05-25 10:53 - 00000182 _____ () C:\Documents and Settings\Hurniwell\Application Data.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000178 _____ () C:\Documents and Settings\Hurniwell\Local Settings.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000174 _____ () C:\Documents and Settings\Hurniwell\My Documents.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000170 _____ () C:\Documents and Settings\Hurniwell\Start Menu.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000170 _____ () C:\Documents and Settings\Hurniwell\New Folder.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Templates.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\PrintHood.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Passwords.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Favorites.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Documents.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000166 _____ () C:\Documents and Settings\Hurniwell\UserData.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000166 _____ () C:\Documents and Settings\Hurniwell\Pictures.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\NetHood.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\Desktop.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\Cookies.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000162 _____ () C:\Documents and Settings\Hurniwell\SendTo.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000162 _____ () C:\Documents and Settings\Hurniwell\Recent.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000160 _____ () C:\Documents and Settings\Hurniwell\Video.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000160 _____ () C:\Documents and Settings\Hurniwell\Music.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-26 08:39 - 2014-01-18 19:42 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Local Settings\Temp
2015-05-26 08:31 - 2014-01-18 19:42 - 00000000 __SHD () C:\Documents and Settings\Hurniwell
2015-05-26 08:16 - 2007-12-02 17:33 - 00352695 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-26 08:08 - 2007-12-02 19:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-05-26 08:08 - 2007-12-02 19:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-05-26 08:08 - 2007-12-02 17:44 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-05-25 20:43 - 2014-01-18 19:42 - 00000178 ___SH () C:\Documents and Settings\Hurniwell\ntuser.ini
2015-05-25 20:43 - 2007-12-02 17:44 - 00032616 _____ () C:\WINDOWS\SchedLgU.Txt
2015-05-25 19:14 - 2014-04-28 18:20 - 00000000 __SHD () C:\WINDOWS\CSC
2015-05-25 15:46 - 2014-02-05 13:16 - 00040599 _____ () C:\WINDOWS\setupapi.log
2015-05-25 12:58 - 2007-12-02 19:03 - 00000000 ____D () C:\WINDOWS\pchealth
2015-05-25 12:48 - 2007-12-02 19:17 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-05-25 11:04 - 2007-12-02 19:03 - 00000000 ____D () C:\WINDOWS\system32\mui
2015-05-24 15:53 - 2004-08-04 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-05-20 20:02 - 2007-12-17 20:01 - 00000000 ____D () C:\WINDOWS\system32\appmgmt

Files to move or delete:
====================
C:\Documents and Settings\Hurniwell\gozes.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================
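The log above shows the same file three ways: a running process with an empty publisher, an HKU Run entry pointing at it, and a path in the root of the user's profile rather than Program Files or Windows. As an added example (not part of this thread and not Farbar's or FRST's own code), the Python below parses constructed lines in that FRST.txt format and flags entries that fit this pattern, including the orphaned Run key that a scan shows once the file has been moved:

```python
"""Triage helper for FRST log lines (added example; not FRST's own code).
Reads the "Processes" and "Registry" sections in the format FRST prints and
flags entries that look like gozes.exe: no publisher/version info, a path
under a user profile, or a Run key whose target file no longer exists."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample in the shape of the FRST.txt output quoted in this thread.
BEFORE_FIX_LOG = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(COMODO) C:\Program Files\COMODO\Firewall\cmdagent.exe
() C:\WINDOWS\FixCamera.exe
() C:\Documents and Settings\Hurniwell\gozes.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RealTray] => C:\Program Files\Real\RealPlayer\RealPlay.exe [19456 2007-12-17] (RealNetworks, Inc.)
HKLM\...\Run: [FixCamera] => C:\WINDOWS\FixCamera.exe [20480 2007-02-12] ()
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe [138240 2014-05-09] ()

==================== Internet (Whitelisted) ====================
"""

# Constructed sample of a scan taken after the file was moved: the Run key is orphaned.
AFTER_FIX_LOG = r"""
==================== Registry (Whitelisted) ==================

HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe
"""

# "(Publisher) X:\path" process lines; empty parentheses mean no version info.
PROCESS_RE = re.compile(r"^\((?P<pub>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
# "HKLM\...\Run: [name] => X:\path [size date] (Publisher)"; the trailing
# "[size date] (Publisher)" part is absent when FRST cannot find the file.
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\S-1-5-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => "
    r"(?P<path>[A-Za-z]:\\.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<pub>[^)]*)\))?$"
)
USER_PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\users\\")


@dataclass
class Finding:
    kind: str                 # "process" or "run"
    path: str
    publisher: Optional[str]  # None when FRST found no file behind the Run key
    reasons: List[str] = field(default_factory=list)


def in_user_profile(path: str) -> bool:
    """True for files stored under a user profile rather than Program Files or Windows."""
    return path.lower().startswith(USER_PROFILE_PREFIXES)


def section_lines(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (section, line) for the Processes and Registry sections only."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===="):
            section = "process" if "Processes" in line else "run" if "Registry" in line else None
        elif section and line:
            yield section, line


def triage(text: str) -> List[Finding]:
    """Return one Finding per process or Run entry that deserves a second look."""
    findings: List[Finding] = []
    for section, line in section_lines(text):
        match = (PROCESS_RE if section == "process" else RUN_RE).match(line)
        if not match:  # explanatory lines, Winlogon, MountPoints2, AppInit_DLLs are skipped
            continue
        path, pub = match.group("path"), match.group("pub")
        reasons = []
        if section == "run" and pub is None:
            reasons.append("Run key target no longer exists (orphaned autorun)")
        elif pub == "":
            reasons.append("no publisher or version info")
        if in_user_profile(path):
            reasons.append("executable stored under a user profile")
        if reasons:
            findings.append(Finding(section, path, pub, reasons))
    return findings


def correlate(findings: List[Finding]) -> Dict[str, dict]:
    """Merge findings by path (a file both running and persisted in Run shows once),
    ordered so the entries with the most reasons come first."""
    merged: Dict[str, dict] = {}
    for f in findings:
        entry = merged.setdefault(f.path.lower(), {"path": f.path, "seen_in": set(), "reasons": set()})
        entry["seen_in"].add(f.kind)
        entry["reasons"].update(f.reasons)
    return dict(sorted(merged.items(), key=lambda kv: -len(kv[1]["reasons"])))
```

Running `correlate(triage(BEFORE_FIX_LOG))` puts gozes.exe first (seen as both process and Run entry, two reasons) and FixCamera.exe below it for review; on `AFTER_FIX_LOG` it reports only the orphaned Run key, which is what the second fix in this thread removes.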

#10 xXToffeeXx

  • Malware Response Instructor

Posted 26 May 2015 - 12:30 PM

Hi S1b,
 
We need to run a fix with FRST:

  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
() C:\Documents and Settings\Hurniwell\gozes.exe
C:\Documents and Settings\Hurniwell\gozes.exe
EmptyTemp:
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Please re-run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt
  • New FRST.txt

xXToffeeXx~



#11 S1b

  • Topic Starter

Posted 26 May 2015 - 01:02 PM

Fix result of Farbar Recovery Scan Tool (x86) Version: 24-05-2015 01
Ran by Hurniwell at 2015-05-26 19:45:56 Run:2
Running from C:\Documents and Settings\Hurniwell\Desktop
Loaded Profiles: Hurniwell (Available Profiles: Hurniwell & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
() C:\Documents and Settings\Hurniwell\gozes.exe
C:\Documents and Settings\Hurniwell\gozes.exe
EmptyTemp:
*****************

C:\Documents and Settings\Hurniwell\gozes.exe => No running process found
C:\Documents and Settings\Hurniwell\gozes.exe => Moved successfully.
EmptyTemp: => Removed 49.7 MB temporary data.


The system needed a reboot.

==== End of Fixlog 19:47:14 ====

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-05-2015 01
Ran by Hurniwell (administrator) on ISABEL-8C7DF0CB on 26-05-2015 19:58:25
Running from C:\Documents and Settings\Hurniwell\Desktop
Loaded Profiles: Hurniwell (Available Profiles: Hurniwell & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(COMODO) C:\Program Files\COMODO\Firewall\cmdagent.exe
(Comodo Inc.) C:\Program Files\COMODO\Common\CAVASpy\cavasm.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\cavse.exe
(RealNetworks, Inc.) C:\Program Files\Real\RealPlayer\realplay.exe
(COMODO) C:\Program Files\COMODO\Firewall\cfp.exe
(COMODO) C:\Program Files\COMODO\Comodo AntiVirus\CMain.exe
() C:\WINDOWS\FixCamera.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\s3hotkey.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\S3TRAY.exe
(Microsoft Corporation) C:\Program Files\Messenger\msmsgs.exe
(Comodo Inc.) C:\Program Files\COMODO\Comodo AntiVirus\CavAUD.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IEXPLORE.EXE


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [DXM6Patch_981116] => C:\WINDOWS\p_981116.exe [497376 1998-11-30] (Microsoft Corporation)
HKLM\...\Run: [RealTray] => C:\Program Files\Real\RealPlayer\RealPlay.exe [19456 2007-12-17] (RealNetworks, Inc.)
HKLM\...\Run: [COMODO Firewall Pro] => C:\Program Files\COMODO\Firewall\cfp.exe [1481984 2007-12-17] (COMODO)
HKLM\...\Run: [cnfgCav] => C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe [110592 2007-12-17] (COMODO)
HKLM\...\Run: [FixCamera] => C:\WINDOWS\FixCamera.exe [20480 2007-02-12] ()
HKLM\...\Run: [S3Hotkey] => C:\WINDOWS\system32\s3hotkey.exe [40960 2001-09-12] (S3 Graphics, Inc.)
HKLM\...\Run: [S3TRAY] => C:\WINDOWS\system32\S3tray.exe [73728 2001-10-04] (S3 Graphics, Inc.)
Winlogon\Notify\monln: C:\WINDOWS\system32\monln.dll [2007-12-17] (Comodo Inc.)
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1667584 2004-08-04] (Microsoft Corporation)
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\MountPoints2: {dd374520-02ba-11e5-9f58-00d059a1545b} - E:\Autorun.exe
AppInit_DLLs: C:\WINDOWS\system32\guard32.dll => C:\WINDOWS\system32\guard32.dll [139008 2007-12-17] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1844237615-920026266-854245398-1005\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1844237615-920026266-854245398-1005\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1844237615-920026266-854245398-1005 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Winsock: Catalog9 01 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 02 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 03 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)
Winsock: Catalog9 18 C:\WINDOWS\system32\CavEmLSP.dll [73728 2007-12-17] (COMODO)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Hurniwell\Application Data\Mozilla\Firefox\Profiles\o3mzzm65.default

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 cmdAgent; C:\Program Files\COMODO\Firewall\cmdagent.exe [544512 2007-12-17] (COMODO)
R2 Comodo Anti-Virus and Anti-Spyware Service; C:\Program Files\Comodo\common\CAVASpy\cavasm.exe [523264 2007-12-17] (Comodo Inc.) []

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 allegro; C:\WINDOWS\System32\drivers\es198x.sys [174464 2001-08-17] (ESS Technology, Inc.)
R3 AN983; C:\WINDOWS\System32\DRIVERS\AN983.sys [36224 2004-08-04] (ADMtek Incorporated.)
R0 Cavasm; C:\WINDOWS\System32\DRIVERS\cavasm.sys [102400 2007-12-17] (Comodo Inc.) []
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R1 cmdGuard; C:\WINDOWS\System32\DRIVERS\cmdguard.sys [79096 2007-12-17] (COMODO)
R1 cmdHlp; C:\WINDOWS\System32\DRIVERS\cmdhlp.sys [23672 2007-12-17] (COMODO)
R3 Edspport; C:\WINDOWS\System32\DRIVERS\es56cvmp.sys [595647 2001-08-17] (ESS Technology, Inc.)
R0 Inspect; C:\WINDOWS\System32\DRIVERS\inspect.sys [74616 2007-12-17] (COMODO)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
R1 P3; C:\WINDOWS\System32\DRIVERS\p3.sys [42496 2004-08-04] (Microsoft Corporation)
S3 QCDonner; C:\WINDOWS\System32\DRIVERS\OVCD.sys [28032 2001-08-17] (Microsoft Corporation)
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
R3 S3GSavageMX; C:\WINDOWS\System32\DRIVERS\s3gsavm.sys [80384 2002-04-16] (S3 Graphics, Inc.)
S3 S3SavageMX; C:\WINDOWS\System32\DRIVERS\s3savmxm.sys [75392 2001-08-17] (S3 Graphics, Inc.)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
R3 SMCIRDA; C:\WINDOWS\System32\DRIVERS\smcirda.sys [35913 2001-08-17] (SMC)
S3 SNP325; system32\DRIVERS\snp325.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-26 19:03 - 2015-05-26 19:03 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Local Settings\Application Data\Mozilla
2015-05-26 19:03 - 2015-05-26 19:03 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Application Data\Mozilla
2015-05-26 19:01 - 2015-05-26 19:01 - 00000285 _____ () C:\WINDOWS\nsw.log
2015-05-26 18:43 - 2015-05-26 18:43 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
2015-05-26 18:43 - 2015-05-26 18:43 - 00000000 ____D () C:\Documents and Settings\Administrator\Application Data\Mozilla
2015-05-26 18:42 - 2015-05-26 18:42 - 00000724 _____ () C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2015-05-26 18:30 - 2015-05-26 19:02 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-05-26 18:30 - 2015-05-26 18:43 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
2015-05-26 18:30 - 2015-05-26 18:30 - 00000000 ____D () C:\Documents and Settings\Administrator
2015-05-26 18:30 - 2007-12-02 17:36 - 00001599 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2015-05-26 18:30 - 2007-12-02 17:36 - 00000792 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2015-05-26 18:30 - 2007-12-02 17:36 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
2015-05-26 08:27 - 2015-05-26 19:45 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\FRST-OlderVersion
2015-05-25 17:47 - 2015-05-25 17:50 - 00013673 _____ () C:\Documents and Settings\Hurniwell\Desktop\Addition.txt
2015-05-25 17:36 - 2015-05-26 19:58 - 00007544 _____ () C:\Documents and Settings\Hurniwell\Desktop\FRST.txt
2015-05-25 17:35 - 2015-05-26 19:58 - 00000000 ____D () C:\FRST
2015-05-25 17:31 - 2015-05-25 17:18 - 01146880 _____ (Farbar) C:\Documents and Settings\Hurniwell\Desktop\FRST.exe
2015-05-25 16:41 - 2015-05-25 15:44 - 50449456 _____ (Microsoft Corporation) C:\Documents and Settings\Hurniwell\Desktop\dotNetFx40_Full_x86_x64.exe
2015-05-25 16:41 - 2015-05-25 15:42 - 22544384 _____ (Microsoft Corporation) C:\Documents and Settings\Hurniwell\Desktop\NetFx20SP1_x86.exe
2015-05-25 16:40 - 2015-05-21 21:32 - 00559063 _____ () C:\Documents and Settings\Hurniwell\Desktop\Everything-1.3.4.686.x64-Setup.exe
2015-05-25 15:49 - 2015-05-25 15:49 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\TMP
2015-05-25 15:47 - 2015-05-25 15:47 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Desktop\New Folder
2015-05-25 14:48 - 2015-05-26 19:02 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-05-25 14:48 - 2015-05-26 18:42 - 00000730 _____ () C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2015-05-25 14:48 - 2015-05-25 14:48 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Mozilla
2015-05-25 14:47 - 2015-05-26 18:42 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-05-25 14:22 - 2015-05-25 14:22 - 00452858 _____ () C:\Documents and Settings\Hurniwell\My Documents\MSI2643.LOG
2015-05-25 13:08 - 2015-05-25 13:50 - 00000000 ____D () C:\e4d7b143daf03e0c0fb179bb61
2015-05-25 13:04 - 2015-05-25 13:08 - 00008072 _____ () C:\WINDOWS\WIC.log
2015-05-25 13:04 - 2015-05-25 13:04 - 00000000 __HDC () C:\WINDOWS\$NtUninstallWIC$
2015-05-25 13:04 - 2006-10-16 16:10 - 00023856 _____ (Microsoft Corporation) C:\WINDOWS\system32\spupdsvc.exe
2015-05-25 12:47 - 2015-05-25 13:25 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2015-05-25 11:10 - 2015-05-25 11:10 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Local Settings\Application Data\Downloaded Installations
2015-05-25 11:01 - 2015-05-25 11:02 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB942288-v3$
2015-05-25 11:00 - 2015-05-25 11:05 - 00008821 _____ () C:\WINDOWS\KB942288-v3.log
2015-05-25 10:52 - 2015-05-25 10:52 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Application Data\Adobe
2015-05-21 17:38 - 2015-05-25 13:08 - 00008685 _____ () C:\WINDOWS\tsoc.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00003670 _____ () C:\WINDOWS\netfxocm.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001531 _____ () C:\WINDOWS\MedCtrOC.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001374 _____ () C:\WINDOWS\imsins.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00001028 _____ () C:\WINDOWS\ocmsn.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00000967 _____ () C:\WINDOWS\msgsocm.log
2015-05-21 17:38 - 2015-05-25 13:08 - 00000894 _____ () C:\WINDOWS\tabletoc.log
2015-05-21 17:38 - 2015-05-25 13:07 - 00005594 _____ () C:\WINDOWS\msmqinst.log
2015-05-21 17:38 - 2015-05-25 11:05 - 00001374 _____ () C:\WINDOWS\imsins.BAK
2015-05-21 17:37 - 2015-05-25 13:08 - 00017455 _____ () C:\WINDOWS\FaxSetup.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00014330 _____ () C:\WINDOWS\iis6.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00011142 _____ () C:\WINDOWS\ocgen.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00005855 _____ () C:\WINDOWS\comsetup.log
2015-05-21 17:37 - 2015-05-25 13:08 - 00003883 _____ () C:\WINDOWS\ntdtcsetup.log
2015-05-13 19:26 - 2015-05-25 10:53 - 00000182 _____ () C:\Documents and Settings\Hurniwell\Application Data.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000178 _____ () C:\Documents and Settings\Hurniwell\Local Settings.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000174 _____ () C:\Documents and Settings\Hurniwell\My Documents.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000170 _____ () C:\Documents and Settings\Hurniwell\Start Menu.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000170 _____ () C:\Documents and Settings\Hurniwell\New Folder.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Templates.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\PrintHood.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Passwords.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Favorites.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000168 _____ () C:\Documents and Settings\Hurniwell\Documents.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000166 _____ () C:\Documents and Settings\Hurniwell\UserData.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000166 _____ () C:\Documents and Settings\Hurniwell\Pictures.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\NetHood.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\Desktop.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000164 _____ () C:\Documents and Settings\Hurniwell\Cookies.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000162 _____ () C:\Documents and Settings\Hurniwell\SendTo.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000162 _____ () C:\Documents and Settings\Hurniwell\Recent.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000160 _____ () C:\Documents and Settings\Hurniwell\Video.lnk
2015-05-13 19:26 - 2015-05-25 10:53 - 00000160 _____ () C:\Documents and Settings\Hurniwell\Music.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-05-26 19:59 - 2014-01-18 19:42 - 00000000 ____D () C:\Documents and Settings\Hurniwell\Local Settings\Temp
2015-05-26 19:58 - 2007-12-02 17:33 - 00371969 _____ () C:\WINDOWS\WindowsUpdate.log
2015-05-26 19:48 - 2007-12-02 19:23 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2015-05-26 19:48 - 2007-12-02 19:23 - 00000049 _____ () C:\WINDOWS\wiaservc.log
2015-05-26 19:48 - 2007-12-02 17:44 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-05-26 19:47 - 2014-01-18 19:42 - 00000178 ___SH () C:\Documents and Settings\Hurniwell\ntuser.ini
2015-05-26 19:47 - 2007-12-02 17:44 - 00032616 _____ () C:\WINDOWS\SchedLgU.Txt
2015-05-26 19:45 - 2014-01-18 19:42 - 00000000 __SHD () C:\Documents and Settings\Hurniwell
2015-05-26 19:01 - 2014-02-05 13:16 - 00042371 _____ () C:\WINDOWS\setupapi.log
2015-05-25 19:14 - 2014-04-28 18:20 - 00000000 __SHD () C:\WINDOWS\CSC
2015-05-25 12:58 - 2007-12-02 19:03 - 00000000 ____D () C:\WINDOWS\pchealth
2015-05-25 12:48 - 2007-12-02 19:17 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2015-05-25 11:04 - 2007-12-02 19:03 - 00000000 ____D () C:\WINDOWS\system32\mui
2015-05-24 15:53 - 2004-08-04 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2015-05-20 20:02 - 2007-12-17 20:01 - 00000000 ____D () C:\WINDOWS\system32\appmgmt

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of log ============================

#12 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:07:25 PM

Posted 26 May 2015 - 02:45 PM

Hi S1b,
 
We need to run a fix with FRST:

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below in the notepad document:
HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe
C:\Documents and Settings\Hurniwell\gozes.exe
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

--------------
 
Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

--------------
 
This scan can take a long time, so it is best done overnight or when you do not need the computer.
 
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Fixlog.txt
  • Emsisoft log
  • ESET log

xXToffeeXx~

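The fix above removes a Run autostart entry whose target sits in the user's profile folder rather than a program directory. As an added example that is not part of this thread and not FRST's own code, the Python below parses FRST "Run:" lines (the gozes entry quoted above plus two constructed lines for contrast) and flags targets that live under a user profile or Temp directory; the optional trailing "[size date] (vendor)" suffix it strips is an assumption about FRST's usual output, not something shown in this thread.

```python
import re

# Constructed sample lines in FRST's "Run:" format. The first is the real
# entry from this thread; the other two are made up for contrast.
SAMPLE_LINES = [
    r"HKU\S-1-5-21-1844237615-920026266-854245398-1005\...\Run: [gozes] => C:\Documents and Settings\Hurniwell\gozes.exe",
    r"HKLM\...\Run: [SoundMan] => C:\WINDOWS\SOUNDMAN.EXE [77824 2007-12-02] (Realtek Semiconductor Corp.)",
    r"HKLM\...\Run: [Updater] => C:\Documents and Settings\Hurniwell\Local Settings\Temp\upd.exe",
]

# hive\...\Run (or RunOnce): [name] => target [optional trailer]
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+\\.*?\\Run\w*): \[(?P<name>[^\]]*)\] => (?P<rest>.*)$")
# Assumed FRST trailer: " [size yyyy-mm-dd] (vendor)" appended to known files.
TRAILER_RE = re.compile(r"\s*\[\d+ \d{4}-\d{2}-\d{2}\](?: \(.*\))?$")

# Profile roots for XP and for Vista-and-later layouts.
USER_DIRS = ("c:\\documents and settings\\", "c:\\users\\")


def parse_run_entry(line):
    """Return {hive, name, target} for an FRST Run: line, or None."""
    m = RUN_RE.match(line)
    if not m:
        return None
    target = TRAILER_RE.sub("", m.group("rest")).strip().strip('"')
    return {"hive": m.group("hive"), "name": m.group("name"), "target": target}


def is_suspicious(target):
    """Autostart binaries normally live in Program Files or WINDOWS;
    a target inside a user profile or Temp folder is worth a look."""
    t = target.lower()
    in_profile = t.startswith(USER_DIRS)
    in_temp = "\\temp\\" in t or "\\local settings\\" in t
    return in_profile or in_temp


def triage(lines):
    """Return the parsed Run entries whose target looks out of place."""
    flagged = []
    for line in lines:
        entry = parse_run_entry(line)
        if entry and is_suspicious(entry["target"]):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"[{e['name']}] {e['target']}  ({e['hive']})")
```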


#13 S1b

S1b
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 27 May 2015 - 02:58 AM

Fix result of Farbar Recovery Scan Tool (x86) Version: 24-05-2015 01
Ran by Hurniwell at 2015-05-26 21:54:10 Run:3
Running from C:\Documents and Settings\Hurniwell\Desktop
Loaded Profiles: Hurniwell (Available Profiles: Hurniwell & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
() C:\Documents and Settings\Hurniwell\gozes.exe
C:\Documents and Settings\Hurniwell\gozes.exe
EmptyTemp:
*****************

C:\Documents and Settings\Hurniwell\gozes.exe => No running process found
"C:\Documents and Settings\Hurniwell\gozes.exe" => File/Folder not found.
EmptyTemp: => Removed 8.3 MB temporary data.


The system needed a reboot.

==== End of Fixlog 21:54:19 ====



#14 S1b

S1b
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 27 May 2015 - 03:01 AM

C:\Documents and Settings\Hurniwell\Local Settings\Temp\tmp00007332\tmp00014862    Win32/AutoRun.VB.RT worm    cleaned by deleting - quarantined
C:\Documents and Settings\Hurniwell\Local Settings\Temp\tmp00007332\tmp0001486a    Win32/AutoRun.VB.RT worm    cleaned by deleting - quarantined
C:\WINDOWS\FixCamera.exe    a variant of Win32/KillProc.A potentially unwanted application    deleted - quarantined
 



#15 S1b

S1b
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 27 May 2015 - 03:03 AM

Hi Toffee,

 

I can't seem to copy and paste the Emsisoft log. The webpage says I've exceeded the allowed number of emoticons...





