
Windows Vista Home Premium (32bit) ZeroAccess


This topic is locked
7 replies to this topic

#1 ndonaldson2912

Posted 08 February 2016 - 10:18 AM

Hi guys,

I'm having problems with my DELL Vostro. It's running Vista Home Premium. I ran rkill and it has detected Rootkit ZeroAccess. I downloaded Malwarebytes Anti-Rootkit. It removed several files, but I downloaded FARBAR and would really appreciate it if someone could take a look at the FRST and Addition files and see if the problems could be resolved. I will copy the files in below...

Many thanks

ndonaldson2912

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:07-02-2016
Ran by ROOSKEY (administrator) on ROOSKEY-PC (08-02-2016 15:05:12)
Running from F:\Anti Virus
Loaded Profiles: ROOSKEY (Available Profiles: ROOSKEY)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 7 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [] => [X]
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-05-07] (Oracle Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll [2012-01-10] (Citrix Online, a division of Citrix Systems, Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll <==== ATTENTION
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2008-01-04] (Google Inc.)
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\...\MountPoints2: {d53a9e2b-1448-11dd-b247-001d09b60d24} - F:\sysboot.scr
HKU\S-1-5-18\...\Run: [msnmsgr] => "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{652D0F85-E121-43FC-ACA3-540CA0D4DBC4}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{66F0EC5F-E464-4DF7-8D4F-923E4B4ADE75}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bbc.co.uk/
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.ie/ig/dell?hl=en&client=dell-row&channel=ie&ibd=3080104
URLSearchHook: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=M94oU4l9h1CewCNi6I_kxDAGnbU?q={searchTerms}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2010-09-18] (RealPlayer)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-05-07] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-03] (Google Inc.)
BHO: Windows Live Toolbar Helper -> {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -> C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19] (Microsoft Corporation)
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> C:\Program Files\Dell\BAE\BAE.dll [2006-11-09] (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-05-07] (Oracle Corporation)
Toolbar: HKLM - Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19] (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-03] (Google Inc.)
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-03] (Google Inc.)
Toolbar: HKU\.DEFAULT -> Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-03] (Google Inc.)
Toolbar: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 -> Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19] (Microsoft Corporation)
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2006-06-05] (Microsoft Corporation)
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll [2006-03-06] ()
 
FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [2011-10-05] (Adobe Systems, Inc.)
FF Plugin: @entriq.com/Download Manager Plugin Version Chk,version=3.8.2.9 -> C:\Program Files\Entriq\MediaSphere\3.8.2.9 [2008-08-02] ()
FF Plugin: @entriq.com/Download Manager Plugin,version=3.8.2.9 -> C:\Program Files\Entriq\MediaSphere\3.8.2.9 [2008-08-02] ()
FF Plugin: @java.com/DTPlugin,version=10.60.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-05-07] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.60.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-05-07] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll [2013-01-24] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.4 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2009-06-09] (Microsoft Corp.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 -> C:\Program Files\Common Files\Motive\npMotive.dll [2013-03-24] (Alcatel-Lucent)
FF Plugin: @Motive.com/npMotiveRequest,version=1.0 -> C:\Program Files\Common Files\Motive\npMotiveRequest.dll [2013-03-24] (Alcatel-Lucent)
FF Plugin: @real.com/nppl3260;version=6.0.12.775 -> C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll [2010-09-18] (RealNetworks, Inc.)
FF Plugin: @real.com/nprjplug;version=1.0.3.775 -> C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll [2010-09-18] (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=1.0.0.0 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [2010-09-18] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.775 -> C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll [2010-09-18] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-08] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-08] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-09-26] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3052671113-688549900-3555380559-1000: @entriq.com/Download Manager Plugin Version Chk,version=3.8.2.9 -> C:\Program Files\Entriq\MediaSphere\3.8.2.9 [2008-08-02] ()
FF Plugin HKU\S-1-5-21-3052671113-688549900-3555380559-1000: @entriq.com/Download Manager Plugin,version=3.8.2.9 -> C:\Program Files\Entriq\MediaSphere\3.8.2.9 [2008-08-02] ()
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-09-06] [not signed]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: RealPlayer Browser Record Plugin - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010-09-18] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com"
CHR Profile: C:\Users\ROOSKEY\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (RealPlayer HTML5Video Downloader Extension) - C:\Users\ROOSKEY\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk [2014-06-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ROOSKEY\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-30]
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2010-09-18]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 dlcg_device; C:\Windows\system32\dlcgcoms.exe [537480 2006-12-08] ( )
S4 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-08-06] (Google)
S4 GoToAssist; C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe [16680 2012-01-10] (Citrix Online, a division of Citrix Systems, Inc.)
S4 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S4 KService; C:\Program Files\Kontiki\KService.exe [3068352 2008-04-09] ()
S4 RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [880640 2006-11-05] (Sonic Solutions) [File not signed]
S4 RoxWatch9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [159744 2006-11-05] (Sonic Solutions) [File not signed]
S4 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-13] (SupportSoft, Inc.)
S4 STacSV; C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe [90112 2007-02-08] (SigmaTel, Inc.) [File not signed]
S4 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [73728 2006-09-14] (MicroVision Development, Inc.) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
S3 WLSetupSvc; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [266240 2007-10-25] (Microsoft Corporation) [File not signed]
S4 wltrysvc; C:\Windows\System32\bcmwltry.exe [2506752 2007-12-08] (Dell Inc.) [File not signed]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2013-03-24] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2013-03-24] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [36528 2006-07-24] (Sonic Solutions) [File not signed]
R3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2007-02-08] (SigmaTel, Inc.)
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-02-08 15:05 - 2016-02-08 15:05 - 00000000 ____D C:\FRST
2016-02-08 14:26 - 2016-02-08 14:56 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-02-08 14:24 - 2016-02-08 14:52 - 00000000 ____D C:\Users\ROOSKEY\Desktop\mbar
2016-02-08 14:18 - 2016-02-08 15:02 - 00012830 _____ C:\Users\ROOSKEY\Desktop\Rkill.txt
2016-02-08 14:01 - 2016-02-08 14:26 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-02-08 14:00 - 2016-02-08 14:25 - 00094936 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-02-08 14:00 - 2016-02-08 14:00 - 00000901 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-02-08 14:00 - 2016-02-08 14:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-02-08 14:00 - 2016-02-08 14:00 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-02-08 14:00 - 2015-10-05 09:50 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-02-08 14:00 - 2015-10-05 09:50 - 00023256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-02-08 12:21 - 2016-02-08 12:36 - 00000000 ____D C:\AdwCleaner
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-02-08 15:02 - 2010-02-08 21:01 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-08 14:58 - 2008-01-19 20:59 - 00052224 _____ C:\Users\ROOSKEY\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-02-08 14:55 - 2012-02-03 09:04 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cce252c9b31c40.job
2016-02-08 14:55 - 2006-11-02 13:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-08 14:55 - 2006-11-02 12:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-08 14:55 - 2006-11-02 12:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-08 14:54 - 2008-01-04 04:32 - 00000012 _____ C:\Windows\bthservsdp.dat
2016-02-08 14:54 - 2006-11-02 13:01 - 00032650 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-02-08 14:00 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\inf
2016-02-08 14:00 - 2006-11-02 10:33 - 00642244 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-08 13:08 - 2010-09-18 17:35 - 00001941 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-02-08 13:08 - 2010-09-18 17:35 - 00001929 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-02-08 12:43 - 2012-01-10 16:19 - 00000000 ____D C:\Users\ROOSKEY\AppData\Roaming\Yahoo!
2016-02-08 12:37 - 2013-04-10 10:55 - 00000000 ____D C:\Users\ROOSKEY\AppData\LocalLow\Yahoo!
2016-02-08 12:27 - 2012-01-10 16:19 - 00000000 ____D C:\Program Files\Yahoo!
2016-02-02 14:54 - 2006-11-02 12:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2016-02-02 14:50 - 2008-01-19 20:48 - 00000000 ____D C:\Users\ROOSKEY\AppData\Local\Google
 
==================== Files in the root of some directories =======
 
2013-03-31 01:10 - 2013-04-03 17:22 - 0000004 _____ () C:\Users\ROOSKEY\AppData\Roaming\AltShell.ini
2008-04-07 13:27 - 2013-04-12 10:18 - 0000588 _____ () C:\Users\ROOSKEY\AppData\Roaming\wklnhst.dat
2008-01-20 11:03 - 2013-05-11 08:55 - 0001356 _____ () C:\Users\ROOSKEY\AppData\Local\d3d9caps.dat
2008-01-19 20:59 - 2016-02-08 14:58 - 0052224 _____ () C:\Users\ROOSKEY\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-10-28 18:38 - 2015-10-28 18:38 - 0000000 _____ () C:\Users\ROOSKEY\AppData\Local\{21CEA263-E2C3-449D-AABF-02498EA05CAF}
2013-08-15 22:10 - 2013-08-15 22:10 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-05-11 08:31 - 2013-10-01 11:58 - 0000000 _____ () C:\ProgramData\as98213.txt
2013-05-11 08:33 - 2013-05-11 08:34 - 95023320 ____T () C:\ProgramData\ej9otj.pad
2013-05-11 08:31 - 2013-05-11 08:31 - 0002633 _____ () C:\ProgramData\jz6dzb.js
2013-05-11 08:29 - 2013-10-01 11:58 - 95023320 ____T () C:\ProgramData\jz6dzb.pad
2013-05-11 08:31 - 2013-05-11 08:32 - 95023320 ____T () C:\ProgramData\lv9e.pad
 
Files to move or delete:
====================
C:\ProgramData\ej9otj.pad
C:\ProgramData\jz6dzb.js
C:\ProgramData\jz6dzb.pad
C:\ProgramData\lv9e.pad
C:\Users\ROOSKEY\AppData\Roaming\AltShell.ini
 
 
Some files in TEMP:
====================
C:\Users\ROOSKEY\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\ROOSKEY\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\ROOSKEY\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\ROOSKEY\AppData\Local\Temp\sqlite3.dll
C:\Users\ROOSKEY\AppData\Local\Temp\{4CC6CD40-8A24-468B-8454-3D1975F78113}-40.0.2214.115_chrome_installer.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-02-08 15:02
 
==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:07-02-2016
Ran by ROOSKEY (2016-02-08 15:06:02)
Running from F:\Anti Virus
Microsoft® Windows Vista™ Home Premium  Service Pack 1 (X86) (2008-01-04 04:18:35)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3052671113-688549900-3555380559-500 - Administrator - Disabled)
Guest (S-1-5-21-3052671113-688549900-3555380559-501 - Limited - Disabled)
ROOSKEY (S-1-5-21-3052671113-688549900-3555380559-1000 - Administrator - Enabled) => C:\Users\ROOSKEY
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
ABBYY FineReader 6.0 Sprint (HKLM\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1784.41616 - ABBYY Software House)
Adobe Flash Player 10 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 10.0.32.18 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.05) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.05 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.1.629 - Adobe Systems, Inc.)
Browser Address Error Redirector (HKLM\...\{62230596-37E5-4618-A329-0D21F529A86F}) (Version: 1.00.0000 - Dell)
BT Desktop Help (HKLM\...\BT Desktop Help) (Version:  - )
BTHomeHub (HKLM\...\BTHomeHub) (Version:  - British Telecommunications Plc.)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant HDA D110 MDC V.92 Modem (HKLM\...\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3) (Version:  - )
Dell AIO 810 (HKLM\...\Dell AIO 810) (Version:  - Dell, Inc.)
Dell Getting Started Guide (HKLM\...\{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}) (Version: 1.00.0000 - Dell Inc.)
Dell PC Fax (HKLM\...\Dell Fax Solutions) (Version:  - )
Dell Support Center (Support Software) (HKLM\...\{E3BFEE55-39E2-4BE0-B966-89FE583822C1}) (Version: 2.2.09085 - Dell)
Dell Wireless WLAN Card (HKLM\...\Broadcom 802.11b Network Adapter) (Version: 4.170.25.12 - Dell Inc.)
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.21 - BVRP Software, Inc)
Google Chrome (HKLM\...\Google Chrome) (Version: 48.0.2564.103 - Google Inc.)
Google Desktop (HKLM\...\Google Desktop) (Version: 5.9.1005.12335 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7210.1528 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.29.5 - Google Inc.) Hidden
GoToAssist Corporate (HKLM\...\GoToAssist) (Version: 9.0.0.570 - Citrix Online, a division of Citrix Systems, Inc.)
GoToAssist Corporate (Version: 9.0.570 - Citrix) Hidden
Highlight Viewer (Windows Live Toolbar) (Version: 03.01.0146 - Microsoft Corporation) Hidden
HP Deskjet 1050 J410 series Basic Device Software (HKLM\...\{C111B73A-93EA-4A12-80E2-0460F11D431F}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Deskjet 1050 J410 series Help (HKLM\...\{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}) (Version: 140.0.66.66 - Hewlett Packard)
HP Deskjet 1050 J410 series Product Improvement Study (HKLM\...\{5E83AB6E-2284-4468-BF97-A451904F186C}) (Version: 28.0.1313.0 - Hewlett-Packard Co.)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Java 7 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217040FF}) (Version: 7.0.600 - Oracle)
Java™ SE Runtime Environment 6 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160000}) (Version: 1.6.0.0 - Sun Microsystems, Inc.)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Map Button (Windows Live Toolbar) (Version: 03.01.0146 - Microsoft Corporation) Hidden
MediaDirect (HKLM\...\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}) (Version: 4.7 - Dell)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Live Add-in 1.4 (HKLM\...\{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}) (Version: 2.0.3008.0 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20125.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation)
Modem Diagnostic Tool (HKLM\...\{F63A3748-B93D-4360-9AD4-B064481A5C7B}) (Version: 1.0.17.8 - Dell)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NetWaiting (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 2.5.41 - BVRP Software, Inc)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
OutlookAddinSetup (HKLM\...\{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}) (Version: 1.0.0 - CyberLink)
QuickSet (HKLM\...\{7F0C4457-8E64-491B-8D7B-991504365D1E}) (Version: 8.0.13 - Dell Inc.)
RealArcade (HKLM\...\RealArcade) (Version:  - )
RealPlayer (HKLM\...\RealPlayer 12.0) (Version:  - RealNetworks)
RealUpgrade 1.0 (Version: 1.0.0 - RealNetworks, Inc.) Hidden
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.3.0 - Roxio)
Roxio Creator BDAV Plugin (HKLM\...\{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}) (Version: 3.3.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.3.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.3.0 - Roxio)
Roxio Creator DE (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.3.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.3.0 - Roxio)
Roxio Express Labeler (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 2.1.0 - Roxio)
Roxio MyDVD DE (HKLM\...\{D639085F-4B6E-4105-9F37-A0DBB023E2FB}) (Version: 9.0.116 - Roxio, Inc.)
Roxio Update Manager (HKLM\...\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}) (Version: 3.0.0 - Roxio)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.5102.0 - SigmaTel)
Smart Menus (Windows Live Toolbar) (Version: 03.01.0146 - Microsoft Corporation) Hidden
Sonic Activation Module (Version: 1.0 - Sonic Solutions) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 9.0.1.3 - Synaptics)
Tiscali Internet (HKLM\...\{58B2B6D3-E5FF-4D16-87AC-52CC5717C7C6}) (Version: 1.0.0.38 - Tiscali)
Uninstall Entriq MediaSphere (HKLM\...\Entriq MediaSphere_is1) (Version: 3.8.2.9 - )
User's Guides (HKLM\...\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}) (Version:  - )
Windows Live Favorites for Windows Live Toolbar (HKLM\...\{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}) (Version: 03.01.0146 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{10A44844-4465-456E-8C97-80BDD4F68845}) (Version: 6.500.3146.0 - Microsoft Corporation)
Windows Live installer (HKLM\...\{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}) (Version: 12.0.1471.1025 - Microsoft Corporation)
Windows Live Toolbar (HKLM\...\Windows Live Toolbar) (Version: 03.01.0146 - Microsoft Corporation)
Windows Mobile Device Center (HKLM\...\{904CCF62-818D-4675-BC76-D37EB399F917}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows Mobile Device Center Driver Update (HKLM\...\{E7044E25-3038-4A76-9064-344AC038043E}) (Version: 6.1.6965.0 - Microsoft Corporation)
Yahoo! Software Update (HKLM\...\Yahoo! Software Update) (Version:  - )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3052671113-688549900-3555380559-1000_Classes\CLSID\{4052D303-74C5-49EA-BC6B-66099C8D4007}\InprocServer32 -> C:\Program Files\Google\Google Desktop Search\GoogleDesktopAPI2.dll (Google)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {335426A1-BAD2-4096-8493-B5F5AC939177} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-3052671113-688549900-3555380559-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2010-06-03] (RealNetworks, Inc.)
Task: {6C4D98EA-0A4C-469F-B469-13BBC07DC3FC} - System32\Tasks\Vista Task Low => c:\Program Files\RealArcade\RealArcade.exe [2009-07-01] ()
Task: {7C6F35DC-E9DE-455C-A1F8-24A412BF134A} - System32\Tasks\Microsoft\Office Genuine Advantage\OGALogon => C:\Windows\system32\OGAExec.exe [2009-08-03] ()
Task: {7F3D4911-7D3A-422A-9910-171C9CF4A508} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-3052671113-688549900-3555380559-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2010-06-03] (RealNetworks, Inc.)
Task: {89E55621-5BA4-4381-AFF6-B6F3940F764D} - System32\Tasks\{C7453963-547B-4601-846B-9115798C9814} => Chrome.exe hxxp://ui.skype.com/ui/0/6.3.73.105.457/en/abandoninstall?page=tsWLM
Task: {A6BFB02F-D8DF-4B35-9871-1B179224501B} - System32\Tasks\HPCustParticipation HP Deskjet 1050 J410 series => C:\Program Files\HP\HP Deskjet 1050 J410 series\Bin\HPCustPartic.exe [2012-10-02] (Hewlett-Packard Co.)
Task: {B4778764-E809-4C10-9DE8-F8D41B982145} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {CD4836EE-B278-4D58-AA99-FA08BD3C0F3A} - System32\Tasks\GoogleUpdateTaskMachineCore1cce252c9b31c40 => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {F0AB83A9-956B-4AAA-85B4-E161C97644D2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job => C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cce252c9b31c40.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3052671113-688549900-3555380559-1000.job => C:\Program Files\Real\RealUpgrade\realupgrade.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\Public\Desktop\BT email & search.LNK -> C:\Program Files\BTHomeHub\Launcher\LaunchHM.exe (British Telecommunications plc) -> hxxp://www.bt.yahoo.com
ShortcutWithArgument: C:\Users\Public\Desktop\My BT.LNK -> C:\Program Files\BTHomeHub\Launcher\LaunchHM.exe (British Telecommunications plc) -> hxxp://www.bt.com/mybt
 
==================== Loaded Modules (Whitelisted) ==============
 
2008-01-20 11:21 - 2006-10-06 12:06 - 00045056 _____ () C:\Windows\System32\DLPRMON.DLL
2008-01-20 11:20 - 2006-10-06 12:24 - 00016384 _____ () C:\Program Files\Dell Fax Solutions\DlCtrStr.dll
2008-01-20 11:20 - 2006-10-06 12:04 - 00032768 _____ () C:\Program Files\Dell Fax Solutions\ipcmt.dll
2008-01-04 12:08 - 2006-12-12 10:04 - 00061440 _____ () C:\Windows\system32\igfxTMM.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Bank:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Downloads:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0007.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0011.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0072.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0091.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Emma Flinthams folder:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\GIRLS PIC.jpg:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Granddad.jpg:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Historic Rainfall:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\My Received Files:Roxio EMC Stream
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
There are 7585 more sites.
 
 
There are 7585 more sites.
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-11-02 10:23 - 2011-10-14 09:29 - 00430993 ___RA C:\Windows\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
There are 14827 more lines.
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\ROOSKEY\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: dlcg_device => 2
MSCONFIG\Services: GoogleDesktopManager-051210-111108 => 3
MSCONFIG\Services: GoToAssist => 3
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: IDriverT => 3
MSCONFIG\Services: KService => 2
MSCONFIG\Services: pcCMService => 2
MSCONFIG\Services: RoxMediaDB9 => 3
MSCONFIG\Services: RoxWatch9 => 2
MSCONFIG\Services: sprtsvc_dellsupportcenter => 2
MSCONFIG\Services: STacSV => 2
MSCONFIG\Services: stllssvr => 3
MSCONFIG\Services: wltrysvc => 2
MSCONFIG\Services: XAudioService => 2
MSCONFIG\Services: YahooAUService => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk => C:\Windows\pss\Digital Line Detect.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk => C:\Windows\pss\QuickSet.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^ROOSKEY^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk => C:\Windows\pss\Monitor Ink Alerts - HP Deskjet 1050 J410 series.lnk.Startup
MSCONFIG\startupfolder: C:^Users^ROOSKEY^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^msconfig.lnk => C:\Windows\pss\msconfig.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeUpdater => C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
MSCONFIG\startupreg: Broadcom Wireless Manager UI => C:\Windows\system32\WLTRAY.exe
MSCONFIG\startupreg: btbb_McciTrayApp => "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
MSCONFIG\startupreg: DellSupportCenter => "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
MSCONFIG\startupreg: DLCGCATS => rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
MSCONFIG\startupreg: dlcgmon.exe => "C:\Program Files\Dell AIO 810\dlcgmon.exe"
MSCONFIG\startupreg: dscactivate => "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
MSCONFIG\startupreg: ECenter => C:\Dell\E-Center\EULALauncher.exe
MSCONFIG\startupreg: FaxCenterServer => "C:\Program Files\Dell Fax Solutions\fm3032.exe" /s
MSCONFIG\startupreg: Google Desktop Search => "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: HP Software Update => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: ISUSScheduler => "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
MSCONFIG\startupreg: MsnMsgr => "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
MSCONFIG\startupreg: PCMService => "C:\Program Files\Dell\MediaDirect\PCMService.exe"
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe
MSCONFIG\startupreg: RoxWatchTray => "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
MSCONFIG\startupreg: SigmatelSysTrayApp => sttray.exe
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: SynTPEnh => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
MSCONFIG\startupreg: TkBellExe => "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
MSCONFIG\startupreg: Windows Mobile Device Center => %windir%\WindowsMobile\wmdc.exe
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [SLSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [SLSVC-In-TCP] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WMPNSS-WMP-Out-TCP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-Out-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-In-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-Out-TCP-NoScope-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-Out-UDP-NoScope-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-In-UDP-NoScope-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-TCP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-In-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
 
==================== Restore Points =========================
 
04-04-2015 10:14:22 Scheduled Checkpoint
08-04-2015 17:49:57 Scheduled Checkpoint
28-06-2015 17:30:45 Scheduled Checkpoint
26-07-2015 19:05:26 Scheduled Checkpoint
28-08-2015 08:41:04 Scheduled Checkpoint
29-10-2015 13:25:56 Scheduled Checkpoint
30-10-2015 16:57:10 Scheduled Checkpoint
16-12-2015 11:05:29 Scheduled Checkpoint
08-02-2016 14:51:19 Malwarebytes Anti-Rootkit Restore Point
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (02/08/2016 03:08:56 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (02/08/2016 03:08:54 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (02/08/2016 02:57:26 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (02/08/2016 02:56:01 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (02/08/2016 02:51:10 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.
 
 
Operation:
   Gathering Writer Data
 
Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {106a41bc-afbd-4d0c-829b-dac23e20b871}
 
Error: (02/08/2016 01:23:01 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (02/08/2016 12:37:27 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (02/08/2016 12:34:25 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program AdwCleaner (1).exe version 5.0.3.3 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 870
Start Time: 01d1626b3c1a04c6
Termination Time: 31
 
Error: (02/08/2016 12:27:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (02/08/2016 12:21:36 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 11) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
 
System errors:
=============
Error: (08/17/2011 05:19:01 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 18:17:23 on 17/08/2011 was unexpected.
 
Error: (08/17/2011 04:57:03 PM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos
 
Error: (08/17/2011 04:56:44 PM) (Source: volsnap) (EventID: 29) (User: )
Description: The shadow copies of volume C: were aborted during detection.
 
Error: (08/17/2011 12:52:55 PM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos
 
Error: (08/17/2011 12:52:52 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 12:56:24 on 17/08/2011 was unexpected.
 
Error: (08/17/2011 11:07:26 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: 30000Netman
 
Error: (08/17/2011 09:44:59 AM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos
 
Error: (08/17/2011 09:44:56 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:43:57 on 17/08/2011 was unexpected.
 
Error: (08/17/2011 09:39:09 AM) (Source: HTTP) (EventID: 15016) (User: )
Description: \Device\Http\ReqQueueKerberos
 
Error: (08/17/2011 09:39:05 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:37:48 on 17/08/2011 was unexpected.
 
 
CodeIntegrity:
===================================
  Date: 2016-02-08 15:05:56.633
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:56.368
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:56.102
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:55.853
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:55.369
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:55.104
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:54.839
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:54.574
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:32.858
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-02-08 15:05:32.593
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Celeron® M CPU 520 @ 1.60GHz
Percentage of memory in use: 69%
Total physical RAM: 1013.71 MB
Available physical RAM: 308.87 MB
Total Virtual: 2293.77 MB
Available Virtual: 1538.88 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:99.7 GB) (Free:46.61 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:5.97 GB) NTFS
Drive f: (My Passport) (Fixed) (Total:232.83 GB) (Free:19.96 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 111.8 GB) (Disk ID: 78000000)
Partition 1: (Not Active) - (Size=94 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=99.7 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=2 GB) - (Type=OF Extended)
 
========================================================
Disk: 1 (Size: 232.9 GB) (Disk ID: 02D23F90)
Partition 1: (Not Active) - (Size=232.9 GB) - (Type=0C)
 
==================== End of Addition.txt ============================

Edited by Queen-Evie, 08 February 2016 - 10:53 AM.
moved from Vista to Malware Removal Logs. FRST logs are allowed only in MRL forum

#2 nasdaq

  • Malware Response Team
  • 40,730 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:21 AM

Posted 09 February 2016 - 09:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
Enable Windows Defender.
http://windows.microsoft.com/en-ca/windows/turn-windows-defender-on-off#turn-windows-defender-on-off=windows-vista

I suggest also that you install a Firewall

Comodo has a free one.
https://personalfirewall.comodo.com/free-download.html
Select the one for your Vista operating system.
Install the application after you have run this suggested fix.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: netsh winsock reset catalog

HKLM\...\Run: [] => [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll <==== ATTENTION
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
URLSearchHook: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=M94oU4l9h1CewCNi6I_kxDAGnbU?q={searchTerms}
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
C:\ProgramData\ej9otj.pad
C:\ProgramData\jz6dzb.js
C:\ProgramData\jz6dzb.pad
C:\ProgramData\lv9e.pad
C:\Users\ROOSKEY\AppData\Roaming\AltShell.ini
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Bank:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Downloads:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0007.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0011.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0072.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0091.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Emma Flinthams folder:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\GIRLS PIC.jpg:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Granddad.jpg:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Historic Rainfall:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\My Received Files:Roxio EMC Stream

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
====

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If present remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 7 Update 60 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217040FF}) (Version: 7.0.600 - Oracle)

Please post the logs and let me know what problem persists.

#3 ndonaldson2912

  • Topic Starter
  • Members
  • 234 posts
  • Gender:Male
  • Local time:12:21 PM

Posted 09 February 2016 - 09:52 AM

Hi,

Thanks for your reply. Will follow your instructions and will post my results...

thanks

ndonaldson2912


#4 ndonaldson2912

  • Topic Starter
  • Members
  • 234 posts
  • Gender:Male
  • Local time:12:21 PM

Posted 09 February 2016 - 11:02 AM

Fix result of Farbar Recovery Scan Tool (x86) Version:07-02-2016
Ran by ROOSKEY (2016-02-09 14:58:24) Run:1
Running from F:\Anti Virus
Loaded Profiles: ROOSKEY (Available Profiles: ROOSKEY)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: netsh winsock reset catalog
 
HKLM\...\Run: [] => [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll <==== ATTENTION
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
URLSearchHook: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
SearchScopes: HKU\S-1-5-21-3052671113-688549900-3555380559-1000 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=M94oU4l9h1CewCNi6I_kxDAGnbU?q={searchTerms}
S3 BCM42RLY; system32\drivers\BCM42RLY.sys [X]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
C:\ProgramData\ej9otj.pad
C:\ProgramData\jz6dzb.js
C:\ProgramData\jz6dzb.pad
C:\ProgramData\lv9e.pad
C:\Users\ROOSKEY\AppData\Roaming\AltShell.ini
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Bank:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Downloads:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0007.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0011.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0072.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\DSC_0091.JPG:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Emma Flinthams folder:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\GIRLS PIC.jpg:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Granddad.jpg:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\Historic Rainfall:Roxio EMC Stream
AlternateDataStreams: C:\Users\ROOSKEY\Documents\My Received Files:Roxio EMC Stream
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
=========  netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => value restored successfully
Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5 000000000005\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
HKU\S-1-5-21-3052671113-688549900-3555380559-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} => value removed successfully.
"HKU\S-1-5-21-3052671113-688549900-3555380559-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}" => key removed successfully.
HKCR\CLSID\{70D46D94-BF1E-45ED-B567-48701376298E} => key not found. 
BCM42RLY => service removed successfully.
blbdrive => service removed successfully.
IpInIp => service removed successfully.
MREMPR5 => service removed successfully.
MRENDIS5 => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
C:\ProgramData\ej9otj.pad => moved successfully
C:\ProgramData\jz6dzb.js => moved successfully
C:\ProgramData\jz6dzb.pad => moved successfully
C:\ProgramData\lv9e.pad => moved successfully
C:\Users\ROOSKEY\AppData\Roaming\AltShell.ini => moved successfully
C:\Users\ROOSKEY\Documents\Bank => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\Downloads => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\DSC_0007.JPG => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\DSC_0011.JPG => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\DSC_0072.JPG => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\DSC_0091.JPG => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\Emma Flinthams folder => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\GIRLS PIC.jpg => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\Granddad.jpg => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\Historic Rainfall => ":Roxio EMC Stream" ADS removed successfully..
C:\Users\ROOSKEY\Documents\My Received Files => ":Roxio EMC Stream" ADS removed successfully..
EmptyTemp: => 9.6 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 15:34:00 ====


#5 nasdaq (Malware Response Team)

Posted 10 February 2016 - 07:36 AM

Any remaining issues?

#6 ndonaldson2912 (Topic Starter)

Posted 10 February 2016 - 07:47 AM

All seems to be resolved. Computer acting and updating normally! Many thanks

#7 nasdaq (Malware Response Team)

Posted 10 February 2016 - 08:21 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#8 nasdaq (Malware Response Team)

Posted 16 February 2016 - 09:30 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
