MBAM found several instances of Backdoor.0Access


  • This topic is locked
3 replies to this topic

#1 rkhyche

rkhyche

  • Members
  • 21 posts

Posted 15 May 2016 - 05:57 PM

I've been working on cleaning up an older Windows XP laptop with the advice in another thread on this site. The machine runs pretty good now after having run Malwarebytes Anti-Malware, Junk Removal Tool, AdwCleaner and tidying some things up with CCleaner. MBAM, JRT and AdwC found hundreds of issues that have now been cleaned. Several needless programs were removed, as well as disabling useless startups and scheduled tasks with CCleaner.

 

I attempted to run an ESET Online Scan, but have been encountering proxy issues with it today, so that has not been done. The MBAM scan log revealed multiple items of "Backdoor.0Access", so I was referred to bring it to this sub-forum.

 

I was advised to create a new topic in this section and I have run FRST. The contents of the log are as follows, with addition.txt attached.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:14-05-2016
Ran by Administrator (administrator) on NEO-LAPTOP001 (15-05-2016 18:10:40)
Running from C:\Documents and Settings\Administrator\Desktop\Tools
Loaded Profiles: Administrator (Available Profiles: Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(Microsoft Corporation) C:\WINDOWS\system32\scardsvr.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
() C:\Program Files\Canon\IJPLM\ijplmsvc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(SigmaTel, Inc.) C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\stacsv.exe
(SigmaTel, Inc.) C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Dell Inc.) C:\WINDOWS\system32\WLTRAY.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SigmatelSysTrayApp] => C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [405504 2007-05-10] (SigmaTel, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [1392640 2007-03-16] (Dell Inc.)
HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe [1368064 2008-08-20] (Intel® Corporation)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1191936 2008-08-20] (Intel® Corporation)
HKU\S-1-5-21-606747145-1935655697-1177238915-500\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [6675672 2016-04-15] (Piriform Ltd)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 01 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\system32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{C4CEA8C2-6A9D-4C99-AA44-0D3EAE346D55}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-606747145-1935655697-1177238915-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-606747145-1935655697-1177238915-500 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\.DEFAULT -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\.DEFAULT -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-19 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-19 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> DefaultScope {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-20 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
SearchScopes: HKU\S-1-5-21-606747145-1935655697-1177238915-500 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL =
SearchScopes: HKU\S-1-5-21-606747145-1935655697-1177238915-500 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default
FF Homepage: hxxp://www.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_197.dll [2016-04-02] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-20] ()
FF Plugin: @canon.com/EPPEX -> C:\Program Files\Canon\My Image Garden\AddOn\CIG\npmigfpi.dll [2011-11-30] (CANON INC.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)
FF Plugin: @java.com/DTPlugin,version=10.5.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-05-04] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2011-04-08] ()
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-15] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-15] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPGTSPlugin.dll [2011-09-11] ( )
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Extension: SearchNewTab - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\8nk@mtyauo.co.uk [2016-05-15] [not signed]
FF Extension: Download keaePer - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\doi@ydebyeuabck.org [2016-05-15] [not signed]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011-04-06] [not signed]
FF Extension: Yahoo! Toolbar - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2015-03-21] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-03-06] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 EvtEng; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [860160 2008-08-20] (Intel® Corporation) [File not signed]
R2 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [140456 2011-09-06] ()
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 RegSrvc; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [466944 2008-08-20] (Intel® Corporation) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [905216 2008-08-20] (Intel® Corporation) [File not signed]
R2 STacSV; C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe [94208 2007-05-10] (SigmaTel, Inc.)
R2 WLANKEEPER; C:\Program Files\Intel\WiFi\bin\WLKeeper.exe [348160 2008-08-20] (Intel® Corporation) [File not signed]
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [1253376 2007-03-16] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 eapihdrv; C:\Documents and Settings\Administrator\Local Settings\Temp\ehdrv.sys [135760 2016-05-15] (ESET)
S3 FlyUsb; C:\WINDOWS\System32\DRIVERS\FlyUsb.sys [18560 2008-02-26] (LeapFrog) [File not signed]
S3 FTDIBUS; C:\WINDOWS\System32\drivers\ftdibus.sys [57800 2009-10-22] (FTDI Ltd.)
R3 guardian2; C:\WINDOWS\System32\Drivers\oz776.sys [68696 2007-12-23] (O2Micro)
R3 HSFHWAZL; C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys [211200 2007-08-02] (Conexant Systems, Inc.)
R3 HSF_DPV; C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys [989952 2007-08-02] (Conexant Systems, Inc.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
R3 NETw5x32; C:\WINDOWS\System32\DRIVERS\NETw5x32.sys [3632384 2008-08-28] (Intel Corporation)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [11904 2008-08-04] (Intel Corporation)
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S3 swmsflt; C:\WINDOWS\System32\drivers\swmsflt.sys [26760 2008-08-22] ()
R3 WinDriver6; C:\WINDOWS\System32\drivers\windrvr6.sys [299464 2005-11-09] (Jungo) [File not signed]
S0 cerc6; no ImagePath
S4 IntelIde; no ImagePath
S3 PCTINDIS5; \??\C:\WINDOWS\system32\PCTINDIS5.SYS [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S2 zumbus; system32\DRIVERS\zumbus.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-15 18:09 - 2016-05-15 18:10 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-05-15 17:36 - 2016-05-15 18:10 - 00000000 ____D C:\FRST
2016-05-15 17:26 - 2016-05-15 17:26 - 00000000 ____D C:\Program Files\Research In Motion
2016-05-15 17:26 - 2016-05-15 17:26 - 00000000 ____D C:\Program Files\Common Files\Research In Motion
2016-05-15 17:26 - 2016-05-15 17:26 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\BlackBerry
2016-05-15 17:26 - 2016-05-15 17:26 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Research In Motion
2016-05-15 14:30 - 2016-05-15 17:38 - 00000000 ____D C:\Documents and Settings\Administrator\Desktop\Tools
2016-05-15 14:19 - 2016-05-15 14:21 - 00000000 ____D C:\AdwCleaner
2016-05-15 13:24 - 2016-05-15 17:17 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-05-15 13:23 - 2016-05-15 13:58 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-05-15 13:23 - 2016-05-15 13:23 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-05-15 13:23 - 2016-05-15 13:23 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-05-15 13:23 - 2016-03-10 14:09 - 00123264 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-05-15 13:23 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-05-15 12:53 - 2016-05-15 12:53 - 00000000 ____D C:\Program Files\ESET
2016-05-15 12:42 - 2016-05-15 15:57 - 00006044 _____ C:\WINDOWS\SchedLgU.Txt
2016-05-15 12:32 - 2012-05-04 19:29 - 00772504 _____ (Oracle Corporation) C:\WINDOWS\system32\npDeployJava1.dll
2016-05-15 12:32 - 2012-05-04 19:29 - 00687504 _____ (Oracle Corporation) C:\WINDOWS\system32\deployJava1.dll
2016-05-15 12:28 - 2016-05-15 12:38 - 00022112 _____ C:\WINDOWS\ntbtlog.txt
2016-05-15 12:21 - 2016-05-15 12:34 - 00000000 ____D C:\Program Files\CCleaner

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-15 18:10 - 2012-10-05 17:05 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-05-15 18:10 - 2009-10-12 10:06 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2016-05-15 17:49 - 2010-10-21 18:15 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-05-15 17:28 - 2010-05-09 13:37 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Adobe
2016-05-15 17:28 - 2010-05-09 13:37 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
2016-05-15 17:28 - 2010-05-09 13:36 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-05-15 17:27 - 2010-03-02 21:53 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-05-15 17:27 - 2010-03-02 21:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Apple
2016-05-15 17:27 - 2009-10-12 04:06 - 00000000 ___HD C:\WINDOWS\inf
2016-05-15 17:22 - 2010-03-02 21:54 - 00000000 ____D C:\Program Files\Apple Software Update
2016-05-15 17:20 - 2013-09-25 19:10 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\InstallMate
2016-05-15 17:20 - 2009-10-12 04:14 - 00000000 ____D C:\Documents and Settings\All Users
2016-05-15 17:16 - 2010-10-21 18:15 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-05-15 17:16 - 2009-10-12 09:39 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-05-15 15:57 - 2009-10-12 10:06 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2016-05-15 14:03 - 2013-07-21 09:52 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-05-15 14:01 - 2009-10-12 10:06 - 00000000 ____D C:\Documents and Settings\Administrator
2016-05-15 13:58 - 2009-10-12 04:06 - 00000000 _SHDC C:\WINDOWS\$NtUninstallKB59735$
2016-05-15 13:16 - 2010-06-02 18:15 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
2016-05-15 12:55 - 2010-05-09 21:57 - 141270216 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-05-15 12:45 - 2013-10-07 19:24 - 00000000 ____D C:\WINDOWS\system32\cache
2016-05-15 12:43 - 2010-04-27 18:30 - 00000260 _____ C:\WINDOWS\Tasks\WGASetup.job
2016-05-15 12:42 - 2014-11-28 12:05 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVG2015
2016-05-15 12:42 - 2014-03-30 14:34 - 00000238 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2016-05-15 12:42 - 2014-03-30 14:34 - 00000232 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2016-05-15 12:42 - 2013-11-04 15:25 - 00000000 ____D C:\Program Files\AVG
2016-05-15 12:42 - 2013-11-04 15:12 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2016-05-15 12:42 - 2013-07-12 12:38 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-05-15 12:39 - 2011-11-08 15:26 - 00000000 ____D C:\WINDOWS\pss
2016-05-15 12:37 - 2010-11-03 20:03 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2016-05-15 12:37 - 2010-04-29 20:53 - 00000000 ____D C:\Program Files\Yahoo!
2016-05-15 12:36 - 2010-04-29 20:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Yahoo!
2016-05-15 12:33 - 2010-12-25 21:43 - 00000000 ____D C:\Program Files\LeapFrog
2016-05-15 12:32 - 2010-05-09 22:00 - 00000000 ____D C:\Program Files\Java
2016-05-15 12:30 - 2014-04-03 20:30 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Philipp Winterberg
2016-05-15 12:30 - 2014-03-02 15:43 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\BitTorrent
2016-05-15 12:28 - 2013-11-04 15:27 - 00000000 ___HD C:\$AVG
2016-05-15 12:24 - 2011-01-17 18:52 - 00000000 ____D C:\WINDOWS\Minidump
2016-05-15 12:24 - 2010-11-03 20:03 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Skype
2016-05-15 12:15 - 2011-02-26 16:35 - 00000000 __SHD C:\WINDOWS\CSC
2016-05-15 12:15 - 2008-04-14 07:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl

==================== Files in the root of some directories =======

2013-11-06 20:20 - 2014-06-13 17:49 - 0003748 _____ () C:\Program Files\Mozilla Firefoxsafeguard-secure-search.xml
2013-09-25 19:22 - 2013-09-25 19:22 - 0000777 _____ () C:\Documents and Settings\Administrator\Application Data\explorer.exe_log.txt
2013-09-25 19:12 - 2013-09-25 19:23 - 0002441 _____ () C:\Documents and Settings\Administrator\Application Data\LiveSupport.exe_log.txt
2013-09-25 19:12 - 2013-09-25 19:23 - 0000084 _____ () C:\Documents and Settings\Administrator\Application Data\regsvr32.exe_log.txt
2011-05-11 08:31 - 2011-05-12 13:49 - 0000077 _____ () C:\Documents and Settings\Administrator\Application Data\Rim.Desktop.Exception.log
2011-05-11 08:02 - 2016-05-15 17:26 - 0001925 _____ () C:\Documents and Settings\Administrator\Application Data\Rim.Desktop.HttpServerSetup.log
2013-10-07 19:38 - 2013-10-07 19:38 - 0000094 _____ () C:\Documents and Settings\Administrator\Application Data\WB.CFG
2013-10-07 19:38 - 2013-10-07 19:38 - 0000006 _____ () C:\Documents and Settings\Administrator\Application Data\WBPU-TTL.DAT
2009-11-25 17:47 - 2015-03-21 22:58 - 0077824 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some files in TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\bpuninstall.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\libeay32.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\msvcr120.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\sqlite3.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\_TinDel.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Edited by rkhyche, 15 May 2016 - 06:11 PM.



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 May 2016 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: netsh winsock reset

Winsock: Catalog5 01 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\system32\mswsock.dll"
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-606747145-1935655697-1177238915-500 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL =
FF Extension: SearchNewTab - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\8nk@mtyauo.co.uk [2016-05-15] [not signed]
FF Extension: Download keaePer - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\doi@ydebyeuabck.org [2016-05-15] [not signed]
S0 cerc6; no ImagePath
S4 IntelIde; no ImagePath
S3 PCTINDIS5; \??\C:\WINDOWS\system32\PCTINDIS5.SYS [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S2 zumbus; system32\DRIVERS\zumbus.sys  [X]
AlternateDataStreams: C:\WINDOWS\$NtUninstallKB59735$:SummaryInformation [0]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:33384BC0 [143]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:F69BB936 
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Is the problem solved?
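As an added illustration (this is not code from the posts above or from the FRST tool), the Python below applies the same selection the helper made by hand to lines in FRST.txt format: Winsock entries whose library is missing, empty or missing DefaultScope values, unsigned Firefox extensions that appeared around the scan date, and services or drivers with no backing file. The sample lines, the scan date and the seven-day recency threshold are constructed assumptions; the last function flags a fixlist entry that has been wrapped onto two lines, which is what produced the "No automatic fix found" error in the Fixlog further down this thread.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) logs.

Added example for this thread, not part of FRST or of the posts above. It
applies the same selection the Malware Response Team member made by hand and
then checks the fixlist for the wrapped-line mistake seen in the Fixlog.
"""
import datetime as dt
import re

# Constructed sample lines in FRST.txt format, modelled on the log posted above
# (profile paths shortened). Assumption: the scan ran on 2016-05-15.
SAMPLE_LOG = r"""
Winsock: Catalog5 01 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-606747145-1935655697-1177238915-500 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL =
SearchScopes: HKU\S-1-5-19 -> {2381E4B7-5C04-459E-9D46-2F9AC1608B66} URL = hxxp://search.yahoo.com/search?p={searchTerms}
FF Extension: SearchNewTab - C:\Profiles\w93gpge7.default\Extensions\8nk@mtyauo.co.uk [2016-05-15] [not signed]
FF Extension: Yahoo! Toolbar - C:\Profiles\w93gpge7.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2015-03-21] [not signed]
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [11904 2008-08-04] (Intel Corporation)
S0 cerc6; no ImagePath
S3 PCTINDIS5; \??\C:\WINDOWS\system32\PCTINDIS5.SYS [X]
"""
SCAN_DATE = dt.date(2016, 5, 15)  # assumed scan date, taken from the log header

# Services/drivers whose binary is gone ("[X]") or was never set ("no ImagePath").
SERVICE_RE = re.compile(r"^[RS]\d \S+; .*(\[X\]|no ImagePath)$")
# Firefox extensions FRST could not verify, with their install date.
EXT_RE = re.compile(r"^FF Extension: .* \[(\d{4}-\d{2}-\d{2})\] \[not signed\]$")


def classify(line, scan_date=SCAN_DATE, recent_days=7):
    """Return why a line is a fix candidate, or None if it looks benign."""
    line = line.rstrip()
    if line.startswith("Winsock:") and "No File" in line:
        return "Winsock LSP entry points at a missing file"
    if line.startswith("SearchScopes:") and (
            line.endswith("DefaultScope value is missing") or line.endswith("URL =")):
        return "default search scope missing or empty"
    m = EXT_RE.match(line)
    if m:
        installed = dt.date.fromisoformat(m.group(1))
        # Only unsigned add-ons that appeared around the scan date are suspect;
        # the older .NET Assistant and Yahoo! Toolbar were left alone.
        if 0 <= (scan_date - installed).days <= recent_days:
            return "unsigned Firefox extension installed recently"
        return None
    if SERVICE_RE.match(line):
        return "service or driver with no backing file"
    return None


def triage(log_text):
    """Return [(line, reason)] for every fix candidate in an FRST.txt."""
    found = []
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            found.append((raw.rstrip(), reason))
    return found


def build_fixlist(candidates):
    """Assemble fixlist.txt in the shape used in this thread."""
    body = ["start", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:"]
    body += [line for line, _ in candidates]
    body.append("End")
    return "\n".join(body) + "\n"


def unbalanced_lines(fixlist_text):
    """Lines whose [ ] do not balance: the symptom of one entry wrapped in two.

    In the Fixlog later in this thread '[not' and 'signed]' landed on separate
    lines and FRST answered 'signed] => Error: No automatic fix found'.
    """
    return [(n, line) for n, line in enumerate(fixlist_text.splitlines(), 1)
            if line.count("[") != line.count("]")]


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for line, reason in hits:
        print(f"{reason:45s} <- {line[:60]}")
    fixlist = build_fixlist(hits)
    print(fixlist)
    print("wrapped entries:", unbalanced_lines(fixlist))
```

Run the validator over the finished fixlist.txt before clicking Fix; any line it reports should be rejoined with the line above it.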

#3 rkhyche

rkhyche
  • Topic Starter

  • Members
  • 21 posts

Posted 16 May 2016 - 06:38 PM

It seems to work fine operationally once it boots up, the only issue I am having is while trying to boot. While booting, it usually throws an error on login, saying "The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case."

 

Once it throws this logon message, I can hit ok and it will load windows and take me to the user selection and run fine. But every now and then, it will not throw the logon message and windows will not load, it just hangs up at the "Windows Loading" screen.

 

It also runs very hot at all times, the fan never turns off nor catches up.

 

Otherwise, it runs fine and was not able to find any backdoor or other malware.

 

Fixlog:

 

Fix result of Farbar Recovery Scan Tool (x86) Version:14-05-2016
Ran by Administrator (2016-05-16 17:48:15) Run:1
Running from C:\Documents and Settings\Administrator\Desktop\Tools
Loaded Profiles: Administrator &  (Available Profiles: Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: netsh winsock reset

Winsock: Catalog5 01 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll No File  ATTENTION: LibraryPath should be "%SystemRoot%\system32\mswsock.dll"
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-606747145-1935655697-1177238915-500 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL =
FF Extension: SearchNewTab - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\8nk@mtyauo.co.uk [2016-05-15] [not signed]
FF Extension: Download keaePer - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\doi@ydebyeuabck.org [2016-05-15] [not
signed]
S0 cerc6; no ImagePath
S4 IntelIde; no ImagePath
S3 PCTINDIS5; \??\C:\WINDOWS\system32\PCTINDIS5.SYS [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S2 zumbus; system32\DRIVERS\zumbus.sys  [X]
AlternateDataStreams: C:\WINDOWS\$NtUninstallKB59735$:SummaryInformation [0]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:33384BC0 [143]
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:F69BB936
End
*****************

Restore point was successfully created.
Processes closed successfully.

=========  netsh winsock reset =========


Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.


========= End of CMD: =========

Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
Winsock: Catalog5 000000000003\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-606747145-1935655697-1177238915-500\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\8nk@mtyauo.co.uk => moved successfully
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w93gpge7.default\Extensions\doi@ydebyeuabck.org => moved successfully
signed] => Error: No automatic fix found for this entry.
cerc6 => service removed successfully.
IntelIde => service removed successfully.
PCTINDIS5 => service removed successfully.
USBAAPL => service removed successfully.
zumbus => service removed successfully.
C:\WINDOWS\$NtUninstallKB59735$ => ":SummaryInformation" ADS removed successfully..
C:\Documents and Settings\All Users\Application Data\TEMP => ":33384BC0" ADS removed successfully..
"C:\Documents and Settings\All Users\Application Data\TEMP" => "AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:F69BB936" ADS not found.
EmptyTemp: => 1 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:50:10 ====



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 May 2016 - 07:55 AM


The best solution I could find on this startup error is this one.

http://www.computing.net/answers/windows-xp/during-windows-xp-start-up-logon-message/196182.html

The suggestion by ursynw

I do not have an XP computer to check this out.

I suggest you start a new topic in the XP forum and an expert may be able to confirm or give you a better solution.

http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/

Hope that helps.



