
Help me with malware remove [Closed]


  • This topic is locked

#46 SomeNewUser (Member, Topic Starter, 30 posts)

Hi, here is my log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-11-2014
Ran by Administrator at 2014-11-06 09:39:59 Run:1
Running from L:\
Loaded Profiles: SomeNewUser & Administrator (Available profiles: SomeNewUser & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
2014-10-22 09:04 - 2014-10-22 09:04 - 00000000 ____D () C:\sh4ldr
2014-10-22 09:04 - 2014-10-22 09:04 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\SpyHunter
2014-10-10 12:54 - 2014-10-10 12:54 - 00000000 ___SH () C:\WINDOWS\PsfjH4KN.txt
2014-10-10 12:54 - 2014-10-10 12:54 - 00000000 ___SH () C:\WINDOWS\F5Ws94kb.txt
S2 BTTUNER; system32\drivers\BTTUNER.SYS [X]
S2 BTXBAR; system32\drivers\BTXBAR.SYS [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 epfwtdir; system32\DRIVERS\epfwtdir.sys [X]
S4 IntelIde; No ImagePath
Reboot:
end
*****************

Processes closed successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
C:\sh4ldr => Moved successfully.
C:\Documents and Settings\SomeNewUser\Start Menu\Programs\SpyHunter => Moved successfully.
C:\WINDOWS\PsfjH4KN.txt => Moved successfully.
C:\WINDOWS\F5Ws94kb.txt => Moved successfully.
BTTUNER => Service deleted successfully.
BTXBAR => Service deleted successfully.
catchme => Service deleted successfully.
epfwtdir => Service deleted successfully.
IntelIde => Service deleted successfully.


The system needed a reboot.

==== End of Fixlog ====


If it is clean now, please suggest the best protection software (antivirus and/or firewall) in your opinion.

 

Thanks again for your time.




#47 Naathim (GeekU Minion, Expert, 4,568 posts)
Hi,

Your logs should be clean, I hope we caught everything. For clarity I'd like you to post me a fresh FRST report.



Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press Scan button and wait.
  • The tool will produce a logfile on your desktop named FRST.txt.
Please include its content in your next reply.


We will talk about protection later.

#48 SomeNewUser (Member, Topic Starter, 30 posts)

Hi, there are a few Attentions:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-11-2014 01
Ran by Administrator (administrator) on PC on 10-11-2014 22:24:04
Running from L:\
Loaded Profiles: SomeNewUser & Administrator (Available profiles: SomeNewUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 6
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lexmark International, Inc.) C:\WINDOWS\system32\LEXBCES.EXE
(Lexmark International, Inc.) C:\WINDOWS\system32\LEXPPS.EXE
(Apache Software Foundation) C:\Program Files\Apache Group\Apache2\bin\Apache.exe
(Apache Software Foundation) C:\Program Files\Apache Group\Apache2\bin\Apache.exe
(CrypKey (Canada) Ltd.) C:\WINDOWS\system32\Crypserv.exe
(NVIDIA) C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(TightVNC Group) C:\Program Files\TightVNC\WinVNC.exe
(WIBU-SYSTEMS AG) C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\tv_w32.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16876032 2008-07-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1634112 2012-05-15] ()
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [Lexmark 1200 Series] => C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe [57344 2006-07-13] (Lexmark International, Inc.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\...\Run: [IDMan] => C:\Program Files\Internet Download Manager\IDMan.exe [3417496 2011-08-01] (Tonec Inc.)
HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\...\Policies\Explorer: [TaskbarNoNotification] 0
ShellIconOverlayIdentifiers: [IDM Shell Extension] -> {CDC95B92-E27C-4745-A8C5-64A52A78855D} => C:\Program Files\Internet Download Manager\IDMShellExt.dll (Tonec Inc.)
BootExecute:

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1957994488-1177238915-1801674531-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> C:\Program Files\Internet Download Manager\IDMIECC.dll (Internet Download Manager, Tonec Inc.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt


FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vuf7q31d.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll No File
FF Plugin: hbgk.net/WebDvrCtrl -> C:\Program Files\WebControl\npWebCtrl.dll (TODO: <公司名>)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np-mswmp.dll (Mozilla Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-07-26]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======
CHR Profile: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx []
CHR StartMenuInternet: Google Chrome - C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apache2; C:\Program Files\Apache Group\Apache2\bin\Apache.exe [20541 2006-04-29] (Apache Software Foundation) [File not signed]
R2 CodeMeter.exe; C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe [2568120 2012-07-19] (WIBU-SYSTEMS AG)
R2 Crypkey License; C:\WINDOWS\system32\crypserv.exe [69632 2006-03-01] (CrypKey (Canada) Ltd.) [File not signed]
R2 LexBceS; C:\WINDOWS\system32\LEXBCES.EXE [311296 2006-04-18] (Lexmark International, Inc.)
R2 nTuneService; C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [192832 2011-09-19] (NVIDIA)
R2 winvnc; C:\Program Files\TightVNC\WinVNC.exe [585728 2009-03-05] (TightVNC Group) [File not signed]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AndNetDiag; C:\WINDOWS\System32\DRIVERS\lgandnetdiag.sys [23168 2013-04-18] (LG Electronics Inc.)
S3 AndNetDiag2; C:\WINDOWS\System32\DRIVERS\lgandnetdiag2.sys [23168 2013-04-18] (LG Electronics Inc.)
S3 ANDNetModem; C:\WINDOWS\System32\DRIVERS\lgandnetmodem.sys [27776 2013-06-28] (LG Electronics Inc.)
S3 andnetndis; C:\WINDOWS\System32\DRIVERS\lgandnetndis.sys [70656 2013-04-23] (LG Electronics Inc.)
R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12400 2007-12-17] ()
R3 axsaki; C:\WINDOWS\System32\DRIVERS\axsaki.sys [102624 2003-03-30] ( ) [File not signed]
R3 axskbus; C:\WINDOWS\System32\DRIVERS\axskbus.sys [8640 2003-03-28] ( ) [File not signed]
S2 BT848; C:\WINDOWS\System32\drivers\BT848.SYS [294380 2002-02-22] (TelSignal Co., Ltd.) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R1 IDMTDI; C:\WINDOWS\System32\DRIVERS\idmtdi.sys [101616 2011-07-06] (Tonec Inc.)
S3 L1e; C:\WINDOWS\System32\DRIVERS\l1e51x86.sys [36864 2008-06-25] (Atheros Communications, Inc.)
R0 Lbd; C:\WINDOWS\System32\DRIVERS\Lbd.sys [64288 2009-12-02] (Lavasoft AB)
R0 mrdd; C:\WINDOWS\System32\DRIVERS\mrdd.sys [18984 2008-11-12] (Marvell Semiconductor, Inc.)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
R0 mv61xx; C:\WINDOWS\System32\DRIVERS\mv61xx.sys [152616 2009-02-09] (Marvell Semiconductor, Inc.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R1 NetworkX; C:\WINDOWS\system32\ckldrv.sys [31846 2006-01-10] () [File not signed]
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-14] (Microsoft Corporation)
R2 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-03-01] (Riverbed Technology, Inc.)
S3 PAC7302; C:\WINDOWS\System32\DRIVERS\PAC7302.SYS [461824 2009-04-28] (PixArt Imaging Inc.) [File not signed]
S3 PortTalk; C:\WINDOWS\System32\Drivers\PortTalk.sys [3567 2002-01-12] (Beyond Logic http://www.beyondlogic.org) [File not signed]
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [46080 2006-05-16] (Sonic Solutions) [File not signed]
S3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R0 snapman; C:\WINDOWS\System32\DRIVERS\snapman.sys [99776 2012-08-14] (Acronis) [File not signed]
S4 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [685816 2013-10-09] (Duplex Secure Ltd.)
U3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [34808 2014-10-10] ()
S3 w810bus; C:\WINDOWS\System32\DRIVERS\w810bus.sys [58288 2006-02-20] (MCCI)
S3 w810mdfl; C:\WINDOWS\System32\DRIVERS\w810mdfl.sys [8336 2006-02-20] (MCCI)
S3 w810mdm; C:\WINDOWS\System32\DRIVERS\w810mdm.sys [94064 2006-02-20] (MCCI)
S3 w810mgmt; C:\WINDOWS\System32\DRIVERS\w810mgmt.sys [85408 2006-02-20] (MCCI)
S3 w810obex; C:\WINDOWS\System32\DRIVERS\w810obex.sys [83344 2006-02-20] (MCCI)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [4096 2006-02-18] () [File not signed]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-10 09:23 - 2014-11-10 09:23 - 00000000 ____H () C:\Documents and Settings\All Users\Application Data\cm-lock
2014-11-07 21:32 - 2014-11-07 21:33 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-11-05 14:12 - 2014-11-05 22:46 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\DMCache
2014-11-05 14:12 - 2014-11-05 22:42 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\IDM
2014-11-05 14:12 - 2014-11-05 14:12 - 00000000 ____D () C:\Program Files\Internet Download Manager
2014-11-05 14:12 - 2014-11-05 14:12 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Start Menu\Programs\Internet Download Manager
2014-11-05 14:12 - 2014-11-05 14:12 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F
2014-11-05 14:12 - 2014-11-05 14:12 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Internet Download Manager
2014-10-24 19:27 - 2014-10-23 18:45 - 00000077 _____ () C:\WINDOWS\system32\Desktop.scf
2014-10-24 11:33 - 2014-10-24 11:33 - 00000994 _____ () C:\Documents and Settings\SomeNewUser\Desktop\BlitzBlankScript.txt
2014-10-24 09:59 - 2014-11-10 22:24 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-10-24 09:59 - 2014-11-10 22:19 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\temp
2014-10-24 09:59 - 2014-10-24 09:59 - 00020748 _____ () C:\ComboFix.txt
2014-10-24 09:59 - 2014-10-24 09:59 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-10-24 09:59 - 2014-10-24 09:59 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-10-24 09:48 - 2014-10-24 09:59 - 00000000 ____D () C:\ComboFix
2014-10-22 12:21 - 2014-10-22 12:21 - 00000073 _____ () C:\WINDOWS\system32\-1
2014-10-22 12:21 - 2014-10-22 12:21 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
2014-10-22 12:20 - 2014-10-26 18:25 - 00002519 _____ () C:\Documents and Settings\All Users\Desktop\TRENDnet Powerline Utility.lnk
2014-10-22 12:20 - 2014-10-22 12:20 - 00000000 ____D () C:\Program Files\TRENDnet
2014-10-22 12:20 - 2014-10-22 12:20 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\TRENDnet Inc
2014-10-19 21:51 - 2014-10-19 21:51 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-10-19 21:50 - 2014-10-19 21:50 - 00146432 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-10-19 21:50 - 2014-10-19 21:50 - 00000000 ____D () C:\Program Files\Java
2014-10-19 21:40 - 2014-10-19 21:40 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Oracle
2014-10-15 09:44 - 2014-10-15 09:45 - 00000160 _____ () C:\Documents and Settings\SomeNewUser\defogger_reenable
2014-10-14 17:57 - 2014-10-14 17:57 - 00021764 _____ () C:\Documents and Settings\Administrator\Desktop\gmer.log
2014-10-14 17:27 - 2014-10-14 17:23 - 00380416 _____ () C:\Documents and Settings\SomeNewUser\Desktop\d3v1cegw.exe
2014-10-12 02:30 - 2014-11-10 22:24 - 00000000 ____D () C:\FRST
2014-10-11 20:59 - 2014-10-11 20:59 - 00001919 _____ () C:\WINDOWS\epplauncher.mif
2014-10-11 20:59 - 2014-10-11 20:59 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2014-10-11 16:54 - 2014-10-11 17:04 - 00000013 _____ () C:\Documents and Settings\Administrator\Desktop\New Text Document.txt
2014-10-11 16:42 - 2014-10-11 16:42 - 00000000 ____D () C:\Program Files\Windows Resource Kits
2014-10-11 16:21 - 2014-10-11 16:21 - 00060408 _____ () C:\Documents and Settings\Administrator\Desktop\regscanner.zip
2014-10-11 15:05 - 2014-10-11 15:05 - 00014215 _____ () C:\WINDOWS\KB942288-v3.log
2014-10-11 15:05 - 2014-10-11 15:05 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB942288-v3$
2014-10-11 15:05 - 2007-11-30 04:39 - 00017272 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsg.dll
2014-10-11 14:57 - 2014-10-11 14:57 - 00011348 _____ () C:\Documents and Settings\Administrator\Desktop\safemsi.zip
2014-10-11 14:57 - 2014-10-11 14:57 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\safemsi
2014-10-11 14:44 - 2014-10-11 14:44 - 00001153 _____ () C:\Documents and Settings\Administrator\Desktop\fix2.zip
2014-10-11 14:44 - 2014-10-11 14:44 - 00000397 _____ () C:\Documents and Settings\Administrator\Desktop\fix1.zip
2014-10-11 01:40 - 2014-10-24 09:54 - 00008192 ____H () C:\WINDOWS\system32\config\SECURITY.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\system.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\software.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\SAM.tmp.LOG
2014-10-11 01:40 - 2014-10-11 01:40 - 00000000 ____H () C:\WINDOWS\system32\config\default.tmp.LOG
2014-10-11 01:31 - 2014-10-11 01:31 - 00000000 _RSHD () C:\cmdcons
2014-10-11 01:31 - 2014-08-26 13:30 - 00000245 _____ () C:\Boot.bak
2014-10-11 01:31 - 2004-08-03 22:00 - 00260272 __RSH () C:\cmldr
2014-10-11 01:29 - 2014-10-24 09:59 - 00000000 ____D () C:\Qoobox
2014-10-11 01:29 - 2014-10-24 09:54 - 00000000 ____D () C:\WINDOWS\erdnt
2014-10-11 01:29 - 2011-06-26 08:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-10-11 01:29 - 2010-11-07 19:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-10-11 01:29 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-10-11 01:29 - 2000-08-31 02:00 - 00068096 _____ () C:\WINDOWS\zip.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-10 22:23 - 2012-07-25 12:07 - 00000600 _____ () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\PUTTY.RND
2014-11-10 22:17 - 2014-03-03 18:17 - 00009382 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Mihail Zadornov.txt
2014-11-10 21:40 - 2012-08-28 16:29 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-10 21:28 - 2012-07-25 16:14 - 00001082 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003UA.job
2014-11-10 21:28 - 2012-07-25 16:14 - 00001030 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1177238915-1801674531-1003Core.job
2014-11-10 20:40 - 2012-08-28 16:29 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-10 13:28 - 2012-07-25 01:07 - 00032560 _____ () C:\WINDOWS\SchedLgU.Txt
2014-11-10 10:43 - 2012-07-25 16:08 - 00000000 ____D () C:\Program Files\The KMPlayer
2014-11-10 09:29 - 2012-07-25 01:03 - 00398354 _____ () C:\WINDOWS\WindowsUpdate.log
2014-11-10 09:25 - 2012-10-28 12:22 - 00901072 _____ () C:\WINDOWS\error.log
2014-11-10 09:25 - 2012-07-25 12:26 - 00002497 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Word 2003.lnk
2014-11-10 09:25 - 2008-04-14 14:00 - 00001068 _____ () C:\WINDOWS\win.ini
2014-11-10 09:23 - 2012-10-28 12:22 - 00017564 _____ () C:\WINDOWS\errord.log
2014-11-10 09:23 - 2012-07-25 03:53 - 00000159 ____C () C:\WINDOWS\wiadebug.log
2014-11-10 09:23 - 2012-07-25 03:53 - 00000053 ____C () C:\WINDOWS\wiaservc.log
2014-11-10 09:23 - 2012-07-25 01:07 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-11-10 09:23 - 2008-04-14 14:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-11-10 02:20 - 2013-12-29 02:20 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\BitTorrent
2014-11-10 02:20 - 2012-07-25 01:07 - 00000278 ___SH () C:\Documents and Settings\SomeNewUser\ntuser.ini
2014-11-09 23:55 - 2012-07-25 23:07 - 00000116 _____ () C:\WINDOWS\NeroDigital.ini
2014-11-09 22:02 - 2014-07-07 20:16 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Desktop\Config files - Routers
2014-11-09 00:05 - 2012-07-26 01:35 - 00070144 _____ () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-11-08 23:24 - 2012-07-25 03:51 - 00219407 _____ () C:\WINDOWS\setupapi.log
2014-11-08 21:10 - 2013-10-05 01:11 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\vlc
2014-11-08 19:38 - 2012-07-27 09:16 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\My Documents\Readon Player
2014-11-08 08:10 - 2012-07-25 11:04 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-07 11:13 - 2012-07-25 17:40 - 00000041 _____ () C:\WINDOWS\crw.ini
2014-11-06 09:40 - 2012-07-26 11:37 - 00000178 __SHC () C:\Documents and Settings\Administrator\ntuser.ini
2014-11-04 01:26 - 2012-07-25 12:26 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\Skype
2014-11-03 14:30 - 2012-07-25 03:43 - 00000000 ____D () C:\WINDOWS\Help
2014-11-02 01:23 - 2012-07-25 17:12 - 00002397 _____ () C:\Documents and Settings\All Users\Desktop\ACDSee 5.0.lnk
2014-10-31 19:00 - 2012-07-25 17:53 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\Adobe
2014-10-31 18:59 - 2012-07-25 12:15 - 00701104 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2014-10-31 18:59 - 2012-07-25 12:15 - 00071344 ____C (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2014-10-31 18:59 - 2012-07-25 01:02 - 00000000 ____D () C:\WINDOWS\system32\Macromed
2014-10-27 14:46 - 2012-07-25 12:25 - 00002495 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Excel 2003.lnk
2014-10-27 10:39 - 2013-03-21 22:24 - 00002375 _____ () C:\Documents and Settings\SomeNewUser\Desktop\Microsoft Office Visio 2003.lnk
2014-10-26 08:09 - 2012-07-25 03:52 - 00588920 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-10-24 09:57 - 2008-04-14 14:00 - 00000435 _____ () C:\WINDOWS\system.ini
2014-10-24 09:55 - 2012-07-25 03:51 - 00053248 _____ () C:\WINDOWS\system32\config\SECURITY.bak
2014-10-24 09:55 - 2012-07-25 03:51 - 00028672 _____ () C:\WINDOWS\system32\config\SAM.bak
2014-10-24 09:55 - 2012-07-25 03:50 - 28135424 _____ () C:\WINDOWS\system32\config\software.bak
2014-10-24 09:55 - 2012-07-25 03:50 - 10485760 _____ () C:\WINDOWS\system32\config\system.bak
2014-10-24 09:55 - 2012-07-25 03:50 - 00315392 _____ () C:\WINDOWS\system32\config\default.bak
2014-10-24 09:13 - 2012-07-25 12:26 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Skype
2014-10-22 12:21 - 2012-11-20 02:23 - 00000000 ____D () C:\Program Files\WinPcap
2014-10-22 08:29 - 2012-07-25 01:07 - 00000000 ____D () C:\Documents and Settings\NetworkService
2014-10-20 02:21 - 2013-09-09 19:58 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Desktop\123
2014-10-19 21:50 - 2014-08-08 07:02 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2014-10-18 20:56 - 2012-10-05 22:41 - 00000000 ____D () C:\Program Files\Cheat Engine
2014-10-18 20:56 - 2012-07-25 16:22 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Local Settings\Application Data\CRE
2014-10-18 18:53 - 2012-08-05 00:20 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\SimpleTV V03
2014-10-17 19:11 - 2013-11-06 08:41 - 00000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\uTorrent
2014-10-15 09:44 - 2012-07-25 01:07 - 00000000 ____D () C:\Documents and Settings\SomeNewUser
2014-10-15 03:11 - 2012-07-26 11:37 - 00000000 ____D () C:\Documents and Settings\Administrator
2014-10-12 15:37 - 2012-07-26 10:39 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-10-12 02:29 - 2012-07-25 01:02 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-10-11 21:48 - 2013-12-29 02:21 - 00000823 _____ () C:\Documents and Settings\SomeNewUser\Desktop\BitTorrent.lnk
2014-10-11 21:41 - 2012-11-14 00:26 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-10-11 21:41 - 2012-07-25 01:04 - 00002577 _____ () C:\WINDOWS\system32\CONFIG.NT
2014-10-11 17:03 - 2012-07-25 03:52 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-10-11 15:05 - 2012-07-25 03:52 - 00068219 ____C () C:\WINDOWS\iis6.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00030088 ____C () C:\WINDOWS\FaxSetup.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00023640 ____C () C:\WINDOWS\ocgen.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00021922 ____C () C:\WINDOWS\comsetup.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00019266 ____C () C:\WINDOWS\tsoc.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00015592 ____C () C:\WINDOWS\msmqinst.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00011613 ____C () C:\WINDOWS\ntdtcsetup.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00006039 ____C () C:\WINDOWS\netfxocm.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00002762 ____C () C:\WINDOWS\MedCtrOC.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00002185 ____C () C:\WINDOWS\tabletoc.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00001911 ____C () C:\WINDOWS\ocmsn.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00001798 ____C () C:\WINDOWS\msgsocm.log
2014-10-11 15:05 - 2012-07-25 03:52 - 00001393 _____ () C:\WINDOWS\imsins.log
2014-10-11 15:05 - 2012-07-25 03:43 - 00000000 ____D () C:\WINDOWS\system32\mui
2014-10-11 14:46 - 2014-01-13 14:53 - 00006238 __RSH () C:\Documents and Settings\All Users\ntuser.pol
2014-10-11 14:21 - 2014-02-25 20:19 - 00000000 __SHD () C:\WINDOWS\CSC
2014-10-11 01:31 - 2012-07-25 03:50 - 00000355 __RSH () C:\boot.ini

Some content of TEMP:
====================
C:\Documents and Settings\SomeNewUser\Local Settings\temp\CloudBackup5902.exe
C:\Documents and Settings\SomeNewUser\Local Settings\temp\rtdrvmon.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


And about the protection?



#49 Naathim (GeekU Minion, Expert, 4,568 posts)
You should be able to run the tools normally from the desktop now. We have removed the policies that were blocking it. I will take care of these ones now.



Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.


Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire content of the codebox below and paste into the Notepad document:
    start
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-1957994488-1177238915-1801674531-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    Folder: C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F
    
    end
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please include it in your reply.


About the protection - there isn't any good protection as you are still running Windows XP. This system is no longer updated and due to this you will be constantly vulnerable.
Your first set of security should be:
- Anti-virus (I recommend Avast free)
- Firewall (I recommend ZoneAlarm)
- Anti-malware (Malwarebytes')
- Anti-exploit (Malwarebytes' or EMET)

However, I think that you should start to consider purchasing Windows 7/8.

#50
Naathim

    GeekU Minion

  • Expert
  • 4,568 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#51
Naathim

    GeekU Minion

  • Expert
  • 4,568 posts
Topic re-opened per OP's request.

#52
SomeNewUser

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts

Hi, sorry for the delay - I had to travel a lot last week. Here is my last log:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-11-2014 03
Ran by SomeNewUser at 2014-11-16 21:27:45 Run:2
Running from L:\
Loaded Profile: SomeNewUser (Available profiles: SomeNewUser & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1957994488-1177238915-1801674531-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Folder: C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F

end
*****************

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1957994488-1177238915-1801674531-500\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.

========================= Folder: C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F ========================

2014-11-05 14:12 - 2014-11-05 14:12 - 0000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F\Internet Download Manager Packages
2014-11-05 14:12 - 2014-04-28 15:53 - 0572739 _____ () C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F\Internet Download Manager Packages\uninstaller.exe

====== End of Folder: ======


==== End of Fixlog ====


It looks OK now, thank you for your time again, and I have a question - did you hear about an exploit that breaks XP users and encrypts their hard drives - is there any protection from it?
Thanks in advance.


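An added example, not part of this thread and not code from FRST or its author: a small Python parser for the result lines of an FRST Fixlog like the one just posted (and like the Fixlog the earlier post asks the user to return). The point it makes for a helper reading such logs is that "Key deleted successfully" and "Key not found" answer different questions: the first confirms a policy restriction really existed in that profile and is gone, the second tells you the fixlist named something that was never there (here, the IE policy key under the -500 Administrator SID). The sample input is copied from the two logs in this thread; the line formats are assumed from those logs, and the status buckets ("done", "not_found", "signed", "review") are this example's own.

```python
import re
from collections import Counter
from typing import Any, Dict, List

# Sample input: lines copied from the two FRST logs posted in this thread
# (registry keys, SIDs and paths are the ones that appear above, not new data).
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-11-2014 03
Ran by SomeNewUser at 2014-11-16 21:27:45 Run:2
Boot Mode: Normal

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1957994488-1177238915-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1957994488-1177238915-1801674531-500\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.

========================= Folder: C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F ========================

2014-11-05 14:12 - 2014-11-05 14:12 - 0000000 ____D () C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F\Internet Download Manager Packages
2014-11-05 14:12 - 2014-04-28 15:53 - 0572739 _____ () C:\Documents and Settings\SomeNewUser\Application Data\0F1L1I1P0H1L1E1E1F\Internet Download Manager Packages\uninstaller.exe

====== End of Folder: ======

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==== End of Fixlog ====
"""

# "Ran by <user> at <timestamp> Run:<n>" header line (format assumed from the logs above).
HEADER_RE = re.compile(
    r"^Ran by (?P<user>\S+) at (?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Run:(?P<run>\d+)"
)
# "<target> => <outcome>" result lines; registry targets are quoted, file targets are not.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s*=>\s*(?P<outcome>.+?)\.?\s*$')
# Folder listing entries: "<modified> - <created> - <size> <attrs> (<signer>) <path>".
ENTRY_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<signer>.*?)\) (?P<path>.+)$"
)


def classify(outcome: str) -> str:
    """Map an FRST outcome phrase to a coarse status (these buckets are the example's own)."""
    o = outcome.lower()
    if "successfully" in o:          # "Key deleted successfully", "moved successfully", ...
        return "done"
    if "not found" in o:             # the fixlist named something that did not exist
        return "not_found"
    if o == "file is digitally signed":
        return "signed"
    return "review"                  # anything unrecognised is left for a human to read


def parse_fixlog(text: str) -> Dict[str, Any]:
    """Walk a Fixlog and collect the header, each action's outcome and any folder listing."""
    report: Dict[str, Any] = {"user": None, "when": None, "run": None,
                              "actions": [], "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            report["user"], report["when"], report["run"] = m["user"], m["when"], int(m["run"])
            continue
        m = ENTRY_RE.match(line)
        if m:
            report["entries"].append({
                "modified": m["modified"], "created": m["created"],
                "size": int(m["size"]), "attrs": m["attrs"],
                "is_dir": "D" in m["attrs"], "path": m["path"],
            })
            continue
        m = RESULT_RE.match(line)
        if m:
            report["actions"].append({"target": m["target"], "outcome": m["outcome"],
                                      "status": classify(m["outcome"])})
    return report


def summarize(report: Dict[str, Any]) -> Dict[str, int]:
    """Count actions per status so a helper sees at a glance what the fix achieved."""
    return dict(Counter(a["status"] for a in report["actions"]))


def needs_review(report: Dict[str, Any]) -> List[str]:
    """Targets whose outcome phrase was not recognised and should be read by hand."""
    return [a["target"] for a in report["actions"] if a["status"] == "review"]


def listed_executables(report: Dict[str, Any]) -> List[str]:
    """Files (not folders) ending in .exe found in any folder listing of the log."""
    return [e["path"] for e in report["entries"]
            if not e["is_dir"] and e["path"].lower().endswith(".exe")]


if __name__ == "__main__":
    rep = parse_fixlog(SAMPLE_FIXLOG)
    print(f"Run {rep['run']} by {rep['user']} at {rep['when']}")
    for a in rep["actions"]:
        print(f"  [{a['status']:>9}] {a['target']}")
    print("Summary:", summarize(rep))
    print("Executables in listed folders:", listed_executables(rep))
```

On the log above this yields two "done" keys, one "not_found" key and two "signed" files, and it surfaces the uninstaller.exe that lived in the random-named Application Data folder before the fix, which is the kind of detail worth keeping for the thread even after the folder itself is gone.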

#53
Naathim

    GeekU Minion

  • Expert
  • 4,568 posts

Hi.

Looks good for me. Are you able to run tools normally from your desktop? Any other issues remaining?

did you hear about an exploit that breaks XP users and crypt their hard drives

I know an infection, but not an exploit tbh. Can you be more specific?

