Department of Justice Virus - Can't boot in safe mode [Solved]



#31
iammykyl

    Tech Staff

  • Technician
  • 7,047 posts

Well done both of you :rockon:


  • 0


#32
Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Certainly do appreciate your help in this iammykyl :thumbsup:


  • 0

#33
Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

What you have posted is the Additions.txt log file. Necessary, but I also need the FRST log file. It will be located in the same place as Additions.txt.

 

BTW, does the machine boot normally now?


  • 0

#34
Warden

    Member

  • Topic Starter
  • Member
  • 162 posts

It does boot normally now. Everything seems to be functioning properly. Here is the FRST log.

 


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-11-2014 (ATTENTION: ====> FRST version is 24 days old and could be outdated)
Ran by Presenter (administrator) on TS8730WIMAGE on 17-12-2014 12:01:24
Running from C:\Documents and Settings\Presenter
Loaded Profile: Presenter (Available profiles: Presenter & Administrator)
Platform: Microsoft Windows XP Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AuthenTec, Inc.) C:\Program Files\Fingerprint Sensor\AtService.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
(Emsisoft GmbH) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
(Agere Systems) C:\WINDOWS\system32\agrsmsvc.exe
(Anvisoft) C:\Program Files\Anvisoft\Cloud System Booster\CSBSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Hewlett-Packard Corporation) C:\WINDOWS\system32\accelerometerST.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
(Old McDonald's Farm) C:\Program Files\Autorun Eater\oldmcdonald.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Microsoft Corporation) C:\Program Files\EMET\EMET_notifier.exe
(Old McDonald's Farm) C:\Program Files\Autorun Eater\billy.exe
(Fitbit, Inc.) C:\Program Files\Fitbit Connect\Fitbit Connect.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(FileHippo.com) C:\Program Files\FileHippo.com\UpdateChecker.exe
(Anvisoft) C:\Program Files\Anvisoft\Cloud System Booster\CloudSystemBooster.exe
() C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
(Microsoft Corporation) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Intel Corporation) C:\Program Files\Intel\AMT\LMS.exe
(Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
(PDF Complete Inc) C:\Program Files\PDF Complete\pdfsvc.exe
(Farbar) C:\Documents and Settings\Presenter\FRST (1).exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1044480 2009-07-02] (Analog Devices, Inc.)
HKLM\...\Run: [AccelerometerSysTrayApplet] => C:\WINDOWS\system32\AccelerometerSt.Exe [82224 2008-10-14] (Hewlett-Packard Corporation)
HKLM\...\Run: [QlbCtrl.exe] => C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [181816 2009-04-15] ( Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [hpWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [IntelZeroConfig] => C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe [1368064 2009-02-27] (Intel® Corporation)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1202448 2009-02-27] (Intel® Corporation)
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [367128 2009-07-02] (Intel Corporation)
HKLM\...\Run: [PDF Complete] => C:\Program Files\PDF Complete\pdfsty.exe [319000 2008-08-08] (PDF Complete Inc)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1791272 2010-06-04] (Synaptics Incorporated)
HKLM\...\Run: [WatchDog] => C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [197904 2008-05-23] (InterVideo Inc.)
HKLM\...\Run: [AppleSyncNotifier] => C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2012-02-23] (Apple Inc.)
HKLM\...\Run: [Autorun Eater] => C:\Program Files\Autorun Eater\oldmcdonald.exe [549400 2009-05-26] (Old McDonald's Farm)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [1753192 2010-11-04] ()
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [EMET Notifier] => C:\Program Files\EMET\EMET_notifier.exe [152152 2012-05-09] (Microsoft Corporation)
HKLM\...\Run: [Fitbit Connect] => C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3093024 2013-02-25] (Fitbit, Inc.)
HKLM\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2014-01-17] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [4873248 2014-10-13] (Emsisoft GmbH)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-14] (Microsoft Corporation)
HKU\S-1-5-19\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-20\...\Run: [Adobe CSx Manager] => C:\Documents and Settings\NetworkService\Application Data\e08c65b2-6be0-44ba-9628-b61063a7657dad\ecbbebabadad.exe [0 2013-05-06] ()
HKU\S-1-5-20\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-21-3866077675-454247996-117300071-1006\...\Run: [FileHippo.com] => C:\Program Files\FileHippo.com\UpdateChecker.exe [307712 2012-11-23] (FileHippo.com)
HKU\S-1-5-21-3866077675-454247996-117300071-1006\...\Run: [Fitbit Connect] => C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3093024 2013-02-25] (Fitbit, Inc.)
HKU\S-1-5-21-3866077675-454247996-117300071-1006\...\Run: [CloudSystemBooster] => C:\Program Files\Anvisoft\Cloud System Booster\CloudSystemBooster.exe [527544 2014-05-29] (Anvisoft)
HKU\S-1-5-21-3866077675-454247996-117300071-1006\...\Run: [Google Update] => C:\Documents and Settings\Presenter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [107912 2014-10-18] (Google Inc.)
HKU\S-1-5-18\...\Policies\Explorer: [NoSetActiveDesktop] 0
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk
ShortcutTarget: Monitor My eRooms (V7).lnk -> C:\Program Files\eRoom 7\ERClient7.exe (Documentum, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
ShortcutTarget: DVD Check.lnk -> C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
Startup: C:\Documents and Settings\Presenter\Start Menu\Programs\Startup\program.lnk
ShortcutTarget: program.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\84F92340.cpp (No File)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Presenter\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Presenter\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Presenter\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Presenter\Application Data\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
AlternateShell: 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...d=ie&ar=msnhome
HKU\S-1-5-21-3866077675-454247996-117300071-1006\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3866077675-454247996-117300071-1006\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing.
SearchScopes: HKLM -> {31090377-0740-419E-BEFC-A56E50500D5B} URL = http://speedial.com/...r=282919698&ir=
SearchScopes: HKU\S-1-5-21-3866077675-454247996-117300071-1006 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3866077675-454247996-117300071-1006 -> {31090377-0740-419E-BEFC-A56E50500D5B} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKU\S-1-5-21-3866077675-454247996-117300071-1006 -> &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-3866077675-454247996-117300071-1006 -> &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.co...sreqlab_nvd.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://bos-link01a....ries/vpnweb.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_14_0_0_179.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1213153.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\Documents and Settings\All Users\Application Data\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll No File
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3866077675-454247996-117300071-1006: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Presenter\Local Settings\Application Data\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-3866077675-454247996-117300071-1006: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Presenter\Local Settings\Application Data\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-07-02]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Documents and Settings\Presenter\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\Presenter\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-24]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Presenter\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-24]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [4816568 2014-10-13] (Emsisoft GmbH)
S4 AffinegyService; C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe [566688 2011-02-24] (Affinegy, Inc.)
R2 AnviCsbSvc; C:\Program Files\Anvisoft\Cloud System Booster\CSBSvc.exe [42680 2014-05-29] (Anvisoft)
R2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1164536 2008-06-12] (AuthenTec, Inc.)
S4 Belkin Local Backup Service; C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [152064 2010-02-17] () [File not signed]
S4 Belkin Network USB Helper; C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [49152 2010-02-09] () [File not signed]
S3 Blackberry Device Manager; C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited) [File not signed]
R2 Fitbit Connect; C:\Program Files\Fitbit Connect\FitbitConnectService.exe [1239584 2013-02-25] (Fitbit, Inc.) [File not signed]
R2 FlipShare Service; C:\Program Files\Flip Video\FlipShare\FlipShareService.exe [460144 2011-05-06] ()
R2 FlipShareServer; C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe [1085440 2011-05-06] () [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-23] (Oracle Corporation)
S3 LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE [2528960 2006-09-02] (Symantec Corporation)
R2 Net Driver HPZ12; C:\WINDOWS\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe [777240 2008-08-08] (PDF Complete Inc)
R2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 S24EventMonitor; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [909312 2009-02-27] (Intel® Corporation) [File not signed]
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2058776 2009-07-02] (Intel Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 a2acc; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys [58200 2014-05-12] (Emsisoft GmbH)
R1 A2DDA; C:\Program Files\Emsisoft Anti-Malware\a2ddax86.sys [22056 2013-03-28] (Emsisoft GmbH)
R1 a2injectiondriver; C:\Program Files\Emsisoft Anti-Malware\a2dix86.sys [38248 2013-09-30] (Emsisoft GmbH)
R1 a2util; C:\Program Files\Emsisoft Anti-Malware\a2util32.sys [18552 2014-05-12] (Emsisoft GmbH)
S3 AFGSp50; C:\WINDOWS\System32\Drivers\AFGSp50.sys [27072 2011-02-15] (Printing Communications Assoc., Inc. (PCAUSA))
S3 btaudio; C:\WINDOWS\System32\drivers\btaudio.sys [539512 2009-07-02] (Broadcom Corporation.)
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [879624 2009-07-02] (Broadcom Corporation.)
S3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [74688 2009-07-02] (Broadcom Corporation.)
R3 cleanhlp; C:\Program Files\Emsisoft Anti-Malware\cleanhlp32.sys [50200 2013-12-04] (Emsisoft GmbH)
R3 e1yexpress; C:\WINDOWS\System32\DRIVERS\e1y5132.sys [239760 2009-03-27] (Intel Corporation)
S3 gfiark; C:\WINDOWS\System32\drivers\gfiark.sys [43368 2013-05-23] (ThreatTrack Security)
S3 gfiutil; C:\WINDOWS\System32\drivers\gfiutil.sys [24040 2013-09-04] (ThreatTrack Security)
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49920 2008-10-28] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2008-10-28] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2008-10-28] (HP)
R3 IFXTPM; C:\WINDOWS\System32\DRIVERS\IFXTPM.SYS [44800 2009-07-02] (Infineon Technologies AG)
R0 MpFilter; C:\WINDOWS\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
R3 NETw5x32; C:\WINDOWS\System32\DRIVERS\NETw5x32.sys [4202496 2009-07-02] (Intel Corporation)
S3 NWUSBCDFIL; C:\WINDOWS\System32\DRIVERS\NwUsbCdFil.sys [20480 2009-12-18] (Novatel Wireless Inc.)
S3 NWUSBPort2; C:\WINDOWS\System32\DRIVERS\nwusbser2.sys [174720 2009-12-18] (Novatel Wireless Inc.)
S3 PCASp50; C:\WINDOWS\System32\Drivers\PCASp50.sys [27072 2009-03-31] (Printing Communications Assoc., Inc. (PCAUSA))
R3 rismc32; C:\WINDOWS\System32\DRIVERS\rismc32.sys [47616 2006-12-20] (RICOH Company, Ltd.)
R2 s24trans; C:\WINDOWS\System32\DRIVERS\s24trans.sys [11904 2008-08-13] (Intel Corporation)
R0 SFAUDIO; C:\WINDOWS\System32\drivers\sfaudio.sys [24064 2009-07-02] (Sonic Focus, Inc)
R3 swmsflt; C:\WINDOWS\System32\drivers\swmsflt.sys [28288 2009-12-02] ()
R2 sxuptp; C:\WINDOWS\System32\DRIVERS\sxuptp.sys [246936 2009-06-22] (silex technology, Inc.)
S3 AFGMp50; System32\Drivers\AFGMp50.sys [X]
U2 CertPropSvc; No ImagePath
S4 IntelIde; No ImagePath
U5 Tcpip6; C:\Windows\System32\Drivers\Tcpip6.sys [226880 2010-02-11] (Microsoft Corporation)
S3 vpnva; system32\DRIVERS\vpnva.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-17 12:01 - 2014-12-17 12:02 - 00021194 _____ () C:\Documents and Settings\Presenter\FRST.txt
2014-12-17 12:00 - 2014-12-17 12:01 - 00000000 ____D () C:\FRST
2014-12-07 20:25 - 2014-11-24 03:13 - 01110016 _____ (Farbar) C:\Documents and Settings\Presenter\FRST (1).exe
2014-11-22 20:48 - 2014-12-17 08:32 - 00005768 _____ () C:\WINDOWS\setupapi.log
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-17 12:02 - 2010-07-12 11:49 - 00000000 ____D () C:\Documents and Settings\Presenter\Local Settings\temp
2014-12-17 12:02 - 2009-07-02 03:18 - 00632450 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-12-17 12:01 - 2009-07-15 10:43 - 00000000 ____D () C:\Documents and Settings\Presenter
2014-12-17 12:01 - 2009-07-02 07:30 - 01238555 _____ () C:\WINDOWS\WindowsUpdate.log
2014-12-17 12:00 - 2014-10-24 17:42 - 00000000 ____D () C:\Program Files\Emsisoft Anti-Malware
2014-12-17 12:00 - 2014-05-24 06:38 - 00000430 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{DC2ABE27-FEA3-4C83-AFF4-55B4F05FBEF4}.job
2014-12-17 12:00 - 2010-08-29 20:51 - 00066713 _____ () C:\WINDOWS\system32\nvModes.001
2014-12-17 12:00 - 2009-07-02 14:36 - 00000281 ___SH () C:\boot.ini
2014-12-17 12:00 - 2009-07-02 03:20 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-12-17 12:00 - 2009-07-02 03:20 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-12-17 12:00 - 2008-04-14 07:00 - 00000673 _____ () C:\WINDOWS\win.ini
2014-12-17 12:00 - 2008-04-14 07:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-12-17 11:59 - 2014-02-06 08:12 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-17 11:59 - 2009-07-02 07:36 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-12-17 11:59 - 2008-04-14 07:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-12-17 11:56 - 2009-07-02 07:36 - 00032462 _____ () C:\WINDOWS\SchedLgU.Txt
2014-12-17 11:51 - 2014-02-06 08:12 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-17 11:43 - 2014-10-24 21:07 - 00002354 _____ () C:\Documents and Settings\Presenter\Desktop\Google Chrome Canary.lnk
2014-12-17 08:32 - 2013-01-18 09:29 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\HitmanPro
2014-12-16 11:22 - 2009-07-15 10:43 - 00000178 ___SH () C:\Documents and Settings\Presenter\ntuser.ini
2014-11-23 20:56 - 2010-03-22 20:08 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-11-23 20:18 - 2013-05-07 06:42 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-11-23 20:16 - 2014-10-24 21:04 - 00000994 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3866077675-454247996-117300071-1006UA.job
2014-11-21 22:23 - 2013-03-29 20:07 - 00000000 ____D () C:\Documents and Settings\Presenter\Application Data\uTorrent
2014-11-21 11:15 - 2014-10-24 21:04 - 00000942 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3866077675-454247996-117300071-1006Core.job
2014-11-21 10:53 - 2014-10-24 20:47 - 00001813 _____ () C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2014-11-21 01:47 - 2014-03-25 20:26 - 00000384 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
 
Files to move or delete:
====================
C:\Documents and Settings\Presenter\FRST (1).exe
 
 
Some content of TEMP:
====================
C:\Documents and Settings\Presenter\Local Settings\temp\stuprt.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End Of Log ============================

  • 0
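As an added example (not from this thread and not part of FRST), the Python script below applies the checks a helper makes by eye on an FRST log like the one above to a few constructed lines that mirror its entries: FRST's own ATTENTION markers, Run entries that are zero-byte, carry no publisher, or start from a user profile or GUID-named folder, startup shortcuts whose target is missing or not an executable, unsigned service binaries, and executables left in TEMP. The rules and severity levels are this example's review heuristics for prioritising what to look at, not FRST's logic and not verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines mirroring the shape of entries in an FRST log (not the
# full log). Lines of shapes that no rule below understands are simply skipped.
SAMPLE_LOG = r"""
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1044480 2009-07-02] (Analog Devices, Inc.)
HKU\S-1-5-20\...\Run: [Adobe CSx Manager] => C:\Documents and Settings\NetworkService\Application Data\e08c65b2-6be0-44ba-9628-b61063a7657dad\ecbbebabadad.exe [0 2013-05-06] ()
ShortcutTarget: program.lnk -> C:\DOCUME~1\ALLUSE~1\APPLIC~1\84F92340.cpp (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {31090377-0740-419E-BEFC-A56E50500D5B} URL = http://speedial.com/...r=282919698&ir=
R2 FlipShareServer; C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe [1085440 2011-05-06] () [File not signed]
C:\Documents and Settings\Presenter\Local Settings\temp\stuprt.exe
"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
# Matches "HKLM\...\Run: [name] => path [size date] (vendor)" and the HKU\<SID>\... variant.
RUN_RE = re.compile(r"^HK\w+(?:\\S-[\d-]+)?\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
                    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<vendor>[^)]*)\)$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>.+?) -> (?P<target>.+?) \((?P<info>[^)]*)\)$")
SEARCHSCOPE_RE = re.compile(r"^SearchScopes: .*URL = (?P<url>\S+)$")
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
STARTUP_EXTS = (".exe", ".lnk", ".bat", ".cmd", ".com", ".scr")


@dataclass
class Finding:
    line_no: int
    severity: str            # highest severity among the reasons
    reasons: list = field(default_factory=list)
    text: str = ""


def check_line(text):
    """Apply every rule to one log line; returns (top severity, reasons) or (None, [])."""
    hits = []
    if "<======= ATTENTION" in text:
        hits.append(("high", "flagged by FRST (ATTENTION marker)"))
    if "[File not signed]" in text:
        hits.append(("low", "unsigned service or driver binary"))

    m = RUN_RE.match(text)
    if m:
        path, size, vendor = m["path"], int(m["size"]), m["vendor"].strip()
        if size == 0:
            hits.append(("high", "zero-byte executable"))
        if not vendor:
            hits.append(("medium", "no publisher in version info"))
        if any(d in path.lower() for d in PROFILE_DIRS):
            hits.append(("medium", "autorun from a user profile directory"))
        if re.search(r"\\[0-9a-f-]{32,}\\", path, re.I):
            hits.append(("medium", "GUID-like folder name in path"))

    m = SHORTCUT_RE.match(text)
    if m:
        if m["info"] == "No File":
            hits.append(("medium", "startup shortcut target is missing"))
        if not m["target"].lower().endswith(STARTUP_EXTS):
            hits.append(("high", "startup shortcut points at a non-executable extension"))

    m = SEARCHSCOPE_RE.match(text)
    if m:
        hits.append(("info", "custom search scope URL: " + m["url"]))

    # Bare path lines come from the "Some content of TEMP" section of the log.
    if re.match(r"^[A-Z]:\\", text) and "\\temp\\" in text.lower() and text.lower().endswith(".exe"):
        hits.append(("medium", "executable left in a TEMP directory"))

    if not hits:
        return None, []
    top = max(hits, key=lambda h: SEVERITY_RANK[h[0]])[0]
    return top, [why for _, why in hits]


def triage(log_text):
    """Return one Finding per line that trips at least one rule, in log order."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), start=1):
        text = raw.strip()
        if text:
            severity, reasons = check_line(text)
            if reasons:
                findings.append(Finding(no, severity, reasons, text))
    return findings


def summarize(findings):
    """Count findings per severity; levels with no findings are omitted."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] line {f.line_no}: {'; '.join(f.reasons)}")
```

Legitimate per-user software (a Google Update entry under Local Settings, for instance) trips the profile-directory rule as well, so the output is a review queue ordered by severity, not a clean-or-infected verdict.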

#35
Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts

Next steps :)

 

Scan with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Follow the prompts and click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R*].txt) will open.

Please include the contents of that file in your reply.

Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the JRT icon and select Run as Administrator to start the tool.
  • Follow the prompts and let this process run uninterrupted.
  • This scan can take a while, depending on your System specs.
  • Upon completion, a log (JRT.txt) will open on your desktop.

Please include the contents of that file in your reply.

Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

  • Right-click on the Security Check icon and select Run as Administrator to start the tool.
  • Follow onscreen instructions inside the black box. This scan won't take long.
  • Soon a notepad document called checkup.txt will open automatically.

Please include the content of that document.

     


  • 0

#36
Warden

    Member

  • Topic Starter
  • Member
  • 162 posts

Adw:
     

# AdwCleaner v4.105 - Report created 19/12/2014 at 14:46:20
# Updated 08/12/2014 by Xplode
# Database : 2014-12-16.1 [Live]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Presenter - TS8730WIMAGE
# Running from : C:\Documents and Settings\Presenter\My Documents\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\bakijjialdiiboeaknfpmflphhmljfkd
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bakijjialdiiboeaknfpmflphhmljfkd
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cflheckfmhopnialghigdlggahiomebp
Key Deleted : HKLM\SOFTWARE\Classes\AppID\SelectionLinks.DLL

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Google Chrome v38.0.2125.104


*************************

AdwCleaner[R0].txt - [1102 octets] - [19/12/2014 14:39:50]
AdwCleaner[R1].txt - [1163 octets] - [19/12/2014 14:44:35]
AdwCleaner[S0].txt - [1092 octets] - [19/12/2014 14:46:20]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1152 octets] ##########

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Microsoft Windows XP x86
Ran by Presenter on Fri 12/19/2014 at 14:53:29.39
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services


~~~ Registry Values


~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{31090377-0740-419E-BEFC-A56E50500D5B}


~~~ Files


~~~ Folders


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/19/2014 at 14:58:20.00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checkup.txt

 Results of screen317's Security Check version 0.99.93
 Windows XP Service Pack 3 x86
 Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
Microsoft Security Essentials
avast! Antivirus
Emsisoft Anti-Malware
 Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0
 Auslogics Registry Cleaner
 Java 7 Update 71
  Adobe Flash Player 14.0.0.179 Flash Player out of Date!
 Adobe Reader XI
 Google Chrome 38.0.2125.111 Google Chrome out of date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````
     

  • 0

#37
Biscuithd

    Trusted Helper

  • Malware Removal
  • 2,573 posts
Ok, there's a couple of things to do here.

Your Adobe Flash Player is out of date. Update Flash from Here; un-check any optional offers like McAfee security scan.

Your anti-virus is out of date. Please update it or alternatively (if it is a paid-for version and your subscription has run out) look at installing one of the options below:

Here are three good antivirus programs, free for personal use:

Note: Do not use more than one anti-virus or firewall. Running two or more real-time anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

Last, Chrome needs to be updated. Please allow Chrome to update or manually update it.

When you have each of those complete, run Security Check again to assure that the updates worked and are current.

Let me know when you have that complete. Also, let me know how the computer is working. :thumbsup:


    • 0
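The checks applied to the Security Check output above (out-of-date software, a stale antivirus with on-access scanning off, more than one antivirus product registered, and processes objlist.exe could not identify), scripted as an added example. This is not code from the thread or from Security Check itself; the sample input is the second log posted in this thread, reproduced as a constructed string, and the section-header and status-line formats are inferred from the logs on this page rather than from any Security Check specification.

```python
"""Parse a screen317 Security Check log (checkup.txt) and flag what a helper
looks for: out-of-date software, a stale or disabled antivirus, more than one
antivirus product registered, and processes the tool could not identify.
Added example; not part of the thread or of Security Check itself."""
import re


def hdr(name):
    """Security Check frames section names in runs of backticks."""
    return "`" * 14 + name + "`" * 14


# Constructed sample: the second log posted in this thread, line for line.
SAMPLE_LOG = "\n".join([
    " Results of screen317's Security Check version 0.99.93",
    " Windows XP Service Pack 3 x86",
    " Internet Explorer 8",
    hdr("Antivirus/Firewall Check:"),
    " Windows Firewall Enabled!",
    "Microsoft Security Essentials",
    "avast! Antivirus",
    "Emsisoft Anti-Malware",
    " Antivirus out of date! (On Access scanning disabled!)",
    hdr("Anti-malware/Other Utilities Check:"),
    " Auslogics Registry Cleaner",
    " Java 7 Update 71",
    "  Adobe Flash Player 14.0.0.179 Flash Player out of Date!",
    " Adobe Reader XI",
    " Google Chrome (39.0.2171.95)",
    hdr("Process Check: objlist.exe by Laurent"),
    " system32 AvastSvc.exe -?-",
    " system32 AvastUI.exe -?-",
    hdr("System Health check"),
    " Total Fragmentation on Drive C::",
    hdr("End of Log"),
])

# Section headers are framed in backticks; the trailing colon is optional.
SECTION_RE = re.compile(r"^`+(.+?):?`+$")
# Status lines Security Check prints next to a product or category.
STATUS_RE = re.compile(r"(enabled|disabled|up to date|out of date)!", re.I)
# "Name version [Name] out of date!" -> group(1) is the product with its
# version; the optional group swallows the repeated short name the tool appends.
OUT_OF_DATE_RE = re.compile(r"^(.*?)(?:\s+[\w ]+?)?\s*out of date!", re.I)


def parse_sections(text):
    """Group the log's non-empty lines under their section header."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def analyze(text):
    """Return the findings a helper would act on, as a dict."""
    sections = parse_sections(text)
    av_section = sections.get("Antivirus/Firewall Check", [])
    # Product names are the lines without a status marker; firewall entries
    # are not antivirus engines and do not count towards a conflict.
    products = [line for line in av_section
                if not STATUS_RE.search(line) and "firewall" not in line.lower()]
    findings = {
        "antivirus_products": products,
        "multiple_antivirus": len(products) > 1,
        "on_access_disabled": any("on access scanning disabled" in line.lower()
                                  for line in av_section),
        "out_of_date": [],
        "unknown_processes": [],
    }
    for name, lines in sections.items():
        for line in lines:
            m = OUT_OF_DATE_RE.match(line)
            if m:
                findings["out_of_date"].append(m.group(1))
            # objlist.exe marks processes it has no entry for with "-?-".
            if name.startswith("Process Check") and line.endswith("-?-"):
                findings["unknown_processes"].append(line[:-3].strip())
    return findings


def report(findings):
    """Render the findings as the advice a helper would post back."""
    advice = []
    if findings["multiple_antivirus"]:
        advice.append("More than one antivirus registered (%s): keep one, "
                      "remove or disable the rest."
                      % ", ".join(findings["antivirus_products"]))
    if findings["on_access_disabled"]:
        advice.append("Real-time (on-access) scanning is disabled: "
                      "the machine is unprotected.")
    advice.extend("Out of date: %s" % p for p in findings["out_of_date"])
    advice.extend("Process not in objlist.exe's list, identify it: %s" % p
                  for p in findings["unknown_processes"])
    return advice


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against the log above it reports three registered antivirus products, on-access scanning disabled, the antivirus and Flash as out of date, and the two Avast processes objlist.exe had no entry for. Run against the later log in this thread (one antivirus, up to date) it reports nothing, which is the state to aim for before the topic is closed.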

    #38
    Warden

    Warden

      Member

    • Topic Starter
    • Member
    • PipPipPip
    • 162 posts

I tried to update Google but keep getting error code 3.  Some quick research into fixes suggested opening the registry and going to software policies then google.  However, there is no google under policies. I have included a screenshot of the error.  I also updated Adobe using the link but it still looks like I have the latest version.  Screenshot attached as well. I did install avast as well.  Here is the log file from the latest scan.  Computer seems to be running fine.  Haven't really been using it too much though.

     

     Results of screen317's Security Check version 0.99.93  
     Windows XP Service Pack 3 x86   
     Internet Explorer 8  
    ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!  
    Microsoft Security Essentials   
    avast! Antivirus                
    Emsisoft Anti-Malware           
     Antivirus out of date! (On Access scanning disabled!) 
    `````````Anti-malware/Other Utilities Check:`````````
     Auslogics Registry Cleaner   
     Java 7 Update 71  
      Adobe Flash Player 14.0.0.179 Flash Player out of Date!
     Adobe Reader XI  
     Google Chrome (39.0.2171.95) 
    ````````Process Check: objlist.exe by Laurent````````
     system32 AvastSvc.exe -?-   
     system32 AvastUI.exe -?-   
    `````````````````System Health check`````````````````
     Total Fragmentation on Drive C::  
    ````````````````````End of Log``````````````````````
     

    Attached Thumbnails

    • ADOBE.JPG
    • Chrome error.JPG

    • 0

    #39
    Biscuithd

    Biscuithd

      Trusted Helper

    • Malware Removal
    • 2,573 posts

I tried to update Google but keep getting error code 3.  Some quick research into fixes suggested opening the registry and going to software policies then google. 

     

If you're not using Chrome, then it's not an issue. However, if you do start to use it, you do need to update it, as there are significant vulnerabilities. I'd completely uninstall Chrome and then re-install, and then you'll get the newest version.

     

     

    However, there is no google under policies. I have included a screenshot of the error.

     

The internet has a lot of good information and ideas; however, that...is not one of them. The average home user should not perform "surgery" on the registry without some help. By way of example, if I were coaching you through a Registry fix, we'd back up the Registry first. Then, we'd use scripts and not "type" directly into the Registry.

     

     

    I also updated adobe using the link but it still looks like I have the latest version.  Screenshot attached as well.

     

    Same as above, uninstall all versions of Flash and then re-install.

     

    There are a handful of significant items you absolutely need to keep updated. Adobe Reader, Java, Flash, Windows Operating System and A/V. Feel free to run System Check periodically and make sure things are up to date.

     

     

    I did install avast as well.

     

    Excellent! I'm a big fan of Avast.

     

     

    Computer seems to be running fine.

     

    That's good to hear! Let me know if you are going to work through the above issues. If so, I'll keep the topic open until all is well. If not, I'll help you remove all the tools that we used.

     

    My suggestion is that we work through all the issues before closing the topic, but I'll let it be your choice :)


    • 0

    #40
    Warden

    Warden

      Member

    • Topic Starter
    • Member
    • PipPipPip
    • 162 posts

    untitled.JPG

     

Ok, so I did as instructed and uninstalled Chrome and Adobe and here is the latest log file. I did just find out that I can't run the defragmenter. When I go to Start, All Programs, Accessories, System Utilities, Disk Defragmenter, the window opens but it won't analyze or defragment. No error messages or anything. Not sure if this is related to the malware but thought I should mention it just in case.

     

Also, it appears as though Chrome is updated, but when I check the About Chrome information I still get an error 3 message.  I have been doing some reading, but have not taken any action.

     

     Results of screen317's Security Check version 0.99.93  
     Windows XP Service Pack 3 x86   
     Internet Explorer 8  
    ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!  
    Microsoft Security Essentials   
    avast! Antivirus                
     Antivirus up to date!  
    `````````Anti-malware/Other Utilities Check:`````````
     Java 7 Update 71  
     Adobe Reader XI  
     Google Chrome (41.0.2251.0) 
    ````````Process Check: objlist.exe by Laurent````````
     system32 AvastSvc.exe -?-   
     system32 avastui.exe -?-   
    `````````````````System Health check`````````````````
     Total Fragmentation on Drive C::  
    ````````````````````End of Log``````````````````````

    Edited by Warden, 23 December 2014 - 12:08 PM.

    • 0



    #41
    Biscuithd

    Biscuithd

      Trusted Helper

    • Malware Removal
    • 2,573 posts
Try running chkdsk /r. If that runs, then try the Defrag.
    • 0

    #42
    Warden

    Warden

      Member

    • Topic Starter
    • Member
    • PipPipPip
    • 162 posts

Ran chkdsk /r and then tried to run Defrag with no luck.  No issue for me unless you think it is symptomatic of lingering malware.


    • 0

    #43
    iammykyl

    iammykyl

      Tech Staff

    • Technician
    • 7,047 posts

    Observation only.

    You do need to be able to defrag a drive, otherwise performance will get slower and slower. 

    You appear to be running 2 AVs

    Info, > http://windows.micro...ntials-download.


    • 0

    #44
    Biscuithd

    Biscuithd

      Trusted Helper

    • Malware Removal
    • 2,573 posts
Yes, defragging would be a good thing. However, you're dealing with a very old OS and there are a myriad of reasons why it might not defrag. I doubt that malware is one of them.

How is the machine running otherwise? And yes, only use one A/V. Since you have Avast installed and running, just "disable" MSE (Microsoft Security Essentials).

Disable Microsoft Security Essentials

1. Click "Start," type "msconfig" into the search field and press "Enter." The System Configuration window opens.

2. Click the "Startup" tab.

3. Uncheck the box next to "Microsoft Antimalware Service," click "Apply" and "OK." Microsoft Security Essentials is now disabled.
    • 0

    #45
    Warden

    Warden

      Member

    • Topic Starter
    • Member
    • PipPipPip
    • 162 posts

So it is not in the Add/Remove Programs or sys config files.  It shows when I go to Start, All Programs. When I do try to start it I get Microsoft Security Client error code 0x80070002.  I did some reading and tried the Microsoft Fixit 50535 with no success either.  There are some other methods which suggest manually editing the registry but I have not tried those yet.  I think we have it to the best point possible now and I appreciate all of your efforts in assisting me with these issues.  It may be time to suck it up and upgrade or buy a new machine, unless you have any further suggestions.


    • 0
