MALWARE help needed - procedure entry point RegDeleteKeyExW couldnt b


  • This topic is locked

#1 silver3 (Member, 11 posts)

Hi,
I got an email from my ISP saying that they have detected malware on my PC and recommending that I download the internet security software recommended by them. However, when I tried to open the download link for the above software I got the error 'DNS lookup failed'. I then tried to download the McAfee antivirus 30-day trial version, and again the webpage didn't open on my infected PC. I used another laptop to download the installer, copied it across to the infected PC via USB stick, and when I try to run the McAfee master installer on the infected PC I get an error saying 'the procedure entry point RegDeleteKeyExW could not be located in the dynamic link library ADVAPI32.dll'. I looked this up on your website and came across topic '321807 - roguekillerexe-entry-point-not-found'. The solution to that topic advised downloading OTL and aswMBR, which I have now done. Please see attached.
 
I also followed your guide to clearing malware and have the Addition and FRST details for you below:
 
Addition.txt:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-06-2015
Ran by Dharmesh at 2015-06-19 15:49:08
Running from C:\Documents and Settings\Dharmesh\My Documents\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1202660629-413027322-682003330-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Dharmesh (S-1-5-21-1202660629-413027322-682003330-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Dharmesh
Guest (S-1-5-21-1202660629-413027322-682003330-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1202660629-413027322-682003330-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1202660629-413027322-682003330-1002 - Limited - Disabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Reader 9.5.0 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.0 - Adobe Systems Incorporated)
EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version:  - )
Express Zip (HKLM\...\ExpressZip) (Version: 2.28 - NCH Software)
Google Chrome (HKLM\...\Google Chrome) (Version: 43.0.2357.124 - Google Inc.)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
High Definition Audio Driver Package - KB888111 (HKLM\...\KB888111WXPSP2) (Version: 20040219.000000 - Microsoft Corporation)
Marvell Miniport Driver (HKLM\...\{C950420B-4182-49EA-850A-A6A2ABF06C6B}) (Version: 9.14.5.3 - Marvell)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft WinUsb 2.0 (HKLM\...\winusb0200) (Version:  - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version:  - Realtek Semiconductor Corp.)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-1202660629-413027322-682003330-1003_Classes\CLSID\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\InprocServer32 -> C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Update\1.2.131.11\goopdate (the data entry has 12 more characters).
 
==================== Restore Points =========================
 
01-07-2014 15:42:19 System Checkpoint
04-07-2014 16:13:04 System Checkpoint
01-01-2006 00:10:01 Removed TomTom HOME.
01-01-2006 00:10:20 Removed TomTom HOME Visual Studio Merge Modules
04-09-2014 12:43:33 System Checkpoint
06-09-2014 19:12:27 System Checkpoint
10-09-2014 12:55:03 System Checkpoint
11-09-2014 16:40:50 System Checkpoint
12-09-2014 16:03:47 Sony PC Companion
15-09-2014 10:00:50 System Checkpoint
19-09-2014 11:27:47 System Checkpoint
24-09-2014 13:28:00 System Checkpoint
27-09-2014 20:20:29 System Checkpoint
01-01-2006 01:48:07 System Checkpoint
12-06-2015 14:11:35 System Checkpoint
19-06-2015 15:38:24 OTL Restore Point - 6/19/2015 3:38:22 PM
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2001-08-23 13:00 - 2001-08-23 13:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\ExpressZipSevenDays.job => C:\Program Files\NCH Software\ExpressZip\expresszip.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2014-06-15 21:40 - 2014-06-15 21:40 - 00083456 _____ () C:\Program Files\NCH Software\ExpressZip\ezcm.dll
2006-07-12 13:19 - 2006-07-12 13:19 - 00466944 _____ () C:\WINDOWS\system32\nvshell.dll
2004-08-03 17:56 - 2004-08-03 17:56 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2004-08-03 17:56 - 2004-08-03 17:56 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\google.co.uk -> hxxps://www.google.co.uk
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1202660629-413027322-682003330-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 8.8.8.8 - 8.8.4.4
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE] => Enabled:Microsoft Office Outlook
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\GROOVE.EXE] => Enabled:Microsoft Office Groove
StandardProfile\AuthorizedApplications: [C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE] => Enabled:Microsoft Office OneNote
StandardProfile\AuthorizedApplications: [C:\Program Files\Internet Explorer\IEXPLORE.EXE] => Enabled:Internet Explorer
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/19/2015 03:44:25 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt>with error: This network connection does not exist.
 
Error: (06/19/2015 03:44:25 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (06/19/2015 03:44:25 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt>with error: This network connection does not exist.
 
Error: (06/19/2015 03:44:25 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (06/19/2015 03:44:25 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt>with error: The server name or address could not be resolved
 
Error: (06/19/2015 03:44:20 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (06/19/2015 03:44:20 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (06/19/2015 03:20:10 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt>with error: This network connection does not exist.
 
Error: (06/19/2015 03:20:10 PM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
 
Error: (06/19/2015 03:20:10 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt>with error: This network connection does not exist.
 
 
System errors:
=============
Error: (06/19/2015 03:15:22 PM) (Source: DCOM) (EventID: 10005) (User: DHARMESH-1665FE)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:12:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:12:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:12:26 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:12:26 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:12:20 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:12:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:08:35 PM) (Source: DCOM) (EventID: 10005) (User: DHARMESH-1665FE)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 03:08:35 PM) (Source: DCOM) (EventID: 10005) (User: DHARMESH-1665FE)
Description: DCOM got error "%%1058" attempting to start the service BITS with arguments ""
in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (06/19/2015 02:58:28 PM) (Source: WPDMTPDriver) (EventID: 15300) (User: )
Description: MTP WPD Driver has failed to start. Error 0x8007048f.
 
 
Microsoft Office:
=========================
 
==================== Memory info =========================== 
 
Processor: AMD Athlon™ 64 X2 Dual Core Processor 3800+
Percentage of memory in use: 66%
Total physical RAM: 767.48 MB
Available physical RAM: 257.29 MB
Total Pagefile: 1875.35 MB
Available Pagefile: 1355.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 1953.88 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:73.24 GB) (Free:65.29 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:74.28 GB) (Free:70.08 GB) NTFS
Drive j: () (Removable) (Total:0.96 GB) (Free:0.86 GB) FAT
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 153.4 GB) (Disk ID: BE08D558)
Partition 1: (Not Active) - (Size=5.9 GB) - (Type=12)
Partition 2: (Active) - (Size=73.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=74.3 GB) - (Type=OF Extended)
 
========================================================
Disk: 5 (Size: 980 MB) (Disk ID: 6B736964)
No partition Table on disk 5.
 
==================== End of log ============================
 
FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-06-2015
Ran by Dharmesh (administrator) on DHARMESH-1665FE on 19-06-2015 15:48:40
Running from C:\Documents and Settings\Dharmesh\My Documents\Downloads
Loaded Profiles: Dharmesh (Available Profiles: Dharmesh & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 6 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(SEIKO EPSON CORPORATION) C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I0S2.EXE
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [SkyTel] => C:\WINDOWS\SkyTel.EXE [2879488 2007-04-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16125440 2007-04-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [69632 2007-04-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [EPSON Stylus C66 Series] => C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE [99840 2003-11-26] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: J - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE  .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {1c490062-011a-11e4-aa1e-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {1facade7-168b-11e5-aa9a-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {78aeb65e-dc48-11e3-a9b1-0019212e3108} - J:\Startme.exe
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {ae832719-35eb-11e4-aa3d-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE  .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {ca658600-0239-11e4-aa26-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {eef94110-dc4a-11e3-a9b2-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=951822553&ir=
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1202660629-413027322-682003330-1003\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1202660629-413027322-682003330-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1202660629-413027322-682003330-1003 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "http://start.mysearc...=951822553&ir="<======= ATTENTION
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
SearchScopes: HKLM -> {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
SearchScopes: HKU\S-1-5-21-1202660629-413027322-682003330-1003 -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
SearchScopes: HKU\S-1-5-21-1202660629-413027322-682003330-1003 -> {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-01-03] (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{B2817F6F-A172-43D4-9DE6-786DD102C385}: [NameServer] 8.8.8.8,8.8.4.4
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-19] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-06-19] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2012-01-03] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-06-19]
CHR Extension: (Google Docs) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-19]
CHR Extension: (Google Drive) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-06-19]
CHR Extension: (YouTube) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-06-19]
CHR Extension: (Google Search) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-06-19]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-06-19]
CHR Extension: (Chrome Hotword Shared Module) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-06-19]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-19]
CHR Extension: (MySearchDial) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pflphaooapbgpeakohlggbpidpppgdff [2015-06-19]
CHR Extension: (Gmail) - C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-19]
CHR HKLM\...\Chrome\Extension: [pflphaooapbgpeakohlggbpidpppgdff] - https://clients2.goo...ice/update2/crx
CHR HKU\S-1-5-21-1202660629-413027322-682003330-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pflphaooapbgpeakohlggbpidpppgdff] - https://clients2.goo...ice/update2/crx
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 uliukt; C:\WINDOWS\system32\efmzn.dll [162979 2004-08-03] () [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 nvata; C:\WINDOWS\System32\DRIVERS\nvata.sys [105088 2006-06-28] (NVIDIA Corporation)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-07-17] ()
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [250496 2006-12-27] (Marvell)
S4 IntelIde; No ImagePath
U1 WS2IFSL; No ImagePath
U3 aswMBR; \??\C:\DOCUME~1\Dharmesh\LOCALS~1\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\DOCUME~1\Dharmesh\LOCALS~1\Temp\aswVmm.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: uliukt -> C:\WINDOWS\system32\efmzn.dll ()
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-19 15:48 - 2015-06-19 15:48 - 00000000 ____D C:\FRST
2015-06-19 15:42 - 2015-06-19 15:42 - 00002099 _____ C:\Documents and Settings\Dharmesh\Desktop\aswMBR.txt
2015-06-19 15:42 - 2015-06-19 15:42 - 00000512 _____ C:\Documents and Settings\Dharmesh\Desktop\MBR.dat
2015-06-19 15:40 - 2015-06-19 15:22 - 05198336 _____ (AVAST Software) C:\Documents and Settings\Dharmesh\Desktop\aswMBR.exe
2015-06-19 15:39 - 2015-06-19 15:39 - 00054960 _____ C:\Documents and Settings\Dharmesh\Desktop\OTL.Txt
2015-06-19 15:39 - 2015-06-19 15:39 - 00033146 _____ C:\Documents and Settings\Dharmesh\Desktop\Extras.Txt
2015-06-19 15:31 - 2015-06-19 15:21 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Dharmesh\Desktop\OTL.exe
2015-06-19 15:09 - 2015-06-19 15:09 - 00001813 _____ C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
2015-06-19 15:09 - 2015-06-19 15:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
2015-06-19 15:07 - 2015-06-19 15:12 - 00000890 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-19 15:07 - 2015-06-19 15:12 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-13 14:40 - 2004-08-04 00:56 - 00159232 _____ (Microsoft Corporation) C:\WINDOWS\system32\ptpusd.dll
2015-06-13 14:40 - 2004-08-03 22:58 - 00015104 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\usbscan.sys
2015-06-13 14:40 - 2004-08-03 22:58 - 00015104 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\usbscan.sys
2015-06-13 14:40 - 2001-08-17 22:36 - 00005632 _____ (Microsoft Corporation) C:\WINDOWS\system32\ptpusb.dll
2015-06-12 14:46 - 2015-06-12 21:06 - 00000000 ____D C:\Documents and Settings\Dharmesh\Desktop\NEW
2015-06-04 17:12 - 2015-06-04 17:13 - 00000375 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-19 15:48 - 2014-04-29 21:25 - 00000000 ____D C:\Documents and Settings\Dharmesh\Local Settings\Temp
2015-06-19 15:15 - 2014-04-29 21:24 - 00032424 _____ C:\WINDOWS\SchedLgU.Txt
2015-06-19 15:15 - 2014-04-29 21:24 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-06-19 15:09 - 2014-04-29 21:39 - 00000000 ____D C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google
2015-06-19 15:08 - 2014-04-29 22:24 - 00000000 ____D C:\Program Files\Google
2015-06-19 15:07 - 2014-04-29 22:11 - 00123607 _____ C:\WINDOWS\setupapi.log
2015-06-19 14:30 - 2014-04-29 22:14 - 00000159 _____ C:\WINDOWS\wiadebug.log
2015-06-19 14:30 - 2014-04-29 22:14 - 00000049 _____ C:\WINDOWS\wiaservc.log
2015-06-19 14:29 - 2014-04-29 22:17 - 00073451 _____ C:\WINDOWS\system32\nvapps.xml
2015-06-19 14:29 - 2014-04-29 21:25 - 00000178 ___SH C:\Documents and Settings\Dharmesh\ntuser.ini
2015-06-19 14:29 - 2014-04-29 21:20 - 00529440 _____ C:\WINDOWS\WindowsUpdate.log
2015-06-19 14:29 - 2006-01-01 01:02 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2015-06-19 13:29 - 2001-08-23 13:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2015-06-17 19:59 - 2014-09-29 16:21 - 00000000 ____D C:\Documents and Settings\Dharmesh\Desktop\JES TRADERS LTD
2015-06-17 19:58 - 2014-05-01 16:27 - 00000000 ____D C:\Documents and Settings\Dharmesh\Desktop\Sale
2015-06-13 14:40 - 2014-04-29 21:16 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
2015-06-12 17:09 - 2014-04-29 22:11 - 00187069 _____ C:\WINDOWS\setupact.log
2015-06-12 16:35 - 2014-09-06 19:37 - 00004608 _____ C:\Documents and Settings\Dharmesh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-06-04 17:13 - 2006-01-01 01:31 - 00000754 _____ C:\WINDOWS\nsw.log
2015-06-04 16:38 - 2014-04-29 22:12 - 00356120 _____ C:\WINDOWS\system32\PerfStringBackup.INI
 
==================== Files in the root of some directories =======
 
2014-09-06 19:37 - 2015-06-12 16:35 - 0004608 _____ () C:\Documents and Settings\Dharmesh\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
Some files in TEMP:
====================
C:\Documents and Settings\Dharmesh\Local Settings\Temp\ose00000.exe
C:\Documents and Settings\Dharmesh\Local Settings\Temp\{30160F82-11D2-4C82-B803-3E273B71536D}-37.0.2062.103_35.0.1916.153_chrome_updater.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of log ============================
 
*** Please help me recover my PC **** I will be very grateful for your help.
 

Edited by silver3, 19 June 2015 - 11:23 AM.

#2 Essexboy (GeekU Moderator, Retired Staff)
Hi, this is fairly badly infected.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: J - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {1c490062-011a-11e4-aa1e-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {1facade7-168b-11e5-aa9a-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {78aeb65e-dc48-11e3-a9b1-0019212e3108} - J:\Startme.exe
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {ae832719-35eb-11e4-aa3d-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {ca658600-0239-11e4-aa26-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {eef94110-dc4a-11e3-a9b2-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=951822553&ir=
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "http://start.mysearc...=951822553&ir="<======= ATTENTION
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
SearchScopes: HKLM -> {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
SearchScopes: HKU\S-1-5-21-1202660629-413027322-682003330-1003 -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
SearchScopes: HKU\S-1-5-21-1202660629-413027322-682003330-1003 -> {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
NETSVC: uliukt -> C:\WINDOWS\system32\efmzn.dll ()
U3 aswMBR; \??\C:\DOCUME~1\Dharmesh\LOCALS~1\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\DOCUME~1\Dharmesh\LOCALS~1\Temp\aswVmm.sys [X]
CustomCLSID: HKU\S-1-5-21-1202660629-413027322-682003330-1003_Classes\CLSID\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\InprocServer32 -> C:\Documents and Settings\Dharmesh\Local Settings\Application Data\Google\Update\1.2.131.11\goopdate (the data entry has 12 more characters).
C:\WINDOWS\system32\efmzn.dll
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    • When finished, it shall produce a log for you.
    • Please include the C:\ComboFix.txt in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

    3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


    Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

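The FRST log in the first post and the fixlist in the reply above point at three things worth recognising on sight: MountPoints2 handlers that chain rundll32 into a second rundll32 to load a DLL from a RECYCLER folder (or, for one entry, simply run an executable from the root of drive J:, the removable drive in the Drives section), so the device re-launches it every time it is plugged in; a service (uliukt) whose DLL has no company name and is unsigned, registered under netsvcs so it runs inside a svchost; and IE search scopes and the start page in both HKLM and HKU pointing at the same third-party search provider. The following Python script, added here as an example and not part of the thread, of FRST or of Essexboy's fix, scans FRST-style lines for those patterns. The sample lines are a subset copied from the log above with the forum's URL truncation left as it appears; the rule names, the allow-listed URL prefixes and the assumption that C: is the system drive are the editor's, not the tool's.

```python
"""Triage FRST-style log lines for the persistence patterns seen in this
thread: removable-drive autorun handlers, an anonymous netsvcs DLL and a
browser search-provider hijack. Added example; the heuristics are the
editor's assumptions, not FRST behaviour."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule subject detail")

# Constructed sample: a subset of lines copied from the FRST.txt posted
# above. URLs are truncated exactly as the forum software shows them.
SAMPLE_LOG = r"""
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: J - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE  .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {1c490062-011a-11e4-aa1e-0019212e3108} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
HKU\S-1-5-21-1202660629-413027322-682003330-1003\...\MountPoints2: {78aeb65e-dc48-11e3-a9b1-0019212e3108} - J:\Startme.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=951822553&ir=
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
SearchScopes: HKU\S-1-5-21-1202660629-413027322-682003330-1003 -> DefaultScope {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://start.mysearc...r=951822553&ir=
S2 uliukt; C:\WINDOWS\system32\efmzn.dll [162979 2004-08-03] () [File not signed]
R0 nvata; C:\WINDOWS\System32\DRIVERS\nvata.sys [105088 2006-06-28] (NVIDIA Corporation)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-07-17] ()
NETSVC: uliukt -> C:\WINDOWS\system32\efmzn.dll ()
"""

MOUNTPOINT_RE = re.compile(r"MountPoints2:\s+(\S+)\s+-\s+(.+)$")
# "S2 name; path [size date] (company) [File not signed]"
SERVICE_RE = re.compile(r"^([RSU]\d)\s+(\S+);\s+(.+?)\s+\[\d+\s+[\d-]+\]\s+\((.*?)\)(.*)$")
NETSVC_RE = re.compile(r"^NETSVC:\s+(\S+)\s+->\s+(.+?)\s+\((.*?)\)\s*$")
URL_RE = re.compile(r"(?:Start Page|URL)\s*=\s*(\S+)")
# Executable sitting at the root of any drive other than C: (assumed system drive).
DRIVE_ROOT_EXE_RE = re.compile(r"^[D-Z]:\\[^\\]+\.(?:exe|com|bat|cmd|scr|pif)$", re.I)
# Assumption: only the vendor defaults are trusted; compared on the visible
# prefix because the forum truncates URLs.
TRUSTED_URL_PREFIXES = ("http://www.microsoft", "https://www.microsoft", "about:blank")


def check_mountpoint(entry, command):
    """MountPoints2 holds per-device autorun handlers. Flag a handler that
    chains rundll32 into a second rundll32 or loads from a RECYCLER folder
    (it never names a real program), or one that runs an executable straight
    from the root of a non-system drive (autorun from removable media)."""
    lowered = command.lower()
    if lowered.count("rundll32") >= 2 or "\\recycler\\" in lowered:
        return [Finding("mountpoints2-rundll32-chain", entry, command)]
    if DRIVE_ROOT_EXE_RE.match(command.strip()):
        return [Finding("mountpoints2-drive-root-exe", entry, command)]
    return []


def check_service(line):
    """Flag a service whose image has no company string AND is unsigned.
    Both are required: legitimate XP-era drivers (e.g. secdrv.sys) also
    carry no company name."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _start, name, path, company, tail = m.groups()
    if not company and "not signed" in tail.lower():
        return [Finding("unsigned-anonymous-service", name, path)]
    return []


def check_netsvc(line):
    """A netsvcs DLL with no company string runs inside svchost unattributed."""
    m = NETSVC_RE.match(line)
    if m and not m.group(3):
        return [Finding("netsvcs-anonymous-dll", m.group(1), m.group(2))]
    return []


def check_browser_url(line):
    """Start page / search scope pointing anywhere but the trusted defaults."""
    m = URL_RE.search(line)
    if not m or m.group(1).startswith(TRUSTED_URL_PREFIXES):
        return []
    return [Finding("browser-search-redirect", m.group(1), line[:m.start()].strip())]


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNTPOINT_RE.search(line)
        if m:
            findings.extend(check_mountpoint(*m.groups()))
            continue
        findings.extend(check_service(line))
        findings.extend(check_netsvc(line))
        findings.extend(check_browser_url(line))
    return findings


def rule_counts(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.subject}\n    {f.detail}")
```

Run it directly to print the findings for the sample, or pass the whole FRST.txt to triage(). The entries it flags (the MountPoints2 handlers, the uliukt/efmzn.dll service and the search scopes) are among the ones the fixlist above removes; the benign Run entry, the NVIDIA driver and the company-less but signed-status-unknown secdrv.sys are left alone.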
#3 silver3 (Member, Topic Starter)
Hi,

I posted the topic from my laptop. The reports I submitted were from my pc that was infected. It has win xp installed. So are the above scripts that you posted for my infected pc? Thanks

#4 Essexboy (GeekU Moderator, Retired Staff)
Yes they are for an XP system
#5 silver3 (Member, Topic Starter)
Hi sorry. Where do I get FRST.exe from? Thanks

#6 Essexboy (GeekU Moderator, Retired Staff)
You should have used it to generate the FRST log on the infected system.

 

Please download Farbar Recovery Scan Tool and save it to your Desktop.

#7 silver3 (Member, Topic Starter)
Hi please see both logs attached. I feel my pc processing speed has improved now. Will wait for your feedback. Thanks

#8 Essexboy (GeekU Moderator, Retired Staff)
On completion of this, could you try to install your antivirus.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:
 

Driver::
fpuyruv


Save this as CFScript.txt, in the same location as ComboFix.exe


CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
#9 silver3 (Member, Topic Starter)
Hi,

I had tried installing the antivirus when I was waiting for your reply. I could access the page but turns out the antivirus software isn't compatible with my Win XP OS! Is there any anti-virus I can download and use? Will do above as well. Thanks

#10 silver3 (Member, Topic Starter)
Please see attached combofix.txt

#11 Essexboy (GeekU Moderator, Retired Staff)
The first thing you need to do is install SP 3. https://www.microsof...ails.aspx?id=24

Once you have done that then let me know and we will secure your system
#12 silver3 (Member, Topic Starter)
Hi I have now completed that installation. 

#13 Essexboy (GeekU Moderator, Retired Staff)
OK, let's now get you secure.

How to set up a reasonable and light security regime for your system. All other elements are install and forget.


Once completed let me know how the computer is behaving

DOWNLOAD AND INSTALL ANTIVIRUS

Download Avast - direct link Avast 2015

Select Custom install
Remove the ticks from the first page for the following unless you want them :
Dropbox
Chrome
Chrome toolbar


Select Next
Deselect the following from the middle column as you will not need them :
SecureLine
Grimefighter


Select Continue and allow the programme to install

Be aware that the first reboot may take a few minutes as Avast builds the virtual machine

Avast will need to be registered, as this helps them determine the server load: updates are downloaded in small bursts every few minutes, each about 2Kb.

How to register

Right click the Avast orange blob on the task bar
Select registration
Select Standard Protection
Fill in your e-mail address
Click register with e-mail address and you are done
Once registered open Avast
Go to Settings > General
Place a tick in "Scan for Potentially Unwanted Programmes (PUPs)"
Place a tick in "Silent /Gaming mode"

PROTECT AGAINST UNWANTED BUNDLED SOFTWARE

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme ;)

IF YOU USE USB DRIVES

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
Plug in the drive and McShield will start a scan
#14 silver3 (Member, Topic Starter)
Hi,

I have now done all above. Thank you so much for helping me! You're an absolute star!

#15 Essexboy (GeekU Moderator, Retired Staff)
Any further problems before I clear my rubbish away ? :)