Windows desktop won't fully load; suspect malware


#16
Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • 36 posts

Now we're getting somewhere :)  Hadn't thought of Start -> Run -> msconfig. 

Diagnostic Startup worked.  Although everything is miniaturized, the taskbar and icons are now visible.  Explorer.exe is back among the processes shown in Task Manager and has by far the highest memory usage of any listed process.  The biggest downside at this point is that 2 restarts are required to get out of Diagnostic Startup in either normal or safe mode.

No security programs will launch automatically.  I can open EMET but it is disabled, while MBAE won't launch at all (potential conflicts between the two were addressed ahead of time).  Might have to jettison MBAE.  Bitdefender opens but is also disabled.  MBAM opens but can't be updated.  I'd like to update these programs ASAP.

Since I've already spent the majority of my day working on the computer, I'm gonna quit for the night.  I'll get to work on some of your configuration suggestions tomorrow.

Thanks for getting me this far.

#17
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Not a lot of third party stuff will run in Diagnostic Startup mode.  The main idea is just to see if it's a Windows problem or some program.  Appears Windows is healthy enough so something else is causing the problem.  Zero Access used to replace some anti-virus programs with its own stuff so you may need to reinstall them.  Haven't seen Zero Access in a couple of years so I'm a bit rusty on it.

I'm flying to FL today so won't be online again until tomorrow.

#18
Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • 36 posts

Did the unchecking you advised; desktop looks the same using Selective Startup as it did with Diagnostic Startup--everything miniaturized.  Haven't had time to check through all the services one-by-one yet.  The rest of my life is getting in the way.  I'll have another go at it on Thursday.

ZeroAccess replacing some anti-virus programs with its own stuff bugs me.  Is there a guide somewhere that lists what needs to be looked at after ComboFix kills ZeroAccess?  I know MBAE has issues and needs to go, but I'd like to avoid uninstalling and reinstalling my older AV, EMET, and MBAM.

FWIW, my infection isn't an isolated occurrence.  I found recent posts on another board that describe the same symptom in Windows 10 and 8.1, as well as XP.  We seem to be the closest to defeating this thing.

Edited by Lamont_Cranston, 06 June 2017 - 11:42 PM.

#19
Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • 36 posts

Something odd happened today.  When I got home from work I found that my PC had rebooted on its own.  It wasn't connected to the web. 

Clicking on my user name and continuing to my desktop, I saw random icons in the tray that hadn't been there for a long time, along with the MBAE icon which had only appeared once before when the program was initially installed.  The 3 icons that would ordinarily be in the tray--EMET, Bitdefender, and MBAM--were absent.  Checked msconfig and learned Windows was running in Normal Startup mode.

Launched Firefox and restored my previous session.  Only one tab opened.  Checked Firefox history and could see that my machine had somehow restored itself to approximately May 23rd, which was about the last day I was able to get into Windows normally.  Opened System Restore and discovered that all previous restore points have been wiped out.  My only option is a system checkpoint on June 7th at 2:28 p.m., created several hours before I got home.

Rebooted into Safe Mode and checked System Restore again.  Same June 7 checkpoint as the only option.  Launched Firefox in Safe Mode and restored my previous session.  The same 4 tabs I had open early this morning (I work outdoors--needed to check the weather forecast) were still there.  Figured I'd better add a post to this thread to report what I found.

The good news is that Windows can now be started normally.  The bad news is I had nothing to do with it.  Let me know what you think.  In the meantime I'll run Panda's online scan again and see if it picks up anything.

#20
RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Run a new FRST scan with Addition.txt checked and let's see what it looks like now.

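RKinner asks for a fresh FRST report before deciding the next step. As an added example (not code from this thread, from Farbar, or from FRST itself), the Python below shows how a defender can triage an FRST report by pulling out the lines FRST itself marks for attention and grouping them by section. The marker strings are the ones FRST prints (`<======= ATTENTION`, `(No File)`, `[not signed]`, `[File not signed]`, `no ImagePath`, `[X]`), as seen in the logs posted in this thread; the sample report, its file names and the `Finding`/`triage`/`summarize` names are constructed for this example.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) text reports.

Added example, not part of the thread or of FRST. It walks an FRST.txt-style
report, tracks the current '==== Section ====' heading, and collects every
line carrying one of the markers FRST uses to flag entries worth a second look.
The SAMPLE_REPORT below is constructed; only its shape mirrors a real report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Markers FRST prints on lines it wants the analyst to look at, with the
# defender-side meaning of each one. Order matters only for the 'reason' chosen
# when a line carries more than one marker (first hit wins).
MARKERS = {
    "<======= ATTENTION": "policy restriction or non-default setting flagged by FRST",
    "(No File)": "autostart entry points at a file that no longer exists",
    "[not signed]": "browser extension is unsigned",
    "[File not signed]": "driver or service binary is unsigned",
    "no ImagePath": "driver/service registered without a binary path",
    "[X]": "driver/service whose binary FRST could not find",
}

# FRST section headers look like '==================== Drivers (Whitelisted) ===='.
SECTION_RE = re.compile(r"^=+ (.+?) =+$")


@dataclass
class Finding:
    section: str   # FRST section the line came from
    line: str      # the flagged line, verbatim
    reason: str    # why FRST's marker makes it worth reading


def triage(report: str) -> list[Finding]:
    """Return one Finding per flagged line, tagged with the section it came from."""
    findings: list[Finding] = []
    section = "Header"
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        for marker, reason in MARKERS.items():
            if marker in line:
                findings.append(Finding(section, line, reason))
                break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count flagged lines per section, so the analyst knows where to start reading."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample report (hypothetical paths and names, FRST-style layout).
SAMPLE_REPORT = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-01-2017
Ran by user (administrator) on EXAMPLE-PC (01-01-2017 00:00:00)

==================== Registry (Whitelisted) ====================

HKLM\...\Run: [Updater] => C:\Program Files\Example\update.exe [12345 2016-01-01] (Example Corp)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Search.lnk [2016-03-06]
ShortcutTarget: Search.lnk -> C:\Program Files\Example Search\search.exe (No File)

==================== Internet (Whitelisted) ====================

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Extension: (Example Console) - C:\Program Files\Mozilla Firefox\extensions\{00000000-0000-0000-0000-000000000000} [2016-11-04] [not signed]

===================== Drivers (Whitelisted) ======================

S3 gooddrv; C:\WINDOWS\System32\DRIVERS\gooddrv.sys [12345 2013-04-17] (Example Corp)
S3 oldscan; C:\WINDOWS\system32\drivers\oldscan.sys [20464 2011-12-10] (Example Corp) [File not signed]
U0 ghostdrv; no ImagePath
S3 leftover; \??\C:\Tools\leftover.sys [X]
"""


if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("per section:", summarize(found))
```

Filtering on FRST's own markers keeps the triage honest: it asserts nothing about maliciousness, it only narrows what to read first. `(No File)` and `[X]` hits are as often stale leftovers of uninstalled tools as signs of an infection, so each still needs a human look, which is exactly what the helper is asking for.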

#21
Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • 36 posts

Sorry, fell asleep while the Panda scan was running.  FRST logs pasted below.

Results of the Panda Cloud Cleaner scan were nearly identical to what it found back on May 24th--Malware:System Hijack, with no additional information, and this Suspicious Policy:

Key: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value: HIDEFILEEXT

Didn't let Panda clean it up this time around.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-05-2017
Ran by dave (administrator) on BADDABING (08-06-2017 06:51:38)
Running from C:\Documents and Settings\dave\My Documents\Downloads
Loaded Profiles: steveo & dean & dave (Available Profiles: steveo & dean & dave)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\Program Files\Panda Security\Panda Cloud Cleaner\PCloudCleaner.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2650576 2017-05-12] (Malwarebytes Corporation)
HKLM\...\Run: [BCMSMMSG] => C:\WINDOWS\BCMSMMSG.exe [122880 2003-08-29] (Broadcom Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1085656 2015-12-17] (Adobe Systems Incorporated)
HKLM\...\Run: [MSConfig] => C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE [169984 2008-04-13] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19] (Intel Corporation)
Winlogon\Notify\NavLogon:
HKU\S-1-5-19\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-20\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-21-57989841-179605362-1644491937-1003\...\Run: [Google Update] => C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [107912 2015-01-10] (Google Inc.)
HKU\S-1-5-21-57989841-179605362-1644491937-1003\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe [1224896 2016-11-13] (Adobe Systems Incorporated)
HKU\S-1-5-18\...\Policies\Explorer: [NoSetActiveDesktop] 0
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk [2016-03-06]
ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (No File)
Startup: C:\Documents and Settings\steveo\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk [2010-10-09]
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864 2010-05-18] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
Tcpip\..\Interfaces\{2CE76E6F-8826-4E90-8653-9EFFF1ED8DA0}: [DhcpNameServer] 192.168.0.1 205.171.3.25

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-57989841-179605362-1644491937-1004\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-57989841-179605362-1644491937-1005\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-57989841-179605362-1644491937-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://qwest.live.com
HKU\S-1-5-21-57989841-179605362-1644491937-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-57989841-179605362-1644491937-1003\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-57989841-179605362-1644491937-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://qwest.live.com
HKU\S-1-5-21-57989841-179605362-1644491937-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://qwest.live.com
HKU\S-1-5-21-57989841-179605362-1644491937-1004\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-57989841-179605362-1644491937-1004\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
HKU\S-1-5-21-57989841-179605362-1644491937-1004\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxps://duckduckgo.com/
hxxps://duckduckgo.com/
HKU\S-1-5-21-57989841-179605362-1644491937-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-57989841-179605362-1644491937-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://qwest.live.com
SearchScopes: HKU\S-1-5-21-57989841-179605362-1644491937-1004 -> DefaultScope {A1367404-C3D9-4CCD-8676-89CA9E44E012} URL = hxxps://duckduckgo.com/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-57989841-179605362-1644491937-1004 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-57989841-179605362-1644491937-1004 -> {A1367404-C3D9-4CCD-8676-89CA9E44E012} URL = hxxps://duckduckgo.com/?q={searchTerms}
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_71-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0071-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_71-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_71-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

FireFox:
========
FF ProfilePath: C:\Documents and Settings\dave\Application Data\Mozilla\Firefox\Profiles\omdtrzrs.default [2017-06-08]
FF Extension: (Java Console) - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2016-11-04] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-08-26] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-29] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2010-07-21] ()
FF Plugin: @emusic.com/dlm-plugin -> C:\Program Files\eMusic Download Manager\plugin\npemusic.dll [2010-01-20] (eMusic.com)
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll [2014-08-12] (Google, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-30] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-30] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-57989841-179605362-1644491937-1003: @emusic.com/dlm-plugin -> C:\Program Files\eMusic Download Manager\plugin\npemusic.dll [2010-01-20] (eMusic.com)
FF Plugin HKU\S-1-5-21-57989841-179605362-1644491937-1003: @talk.google.com/GoogleTalkPlugin -> C:\Documents and Settings\steveo\Application Data\Mozilla\plugins\npgoogletalk.dll [2014-06-06] (Google)
FF Plugin HKU\S-1-5-21-57989841-179605362-1644491937-1003: @talk.google.com/O1DPlugin -> C:\Documents and Settings\steveo\Application Data\Mozilla\plugins\npo1d.dll [2014-06-06] (Google)
FF Plugin HKU\S-1-5-21-57989841-179605362-1644491937-1003: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2015-01-10] (Google Inc.)
FF Plugin HKU\S-1-5-21-57989841-179605362-1644491937-1003: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\npGoogleUpdate3.dll [2015-01-10] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\itms.js [2010-07-21]

Chrome:
=======
StartMenuInternet: Google Chrome - C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 EMET_Service; C:\Program Files\EMET 5.0\EMET_Service.exe [31880 2014-07-30] (Microsoft Corporation)
S4 gzserv; C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [67592 2016-03-02] (Bitdefender)
S2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2017-05-12] (Malwarebytes Corporation)
S4 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [652360 2012-01-13] (Malwarebytes Corporation)
S2 sprtlisten; C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe [1213728 2008-01-08] (SupportSoft, Inc.)
S2 sprtsvc_quickcare; C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe [206120 2010-01-16] (SupportSoft, Inc.)
S3 SupportSoft RemoteAssist; C:\Program Files\Common Files\supportsoft\bin\ssrc.exe [382320 2010-01-16] (SupportSoft, Inc.)
S2 tgsrvc_quickcare; C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe [185640 2010-01-16] (SupportSoft, Inc.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 avc3; C:\WINDOWS\System32\DRIVERS\avc3.sys [633344 2013-04-17] (BitDefender)
S3 avckf; C:\WINDOWS\System32\DRIVERS\avckf.sys [486536 2013-04-17] (BitDefender)
S3 BCM42XX; C:\WINDOWS\System32\DRIVERS\bcm42xx5.sys [54271 2001-08-17] (Broadcom Corporation)
S3 BCM44X2; C:\WINDOWS\System32\DRIVERS\BCM4E5.SYS [26568 2001-08-17] (Broadcom Corporation)
S3 BCMModem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [1101696 2003-08-29] (Broadcom Corporation)
S1 bdftdif; C:\Program Files\Bitdefender\Antivirus Free Edition\bdftdif.sys [148600 2013-04-17] (Bitdefender SRL)
S1 bdselfpr; C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys [135472 2013-07-16] (BitDefender LLC)
S3 cmuda3; C:\WINDOWS\System32\drivers\cmudax3.sys [1512960 2010-02-26] (C-Media Inc)
S1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [59872 2017-05-12] ()
S1 gzflt; C:\WINDOWS\System32\DRIVERS\gzflt.sys [164952 2013-04-22] (BitDefender LLC)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [20464 2011-12-10] (Malwarebytes Corporation) [File not signed]
S0 trufos; C:\WINDOWS\System32\DRIVERS\trufos.sys [355744 2013-05-28] (BitDefender S.R.L.)
U0 aswVmm; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S0 cerc6; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-08 06:34 - 2017-06-08 06:34 - 00000405 _____ C:\Documents and Settings\dave\Desktop\May24ditto.txt
2017-06-04 18:47 - 2017-06-04 18:47 - 05200384 _____ (AVAST Software) C:\Documents and Settings\dave\Desktop\aswmbr.exe
2017-06-04 18:44 - 2017-06-04 18:44 - 00000000 _____ C:\WINDOWS\system32\lic2.xml19118
2017-06-04 15:08 - 2017-06-04 15:08 - 00000000 ____D C:\Documents and Settings\dave\Start Menu\Programs\NirSoft ShellExView
2017-06-04 14:09 - 2017-06-04 14:57 - 00232734 _____ C:\TDSSKiller.3.1.0.15_04.06.2017_14.09.23_log.txt
2017-06-04 14:07 - 2017-06-04 14:07 - 04922400 _____ (AO Kaspersky Lab) C:\Documents and Settings\dave\Desktop\tdsskiller.exe
2017-05-31 11:48 - 2017-06-08 06:52 - 00000000 ____D C:\Documents and Settings\dave\Local Settings\temp
2017-05-31 11:48 - 2017-06-07 19:43 - 00000000 ____D C:\Documents and Settings\dean\Local Settings\temp
2017-05-31 11:48 - 2017-05-31 11:48 - 00011918 _____ C:\ComboFix.txt
2017-05-31 11:48 - 2017-05-31 11:48 - 00000000 ____D C:\Documents and Settings\steveo\Local Settings\temp
2017-05-31 11:48 - 2017-05-31 11:48 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2017-05-31 11:48 - 2017-05-31 11:48 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\temp
2017-05-31 11:21 - 2017-05-31 11:21 - 00000000 _____ C:\WINDOWS\system32\lic2.xml8031
2017-05-31 11:02 - 2011-06-26 01:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2017-05-31 11:02 - 2010-11-07 12:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2017-05-31 11:02 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2017-05-31 11:02 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2017-05-31 11:02 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2017-05-31 11:02 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2017-05-31 11:02 - 2000-08-30 19:00 - 00098816 _____ C:\WINDOWS\sed.exe
2017-05-31 11:02 - 2000-08-30 19:00 - 00080412 _____ C:\WINDOWS\grep.exe
2017-05-31 11:02 - 2000-08-30 19:00 - 00068096 _____ C:\WINDOWS\zip.exe
2017-05-31 10:50 - 2017-05-31 10:51 - 05659512 ____R (Swearware) C:\Documents and Settings\dave\Desktop\ComboFix.exe
2017-05-31 10:44 - 2017-05-31 10:44 - 00000000 ___RD C:\Documents and Settings\dave\My Documents\My Videos
2017-05-24 22:48 - 2017-06-04 18:55 - 00000000 ____D C:\Program Files\Farbar
2017-05-24 20:51 - 2017-06-08 06:51 - 00000000 ____D C:\FRST
2017-05-24 20:38 - 2017-05-24 20:38 - 00000633 _____ C:\Documents and Settings\dave\Desktop\Shortcut to FRST.lnk
2017-05-24 19:30 - 2017-05-24 19:32 - 00118940 _____ C:\TDSSKiller.3.1.0.15_24.05.2017_19.30.57_log.txt
2017-05-24 19:27 - 2017-05-24 19:27 - 00000364 _____ C:\TDSSKiller.3.1.0.9_24.05.2017_19.27.51_log.txt
2017-05-24 18:00 - 2017-05-24 18:00 - 00000000 ____D C:\Documents and Settings\dave\Local Settings\Application Data\ESET
2017-05-24 18:00 - 2017-05-24 18:00 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Panda Security
2017-05-24 18:00 - 2017-05-24 18:00 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Exploit
2017-05-24 17:59 - 2017-05-24 17:59 - 00000000 ____D C:\Program Files\MS Safety Scanner
2017-05-24 17:59 - 2017-05-24 17:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\CPUID
2017-05-24 17:59 - 2017-05-24 17:59 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus Free Edition
2017-05-24 15:21 - 2015-09-14 13:03 - 00038520 _____ C:\WINDOWS\system32\Drivers\DasPtct.SYS
2017-05-24 15:19 - 2017-05-24 15:19 - 00000935 _____ C:\Documents and Settings\All Users\Desktop\Panda Cloud Cleaner.lnk
2017-05-24 15:19 - 2017-05-24 15:19 - 00000000 ____D C:\Program Files\Panda Security
2017-05-24 13:00 - 2017-05-24 18:00 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2017-05-24 13:00 - 2017-05-24 13:00 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit
2017-05-24 08:35 - 2017-05-24 08:35 - 00000000 ____D C:\Program Files\CPUID
2017-05-23 21:24 - 2017-05-23 21:24 - 00242504 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avchv.sys
2017-05-23 12:24 - 2017-05-23 12:24 - 00000000 ____D C:\Documents and Settings\steveo\Start Menu\Programs\Google Chrome
2017-05-22 12:03 - 2017-05-22 12:07 - 00117518 _____ C:\TDSSKiller.3.1.0.15_22.05.2017_12.03.54_log.txt
2017-05-22 11:58 - 2017-05-22 11:58 - 00000366 _____ C:\TDSSKiller.3.0.0.44_22.05.2017_11.58.19_log.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-08 05:28 - 2016-11-08 20:30 - 02220458 _____ C:\WINDOWS\ntbtlog.txt
2017-06-07 22:06 - 2008-04-13 18:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-06-07 22:05 - 2010-08-22 22:42 - 00000178 ___SH C:\Documents and Settings\dave\ntuser.ini
2017-06-07 20:12 - 2010-08-21 09:32 - 00000327 __RSH C:\boot.ini
2017-06-07 20:12 - 2008-04-13 18:00 - 00000507 _____ C:\WINDOWS\win.ini
2017-06-07 20:12 - 2008-04-13 18:00 - 00000227 _____ C:\WINDOWS\system.ini
2017-06-07 19:56 - 2016-09-24 06:52 - 00277063 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-57989841-179605362-1644491937-1004-0.dat
2017-06-07 19:56 - 2016-09-19 16:45 - 00151982 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2017-06-07 19:56 - 2010-08-22 00:14 - 00000178 ___SH C:\Documents and Settings\dean\ntuser.ini
2017-06-07 19:56 - 2010-08-21 21:47 - 00032574 _____ C:\WINDOWS\SchedLgU.Txt
2017-06-07 19:56 - 2010-08-21 21:47 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-07 19:37 - 2010-10-18 21:03 - 00000982 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003UA.job
2017-06-07 19:11 - 2016-08-11 12:33 - 00000400 _____ C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1470936737.job
2017-06-07 19:11 - 2016-08-11 12:32 - 00000000 ____D C:\Program Files\Opera
2017-06-07 18:18 - 2014-03-26 18:25 - 00000220 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-06-07 18:15 - 2016-08-12 22:06 - 00000892 _____ C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job
2017-06-07 18:15 - 2010-08-21 21:40 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-06-06 20:04 - 2010-08-22 03:20 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2017-06-04 15:08 - 2016-09-19 12:37 - 00000000 ____D C:\Program Files\NirSoft
2017-06-04 09:49 - 2012-03-29 22:25 - 00000000 __SHD C:\WINDOWS\CSC
2017-06-01 11:14 - 2010-08-21 21:47 - 00000000 __SHD C:\Documents and Settings\NetworkService
2017-05-31 11:48 - 2012-03-29 22:30 - 00000000 ____D C:\Qoobox
2017-05-31 11:48 - 2010-08-21 21:47 - 00000000 __SHD C:\Documents and Settings\LocalService
2017-05-31 11:48 - 2010-08-21 09:33 - 00000000 ___HD C:\Documents and Settings\Default User
2017-05-31 11:37 - 2012-03-29 22:30 - 00000000 ____D C:\WINDOWS\ERDNT
2017-05-31 11:37 - 2010-08-21 09:33 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2017-05-31 11:37 - 2010-08-21 09:33 - 00028672 _____ C:\WINDOWS\system32\config\SAM.bak
2017-05-31 11:37 - 2010-08-21 09:32 - 27394048 _____ C:\WINDOWS\system32\config\software.bak
2017-05-31 11:37 - 2010-08-21 09:32 - 06815744 _____ C:\WINDOWS\system32\config\system.bak
2017-05-31 11:37 - 2010-08-21 09:32 - 00516096 _____ C:\WINDOWS\system32\config\default.bak
2017-05-31 10:44 - 2010-08-22 22:42 - 00000000 ___RD C:\Documents and Settings\dave\My Documents
2017-05-24 19:29 - 2016-12-25 14:21 - 00000000 ____D C:\Documents and Settings\dean\My Documents\GEICO Damage Inspection Cancellation Confirmation_files
2017-05-24 19:29 - 2016-12-18 10:12 - 00000000 ____D C:\Documents and Settings\dean\My Documents\Gold Nugget Army Surplus  Invoice 11876_files
2017-05-24 19:29 - 2010-08-22 00:14 - 00000000 ___RD C:\Documents and Settings\dean\My Documents\My Music
2017-05-24 17:58 - 2016-11-04 20:24 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-05-24 17:58 - 2012-05-04 23:00 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-05-24 10:37 - 2010-10-18 21:03 - 00000930 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003Core.job
2017-05-23 19:03 - 2016-09-19 15:27 - 00000000 ____D C:\Program Files\Bitdefender
2017-05-23 12:24 - 2010-08-22 22:42 - 00000000 ____D C:\Documents and Settings\dave
2017-05-23 12:24 - 2010-08-22 00:14 - 00000000 ____D C:\Documents and Settings\dean
2017-05-23 12:24 - 2010-08-21 21:49 - 00000000 ____D C:\Documents and Settings\steveo
2017-05-23 12:24 - 2010-08-21 21:39 - 00000000 ____D C:\WINDOWS\Registration
2017-05-22 12:08 - 2010-08-21 23:33 - 00000000 ____D C:\Documents and Settings\steveo\Application Data\Adobe
2017-05-22 12:01 - 2014-05-18 22:33 - 00000000 ____D C:\Program Files\TDSSkiller
2017-05-22 10:42 - 2010-08-21 22:02 - 00000000 ____D C:\Documents and Settings\steveo\Application Data\Mozilla
2017-05-22 10:32 - 2010-08-23 18:30 - 00000000 ____D C:\Program Files\Google
2017-05-22 10:28 - 2010-08-21 22:17 - 00000000 ____D C:\Documents and Settings\steveo\Application Data\Apple Computer

==================== Files in the root of some directories =======

2016-10-05 20:25 - 2016-10-05 20:26 - 48013312 _____ () C:\Program Files\AdbeRdrUpd11017.msp
2016-09-19 14:10 - 2016-09-19 14:15 - 0196944 _____ () C:\Program Files\Antivirus_Free_Edition.exe
2016-09-19 15:11 - 2016-09-19 15:11 - 10056744 _____ () C:\Program Files\Antivirus_Free_Edition_x86.exe
2016-09-18 11:48 - 2016-09-18 11:48 - 8244656 _____ (Piriform Ltd) C:\Program Files\ccsetup522.exe
2016-09-05 13:54 - 2016-09-05 13:54 - 1718016 _____ (                                                            ) C:\Program Files\cpu-z_1.77-en.exe
2016-09-07 16:08 - 2016-09-07 16:08 - 0473291 _____ () C:\Program Files\Everything-1.3.4.686.x86-Setup.exe
2016-09-19 09:39 - 2016-09-19 09:39 - 0146112 _____ () C:\Program Files\regscanner_setup.exe
2011-12-09 15:04 - 2011-12-09 15:07 - 0000112 _____ () C:\Documents and Settings\All Users\Application Data\0sJT3AhC.dat

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-05-2017
Ran by dave (08-06-2017 06:53:41)
Running from C:\Documents and Settings\dave\My Documents\Downloads
Microsoft Windows XP Professional Service Pack 3 (X86) (2010-08-22 02:46:34)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-57989841-179605362-1644491937-500 - Administrator - Enabled)
ASPNET (S-1-5-21-57989841-179605362-1644491937-1006 - Limited - Enabled)
dave (S-1-5-21-57989841-179605362-1644491937-1005 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\dave
dean (S-1-5-21-57989841-179605362-1644491937-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\dean
Guest (S-1-5-21-57989841-179605362-1644491937-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-57989841-179605362-1644491937-1000 - Limited - Disabled)
steveo (S-1-5-21-57989841-179605362-1644491937-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\steveo
SUPPORT_388945a0 (S-1-5-21-57989841-179605362-1644491937-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus Free Edition (Enabled - Up to date) {9488E0FA-F058-4673-850E-E755F112BABC}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.32 (HKLM\...\7-Zip) (Version:  - )
Adobe Flash Player 23 PPAPI (HKLM\...\Adobe Flash Player PPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 24.0.0.194 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.17) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.17 - Adobe Systems Incorporated)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{85991ED2-010C-4930-96FA-52F43C2CE98A}) (Version: 3.1.0.62 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
BCM V.92 56K Modem (HKLM\...\BCM V.92 56K Modem) (Version:  - )
Bitdefender Antivirus Free Edition (HKLM\...\BitDefender Gonzales) (Version: 1.0.21.1109 - Bitdefender)
Bonjour (HKLM\...\{0CB9668D-F979-4F31-B8B8-67FE90F929F8}) (Version: 2.0.2.0 - Apple Inc.)
Broadcom 440x 10/100 Integrated Controller (HKLM\...\InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}) (Version: 3.29 - Broadcom)
Broadcom 440x 10/100 Integrated Controller (Version: 3.29 - Broadcom) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.22 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CPUID CPU-Z 1.77 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
Diamond Xtreme Audio (HKLM\...\C-Media PCI Sound) (Version:  - )
EMET 5.0 (HKLM\...\{FDDEBC40-9491-4978-8EF7-3FABA86595FB}) (Version: 5.0 - Microsoft Corporation)
eMusic Download Manager 4.1.4 (HKLM\...\eMusic Download Manager) (Version: 4.1.4 - eMusic, Inc.)
Everything 1.3.4.686 (x86) (HKLM\...\Everything) (Version:  - )
Google Chrome (HKU\S-1-5-21-57989841-179605362-1644491937-1003\...\Google Chrome) (Version: 36.0.1985.125 - Google Inc.)
Google Talk Plugin (HKLM\...\{C1E3DFE7-4EAD-3E9E-A826-E06055BA5921}) (Version: 5.4.2.18903 - Google)
Intel® Extreme Graphics Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version:  - )
iTunes (HKLM\...\{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}) (Version: 9.2.1.5 - Apple Inc.)
Java 8 Update 111 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Mahjongg Dimensions Deluxe (HKLM\...\am-mahjonggdimensionsdeluxe) (Version:  - )
Malwarebytes Anti-Exploit version 1.9.1.1410 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.9.1.1410 - Malwarebytes)
Malwarebytes Anti-Malware version 1.60.1.1000 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.60.1.1000 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Mozilla Firefox 52.1.2 ESR (x86 en-US) (HKLM\...\Mozilla Firefox 52.1.2 ESR (x86 en-US)) (Version: 52.1.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.1.2.6346 - Mozilla)
Mozilla Thunderbird (3.1.20) (HKLM\...\Mozilla Thunderbird (3.1.20)) (Version: 3.1.20 (en-US) - Mozilla)
NirSoft RegScanner (HKLM\...\NirSoft RegScanner) (Version:  - )
NirSoft ShellExView (HKLM\...\NirSoft ShellExView) (Version:  - )
Octoshape add-in for Adobe Flash Player (HKU\S-1-5-21-57989841-179605362-1644491937-1003\...\Octoshape add-in for Adobe Flash Player) (Version:  - )
OpenOffice.org 3.2 (HKLM\...\{5A13987D-55F4-4271-A40E-76AC9B1B38FD}) (Version: 3.2.9502 - OpenOffice.org)
Opera Stable 36.0.2130.80 (HKLM\...\Opera 36.0.2130.80) (Version: 36.0.2130.80 - Opera Software)
Panda Cloud Cleaner (HKLM\...\{92B2B132-C7F0-43DC-921A-4493C04F78A4}_is1) (Version: 1.1.10 - Panda Security)
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Plants vs. Zombies™ (HKLM\...\am-plantsvszombiestm) (Version:  - )
Qwest Installer (HKLM\...\{C96FF998-45BD-411E-9253-B7F2660FE280}) (Version: 1.0 - Qwest Communications International Inc.)
Qwest Personal Digital Vault™ (HKLM\...\{746FB02B-1D03-43B7-917A-E1341AB69A00}) (Version: 1.0.0002 - Qwest)
Qwest QuickAssist Desktop Tools (HKLM\...\{A63E18AC-B504-4045-AFE6-A279BBABB988}) (Version: 23 - SupportSoft)
Qwest Quickcare 2.7 (HKLM\...\QwestQuickCare_is1) (Version: 2.7.1002.1512 - Qwest)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Rhapsody (HKLM\...\Rhapsody) (Version:  - )
Roads of Rome (HKLM\...\am-roadsofrome) (Version:  - )
VLC media player 1.1.3 (HKLM\...\VLC media player) (Version: 1.1.3 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray (HKLM\...\KB952011) (Version: 1.0 - Microsoft Corporation)
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

HKU\S-1-5-21-57989841-179605362-1644491937-1003\...\ChromeHTML: -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.) <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.21.69\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{29A96789-9595-4947-BEDB-0FCC776F7DB8}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.2.183.39\goopdate.dll => No File
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Google Talk Plugin\googletalkax.dll (Google)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Chrome\Application\36.0.1985.125\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.21.153\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.24.15\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Google Talk Plugin\o1dax.dll (Google)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.21.115\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.25.11\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1003_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\1.3.21.111\psuser.dll => No File
CustomCLSID: HKU\S-1-5-21-57989841-179605362-1644491937-1005_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll => No File

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003Core.job => C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003UA.job => C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\jucheck.job => C:\Program Files\Common Files\Java\Java Update\jucheck.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1470936737.job => C:\Program Files\Opera\launcher.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2017-05-24 15:19 - 2016-09-12 11:28 - 04649488 _____ () C:\Program Files\Panda Security\Panda Cloud Cleaner\PCloudCleaner.exe
2017-05-24 15:19 - 2013-07-24 17:33 - 00930784 _____ () C:\Program Files\Panda Security\Panda Cloud Cleaner\libxml2.dll
2017-05-24 15:19 - 2015-11-17 13:46 - 00218360 _____ () C:\Program Files\Panda Security\Panda Cloud Cleaner\PRSBLib.dll
2017-05-24 15:19 - 2010-03-30 21:29 - 00279955 _____ () C:\Program Files\Panda Security\Panda Cloud Cleaner\libidn-11.dll
2017-05-24 15:19 - 2013-06-22 18:23 - 00113166 _____ () C:\Program Files\Panda Security\Panda Cloud Cleaner\zlib1.dll
2008-04-13 18:00 - 2013-01-02 01:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Program Files\Antivirus_Free_Edition.exe:SummaryInformation [43]
AlternateDataStreams: C:\Program Files\Antivirus_Free_Edition.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
AlternateDataStreams: C:\WINDOWS\$NtUninstallKB26929$:SummaryInformation [0]
AlternateDataStreams: C:\Documents and Settings\dean\My Documents\K20 Truck Parts List.rtf:SummaryInformation [43]
AlternateDataStreams: C:\Documents and Settings\dean\My Documents\K20 Truck Parts List.rtf:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SupportSoft RemoteAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-03-29 22:52 - 2017-05-31 11:44 - 00000027 _____ C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-57989841-179605362-1644491937-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\steveo\Application Data\Mozilla\Firefox\Desktop Background.bmp
HKU\S-1-5-21-57989841-179605362-1644491937-1004\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-57989841-179605362-1644491937-1005\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp
DNS Servers: 192.168.0.1 - 205.171.3.25
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: Qwest Personal Digital Vault => "C:\Program Files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe" /m
MSCONFIG\startupreg: QwestTouchPointAgent => "C:\Program Files\Qwest\Desktop\QwestTouchPointAgent.exe" /autostart

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\WINDOWS\Network Diagnostic\xpnetdiag.exe] => Enabled:Network Diagnostic for Windows XP
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
StandardProfile\AuthorizedApplications: [C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe] => Enabled:WebKit
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)

==================== Restore Points =========================

07-06-2017 14:28:31 System Checkpoint

==================== Faulty Device Manager Devices =============

Name: Multimedia Audio Controller
Description: Multimedia Audio Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================

System errors:
=============
Error: (06/07/2017 10:08:27 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
avc3
bdftdif
bdselfpr
ESProtectionDriver
Fips
gzflt
intelppm
trufos

Error: (06/07/2017 10:07:13 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/07/2017 10:05:58 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/07/2017 08:04:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/07/2017 07:59:08 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
avc3
bdftdif
bdselfpr
ESProtectionDriver
Fips
gzflt
intelppm
trufos

Error: (06/07/2017 02:09:05 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for Start with the following error:
Access is denied.

Error: (06/07/2017 02:06:27 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/06/2017 08:48:09 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
avc3
bdftdif
bdselfpr
ESProtectionDriver
Fips
gzflt
intelppm
trufos

Error: (06/06/2017 08:46:54 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (06/06/2017 08:40:29 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084 = This service cannot be started in Safe Mode" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}


==================== Memory info ===========================

Processor:  Intel® Pentium® 4 CPU 2.20GHz
Percentage of memory in use: 66%
Total physical RAM: 759 MB
Available physical RAM: 255.56 MB
Total Virtual: 1853.38 MB
Available Virtual: 1253.96 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.47 GB) (Free:55.51 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 9DC96E9E)
Partition 1: (Not Active) - (Size=31 MB) - (Type=DE)
Partition 2: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#22
RKinner
    Malware Expert
  • Expert
  • 24,598 posts
  • MVP

Let's see if anything is broken:

Start, Run, eventvwr.msc, OK to bring up the Event Viewer.  Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application. (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

 



#23
Lamont_Cranston
    Member
  • Topic Starter
  • Member
  • 36 posts

Ran VEW in Safe Mode.  Here's the System log:

 

 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 08/06/2017 9:41:20 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 08/06/2017 9:35:58 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 08/06/2017 9:34:44 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 08/06/2017 9:33:31 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

And the Application log:

 

 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 08/06/2017 9:48:43 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


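The check being made in posts #22 and #24 (which of these errors are only side effects of a Safe Mode boot, and which are worth chasing?) as a small triage script. This is an added example, not code from the thread, VEW or FRST; it assumes the VEW report layout shown above, and its sample input is constructed from the errors in this thread (the Event 7006 "Access is denied" record is the one from the Addition.txt earlier).

```python
"""Triage Vino's Event Viewer (VEW) System-log text the way posts #22 and #24 do:
separate errors that are expected on a Safe Mode boot from ones that need a look.
Added example; not code from VEW, FRST or the thread. Sample input is constructed."""
import re
from collections import namedtuple

# Constructed sample in VEW's layout: the two Safe Mode errors from the log above
# plus the Event 7006 "Access is denied" error from the Addition.txt in this thread.
SAMPLE_LOG = """\
Vino's Event Viewer v01c run on Windows XP in English
Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 08/06/2017 9:35:58 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 08/06/2017 9:34:44 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 07/06/2017 2:09:05 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for Start with the following error:  Access is denied.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""

# One VEW record: a Log:/Type:/Event: header followed by the message up to the
# next blank line, the next ~~~ section rule, or the end of the text.
RECORD_RE = re.compile(
    r"Log: '(?P<log>[^']+)' Date/Time: (?P<when>[^\n]+)\n"
    r"Type: (?P<type>\w+) Category: \d+\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+)\n"
    r"(?P<message>.*?)(?=\n\n|\n~|\Z)", re.S)

# Win32 error 1084 (ERROR_NOT_SAFEBOOT_SERVICE): EventSystem is not in the SafeBoot
# list, so DCOM cannot start it. VEW prints "%1084", FRST prints "%%1084 = ...".
SAFE_MODE_ERROR = "1084"

Event = namedtuple("Event", "when event_id source message")

def parse_vew(text):
    """Parse VEW report text into Event records; message whitespace is normalised."""
    return [Event(m["when"], int(m["event"]), m["source"], " ".join(m["message"].split()))
            for m in RECORD_RE.finditer(text)]

def failed_drivers(events):
    """Driver names from every Event 7026 record, sorted case-insensitively."""
    names = set()
    for e in events:
        if e.event_id == 7026:
            m = re.search(r"failed to load:\s*(.*)$", e.message)
            if m:
                names.update(m.group(1).split())
    return sorted(names, key=str.lower)

def booted_in_safe_mode(events):
    """A DCOM 10005 with error 1084 only occurs when Windows booted in Safe Mode."""
    return any(e.event_id == 10005 and SAFE_MODE_ERROR in e.message for e in events)

def triage(text):
    """Return the event count, the Safe Mode verdict, failed drivers and the events still worth chasing."""
    events = parse_vew(text)
    safe = booted_in_safe_mode(events)
    follow_up = []
    for e in events:
        if e.event_id == 10005 and SAFE_MODE_ERROR in e.message:
            continue  # expected on a Safe Mode boot
        if e.event_id == 7026 and safe:
            continue  # boot-start drivers outside SafeBoot\Minimal do not load in Safe Mode
        follow_up.append(e)  # e.g. 7006 "Access is denied": a permissions problem, not Safe Mode
    return {"total": len(events), "safe_mode": safe,
            "failed_drivers": failed_drivers(events), "follow_up": follow_up}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} errors, Safe Mode boot: {result['safe_mode']}")
    print("drivers that failed to load:", " ".join(result["failed_drivers"]))
    for e in result["follow_up"]:
        print(f"FOLLOW UP {e.when} {e.source} {e.event_id}: {e.message}")
```

Run it against the log Notepad opens after VEW finishes: a 7026 with no accompanying 1084 error means the drivers failed on a normal boot, which is the case that actually needs attention.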

#24
RKinner
    Malware Expert
  • Expert
  • 24,598 posts
  • MVP

Why Safe Mode?  Won't it go into regular mode now?



#25
Lamont_Cranston
    Member
  • Topic Starter
  • Member
  • 36 posts

I apologize, got accustomed to using Safe Mode.  Went to Selective Startup to keep the older programs from starting, but kept MBAE for now. 

Repeated all steps from post #22 in regular mode.

 

 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 08/06/2017 11:56:52 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 08/06/2017 12:01:04 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Learned with this post that I can now get on the web in normal mode.


Edited by Lamont_Cranston, 08 June 2017 - 11:09 AM.



#26
RKinner
    Malware Expert
  • Expert
  • 24,598 posts
  • MVP

Looks like a miracle cure.  XP probably did something like revert back to last known good or something.  Is it running OK?



#27
Lamont_Cranston
    Member
  • Topic Starter
  • Member
  • 36 posts

The scary thing is that it happened when I was miles away. 

 

After viewing the weather forecast in Safe Mode yesterday morning, I summoned msconfig and unchecked a few boxes to keep those unused icons from populating the tray again; chose not to restart.  Just wanted that done in case I forgot.  Leaving Windows in Safe Mode, I then disconnected the internet cable and left for work.  Even if a brief power spike prompted the afternoon restart, I'd have expected Selective Startup to kick in instead of Normal Startup. 

 

The machine seems to be running OK.  The tiny screen font bugs me but that's easy enough to correct.  Bitdefender and EMET won't start with Windows, and although MBAM never stopped working its tray icon is gone (no biggie, it's on-demand only).  A repair install will probably fix Bitdefender.  I'll have to do a little more digging to figure out what's wrong with EMET.  I'll keep MBAE for now since it's the only active security program I've got.

 

Have you seen anything bothersome in any of the recent logs?  When signing in at geekstogo Firefox warned me that "This connection is not secure. Logins entered here could be compromised."  If there's anything I can do to run this old box safer and leaner I'm open to suggestions. 

 

Maybe I'm still a little skittish, but I'd like to run the ESET online scanner and compare its results to what the Panda scan found.  Downloaded the ESET program a couple of weeks ago but couldn't install it in Safe Mode.


Edited by Lamont_Cranston, 08 June 2017 - 02:53 PM.


#28
RKinner
    Malware Expert
  • Expert
  • 24,598 posts
  • MVP

I get the same warning when logging in to G2G.  It's because G2G doesn't use HTTPS for the logon.

 

Reading up on the Zero Access since it's been so long, it appears that what it usually does to antivirus files is take away their permissions, and that keeps them from running.  So anything that won't run, you right click on it and select Properties then Security, and maybe take ownership if you have to, to give the proper permissions.  Alternatively you can run Windows Repair All In One and just check the file permissions box and maybe the registry permissions too:

 


http://www.tweaking....all_in_one.html

Download it and save it then run it.

You can skip to step 4 or 5 where it gives you the same picture as in the above link.

Make sure just these are checked before hitting Start:

Reset Registry Permissions
Reset File Permissions
 

Reboot then try your security programs.



#29
Lamont_Cranston
    Member
  • Topic Starter
  • Member
  • 36 posts

Downloaded and installed Windows Repair using the link you provided.  Tried to use it in Safe Mode as recommended but couldn't see all the controls and gave up on that. 

 

Since I've never seen this before it took me a while to find the Repairs window.  The registry was backed up automatically and Reset Registry Permissions and Reset File Permissions were checked by default.  Didn't create a new restore point, but I probably should have since I still only have one restore point available.

 

After unchecking the 4 Windows 8/10 options, the program wants to perform 40 repairs.  I'm concerned about a few like Set Windows Services to Default Startup, Repair Windows Updates (I have some sp4 options & tweaks installed), and Restore Important Windows Services, which is kinda vague.  There are some options I've never seen or used before, and I don't know how many of the 40 were affected by ZeroAccess.

 

Would it be advisable to uncheck any options I'm not sure about (like the 3 mentioned above, maybe a couple of others) and run the program again later if needed?  Or should I just assume my machine has been messed up to the point where it's not going to matter?



#30
RKinner
    Malware Expert
  • Expert
  • 24,598 posts
  • MVP

We just want the two options checked so uncheck all of the rest.

