Suspected Malware


I originally posted in Malwarebytes Anti-Malware Help - Cannot close Malware Bytes V2 in XP. As the title suggests, I was having trouble, particularly in closing down MB. I uploaded three files as requested: Addition.txt, CheckResults.txt and FRST.txt, and was told I may have an infection and directed to instructions that invited me to post a new topic here.

I've delayed because of lack of opportunity and also because I found that if I waited about 30-60 secs, MB would indeed close down, so I just carried on. Neither Avira nor MB nor Windows MRT have found anything on scanning my system. However, this morning on start-up, I found my antivirus did not start, which alarmed me, and in (XP) Startup I found two instances of avgnt, one of which was ticked.

This alarmed me and, having had numerous 'funny little things' happen in recent weeks, I uninstalled IObit Uninstaller and (I hope) all my P2P software using Revo Uninstaller, ran FRST again and started this topic.

I hope I've done everything right and that you are able to help.

Thanks.

FRST.txt


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )
  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button & wait for it to finish.
  • Once done, click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Also, please upload the addition.txt by FRST.


Hi and thanks very much for the reply.

Before I start on your instructions, I should clarify that the addition.txt file was uploaded in the course of my posts 5 days ago. I believe this file is only produced on the first run of FRST - do you need that actual one, or can I produce a new one for you by ticking that option if I run FRST again?


OK, here's the ark.txt file below with addition.txt attached.


GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-14 15:38:25
Windows 5.1.2600 Service Pack 3 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-10 SanDisk_SDSSDHP128G rev.X2316RL 119.24GB
Running: y0m80hxq.exe; Driver: C:\DOCUME~1\bully\LOCALS~1\Temp\afrdipow.sys


---- System - GMER 2.1 ----

SSDT            BA70752C                                ZwClose
SSDT            BA7074E6                                ZwCreateKey
SSDT            BA707536                                ZwCreateSection
SSDT            BA7074DC                                ZwCreateThread
SSDT            BA7074EB                                ZwDeleteKey
SSDT            BA7074F5                                ZwDeleteValueKey
SSDT            BA707527                                ZwDuplicateObject
SSDT            BA7074FA                                ZwLoadKey
SSDT            BA7074C8                                ZwOpenProcess
SSDT            BA7074CD                                ZwOpenThread
SSDT            BA70754F                                ZwQueryValueKey
SSDT            BA707504                                ZwReplaceKey
SSDT            BA707540                                ZwRequestWaitReplyPort
SSDT            BA7074FF                                ZwRestoreKey
SSDT            BA70753B                                ZwSetContextThread
SSDT            BA707545                                ZwSetSecurityObject
SSDT            BA7074F0                                ZwSetValueKey
SSDT            BA70754A                                ZwSystemDebugControl
SSDT            BA7074D7                                ZwTerminateProcess

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  snapman.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2  snapman.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3  snapman.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume4  snapman.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume5  snapman.sys

---- EOF - GMER 2.1 ----

Addition.txt

Sorry, addition.txt as a post:


Additional scan result of Farbar Recovery Scan Tool (x86) Version:13-08-2014 01
Ran by bully at 2014-08-14 15:27:10
Running from C:\Documents and Settings\bully\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Disabled - Up to date) {AD166499-45F9-482A-A743-FDD3350758C7}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AC-3 ACM Codec 2.1 (HKLM\...\AC3ACM) (Version: 2.1 - fccHandler)
Acronis Disk Director Home (HKLM\...\{9CCC78EF-027E-40E0-9B61-39932C65E3FE}) (Version: 11.0.216 - Acronis)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.3.300.257 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 11.9.900.117 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.05) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.05 - Adobe Systems Incorporated)
ATI Catalyst Install Manager (HKLM\...\{B000FB7B-A489-25FC-EA84-1AA54AAD55BB}) (Version: 3.0.790.0 - ATI Technologies, Inc.)
Audacity 2.0.3 (HKLM\...\Audacity_is1) (Version: 2.0.3 - Audacity Team)
Avira (HKLM\...\{df495620-2ba9-412d-828d-b27f020d9fc8}) (Version: 1.1.18.28431 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.18.28431 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM\...\Avira AntiVir Desktop) (Version: 14.0.6.552 - Avira)
AviSynth 2.5 (HKLM\...\AviSynth) (Version:  - )
BearPaw 2400CU Plus web V1.2 (HKLM\...\InstallShield_{27F8D5CE-421C-4324-8402-4D551A364F5F}) (Version: 1.2 - Mustek)
BearPaw 2400CU Plus web V1.2 (Version: 1.2 - Mustek) Hidden
calibre (HKLM\...\{D0AA226A-712B-4119-9B28-ABEDD936720F}) (Version: 1.26.0 - Kovid Goyal)
Catalyst Control Center - Branding (Version: 1.00.0000 - ATI) Hidden
Catalyst Control Center Graphics Previews Common (Version: 2010.0825.2146.37182 - ATI) Hidden
CCC Help English (Version: 2010.0825.2145.37182 - ATI) Hidden
ccc-core-static (Version: 2010.0825.2146.37182 - ATI) Hidden
ccc-utility (Version: 2010.0825.2146.37182 - ATI) Hidden
CCExtractor (HKLM\...\{3843A421-F062-4CE7-BAF9-44176B61CF4D}) (Version: 0.64.0 - CCExtractor)
CDDRV_Installer (Version: 4.60 - Logitech) Hidden
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
ConvertHelper 2.2 (HKLM\...\{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1) (Version:  - DownloadHelper)
DVD Decrypter (Remove Only) (HKLM\...\DVD Decrypter) (Version:  - )
DVD Flick 1.3.0.7 (HKLM\...\DVD Flick_is1) (Version: 1.3.0.7 - Dennis Meuwissen)
DVD Shrink 3.2 (HKLM\...\DVD Shrink_is1) (Version:  - DVD Shrink)
Exact Audio Copy 1.0beta3 (HKLM\...\Exact Audio Copy) (Version: 1.0beta3 - Andre Wiethoff)
exPressit SE (HKLM\...\{BB42C935-456E-4A6C-B357-FDEE7A59FE21}) (Version: 3.10.0000 - Medea International Ltd)
ffdshow v1.2.4422 [2012-04-09] (HKLM\...\ffdshow_is1) (Version: 1.2.4422.0 - )
FFmpeg v0.6.2 for Audacity (HKLM\...\FFmpeg for Audacity_is1) (Version:  - )
FileZilla Client 3.6.0.2 (HKLM\...\FileZilla Client) (Version: 3.6.0.2 - FileZilla Project)
Haali Media Splitter (HKLM\...\HaaliMkx) (Version:  - )
HiJackThis (HKLM\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
HP Drive Key Boot Utility (HKLM\...\HP Drive Key Boot Utility) (Version:  - )
HP USB Disk Storage Format Tool (HKLM\...\{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}) (Version:  - )
Image Analyzer (HKLM\...\Image Analyzer) (Version:  - )
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.7.0 - LIGHTNING UK!)
KhalInstallWrapper (Version: 2.00.0000 - Logitech) Hidden
Lame ACM MP3 Codec (HKLM\...\LameACM) (Version:  - )
LAME v3.99.3 (for Windows) (HKLM\...\LAME_is1) (Version:  - )
Lexmark 640 Series (HKLM\...\Lexmark 640 Series) (Version:  - )
Logitech SetPoint (HKLM\...\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}) (Version: 4.80 - Logitech)
Lotus SmartSuite - English (HKLM\...\{536D6172-7453-7569-7465-392E36300409}) (Version:  - Lotus Development Corporation)
Macrium Reflect Free Edition (HKLM\...\MacriumReflect) (Version: 5.2 - Paramount Software (UK) Ltd.)
Macrium Reflect Free Edition (Version: 5.3.7109 - Paramount Software (UK) Ltd.) Hidden
Macromedia Dreamweaver 4 (HKLM\...\{ABDA9912-5D00-11D4-BAE7-9367CA097955}) (Version: 4.0 - Macromedia)
Macromedia Extension Manager (HKLM\...\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}) (Version: 1.2 - Macromedia)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 (Version:  - Microsoft Corporation) Hidden
Microsoft Office XP Professional with FrontPage (HKLM\...\{90280409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Tool Web Package:diskpart.exe (HKLM\...\{9782762F-639B-499B-A23D-5EBEAFC160E6}) (Version: 1.0.0.1 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MKVToolNix 5.8.0 (HKLM\...\MKVToolNix) (Version: 5.8.0 - Moritz Bunkus)
Mozilla Firefox 31.0 (x86 en-US) (HKLM\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)
MP3 Diags (HKLM\...\MP3Diags) (Version:  - )
Mp3tag v2.57 (HKLM\...\Mp3tag) (Version: v2.57 - Florian Heidenreich)
MSXML 6.0 Parser (HKLM\...\{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}) (Version: 6.10.1129.0 - Microsoft Corporation)
Nero 11 DiscSpeed (HKLM\...\{B8B03F99-F600-4D96-ADBD-2F384240FB9C}) (Version: 11.0.00400 - Nero AG)
Nero Core Components 11 (Version: 11.0.15401.1.15 - Nero AG) Hidden
Nero DiscSpeed 11 (Version: 7.0.10400.2.100 - Nero AG) Hidden
Nero DiscSpeed 11 Help (CHM) (Version: 11.0.10000 - Nero AG) Hidden
Nero OEM (HKLM\...\Nero - Burning Rom!UninstallKey) (Version:  - )
nero.prerequisites.msi (Version: 11.0.20008 - Nero AG) Hidden
NET Traffic Meter (HKLM\...\NET Traffic Meter) (Version: 2.0 - KC's ToolBox)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
Opera 12.17 (HKLM\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
Paint Shop Pro 4.12 (HKLM\...\Paint Shop Pro 4.12) (Version:  - )
PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC)
Safari (HKLM\...\{C779648B-410E-4BBA-B75B-5815BCEFE71D}) (Version: 5.34.57.2 - Apple Inc.)
SanDisk SSD Toolkit 1.0.0.1 (HKLM\...\{26326B5B-3D62-4C12-8841-6B55A19B552D}_is1) (Version: 1.0.0.1 - SanDisk Corporation)
SDFormatter (HKLM\...\{179324FF-7B16-4BA8-9836-055CAAEE4F08}) (Version: 4.0.0 - SD Association)
Sigil 0.6.2 (HKLM\...\Sigil_is1) (Version:  - John Schember)
SkypeMate (HKLM\...\SkypeMate) (Version:  - SkypeMate)
Skype™ 6.14 (HKLM\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.14.104 - Skype Technologies S.A.)
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.10.01.6110 - Analog Devices)
SpywareBlaster 5.0 (HKLM\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
Subtitle Workshop 2.51 (HKLM\...\SubtitleWorkshop) (Version:  - )
SubtitleCreator (HKLM\...\SubtitleCreator) (Version: V2.3rc1 - Erik Vullings)
SyncBackFree (HKLM\...\SyncBackFree_is1) (Version: 6.5.30.0 - 2BrightSparks)
TMPGEnc DVD Author 1.6 (HKLM\...\{9CD89DD7-234A-4801-9D87-3DE352E146A0}) (Version: 1.6.34 - Pegasys Inc.)
Tweak UI (HKLM\...\Tweak UI 2.10) (Version:  - )
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2598845) (HKLM\...\KB2598845-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2632503) (HKLM\...\KB2632503-IE8) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (HKLM\...\KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2467659) (HKLM\...\KB2467659) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2492386) (HKLM\...\KB2492386) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2641690) (HKLM\...\KB2641690) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (HKLM\...\KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2718704) (HKLM\...\KB2718704) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2736233) (HKLM\...\KB2736233) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (HKLM\...\KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2808679) (HKLM\...\KB2808679) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2863058) (HKLM\...\KB2863058) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2904266) (HKLM\...\KB2904266) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2934207) (HKLM\...\KB2934207) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation) Hidden
Update for Windows XP (KB955759) (HKLM\...\KB955759) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB967715) (HKLM\...\KB967715) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (HKLM\...\KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (HKLM\...\KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973687) (HKLM\...\KB973687) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (HKLM\...\KB973815) (Version: 1 - Microsoft Corporation)
VideoReDo TVSuite Version 4.20.6.612 (HKLM\...\VideoReDo4_is1) (Version:  - DRD Systems, Inc.)
VobSub v2.23 (Remove Only) (HKLM\...\VobSub) (Version:  - )
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Automated Installation Kit (HKLM\...\{31E8F586-4EF7-4500-844D-BA8756474FF1}) (Version: 2.0.0.0 - Microsoft Corporation)
Windows Backup Utility (HKLM\...\{76EFFC7C-17A6-479D-9E47-8E658C1695AE}) (Version: 5.1 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Encoder 9 Series (HKLM\...\Windows Media Encoder 9) (Version:  - )
Windows Media Encoder 9 Series (Version: 9.00.2980 - Microsoft Corporation) Hidden
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Format 11 runtime (Version:  - Microsoft Corporation) Hidden
Windows Media Format 11 SDK (HKLM\...\{009435FA-9011-4C36-AE7C-CCC9669E7875}) (Version: 11.0.0.5145 - Microsoft Corporation)
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows Media Player 11 (Version:  - Microsoft Corporation) Hidden
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinRAR 4.01 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH)
x264vfw - H.264/MPEG-4 AVC codec (remove only) (HKLM\...\x264vfw) (Version:  - )
Xvid MPEG-4 Video Codec (HKLM\...\xvid) (Version:  - Xvid Development Team)
Xvid Video Codec (HKLM\...\Xvid Video Codec 1.3.2) (Version: 1.3.2 - Xvid Team)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-02-28 13:00 - 2014-07-21 12:46 - 00000842 ____R C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1    localhost

==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

2012-11-29 22:59 - 2012-11-29 22:59 - 00093696 _____ () C:\Program Files\FileZilla FTP Client\fzshellext.dll
2012-05-07 14:28 - 2011-05-28 22:04 - 00140288 _____ () C:\Program Files\WinRAR\rarext.dll
2014-07-21 12:50 - 2014-07-21 12:50 - 00082384 _____ () C:\Program Files\Macrium\Reflect\AESDll.dll
2014-07-30 12:05 - 2014-07-14 16:49 - 00049744 _____ () C:\Documents and Settings\bully\Local Settings\Temp\avgnt.exe\Avira.OE.ExtApi.dll
2014-07-14 16:49 - 2014-07-14 16:49 - 00137296 _____ () C:\Program Files\Avira\My Avira\Avira.OE.NativeCore.dll
2010-03-16 12:22 - 2010-03-16 12:22 - 00014848 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\AxInterop.WBOCXLib.dll
2010-08-04 15:58 - 2010-08-04 15:58 - 00016384 ____R () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
2010-08-25 21:44 - 2010-08-25 21:44 - 00270336 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2014-07-14 16:49 - 2014-07-14 16:49 - 00065104 _____ () C:\Program Files\Avira\My Avira\Avira.OE.AvConnectorNative.dll
2010-05-25 19:53 - 2010-05-25 19:53 - 02139400 _____ () C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0888F409
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:3440EB47
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:3C57BFC0
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:66633281
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:6EEE61F0

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WdfLoadGroup => ""=""

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk => C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lotus QuickStart.lnk => C:\WINDOWS\pss\Lotus QuickStart.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
MSCONFIG\startupfolder: C:^Documents and Settings^bully^Start Menu^Programs^Startup^Lotus SmartSuite 9.6 - English Registration.lnk => C:\WINDOWS\pss\Lotus SmartSuite 9.6 - English Registration.lnkStartup
MSCONFIG\startupreg: AceStream => C:\Documents and Settings\bully\Application Data\ACEStream\engine\ace_engine.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: Advanced SystemCare 7 => "C:\Program Files\IObit\Advanced SystemCare 7\ASCTray.exe" /Auto
MSCONFIG\startupreg: ApnUpdater => "C:\Program Files\Ask.com\Updater\Updater.exe"
MSCONFIG\startupreg: Boxoft Tools => "C:\Documents and Settings\All Users\Application Data\Boxtools\Boxofttoolbox.exe" -autorun
MSCONFIG\startupreg: Ext2 Volume Manager => "C:\Program Files\Ext2Fsd\Ext2Mgr.exe" -quiet
MSCONFIG\startupreg: Google Update => "C:\Documents and Settings\bully\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
MSCONFIG\startupreg: ISUSPM Startup => C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
MSCONFIG\startupreg: ISUSScheduler => "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
MSCONFIG\startupreg: Kernel and Hardware Abstraction Layer => KHALMNPR.EXE
MSCONFIG\startupreg: KernelFaultCheck => %systemroot%\system32\dumprep 0 -k
MSCONFIG\startupreg: LVCOMSX => C:\WINDOWS\system32\LVCOMSX.EXE
MSCONFIG\startupreg: NeroFilterCheck => C:\WINDOWS\system32\NeroCheck.exe
MSCONFIG\startupreg: SDTray => "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
MSCONFIG\startupreg: SearchSettings => "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"
MSCONFIG\startupreg: Skype => "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: Slick Savings => "C:\Documents and Settings\bully\Application Data\Slick Savings\CouponsHelper.exe"
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: TkBellExe => "C:\Program Files\Real\RealPlayer\update\realsched.exe"  -osboot
MSCONFIG\startupreg: TorrentStream => C:\Documents and Settings\bully\Application Data\TorrentStream\engine\tsengine.exe

==================== Faulty Device Manager Devices =============

Name: Standard floppy disk controller
Description: Standard floppy disk controller
Class Guid: {4D36E969-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard floppy disk controllers)
Service: fdc
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: 1394 Net Adapter
Description: 1394 Net Adapter
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: NIC1394
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/28/2014 01:05:59 PM) (Source: Microsoft Office 10) (EventID: 1001) (User: )
Description: Fault bucket 2059394427.

Error: (07/28/2014 01:05:27 PM) (Source: Microsoft Office 10) (EventID: 1000) (User: )
Description: Faulting application winword.exe, version 10.0.6866.0, faulting module winword.exe, version 10.0.6866.0, fault address 0x00005c97.

Error: (07/28/2014 01:03:49 PM) (Source: Microsoft Office 10) (EventID: 1000) (User: )
Description: Faulting application winword.exe, version 10.0.6866.0, faulting module winword.exe, version 10.0.6866.0, fault address 0x00005c97.

Error: (07/27/2014 09:23:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application mbam.exe, version 1.0.0.532, faulting module mbamcore.dll, version 1.0.11.0, fault address 0x0003c560.
Processing media-specific event for [mbam.exe!ws!]

Error: (07/27/2014 05:27:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application subtitleworkshop.exe, version 0.0.0.0, faulting module ffmpeg.dll, version 0.0.0.0, fault address 0x001c1db3.
Processing media-specific event for [subtitleworkshop.exe!ws!]

Error: (07/24/2014 11:50:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application ace_engine.exe, version 0.0.0.0, faulting module wxmsw28uh_adv_vc.dll, version 2.8.12.1, fault address 0x0004a839.
Processing media-specific event for [ace_engine.exe!ws!]

Error: (07/18/2014 00:37:13 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: Fault bucket 221484091.

Error: (07/18/2014 00:37:10 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application MediaInfo.exe, version 0.7.69.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/12/2014 05:58:14 PM) (Source: Application Error) (EventID: 1001) (User: )
Description: Fault bucket -430527053.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication.  The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (07/12/2014 05:58:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application ace_player.exe, version 2.1.6.0, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x0000100b.
Processing media-specific event for [ace_player.exe!ws!]


System errors:
=============
Error: (08/14/2014 11:51:07 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Error: (08/14/2014 10:20:29 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Error: (08/14/2014 10:17:05 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Error: (08/14/2014 10:16:21 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 001BFC9C7BD8 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (08/13/2014 04:30:25 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Error: (08/13/2014 04:29:58 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 001BFC9C7BD8 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (08/13/2014 00:11:31 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Error: (08/13/2014 00:11:04 PM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 001BFC9C7BD8 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Error: (08/13/2014 11:33:50 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1058" attempting to start the service upnphost with arguments ""
in order to run the server:
{204810B9-73B2-11D4-BF42-00B0D0118B56}

Error: (08/13/2014 11:33:23 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.1.2 for the Network Card with network address 001BFC9C7BD8 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).


Microsoft Office Sessions:
=========================
Error: (07/28/2014 01:05:59 PM) (Source: Microsoft Office 10) (EventID: 1001) (User: )
Description: 2059394427

Error: (07/28/2014 01:05:27 PM) (Source: Microsoft Office 10) (EventID: 1000) (User: )
Description: winword.exe10.0.6866.0winword.exe10.0.6866.000005c97

Error: (07/28/2014 01:03:49 PM) (Source: Microsoft Office 10) (EventID: 1000) (User: )
Description: winword.exe10.0.6866.0winword.exe10.0.6866.000005c97

Error: (07/27/2014 09:23:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: mbam.exe1.0.0.532mbamcore.dll1.0.11.00003c560

Error: (07/27/2014 05:27:56 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: subtitleworkshop.exe0.0.0.0ffmpeg.dll0.0.0.0001c1db3

Error: (07/24/2014 11:50:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: ace_engine.exe0.0.0.0wxmsw28uh_adv_vc.dll2.8.12.10004a839

Error: (07/18/2014 00:37:13 PM) (Source: Application Hang) (EventID: 1001) (User: )
Description: 221484091

Error: (07/18/2014 00:37:10 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: MediaInfo.exe0.7.69.0hungapp0.0.0.000000000

Error: (07/12/2014 05:58:14 PM) (Source: Application Error) (EventID: 1001) (User: )
Description: -430527053

Error: (07/12/2014 05:58:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: ace_player.exe2.1.6.0ntdll.dll5.1.2600.60550000100b


==================== Memory info ===========================

Processor: Intel® Core2 Quad CPU Q6600 @ 2.40GHz
Percentage of memory in use: 20%
Total physical RAM: 3326.48 MB
Available physical RAM: 2657.04 MB
Total Pagefile: 5210.6 MB
Available Pagefile: 4556.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1930.95 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:119.24 GB) (Free:102.36 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (Local Disk) (Fixed) (Total:931.51 GB) (Free:306.04 GB) NTFS
Drive e: (Local Disk) (Fixed) (Total:19.53 GB) (Free:2.54 GB) NTFS
Drive f: (Local Disk) (Fixed) (Total:213.35 GB) (Free:88.79 GB) NTFS
Drive i: (WD HDD) (Fixed) (Total:232.88 GB) (Free:108.75 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 932 GB) (Disk ID: DC8F9784)
Partition 1: (Active) - (Size=932 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 119 GB) (Disk ID: 0104DCD2)
Partition 1: (Active) - (Size=119 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 233 GB) (Disk ID: C532C532)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 3 (Size: 233 GB) (Disk ID: 09840983)
Partition 1: (Not Active) - (Size=20 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=213 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

Full System Scan with Malwarebytes Antimalware

  • If it is not already installed, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

fixlist.txt


No threat was detected so I didn't reboot. But MB took almost exactly 60 seconds to close after I clicked 'are you sure you want to exit' - which was the original query.

The Application log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 14/08/2014
Scan Time: 16:04:55
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.14.07
Rootkit Database: v2014.08.04.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: bully

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 274657
Time Elapsed: 5 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:13-08-2014 01
Ran by bully at 2014-08-14 15:58:09 Run:1
Running from C:\Documents and Settings\bully\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0888F409
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:3440EB47
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:3C57BFC0
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:66633281
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:6EEE61F0
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

EmptyTemp:
*****************

C:\Documents and Settings\All Users\Application Data\TEMP => ":0888F409" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":3440EB47" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":3C57BFC0" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":5C321E34" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":66633281" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":6EEE61F0" ADS removed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
EmptyTemp: => Removed 1 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====
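
A check worth making on any Fixlog before moving on: does every directive in the echoed fixlist have a matching success line? The script below is an added example for this thread, not part of the post and not FRST's own code. It derives the success-line wording from the three directive types this Fixlog contains (AlternateDataStreams, a CHR registry policy entry, EmptyTemp); any other directive is reported as unknown rather than guessed. The Fixlog text in the block is constructed from the log above, with one extra ADS directive (TEMP:DEADBEEF) that has no result line, to show what a silently skipped entry looks like.

```python
"""Reconcile an FRST Fixlog.txt against the fixlist it executed.

Added example for this thread; not part of the forum post or of FRST.
Success-line formats are taken from the posted Fixlog; other directive
types are reported as 'unknown directive' rather than guessed.
"""
import re

# Constructed from the Fixlog in the thread, plus one ADS directive
# (TEMP:DEADBEEF) with no matching result line.
FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:13-08-2014 01
Ran by bully at 2014-08-14 15:58:09 Run:1
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:0888F409
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:3440EB47
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:DEADBEEF
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

EmptyTemp:
*****************

C:\Documents and Settings\All Users\Application Data\TEMP => ":0888F409" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":3440EB47" ADS removed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
EmptyTemp: => Removed 1 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====
"""

FIXLIST_MARKER = "*****************"


def split_fixlog(text):
    """Return (directives, result_lines).

    The fixlist is echoed between two marker lines right after
    "Content of fixlist:"; everything after the second marker is output.
    """
    lines = [line.rstrip() for line in text.splitlines()]
    start = lines.index("Content of fixlist:") + 2      # skip heading and first marker
    end = lines.index(FIXLIST_MARKER, start)
    directives = [line.strip() for line in lines[start:end] if line.strip()]
    results = [line.strip() for line in lines[end + 1:] if line.strip()]
    return directives, results


# e.g. "CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION"
REG_DIRECTIVE = re.compile(r"^\w+\s+(HK[A-Z]+\\[^:]+):")


def expected_result(directive):
    """Prefix of the success line FRST logs for the directive types in this Fixlog."""
    if directive.startswith("AlternateDataStreams:"):
        target = directive.split(":", 1)[1].strip()
        path, _, stream = target.rpartition(":")       # last ':' separates the stream name
        return f'{path} => ":{stream}" ADS removed successfully.'
    if directive.startswith("EmptyTemp:"):
        return "EmptyTemp: => Removed"
    m = REG_DIRECTIVE.match(directive)
    if m:
        return f'"{m.group(1)}" => Key deleted successfully.'
    return None


def reconcile(text):
    """Map every fixlist directive to 'ok', 'no success line' or 'unknown directive'."""
    directives, results = split_fixlog(text)
    status = {}
    for directive in directives:
        expected = expected_result(directive)
        if expected is None:
            status[directive] = "unknown directive"
        elif any(line.startswith(expected) for line in results):
            status[directive] = "ok"
        else:
            status[directive] = "no success line"
    return status


def needs_reboot(text):
    """FRST states explicitly when the fix needs a restart to complete."""
    _, results = split_fixlog(text)
    return "The system needed a reboot." in results


if __name__ == "__main__":
    for directive, state in reconcile(FIXLOG).items():
        print(f"{state:16} {directive}")
    print("reboot required:", needs_reboot(FIXLOG))
```

Run it against a real Fixlog.txt by reading the file into `FIXLOG`; a directive reported as "no success line" is the one to look at before declaring the fix done, and "unknown directive" only means this script does not know FRST's wording for that type.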


Hi Marius - I did everything you suggested, even uninstalled avira because I could not disable it. But the problem of shutting down MB remains. Does this mean I definitely do not have a virus? It's just that I can't find anyone else reporting problems shutting down MB.


Let's finish the process. If we cannot find anything malicious, we'll hand you over to the MBAM support guys. :)

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


OK 18 infected files:

C:\Program Files\InstallConverter bundle uninstaller\uninstaller.exe    a variant of Win32/ClientConnect.A potentially unwanted application
D:\Downloads\BT clients\Portforward-Setup-Static-IP-Address.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
D:\Downloads\Freefootie\Acestream\Advanced-SystemCare.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
D:\Downloads\Freefootie\SopCast\SopCast-3.8.2.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
D:\Downloads\Nero\Nero-6.6.1.15c_wch.exe    Win32/Toolbar.AskSBar potentially unwanted application
D:\Downloads\Partion tool\tb_free.exe    a variant of Win32/TFTPD32.A potentially unsafe application
D:\Downloads\Peer Guardian\Blocklist_Manager_Install_2.7.7.exe    Win32/NetTool.Portscan.C potentially unsafe application
D:\Downloads\recover files\PandoraRecovery.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\Downloads\recover files\undeleteplus_setup_ask.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
E:\Back-up\WinXP SP2 OS bootleg\Windows XP Home SP2 [OEM Edition].rar    Win32/HackTool.WpaKill.B potentially unsafe application
E:\synchback\Downloads\BT clients\Portforward-Setup-Static-IP-Address.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\synchback\Downloads\Freefootie\Acestream\Advanced-SystemCare.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
E:\synchback\Downloads\Freefootie\SopCast\SopCast-3.8.2.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
E:\synchback\Downloads\Nero\Nero-6.6.1.15c_wch.exe    Win32/Toolbar.AskSBar potentially unwanted application
E:\synchback\Downloads\Partion tool\tb_free.exe    a variant of Win32/TFTPD32.A potentially unsafe application
E:\synchback\Downloads\Peer Guardian\Blocklist_Manager_Install_2.7.7.exe    Win32/NetTool.Portscan.C potentially unsafe application
E:\synchback\Downloads\recover files\PandoraRecovery.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
E:\synchback\Downloads\recover files\undeleteplus_setup_ask.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
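
Half of the 18 lines above are the same eight files seen twice, once under D:\Downloads and once in the E:\synchback mirror; deleting only the live copies leaves a backup that re-introduces them on the next restore. The script below is an added example for this thread, not part of the post and not an ESET tool: it parses an ESET "List of found threats" export into path, detection name and category, and folds the mirror onto the live path so the pairs line up. The sample input is the thread's 18 findings embedded as constructed text (the parser accepts a tab, which ESET's export uses, or a run of spaces as the rendering above has); the mirror prefix `E:\synchback\` is taken from the paths in the post.

```python
"""Triage an ESET Online Scanner 'List of found threats' export.

Added example for this thread; not part of the post and not ESET's code.
Separator between path, detection and category may be a tab or a run of
two or more spaces. Sample input is constructed from the thread's post.
"""
import re
from collections import Counter

ESET_EXPORT = r"""
C:\Program Files\InstallConverter bundle uninstaller\uninstaller.exe    a variant of Win32/ClientConnect.A potentially unwanted application
D:\Downloads\BT clients\Portforward-Setup-Static-IP-Address.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
D:\Downloads\Freefootie\Acestream\Advanced-SystemCare.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
D:\Downloads\Freefootie\SopCast\SopCast-3.8.2.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
D:\Downloads\Nero\Nero-6.6.1.15c_wch.exe    Win32/Toolbar.AskSBar potentially unwanted application
D:\Downloads\Partion tool\tb_free.exe    a variant of Win32/TFTPD32.A potentially unsafe application
D:\Downloads\Peer Guardian\Blocklist_Manager_Install_2.7.7.exe    Win32/NetTool.Portscan.C potentially unsafe application
D:\Downloads\recover files\PandoraRecovery.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\Downloads\recover files\undeleteplus_setup_ask.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
E:\Back-up\WinXP SP2 OS bootleg\Windows XP Home SP2 [OEM Edition].rar    Win32/HackTool.WpaKill.B potentially unsafe application
E:\synchback\Downloads\BT clients\Portforward-Setup-Static-IP-Address.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
E:\synchback\Downloads\Freefootie\Acestream\Advanced-SystemCare.exe    a variant of Win32/Toolbar.Widgi.B potentially unwanted application
E:\synchback\Downloads\Freefootie\SopCast\SopCast-3.8.2.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
E:\synchback\Downloads\Nero\Nero-6.6.1.15c_wch.exe    Win32/Toolbar.AskSBar potentially unwanted application
E:\synchback\Downloads\Partion tool\tb_free.exe    a variant of Win32/TFTPD32.A potentially unsafe application
E:\synchback\Downloads\Peer Guardian\Blocklist_Manager_Install_2.7.7.exe    Win32/NetTool.Portscan.C potentially unsafe application
E:\synchback\Downloads\recover files\PandoraRecovery.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
E:\synchback\Downloads\recover files\undeleteplus_setup_ask.exe    a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)(?:\t|\s{2,})"
    r"(?P<variant>a variant of )?(?P<name>\S+)\s+"
    r"(?P<category>potentially (?:unwanted|unsafe) application)$"
)

MIRROR_PREFIX = "E:\\synchback\\"   # SyncBack copy of D:\ as seen in the post
LIVE_PREFIX = "D:\\"


def parse_eset_export(text):
    """One dict per finding; raises on any line the pattern does not cover."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed line: {line!r}")
        findings.append({
            "path": m["path"],
            "name": m["name"],
            "variant": m["variant"] is not None,   # heuristic ("a variant of") detection
            "category": "unsafe" if "unsafe" in m["category"] else "unwanted",
        })
    return findings


def canonical(path):
    """Fold the backup mirror onto the live location so the two copies line up."""
    if path.lower().startswith(MIRROR_PREFIX.lower()):
        return LIVE_PREFIX + path[len(MIRROR_PREFIX):]
    return path


def mirror_groups(findings):
    """Findings present both live and in the mirror, keyed by the live path."""
    groups = {}
    for f in findings:
        groups.setdefault(canonical(f["path"]), []).append(f["path"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def category_counts(findings):
    return Counter(f["category"] for f in findings)


def name_counts(findings):
    return Counter(f["name"] for f in findings)


if __name__ == "__main__":
    found = parse_eset_export(ESET_EXPORT)
    print(dict(category_counts(found)))
    for live, copies in mirror_groups(found).items():
        print(f"{len(copies)} copies of {live}")
```

"Potentially unsafe" in ESET's vocabulary covers legitimate tools that are dangerous in the wrong hands (a TFTP server, a port scanner, an activation-bypass tool); "potentially unwanted" is the bundled-toolbar class. Neither is an infection, which is what the helper says below, but every path in a mirror group has to be removed from both locations or the cleanup is undone by the next sync.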


I should mention that in the course of the steps taken over the last 24 hours I have completely lost the contents of my C:\Temp directory and all of its subdirectories - some 64GB of data. Luckily I back up regularly but god knows what happened. Incidentally, the bootleg\Windows XP Home SP2 [OEM Edition].rar file has been on my HDD back up for ages. I use a genuine copy of Win XP and have now deleted this old one.


Got real problems here. For example (following on the loss of my Temp folder), the store folder containing my OE messages shows up in explorer as empty. However, they all show in OE and the location of the message store tallies with the empty folder. Both these folders are regularly backed up using syncback, but it's all very worrying. I'm going to run eset again and delete anything it finds.


Temporary files are purged during our removal processes because they may slow down the system and contain older malicious files.

Never save your working data there!

The files ESET found are not malware, but they contain security risks. I'd delete them immediately - your choice.

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[s1].txt also

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.


OK, thanks, I'll get on with these steps. I should mention that the Temp file was a top level one I created on my C: drive in which I keep a lot of not crucial but important working files - it isn't stashed away in documents and settings or anything. Perhaps I should rename it.

I also found that my OE email folder was empty. I use italics because although the folder showed no files when I opened it, they were clearly there in the OE user interface. And when I used syncback to back up the OE folder, all the files were visible in the back up folder but not in the OE folder. So they - and maybe the Temp files - were presumably there, just not showing for some reason. [Both the OE and the Temp folders showed 0 objects and 0 MB in the status bar.]


Adwcleaner report

# AdwCleaner v3.307 - Report created 18/08/2014 at 11:32:09
# Updated 17/08/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : bully - WWFC-B7DFF83E8A
# Running from : C:\Documents and Settings\bully\Desktop\adwcleaner_3.307.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchSettings
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKLM\SOFTWARE\ParetoLogic
Key Deleted : HKLM\SOFTWARE\PIP

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Documents and Settings\bully\Application Data\Mozilla\Firefox\Profiles\e8sr68fs.default-1406300849984\prefs.js ]


[ File : C:\Documents and Settings\bully\Application Data\Mozilla\Firefox\Profiles\tkwibr2f.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2053 octets] - [18/08/2014 11:24:04]
AdwCleaner[R1].txt - [2113 octets] - [18/08/2014 11:26:57]
AdwCleaner[s0].txt - [2062 octets] - [18/08/2014 11:32:09]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2122 octets] ##########



JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Microsoft Windows XP x86
Ran by bully on 18/08/2014 at 11:38:08.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\bully\Local Settings\Application Data\apn"



~~~ FireFox

Successfully deleted the following from C:\Documents and Settings\bully\Application Data\mozilla\firefox\profiles\e8sr68fs.default-1406300849984\prefs.js

user_pref("avira.safe_search.search_was_active", "false");
user_pref("extensions.bootstrappedAddons", "{\"safesearch@avira.com\":{\"version\":\"1.0.1\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Documents and Settings\\\\bully\\\\A
user_pref("extensions.safesearch.MP_DISTINCT_ID", "\"147d92f55232d-03f79fbc9499ce-7c6f1635-0-147d92f55241bf\"");
user_pref("extensions.safesearch.SAUTH_rndsnr", "\"0fa24ed3a1660c99cf6f800178c2f43ff2a83d8a\"");
user_pref("extensions.safesearch.install", "1408098063657");





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 18/08/2014 at 11:41:06.75
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
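
What JRT did to the Firefox profile above is mechanical: it dropped the user_pref() lines belonging to the Avira SafeSearch add-on, including the extensions.bootstrappedAddons entry that registers it. The script below is an added example for this thread, not part of the post and not JRT's code. It parses a prefs.js, decodes the JSON blob Firefox keeps in extensions.bootstrappedAddons to list bootstrapped add-ons, collects the prefs under an add-on's namespaces (extensions.<localpart>. and <localpart>., plus any extra namespaces you name, such as avira. here), and returns the file with those lines removed. The prefs.js in the block is constructed: the add-on ID and version come from the JRT log, but the descriptor path and the MP_DISTINCT_ID value are placeholders, not the values from the thread.

```python
"""Audit a Firefox prefs.js for entries an add-on left behind.

Added example for this thread; not part of the post and not JRT's code.
The sample prefs.js is constructed; descriptor path and ID value are
placeholders.
"""
import json
import re

SAMPLE_PREFS_JS = r'''# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1408000000);
user_pref("avira.safe_search.search_was_active", "false");
user_pref("extensions.bootstrappedAddons", "{\"safesearch@avira.com\":{\"version\":\"1.0.1\",\"type\":\"extension\",\"descriptor\":\"C:\\\\placeholder\\\\safesearch@avira.com.xpi\"}}");
user_pref("extensions.safesearch.install", "1408098063657");
user_pref("extensions.safesearch.MP_DISTINCT_ID", "\"placeholder-id\"");
user_pref("browser.startup.homepage", "about:home");
user_pref("privacy.donottrackheader.enabled", true);
'''

# user_pref("name", <JS literal>);  -- the literal is a string, number or bool
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Name -> decoded value. JS string/number/bool literals are valid JSON too."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = json.loads(m.group(2))
    return prefs


def bootstrapped_addons(prefs):
    """Decode the JSON blob Firefox stores in extensions.bootstrappedAddons."""
    return json.loads(prefs.get("extensions.bootstrappedAddons", "{}"))


def leftover_prefs(prefs, addon_id, extra_namespaces=()):
    """Pref names under extensions.<localpart>. and <localpart>. plus extra namespaces."""
    local = addon_id.split("@", 1)[0].lower()
    namespaces = {f"extensions.{local}.", f"{local}."} | {ns.lower() for ns in extra_namespaces}
    return sorted(n for n in prefs if any(n.lower().startswith(ns) for ns in namespaces))


def stale_entries(text, addon_id, extra_namespaces=()):
    """All pref names to drop when purging addon_id, bootstrappedAddons included if it lists it."""
    prefs = parse_prefs(text)
    names = leftover_prefs(prefs, addon_id, extra_namespaces)
    if addon_id in bootstrapped_addons(prefs):
        names.append("extensions.bootstrappedAddons")
    return names


def strip_prefs(text, names):
    """Return the prefs.js text without the named user_pref lines; other lines untouched."""
    drop = set(names)
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in drop:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    names = stale_entries(SAMPLE_PREFS_JS, "safesearch@avira.com", ("avira.",))
    print("would remove:", names)
    print(strip_prefs(SAMPLE_PREFS_JS, names))
```

Edit prefs.js only with Firefox closed, since it rewrites the file on exit and would overwrite the change. Dropping the whole extensions.bootstrappedAddons pref rather than one key inside it mirrors what the JRT log shows; the namespace heuristic is deliberately conservative, so pass any vendor prefix the add-on uses (avira. above) explicitly rather than widening the match.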



Checkup.txt

 Results of screen317's Security Check version 0.99.87  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 Avira Free Antivirus    
 Avira      
 ESET Online Scanner v3   
 Avira successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0    
  Adobe Flash Player     11.9.900.117 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox (31.0)
````````Process Check: objlist.exe by Laurent````````  
 Avira Antivir avgnt.exe
 Avira Antivir avguard.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````



Most cleanup tools also search for and remove the temp folder on the C: drive.

It is never a good idea to store such data in a directory named tmp or temp.

Your system is clean now! :)


Adobe Flash Player out of date

Your Adobe Flash Player is outdated. We will fix this.

  • Get the current player from here. Important: uncheck any optional software (for example Google Chrome, etc.) offered.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.

Uninstall our tools using delfix

Please follow these steps in order:

  1. In case we used Defogger to turn off your CD emulation software: you can start it again and use the Enable button.
  2. In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left, please delete it manually.

Delete System Restore Points

To ensure your System Restore Points are free of malware, we will delete all of them but the most recent or create a new one.

On Windows Vista: Please follow these instructions to delete all but the most recent System Protection Restore Points.
On Windows 7/8: Please follow these instructions to delete all but the most recent System Protection Restore Points.
On Windows XP: Please follow these instructions to delete all but the most recent System Protection Restore Points.

Temp File Cleaner

We need to download Temp File Cleaner (TFC) by OldTimer:

  • Please download TFC.exe by Oldtimer at one of the two links: Link 1 Link 2
  • Save and close all running applications
  • Double-click on TFC.exe to run the program
  • Click on Start to begin the cleaning process note: this program may close running applications, make your screen disappear temporarily, or require a reboot of your PC - this is normal and part of the cleanup
  • When the scan is complete, if you were not asked to reboot the computer, please do so now

More Information can be found about the tool here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Recommendations: How to protect yourself

  • System Updates
    Please ensure that you have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a web site classified as dangerous, a warning screen is displayed.
  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:
  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke among IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.




You're right - I've fixed the link.

Adobe Flash Player out of date

Your Adobe Flash Player is outdated. We will fix this.

  • Get the current player from here. Important: uncheck any optional software (for example Google Chrome, etc.) offered.
  • Click upon Start-->control panel-->add/remove programs.
  • Search for and remove any older reader versions.

No need to modify anything else. :)
