
MBAM found FBI Moneypak but can't remove it.

Running in safe mode w/ networking. Keyboard is not working.

FRST logs below.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-01-2015
Ran by Administrator (administrator) on P4 on 01-01-2015 11:49:13
Running from C:\Documents and Settings\Administrator\Desktop
Loaded Profile: Administrator (Available profiles: Dan Nelson & Administrator)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [CTSysVol] => C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe [57344 2003-09-17] (Creative Technology Ltd)
HKLM\...\Run: [ATIPTA] => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [339968 2004-08-25] (ATI Technologies, Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-11-21] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-725345543-413027322-2147145749-500\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-725345543-413027322-2147145749-500\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: [s-1-5-21-725345543-413027322-2147145749-500] ATTENTION ==> Default URLSearchHook is missing.
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Hosts: Hosts file not detected in the default directory
Tcpip\..\Interfaces\{772E3146-9FBD-4404-986D-CB7B605FDCCE}: [NameServer] 192.168.2.1
Tcpip\..\Interfaces\{8A390629-F4C9-4326-A83B-26FE473C3C83}: [NameServer] 192.168.2.1

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-03-24]

Chrome:
=======

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [389120 2004-08-25] ()
S2 ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [593920 2008-07-31] () [File not signed]
S3 HP Status Server; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE [73728 2004-10-16] (Hewlett-Packard Company)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-12-12] (Oracle Corporation)
S2 Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [73728 2007-08-08] (HP) [File not signed]
S2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [20480 2009-09-16] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2007-05-24] (Intuit Inc.) [File not signed]
S2 WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [53520 2000-06-26] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 FETNDISB; C:\WINDOWS\System32\DRIVERS\dlkfet5b.sys [43008 2007-07-13] (D-Link                              )
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [49664 2006-04-12] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2006-04-12] (HP)
R3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21568 2006-04-12] (HP)
S3 mferkdk; C:\WINDOWS\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)
S3 mfesmfk; C:\WINDOWS\System32\drivers\mfesmfk.sys [40552 2009-09-16] (McAfee, Inc.)
R1 MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [120136 2012-04-04] (McAfee, Inc.)
S3 P17; C:\WINDOWS\System32\drivers\P17.sys [840960 2004-06-09] (Creative Technology Ltd.)
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20576 2004-08-02] (Sonic Solutions) [File not signed]
S3 catchme; \??\C:\DOCUME~1\DANNEL~1\LOCALS~1\Temp\catchme.sys [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

NETSVC: F700isw -> No Registry Path.
NETSVC: wstcodec -> No Registry Path.
NETSVC: ELacpi -> No Registry Path.
NETSVC: DcLps -> No Registry Path.

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-01 11:49 - 2015-01-01 11:49 - 00008054 _____ () C:\Documents and Settings\Administrator\Desktop\FRST.txt
2015-01-01 11:48 - 2015-01-01 11:49 - 00000000 ____D () C:\FRST
2015-01-01 11:47 - 2015-01-01 11:42 - 01114624 _____ (Farbar) C:\Documents and Settings\Administrator\Desktop\FRST.exe
2014-12-31 10:58 - 2015-01-01 09:53 - 00003324 _____ () C:\Documents and Settings\Administrator\Desktop\Rkill.txt
2014-12-31 10:58 - 2014-12-31 10:30 - 01940728 _____ (Bleeping Computer, LLC) C:\Documents and Settings\Administrator\Desktop\rkill.exe
2014-12-12 16:25 - 2014-12-12 16:25 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-12-12 16:25 - 2014-12-12 16:25 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-12-12 16:25 - 2014-12-12 16:24 - 00272808 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-12-12 16:25 - 2014-12-12 16:24 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-12-12 16:25 - 2014-12-12 16:24 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-12-12 16:25 - 2014-12-12 16:24 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-12-12 16:25 - 2014-12-12 16:24 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-01 11:49 - 2012-03-07 15:02 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2015-01-01 11:18 - 2014-08-22 08:32 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-01 11:05 - 2014-08-20 07:14 - 00000000 ____D () C:\AdwCleaner
2015-01-01 09:46 - 2012-03-05 12:13 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2015-01-01 09:46 - 2010-01-05 11:35 - 00000000 ___DC () C:\WINDOWS\$NtUninstallKB955759$
2015-01-01 09:46 - 2008-09-13 05:16 - 01810058 _____ () C:\WINDOWS\WindowsUpdate.log
2014-12-31 12:40 - 2012-03-07 15:02 - 00000000 ____D () C:\Documents and Settings\Dan Nelson\Local Settings\temp
2014-12-31 12:03 - 2014-08-22 08:31 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-31 12:02 - 2014-08-22 08:32 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-31 12:02 - 2014-08-22 08:32 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-31 10:57 - 2014-10-29 07:52 - 00006077 _____ () C:\WINDOWS\setupapi.log
2014-12-31 10:56 - 2014-05-02 10:01 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2929961$
2014-12-31 10:16 - 2008-09-13 05:25 - 00000278 ___SH () C:\Documents and Settings\Dan Nelson\ntuser.ini
2014-12-31 10:16 - 2008-09-13 05:24 - 00032612 _____ () C:\WINDOWS\SchedLgU.Txt
2014-12-31 10:16 - 2008-09-13 05:24 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-12-31 10:16 - 2008-09-12 23:11 - 00000275 _____ () C:\WINDOWS\wiadebug.log
2014-12-12 16:33 - 2008-09-12 16:09 - 00000327 ___SH () C:\boot.ini
2014-12-12 16:33 - 2004-08-12 06:09 - 00000668 _____ () C:\WINDOWS\win.ini
2014-12-12 16:33 - 2004-08-12 06:07 - 00000227 _____ () C:\WINDOWS\system.ini
2014-12-12 16:30 - 2014-05-02 10:17 - 00000232 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-12-12 16:30 - 2008-09-12 23:11 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-12-12 16:24 - 2011-11-17 10:01 - 00000000 ____D () C:\Program Files\Java
2014-12-11 02:13 - 2014-05-02 10:17 - 00000226 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-12-08 11:08 - 2008-09-12 23:10 - 00598640 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-12-08 11:06 - 2004-08-12 06:10 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

------------------------------------

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 01-01-2015
Ran by Administrator at 2015-01-01 11:51:13
Running from C:\Documents and Settings\Administrator\Desktop
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

530TX+ (HKLM\...\InstallShield_{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}) (Version: 1.00.0000 - D-Link)
530TX+ (Version: 1.00.0000 - D-Link) Hidden
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.5.502.146 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
AiO_Scan_CDA (Version: 70.0.231.000 - Hewlett-Packard) Hidden
AiOSoftwareNPI (Version: 70.0.231.000 - Hewlett-Packard) Hidden
Any Video Converter 2.7.1 (HKLM\...\Any Video Converter_is1) (Version:  - Any-Video-Converter.com)
ATI - Software Uninstall Utility (HKLM\...\All ATI Software) (Version: 6.14.10.1014 - )
ATI Control Panel (HKLM\...\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}) (Version: 6.14.10.5120 - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.051-040825a-019641C-Dell - )
CCleaner (HKLM\...\CCleaner) (Version: 4.04 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CorelDRAW Graphics Suite 12 (HKLM\...\{505AFDC0-5E72-4928-8368-5DEA385E3647}) (Version: 12.0.0.536 - Corel Corporation)
Critical Update for Windows Media Player 11 (KB959772) (HKLM\...\KB959772_WM11) (Version:  - Microsoft Corporation)
Dell Printer Software Uninstall (HKLM\...\Dell_HostCD) (Version:  - Dell, Inc.)
Dell Resource CD (HKLM\...\{FCD9CD52-7222-4672-94A0-A722BA702FD0}) (Version: 1.00.0000 - Dell Inc.)
D-Link DFE-530TX+ (HKLM\...\InstallShield_{2D6A5BD9-FE4B-49CD-8D96-2C4746302A82}) (Version:  - D-Link)
D-Link DFE-530TX+ (Version:  - D-Link) Hidden
D-Link PCI Fast Ethernet Adapter (HKLM\...\VN_VUIns_Rhine_D-Link) (Version:  - )
Fax_CDA (Version: 70.0.231.000 - Hewlett-Packard) Hidden
Google SketchUp 8 (HKLM\...\{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}) (Version: 3.0.11752 - Google, Inc.)
HP Photosmart, Officejet and Deskjet 7.0.A (HKLM\...\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}) (Version:  - HP)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Standard Edition 2003 (HKLM\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
NewCopy_CDA (Version: 70.0.231.000 - Hewlett-Packard) Hidden
OmniFormat (HKLM\...\OmniFormat) (Version:  - )
Pdf995 (HKLM\...\Pdf995) (Version:  - )
PdfEdit995 (HKLM\...\PdfEdit995) (Version:  - )
QFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
QuickBooks Pro 2008 (HKLM\...\{8ECB8220-F422-4BEB-9596-97033C533702}) (Version: 18.0.4010.606 - Intuit Inc.)
Readme (Version: 70.0.231.000 - Hewlett-Packard) Hidden
Scan (Version: 7.0.0.0 - Hewlett-Packard) Hidden
Shared C Run-time for x86 (Version: 10.0.0 - McAfee) Hidden
Signature995 (HKLM\...\Signature995) (Version:  - )
Sonic RecordNow! (HKLM\...\{9541FED0-327F-4DF0-8B96-EF57EF622F19}) (Version: 7.3 - Sonic Solutions)
Sound Blaster Live! 24-bit (HKLM\...\{CEB481CC-F57C-4397-81A0-DADD22257047}) (Version:  - )
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WebReg (Version: 70.0.170.000 - Hewlett-Packard) Hidden
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows PowerShell 1.0 (HKLM\...\KB926139-v2) (Version: 2 - Microsoft Corporation)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
WinSCP 4.1.6 (HKLM\...\winscp3_is1) (Version: 4.1.6 - Martin Prikryl)
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

02-10-2014 20:38:40 System Checkpoint
03-10-2014 21:38:40 System Checkpoint
04-10-2014 22:38:40 System Checkpoint
05-10-2014 23:38:40 System Checkpoint
07-10-2014 00:38:33 System Checkpoint
08-10-2014 01:38:38 System Checkpoint
10-10-2014 14:11:16 System Checkpoint
11-10-2014 14:14:09 System Checkpoint
12-10-2014 15:26:10 System Checkpoint
13-10-2014 15:45:46 System Checkpoint
14-10-2014 16:45:57 System Checkpoint
15-10-2014 17:45:57 System Checkpoint
16-10-2014 18:45:57 System Checkpoint
17-10-2014 19:45:57 System Checkpoint
18-10-2014 20:45:57 System Checkpoint
19-10-2014 21:45:57 System Checkpoint
20-10-2014 22:45:42 System Checkpoint
21-10-2014 23:45:34 System Checkpoint
23-10-2014 00:45:34 System Checkpoint
24-10-2014 01:45:34 System Checkpoint
25-10-2014 02:45:34 System Checkpoint
26-10-2014 03:45:33 System Checkpoint
27-10-2014 04:45:33 System Checkpoint
28-10-2014 05:45:21 System Checkpoint
28-10-2014 13:29:05 Removed Turbo Lister 2.
29-10-2014 13:30:58 System Checkpoint
30-10-2014 14:30:56 System Checkpoint
31-10-2014 15:29:56 System Checkpoint
01-11-2014 16:29:57 System Checkpoint
02-11-2014 17:28:56 System Checkpoint
03-11-2014 18:29:03 System Checkpoint
04-11-2014 19:28:47 System Checkpoint
05-11-2014 20:28:49 System Checkpoint
06-11-2014 21:27:45 System Checkpoint
07-11-2014 22:26:43 System Checkpoint
08-11-2014 23:25:43 System Checkpoint
10-11-2014 14:12:11 System Checkpoint
11-11-2014 14:24:41 System Checkpoint
12-11-2014 15:24:41 System Checkpoint
13-11-2014 16:24:41 System Checkpoint
14-11-2014 17:24:41 System Checkpoint
15-11-2014 18:24:41 System Checkpoint
16-11-2014 19:24:42 System Checkpoint
17-11-2014 20:24:41 System Checkpoint
18-11-2014 21:22:13 System Checkpoint
19-11-2014 22:22:13 System Checkpoint
20-11-2014 23:22:13 System Checkpoint
22-11-2014 00:22:13 System Checkpoint
23-11-2014 01:22:13 System Checkpoint
24-11-2014 02:22:13 System Checkpoint
25-11-2014 03:22:13 System Checkpoint
08-12-2014 12:01:28 System Checkpoint
09-12-2014 15:34:59 System Checkpoint
10-12-2014 19:22:59 System Checkpoint
11-12-2014 20:24:19 System Checkpoint
12-12-2014 16:23:24 Removed Java 7 Update 67
12-12-2014 16:24:14 Installed Java 7 Update 71
13-12-2014 17:36:55 System Checkpoint
14-12-2014 17:38:00 System Checkpoint
15-12-2014 21:36:41 System Checkpoint
17-12-2014 01:36:40 System Checkpoint
18-12-2014 01:37:45 System Checkpoint
19-12-2014 05:36:40 System Checkpoint
20-12-2014 09:36:40 System Checkpoint
21-12-2014 13:36:40 System Checkpoint
22-12-2014 17:36:19 System Checkpoint
23-12-2014 21:36:13 System Checkpoint
25-12-2014 01:36:13 System Checkpoint
26-12-2014 05:36:13 System Checkpoint
27-12-2014 09:36:13 System Checkpoint
28-12-2014 13:36:13 System Checkpoint
29-12-2014 17:37:07 System Checkpoint
30-12-2014 21:35:54 System Checkpoint

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\WINDOWS\$NtUninstallKB8530$:SummaryInformation

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\36766867.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\36766867.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MpfService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-725345543-413027322-2147145749-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-725345543-413027322-2147145749-1005 - Limited - Enabled)
Dan Nelson (S-1-5-21-725345543-413027322-2147145749-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Dan Nelson
Guest (S-1-5-21-725345543-413027322-2147145749-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-725345543-413027322-2147145749-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-725345543-413027322-2147145749-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/01/2015 11:49:29 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (01/01/2015 11:49:29 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (11/24/2014 09:20:38 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (11/24/2014 09:20:38 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (11/24/2014 09:20:38 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/29/2014 10:49:01 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/29/2014 10:49:01 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/29/2014 10:49:01 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (08/20/2014 07:07:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0x07db5ac3.
Processing media-specific event for [iexplore.exe!ws!]

Error: (06/11/2014 07:26:32 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

System errors:
=============
Error: (01/01/2015 11:47:30 AM) (Source: DCOM) (EventID: 10005) (User: P4)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (01/01/2015 11:00:42 AM) (Source: DCOM) (EventID: 10005) (User: P4)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (01/01/2015 09:50:28 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/01/2015 09:48:54 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Fips
intelppm
PCIIde

Error: (01/01/2015 09:46:39 AM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (12/31/2014 00:54:13 PM) (Source: DCOM) (EventID: 10005) (User: P4)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (12/31/2014 00:41:18 PM) (Source: DCOM) (EventID: 10005) (User: P4)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (12/31/2014 00:36:09 PM) (Source: DCOM) (EventID: 10005) (User: P4)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (12/31/2014 00:34:43 PM) (Source: DCOM) (EventID: 10005) (User: P4)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (12/31/2014 00:33:07 PM) (Source: DCOM) (EventID: 10005) (User: P4)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor:  Intel® Pentium® 4 CPU 3.00GHz
Percentage of memory in use: 24%
Total physical RAM: 1022.07 MB
Available physical RAM: 772.77 MB
Total Pagefile: 1692.86 MB
Available Pagefile: 1605.03 MB
Total Virtual: 2047.88 MB
Available Virtual: 1937.75 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:298.08 GB) (Free:271.16 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: () (Removable) (Total:0.24 GB) (Free:0.21 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 298.1 GB) (Disk ID: 3A933A92)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 245 MB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Download the attached fixlist.txt and save it to the location where FRST is saved to.
  • Run FRST.exe (on 64-bit, run FRST64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you will find where you saved FRST. Please post it in your reply.

When finished, try to boot into Windows now.

fixlist.txt


  • 4 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
