Jump to content

Win XP Hijack.controlpanelstyle detected


Recommended Posts

Thanks in advance for the help in removing this "stubborn" issue...Have tried removal but not having any luck. 

(Have had great success in the past with all prior "virus" type issues using Combofx. It didn't help this time. Attched ComboFX log at bottom of page)

Malwarebytes detects the "virus" after removal, restart and rescanning.

Ran FRST.exe with the following results: FRST.TXT and ADDITION.TXT are below.......

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2016 01
Ran by aa (administrator) on DELLERIFIC (25-08-2016 10:11:22)
Running from C:\Documents and Settings\aa\desktop
Loaded Profiles: aa (Available Profiles: aa)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Intel Corporation) C:\Program Files\Intel\AMT\atchksrv.exe
(ASUSTeK COMPUTER INC.) C:\WINDOWS\ATKKBService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Intel) C:\Program Files\Intel\AMT\LMS.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Intel) C:\Program Files\Intel\AMT\UNS.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
() C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2011-05-24] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [WrtMon.exe] => C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [20480 2006-09-20] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227648 2015-03-30] (AVAST Software)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101584 2014-04-25] (Safer-Networking Ltd.)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2011-05-24] (ATI Technologies Inc.)
HKU\S-1-5-19\...\RunOnce: [_nltide_3] => C:\WINDOWS\system32\advpack.dll [128512 2009-03-08] (Microsoft Corporation)
HKU\S-1-5-19\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-19\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-19\...\Policies\Explorer: [NoStartMenuPinnedList] 1
HKU\S-1-5-19\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-20\...\RunOnce: [_nltide_3] => C:\WINDOWS\system32\advpack.dll [128512 2009-03-08] (Microsoft Corporation)
HKU\S-1-5-20\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-20\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-20\...\Policies\Explorer: [NoStartMenuPinnedList] 1
HKU\S-1-5-20\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\...\Policies\Explorer: [NoStartMenuPinnedList] 1
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\ssstars.scr [14336 2008-04-14] (Microsoft Corporation)
HKU\S-1-5-18\...\RunOnce: [_nltide_3] => C:\WINDOWS\system32\advpack.dll [128512 2009-03-08] (Microsoft Corporation)
HKU\S-1-5-18\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-18\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-18\...\Policies\Explorer: [NoStartMenuPinnedList] 1
HKU\S-1-5-18\...\Policies\Explorer: [NoSMConfigurePrograms] 1
Lsa: [Authentication Packages] msv1_0 relog_ap
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2014-12-21] (AVAST Software)
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.65
Tcpip\..\Interfaces\{2489DE76-B199-4E03-B7F6-1F40F2A81167}: [DhcpNameServer] 192.168.0.1 205.171.3.65

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?trackid=sp-006
HKU\S-1-5-21-1644491937-484061587-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKLM -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1644491937-484061587-1801674531-1003 -> DefaultScope {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1644491937-484061587-1801674531-1003 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2012-09-25] (Oracle Corporation)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2012-09-25] (Oracle Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1644491937-484061587-1801674531-1003 -> Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
DPF: {6602D627-F946-4A6E-BD5F-DCF8A0FB8AD1} hxxp://fir.imtv5.com/fir2/FIRAX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc.)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Homepage: hxxps://mail.google.com/mail/u/0/#inbox
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @canon.com/MycameraPlugin -> C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin: @garmin.com/GpsControl -> C:\Program Files\Garmin GPS Plugin\npGarmin.dll [2012-05-30] (GARMIN Corp.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-09-01] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.9.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2012-09-25] (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=6.0.11.2852 -> C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll [2008-04-27] (RealNetworks, Inc.)
FF Plugin: @real.com/nppl3260;version=6.0.12.46 -> C:\Program Files\Real Alternative\browser\plugins\nppl3260.dll [2008-04-27] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.1662 -> C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll [2008-04-27] (RealNetworks, Inc.)
FF Plugin: @real.com/nprpjplug;version=6.0.12.46 -> C:\Program Files\Real Alternative\browser\plugins\nprpjplug.dll [2008-04-27] (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll [No File]
FF Plugin: @videolan.org/vlc,version=2.0.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2013-12-08] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2013-12-08] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-08-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1644491937-484061587-1801674531-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\aa\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2015-05-27] (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npatgpc.dll [2013-12-12] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-03] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll [2008-04-27] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpjplug.dll [2008-04-27] (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\aa\Application Data\mozilla\plugins\ieatgpc.dll [2014-10-06] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Documents and Settings\aa\Application Data\mozilla\plugins\npatgpc.dll [2013-12-12] (Cisco WebEx LLC)
FF SearchPlugin: C:\Documents and Settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default\searchplugins\youtube.xml [2012-09-16]
FF Extension: Pin It Button - C:\Documents and Settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default\Extensions\jid1-YcMV6ngYmQRA2w@jetpack.xpi [2014-08-06] [not signed]
FF Extension: Garmin Communicator - C:\Documents and Settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [2015-01-19] [not signed]
FF Extension: Share Button for Pinterest - C:\Documents and Settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default\Extensions\{677a8f98-fd64-40b0-a883-b8c95d0cbf17}.xpi [2016-02-09]
FF Extension: StumbleUpon - C:\Documents and Settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default\Extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}.xpi [2015-03-08] [not signed]
FF Extension: Adblock Plus - C:\Documents and Settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-25]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2012-03-23] [not signed]

Chrome:
=======
CHR Profile: C:\Documents and Settings\aa\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Documents and Settings\aa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-10]
CHR Extension: (Google Drive) - C:\Documents and Settings\aa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-10]
CHR Extension: (YouTube) - C:\Documents and Settings\aa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-10]
CHR Extension: (Google Search) - C:\Documents and Settings\aa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-10]
CHR Extension: (Google Wallet) - C:\Documents and Settings\aa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-10]
CHR Extension: (Gmail) - C:\Documents and Settings\aa\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [427288 2007-10-30] (Acronis)
R2 atchksrv; C:\Program Files\Intel\AMT\atchksrv.exe [176128 2009-12-01] (Intel Corporation) [File not signed]
R2 ATKKeyboardService; C:\WINDOWS\ATKKBService.exe [264704 2010-04-06] (ASUSTeK COMPUTER INC.) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-21] (AVAST Software)
S4 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96334 2009-09-08] (Canon Inc.) [File not signed]
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S4 IJPLMSVC; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [97432 2007-04-13] () [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [161768 2012-09-25] (Oracle Corporation)
R2 LMS; C:\Program Files\Intel\AMT\LMS.exe [102400 2009-12-01] (Intel) [File not signed]
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [241734 2008-02-14] () [File not signed]
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-25] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S4 TryAndDecideService; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [492720 2007-10-30] ()
R2 UNS; C:\Program Files\Intel\AMT\UNS.exe [2519040 2009-12-01] (Intel) [File not signed]
S4 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [1921024 2007-10-09] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 asusgsb; C:\WINDOWS\System32\drivers\asusgsb.sys [12416 2009-02-17] (ASUSTeK Computer Inc.) [File not signed]
R1 asuskbnt; C:\WINDOWS\System32\drivers\atkkbnt.sys [11136 2009-02-17] (ASUSTeK COMPUTER INC.) [File not signed]
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [24184 2014-12-21] ()
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [70384 2014-12-21] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [55240 2014-12-21] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [49944 2014-12-21] ()
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [787800 2014-12-21] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [423784 2014-12-21] (AVAST Software)
R1 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [57928 2014-12-21] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [206248 2014-12-21] ()
R3 AtiHDAudioService; C:\WINDOWS\System32\drivers\AtihdXP3.sys [101392 2011-03-30] (Advanced Micro Devices)
R1 BANTExt; C:\WINDOWS\System32\Drivers\BANTExt.sys [3840 2013-09-10] () [File not signed]
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [1123328 2007-10-09] (Broadcom Corp.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R0 tdrpman; C:\WINDOWS\System32\DRIVERS\tdrpman.sys [368544 2012-02-21] (Acronis)
R2 tifsfilter; C:\WINDOWS\System32\DRIVERS\tifsfilt.sys [44384 2012-02-21] (Acronis)
R3 Video3D; C:\WINDOWS\System32\Drivers\Video3D32.sys [10752 2009-02-17] (ASUSTeK COMPUTER INC.) [File not signed]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B}; C:\Program Files\CyberLink\PowerDVD\000.fcl [87536 2009-09-01] (CyberLink Corp.)
S3 catchme; \??\C:\DOCUME~1\aa\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-25 10:11 - 2016-08-25 10:11 - 00019562 _____ C:\Documents and Settings\aa\desktop\FRST.txt
2016-08-25 10:11 - 2016-08-25 10:11 - 00000000 ____D C:\FRST
2016-08-25 10:10 - 2016-08-25 10:10 - 02030536 _____ (Bleeping Computer, LLC) C:\Documents and Settings\aa\desktop\rkill.exe
2016-08-25 10:10 - 2016-08-25 10:10 - 01746432 _____ (Farbar) C:\Documents and Settings\aa\desktop\FRST.exe
2016-08-25 09:36 - 2016-08-25 09:36 - 00586474 _____ C:\Documents and Settings\aa\desktop\bookmarks.html
2016-08-25 09:36 - 2016-08-25 09:36 - 00255912 _____ C:\Documents and Settings\aa\desktop\bookmarks-2016-08-25.json
2016-08-25 09:31 - 2016-08-25 09:31 - 00000258 __RSH C:\Documents and Settings\All Users\ntuser.pol
2016-08-25 09:29 - 2016-08-25 09:29 - 00002013 _____ C:\mwb_log.txt
2016-08-25 08:44 - 2016-08-25 08:44 - 00000020 ___SH C:\Documents and Settings\TEMP.NT AUTHORITY.001\ntuser.ini
2016-08-25 08:44 - 2016-08-25 08:44 - 00000020 ___SH C:\Documents and Settings\TEMP.NT AUTHORITY.000\ntuser.ini
2016-08-25 08:44 - 2016-08-25 08:44 - 00000000 __SHD C:\Documents and Settings\TEMP.NT AUTHORITY.001
2016-08-25 08:44 - 2016-08-25 08:44 - 00000000 __SHD C:\Documents and Settings\TEMP.NT AUTHORITY.000
2016-08-25 08:44 - 2016-08-25 08:44 - 00000000 ____D C:\Documents and Settings\TEMP.NT AUTHORITY.001\Local Settings\Temp
2016-08-25 08:44 - 2016-08-25 08:44 - 00000000 ____D C:\Documents and Settings\TEMP.NT AUTHORITY.000\Local Settings\Temp
2016-08-25 08:40 - 2016-08-25 10:11 - 00000000 ____D C:\Documents and Settings\aa\Local Settings\temp
2016-08-25 08:40 - 2016-08-25 08:40 - 00014264 _____ C:\ComboFix.txt
2016-08-25 08:31 - 2011-06-26 00:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2016-08-25 08:31 - 2010-11-07 11:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2016-08-25 08:31 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2016-08-25 08:31 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2016-08-25 08:31 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2016-08-25 08:31 - 2000-08-30 18:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2016-08-25 08:31 - 2000-08-30 18:00 - 00098816 _____ C:\WINDOWS\sed.exe
2016-08-25 08:31 - 2000-08-30 18:00 - 00080412 _____ C:\WINDOWS\grep.exe
2016-08-25 08:31 - 2000-08-30 18:00 - 00068096 _____ C:\WINDOWS\zip.exe
2016-08-25 08:30 - 2016-08-25 08:40 - 00000000 ____D C:\Qoobox
2016-08-25 08:12 - 2016-08-25 08:13 - 05659484 ____R (Swearware) C:\Documents and Settings\aa\desktop\ComboFix.exe
2016-08-24 19:52 - 2016-08-25 06:22 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-08-24 09:58 - 2016-08-24 09:58 - 00000000 _____ C:\Documents and Settings\aa\desktop\New Notepad++ Document.txt
2016-08-23 11:36 - 2016-08-23 11:36 - 00000777 _____ C:\Documents and Settings\All Users\desktop\Malwarebytes Anti-Malware.lnk
2016-08-22 06:26 - 2016-08-22 06:26 - 00000000 ____D C:\Documents and Settings\aa\Start Menu\Programs\CyberLink PowerDVD
2016-08-21 10:05 - 2016-08-21 10:05 - 00000000 _____ C:\WINDOWS\DMM.INI
2016-08-21 09:59 - 2016-08-21 09:59 - 00000000 ____D C:\Program Files\Sienzo

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-25 09:51 - 2012-04-10 18:02 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-25 09:49 - 2015-11-27 08:18 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-08-25 09:31 - 2014-06-15 05:50 - 00000216 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2016-08-25 09:31 - 2014-06-14 12:12 - 00000644 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2016-08-25 09:31 - 2012-10-09 12:58 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-08-25 09:31 - 2012-04-10 18:02 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-25 09:31 - 2012-02-21 12:42 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-25 09:31 - 2012-02-21 05:30 - 00000000 ___HD C:\Documents and Settings\All Users
2016-08-25 09:30 - 2012-03-20 14:57 - 00262144 _____ C:\WINDOWS\system32\config\ACEEvent.evt
2016-08-25 09:30 - 2012-02-21 12:42 - 00032412 _____ C:\WINDOWS\SchedLgU.Txt
2016-08-25 09:30 - 2012-02-21 12:42 - 00000178 ___SH C:\Documents and Settings\aa\ntuser.ini
2016-08-25 08:47 - 2014-08-02 10:07 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-25 08:44 - 2012-02-21 05:30 - 00000000 ____D C:\Documents and Settings
2016-08-25 08:39 - 2001-08-22 20:00 - 00000254 _____ C:\WINDOWS\system.ini
2016-08-25 08:30 - 2013-03-25 13:56 - 00000000 ____D C:\WINDOWS\erdnt
2016-08-25 08:16 - 2012-05-07 07:29 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-08-25 07:50 - 2012-07-07 19:22 - 00002521 _____ C:\Documents and Settings\aa\desktop\Microsoft Office Outlook 2007 (2).lnk
2016-08-25 07:46 - 2012-02-21 05:26 - 00000000 ___HD C:\WINDOWS\inf
2016-08-25 06:40 - 2012-02-21 18:32 - 00000000 ____D C:\Jts
2016-08-23 11:36 - 2014-08-02 10:06 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-08-22 11:43 - 2013-12-20 10:06 - 00000000 ____D C:\Ata Mann
2016-08-22 08:58 - 2012-02-21 12:42 - 00000000 ___HD C:\Documents and Settings\aa
2016-08-22 08:58 - 2012-02-21 05:30 - 00053248 _____ C:\WINDOWS\system32\config\SECURITY.gbck
2016-08-22 08:58 - 2012-02-21 05:30 - 00024576 _____ C:\WINDOWS\system32\config\SAM.gbck
2016-08-22 08:58 - 2012-02-21 05:29 - 39321600 _____ C:\WINDOWS\system32\config\software.gbck
2016-08-22 08:58 - 2012-02-21 05:29 - 06029312 _____ C:\WINDOWS\system32\config\system.gbck
2016-08-22 08:58 - 2012-02-21 05:29 - 00274432 _____ C:\WINDOWS\system32\config\default.gbck
2016-08-19 08:04 - 2012-02-21 05:30 - 00000000 ___HD C:\Documents and Settings\Default User
2016-08-18 22:03 - 2012-02-21 14:10 - 00065536 _____ C:\WINDOWS\system32\config\ODiag.evt
2016-08-17 13:24 - 2012-12-28 12:09 - 00000000 ____D C:\Documents and Settings\aa\Application Data\Real
2016-08-17 11:57 - 2014-12-24 14:40 - 00000000 ____D C:\Folder Shortcuts
2016-08-17 11:57 - 2012-04-25 07:21 - 00000000 ____D C:\RealEstate
2016-08-17 11:57 - 2012-04-02 08:12 - 00000000 ____D C:\tunes
2016-08-17 11:57 - 2012-03-31 13:45 - 00000000 ____D C:\guitar_files
2016-08-17 11:56 - 2012-03-31 17:16 - 00000000 ____D C:\Manual
2016-08-17 06:19 - 2001-08-22 20:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2016-08-16 10:01 - 2016-07-18 18:53 - 00000000 ____D C:\Program Files\BetOnline
2016-08-12 07:58 - 2012-03-21 16:29 - 00000000 ____D C:\canon
2016-08-10 10:13 - 2012-02-22 11:32 - 00000000 ____D C:\DAK_Temp
2016-08-10 10:03 - 2012-03-22 19:23 - 00000000 ____D C:\Documents and Settings\aa\Application Data\vlc
2016-08-09 12:04 - 2012-12-17 08:32 - 00000000 ____D C:\ebayclist
2016-08-08 15:46 - 2014-06-15 05:50 - 00000210 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2016-07-27 13:10 - 2013-06-14 08:58 - 00000000 ____D C:\DHNM

==================== Files in the root of some directories =======

2015-01-17 17:17 - 2015-01-17 17:17 - 0000288 _____ () C:\Documents and Settings\aa\Application Data\.backup.dm
2015-07-07 12:53 - 2015-07-07 12:53 - 0023890 _____ () C:\Documents and Settings\aa\Application Data\Comma Separated Values (Windows).ADR
2012-03-21 20:09 - 2016-06-23 18:50 - 0020992 _____ () C:\Documents and Settings\aa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some zero byte size files/folders:
==========================
C:\Windows\System32\QTWMCI32.DLL

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21-08-2016 01
Ran by aa (25-08-2016 10:12:15)
Running from C:\Documents and Settings\aa\desktop
Microsoft Windows XP Professional Service Pack 3 (X86) (2005-05-07 15:24:05)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

aa (S-1-5-21-1644491937-484061587-1801674531-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\aa
Administrator (S-1-5-21-1644491937-484061587-1801674531-500 - Administrator - Enabled)
Guest (S-1-5-21-1644491937-484061587-1801674531-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-1644491937-484061587-1801674531-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1644491937-484061587-1801674531-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

2007 Microsoft Office Suite Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Acronis True Image Home (HKLM\...\{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}) (Version: 11.0.8053 - Acronis)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.1.0.5790 - Adobe Systems Inc.)
Adobe Creative Suite 4 Master Collection (HKLM\...\Adobe_b2d6abde968e6f277ddbfd501383e02) (Version: 4.0 - Adobe Systems Incorporated)
Adobe Flash Player 22 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Media Player (HKLM\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1 - Adobe Systems Incorporated)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
Amazing Slow Downer (remove only) (HKLM\...\Amazing Slow Downer) (Version:  - )
ASUS Gamer OSD (HKLM\...\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}) (Version: 2.08.0406 - ASUSTeK COMPUTER INC.)
ASUS Smart Doctor (HKLM\...\InstallShield_{809D7E6D-915D-4EAD-821F-E13D93F37161}) (Version: 5.82 - ASUSTek COMPUTER INC.)
ASUS Smart Doctor (Version: 5.82 - ASUSTek COMPUTER INC.) Hidden
ASUS VGA Driver (Version: 3.0.0.1 - ASUSTek) Hidden
ATI AVIVO Codecs (Version: 10.0.0.40103 - ATI Technologies Inc.) Hidden
Audacity 2.0.3 (HKLM\...\Audacity_is1) (Version: 2.0.3 - Audacity Team)
Auslogics Disk Defrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: version 3.3 - Auslogics Software Pty Ltd)
Avast Free Antivirus (HKLM\...\avast) (Version: 10.0.2208 - AVAST Software)
AVS Audio Editor 8.1.1 (HKLM\...\AVS Audio Editor_is1) (Version: 8.1.1.506 - Online Media Technologies Ltd.)
AVS Update Manager 1.0 (HKLM\...\AVS Update Manager_is1) (Version:  - Online Media Technologies Ltd.)
AVS Video Converter 6 (HKLM\...\AVS4YOU Video Converter 6_is1) (Version:  - Online Media Technologies Ltd.)
AVS4YOU Software Navigator 1.3 (HKLM\...\AVS4YOU Software Navigator_is1) (Version:  - Online Media Technologies Ltd.)
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
BetOnline (HKLM\...\BetOnline 0) (Version:  - )
BetOnline Client (remove only) (HKLM\...\BetOnLine Client) (Version: 1.0 - BetOnlineDevelopment)
Broadcom Gigabit Integrated Controller (HKLM\...\{D3B3B9B2-FE73-44CB-8C0A-F737D92F991B}) (Version: 10.15.08 - Broadcom Corporation)
Canon Camera Access Library (HKLM\...\CAL) (Version: 8.5.0.2 - Canon Inc.)
Canon DIGITAL CAMERA Solution Disk Software Guide (HKLM\...\Software Guide) (Version: 1.4.0.1 - Canon Inc.)
CANON iMAGE GATEWAY MyCamera Download Plugin (HKLM\...\MyCamera Download Plugin) (Version: 3.1.1.2 - Canon Inc.)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (HKLM\...\CANON iMAGE GATEWAY Task) (Version: 1.9.0.9 - Canon Inc.)
Canon MOV Decoder (HKLM\...\Canon MOV Decoder) (Version: 1.8.0.7 - Canon Inc.)
Canon MOV Encoder (HKLM\...\Canon MOV Encoder) (Version: 1.6.0.1 - Canon Inc.)
Canon MovieEdit Task for ZoomBrowser EX (HKLM\...\MovieEditTask) (Version: 3.7.0.4 - Canon Inc.)
Canon MP Navigator EX 1.0 (HKLM\...\MP Navigator EX 1.0) (Version:  - )
Canon MX310 series (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series) (Version:  - )
Canon MX310 series User Registration (HKLM\...\Canon MX310 series User Registration) (Version:  - )
Canon My Printer (HKLM\...\CanonMyPrinter) (Version:  - )
Canon PowerShot ELPH 300 HS_IXUS 220 HS Camera User Guide (HKLM\...\CameraUserGuide-PSELPH300HS_IXUS220HS) (Version: 1.0.0.1 - Canon Inc.)
Canon Utilities CameraWindow DC 8 (HKLM\...\CameraWindowDC8) (Version: 8.4.0.3 - Canon Inc.)
Canon Utilities CameraWindow Launcher (HKLM\...\CameraWindowLauncher) (Version: 7.5.0.2 - Canon Inc.)
Canon Utilities Easy-PhotoPrint EX (HKLM\...\Easy-PhotoPrint EX) (Version:  - )
Canon Utilities Movie Uploader for YouTube (HKLM\...\MovieUploaderForYouTube) (Version: 1.2.0.7 - Canon Inc.)
Canon Utilities MyCamera (HKLM\...\MyCamera) (Version: 7.4.0.2 - Canon Inc.)
Canon Utilities PhotoStitch (HKLM\...\PhotoStitch) (Version: 3.1.22.46 - Canon Inc.)
Canon Utilities Solution Menu (HKLM\...\CanonSolutionMenu) (Version:  - )
Canon Utilities ZoomBrowser EX (HKLM\...\ZoomBrowser EX) (Version: 6.7.0.24 - Canon Inc.)
Canon ZoomBrowser EX Memory Card Utility (HKLM\...\ZoomBrowser EX Memory Card Utility) (Version: 1.5.0.9 - Canon Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{6740FE60-43C1-4D15-8C4A-001624134B14}) (Version: 1.0.312 - Citrix)
Connect (Version: 1.0.0.1 - Adobe Systems Incorporated) Hidden
DAK Wave and MP3 Editor v4.2b (HKLM\...\{52752228-7A33-43C4-A2B6-028992E5CB13}) (Version: 4.2.0 - DAK)
Dell Wireless WLAN Card (HKLM\...\Broadcom 802.11b Network Adapter) (Version: 4.170.25.12 - Dell Inc.)
DEMIL (HKLM\...\{775823AF-8A52-11D4-9395-A00000103874}) (Version:  - )
DePopper 2.x (HKLM\...\DePopper2) (Version:  - )
DVD Shrink 3.2 (HKLM\...\DVD Shrink_is1) (Version:  - DVD Shrink)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
foobar2000 v1.1.11 (HKLM\...\foobar2000) (Version: 1.1.11 - Peter Pawlowski)
Garmin BaseCamp (HKLM\...\{18E928DE-ABBA-4CEB-A9E4-205769B03FE8}) (Version: 4.0.5 - Garmin Ltd or its subsidiaries)
Garmin Communicator Plugin (HKLM\...\{13F054F3-0B07-4D15-9E80-C55B496AB557}) (Version: 4.0.3 - Garmin Ltd or its subsidiaries)
Garmin MapSource (HKLM\...\{AFBAB9A0-DDE8-49AE-8C17-A01B61BEE64B}) (Version: 6.16.3 - Garmin Ltd or its subsidiaries)
Garmin USB Drivers (HKLM\...\{ABA5E381-EC46-425C-86C5-5CD15BBFB4BF}) (Version: 2.3.1.0 - Garmin Ltd or its subsidiaries)
Glary Utilities Pro 2.42.0.1389 (HKLM\...\Glary Utilities_is1) (Version: 2.42.0.1389 - Glarysoft Ltd)
GOM Player (HKLM\...\GOM Player) (Version: 2.2.56.5183 - Gretech Corporation)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 7.16.0.4800 (HKU\S-1-5-21-1644491937-484061587-1801674531-1003\...\GoToMeeting) (Version: 7.16.0.4800 - CitrixOnline)
Holdem Indicator 2.7.6 (HKLM\...\Holdem Indicator_is1) (Version:  - hxxp://www.HoldemIndicator.com)
HydraVision (Version: 4.2.206.0 - ATI Technologies Inc.) Hidden
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.7.0 - LIGHTNING UK!)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - Intel Corporation)
Intel(R) Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Intel(R) PRO Network Connections Drivers (HKLM\...\PROSet) (Version:  - )
Intel® Active Management Technology (HKLM\...\MESOL) (Version:  - Intel Corporation)
JamManagerXT version 2.0 (HKLM\...\{777248DB-00AD-4567-9382-E991118BC6CC}_is1) (Version: 2.0 - Harman International, Inc.)
Java 7 Update 9 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217007FF}) (Version: 7.0.90 - Oracle)
Java(TM) 6 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216031FF}) (Version: 6.0.310 - Oracle)
kuler (Version: 2.0 - Adobe Systems Incorporated) Hidden
Macromedia Dreamweaver 8 (HKLM\...\{0837A661-FEC3-48B3-876C-91E7D32048A9}) (Version: 8.0.2 - Macromedia)
Macromedia Extension Manager (HKLM\...\{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}) (Version: 1.7.240 - Macromedia, Inc.)
Macromedia Fireworks 8 (HKLM\...\{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}) (Version: 8.0.0.777 - Macromedia)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 48.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 48.0.2 (x86 en-US)) (Version: 48.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 48.0.2.6079 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 6.0 Parser (KB925673) (HKLM\...\{FE9126DB-5F84-495A-BB46-3C724F1C2D08}) (Version: 6.00.3888.0 - Microsoft Corporation)
Myst for Windows 95 (HKLM\...\Myst for Windows 95) (Version:  - )
Nero 6 Enterprise Edition (HKLM\...\Nero - Burning Rom!UninstallKey) (Version:  - )
New Mexico Topo Map (HKLM\...\New Mexico Topo) (Version: 1.50 - GPSFileDepot.com)
NM BLM Surface Ownership (HKLM\...\NM Land Usage) (Version:  - )
NM_BLM4GPS (HKLM\...\NM_BLM4GPS) (Version: 11.1 - hxxp://www.HuntingGPSmaps.com/)
ophcrack 3.6.0 (HKLM\...\ophcrack) (Version: 3.6.0 - OS Objectif Sécurité SA)
PDF Settings CS4 (Version: 9.0 - Adobe Systems Incorporated) Hidden
Photoshop Camera Raw (Version: 5.0 - Adobe Systems Incorporated) Hidden
Pixel Bender Toolkit (Version: 1.0 - Adobe Systems Incorporated) Hidden
PIXMA Extended Survey Program (HKLM\...\CANONIJPLM100) (Version:  - )
PLSS (HKLM\...\mm_plss) (Version:  - )
PowerDVD (Version: 7.3.5711.0 - CyberLink Corporation) Hidden
PowerDVD Ultra (HKLM\...\InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.3.5711.0 - CyberLink Corporation)
Presto! PageManager 7.15.16 (HKLM\...\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}) (Version: 7.15.16 - NewSoft Technology Corporation)
Real Alternative 1.8.0 (HKLM\...\RealAlt_is1) (Version: 1.8.0 - )
ScanSoft OmniPage SE 4 (HKLM\...\{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3}) (Version: 15.2.0020 - Nuance Communications, Inc.)
Select All Uninstall (HKLM\...\selall) (Version:  - )
Skins (Version: 2011.0524.2259.39378 - ATI) Hidden
SoundMAX (HKLM\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 5.10.01.7255 - Analog Devices)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.3.39 - Safer-Networking Ltd.)
Steinberg Cubase LE (HKLM\...\Steinberg Cubase LE) (Version:  - )
Suite Shared Configuration CS4 (Version: 1.0 - Adobe Systems Incorporated) Hidden
SurDoc (HKLM\...\{9D5BD899-355E-44B0-9465-F3DAEEE55F05}) (Version: 1.1.0.2 - Your Company Name)
Trader Workstation (HKU\S-1-5-21-1644491937-484061587-1801674531-1003\...\Trader Workstation) (Version:  - Interactive Brokers)
Trader Workstation 4.0 (HKLM\...\Trader Workstation 4.0) (Version:  - )
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Utility (Version: 1.00.0002 - ASUSTek) Hidden
Video Screen Trapper PRO (HKLM\...\{911C5B68-E2F7-45D3-8E23-FFAE40FEC8BB}) (Version: 1.20.0000 - a DAK software product )
VLC media player 2.1.2 (HKLM\...\VLC media player) (Version: 2.1.2 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Driver Package - Digitech (usbser) Ports  (04/24/2009 1.1.2600.0) (HKLM\...\9A5D99BED6F7F105B74795DCF16F3088223BEFBB) (Version: 04/24/2009 1.1.2600.0 - Digitech)
Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (04/19/2012 2.3.1.0) (HKLM\...\98157A226B40B173301B0F53C8E98C47805D5152) (Version: 04/19/2012 2.3.1.0 - Garmin)
Windows Genuine Advantage Validation 1.9.42.0 Cracked (HKLM\...\{EB1BE39D-4C36-40A0-8CFB-079A2D14CB79}) (Version: 1.5.0.0 - Wocarson)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
XAMPP (HKLM\...\xampp) (Version: 1.8.2-6 - Bitnami)
Xiph.Org Open Codecs 0.85.17777 (HKLM\...\Open Codecs) (Version: 0.85.17777 - Xiph.Org)
XML Paper Specification Shared Components Pack 1.0 (Version:  - Microsoft Corporation) Hidden
XnView 1.98.5 (HKLM\...\XnView_is1) (Version: 1.98.5 - Gougelet Pierre-e)
XviD MPEG-4 Video Codec (HKLM\...\xvid) (Version:  - XviD Development Team)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1644491937-484061587-1801674531-1003_Classes\CLSID\{0002E005-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1644491937-484061587-1801674531-1003_Classes\CLSID\{4B46EEDB-FFC8-4378-886D-659F81EE56AC}\InprocServer32 -> C:\Program Files\DAK\Video Screen Trapper PRO\Screen2Video.OCX (Viscom Software www.viscomsoft.com)
CustomCLSID: HKU\S-1-5-21-1644491937-484061587-1801674531-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\2553\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-1644491937-484061587-1801674531-1003_Classes\CLSID\{B6EC1E7F-2768-41DE-8A54-38AB88743F8E}\InprocServer32 -> C:\Program Files\DAK\Video Screen Trapper PRO\ScreenSource.ax ()
CustomCLSID: HKU\S-1-5-21-1644491937-484061587-1801674531-1003_Classes\CLSID\{C1E943ED-5A44-4688-944C-9B7C3C82513B}\InprocServer32 -> C:\Program Files\DAK\Video Screen Trapper PRO\Screen2Video.OCX (Viscom Software www.viscomsoft.com)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Songtrix Silver 3.0\ChordWizard Network.lnk -> hxxp://www.chordwizard.net/

==================== Loaded Modules (Whitelisted) ==============

2016-08-25 06:18 - 2016-08-25 06:18 - 03016192 _____ () C:\Program Files\AVAST Software\Avast\defs\16082500\algo.dll
2015-01-17 17:06 - 2008-02-14 12:00 - 00241734 _____ () C:\Program Files\CyberLink\Shared files\RichVideo.exe
2014-06-14 12:12 - 2014-04-25 14:11 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-06-14 12:12 - 2014-04-25 14:11 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-06-14 12:12 - 2014-04-25 14:11 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-06-14 12:12 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-06-14 12:12 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-04-09 12:54 - 2006-09-20 08:35 - 00020480 _____ () C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
2015-03-13 16:18 - 2015-03-13 16:18 - 38714440 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2012-04-09 12:54 - 2006-10-30 16:59 - 00024576 _____ () C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
2010-03-16 12:22 - 2010-03-16 12:22 - 00014848 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\AxInterop.WBOCXLib.dll
2011-03-14 14:20 - 2011-03-14 14:20 - 00430080 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
2011-05-24 22:58 - 2011-05-24 22:58 - 00270336 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2008-04-14 05:42 - 2013-01-02 00:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2016-07-12 12:49 - 2016-07-12 12:49 - 19483328 _____ () C:\WINDOWS\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2001-08-22 20:00 - 2016-08-25 08:39 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1644491937-484061587-1801674531-1003\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.0.1 - 205.171.3.65
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Documents and Settings^aa^Start Menu^Programs^Startup^Check for TWS Updates.lnk => C:\WINDOWS\pss\Check for TWS Updates.lnkStartup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: AcronisTimounterMonitor => C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
MSCONFIG\startupreg: Adobe Acrobat Speed Launcher => "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeCS4ServiceManager => "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: ctfmon.exe => C:\WINDOWS\system32\ctfmon.exe
MSCONFIG\startupreg: HydraVisionDesktopManager => "C:\Program Files\ATI Technologies\HydraVision\HydraDM.exe"
MSCONFIG\startupreg: HydraVisionMDEngine => "C:\Program Files\ATI Technologies\HydraVision\HydraMD.exe"
MSCONFIG\startupreg: MSMSGS => "C:\Program Files\Messenger\msmsgs.exe" /background
MSCONFIG\startupreg: NeroFilterCheck => C:\WINDOWS\system32\NeroCheck.exe
MSCONFIG\startupreg: SoundMAXPnP => C:\Program Files\Analog Devices\Core\smax4pnp.exe
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SurDoc => C:\Program Files\SurDoc\Surdoc\surdoc.exe
MSCONFIG\startupreg: TrueImageMonitor.exe => C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\dpvsetup.exe] => Enabled:Microsoft DirectPlay Voice Test
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
StandardProfile\AuthorizedApplications: [C:\xampp\apache\bin\httpd.exe] => Enabled:Apache HTTP Server
StandardProfile\AuthorizedApplications: [C:\xampp\mysql\bin\mysqld.exe] => Enabled:mysqld
StandardProfile\AuthorizedApplications: [C:\Program Files\Holdem Indicator\HoldemIndicator.exe] => Enabled:Holdem Indicator
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008

==================== Restore Points =========================

22-08-2016 08:45:24 System Checkpoint
23-08-2016 14:31:24 System Checkpoint
24-08-2016 14:39:00 System Checkpoint

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/25/2016 08:44:37 AM) (Source: Userenv) (EventID: 1511) (User: NT AUTHORITY)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (08/25/2016 08:44:37 AM) (Source: Userenv) (EventID: 1515) (User: NT AUTHORITY)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Error: (08/25/2016 08:44:37 AM) (Source: Userenv) (EventID: 1502) (User: NT AUTHORITY)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.


DETAIL - Access is denied.

Error: (08/25/2016 08:44:35 AM) (Source: Userenv) (EventID: 1511) (User: NT AUTHORITY)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (08/25/2016 08:44:35 AM) (Source: Userenv) (EventID: 1515) (User: NT AUTHORITY)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Error: (08/25/2016 08:44:35 AM) (Source: Userenv) (EventID: 1502) (User: NT AUTHORITY)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.


DETAIL - Access is denied.

Error: (08/25/2016 08:39:03 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (08/25/2016 08:37:20 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: A connection with the server could not be established

Error: (08/25/2016 08:37:17 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (08/25/2016 08:37:17 AM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


System errors:
=============
Error: (08/25/2016 08:03:57 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.0.4 for the Network Card with network address 001AA0848C91 has been
denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Error: (08/25/2016 06:15:41 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.

Error: (08/25/2016 06:15:41 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/25/2016 06:15:41 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.

Error: (08/24/2016 11:53:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/24/2016 11:53:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.

Error: (08/24/2016 11:53:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/24/2016 11:53:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.

Error: (08/24/2016 06:49:24 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
%%1053 = The service did not respond to the start or control request in a timely fashion.

Error: (08/24/2016 06:49:24 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Security Center Service service to connect.


==================== Memory info ===========================

Processor: Intel(R) Core(TM)2 Duo CPU E4400 @ 2.00GHz
Percentage of memory in use: 34%
Total physical RAM: 3325.54 MB
Available physical RAM: 2193.3 MB
Total Virtual: 5213.2 MB
Available Virtual: 4035.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.82 GB) (Free:126.59 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 232.8 GB) (Disk ID: 97BE5B6A)
Partition 1: (Active) - (Size=232.8 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

COMBOFX LOGS:

ComboFix 16-08-21.02 - aa 08/25/2016   8:33.4.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2613 [GMT -6:00]
Running from: c:\documents and settings\aa\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\ntuser.pol
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2016-07-25 to 2016-08-25  )))))))))))))))))))))))))))))))
.
.
2016-08-25 14:16 . 2016-08-25 14:16    --------    d-sh--w-    c:\documents and settings\TEMP.NT AUTHORITY.001
2016-08-25 14:16 . 2016-08-25 14:16    --------    d-sh--w-    c:\documents and settings\TEMP.NT AUTHORITY.000
2016-08-21 15:59 . 2016-08-21 15:59    --------    d-----w-    c:\program files\Sienzo
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-08-25 14:03 . 2014-08-02 16:07    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-07-14 21:49 . 2012-04-09 23:07    796352    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2016-07-14 21:49 . 2012-02-22 14:11    142528    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-12-21 15:23    723976    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotPostWindows10UpgradeReInstall"="c:\program files\Common Files\AV\Spybot - Search and Destroy\Test.exe" [2015-07-29 1011200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-18 150040]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-18 141848]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-25 98304]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-03-30 5227648]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-04-25 4101584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKLM\~\startupfolder\C:^Documents and Settings^aa^Start Menu^Programs^Startup^Check for TWS Updates.lnk]
path=c:\documents and settings\aa\Start Menu\Programs\Startup\Check for TWS Updates.lnk
backup=c:\windows\pss\Check for TWS Updates.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-06-12 05:43    640376    ----a-w-    c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 03:11    909208    ----a-w-    c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2008-06-12 09:25    37232    ----a-w-    c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57    959904    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58    611712    ----a-w-    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 11:42    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
2011-05-25 04:48    393216    ----a-w-    c:\program files\ATI Technologies\HydraVision\HydraDM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionMDEngine]
2011-05-25 04:48    569344    ----a-w-    c:\program files\ATI Technologies\HydraVision\HydraMD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50    155648    ----a-w-    c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-06-22 21:21    1044480    ----a-w-    c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 15:04    252848    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurDoc]
2012-06-04 21:54    507560    ----a-w-    c:\program files\SurDoc\Surdoc\surdoc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2007-10-31 03:06    2595616    ----a-w-    c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wltrysvc"=2 (0x2)
"TryAndDecideService"=2 (0x2)
"MozillaMaintenance"=3 (0x3)
"IJPLMSVC"=2 (0x2)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"CCALib8"=2 (0x2)
"AcrSch2Svc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"atchk"="c:\program files\Intel\AMT\atchk.exe"
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe"
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe"
"Broadcom Wireless Manager UI"=c:\windows\system32\WLTRAY.exe
"ASUSGamerOSD"=c:\program files\ASUS\GamerOSD\GamerOSD.exe
"SurDoc"=c:\program files\SurDoc\Surdoc\surdoc.exe
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
"BDRegion"=c:\program files\Cyberlink\Shared Files\brs.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\Holdem Indicator\\HoldemIndicator.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [1/10/2014 7:20 AM 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [1/10/2014 7:20 AM 206248]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2/21/2012 3:54 PM 787800]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2/21/2012 3:54 PM 423784]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [7/27/2014 11:15 AM 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [1/10/2014 7:20 AM 70384]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [6/14/2014 12:12 PM 1738200]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [6/14/2014 12:12 PM 2081752]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2/21/2012 1:08 PM 2519040]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [3/20/2012 2:53 PM 101392]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [6/14/2014 12:12 PM 171928]
.
Contents of the 'Scheduled Tasks' folder
.
2016-08-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 21:49]
.
2016-08-25 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2016-07-19 02:50]
.
2016-08-25 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-14 20:14]
.
2016-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-11 00:02]
.
2016-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-04-11 00:02]
.
2016-08-25 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-06-14 01:59]
.
2016-08-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-06-14 01:59]
.
2016-02-24 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-14 20:13]
.
2015-09-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-14 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/?trackid=sp-006
mStart Page = https://www.google.com/?trackid=sp-006
mSearch Bar = https://www.google.com/?trackid=sp-006
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 205.171.3.65
DPF: {6602D627-F946-4A6E-BD5F-DCF8A0FB8AD1} - hxxp://fir.imtv5.com/fir2/FIRAX.CAB
FF - ProfilePath - c:\documents and settings\aa\Application Data\Mozilla\Firefox\Profiles\pxll50bt.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/u/0/#inbox
.
.
------- File Associations -------
.
.txt=Notepad++_file
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-08-25 08:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_22_0_0_210_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_22_0_0_210_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\relog_ap.dll
.
Completion time: 2016-08-25  08:40:56
ComboFix-quarantined-files.txt  2016-08-25 14:40
ComboFix2.txt  2016-08-19 14:03
.
Pre-Run: 135,990,951,936 bytes free
Post-Run: 135,976,689,664 bytes free
.
- - End Of File - - C8B8889361B45923299BB1D43928397F
8F558EB6672622401DA993E1E865C861

 

Link to post
Share on other sites

  • Root Admin

Hello @aarchie and :welcome:

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed, please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large, then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable, it is unlikely, but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous; please be patient. Often we are also in a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

STEP 01
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.
When RKill runs, it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process and does not delete any files, after running it, you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill, you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1 | Link 2

  • On Windows XP Double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear, this is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.

STEP 02
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double-clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

STEP 03
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Edited by AdvancedSetup
Link to post
Share on other sites

  • Root Admin

Looking at this further your Registry Hive for you account is not found or loading.

DETAIL - Access is denied.

Error: (08/25/2016 08:44:35 AM) (Source: Userenv) (EventID: 1511) (User: NT AUTHORITY)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Error: (08/25/2016 08:44:35 AM) (Source: Userenv) (EventID: 1515) (User: NT AUTHORITY)
Description: Windows has backed up this user's profile. Windows will automatically try to use the backed up profile the next time this user logs on.

Error: (08/25/2016 08:44:35 AM) (Source: Userenv) (EventID: 1502) (User: NT AUTHORITY)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.

 

Let's go ahead and run a Full Disk Check and see if that helps.

Open a Command Prompt and type in the following exactly.

 

CHKDSK   C:  /R

Then it will say it cannot lock the drive. Press the Y key to say yes to run it the next time the computer restarts. Then press the Enter key and reboot and let the disk check run.

 

Once done please a new FRST scan and make sure you place a check mark in the Additions.txt check box and ATTACH both logs on your next reply.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.