
[Resolved] Slow running computer with AVG

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by bgc, May 31, 2014.

  1. bgc

    bgc Established Techie7 Member

    My computer has been running painfully slow for the past 2 weeks and AVG has found and secured several Win32/DH{***} threats.

    Thanks for checking the logs below:



    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.05.31.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: HOMESALE [administrator]

    5/31/2014 11:20:46 AM
    mbam-log-2014-05-31 (11-20-46).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System |

    Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 254202
    Time elapsed: 2 hour(s), 21 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    --------------------------

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
    Run by Administrator at 13:50:58 on 2014-05-31
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\PCPitstop\Info Center\InfoCenter.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxps://duckduckgo.com/
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AVG-Secure-Search-Update_1113a] c:\documents and settings\administrator\application data\avg 1113a campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=e09d66ab3833d67674561a1882f787ec-67831d2594c69cce441cb969e397e8d512b2267f /CMPID=1113a
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Info Center] c:\program files\pcpitstop\info center\InfoCenter.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    .
    INFO: HKLM has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://pcpitstop.com/internet/pcpConnCheck.cab
    DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://navigatela.lacity.org/download/mgaxctrl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194646323811
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194646358889
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {DA684E88-66C9-4CD4-9AD1-0E643D8F3107} - hxxp://eoscount.com/eoscount_xp.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{AEB14E2D-3C89-4C45-B2D2-A7C01379D391} : DHCPNameServer = 192.168.1.1
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\6ybkd31d.default\
    FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
    FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\npDeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    S? Avgdiskx;AVG Disk Driver
    S? AVGIDSAgent;AVGIDSAgent
    S? AVGIDSDriver;AVGIDSDriver
    S? AVGIDSHX;AVGIDSHX
    S? AVGIDSShim;AVGIDSShim
    S? Avgldx86;AVG AVI Loader Driver
    S? Avglogx;AVG Logging Driver
    S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
    S? Avgrkx86;AVG Anti-Rootkit Driver
    S? Avgtdix;AVG TDI Driver
    S? avgwd;AVG WatchDog
    S? MpFilter;Microsoft Malware Protection Driver
    .
    =============== Created Last 30 ================
    .
    2014-05-28 20:31:21 20080 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
    2014-05-28 20:31:19 75376 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
    2014-05-28 20:31:19 46704 ----a-w- c:\program files\mozilla firefox\browser\components\browsercomps.dll
    2014-05-28 20:31:19 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2014-05-28 20:31:09 275568 ----a-w- c:\program files\mozilla firefox\firefox.exe
    2014-05-28 20:31:09 117360 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
    2014-05-28 20:31:08 305264 ----a-w- c:\program files\mozilla firefox\freebl3.dll
    2014-05-28 20:31:03 4881520 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
    2014-05-28 20:29:57 23516272 ----a-w- c:\program files\mozilla firefox\xul.dll
    .
    ==================== Find3M ====================
    .
    2014-04-18 22:02:04 199960 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2014-03-31 23:11:58 211224 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2014-03-28 05:15:18 193304 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2014-03-28 05:14:40 123160 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
    2014-03-28 05:04:22 150296 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2014-03-28 05:04:02 238872 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2014-03-28 05:03:22 28440 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2014-03-28 05:03:20 22296 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    2014-03-06 17:59:23 920064 ----a-w- c:\windows\system32\wininet.dll
    2014-03-06 17:59:22 43520 ------w- c:\windows\system32\licmgr10.dll
    2014-03-06 17:59:22 18944 ----a-w- c:\windows\system32\corpol.dll
    2014-03-06 17:59:22 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2014-03-06 00:46:54 385024 ------w- c:\windows\system32\html.iec
    .
    ============= FINISH: 14:00:37.17 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/9/2007 11:42:08 AM
    System Uptime: 5/26/2014 7:04:17 PM (115 hours ago)
    .
    Motherboard: Dell Computer Corp. | |
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | Microprocessor | 2391/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 15.818 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 19 GiB total, 9.748 GiB free.
    F: is Removable
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1321: 4/14/2014 11:12:14 PM - System Checkpoint
    RP1322: 4/15/2014 11:45:55 PM - System Checkpoint
    RP1323: 4/17/2014 1:55:15 AM - System Checkpoint
    RP1324: 4/18/2014 2:10:17 AM - System Checkpoint
    RP1325: 4/19/2014 3:01:44 AM - System Checkpoint
    RP1326: 4/20/2014 3:09:43 AM - System Checkpoint
    RP1327: 4/21/2014 4:09:43 AM - System Checkpoint
    RP1328: 4/22/2014 5:09:44 AM - System Checkpoint
    RP1329: 4/23/2014 5:21:46 AM - System Checkpoint
    RP1330: 4/24/2014 6:09:46 AM - System Checkpoint
    RP1331: 4/25/2014 7:10:01 AM - System Checkpoint
    RP1332: 4/26/2014 8:09:46 AM - System Checkpoint
    RP1333: 4/27/2014 8:10:51 AM - System Checkpoint
    RP1334: 4/28/2014 9:10:50 AM - System Checkpoint
    RP1335: 4/29/2014 10:09:46 AM - System Checkpoint
    RP1336: 4/30/2014 11:41:21 AM - System Checkpoint
    RP1337: 5/1/2014 2:09:21 PM - System Checkpoint
    RP1338: 5/2/2014 5:32:59 PM - System Checkpoint
    RP1339: 5/3/2014 9:14:15 PM - System Checkpoint
    RP1340: 5/4/2014 11:19:42 PM - System Checkpoint
    RP1341: 5/5/2014 11:47:26 PM - System Checkpoint
    RP1342: 5/7/2014 2:25:10 AM - System Checkpoint
    RP1343: 5/8/2014 2:53:01 AM - System Checkpoint
    RP1344: 5/9/2014 3:39:46 AM - System Checkpoint
    RP1345: 5/10/2014 4:44:05 AM - System Checkpoint
    RP1346: 5/10/2014 5:09:24 PM - Installed EOSInfo
    RP1347: 5/10/2014 6:44:10 PM - Removed EOSInfo
    RP1348: 5/11/2014 6:47:26 PM - System Checkpoint
    RP1349: 5/12/2014 6:52:23 PM - System Checkpoint
    RP1350: 5/13/2014 7:47:16 PM - System Checkpoint
    RP1351: 5/14/2014 8:47:16 PM - System Checkpoint
    RP1352: 5/15/2014 11:09:13 PM - System Checkpoint
    RP1353: 5/16/2014 11:32:51 PM - System Checkpoint
    RP1354: 5/18/2014 1:20:41 AM - System Checkpoint
    RP1355: 5/19/2014 2:28:54 AM - System Checkpoint
    RP1356: 5/20/2014 2:47:26 AM - System Checkpoint
    RP1357: 5/21/2014 3:47:19 AM - System Checkpoint
    RP1358: 5/22/2014 4:46:48 AM - System Checkpoint
    RP1359: 5/23/2014 5:46:49 AM - System Checkpoint
    RP1360: 5/24/2014 6:50:03 AM - System Checkpoint
    RP1361: 5/25/2014 7:55:23 AM - System Checkpoint
    RP1362: 5/26/2014 9:06:15 AM - System Checkpoint
    RP1363: 5/27/2014 9:27:08 AM - System Checkpoint
    RP1364: 5/28/2014 10:16:14 AM - System Checkpoint
    RP1365: 5/29/2014 2:23:22 PM - System Checkpoint
    RP1366: 5/30/2014 2:44:14 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.1.2
    AiO_Scan_CDA
    Apple Software Update
    AVG 2014
    Batch Thumbs 1.7
    CCleaner
    Dropbox
    GPStamper 4.2.0.6
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2779562)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    HP Deskjet 3000 J310 series Basic Device Software
    HP Deskjet 3000 J310 series Help
    HP Photosmart, Officejet and Deskjet 7.0.A
    Info Center 1.0.0.10
    Insul7.0
    Intel(R) Extreme Graphics Driver
    Intel(R) Network Connections 12.4.38.0
    Java(TM) 6 Update 31
    Java(TM) 7 Update 5
    JavaFX 2.1.1
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2833941)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Mozilla Firefox 29.0.1 (x86 en-US)
    Mozilla Maintenance Service
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    Nikon Scan 1.6
    PhotoStamp 4.7.1.0
    Polaroid Dust and Scratch Removal v1.0.0.15.2e
    QFolder
    Quicken 2005
    QuickTime
    Roxio DLA
    Roxio Express Labeler
    Roxio RecordNow Copy
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB2544521)
    Security Update for Windows Internet Explorer 7 (KB2675157)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2817183)
    Security Update for Windows Internet Explorer 8 (KB2909210)
    Security Update for Windows Internet Explorer 8 (KB2936068)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219-v2)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135-v2)
    Security Update for Windows XP (KB2727528)
    Security Update for Windows XP (KB2753842-v2)
    Security Update for Windows XP (KB2757638)
    Security Update for Windows XP (KB2758857)
    Security Update for Windows XP (KB2770660)
    Security Update for Windows XP (KB2780091)
    Security Update for Windows XP (KB2802968)
    Security Update for Windows XP (KB2807986)
    Security Update for Windows XP (KB2808735)
    Security Update for Windows XP (KB2813170)
    Security Update for Windows XP (KB2813345)
    Security Update for Windows XP (KB2820917)
    Security Update for Windows XP (KB2834886)
    Security Update for Windows XP (KB2850869)
    Security Update for Windows XP (KB2859537)
    Security Update for Windows XP (KB2862152)
    Security Update for Windows XP (KB2862335)
    Security Update for Windows XP (KB2864063)
    Security Update for Windows XP (KB2868038)
    Security Update for Windows XP (KB2868626)
    Security Update for Windows XP (KB2876217)
    Security Update for Windows XP (KB2876331)
    Security Update for Windows XP (KB2892075)
    Security Update for Windows XP (KB2893294)
    Security Update for Windows XP (KB2898715)
    Security Update for Windows XP (KB2900986)
    Security Update for Windows XP (KB2914368)
    Security Update for Windows XP (KB2916036)
    Security Update for Windows XP (KB2922229)
    Security Update for Windows XP (KB2929961)
    Security Update for Windows XP (KB2930275)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    SMS Advanced Client
    Sonic Update Manager
    SoundMAX
    Sybase Adaptive Server Enterprise PC Client
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB2904266)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual Studio 2012 x86 Redistributables
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/31/2014 2:03:42 AM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    .
    ==== End Of File ===========================
     
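    The DDS "Pseudo HJT Report" above is the part of that log a helper reads first: every Run key, BHO and explorer bar the machine starts. As an added example that is not part of this thread, of DDS or of any of the tools named in it, the script below parses lines in that format and flags the two patterns worth a second look: registrations whose target is gone (<orphaned>) and executables launched from a user-writable profile directory rather than Program Files or system32. The sample lines are constructed from entries in the posted log, with the long /mid= campaign token of the AVG updater dropped; the path markers and heuristics are the example's own assumptions, not anything DDS reports.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of DDS or of this thread. It reads uRun/mRun, BHO
and EB lines and reports entries whose image path is missing ('<orphaned>')
or sits in a directory an unprivileged user can write to.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed path fragments that mean "writable without admin rights" on
# Windows XP (and, for \users\, on Vista and later). Legitimate autoruns
# normally live under Program Files or system32, so these deserve a look.
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\users\\",
)

# uRun: [Name] command line   (HKCU Run)    mRun: [Name] ...   (HKLM Run)
RUN_RE = re.compile(r"^(?P<kind>[um]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# BHO: Friendly Name: {CLSID} - path        EB: {CLSID} - path or <orphaned>
COM_RE = re.compile(
    r"^(?P<kind>BHO|EB):\s*(?:(?P<name>.*?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.*)$"
)
# First quoted or unquoted drive-letter path ending in an executable extension.
IMAGE_RE = re.compile(
    r'^"?(?P<path>[a-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:"|\s|$)', re.I
)


@dataclass
class Entry:
    kind: str             # uRun, mRun, BHO or EB
    name: str             # value name, BHO friendly name, or CLSID
    raw: str              # command line / target exactly as logged
    image: Optional[str]  # parsed image path, None if not recognised
    reasons: List[str] = field(default_factory=list)


def image_from_command(cmd: str) -> Optional[str]:
    """Pull the executable path out of a Run command line or COM target."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("path") if m else None


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for lines we do not triage."""
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        return Entry(m.group("kind"), m.group("name"), cmd, image_from_command(cmd))
    m = COM_RE.match(line)
    if m:
        target = m.group("target").strip()
        return Entry(m.group("kind"), m.group("name") or m.group("clsid"),
                     target, image_from_command(target))
    return None


def assess(entry: Entry) -> Entry:
    """Attach a reason for every heuristic the entry trips."""
    if entry.image is None:
        if entry.raw.lower() == "<orphaned>":
            entry.reasons.append("CLSID still registered but its file is gone")
        else:
            entry.reasons.append("no recognisable image path in: " + entry.raw)
        return entry
    low = entry.image.lower()
    for marker in USER_WRITABLE:
        if marker in low:
            entry.reasons.append("image under user-writable path (%s)" % marker.strip("\\"))
            break
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return the entries from a DDS log that tripped at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


# Constructed sample: lines copied from the posted DDS log, with the long
# /mid= token of the AVG campaign updater removed for brevity.
SAMPLE_LOG = r"""
uStart Page = hxxps://duckduckgo.com/
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AVG-Secure-Search-Update_1113a] c:\documents and settings\administrator\application data\avg 1113a campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /CMPID=1113a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print("%-4s %-40s %s" % (e.kind, e.name, "; ".join(e.reasons)))
```

    On the sample it reports only the orphaned explorer bar and the AVG campaign updater running out of the Administrator profile; ctfmon, QuickTime, the AVG tray and the Adobe BHO pass. A flag is a prompt to look, not a verdict: plenty of legitimate updaters sit in Application Data, which is exactly why malware likes the same place.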
  2. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==========================================

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    Create a new restore point before proceeding with the next step.
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     
  3. bgc

    bgc Established Techie7 Member

    When the RogueKiller initial scan's blue progress line gets 1/4 across the screen, while checking svchost.exe, I get a 60-second warning and the system will shut down. I have restarted RogueKiller 4 times - is this normal? The message is: "Windows must now restart because DCOM Server Process launcher terminated unexpectedly." Also, the message contained something about "NT/Authority/System". I did notice that RogueKiller found some virus or malware while scanning svchost.exe. No logs.

    What next?

    Thanks
     
  4. bgc

    bgc Established Techie7 Member

    And, the system has been running faster during the 3-4 hours since my previous post.
     
  5. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    You may be infected with Zekos malware.
    See if MBAR will complete.
     
  6. bgc

    bgc Established Techie7 Member

    Yes. I did see a reference to Zekos during the scan. I will run the other program and post the logs. Thanks.
     
  7. bgc

    bgc Established Techie7 Member

    I ran MBAR - it found 26 malware problems and cleaned them. Restart is now very slow from "Windows is starting up" to "Ctrl-Alt-Del". After "Ctrl-Alt-Del" the screen icons appear for 60 seconds, then the system shutdown message appears as I described above when using RogueKiller. This happened about 6 times. Tried to get MBAR started again before the shutdown message appears - can't get anything to open.
     
  8. bgc

    bgc Established Techie7 Member

    I also tried to start the computer in Safe Mode - the shutdown message appeared earlier in the boot process, before the screen icons appear.
     
  9. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Using another working computer....
    • Download Farbar Recovery Scan Tool and save it to a flash drive.
    • Download OTLPENet.exe to your Desktop
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
    • Boot your BAD computer using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a Reatogo desktop.
    • Insert the flash drive with FRST on it
    • Open My Computer to locate the flash drive and run FRST
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  10. bgc

    bgc Established Techie7 Member

    I downloaded OTLPENet.exe to the desktop of my Lenovo laptop running Windows 8, put a disk in for burning, and ImgBurn gives the following message and log:

    No Writers Detected!

    Log:
    I 19:11:25 ImgBurn Version 2.5.1.0 started!
    I 19:11:25 Microsoft Windows XP Professional (5.1, Build 2600 : Service Pack 3)
    I 19:11:25 Total Physical Memory: 523,760 KB - Available: 218,072 KB
    I 19:11:25 Initialising SPTI...
    I 19:11:25 Searching for SCSI / ATAPI devices...
    I 19:11:25 -> Drive 1 - Info: MS C/DVD-ROM 3.0 (D:) (ATA)
    I 19:11:25 Found 1 DVD-ROM!

    Any idea why the burner can not be found by ImgBurn?

    Thanks
     
  11. broni

    broni Malware Annihilator Techie7 Moderator Head Security

  12. bgc

    bgc Established Techie7 Member

    I was eventually able to get OTLPENet.exe burned to disk on my laptop. The program may not have detected the CD burner I mentioned in the previous post because I was in "Windows Virtual PC", which gives me a Windows XP style screen. When I downloaded OTLPENet.exe to the desktop of Windows 7, I was able to burn the disk, but it did not go exactly as instructed. The program was on the desktop but ImgBurn never opened. I had to right-click on the program to burn the disk. Don't know if that makes a difference. And I did not have any blank CDs available, so I used a DVD+RW. In the BAD computer is a Teac DW552G, and the Teac specs say it will read the DVD+RW disk. I assumed everything would load as described, but this disk is not being read. I changed the boot-up order to start with CD but the computer reacts like I did not change the boot drive. The system continues to load from the HDD. The BAD computer is a Dell Optiplex and the boot sequence is reached with F2. There is also an F12 option that will display the Boot Device Menu. If using a CD is mandatory I will get some more and burn. If ImgBurn is mandatory I do not know how to get to it; double-clicking on OTLPENet.exe opens a window asking if I want to allow the program to make changes to the computer (laptop). Thanks.
     
  13. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Yes, it's better if you try a blank CD instead of a DVD.
     
  14. bgc

    bgc Established Techie7 Member

    Here is the log requested:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:02-06-2014
    Ran by SYSTEM on REATOGO on 05-06-2014 00:04:31
    Running from G:\
    Platform: Microsoft Windows XP (X86) OS Language: English(US)
    Internet Explorer Version 8
    Boot Mode: Recovery

    The current controlset is ControlSet003
    ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


    The only official download link for FRST:
    Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
    Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
    Download link from any site other than Bleeping Computer is unpermitted or outdated.
    See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Registry (Whitelisted) ==================

    HKLM\...\Run: [DLA] => C:\WINDOWS\System32\DLA\DLACTRLW.EXE [122940 2005-09-08] (Sonic Solutions)
    HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [385024 2008-02-01] (Apple Inc.)
    HKLM\...\Run: [Info Center] => C:\Program Files\PCPitstop\Info Center\InfoCenter.exe [26264 2012-01-31] (PC Pitstop LLC)
    HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2004-07-27] (InstallShield Software Corporation)
    HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [931200 2012-03-26] (Microsoft Corporation)
    HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2014\avgui.exe [5180432 2014-04-07] (AVG Technologies CZ, s.r.o.)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxsrvc.dll (Intel Corporation)
    HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
    HKU\Administrator\...\Run: [AVG-Secure-Search-Update_1113a] => C:\Documents and Settings\Administrator\Application Data\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=e09d66ab3833d67674561a1882f787ec-67831d2594c69cce441cb969e397e8d512b2267f /CMPID=1113a

    ========================== Services (Whitelisted) =================

    S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3645456 2014-04-18] (AVG Technologies CZ, s.r.o.)
    S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [291912 2014-03-28] (AVG Technologies CZ, s.r.o.)
    S2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [590712 2007-04-13] (Microsoft Corporation)
    S2 JavaQuickStarterService; C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe [161704 2012-07-06] (Oracle Corporation)
    S2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [11552 2012-03-26] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    S2 Aspi32; C:\Windows\System32\Drivers\Aspi32.sys [17101 2001-12-10] (Adaptec)
    S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [123160 2014-03-28] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [199960 2014-04-18] (AVG Technologies CZ, s.r.o.)
    S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [150296 2014-03-28] (AVG Technologies CZ, s.r.o.)
    S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22296 2014-03-28] (AVG Technologies CZ, s.r.o.)
    S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [193304 2014-03-28] (AVG Technologies CZ, s.r.o.)
    S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [238872 2014-03-28] (AVG Technologies CZ, s.r.o.)
    S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [108312 2014-03-31] (AVG Technologies CZ, s.r.o.)
    S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [28440 2014-03-28] (AVG Technologies CZ, s.r.o.)
    S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [211224 2014-03-31] (AVG Technologies CZ, s.r.o.)
    S2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)
    S1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
    S2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)
    S2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)
    S2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)
    S2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)
    S1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
    S2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)
    S2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)
    S2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
    S3 E1000; C:\Windows\System32\DRIVERS\e1000325.sys [171152 2007-11-07] (Intel Corporation)
    S3 HPZid412; C:\Windows\System32\DRIVERS\HPZid412.sys [49664 2006-04-12] (HP)
    S3 HPZipr12; C:\Windows\System32\DRIVERS\HPZipr12.sys [16496 2006-04-12] (HP)
    S3 HPZius12; C:\Windows\System32\DRIVERS\HPZius12.sys [21568 2006-04-12] (HP)
    S3 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [52312 2014-06-03] (Malwarebytes Corporation)
    S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
    S3 prepdrvr; C:\WINDOWS\system32\CCM\prepdrv.sys [23416 2007-04-13] (Microsoft Corporation)
    S3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [26624 2014-06-01] ()
    S4 hpt3xx; No ImagePath
    S4 IntelIde; No ImagePath
    S1 RCHelp;
    S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========

    2014-06-05 00:04 - 2014-06-05 00:04 - 00000000 ____D () C:\FRST
    2014-06-03 16:57 - 2014-06-03 16:57 - 00024166 _____ () C:\Documents and Settings\Administrator\temp.reg
    2014-06-03 15:52 - 2014-06-03 16:58 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
    2014-06-03 15:52 - 2014-06-03 15:52 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
    2014-06-03 15:48 - 2014-06-03 17:24 - 00052312 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
    2014-06-03 15:48 - 2014-06-03 16:51 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\mbar
    2014-06-02 19:21 - 2014-06-02 19:21 - 00090112 _____ () C:\Windows\Minidump\Mini060214-03.dmp
    2014-06-02 19:13 - 2014-06-02 19:13 - 00090112 _____ () C:\Windows\Minidump\Mini060214-02.dmp
    2014-06-02 19:05 - 2014-06-02 19:05 - 00090112 _____ () C:\Windows\Minidump\Mini060214-01.dmp
    2014-06-01 00:20 - 2014-06-01 00:20 - 00000000 ____S () C:\Windows\System32\yayzdr.wml
    2014-05-31 23:46 - 2014-06-01 00:44 - 00026624 _____ () C:\Windows\System32\Drivers\TrueSight.sys
    2014-05-31 23:46 - 2014-05-31 23:46 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
    2014-05-31 23:42 - 2014-05-31 23:42 - 04668928 _____ () C:\Documents and Settings\Administrator\Desktop\RogueKiller.exe
    2014-05-31 17:01 - 2014-05-31 17:01 - 00014983 _____ () C:\Documents and Settings\Administrator\Desktop\attach.txt
    2014-05-31 17:01 - 2014-05-31 17:00 - 00007667 _____ () C:\Documents and Settings\Administrator\Desktop\dds.txt
    2014-05-31 13:41 - 2014-05-31 13:42 - 00688992 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.com
    2014-05-29 17:42 - 2014-05-29 17:42 - 00000000 ____S () C:\Windows\System32\ycwd.fdq
    2014-05-28 16:24 - 2014-05-30 05:33 - 00000000 ____D () C:\Program Files\Mozilla Firefox
    2014-05-10 21:20 - 2014-05-10 21:35 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Canon 6d

    ==================== One Month Modified Files and Folders =======

    2014-06-05 00:35 - 2013-11-02 00:35 - 01873060 _____ () C:\Windows\WindowsUpdate.log
    2014-06-05 00:35 - 2013-11-02 00:35 - 00000275 _____ () C:\Windows\wiadebug.log
    2014-06-05 00:35 - 2007-11-09 15:50 - 00032556 _____ () C:\Windows\SchedLgU.Txt
    2014-06-05 00:34 - 2013-11-02 00:35 - 00000048 _____ () C:\Windows\wiaservc.log
    2014-06-05 00:33 - 2012-04-21 22:36 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
    2014-06-05 00:04 - 2014-06-05 00:04 - 00000000 ____D () C:\FRST
    2014-06-04 00:25 - 2007-11-09 15:50 - 00000278 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
    2014-06-04 00:23 - 2013-11-02 00:34 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
    2014-06-03 17:24 - 2014-06-03 15:48 - 00052312 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
    2014-06-03 17:01 - 2012-04-23 19:34 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\PCPitstop
    2014-06-03 16:58 - 2014-06-03 15:52 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
    2014-06-03 16:57 - 2014-06-03 16:57 - 00024166 _____ () C:\Documents and Settings\Administrator\temp.reg
    2014-06-03 16:51 - 2014-06-03 15:48 - 00000000 ____D () C:\Documents and Settings\Administrator\Desktop\mbar
    2014-06-03 16:51 - 2007-11-09 07:31 - 00520586 _____ () C:\Windows\System32\PerfStringBackup.INI
    2014-06-03 16:45 - 2014-04-10 15:13 - 00000664 _____ () C:\Windows\System32\d3d9caps.dat
    2014-06-03 15:52 - 2014-06-03 15:52 - 00107224 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
    2014-06-03 15:47 - 2014-04-10 15:19 - 00000078 _____ () C:\Windows\System32\hnjycqx.ljm
    2014-06-03 13:20 - 2011-09-29 03:46 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Files from laptop 2006
    2014-06-03 11:36 - 2008-12-07 02:37 - 00012800 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2014-06-03 07:52 - 2012-01-12 13:21 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
    2014-06-03 00:34 - 2011-09-29 03:50 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\PMI
    2014-06-03 00:33 - 2011-09-29 03:50 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\PLAYA HOUSE
    2014-06-02 23:36 - 2011-09-29 03:45 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Credit Report
    2014-06-02 19:23 - 2001-08-23 08:00 - 00002206 _____ () C:\Windows\System32\wpa.dbl
    2014-06-02 19:22 - 2008-03-06 15:12 - 00000494 _____ () C:\Windows\SMSCFG.ini
    2014-06-02 19:21 - 2014-06-02 19:21 - 00090112 _____ () C:\Windows\Minidump\Mini060214-03.dmp
    2014-06-02 19:21 - 2010-10-01 17:26 - 00000000 ____D () C:\Windows\Minidump
    2014-06-02 19:21 - 2007-11-27 19:15 - 00000000 __SHD () C:\Windows\CSC
    2014-06-02 19:13 - 2014-06-02 19:13 - 00090112 _____ () C:\Windows\Minidump\Mini060214-02.dmp
    2014-06-02 19:05 - 2014-06-02 19:05 - 00090112 _____ () C:\Windows\Minidump\Mini060214-01.dmp
    2014-06-02 15:41 - 2011-09-29 03:43 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\_LAX_WINDOWS
    2014-06-02 15:36 - 2010-11-06 20:19 - 00002497 _____ () C:\Documents and Settings\Administrator\Desktop\Microsoft Office Word 2003 (2).lnk
    2014-06-01 02:49 - 2013-02-05 14:57 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\LOCATION INFO
    2014-06-01 00:44 - 2014-05-31 23:46 - 00026624 _____ () C:\Windows\System32\Drivers\TrueSight.sys
    2014-06-01 00:20 - 2014-06-01 00:20 - 00000000 ____S () C:\Windows\System32\yayzdr.wml
    2014-06-01 00:11 - 2013-02-11 21:12 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
    2014-05-31 23:46 - 2014-05-31 23:46 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
    2014-05-31 23:42 - 2014-05-31 23:42 - 04668928 _____ () C:\Documents and Settings\Administrator\Desktop\RogueKiller.exe
    2014-05-31 17:01 - 2014-05-31 17:01 - 00014983 _____ () C:\Documents and Settings\Administrator\Desktop\attach.txt
    2014-05-31 17:00 - 2014-05-31 17:01 - 00007667 _____ () C:\Documents and Settings\Administrator\Desktop\dds.txt
    2014-05-31 13:42 - 2014-05-31 13:41 - 00688992 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.com
    2014-05-30 05:33 - 2014-05-28 16:24 - 00000000 ____D () C:\Program Files\Mozilla Firefox
    2014-05-29 17:42 - 2014-05-29 17:42 - 00000000 ____S () C:\Windows\System32\ycwd.fdq
    2014-05-27 23:38 - 2014-03-24 13:30 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Auto purchase
    2014-05-27 23:38 - 2011-09-29 03:45 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Delorean
    2014-05-25 22:00 - 2011-09-29 03:50 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\SAAB
    2014-05-18 17:39 - 2013-03-10 23:57 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Quicken data files
    2014-05-14 03:55 - 2008-11-19 20:14 - 00002495 _____ () C:\Documents and Settings\Administrator\Desktop\Microsoft Office Excel 2003.lnk
    2014-05-13 20:28 - 2007-11-09 18:12 - 00000000 __SHD () C:\Documents and Settings\Administrator\UserData
    2014-05-13 20:12 - 2014-04-23 22:10 - 00106496 _____ () C:\Documents and Settings\Administrator\Desktop\new car offer spreadsheet.xls
    2014-05-13 20:12 - 2014-04-02 23:13 - 00033792 _____ () C:\Documents and Settings\Administrator\Desktop\New Car calculator.xls
    2014-05-10 21:35 - 2014-05-10 21:20 - 00000000 ____D () C:\Documents and Settings\Administrator\My Documents\Canon 6d
    ZeroAccess:
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Desktop\Install
    ZeroAccess:
    C:\Program Files\Google\Desktop\Install

    Files to move or delete:
    ====================
    C:\Documents and Settings\Administrator\temp.reg


    ==================== Known DLLs (Whitelisted) ============


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll
    [2007-11-09 20:05] - [2009-02-09 08:10] - 0404480 ____A (Microsoft Corporation) c9a2c89d041fcf5d020c368a2988bc7f

    ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== Restore Points (XP) =====================

    RP: -> 2014-06-03 16:47 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1371

    RP: -> 2014-06-03 15:39 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1370

    RP: -> 2014-06-02 22:26 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1369

    RP: -> 2014-06-01 22:15 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1368

    RP: -> 2014-05-31 21:38 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1367

    RP: -> 2014-05-30 17:44 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1366

    RP: -> 2014-05-29 17:23 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1365

    RP: -> 2014-05-28 13:16 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1364

    RP: -> 2014-05-27 12:26 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1363

    RP: -> 2014-05-26 12:06 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1362

    RP: -> 2014-05-25 10:55 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1361

    RP: -> 2014-05-24 09:49 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1360

    RP: -> 2014-05-23 08:46 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1359

    RP: -> 2014-05-22 07:46 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1358

    RP: -> 2014-05-21 06:47 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1357

    RP: -> 2014-05-20 05:47 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1356

    RP: -> 2014-05-19 05:28 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1355

    RP: -> 2014-05-18 04:20 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1354

    RP: -> 2014-05-17 02:32 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1353

    RP: -> 2014-05-16 02:09 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1352

    RP: -> 2014-05-14 23:47 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1351

    RP: -> 2014-05-13 22:47 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1350

    RP: -> 2014-05-12 21:52 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1349

    RP: -> 2014-05-11 21:47 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1348

    RP: -> 2014-05-10 21:44 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1347

    RP: -> 2014-05-10 20:09 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1346

    RP: -> 2014-05-10 07:44 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1345

    RP: -> 2014-05-09 06:39 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1344

    RP: -> 2014-05-08 05:53 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1343

    RP: -> 2014-05-07 05:25 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1342

    RP: -> 2014-05-06 02:47 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1341

    RP: -> 2014-05-05 02:19 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1340

    RP: -> 2014-05-04 00:14 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1339

    RP: -> 2014-05-02 20:32 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1338

    RP: -> 2014-05-01 17:09 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1337

    RP: -> 2014-04-30 14:41 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1336

    RP: -> 2014-04-29 13:09 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1335

    RP: -> 2014-04-28 12:10 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1334

    RP: -> 2014-04-27 11:10 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1333

    RP: -> 2014-04-26 11:09 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1332

    RP: -> 2014-04-25 10:10 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1331

    RP: -> 2014-04-24 09:09 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1330

    RP: -> 2014-04-23 08:21 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1329

    RP: -> 2014-04-22 08:09 - 032768 _restore{989A3549-8FBC-458B-AFFD-C1637E7ADE3D}\RP1328


    ==================== Memory info ===========================

    Percentage of memory in use: 19%
    Total physical RAM: 1022.99 MB
    Available physical RAM: 820.73 MB
    Total Pagefile: 906.68 MB
    Available Pagefile: 843.52 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2000.22 MB

    ==================== Drives ================================

    Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    Drive c: () (Fixed) (Total:37.27 GB) (Free:17.24 GB) NTFS ==>[Drive with boot components (Windows XP)]
    Drive d: () (Fixed) (Total:19.41 GB) (Free:9.75 GB) NTFS ==>[Drive with boot components (Windows XP)]
    Drive g: (HP v125w) (Removable) (Total:15.22 GB) (Free:8.22 GB) FAT32
    Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 37 GB) (Disk ID: A727A727)
    Partition 1: (Active) - (Size=37 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 19 GB) (Disk ID: C0FFC0FF)
    Partition 1: (Active) - (Size=19 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 4 (MBR Code: Windows XP) (Size: 15 GB) (Disk ID: C3072E18)
    Partition 1: (Not Active) - (Size=15 GB) - (Type=0C)

    ==================== End Of Log ============================
     
  15. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Yes, you're infected with Zekos malware (at least).

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    rpcss.dll

    Click Search button and post the log (Search.txt) it makes in your reply.
     
  16. bgc

    bgc Established Techie7 Member

    Thank you for your response. There were 2 search buttons: Search Files & Search Registry. Below is the log for Files:


    Farbar Recovery Scan Tool (x86) Version:02-06-2014
    Ran by SYSTEM at 2014-06-05 22:11:41
    Running from G:\
    Boot Mode: Recovery

    ================== Search: "rpcss.dll" ===================

    C:\WINDOWS\system32\rpcss.dll
    [2007-11-09 20:05] - [2009-02-09 08:10] - 0404480 ____A (Microsoft Corporation) c9a2c89d041fcf5d020c368a2988bc7f

    C:\WINDOWS\system32\dllcache\rpcss.dll
    [2012-05-03 23:02] - [2009-02-09 08:10] - 0404480 ___AC (Microsoft Corporation) c9a2c89d041fcf5d020c368a2988bc7f

    C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
    [2004-08-04 03:56] - [2008-04-13 20:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

    C:\WINDOWS\ERDNT\cache\rpcss.dll
    [2012-04-21 22:34] - [2008-04-13 20:12] - 0399360 ____A (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

    C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
    [2012-05-04 03:56] - [2008-04-13 20:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

    C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
    [2008-09-10 13:36] - [2005-07-26 00:39] - 0397824 ____C (Microsoft Corporation) ce94a2bd25e3e9f4d46a7373ff455c6d

    C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
    [2012-05-03 23:02] - [2009-02-09 06:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

    X:\I386\SYSTEM32\RPCSS.DLL
    [2004-08-03 21:07] - [2004-08-03 21:07] - 0395776 ____R (Microsoft Corporation) 5c83a4408604f737717ab96371201680

    === End Of Search ===
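    As an added example (not part of this thread and not FRST's own tooling): a small Python parser for the Search.txt block above that groups the rpcss.dll copies by MD5 and reports which copies agree with the live file, which is the check the log's ATTENTION line asks the reader to do by hand. The sample input is constructed from the post's own log entries, and the two-line path/detail layout is assumed from that log.

```python
import re
from collections import defaultdict

# Constructed sample input: the "Search: rpcss.dll" block from the FRST log in the
# post above, cut down to four of its eight entries; paths, sizes, timestamps and
# MD5s are exactly as that log shows them.
SAMPLE_SEARCH_LOG = r"""
================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2007-11-09 20:05] - [2009-02-09 08:10] - 0404480 ____A (Microsoft Corporation) c9a2c89d041fcf5d020c368a2988bc7f

C:\WINDOWS\system32\dllcache\rpcss.dll
[2012-05-03 23:02] - [2009-02-09 08:10] - 0404480 ___AC (Microsoft Corporation) c9a2c89d041fcf5d020c368a2988bc7f

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2004-08-04 03:56] - [2008-04-13 20:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

X:\I386\SYSTEM32\RPCSS.DLL
[2004-08-03 21:07] - [2004-08-03 21:07] - 0395776 ____R (Microsoft Corporation) 5c83a4408604f737717ab96371201680

=== End Of Search ===
"""

# An FRST detail line (layout assumed from the log): [created] - [modified] - size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)


def parse_frst_search(text):
    """One dict per file: FRST prints the path on one line and the detail
    line (matched by DETAIL_RE) on the next; banners and blanks are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if not path or path.startswith("=") or m is None:
            continue
        entry = m.groupdict()
        entry["path"] = path
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].lower()
        entries.append(entry)
    return entries


def compare_copies(entries, live_path=r"C:\WINDOWS\system32\rpcss.dll"):
    """Relate the live copy of the DLL to every other copy FRST found.

    FRST's hint is that a hash seen nowhere else is suspicious. The converse is
    not a clean bill: dllcache is on the same writable volume and is what Windows
    File Protection restores from, so a patch applied to both leaves them agreeing.
    Copies with another modified date and size (service pack, hotfix backup, the
    boot CD) are normally older builds, so a differing hash there is a reference
    for a lookup, not proof of tampering. Returns None if live_path is absent."""
    by_md5 = defaultdict(list)
    for e in entries:
        by_md5[e["md5"]].append(e["path"])
    live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
    if live is None:
        return None
    agreeing = [p for p in by_md5[live["md5"]] if p != live["path"]]
    others = {e["md5"]: (e["path"], e["size"], e["modified"])  # one representative per hash
              for e in entries if e["md5"] != live["md5"]}
    return {"live_md5": live["md5"], "live_size": live["size"],
            "agreeing": agreeing, "unique": not agreeing, "other_hashes": others}


if __name__ == "__main__":
    report = compare_copies(parse_frst_search(SAMPLE_SEARCH_LOG))
    print("live md5:", report["live_md5"], "shared with:", report["agreeing"] or "nobody")
    for md5, (path, size, modified) in report["other_hashes"].items():
        print(f"differs: {path} [{modified}] {size} bytes {md5}")
```

On the log above the live copy and its dllcache copy share one hash with the same modified date and size, so the hash is not unique locally; the lookup of that hash against a known-good source is still the step that decides.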
     
  17. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    I'm sorry I missed your reply :)

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.
     


  18. bgc

    bgc Established Techie7 Member

    I am still booted with OTLPE via CD from a few days ago. Can I continue or, should I shut down and reboot?
    Thanks
     
  19. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    You can continue.
     
  20. bgc

    bgc Established Techie7 Member

    I just noticed a pop up window for "Window Blinds 4" is in the middle of my desktop screen on the BAD computer that was booted from CD a few days ago - there does not appear to be any way to close the window. Should I work around it, or close and reboot? Is it part of the OTLPE program?