ekih Posted October 8, 2014

I have tried many times using Malware removal, Malwarebytes Anti-Malware, SUPERAntiSpyware Free Edition and a few more. They say they find and fix but nothing seems to change. I keep getting many pop-up ads. Also get many redirects and words on pages that display as links. I went into Add and Remove Programs and got rid of anything I didn't recognize.

On the bottom of some ads: (Ad by browser extension / close). When clicking on the "Ad by browser extension" a new window pops up, as below, telling me how to disable extensions. I tried to disable an extension, but could not find anything, as seen below.

Any ideas?
Thanks
James

http://download.blee...om/sUBs/dds.com

Download DDS from the link above and save it to your desktop.
Disable any script blocking protection (How to Disable your Security Programs)
Vista/Win7: right click on the DDS icon and select "Run as Administrator" to run the tool (may take up to 3 minutes to run). XP: just double click the icon to run the tool.
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.
Please post the contents of the DDS.txt and Attach.txt logs in a new thread that you start here > http://forums.pcpits...-been-hijacked/

dds.txt attach.txt
Juliet Posted October 9, 2014

Seems like it's been a long time since I tried to work on an XP system.

We need to reset browsers first.

Open Internet Explorer, click on the gear icon in the upper right part of your browser, then click again on Internet Options.
In the Internet Options dialog box, click on the Advanced tab, then click on the Reset button.
In the Reset Internet Explorer settings section, select the Delete personal settings check box, then click on the Reset button.
When Internet Explorer has completed its task, click on the Close button in the confirmation dialogue box. You will now need to close your browser.

If you're having problems with Firefox, resetting it can help. The reset feature fixes many issues by restoring Firefox to its factory default state while saving your essential information like bookmarks, passwords, web form auto-fill information, browsing history and open tabs.

In the upper-right corner of the Firefox window, click the Firefox menu button (3 thin lines), then click on the Help (light blue question mark) button.
From the Help menu, choose Troubleshooting Information. If you're unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting Information page.
Click the Reset Firefox button in the upper-right corner of the Troubleshooting Information page.
To continue, click on the Reset Firefox button in the new confirmation window that opens.
Firefox will close itself and will revert to its default settings. When it's done, a window will list the information that was imported. Click on Finish.

Note: Your old Firefox profile will be placed on your desktop in a folder named Old Firefox Data. If the reset didn't fix your problem you can restore some of the information not saved by copying files to the new profile that was created. If you don't need this folder any longer, you should delete it as it contains sensitive information.

Let's set Chrome back to factory defaults.

Click the Chrome menu on the browser toolbar.
Select Settings.
Scroll down to Show advanced settings...
Down on the bottom you will see an option for RESET BROWSER SETTINGS.
Click on it and it will set Chrome back to defaults.

Click on Chrome's main menu button, represented by three horizontal lines. When the drop-down menu appears, select the option labeled Settings.
Chrome's Settings should now be displayed in a new tab or window, depending on your configuration. Next, scroll to the bottom of the page and click on the Show advanced settings link.
Chrome's advanced Settings should now be displayed. Scroll down until the Reset browser settings section is visible, as shown in the example below. Next, click on the Reset browser settings button.
A confirmation dialog should now be displayed, detailing the components that will be restored to their default state should you continue on with the reset process. To complete the restoration process, click on the Reset button.

~~~~~~~~~~~~~~~~~~~~~

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure which version: Start --> Computer (right click) --> Properties) (To use correct version for your system.....Which system am I using?)
Run FRST.
Don't change the checkboxes, just click on Scan.
Logfiles are created on your desktop.
Post the FRST.txt.
The first time the tool is run it generates another log, Addition.txt - please also paste that along with the FRST.txt into your reply.
ekih Posted October 9, 2014

After resetting Mozilla and restarting I haven't seen any pop-ups etc., at least going to this site for my reply. The files are attached as asked.

FRST.txt Addition.txt
Juliet Posted October 9, 2014

"After resetting Mozilla and restarting I haven't seen any pop-ups etc."

Good deal.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin.
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr
rkill.pif
WiNlOgOn.exe
uSeRiNiT.exe

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy. Paste this into the open Notepad and save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite an existing one, please allow).

start
CloseProcesses:
HKU\S-1-5-21-4142387912-4139637370-1198486558-1005\...\Run: [] => [X]
Toolbar: HKCU - No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
Task: C:\WINDOWS\Tasks\Express FilesUpdate.job => D:\Program Files\ExpressFiles\EFUpdater.exe <==== ATTENTION
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AdwCleaner by Xplode

Click on this link to download: ADWCleaner
Click on ONE of the two blue Download Now buttons that have a blue arrow beside them and save it to your desktop.
Do not click on any links in the top Advertisement.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean".
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always reinstall it.

~~~~~~~~~~~~

Please post
RKill log
Fixlog.txt
C:\AdwCleaner.txt

Edited October 10, 2014 by Juliet
ekih Posted October 11, 2014

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-10-2014 01
Ran by NCC at 2014-10-10 20:04:25 Run:1
Running from C:\Documents and Settings\NCC\Desktop\Downloads
Loaded Profile: NCC (Available profiles: NCC & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-4142387912-4139637370-1198486558-1005\...\Run: [] => [X]
Toolbar: HKCU - No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
Task: C:\WINDOWS\Tasks\Express FilesUpdate.job => D:\Program Files\ExpressFiles\EFUpdater.exe <==== ATTENTION
EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
HKU\S-1-5-21-4142387912-4139637370-1198486558-1005\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => value deleted successfully.
"HKCR\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} => value deleted successfully.
"HKCR\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}" => Key not found.
C:\WINDOWS\Tasks\Express FilesUpdate.job => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 150.8 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====
ekih Posted October 11, 2014

# AdwCleaner v3.311 - Report created 10/10/2014 at 20:34:00
# Updated 30/09/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : NCC - GOSS-CONTROL
# Running from : C:\Documents and Settings\NCC\Desktop\Downloads\AdwCleaner.exe
# Option : Clean
ekih Posted October 11, 2014

At the end of your last post there is this text. Was I to post some more info?

"Please post
RKill log
Fixlog.txt
C:\AdwCleaner.txt"
Juliet Posted October 11, 2014

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin.
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr
rkill.pif
WiNlOgOn.exe
uSeRiNiT.exe

~~~~~~~~~~~~~~~

Please run a Threat Scan with Malwarebytes' Anti-Malware.

If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link.
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on History > Application Logs, find your scan log and open it, then click on the "copy to clipboard" button and post back the results on your next reply.

Please post
RKill log
Malwarebytes log

Tell me what your computer is doing now?
ekih Posted October 13, 2014

Malware log was clear, computer seems to be just great. Since you directed me to the Malwarebytes Anti-Malware app, I take it this is a good program for keeping?

Thanks very much for your help.
James

RKILL-LOG

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/12/2014 05:00:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * No malware processes found to kill.

Checking Registry for malware related settings:
 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * Windows Firewall Disabled
   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

Checking Windows Service Integrity:
 * wuauserv [Missing Service]

Searching for Missing Digital Signatures:
 * No issues found.

Checking HOSTS File:
 * HOSTS file entries found:
   127.0.0.1 localhost

Program finished at: 10/12/2014 05:01:21 PM
Execution time: 0 hours(s), 0 minute(s), and 27 seconds(s)

MALWAREBYTES-LOG

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/12/2014
Scan Time: 5:03:52 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.12.08
Rootkit Database: v2014.10.11.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: NCC

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320537
Time Elapsed: 5 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
Juliet Posted October 13, 2014

"Malware log was clear, computer seems to be just great. Since you directed me to the Malwarebytes Anti-Malware app, I take it this is a good program for keeping? Thanks very much for your help. James"

Glad to hear the computer is working well. MBAM (Malwarebytes Anti-Malware) is highly recommended to everyone. We're glad to help.

~~~~~~~~~~~~~~~~~~~~~~~~

Download Farbar Service Scanner.
Checkmark all the boxes.
Click on "Scan".
Please copy and paste the log to your reply.

~~~~~~~~~~~~~~~~~~~~

What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner. Most reliable and thorough.

The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.

This scanner can take quite a bit of time to run, depending of course on how full your computer is.

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut and select Run as Administrator.

Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.

Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
Click the blue Run ESET Online Scanner button.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the program to install the "OnlineScanner.cab" ActiveX control by clicking the Install button.
Once the ActiveX control is installed, on the next screen click on Enable detection of potentially unwanted applications.
Click on Advanced Settings.
Make sure that the option Remove found threats is unticked.
Ensure these options are ticked:
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click Start.
Wait for the scan to finish.
When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
Close the ESET online scan.

*************************************

Please post these 2 logs.
ekih Posted October 13, 2014

Doing online scanner from ESET now.

Farbar Service Scanner Version: 21-07-2014
Ran by NCC (administrator) on 12-10-2014 at 20:15:29
Running from "C:\Documents and Settings\NCC\Desktop\Downloads\Malware"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.

Windows Autoupdate Disabled Policy:
============================

Other Services:
==============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(6) IPSec(4) kl2(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000800000004000000010000000200000003000000050000000600000007000000

**** End of log ****
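The Farbar Service Scanner log above, read programmatically: an added example that is not part of the original thread and not code from the FSS project. It assumes the log's original line breaks (lost in the forum rendering) and only the line patterns visible in the post; `parse_fss` and `Finding` are names invented here, and the sample is an excerpt of the posted log with line breaks restored.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # FSS section heading the line appeared under
    kind: str      # service-stopped | start-type | attention | policy | file
    detail: str


# Constructed sample: excerpt of the log posted above, line breaks restored.
SAMPLE_LOG = r"""Farbar Service Scanner Version: 21-07-2014
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

File Check:
========
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\."
)
ATTENTION = re.compile(r"^Checking (.+?): ATTENTION!=+> (.+)$")
REG_DWORD = re.compile(r'^"(\w+)"=DWORD:(\d+)$')
SIGNED_OK = "File is digitally signed"


def parse_fss(log: str) -> List[Finding]:
    """Return the lines of an FSS log that need follow-up, tagged by section."""
    lines = [ln.strip() for ln in log.splitlines()]
    findings: List[Finding] = []
    section = "header"
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A section heading is a "Name:" line underlined by a row of '='.
        if line.endswith(":") and nxt and set(nxt) == {"="}:
            section = line[:-1]
            continue
        if not line or set(line) == {"="}:
            continue

        m = NOT_RUNNING.match(line)
        if m:
            findings.append(Finding(section, "service-stopped", m.group(1)))
            continue
        m = START_TYPE.match(line)
        if m and m.group(2) != m.group(3):
            name, current, default = m.groups()
            findings.append(
                Finding(section, "start-type", f"{name}: {current} (default {default})")
            )
            continue
        m = ATTENTION.match(line)
        if m:
            findings.append(Finding(section, "attention", f"{m.group(1)}: {m.group(2)}"))
            continue
        m = REG_DWORD.match(line)
        # EnableFirewall = 0 turns Windows Firewall off for that profile.
        if m and m.group(1) == "EnableFirewall" and int(m.group(2)) == 0:
            findings.append(Finding(section, "policy", "EnableFirewall=0"))
            continue
        # Assumption: any File Check status other than the signed message needs review.
        if section == "File Check" and " => " in line:
            path, status = line.split(" => ", 1)
            if status != SIGNED_OK:
                findings.append(Finding(section, "file", f"{path}: {status}"))
    return findings


if __name__ == "__main__":
    for f in parse_fss(SAMPLE_LOG):
        print(f"[{f.section}] {f.kind}: {f.detail}")
```

On the sample it reports the stopped and disabled firewall service, the `EnableFirewall=0` policy value and the missing `wuauserv` service key, the same items the RKill log earlier in the thread lists as "Windows Firewall Disabled" and "wuauserv [Missing Service]".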
Juliet Posted October 13, 2014

"Doing online scanner from ESET now."
ekih Posted October 13, 2014

Here it is.
C:\ is my main drive
D:\ is the same drive but used for my data
F & G are my backup drive.
Juliet Posted October 13, 2014

Is this a genuine, validated copy of Windows XP?
ekih Posted October 14, 2014

I had to think about that for a sec. Yes it is, it was an old computer that was no longer needed from a site. I have been using it for at least 3 years now. It would have had a valid copy of Win XP come installed. I would have cloned the drive it came with and installed a new larger HD. Why do you ask?

Edited October 14, 2014 by ekih
Juliet Posted October 14, 2014

APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar

The above comes mostly from torrent sites which, if I'm not wrong, are pirated copies made available for download. You had infected backups; a clean one can be made when we're done.

~~~~~

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy. Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work. It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CloseProcesses:
C:\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe
C:\Documents and Settings\NCC\Desktop\Downloads\Player.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\M1uwW0@47z8gRpK8sULXXLivB.com.xpi
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\ffxtlbr@zonealarm.com\uninstall.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\uninstall.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmApp.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmEng.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmsrv.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll
C:\Program Files\CheckPoint\Install\CUninstallerZA.exe
C:\Program Files\CheckPoint\Install\zatb.exe
C:\Program Files\Vuze\bunndle.zip
C:\Program Files\Vuze\.install4j\user\BunndleOfferManager.dll
C:\Program Files\Vuze\.install4j\user\VuzeToolbar-stub-1.exe
C:\UBCD4Win\BartPE\PROGRAMS\ExpressBurn\expressburn.exe
C:\UBCD4Win\BartPE\PROGRAMS\SysInfo\sysinfo.7z
C:\UBCD4Win\plugin\CDBurning\ExpressBurn\expressburn.exe
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe
C:\UBCD4Win\plugin\System-Info\Information\SysInfo\sysinfo.7z
D:\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
D:\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
D:\Backup\Firefox and Thunderbird\firefox\Firefox 32.0.3 (x86 en-US) - 2014-10-08.pcv
D:\Program Files\ExpressFiles\ExpressFiles.exe
D:\Program Files\ExpressFiles\uninstall.exe
F:\Documents and Settings\NCC\Local Settings\Application Data\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngin0.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngine.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz1.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote
F:\Documents and Settings\NCC\Local Settings\Temp\AskSLib.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\escortShld.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmApp.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmEng.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmsrv.exe
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\bh\zonealarm.dll
F:\Program Files\Conduit\Community Alerts\Alert.dll
F:\Program Files\Conduit\Community Alerts\Alert0.dll
F:\Program Files\ConduitEngine\ConduitEngin0.dll
F:\Program Files\ConduitEngine\ConduitEngine.dll
F:\Program Files\Vuze_Remote\tbVuz0.dll
F:\Program Files\Vuze_Remote\tbVuze.dll
F:\WINDOWS\Temp\AskSLib.dll
G:\Jan. 20-13\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
G:\Jan. 20-13\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
G:\Jan. 20-13\D\Program Files\ExpressFiles\ExpressFiles.exe
G:\Jan. 20-13\D\Program Files\ExpressFiles\uninstall.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\Player.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_110_780_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe
G:\MyBackup 10\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
G:\MyBackup 10\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
G:\MyBackup 10\D\Program Files\ExpressFiles\ExpressFiles.exe
G:\MyBackup 10\D\Program Files\ExpressFiles\uninstall.exe
EmptyTemp:
End

Open FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run. When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.
ekih Posted October 15, 2014

Here it is.
Juliet Posted October 15, 2014

How's the computer?
ekih Posted October 16, 2014

Aside from it being very old and out of date, all seems to be ok. Even before I did the last fix it was running normally as far as I could tell. No pop-ups etc. Click on a link and go there and no redirects.

We just started using Win7 at work a few months ago, it seems to run very well and quick. Would Win7 run on this old machine?
Juliet Posted October 17, 2014

Myself I like Windows 7......

If you are running Windows XP, please take the time to read the information provided at these links.

Windows XP - The Elephant In The Room
Windows XP - The end of the road

The above links supply a wealth of information.

Glad the issues of infection are gone. We need to remove the tools and quarantine folders.

Download Delfix from here
Ensure Remove disinfection tools is ticked
Also tick:
Create registry backup
Click Run
Purge system restore

Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.

~~~~~~~~~~~~~~

You're good to go, good job!

Please take the time to read over a few of my preventive tips.

Computer Security
http://malwareremoval.com/forum/viewtopic.php?p=557960#p557960

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know
CryptoLocker Ransomware Information Guide and FAQ

To help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

AdblockPlus
AdblockPlus, surf the web without annoying ads!
Blocks banners, pop-ups and video ads - even on Facebook and YouTube
Protects your online privacy
Two-click installation
It's free!
Click the icon that corresponds to your browser and download.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

WOT
Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Green should be good to go
Yellow for caution
Red to stop

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How to prevent Malware: Created by Miekiemoes

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.

See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755).

I would recommend that you completely uninstall Java unless you need it to run an important piece of software. In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

Avoid P2P
P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
USAToday
infoworld

*********************************************

Please read the following safe computing articles.

Secure My Computer: A Layered Approach
Free Antivirus-AntiSpyware-Firewall Software

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

It is possible for other programs on your computer to have a security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector, or you can use the following application for this purpose: PatchMyPC
ekih Posted October 17, 2014

I am away for work right now, but will go over the new info you have supplied and do the removals when I get back. Plus I will do a clean backup before anything else.

Over the years I have run into problems of various difficulty and have dealt with many people to help correct the problems. You by far have been the most helpful, most direct and precise that I have dealt with. I thank you for your patience and cooperation with helping me.

James

I must also thank Caintry_boy for starting me out with some help.
caintry_boy Posted October 17, 2014
Juliet Posted October 17, 2014

James, thank you so much for the compliment. We're glad to help
ekih Posted October 21, 2014

It is done. I am going to start looking at getting something else, I probably could get win7 on this machine but I know it would be a hassle in the long run.
Juliet Posted October 21, 2014

You're good to go, safe surfing!