ekih

post log as per caintry_boy instruction


I have tried many times using Malware removal, Malwarebytes Anti-Malware, SUPERAntiSpyware Free Edition and a few more.
They say they find and fix but nothing seems to change.
I keep getting many pop-up ads.

Also get many redirects and words on pages that display as links.
I went into add and remove programs and got rid of anything I didn't recognize.

On the bottom of some ads, (Ad by browser extension / close)

When clicking on the ad by browser extension a new window pops up, as below telling me how to disable extensions.

I tried to disable an extension, but could not find anything, as seen below.

Any ideas?
Thanks
James

 

http://download.blee...om/sUBs/dds.com

Download DDS from the link above and save it to your desktop. Disable any script blocking protection (How to Disable your Security Programs)
Vista/Win7 right click on the DDS icon and select "Run as Administrator" to run the tool (may take up to 3 minutes to run). XP just double click the icon to run the tool.
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.
Please post the contents of the DDS.txt and Attach.txt logs in a new thread that you start here > http://forums.pcpits...-been-hijacked/

dds.txt

attach.txt


Seems like it's been a long time since I tried to work on an XP system.

 

We need to reset browsers first.

 

 

Open Internet Explorer, click on the gear icon in the upper right part of your browser, then click again on Internet Options.

In the Internet Options dialog box, click on the Advanced tab, then click on the Reset button.

In the Reset Internet Explorer settings section, select the Delete personal settings check box, then click on Reset button.

When Internet Explorer has completed its task, click on the Close button in the confirmation dialogue box. You will now need to close your browser,

 

 

If you're having problems with Firefox, resetting it can help. The reset feature fixes many issues by restoring Firefox to its factory default state while saving your essential information like bookmarks, passwords, web form auto-fill information, browsing history and open tabs.

 

In the upper-right corner of the Firefox window, click the Firefox menu button (3 thin lines), then click on the Help (light blue question mark) button.

From the Help menu, choose Troubleshooting Information.

If you're unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting information page.

Click the Reset Firefox button in the upper-right corner of the Troubleshooting Information page.

To continue, click on the Reset Firefox button in the new confirmation window that opens.

Firefox will close itself and will revert to its default settings. When it's done, a window will list the information that was imported. Click on Finish.

 

Note: Your old Firefox profile will be placed on your desktop in a folder named Old Firefox Data. If the reset didn't fix your problem you can restore some of the information not saved by copying files to the new profile that was created. If you don't need this folder any longer, you should delete it as it contains sensitive information.

 

 

 

 

Let's set Chrome back to factory defaults

  • Click the Chrome menu on the browser toolbar.
  • Select Settings.
  • Scroll down to Show advanced settings...
  • Down on the bottom you will see an option for RESET BROWSER SETTINGS
  • Click on it and it will set Chrome back to defaults

Click on Chrome's main menu button, represented by three horizontal lines. When the drop-down menu appears, select the option labeled Settings.

Chrome's Settings should now be displayed in a new tab or window, depending on your configuration. Next, scroll to the bottom of the page and click on the Show advanced settings link.

Chrome's advanced Settings should now be displayed. Scroll down until the Reset browser settings section is visible, as shown in the example below. Next, click on the Reset browser settings button.

A confirmation dialog should now be displayed, detailing the components that will be restored to their default state should you continue on with the reset process. To complete the restoration process, click on the Reset button.

 

 

~~~~~~~~~~~~~~~~~~~~~

 

Scan with FRST in normal mode

 

Please download Farbar's Recovery Scan Tool to your desktop:

 

FRST 32bit or FRST 64bit (If not sure which version: Start --> Computer (right click) --> properties)

(To use correct version for your system.....Which system am I using?)

  • Run FRST
  • Don't change the checkboxes, just click on Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt
  • The first time the tool is run it generates another log Addition.txt - Please also paste that along with the FRST.txt into your reply.


After resetting Mozilla and restarting I haven't seen any pop-ups etc., at least going to this site for my reply.

The files are attached as asked.

 

FRST.txt

Addition.txt


After resetting Mozilla and restarting I haven't seen any pop-ups etc.

Good deal.

 

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 6 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

  • rkill.exe
  • rkill.com
  • rkill.scr
  • rkill.pif
  • WiNlOgOn.exe
  • uSeRiNiT.exe

    Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.

    Paste this into the open notepad. save it to the Desktop as fixlist.txt

    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

     

    start

    CloseProcesses:

    HKU\S-1-5-21-4142387912-4139637370-1198486558-1005\...\Run: [] => [X]

    Toolbar: HKCU - No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

    Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File

    Task: C:\WINDOWS\Tasks\Express FilesUpdate.job => D:\Program Files\ExpressFiles\EFUpdater.exe <==== ATTENTION

    EmptyTemp:

    Hosts:

    End

    Open FRST/FRST64 and press the Fix button just once and wait.

    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

     

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     

    -AdwCleaner-by Xplode

     

    Click on this link to download : ADWCleaner

    Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.

     

    Do not click on any links in the top Advertisement.

     

     


  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.
  • NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
  • ~~~~~~~~~~~~

     

    Please post

    RKill log

    Fixlog.txt

    C:\AdwCleaner.txt

Edited by Juliet


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-10-2014 01
Ran by NCC at 2014-10-10 20:04:25 Run:1
Running from C:\Documents and Settings\NCC\Desktop\Downloads
Loaded Profile: NCC (Available profiles: NCC & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-4142387912-4139637370-1198486558-1005\...\Run: [] => [X]
Toolbar: HKCU - No Name - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
Toolbar: HKCU - No Name - {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
Task: C:\WINDOWS\Tasks\Express FilesUpdate.job => D:\Program Files\ExpressFiles\EFUpdater.exe <==== ATTENTION
EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
HKU\S-1-5-21-4142387912-4139637370-1198486558-1005\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} => value deleted successfully.
"HKCR\CLSID\{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EEE6C35B-6118-11DC-9C72-001320C79847} => value deleted successfully.
"HKCR\CLSID\{EEE6C35B-6118-11DC-9C72-001320C79847}" => Key not found.
C:\WINDOWS\Tasks\Express FilesUpdate.job => Moved successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 150.8 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====


# AdwCleaner v3.311 - Report created 10/10/2014 at 20:34:00
# Updated 30/09/2014 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : NCC - GOSS-CONTROL
# Running from : C:\Documents and Settings\NCC\Desktop\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\NCH Software
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Deleted : C:\Program Files\ExpressFiles
Folder Deleted : C:\Program Files\NCH Software
Folder Deleted : C:\Program Files\SweetIM
Folder Deleted : C:\Program Files\vGrabber-software
Folder Deleted : C:\Documents and Settings\NCC\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\NCC\Application Data\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Documents and Settings\NCC\Application Data\ExpressFiles
Folder Deleted : C:\Documents and Settings\NCC\Start Menu\Programs\Video downloader
File Deleted : C:\END
File Deleted : C:\WINDOWS\system32\conduitEngine.tmp

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{987D9269-F8A1-408F-BF62-4397D2F5363E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E0722BEB-FDA1-4AA1-A2A8-15A74A5B3F70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F1963E76-845B-474C-8C7F-D69A96D8AA34}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E00DE9B9-B128-4C39-B732-B5D85013FA48}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEE6C35B-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\eSupport.com
Key Deleted : HKCU\Software\ExpressFiles
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\ExpressFiles
Key Deleted : HKLM\SOFTWARE\Tarma Installer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Video downloader
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Wajam

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v32.0.3 (x86 en-US)

[ File : C:\Documents and Settings\NCC\Application Data\Mozilla\Firefox\Profiles\xncka1lv.default-1412820786984\prefs.js ]


*************************

AdwCleaner[R0].txt - [5675 octets] - [10/10/2014 20:32:55]
AdwCleaner[s0].txt - [5726 octets] - [10/10/2014 20:34:00]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [5786 octets] ##########


At the end of your last post there is this text.

Was I to post some more info.

 

Please post
RKill log
Fixlog.txt
C:\AdwCleaner.txt


Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 6 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

~~~~~~~~~~~~~~~

 

 

Please run a Threat Scan with Malwarebytes' Anti-Malware. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x

When reinstalling the program please try the latest version.

 

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

 

 

Please post

RKill log

Malwarebytes log

 

Tell me what your computer is doing now?


Malware log was clear, computer seems to be just great.

Since you directed me to the Malwarebytes Anti-Malware app. I take it this is a good program for keeping?

Thanks very much for your help.

James

 

RKILL-LOG

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/12/2014 05:00:55 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* wuauserv [Missing Service]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 10/12/2014 05:01:21 PM
Execution time: 0 hours(s), 0 minute(s), and 27 seconds(s)

 

 

MALWAREBYTES-LOG

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/12/2014
Scan Time: 5:03:52 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.12.08
Rootkit Database: v2014.10.11.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: NCC

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320537
Time Elapsed: 5 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Malware log was clear, computer seems to be just great.

Since you directed me to the Malwarebytes Anti-Malware app. I take it this is a good program for keeping?

Thanks very much for your help.

James

Glad to hear the computer is working good. MBAM (Malwarebytes Anti-Malware) is highly recommended to everyone.

 

We're glad to help.

 

~~~~~~~~~~~~~~~~~~~~~~~~

 

Download

 

Farbar service scanner

 

Checkmark all the boxes

 

Click on "Scan".

Please copy and paste the log to your reply.

 

~~~~~~~~~~~~~~~~~~~~

 

What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.

Most reliable and thorough.

The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.

This scanner can take quite a bit of time to run, depending of course how full your computer is.

 

 

Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

  • Note:

    For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan.
*************************************

 

Please post these 2 logs.


Doing online scanner from ESET now.

 

Farbar Service Scanner Version: 21-07-2014
Ran by NCC (administrator) on 12-10-2014 at 20:15:29
Running from "C:\Documents and Settings\NCC\Desktop\Downloads\Malware"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Disabled. The default start type is Auto.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking LEGACY_wuauserv: ATTENTION!=====> Unable to open LEGACY_wuauserv\0000 registry key. The key does not exist.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

Extra List:
=======
Gpc(6) IPSec(4) kl2(8) NetBT(5) PSched(7) Tcpip(3)
0x080000000800000004000000010000000200000003000000050000000600000007000000


**** End of log ****


Here it is.

C:\ is my main drive

D:\ is the same drive but used for my data

F & G are my backup drive.

 

C:\AdwCleaner\Quarantine\C\Program Files\ExpressFiles\EFUpdater.exe.vir a variant of Win32/YourFileDownloader.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\ExpressFiles\ExpressFiles.exe.vir a variant of Win32/ExpressFiles.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\ExpressFiles\uninstall.exe.vir a variant of Win32/ExpressFiles.B potentially unwanted application
C:\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe Win32/DownloadAdmin.G potentially unwanted application
C:\Documents and Settings\NCC\Desktop\Downloads\Player.exe a variant of Win32/SoftPulse.H potentially unwanted application
C:\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected] JS/Adware.Agent.H application
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected]\uninstall.exe Win32/Toolbar.Montiera.B potentially unwanted application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\uninstall.exe Win32/Toolbar.Montiera.B potentially unwanted application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmApp.dll a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmEng.dll a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmsrv.exe a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll a variant of Win32/Toolbar.Montiera.F potentially unwanted application
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll a variant of Win32/Toolbar.Escort.A potentially unwanted application
C:\Program Files\CheckPoint\Install\CUninstallerZA.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Program Files\CheckPoint\Install\zatb.exe Win32/Toolbar.Montiera.I potentially unwanted application
C:\Program Files\Vuze\bunndle.zip a variant of Win32/Bunndle potentially unsafe application
C:\Program Files\Vuze\.install4j\user\BunndleOfferManager.dll a variant of Win32/Bunndle potentially unsafe application
C:\Program Files\Vuze\.install4j\user\VuzeToolbar-stub-1.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\UBCD4Win\UBCD4WinBuilder.iso a variant of Win32/Toolbar.Conduit.I potentially unwanted application
C:\UBCD4Win\BartPE\PROGRAMS\ExpressBurn\expressburn.exe a variant of Win32/Toolbar.Conduit.I potentially unwanted application
C:\UBCD4Win\BartPE\PROGRAMS\sdfix\SDFix.exe Win32/PrcView potentially unsafe application
C:\UBCD4Win\BartPE\PROGRAMS\SysInfo\sysinfo.7z a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application
C:\UBCD4Win\plugin\CDBurning\ExpressBurn\expressburn.exe a variant of Win32/Toolbar.Conduit.I potentially unwanted application
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe Win32/PrcView potentially unsafe application
C:\UBCD4Win\plugin\System-Info\Information\SysInfo\sysinfo.7z a variant of Win32/RemoteAdmin.RemoteExec.AA potentially unsafe application
D:\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar Win32/CMDOW.143 potentially unsafe application
D:\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv multiple threats
D:\Backup\Firefox and Thunderbird\firefox\Firefox 32.0.3 (x86 en-US) - 2014-10-08.pcv multiple threats
D:\Program Files\ExpressFiles\ExpressFiles.exe a variant of Win32/ExpressFiles.A potentially unwanted application
D:\Program Files\ExpressFiles\uninstall.exe a variant of Win32/ExpressFiles.B potentially unwanted application
F:\Documents and Settings\NCC\Local Settings\Application Data\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngin0.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngine.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz1.dll Win32/Toolbar.Conduit.Y potentially unwanted application
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuze.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Documents and Settings\NCC\Local Settings\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\escortShld.dll Win32/Toolbar.Montiera.J potentially unwanted application
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmApp.dll a variant of Win32/Toolbar.Montiera.A potentially unwanted application
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmEng.dll a variant of Win32/Toolbar.Montiera.A potentially unwanted application
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmsrv.exe a variant of Win32/Toolbar.Montiera.A potentially unwanted application
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\bh\zonealarm.dll a variant of Win32/Toolbar.Escort.A potentially unwanted application
F:\Program Files\Conduit\Community Alerts\Alert.dll Win32/Toolbar.Conduit.Y potentially unwanted application
F:\Program Files\Conduit\Community Alerts\Alert0.dll Win32/Toolbar.Conduit.Y potentially unwanted application
F:\Program Files\ConduitEngine\ConduitEngin0.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Program Files\ConduitEngine\ConduitEngine.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Program Files\Vuze_Remote\tbVuz0.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\Program Files\Vuze_Remote\tbVuze.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\WINDOWS\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
G:\Jan. 20-13\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar Win32/CMDOW.143 potentially unsafe application
G:\Jan. 20-13\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv multiple threats
G:\Jan. 20-13\D\Program Files\ExpressFiles\ExpressFiles.exe a variant of Win32/ExpressFiles.A potentially unwanted application
G:\Jan. 20-13\D\Program Files\ExpressFiles\uninstall.exe a variant of Win32/ExpressFiles.B potentially unwanted application
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe Win32/DownloadAdmin.G potentially unwanted application
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\Player.exe a variant of Win32/SoftPulse.H potentially unwanted application
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe Win32/Toolbar.Conduit potentially unwanted application
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_110_780_000.exe Win32/Toolbar.Conduit potentially unwanted application
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe Win32/Toolbar.Conduit potentially unwanted application
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe Win32/Toolbar.Conduit potentially unwanted application
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe Win32/Toolbar.Conduit potentially unwanted application
G:\MyBackup 10\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar Win32/CMDOW.143 potentially unsafe application
G:\MyBackup 10\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv multiple threats
G:\MyBackup 10\D\Program Files\ExpressFiles\ExpressFiles.exe a variant of Win32/ExpressFiles.A potentially unwanted application
G:\MyBackup 10\D\Program Files\ExpressFiles\uninstall.exe a variant of Win32/ExpressFiles.B potentially unwanted application


I had to think about that for a sec.

Yes it is, it was an old computer that was no longer needed from a site.

I have been using it for at least 3 years now.

It would have had a valid copy of Win XP come installed.

I would have cloned the drive it came with and installed a new larger HD.

Why do you ask?

Edited by ekih


APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar

The above comes mostly from torrent sites, which, if I'm not wrong, are pirated copies made available for download.

You had infected backups; a clean one can be made when we're done.

~~~~~

Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.

Paste this into the open Notepad. Save it to the Desktop as fixlist.txt

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CloseProcesses:
C:\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe
C:\Documents and Settings\NCC\Desktop\Downloads\Player.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected]
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected]\uninstall.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\uninstall.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmApp.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmEng.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmsrv.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll
C:\Program Files\CheckPoint\Install\CUninstallerZA.exe
C:\Program Files\CheckPoint\Install\zatb.exe
C:\Program Files\Vuze\bunndle.zip
C:\Program Files\Vuze\.install4j\user\BunndleOfferManager.dll
C:\Program Files\Vuze\.install4j\user\VuzeToolbar-stub-1.exe
C:\UBCD4Win\BartPE\PROGRAMS\ExpressBurn\expressburn.exe
C:\UBCD4Win\BartPE\PROGRAMS\SysInfo\sysinfo.7z
C:\UBCD4Win\plugin\CDBurning\ExpressBurn\expressburn.exe
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe
C:\UBCD4Win\plugin\System-Info\Information\SysInfo\sysinfo.7z
D:\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
D:\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
D:\Backup\Firefox and Thunderbird\firefox\Firefox 32.0.3 (x86 en-US) - 2014-10-08.pcv
D:\Program Files\ExpressFiles\ExpressFiles.exe
D:\Program Files\ExpressFiles\uninstall.exe
F:\Documents and Settings\NCC\Local Settings\Application Data\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngin0.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngine.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz1.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote
F:\Documents and Settings\NCC\Local Settings\Temp\AskSLib.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\escortShld.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmApp.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmEng.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmsrv.exe
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\bh\zonealarm.dll
F:\Program Files\Conduit\Community Alerts\Alert.dll
F:\Program Files\Conduit\Community Alerts\Alert0.dll
F:\Program Files\ConduitEngine\ConduitEngin0.dll
F:\Program Files\ConduitEngine\ConduitEngine.dll
F:\Program Files\Vuze_Remote\tbVuz0.dll
F:\Program Files\Vuze_Remote\tbVuze.dll
F:\WINDOWS\Temp\AskSLib.dll
G:\Jan. 20-13\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
G:\Jan. 20-13\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
G:\Jan. 20-13\D\Program Files\ExpressFiles\ExpressFiles.exe
G:\Jan. 20-13\D\Program Files\ExpressFiles\uninstall.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\Player.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_110_780_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe
G:\MyBackup 10\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
G:\MyBackup 10\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
G:\MyBackup 10\D\Program Files\ExpressFiles\ExpressFiles.exe
G:\MyBackup 10\D\Program Files\ExpressFiles\uninstall.exe
EmptyTemp:
End

Open FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Here it is.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-10-2014
Ran by NCC at 2014-10-14 20:19:40 Run:2
Running from C:\Documents and Settings\NCC\Desktop\Downloads\Malware
Loaded Profiles: NCC & (Available profiles: NCC & Administrator)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe
C:\Documents and Settings\NCC\Desktop\Downloads\Player.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected]
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected]\uninstall.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\uninstall.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmApp.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmEng.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmsrv.exe
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll
C:\Program Files\CheckPoint\Install\CUninstallerZA.exe
C:\Program Files\CheckPoint\Install\zatb.exe
C:\Program Files\Vuze\bunndle.zip
C:\Program Files\Vuze\.install4j\user\BunndleOfferManager.dll
C:\Program Files\Vuze\.install4j\user\VuzeToolbar-stub-1.exe
C:\UBCD4Win\BartPE\PROGRAMS\ExpressBurn\expressburn.exe
C:\UBCD4Win\BartPE\PROGRAMS\SysInfo\sysinfo.7z
C:\UBCD4Win\plugin\CDBurning\ExpressBurn\expressburn.exe
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe
C:\UBCD4Win\plugin\System-Info\Information\SysInfo\sysinfo.7z
D:\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
D:\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
D:\Backup\Firefox and Thunderbird\firefox\Firefox 32.0.3 (x86 en-US) - 2014-10-08.pcv
D:\Program Files\ExpressFiles\ExpressFiles.exe
D:\Program Files\ExpressFiles\uninstall.exe
F:\Documents and Settings\NCC\Local Settings\Application Data\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngin0.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngine.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz1.dll
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote
F:\Documents and Settings\NCC\Local Settings\Temp\AskSLib.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\escortShld.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmApp.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmEng.dll
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmsrv.exe
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\bh\zonealarm.dll
F:\Program Files\Conduit\Community Alerts\Alert.dll
F:\Program Files\Conduit\Community Alerts\Alert0.dll
F:\Program Files\ConduitEngine\ConduitEngin0.dll
F:\Program Files\ConduitEngine\ConduitEngine.dll
F:\Program Files\Vuze_Remote\tbVuz0.dll
F:\Program Files\Vuze_Remote\tbVuze.dll
F:\WINDOWS\Temp\AskSLib.dll
G:\Jan. 20-13\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
G:\Jan. 20-13\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
G:\Jan. 20-13\D\Program Files\ExpressFiles\ExpressFiles.exe
G:\Jan. 20-13\D\Program Files\ExpressFiles\uninstall.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\Player.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_110_780_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe
G:\MyBackup 10\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar
G:\MyBackup 10\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
G:\MyBackup 10\D\Program Files\ExpressFiles\ExpressFiles.exe
G:\MyBackup 10\D\Program Files\ExpressFiles\uninstall.exe
EmptyTemp:
End
*****************

Processes closed successfully.
C:\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe => Moved successfully.
C:\Documents and Settings\NCC\Desktop\Downloads\Player.exe => Moved successfully.
C:\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe => Moved successfully.
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe => Moved successfully.
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe => Moved successfully.
C:\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe => Moved successfully.
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected] => Moved successfully.
C:\Documents and Settings\NCC\Desktop\Old Firefox Data\0u3x6nll.default\extensions\[email protected]\uninstall.exe => Moved successfully.
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\uninstall.exe => Moved successfully.
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmApp.dll => Moved successfully.
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmEng.dll => Moved successfully.
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmsrv.exe => Moved successfully.
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\zonealarmTlbr.dll => Moved successfully.
C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.22.0\bh\zonealarm.dll => Moved successfully.
C:\Program Files\CheckPoint\Install\CUninstallerZA.exe => Moved successfully.
C:\Program Files\CheckPoint\Install\zatb.exe => Moved successfully.
C:\Program Files\Vuze\bunndle.zip => Moved successfully.
C:\Program Files\Vuze\.install4j\user\BunndleOfferManager.dll => Moved successfully.
C:\Program Files\Vuze\.install4j\user\VuzeToolbar-stub-1.exe => Moved successfully.
C:\UBCD4Win\BartPE\PROGRAMS\ExpressBurn\expressburn.exe => Moved successfully.
C:\UBCD4Win\BartPE\PROGRAMS\SysInfo\sysinfo.7z => Moved successfully.
C:\UBCD4Win\plugin\CDBurning\ExpressBurn\expressburn.exe => Moved successfully.
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe => Moved successfully.
C:\UBCD4Win\plugin\System-Info\Information\SysInfo\sysinfo.7z => Moved successfully.
D:\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar => Moved successfully.
D:\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv => Moved successfully.
D:\Backup\Firefox and Thunderbird\firefox\Firefox 32.0.3 (x86 en-US) - 2014-10-08.pcv => Moved successfully.
D:\Program Files\ExpressFiles\ExpressFiles.exe => Moved successfully.
D:\Program Files\ExpressFiles\uninstall.exe => Moved successfully.
F:\Documents and Settings\NCC\Local Settings\Application Data\Conduit\CT2504091\Vuze_RemoteAutoUpdateHelper.exe => Moved successfully.
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngin0.dll => Moved successfully.
F:\Documents and Settings\NCC\Local Settings\Application Data\ConduitEngine\ConduitEngine.dll => Moved successfully.
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz0.dll => Moved successfully.
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuz1.dll => Moved successfully.
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote => Moved successfully.
F:\Documents and Settings\NCC\Local Settings\Temp\AskSLib.dll => Moved successfully.
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\escortShld.dll => Moved successfully.
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmApp.dll => Moved successfully.
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmEng.dll => Moved successfully.
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\zonealarmsrv.exe => Moved successfully.
F:\Program Files\Check Point Software Technologies LTD\zonealarm\1.5.23.8\bh\zonealarm.dll => Moved successfully.
F:\Program Files\Conduit\Community Alerts\Alert.dll => Moved successfully.
F:\Program Files\Conduit\Community Alerts\Alert0.dll => Moved successfully.
F:\Program Files\ConduitEngine\ConduitEngin0.dll => Moved successfully.
F:\Program Files\ConduitEngine\ConduitEngine.dll => Moved successfully.
F:\Program Files\Vuze_Remote\tbVuz0.dll => Moved successfully.
F:\Program Files\Vuze_Remote\tbVuze.dll => Moved successfully.
F:\WINDOWS\Temp\AskSLib.dll => Moved successfully.
G:\Jan. 20-13\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar => Moved successfully.
G:\Jan. 20-13\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv => Moved successfully.
G:\Jan. 20-13\D\Program Files\ExpressFiles\ExpressFiles.exe => Moved successfully.
G:\Jan. 20-13\D\Program Files\ExpressFiles\uninstall.exe => Moved successfully.
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\imgburn-setup.exe => Moved successfully.
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\Player.exe => Moved successfully.
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zafwSetupWeb_133_052_000.exe => Moved successfully.
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_110_780_000.exe => Moved successfully.
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_120_118_000.exe => Moved successfully.
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_131_211_000.exe => Moved successfully.
G:\MyBackup 10\C\Documents and Settings\NCC\Desktop\Downloads\zaSetupWeb_133_042_000.exe => Moved successfully.
G:\MyBackup 10\D\APPs\Windows Xp Pro + SP3 + Extras BOOTABLE\WXPOEM_EN.part01.rar => Moved successfully.
G:\MyBackup 10\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv => Moved successfully.
G:\MyBackup 10\D\Program Files\ExpressFiles\ExpressFiles.exe => Moved successfully.
G:\MyBackup 10\D\Program Files\ExpressFiles\uninstall.exe => Moved successfully.
EmptyTemp: => Removed 20.1 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====
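
A way to cross-check a scan log against a Fixlog like the two posted above, as an added example that is not part of the original thread and is not FRST's or ESET's own code. It checks that every detected file is named in the fixlist (directly or through a parent folder entry) and that every fixlist entry has a "Moved successfully." result line; the function names, the sample text and the path G:\Sample\Setup\example-setup.exe are constructed for illustration.

```python
import re

# ESET scan-log line: <path> [a variant of ]<detection> [<classification>]
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<det>(?:a variant of )?\S+/\S+|multiple threats)"
    r"(?: potentially \w+ application)?$")
# FRST Fixlog result line: <path> => <result text>
RESULT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<result>.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")   # a bare path line, i.e. a fixlist entry
MOVED = "Moved successfully."           # the only success text seen in the thread

# Constructed sample input, modelled on the line formats in the thread.
# The example-setup.exe path is made up and deliberately absent from the
# fixlist; the .pcv entry deliberately has no result line.
ESET_LOG = r"""
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote\tbVuze.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application
F:\WINDOWS\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
G:\MyBackup 10\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv multiple threats
G:\Sample\Setup\example-setup.exe Win32/Toolbar.Conduit potentially unwanted application
"""

FIXLOG = r"""
Content of fixlist:
*****************
start
CloseProcesses:
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote
F:\WINDOWS\Temp\AskSLib.dll
G:\MyBackup 10\D\Backup\Firefox and Thunderbird\firefox\Firefox 31.0 (x86 en-US) - 2014-08-24.pcv
EmptyTemp:
End
*****************

Processes closed successfully.
F:\Documents and Settings\NCC\Local Settings\Application Data\Vuze_Remote => Moved successfully.
F:\WINDOWS\Temp\AskSLib.dll => Moved successfully.
EmptyTemp: => Removed 20.1 MB temporary data.
"""


def norm(path):
    """Windows paths compare case-insensitively; ignore a trailing backslash."""
    return path.strip().rstrip("\\").lower()


def parse_eset(text):
    """Return (path, detection) for every line that looks like a detection."""
    hits = []
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["det"]))
    return hits


def parse_fixlog(text):
    """Return (fixlist entries, {normalised path: result text})."""
    entries, results = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = RESULT_RE.match(line)
        if m:
            results[norm(m["path"])] = m["result"]
        elif PATH_RE.match(line):       # directives such as EmptyTemp: are skipped
            entries.append(line)
    return entries, results


def audit(eset_text, fixlog_text):
    """Report detections the fixlist misses and entries with no success line."""
    entries, results = parse_fixlog(fixlog_text)
    wanted = [norm(e) for e in entries]

    def covered(path):
        p = norm(path)
        # Covered by an exact entry, or by an entry for a folder above it.
        return any(p == e or p.startswith(e + "\\") for e in wanted)

    uncovered = [(p, d) for p, d in parse_eset(eset_text) if not covered(p)]
    unconfirmed = [e for e in entries if results.get(norm(e), "") != MOVED]
    return {"uncovered": uncovered, "unconfirmed": unconfirmed}


if __name__ == "__main__":
    report = audit(ESET_LOG, FIXLOG)
    for path, det in report["uncovered"]:
        print("detected but not in fixlist:", path, "|", det)
    for path in report["unconfirmed"]:
        print("in fixlist but no success line:", path)
```

Any result text other than "Moved successfully." is treated as unconfirmed, so the report errs toward a second look rather than a false all-clear.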


Aside from it being very old and out of date.

All seems to be ok, even before I did the last fix it was running normal as far as I could tell.

No pop ups etc.

Click on a link and go there and no re-directs.

 

We just started using Win7 at work a few months ago, it seems to run very well and quick.

Would Win7 run on this old machine?


Myself I like Windows 7......

If you are running Windows XP, please take the time to read the information provided at these links.

  • Windows XP - The Elephant In The Room
  • Windows XP - The end of the road

The above links supply a wealth of information.

Glad the issues of infection are gone.

We need to remove the tools and quarantine folders.

  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked

Also tick:

  • Create registry backup
  • Click Run
  • Purge system restore

Any other tools and files found can simply be deleted or uninstalled via Add/Remove Programs in the Control Panel etc.

~~~~~~~~~~~~~~

You're good to go, good job!

Please take the time to read over a few of my preventive tips.

Computer Security

http://malwareremoval.com/forum/viewtopic.php?p=557960#p557960

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know

CryptoLocker Ransomware Information Guide and FAQ

To help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent - install this programme to lock down and prevent crypto ransomware

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

Firefox 3

The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

AdblockPlus

  • AdblockPlus, Surf the web without annoying ads!
  • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
  • Protects your online privacy
  • Two-click installation, It's free!
  • Click the icon that corresponds to your browser and download.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Green should be good to go
  • Yellow for caution
  • Red to stop

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How to prevent Malware: Created by Miekiemoes

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.

See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)

and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755)

I would recommend that you completely uninstall Java unless you need it to run important software.

In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

  • FBI Cyber Education Letter
  • USAToday
  • infoworld

*********************************************

Please read the following safe computing articles.

Secure My Computer: A Layered Approach

Free Antivirus-AntiSpyware-Firewall Software

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • It is possible for other programs on your computer to have a security vulnerability that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose: PatchMyPC


I am away for work right now, but will go over the new info you have supplied and do the removals when I get back.

Plus I will do a clean backup before anything else.

 

Over the years I have run into problems of various difficulty and have dealt with many people to help correct the problems.

You by far have been the most helpful, most direct and precise that I have dealt with.

I thank you for your patience and cooperation with helping me.

James

 

I must also thank Caintry_boy for starting me out with some help.


James, thank you so much for the compliment.

 

We're glad to help :sparkle:


It is done.

I am going to start looking at getting something else. I probably could get Win7 on this machine but I know it would be a hassle in the long run.

 

 

 

# DelFix v10.8 - Logfile created 20/10/2014 at 19:09:33
# Updated 29/07/2014 by Xplode
# Username : NCC - GOSS-CONTROL
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...


~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #159 [system Checkpoint | 10/21/2014 01:53:55]
Deleted : RP #160 [system Checkpoint | 10/21/2014 01:53:55]
Deleted : RP #161 [system Checkpoint | 10/21/2014 01:53:55]
Deleted : RP #162 [system Checkpoint | 10/21/2014 01:53:56]
Deleted : RP #163 [system Checkpoint | 10/21/2014 01:53:56]
Deleted : RP #164 [system Checkpoint | 10/21/2014 01:53:56]
Deleted : RP #165 [system Checkpoint | 10/21/2014 01:53:56]
Deleted : RP #166 [system Checkpoint | 10/21/2014 01:53:56]
Deleted : RP #167 [system Checkpoint | 10/21/2014 01:53:56]
Deleted : RP #168 [system Checkpoint | 10/21/2014 01:53:56]
Deleted : RP #169 [system Checkpoint | 10/21/2014 01:53:57]
Deleted : RP #170 [system Checkpoint | 10/21/2014 01:53:57]
Deleted : RP #171 [system Checkpoint | 10/21/2014 01:53:57]
Deleted : RP #172 [system Checkpoint | 10/21/2014 01:53:57]
Deleted : RP #173 [Removed Google+ Auto Backup | 10/21/2014 01:53:57]
Deleted : RP #174 [Removed PC Connectivity Solution | 10/21/2014 01:53:57]
Deleted : RP #175 [system Checkpoint | 10/21/2014 01:53:58]
Deleted : RP #176 [system Checkpoint | 10/21/2014 01:53:58]
Deleted : RP #177 [installed Windows 7 Upgrade Advisor | 10/21/2014 01:53:58]
Deleted : RP #178 [End of disinfection | 10/21/2014 01:54:00]

New restore point created !

########## - EOF - ##########
