
Solved WIN XP won't boot

Discussion in 'Malware and Virus Removal' started by elcajongunsfan, 2017/04/23.

  1. 2017/04/23
    elcajongunsfan Lifetime Subscriber

    elcajongunsfan Well-Known Member Thread Starter

    Joined:
    2012/01/01
    Messages:
    377
    Likes Received:
    12
    Hi Broni, per our conversation, here's the issue

    Win XP Pro (mobo is an ASUS A7N8X Deluxe): when booting up, it goes through the mem test, disk test, and after the BIOS dump, the audio POST message says "Now booting from operating system"

    and I get this:

    Windows could not start because the following file is missing or corrupt:

    \WINDOWS\SYSTEM32\CONFIG\SYSTEM

    I do have an install disk, but the weird thing is the hard drive setup is RAID 1, so when putting in the install disk, it doesn't see the HDs because there is no RAID driver installed. The hard drives are good because I can re-sync them in the BIOS and they are mirroring each other perfectly. Also, I booted up with a live Linux CD and was able to mount both HDs and view their files. I do have two DVD drives and I do have the mobo setup disk including the RAID drivers. SATA is onboard and not a PCI plugin.

    As I am a fan of yours ( :{D ) and read this forum regularly, I thought I read that one can fix the registry with Farbar.

    Thanks
     
    Last edited: 2017/04/23
  2. 2017/04/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================================================

    Using another working computer....
    • Download Farbar Recovery Scan Tool and save it to a flash drive.
    • Download OTLPENet.exe to your Desktop
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open ImgBurn to burn the file to CD
    • Boot your BAD computer using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here
    • Your system should now display a Reatogo desktop.
    • Insert the flash drive with FRST on it
    • Open My Computer to locate the flash drive and run FRST
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     


  4. 2017/04/24
    elcajongunsfan
    Tried three times, but after clicking on the disclaimer, the system freezes. Reatogo is a neat looking program, though!
     
  5. 2017/04/24
    elcajongunsfan
    Changed to a smaller flash drive and it started scanning and froze at \\shellexecutehooks. I'm gonna leave it alone for a ½ hour and see if it unfreezes and completes its run.
     
  6. 2017/04/24
    elcajongunsfan
    YAY!!! It unfroze and is running! Looks like it will complete.
     
  7. 2017/04/24
    elcajongunsfan
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-04-2017 01
    Ran by SYSTEM on REATOGO (24-04-2017 21:37:54)
    Running from H:\
    Platform: Microsoft Windows XP (X86) Language: English (United States)
    Internet Explorer Version 8
    Boot Mode: Recovery
    Default: ControlSet001
    ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

    ==================== Registry (Whitelisted) ====================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [nForce Tray Options] => sstray.exe /r
    HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    HKLM\...\Run: [nwiz] => nwiz.exe /install
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [NetTime] => C:\Program Files\NetTime\NetTime.exe [772096 2012-05-12] ()
    HKLM\...\Run: [PSUAMain] => C:\Program Files\Panda Security\Panda Security Protection\PSUAMain.exe [54520 2015-10-22] (Panda Security, S.L.)
    HKLM\...\RunOnce: [XP_EOS] => C:\WINDOWS\system32\xp_eos.exe [13312 2014-02-25] (Microsoft Corporation)
    Lsa: [Notification Packages] scecli scecli scecli

    ==================== Services (Whitelisted) ====================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S4 InCDsrv; C:\Program Files\Ahead\InCD\InCDsrv.exe [770100 2003-06-03] ()
    S2 NanoServiceMain; C:\Program Files\Panda Security\Panda Security Protection\PSANHost.exe [142072 2015-10-18] (Panda Security, S.L.)
    S2 NetTimeSvc; C:\Program Files\NetTime\NetTimeService.exe [473088 2012-05-12] ()
    S2 PandaAgent; C:\Program Files\Panda Security\Panda Devices Agent\AgentSvc.exe [73176 2016-02-22] (Panda Security, S.L.)
    S4 PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [75064 2009-03-28] ()
    S4 PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [215128 2009-12-19] ()
    S2 PSUAService; C:\Program Files\Panda Security\Panda Security Protection\PSUAService.exe [38136 2015-10-22] (Panda Security, S.L.)
    S4 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

    ===================== Drivers (Whitelisted) ======================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 EL90Xbc; C:\Windows\System32\DRIVERS\el90Xbc5.SYS [74338 2002-08-13] (3Com Corporation)
    S3 ENTECH; C:\WINDOWS\System32\DRIVERS\ENTECH.SYS [20400 1999-10-21] (EnTech Taiwan)
    S3 gameenum; C:\Windows\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
    S4 InCDfs; C:\Windows\System32\Drivers\InCDfs.sys [85360 2003-06-03] ()
    S1 InCDPass; C:\Windows\System32\DRIVERS\InCDPass.sys [26816 2003-06-03] (Ahead Software)
    S1 InCDrec; C:\Windows\System32\Drivers\InCDrec.sys [4976 2003-06-03] (Ahead Software AG)
    S3 Intels51; C:\Windows\System32\DRIVERS\Intels51.sys [670203 2003-05-22] (Intel Corporation)
    S3 mf; C:\Windows\System32\DRIVERS\mf.sys [63744 2008-04-13] (Microsoft Corporation)
    S3 ms_mpu401; C:\Windows\System32\drivers\msmpu401.sys [2944 2001-08-17] (Microsoft Corporation)
    S3 MxlW2k; C:\Windows\System32\Drivers\MxlW2k.sys [28164 2003-12-09] (MusicMatch, Inc.)
    S3 nm; C:\Windows\System32\DRIVERS\NMnt.sys [40320 2008-04-13] (Microsoft Corporation)
    S1 nmserial; C:\Windows\System32\DRIVERS\nmserial.sys [62080 2007-04-18] (Windows (R) 2000 DDK provider)
    S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [87032 2015-07-09] (Panda Security, S.L.)
    S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202104 2015-07-09] (Panda Security, S.L.)
    S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [109688 2015-07-09] (Panda Security, S.L.)
    S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [121720 2015-07-09] (Panda Security, S.L.)
    S3 NNSNAHS; C:\Windows\System32\DRIVERS\NNSNAHS.sys [55216 2015-05-20] (Panda Security, S.L.)
    S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [102264 2015-07-09] (Panda Security, S.L.)
    S1 NNSPIHS; C:\Windows\System32\DRIVERS\NNSPihs.sys [52088 2015-07-09] (Panda Security, S.L.)
    S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [120568 2015-07-09] (Panda Security, S.L.)
    S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [281720 2015-07-09] (Panda Security, S.L.)
    S1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [209016 2015-07-09] (Panda Security, S.L.)
    S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [108408 2015-07-09] (Panda Security, S.L.)
    S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [240376 2015-07-09] (Panda Security, S.L.)
    S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [94968 2015-07-09] (Panda Security, S.L.)
    S2 NPF; C:\Windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
    S3 nvax; C:\Windows\System32\drivers\nvax.sys [36864 2003-08-13] (NVIDIA Corporation)
    S3 NVENET; C:\Windows\System32\DRIVERS\NVENET.sys [80896 2002-09-22] (NVIDIA Corporation)
    S3 nvnforce; C:\Windows\System32\drivers\nvapu.sys [311552 2003-08-13] (NVIDIA Corporation)
    S0 nv_agp; C:\Windows\System32\DRIVERS\nv_agp.sys [13568 2002-09-05] (NVIDIA Corporation)
    S2 NwlnkIpx; C:\Windows\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-13] (Microsoft Corporation)
    S2 NwlnkNb; C:\Windows\System32\DRIVERS\nwlnknb.sys [63232 2001-08-23] (Microsoft Corporation)
    S2 NwlnkSpx; C:\Windows\System32\DRIVERS\nwlnkspx.sys [55936 2001-08-23] (Microsoft Corporation)
    S3 PnkBstrK; C:\WINDOWS\system32\drivers\PnkBstrK.sys [138384 2009-12-19] ()
    S2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [140792 2015-07-19] (Panda Security, S.L.)
    S2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [103288 2015-07-19] (Panda Security, S.L.)
    S1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [172792 2015-07-19] (Panda Security, S.L.)
    S2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [114680 2015-07-19] (Panda Security, S.L.)
    S2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [125176 2015-07-19] (Panda Security, S.L.)
    S2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [100600 2015-07-19] (Panda Security, S.L.)
    S3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [50832 2015-05-22] (Panda Security, S.L.)
    S0 si3112r; C:\Windows\System32\drivers\si3112r.sys [102528 2006-01-12] (Silicon Image, Inc)
    S0 SiFilter; C:\Windows\System32\DRIVERS\SiWinAcc.sys [10368 2004-11-01] (Silicon Image, Inc.)
    S2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [76560 2006-10-07] (Trend Micro Inc.)
    S3 TVICHW32; C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS [23600 2006-02-05] (EnTech Taiwan)
    S3 UfasoftSnifDriver4; C:\Program Files\Ufasoft\Sniffer\usft_sn4.sys [15728 2006-06-15] (Ufasoft)
    S3 admload; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\admload.sys [X]
    S3 ctunmp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\ctunmp.sys [X]
    S3 edmboot; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\edmboot.sys [X]
    S3 fmountmg; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\fmountmg.sys [X]
    S3 hnvmcp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\hnvmcp.sys [X]
    S3 hrasl2tp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\hrasl2tp.sys [X]
    S3 htunmp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\htunmp.sys [X]
    S4 IntelIde; no ImagePath
    S0 IPVNMon; no ImagePath
    S3 iredbook; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\iredbook.sys [X]
    S3 jnpfs; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\jnpfs.sys [X]
    S3 kpartmgr; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\kpartmgr.sys [X]
    S3 latapi; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\latapi.sys [X]
    S3 lcinemst; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\lcinemst.sys [X]
    S3 mhsfdpsp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\mhsfdpsp.sys [X]
    S3 nipsec; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\nipsec.sys [X]
    S3 PCAMPR5; \??\C:\WINDOWS\system32\PCAMPR5.SYS [X]
    S3 pipfltdr; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\pipfltdr.sys [X]
    S3 pwadv11n; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\pwadv11n.sys [X]
    S3 qtiau5bt; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\qtiau5bt.sys [X]
    S3 rsymlcbr; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\rsymlcbr.sys [X]
    S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 sparvdm; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\sparvdm.sys [X]
    S3 ssymndis; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\ssymndis.sys [X]
    S3 TIAu5Bt; System32\Drivers\tiau5bt.sys [X]
    S3 TIAU5LN; System32\DRIVERS\TIAU5LN.sys [X]
    S3 TSP; \??\C:\WINDOWS\system32\drivers\klif.sys [X]
    S3 tvolsnap; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\tvolsnap.sys [X]
    S3 ubthport; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\ubthport.sys [X]
    S3 usrv; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\usrv.sys [X]
    S3 uusb8023; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\uusb8023.sys [X]
    S4 vsdatant; [X]
    S3 wanatw; System32\DRIVERS\wanatw4.sys [X]
    S3 xsysaudi; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\xsysaudi.sys [X]
    S3 yati2mta; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\yati2mta.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    NETSVC: Ip6FwHlp -> no filepath.

    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-04-24 20:16 - 2017-04-24 20:16 - 00000000 ____D C:\FRST

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)


    Files to move or delete:
    ====================
    C:\Documents and Settings\Golden State\key.dat


    ==================== Known DLLs (Whitelisted) =========================


    ==================== Bamital & volsnap ======================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit
    C:\Windows\System32\dnsapi.dll => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== Association (Whitelisted) =============


    ==================== Restore Points (XP) =====================

    RP: -> 2016-11-27 12:24 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1026

    RP: -> 2016-10-08 13:55 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1022

    RP: -> 2016-09-30 19:59 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1021

    RP: -> 2016-09-13 19:12 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1020

    RP: -> 2016-09-13 17:48 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1019

    RP: -> 2016-09-13 17:37 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1018

    RP: -> 2016-09-04 13:25 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1017

    RP: -> 2016-11-18 19:57 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1025

    RP: -> 2016-11-06 15:01 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1024

    RP: -> 2016-11-06 14:24 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1023

    RP: -> 2016-11-27 18:18 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1028

    RP: -> 2016-11-27 16:24 - 028672 _restore{263D062F-BEE9-484B-B2BA-5DD05044FA08}\RP1027


    ==================== Memory info ===========================

    Percentage of memory in use: 15%
    Total physical RAM: 1791.48 MB
    Available physical RAM: 1522.22 MB
    Total Virtual: 1623.66 MB
    Available Virtual: 1557.25 MB

    ==================== Drives ================================

    Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    Drive c: (DSK1_VOL1) (Fixed) (Total:50.01 GB) (Free:13.87 GB) FAT32 ==>[drive with boot components (Windows XP)]
    Drive d: (DSK1_VOL1) (Fixed) (Total:50.01 GB) (Free:13.92 GB) FAT32 ==>[drive with boot components (Windows XP)]
    Drive e: (DSK1_VOL2) (Fixed) (Total:26.29 GB) (Free:24.53 GB) FAT32
    Drive f: (DSK1_VOL2) (Fixed) (Total:26.29 GB) (Free:24.53 GB) FAT32
    Drive h: (USB20FD) (Removable) (Total:14.92 GB) (Free:14.86 GB) FAT32
    Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 76.3 GB) (Disk ID: E695E695)
    Partition 1: (Active) - (Size=50 GB) - (Type=0C)
    Partition 2: (Not Active) - (Size=26.3 GB) - (Type=OF Extended)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: EE2DBFAE)
    Partition 1: (Active) - (Size=50 GB) - (Type=0C)
    Partition 2: (Not Active) - (Size=26.3 GB) - (Type=OF Extended)

    ========================================================
    Disk: 2 (Size: 14.9 GB) (Disk ID: 04030201)
    Partition 1: (Not Active) - (Size=14.9 GB) - (Type=0C)

    ==================== End of FRST.txt ============================
     
  8. 2017/04/24
    broni
    It looks like this system is severely infected.
    We'll see if cleaning the infection itself will help.

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7/8/10: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the OTLPE CD.
    Run FRST(FRST64) and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    See if you can boot normally.
     

    Attached Files:

  9. 2017/04/25
    elcajongunsfan
    I'll run the fixlist when I get home tonight, but I was wondering why you included a Microsoft file in the fixlist:

    S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

    Thanks
     
  10. 2017/04/25
    broni
    Good point. My bad.
    Attached is new file.
     

    Attached Files:

  11. 2017/04/25
    elcajongunsfan
    ****. It's working!

    Good job, Sir!! I thought it was a registry issue. The only use for this computer is to console into Cisco devices because it has four COM ports on the back. I wonder where the infection(s) came from. Can we run your full routine on this?

    Thanks


    Fix result of Farbar Recovery Scan Tool (x86) Version: 23-04-2017 01
    Ran by SYSTEM (25-04-2017 23:19:00) Run:1
    Running from F:\
    Boot Mode: Recovery

    ==============================================

    fixlist content:
    *****************
    S4 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]
    S3 admload; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\admload.sys [X]
    S3 ctunmp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\ctunmp.sys [X]
    S3 edmboot; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\edmboot.sys [X]
    S3 fmountmg; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\fmountmg.sys [X]
    S3 hnvmcp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\hnvmcp.sys [X]
    S3 hrasl2tp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\hrasl2tp.sys [X]
    S3 htunmp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\htunmp.sys [X]
    S4 IntelIde; no ImagePath
    S0 IPVNMon; no ImagePath
    S3 iredbook; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\iredbook.sys [X]
    S3 jnpfs; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\jnpfs.sys [X]
    S3 kpartmgr; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\kpartmgr.sys [X]
    S3 latapi; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\latapi.sys [X]
    S3 lcinemst; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\lcinemst.sys [X]
    S3 mhsfdpsp; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\mhsfdpsp.sys [X]
    S3 nipsec; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\nipsec.sys [X]
    S3 PCAMPR5; \??\C:\WINDOWS\system32\PCAMPR5.SYS [X]
    S3 pipfltdr; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\pipfltdr.sys [X]
    S3 pwadv11n; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\pwadv11n.sys [X]
    S3 qtiau5bt; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\qtiau5bt.sys [X]
    S3 rsymlcbr; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\rsymlcbr.sys [X]
    S3 sparvdm; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\sparvdm.sys [X]
    S3 ssymndis; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\ssymndis.sys [X]
    S3 TIAu5Bt; System32\Drivers\tiau5bt.sys [X]
    S3 TIAU5LN; System32\DRIVERS\TIAU5LN.sys [X]
    S3 TSP; \??\C:\WINDOWS\system32\drivers\klif.sys [X]
    S3 tvolsnap; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\tvolsnap.sys [X]
    S3 ubthport; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\ubthport.sys [X]
    S3 usrv; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\usrv.sys [X]
    S3 uusb8023; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\uusb8023.sys [X]
    S4 vsdatant; [X]
    S3 wanatw; System32\DRIVERS\wanatw4.sys [X]
    S3 xsysaudi; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\xsysaudi.sys [X]
    S3 yati2mta; \??\C:\DOCUME~1\GOLDEN~1\LOCALS~1\Temp\yati2mta.sys [X]
    NETSVC: Ip6FwHlp -> no filepath.
    C:\Documents and Settings\Golden State\key.dat

    *****************

    HKLM\System\ControlSet001\Services\rpcapd => key removed successfully.
    rpcapd => service removed successfully.
    HKLM\System\ControlSet001\Services\admload => key removed successfully.
    admload => service removed successfully.
    HKLM\System\ControlSet001\Services\ctunmp => key removed successfully.
    ctunmp => service removed successfully.
    HKLM\System\ControlSet001\Services\edmboot => key removed successfully.
    edmboot => service removed successfully.
    HKLM\System\ControlSet001\Services\fmountmg => key removed successfully.
    fmountmg => service removed successfully.
    HKLM\System\ControlSet001\Services\hnvmcp => key removed successfully.
    hnvmcp => service removed successfully.
    HKLM\System\ControlSet001\Services\hrasl2tp => key removed successfully.
    hrasl2tp => service removed successfully.
    HKLM\System\ControlSet001\Services\htunmp => key removed successfully.
    htunmp => service removed successfully.
    HKLM\System\ControlSet001\Services\IntelIde => key removed successfully.
    IntelIde => service removed successfully.
    HKLM\System\ControlSet001\Services\IPVNMon => key removed successfully.
    IPVNMon => service removed successfully.
    HKLM\System\ControlSet001\Services\iredbook => key removed successfully.
    iredbook => service removed successfully.
    HKLM\System\ControlSet001\Services\jnpfs => key removed successfully.
    jnpfs => service removed successfully.
    HKLM\System\ControlSet001\Services\kpartmgr => key removed successfully.
    kpartmgr => service removed successfully.
    HKLM\System\ControlSet001\Services\latapi => key removed successfully.
    latapi => service removed successfully.
    HKLM\System\ControlSet001\Services\lcinemst => key removed successfully.
    lcinemst => service removed successfully.
    HKLM\System\ControlSet001\Services\mhsfdpsp => key removed successfully.
    mhsfdpsp => service removed successfully.
    HKLM\System\ControlSet001\Services\nipsec => key removed successfully.
    nipsec => service removed successfully.
    HKLM\System\ControlSet001\Services\PCAMPR5 => key removed successfully.
    PCAMPR5 => service removed successfully.
    HKLM\System\ControlSet001\Services\pipfltdr => key removed successfully.
    pipfltdr => service removed successfully.
    HKLM\System\ControlSet001\Services\pwadv11n => key removed successfully.
    pwadv11n => service removed successfully.
    HKLM\System\ControlSet001\Services\qtiau5bt => key removed successfully.
    qtiau5bt => service removed successfully.
    HKLM\System\ControlSet001\Services\rsymlcbr => key removed successfully.
    rsymlcbr => service removed successfully.
    HKLM\System\ControlSet001\Services\sparvdm => key removed successfully.
    sparvdm => service removed successfully.
    HKLM\System\ControlSet001\Services\ssymndis => key removed successfully.
    ssymndis => service removed successfully.
    HKLM\System\ControlSet001\Services\TIAu5Bt => key removed successfully.
    TIAu5Bt => service removed successfully.
    HKLM\System\ControlSet001\Services\TIAU5LN => key removed successfully.
    TIAU5LN => service removed successfully.
    HKLM\System\ControlSet001\Services\TSP => key removed successfully.
    TSP => service removed successfully.
    HKLM\System\ControlSet001\Services\tvolsnap => key removed successfully.
    tvolsnap => service removed successfully.
    HKLM\System\ControlSet001\Services\ubthport => key removed successfully.
    ubthport => service removed successfully.
    HKLM\System\ControlSet001\Services\usrv => key removed successfully.
    usrv => service removed successfully.
    HKLM\System\ControlSet001\Services\uusb8023 => key removed successfully.
    uusb8023 => service removed successfully.
    HKLM\System\ControlSet001\Services\vsdatant => key removed successfully.
    vsdatant => service removed successfully.
    HKLM\System\ControlSet001\Services\wanatw => key removed successfully.
    wanatw => service removed successfully.
    HKLM\System\ControlSet001\Services\xsysaudi => key removed successfully.
    xsysaudi => service removed successfully.
    HKLM\System\ControlSet001\Services\yati2mta => key removed successfully.
    yati2mta => service removed successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs Ip6FwHlp => value removed successfully.
    C:\Documents and Settings\Golden State\key.dat => moved successfully

    ==== End of Fixlog 23:19:03 ====
     
  12. 2017/04/25
    broni
    I'm assuming it boots fine now?
    Where the infection came from - there is no answer to such a question.

    Please, complete all steps listed HERE
     
  13. 2017/04/25
    elcajongunsfan
    Yes, it's running a Windows Update right now and I'll get to the steps later.

    thanks
     
  14. 2017/04/25
    broni
    :)...
     
  15. 2017/04/26
    elcajongunsfan
    Ugh... looks like there is damage. See the gibberish on the menu flyout.



    Here are the scans:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-04-2017
    Ran by Golden State (administrator) on MIKE (26-04-2017 16:40:29)
    Running from C:\Documents and Settings\Golden State\Desktop
    Loaded Profiles: Golden State (Available Profiles: Golden State & Administrator)
    Platform: Microsoft Windows XP Service Pack 3 (X86) Language: English (United States)
    Internet Explorer Version 8 (Default browser: FF)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Malware Removal Guides and Tutorials

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    () C:\Program Files\NetTime\NetTime.exe
    (Panda Security, S.L.) C:\Program Files\Panda Security\Panda Security Protection\PSUAMain.exe
    (Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSCORSVW.EXE
    (Panda Security, S.L.) C:\Program Files\Panda Security\Panda Security Protection\PSANHost.exe
    () C:\Program Files\NetTime\NetTimeService.exe
    (NVIDIA Corporation) C:\WINDOWS\System32\NVSVC32.EXE
    (Panda Security, S.L.) C:\Program Files\Panda Security\Panda Devices Agent\AgentSvc.exe
    (Panda Security, S.L.) C:\Program Files\Panda Security\Panda Security Protection\PSUAService.exe
    (Microsoft Corporation) C:\WINDOWS\System32\taskmgr.exe

    ==================== Registry (Whitelisted) ====================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [nForce Tray Options] => sstray.exe /r
    HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    HKLM\...\Run: [nwiz] => nwiz.exe /install
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [NetTime] => C:\Program Files\NetTime\NetTime.exe [772096 2012-05-12] ()
    HKLM\...\Run: [PSUAMain] => C:\Program Files\Panda Security\Panda Security Protection\PSUAMain.exe [54520 2015-10-22] (Panda Security, S.L.)
    HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\MountPoints2: {c9c95b8c-db96-11de-9c7e-00038a000015} - G:\LaunchU3.exe -a
    HKU\S-1-5-18\...\RunOnce: [RunNarrator] => C:\WINDOWS\system32\Narrator.exe [53760 2008-04-13] (Microsoft Corporation)
    Lsa: [Notification Packages] scecli scecli scecli
    GroupPolicy: Restriction ? <======= ATTENTION
    GroupPolicyScripts: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{57F9450A-3FC4-4DFA-973D-BB768F15CD6D}: [NameServer] 8.8.8.8
    Tcpip\..\Interfaces\{57F9450A-3FC4-4DFA-973D-BB768F15CD6D}: [DhcpNameServer] 192.168.1.1

    Internet Explorer:
    ==================
    HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yahoo.sbc.com/dsl
    HKU\S-1-5-21-1935655697-1417001333-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.foxnews.com/
    SearchScopes: HKU\S-1-5-21-1935655697-1417001333-839522115-1003 -> {38C48195-A606-46D1-BBFB-55B67FD72449} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-01-03] (Adobe Systems Incorporated)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-20] (Oracle Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-20] (Oracle Corporation)
    Toolbar: HKU\S-1-5-21-1935655697-1417001333-839522115-1003 -> No Name - {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    DPF: {01113300-3E00-11D2-8470-0060089874ED} hxxp://support.cox.com/sdccommon/download/tgctlcm.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {5852F5ED-8BF4-11D4-A245-0080C6F74284} hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_1-windows-i586.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093663370015
    DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} hxxp://128.125.198.170/activex/AxisCamControl.cab
    DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} hxxp://www.pandasoftware.com/activescan/as5/asinst.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} hxxp://download.yahoo.com/dl/installs/yab_af.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA}
    DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} hxxp://www.live365.com/players/play365.cab
    DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} hxxp://ccon.futuremark.com/global/msc34.cab
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} hxxp://76.253.32.98/activex/AMC.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} hxxps://lawson.sharp.com/dana-cached/setup/JuniperSetupSP1.cab
    DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} hxxp://driveragent.com/files/driveragent.cab
    Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)

    FireFox:
    ========
    FF DefaultProfile: vscdqdnb.Default User
    FF ProfilePath: C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\tki20kmd.default [2004-12-21]
    FF SelectedSearchEngine: C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\tki20kmd.default -> Google
    FF Homepage: C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\tki20kmd.default -> hxxp://www.aol.com
    FF Extension: (PrivDog) - C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\tki20kmd.default\Extensions\PrivDog@AdTrustMedia.com.xpi [2014-04-24] [not signed]
    FF ProfilePath: C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\vscdqdnb.Default User [2005-06-17]
    FF SelectedSearchEngine: C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\vscdqdnb.Default User -> Google
    FF Homepage: C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\vscdqdnb.Default User -> hxxps://www.google.com/?gws_rd=ssl
    FF Extension: (Microsoft .NET Framework Assistant) - C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\vscdqdnb.Default User\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-02-19] [not signed]
    FF Extension: (Firefox Hotfix) - C:\Documents and Settings\Golden State\Application Data\Mozilla\Firefox\Profiles\vscdqdnb.Default User\Extensions\firefox-hotfix@mozilla.org.xpi [2016-10-16]
    FF Extension: (Kaspersky URL Advisor) - C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak [2016-11-27] [not signed]
    FF Extension: (Java Console) - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2016-11-27] [not signed]
    FF Extension: (Java Console) - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2016-11-27] [not signed]
    FF Extension: (Java Console) - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2016-11-27] [not signed]
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-06-11] [not signed]
    FF HKLM\...\Firefox\Extensions: [virtualKeyboard@kaspersky.ru] - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\virtualKeyboard@kaspersky.ru => not found
    FF HKLM\...\Firefox\Extensions: [linkfilter@kaspersky.ru] - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\linkfilter@kaspersky.ru => not found
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-30] ()
    FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.)
    FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-20] (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-20] (Oracle Corporation)
    FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2008-11-20] (Yahoo! Inc.)
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-04-25] (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-04-25] (Google Inc.)
    FF Plugin: @yverinfo.yahoo.com/YahooVersionInfoPlugin;version=1.0.0.1 -> C:\Program Files\Yahoo!\Shared\npYVerInfo.dll [No File]
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-01-03] (Adobe Systems Inc.)
    FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Yahoo!\Common\npyaxmpb.dll [No File]
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npmozax.dll [2004-12-22] ()
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npunagi2.dll [2007-08-21] (America Online, Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\np32dsw.dll [2008-03-19] (Adobe Systems, Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL [2007-03-22] (Microsoft Corporation)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll [2009-02-06] (Microsoft Corporation)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2012-01-03] (Adobe Systems Inc.)
    FF ExtraCheck: C:\Program Files\mozilla firefox\defaults\pref\activex.js [2005-05-13]

    Chrome:
    =======
    CHR HKLM\...\Chrome\Extension: [cmaiofennmphjldldcpphcechfnnohja] - C:\Program Files\AdTrustMedia\PrivDog\PrivDog_chrome.crx <not found>

    ==================== Services (Whitelisted) ====================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    ATTENTION: => Could not perform signature verification. Cryptographic Service is not running.

    S4 InCDsrv; C:\Program Files\Ahead\InCD\InCDsrv.exe [770100 2003-06-03] ()
    R2 NanoServiceMain; C:\Program Files\Panda Security\Panda Security Protection\PSANHost.exe [142072 2015-10-18] (Panda Security, S.L.)
    R2 NetTimeSvc; C:\Program Files\NetTime\NetTimeService.exe [473088 2012-05-12] ()
    R2 PandaAgent; C:\Program Files\Panda Security\Panda Devices Agent\AgentSvc.exe [73176 2016-02-22] (Panda Security, S.L.)
    S4 PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [75064 2009-03-28] ()
    S4 PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [215128 2009-12-19] ()
    R2 PSUAService; C:\Program Files\Panda Security\Panda Security Protection\PSUAService.exe [38136 2015-10-22] (Panda Security, S.L.)

    ===================== Drivers (Whitelisted) ======================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R3 EL90Xbc; C:\WINDOWS\System32\DRIVERS\el90Xbc5.SYS [74338 2002-08-13] (3Com Corporation)
    S3 ENTECH; C:\WINDOWS\System32\DRIVERS\ENTECH.SYS [20400 1999-10-21] (EnTech Taiwan)
    R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
    R4 InCDfs; C:\WINDOWS\system32\Drivers\InCDfs.sys [85360 2003-06-03] ()
    R1 InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [26816 2003-06-03] (Ahead Software)
    U1 InCDrec; C:\WINDOWS\system32\Drivers\InCDrec.sys [4976 2003-06-03] (Ahead Software AG)
    S3 Intels51; C:\WINDOWS\System32\DRIVERS\Intels51.sys [670203 2003-05-22] (Intel Corporation)
    R3 mf; C:\WINDOWS\System32\DRIVERS\mf.sys [63744 2008-04-13] (Microsoft Corporation)
    R3 ms_mpu401; C:\WINDOWS\System32\drivers\msmpu401.sys [2944 2001-08-17] (Microsoft Corporation)
    S3 MxlW2k; C:\WINDOWS\system32\Drivers\MxlW2k.sys [28164 2003-12-09] (MusicMatch, Inc.)
    S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2008-04-13] (Microsoft Corporation)
    R1 nmserial; C:\WINDOWS\System32\DRIVERS\nmserial.sys [62080 2007-04-18] (Windows (R) 2000 DDK provider)
    R1 NNSALPC; C:\WINDOWS\System32\DRIVERS\NNSAlpc.sys [87032 2015-07-09] (Panda Security, S.L.)
    R1 NNSHTTP; C:\WINDOWS\System32\DRIVERS\NNSHttp.sys [202104 2015-07-09] (Panda Security, S.L.)
    R1 NNSHTTPS; C:\WINDOWS\System32\DRIVERS\NNSHttps.sys [109688 2015-07-09] (Panda Security, S.L.)
    R1 NNSIDS; C:\WINDOWS\System32\DRIVERS\NNSIds.sys [121720 2015-07-09] (Panda Security, S.L.)
    R3 NNSNAHS; C:\WINDOWS\System32\DRIVERS\NNSNAHS.sys [55216 2015-05-20] (Panda Security, S.L.)
    R1 NNSPICC; C:\WINDOWS\System32\DRIVERS\NNSPicc.sys [102264 2015-07-09] (Panda Security, S.L.)
    R1 NNSPIHS; C:\WINDOWS\System32\DRIVERS\NNSPihs.sys [52088 2015-07-09] (Panda Security, S.L.)
    R1 NNSPOP3; C:\WINDOWS\System32\DRIVERS\NNSPop3.sys [120568 2015-07-09] (Panda Security, S.L.)
    R1 NNSPROT; C:\WINDOWS\System32\DRIVERS\NNSProt.sys [281720 2015-07-09] (Panda Security, S.L.)
    R1 NNSPRV; C:\WINDOWS\System32\DRIVERS\NNSPrv.sys [209016 2015-07-09] (Panda Security, S.L.)
    R1 NNSSMTP; C:\WINDOWS\System32\DRIVERS\NNSSmtp.sys [108408 2015-07-09] (Panda Security, S.L.)
    R1 NNSSTRM; C:\WINDOWS\System32\DRIVERS\NNSStrm.sys [240376 2015-07-09] (Panda Security, S.L.)
    R1 NNSTLSC; C:\WINDOWS\System32\DRIVERS\NNSTlsc.sys [94968 2015-07-09] (Panda Security, S.L.)
    R2 NPF; C:\WINDOWS\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
    R3 nvax; C:\WINDOWS\System32\drivers\nvax.sys [36864 2003-08-13] (NVIDIA Corporation)
    R3 NVENET; C:\WINDOWS\System32\DRIVERS\NVENET.sys [80896 2002-09-22] (NVIDIA Corporation)
    R3 nvnforce; C:\WINDOWS\System32\drivers\nvapu.sys [311552 2003-08-13] (NVIDIA Corporation)
    R0 nv_agp; C:\WINDOWS\System32\DRIVERS\nv_agp.sys [13568 2002-09-05] (NVIDIA Corporation)
    R2 NwlnkIpx; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [88320 2008-04-13] (Microsoft Corporation)
    R2 NwlnkNb; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [63232 2001-08-23] (Microsoft Corporation)
    R2 NwlnkSpx; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [55936 2001-08-23] (Microsoft Corporation)
    S3 PnkBstrK; C:\WINDOWS\system32\drivers\PnkBstrK.sys [138384 2009-12-19] ()
    R2 PSINAflt; C:\WINDOWS\System32\DRIVERS\PSINAflt.sys [140792 2015-07-19] (Panda Security, S.L.)
    R2 PSINFile; C:\WINDOWS\System32\DRIVERS\PSINFile.sys [103288 2015-07-19] (Panda Security, S.L.)
    R1 PSINKNC; C:\WINDOWS\System32\DRIVERS\psinknc.sys [172792 2015-07-19] (Panda Security, S.L.)
    R2 PSINProc; C:\WINDOWS\System32\DRIVERS\PSINProc.sys [114680 2015-07-19] (Panda Security, S.L.)
    R2 PSINProt; C:\WINDOWS\System32\DRIVERS\PSINProt.sys [125176 2015-07-19] (Panda Security, S.L.)
    R2 PSINReg; C:\WINDOWS\System32\DRIVERS\PSINReg.sys [100600 2015-07-19] (Panda Security, S.L.)
    U3 PSKMAD; C:\WINDOWS\System32\DRIVERS\PSKMAD.sys [50832 2015-05-22] (Panda Security, S.L.)
    R0 si3112r; C:\WINDOWS\System32\drivers\si3112r.sys [102528 2006-01-12] (Silicon Image, Inc)
    R0 SiFilter; C:\WINDOWS\System32\DRIVERS\SiWinAcc.sys [10368 2004-11-01] (Silicon Image, Inc.)
    R2 tmcomm; C:\WINDOWS\system32\drivers\tmcomm.sys [76560 2006-10-07] (Trend Micro Inc.)
    S3 TVICHW32; C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS [23600 2006-02-05] (EnTech Taiwan)
    S3 UfasoftSnifDriver4; C:\Program Files\Ufasoft\Sniffer\usft_sn4.sys [15728 2006-06-15] (Ufasoft)
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-04-26 16:40 - 2017-04-26 16:40 - 00017575 _____ C:\Documents and Settings\Golden State\Desktop\FRST.txt
    2017-04-26 16:36 - 2017-04-26 16:36 - 01768448 _____ (Farbar) C:\Documents and Settings\Golden State\Desktop\FRST.exe
    2017-04-26 16:25 - 2015-05-22 00:45 - 00050832 _____ (Panda Security, S.L.) C:\WINDOWS\system32\Drivers\PSKMAD.sys
    2017-04-26 00:22 - 2017-04-26 16:24 - 00000236 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
    2017-04-26 00:22 - 2017-04-25 21:23 - 00000230 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
    2017-04-24 20:16 - 2017-04-24 20:16 - 00000000 ____D C:\FRST

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-04-26 16:40 - 2007-06-18 22:24 - 00032616 _____ C:\WINDOWS\SchedLgU.Txt
    2017-04-26 16:40 - 2005-07-24 13:47 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2017-04-26 16:25 - 2010-01-07 17:43 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2017-04-26 16:25 - 2006-09-10 17:01 - 00000008 _____ C:\WINDOWS\system32\nvapps.xml
    2017-04-26 00:22 - 2003-12-09 13:43 - 00313968 _____ C:\WINDOWS\system32\FNTCACHE.DAT
    2017-04-25 21:26 - 2015-04-25 21:01 - 02097152 _____ C:\WINDOWS\system32\config\Nano.evt
    2017-04-25 21:26 - 2003-12-09 14:17 - 00000278 ___SH C:\Documents and Settings\Golden State\ntuser.ini
    2017-04-25 21:23 - 2001-08-23 12:00 - 00002184 _____ C:\WINDOWS\system32\wpa.dbl
    2017-04-25 20:24 - 2010-01-07 17:43 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

    ==================== Files in the root of some directories =======

    2004-01-28 19:06 - 2004-01-28 19:06 - 0000135 ____N () C:\Documents and Settings\Golden State\Local Settings\Application Data\fusioncache.dat
    2004-03-24 13:06 - 2016-08-21 15:03 - 0028672 _____ () C:\Documents and Settings\Golden State\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2009-08-24 22:46 - 2015-06-24 20:12 - 0000600 _____ () C:\Documents and Settings\Golden State\Local Settings\Application Data\PUTTY.RND

    Some zero byte size files/folders:
    ==========================
    C:\Windows\System32\Ultra.dll
    C:\Windows\System32\pdc32hlisysb.dll

    ==================== Bamital & volsnap ======================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => MD5 is legit
    C:\WINDOWS\system32\winlogon.exe => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit
    C:\WINDOWS\system32\User32.dll => MD5 is legit
    C:\WINDOWS\system32\userinit.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\dnsapi.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\volsnap.sys => MD5 is legit

    ==================== End of FRST.txt ============================
     
  16. 2017/04/26
    elcajongunsfan Well-Known Member Thread Starter
    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 26-04-2017
    Ran by Golden State (26-04-2017 16:41:48)
    Running from C:\Documents and Settings\Golden State\Desktop
    Microsoft Windows XP Service Pack 3 (X86) (2003-12-09 21:55:06)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-1935655697-1417001333-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
    ASPNET (S-1-5-21-1935655697-1417001333-839522115-1008 - Limited - Enabled)
    Golden State (S-1-5-21-1935655697-1417001333-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Golden State
    Guest (S-1-5-21-1935655697-1417001333-839522115-501 - Limited - Enabled)
    HelpAssistant (S-1-5-21-1935655697-1417001333-839522115-1000 - Limited - Disabled)
    SUPPORT_388945a0 (S-1-5-21-1935655697-1417001333-839522115-1002 - Limited - Disabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Panda Free Antivirus (Disabled - Up to date) {5AD27692-540A-464E-B625-78275FA38393}
    FW: Panda Firewall (Disabled) {1337562C-110A-4AF8-B12B-750C0B30E802}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    ACDSee 5.0 PowerPack (HKLM\...\{5058B085-AA79-41E5-A726-681B4C4B846E}) (Version: 5.0.0 - ACD Systems Ltd)
    Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.7.1.19610 - Adobe Systems Incorporated)
    Adobe Flash Player 21 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
    Adobe Reader X (10.1.2) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.2 - Adobe Systems Incorporated)
    Adobe Shockwave Player (HKLM\...\Adobe Shockwave Player) (Version: 11 - Adobe Systems, Inc.)
    Ahead InCD (HKLM\...\InCD!UninstallKey) (Version: - )
    ATI Control Panel (HKLM\...\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}) (Version: - )
    AXIS Media Control Embedded (HKLM\...\AXIS Media Control Embedded) (Version: - )
    Battlefield 2(TM) (HKLM\...\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}) (Version: - )
    Boson Exam Environment (HKLM\...\{12F69331-DCBB-46D5-B475-6BFD0F9048B3}) (Version: 1.4.2 - Boson Software, LLC)
    Canon i560 (HKLM\...\CANONBJ_Deinstall_CNMCP58.DLL) (Version: - )
    Canon Utilities Easy-PhotoPrint (HKLM\...\Easy-PhotoPrint) (Version: - )
    Canon Utilities Easy-PhotoPrint Plus (HKLM\...\Easy-PhotoPrint Plus) (Version: - )
    CCleaner (HKLM\...\CCleaner) (Version: 3.17 - Piriform)
    Cisco Packet Tracer 5.2.1 (HKLM\...\Cisco Packet Tracer_is1) (Version: - Cisco Systems, Inc.)
    Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Conflict Desert Storm II (HKLM\...\{190CB499-261D-43EB-BB7F-1C5A33E1DDDE}) (Version: - )
    Critical Update for Windows Media Player 11 (KB959772) (HKLM\...\KB959772_WM11) (Version: - Microsoft Corporation)
    Debugging Tools for Windows (HKLM\...\{5C741A01-05D6-4306-BA6A-DC8401285AE8}) (Version: 6.6.7.5 - Microsoft Corporation)
    Desert Storm (HKLM\...\{EA7D60ED-9ED3-48F5-8F18-5B5B6663B229}) (Version: - )
    DrawPlus 3.0 (HKLM\...\DrawPlus 3.0) (Version: - )
    EVEREST Home Edition v2.20 (HKLM\...\EVEREST Home Edition_is1) (Version: 2.20 - Lavalys Inc)
    e-Watch Camera Viewer (HKLM\...\{88EFC79A-2079-41B5-9FB7-EB0CA7463936}) (Version: - )
    Fluke Networks Training: Version 2.1 (HKLM\...\Fluke Networks Training) (Version: - )
    FTPShell Client 3.5 (HKLM\...\ROBOTFTP2002PRO_is1) (Version: 3.0 - FTPShell Software)
    Futuremark Measurement Services Client (HKLM\...\Measurement Services Client) (Version: - )
    GCalc 3 (HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\GCalc 3) (Version: - gcalc.net)
    Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
    Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard (HKLM\...\{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}) (Version: 1.1.1905.1 - Microsoft Corporation)
    HijackThis 2.0.2 (HKLM\...\HijackThis) (Version: 2.0.2 - TrendMicro)
    IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.32 - Irfan Skiljan)
    Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
    Java SATARaid (HKLM\...\{BB533746-CF08-11D7-BCF1-005004748D87}) (Version: - )
    Java Web Start (HKLM\...\Java Web Start) (Version: - )
    JCreator LE 3.10 (HKLM\...\JCreator LE_is1) (Version: - Xinox Software)
    Jing (HKLM\...\{7AB01508-C2B2-43C8-8B44-514801E7CCC9}) (Version: 2.6.12032.1 - TechSmith Corporation)
    Juniper Networks Cache Cleaner 6.3.0 (HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\Juniper_Networks_Cache_Cleaner 6.3.0) (Version: 6.3.0.13881 - Juniper Networks)
    Kiwi Syslog Server 9.2.1 (Standard Edition) (HKLM\...\Kiwi Syslog Server) (Version: 9.2.1 (Standard Edition) - hxxp://www.kiwisyslog.com)
    Learn2 Player (Uninstall Only) (HKLM\...\StreetPlugin) (Version: - )
    Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
    Microsoft Data Access Components KB870669 (HKLM\...\KB870669) (Version: - Microsoft Corporation)
    Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
    Microsoft Office Professional Edition 2003 (HKLM\...\{91110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
    Microsoft Web Publishing Wizard 1.52 (HKLM\...\WebPost) (Version: - )
    Microsoft Windows Journal Viewer (HKLM\...\{43DCF766-6838-4F9A-8C91-D92DA586DFA7}) (Version: 1.5.2315.3 - Microsoft)
    MosChip Multi-IO Controller (HKLM\...\MosChip Technology) (Version: - )
    Mozilla Firefox 48.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 48.0.2 (x86 en-US)) (Version: 48.0.2 - Mozilla)
    Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 48.0.2.6079 - Mozilla)
    MUSICMATCH Jukebox (HKLM\...\MUSICMATCH Jukebox) (Version: - )
    Nero - Burning Rom (HKLM\...\{A4D7B764-4140-11D4-88EB-0050DA3579C0}) (Version: 5.5.9 - ahead software gmbh)
    NetMos Multi-IO Controller (HKLM\...\NetMos Technology) (Version: - )
    NetTime (HKLM\...\NetTime_is1) (Version: - Mark Griffiths)
    Nmap 6.25 (HKLM\...\Nmap) (Version: - )
    NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: - )
    NVIDIA nForce Utilities (HKLM\...\SSUtils) (Version: - )
    NVIDIA Windows 2000/XP nForce Drivers (HKLM\...\NVIDIAnForce) (Version: - )
    Oracle VM VirtualBox 4.2.10 (HKLM\...\{08FD61E2-0BCC-424D-8F26-4FC4864B0440}) (Version: 4.2.10 - Oracle Corporation)
    Panda Devices Agent (Version: 1.03.07 - Panda Security) Hidden
    Panda Devices Agent (Version: 1.06.00 - Panda Security) Hidden
    Panda Free Antivirus (HKLM\...\Panda Universal Agent Endpoint) (Version: 16.0.2 - Panda Security)
    Panda Free Antivirus (Version: 8.04.00.0000 - Panda Security) Hidden
    Pinball Master (HKLM\...\Pinball Master) (Version: - )
    SeaTools for Windows 1.4.0.4 (HKLM\...\SeaTools for Windows) (Version: 1.4.0.4 - Seagate Technology)
    Shockwave (HKLM\...\Shockwave) (Version: - )
    Spelling Dictionaries Support For Adobe Reader 8 (HKLM\...\{AC76BA86-7AD7-5464-3428-800000000003}) (Version: 8.0.0 - Adobe Systems)
    SpywareBlaster 5.4 (HKLM\...\SpywareBlaster_is1) (Version: 5.4.0 - BrightFort LLC)
    System Requirements Lab (HKLM\...\SystemRequirementsLab) (Version: - )
    Tera Term 4.85 (HKLM\...\Tera Term_is1) (Version: - )
    Tweaking.com - Windows Repair (HKLM\...\Tweaking.com - Windows Repair) (Version: 3.8.6 - Tweaking.com)
    Ufasoft Snif 4.1.116 (HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\UfasoftSniffer) (Version: - )
    WebFldrs XP (Version: 9.50.6513 - Microsoft Corporation) Hidden
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0036.0 - Microsoft Corporation)
    Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
    Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
    Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
    WinPcap 4.1.3 (HKLM\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)
    WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )
    WinZip (HKLM\...\WinZip) (Version: 9.0 (6028) - WinZip Computing, Inc.)
    Wireshark 1.10.13 (32-bit) (HKLM\...\Wireshark) (Version: 1.10.13 - The Wireshark developer community, hxxp://www.wireshark.org)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\WGASetup.job => C:\WINDOWS\system32\KB905474\wgasetup.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\Tweaking.com - Windows Repair Tray Icon.job => C:\Program Files\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe C:\Program Files\Tweaking.com\Windows Repair (All in One) Tweaking.com - Windows Repair )Created By Tweaking.com
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
    Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2003-12-09 09:18 - 2002-05-14 18:22 - 00122880 _____ () C:\Program Files\WinRAR\rarext.dll
    2006-08-11 21:43 - 2006-08-11 21:43 - 00196608 _____ () C:\WINDOWS\system32\nvapi.dll
    2006-08-11 21:43 - 2006-08-11 21:43 - 00466944 _____ () C:\WINDOWS\system32\nvshell.dll
    2014-12-31 19:34 - 2012-05-12 09:28 - 00772096 _____ () C:\Program Files\NetTime\NetTime.exe
    2013-04-12 09:23 - 2013-04-12 09:23 - 00612664 _____ () C:\Program Files\Panda Security\Panda Security Protection\SQLite3.dll
    2014-12-31 19:34 - 2012-05-12 01:27 - 00473088 _____ () C:\Program Files\NetTime\NetTimeService.exe

    ==================== Alternate Data Streams (Whitelisted) =========

    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NanoServiceMain => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\nm.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PSUAService => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)

    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\008i.com -> 008i.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\008k.com -> 008k.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\00hq.com -> 00hq.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\0190-dialers.com -> 0190-dialers.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\01i.info -> 01i.info
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\0411dd.com -> 0411dd.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\0511zfhl.com -> 0511zfhl.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\05p.com -> 05p.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\0632qyw.com -> 0632qyw.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\0calories.net -> 0calories.net
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\0cj.net -> 0cj.net
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\0scan.com -> 0scan.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\1-domains-registrations.com -> 1-domains-registrations.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\1-se.com -> 1-se.com
    IE restricted site: HKU\S-1-5-21-1935655697-1417001333-839522115-1003\...\1001movie.com -> 1001movie.com

    There are 6091 more sites.


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2001-08-23 12:00 - 2015-05-01 21:16 - 00000855 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    127.0.0.1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-1935655697-1417001333-839522115-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Golden State\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    DNS Servers: 8.8.8.8
    sharedaccess => Firewall Service is not running.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk => C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk => C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk => C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk => C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Java SATARaid.lnk => C:\WINDOWS\pss\Java SATARaid.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SATARaid.lnk => C:\WINDOWS\pss\SATARaid.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk => C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup
    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start GeekBuddy.lnk => C:\WINDOWS\pss\Start GeekBuddy.lnkCommon Startup
    MSCONFIG\startupfolder: C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk => C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
    MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    MSCONFIG\startupreg: Adobe Photo Downloader => "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    MSCONFIG\startupreg: ATIPTA => C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    MSCONFIG\startupreg: gbrspcontrol => "C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe" -controlservice -slave
    MSCONFIG\startupreg: HostManager => C:\Program Files\Common Files\AOL\1104710211\ee\AOLSoftware.exe
    MSCONFIG\startupreg: InCD => C:\Program Files\Ahead\InCD\InCD.exe
    MSCONFIG\startupreg: Logitech Utility => Logi_MwX.Exe
    MSCONFIG\startupreg: Messenger (Yahoo!) => "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    MSCONFIG\startupreg: NeroCheck => C:\WINDOWS\system32\NeroCheck.exe
    MSCONFIG\startupreg: PrivDogService => "C:\Program Files\AdTrustMedia\PrivDog\1.8.0.15\trustedadssvc.exe"
    MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\qttask.exe" -atboottime
    MSCONFIG\startupreg: ROBOTFTPSCHED => C:\Program Files\FTPShell\botsched.exe
    MSCONFIG\startupreg: TCASUTIEXE => TCAUDIAG.exe -on
    MSCONFIG\startupreg: Tekx => C:\WINDOWS\System32\lоgonui.exe
    MSCONFIG\startupreg: Yahoo! Pager => 1
    MSCONFIG\startupreg: YOP => C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    StandardProfile\AuthorizedApplications: [C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE] => Enabled:Yahoo! Messenger
    StandardProfile\AuthorizedApplications: [C:\PROGRA~1\YAHOO!\MESSEN~1\yserver.exe] => Enabled:Yahoo! FT Server
    StandardProfile\AuthorizedApplications: [C:\Program Files\Packet Tracer 5.2\bin\PacketTracer5.exe] => Enabled:packetTracer5
    StandardProfile\AuthorizedApplications: [C:\WINDOWS\Temp\CMC_DRAGON\restart_helper.exe] => Disabled:restart_helper.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files\Nmap\nmap.exe] => Enabled:Nmap
    StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Golden State\Local Settings\Temp\RarSFX0\x32\PcSfTool.exe] => Enabled:pcSfTool
    StandardProfile\AuthorizedApplications: [C:\Program Files\Silicon Image\Java SATARaid\SiITray.exe] => Enabled:SiITray
    StandardProfile\AuthorizedApplications: [C:\Program Files\Java\jre1.8.0_31\bin\javaw.exe] => Enabled:Java(TM) Platform SE binary
    StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
    DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
    DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
    DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
    DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
    DomainProfile\GloballyOpenPorts: [3389:TCP] => Disabled:@xpsp2res.dll,-22009
    StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
    StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
    StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
    StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
    StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
    StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
    StandardProfile\GloballyOpenPorts: [3389:TCP] => Disabled:@xpsp2res.dll,-22009

    ==================== Restore Points =========================

    Check "winmgmt" service or repair WMI.


    ==================== Faulty Device Manager Devices =============

    Name: 1394 Net Adapter #2
    Description: 1394 Net Adapter
    Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Manufacturer: Microsoft
    Service: NIC1394
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: VirtualBox Host-Only Ethernet Adapter
    Description: VirtualBox Host-Only Ethernet Adapter
    Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Manufacturer: Oracle Corporation
    Service: VBoxNetAdp
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (04/26/2017 12:22:33 AM) (Source: Windows Product Activation) (EventID: 1010) (User: )
    Description: The Windows license was restored due to a system error. You might need to reactivate your Windows product.

    Error: (11/27/2016 05:31:55 PM) (Source: ESENT) (EventID: 413) (User: )
    Description: wuauclt (2412) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1811.

    Error: (11/27/2016 05:31:55 PM) (Source: ESENT) (EventID: 429) (User: )
    Description: wuaueng.dll (2412) SUS20ClientDataStore: The database engine log disk is full. Deleting logfiles to recover disk space may make your database unstartable if the database file(s) are Inconsistent. Numbered logfiles may be moved, but not deleted, if and only if the database file(s) are Consistent. Do not move edb.log.

    Error: (11/27/2016 05:31:55 PM) (Source: ESENT) (EventID: 486) (User: )
    Description: wuauclt (2412) An attempt to move the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\res1.log" to "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log" failed with system error 2 (0x00000002): "The system cannot find the file specified. ". The move file operation will fail with error -1811 (0xfffff8ed).

    Error: (11/27/2016 05:31:55 PM) (Source: ESENT) (EventID: 428) (User: )
    Description: wuauclt (2412) The database engine is rejecting update operations due to low free disk space on the log disk.

    Error: (11/27/2016 05:31:55 PM) (Source: ESENT) (EventID: 486) (User: )
    Description: wuauclt (2412) An attempt to move the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\res2.log" to "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log" failed with system error 2 (0x00000002): "The system cannot find the file specified. ". The move file operation will fail with error -1811 (0xfffff8ed).

    Error: (11/27/2016 05:31:55 PM) (Source: ESENT) (EventID: 488) (User: )
    Description: wuauclt (2412) An attempt to create the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edbtmp.log" failed with system error 1392 (0x00000570): "The file or directory is corrupted and unreadable. ". The create file operation will fail with error -1022 (0xfffffc02).

    Error: (11/27/2016 12:31:51 PM) (Source: ESENT) (EventID: 481) (User: )
    Description: wuauclt (3008) An attempt to read from the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" at offset 11591680 (0x0000000000b0e000) for 200704 (0x00031000) bytes failed with system error 23 (0x00000017): "Data error (cyclic redundancy check). ". The read operation will fail with error -1022 (0xfffffc02). If this error persists then the file may be damaged and may need to be restored from a previous backup.

    Error: (11/18/2016 08:20:21 PM) (Source: ESENT) (EventID: 481) (User: )
    Description: wuauclt (3104) An attempt to read from the file "C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb" at offset 3035136 (0x00000000002e5000) for 4096 (0x00001000) bytes failed with system error 23 (0x00000017): "Data error (cyclic redundancy check). ". The read operation will fail with error -1022 (0xfffffc02). If this error persists then the file may be damaged and may need to be restored from a previous backup.

    Error: (11/06/2016 03:35:54 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application flashplayer23_ha_install.exe, version 2.0.0.125, faulting module flashplayer23_ha_install.exe, version 2.0.0.125, fault address 0x00005ccb.
    Processing media-specific event for [flashplayer23_ha_install.exe!ws!]


    System errors:
    =============
    Error: (04/26/2017 04:42:18 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
    Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
    Access is denied.

    Error: (04/26/2017 04:33:26 PM) (Source: DCOM) (EventID: 10005) (User: MIKE)
    Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service MDM with arguments ""
    in order to run the server:
    {0C0A3666-30C9-11D0-8F20-00805F2CD064}

    Error: (04/26/2017 04:32:18 PM) (Source: DCOM) (EventID: 10005) (User: MIKE)
    Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service MDM with arguments ""
    in order to run the server:
    {0C0A3666-30C9-11D0-8F20-00805F2CD064}

    Error: (04/26/2017 04:25:03 PM) (Source: 0) (EventID: 4311) (User: )
    Description: Event-ID 4311

    Error: (04/26/2017 04:24:58 PM) (Source: NETLOGON) (EventID: 3095) (User: )
    Description: This computer is configured as a member of a workgroup, not as
    a member of a domain. The Netlogon service does not need to run in this
    configuration.

    Error: (04/25/2017 09:23:29 PM) (Source: 0) (EventID: 4311) (User: )
    Description: Event-ID 4311

    Error: (04/25/2017 09:23:27 PM) (Source: NETLOGON) (EventID: 3095) (User: )
    Description: This computer is configured as a member of a workgroup, not as
    a member of a domain. The Netlogon service does not need to run in this
    configuration.

    Error: (04/25/2017 07:22:43 PM) (Source: DCOM) (EventID: 10005) (User: MIKE)
    Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service MDM with arguments ""
    in order to run the server:
    {0C0A3666-30C9-11D0-8F20-00805F2CD064}

    Error: (04/25/2017 07:21:58 PM) (Source: DCOM) (EventID: 10005) (User: MIKE)
    Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service MDM with arguments ""
    in order to run the server:
    {0C0A3666-30C9-11D0-8F20-00805F2CD064}

    Error: (04/25/2017 07:14:46 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
    Description: DCOM got error "%%1058 = The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service gupdate with arguments "/comsvc"
    in order to run the server:
    {4EB61BAC-A3B6-4760-9581-655041EF4D69}


    ==================== Memory info ===========================

    Processor: AMD Athlon(tm) XP 3200+
    Percentage of memory in use: 21%
    Total physical RAM: 1791.48 MB
    Available physical RAM: 1398.74 MB
    Total Virtual: 5226.71 MB
    Available Virtual: 4891.59 MB

    ==================== Drives ================================

    Drive c: (DSK1_VOL1) (Fixed) (Total:50.01 GB) (Free:13.94 GB) FAT32 ==>[drive with boot components (Windows XP)]
    Drive d: (DSK1_VOL2) (Fixed) (Total:26.29 GB) (Free:24.53 GB) FAT32

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 76.3 GB) (Disk ID: E695E695)
    Partition 1: (Active) - (Size=50 GB) - (Type=0C)
    Partition 2: (Not Active) - (Size=26.3 GB) - (Type=0F Extended)

    ==================== End of Addition.txt ============================
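A log like the Addition.txt above is long, and the entries that matter hide among hundreds of ordinary ones. The script below is an added example for this thread, not FRST's own code and not anything broni or the poster ran; it applies three cheap heuristics to the autostart, scheduled-task and firewall lines of such a log: a non-ASCII character in an executable path (a look-alike letter makes a bogus file read as a system file), an autostart or firewall-authorised executable living under a Temp directory, and a bare filename with no directory, which Windows resolves by PATH search order at logon. It also flags GloballyOpenPorts rules that are Enabled without the :LocalSubNet: scope. The sample lines are copied from the log above except the Tekx line, which is constructed to spell logonui.exe with a Cyrillic о (U+043E); the real Tekx entry above is exactly the kind of line worth running through this check, but whether its bytes are ASCII is not recoverable from the forum rendering. The tag names and the heuristics are this example's choices.

```python
"""Triage heuristics for the autostart and firewall sections of an FRST
Addition.txt log.  Added example for this thread; not FRST's own code.
The heuristics and tag names are this example's choices.
"""
import re
import unicodedata

# Sample input constructed for this example.  All lines but one are copied
# from the Addition.txt above; the "Tekx" line is constructed so that it
# spells logonui.exe with a Cyrillic "o" (U+043E), to show what a
# look-alike character does to a path.
SAMPLE_LINES = [
    r'MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r'MSCONFIG\startupreg: Logitech Utility => Logi_MwX.Exe',
    r'MSCONFIG\startupreg: TCASUTIEXE => TCAUDIAG.exe -on',
    'MSCONFIG\\startupreg: Tekx => C:\\WINDOWS\\System32\\l\u043egonui.exe',  # constructed
    r'Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe',
    r'StandardProfile\AuthorizedApplications: [C:\Program Files\Nmap\nmap.exe] => Enabled:Nmap',
    r'StandardProfile\AuthorizedApplications: [C:\WINDOWS\Temp\CMC_DRAGON\restart_helper.exe] => Disabled:restart_helper.exe',
    r'StandardProfile\AuthorizedApplications: [C:\Documents and Settings\Golden State\Local Settings\Temp\RarSFX0\x32\PcSfTool.exe] => Enabled:pcSfTool',
    r'DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005',
    r'StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005',
    r'StandardProfile\GloballyOpenPorts: [3389:TCP] => Disabled:@xpsp2res.dll,-22009',
    r'127.0.0.1 localhost',
]

ENTRY_RE = re.compile(
    r'^(?P<kind>MSCONFIG\\startup(?:reg|folder)|Task|'
    r'(?:Standard|Domain)Profile\\AuthorizedApplications): (?P<lhs>.*?) => (?P<rhs>.*)$')
PORT_RE = re.compile(
    r'^(?P<profile>Standard|Domain)Profile\\GloballyOpenPorts: '
    r'\[(?P<port>[^\]]+)\] => (?P<rhs>.*)$')
EXE_RE = re.compile(r'"?(?P<exe>[^"]*?\.exe)\b', re.IGNORECASE)
TEMP_MARKERS = ('\\temp\\', '\\temporary internet files\\')


def parse_entry(line):
    """(entry name, executable path) for an autostart, task or firewall-app line, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, lhs, rhs = m.group('kind', 'lhs', 'rhs')
    if kind.endswith('AuthorizedApplications'):
        # firewall lines put the path on the left in [brackets], the rule name on the right
        name, command = rhs.split(':', 1)[-1], lhs.strip('[]')
    else:
        name, command = lhs, rhs
    e = EXE_RE.search(command)
    return name, (e.group('exe') if e else command)


def lookalike_chars(path):
    """Non-ASCII characters in a path, each with its Unicode name."""
    return [(c, unicodedata.name(c, 'UNKNOWN')) for c in path if ord(c) > 127]


def executable_findings(exe):
    """Heuristic tags for one executable path (empty list = nothing tripped)."""
    tags = []
    if lookalike_chars(exe):
        tags.append('non-ascii-in-path')   # e.g. Cyrillic o standing in for Latin o
    if any(marker in exe.lower() for marker in TEMP_MARKERS):
        tags.append('runs-from-temp')      # droppers and installers live here; autostarts should not
    if '\\' not in exe:
        tags.append('unqualified-path')    # resolved by PATH search order at logon
    return tags


def open_port_finding(line):
    """('Profile', 'port:proto') for an Enabled open-port rule with no LocalSubNet scope, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    parts = m.group('rhs').split(':')
    if 'Enabled' not in parts or 'LocalSubNet' in parts:
        return None
    return m.group('profile'), m.group('port')


def triage(lines):
    """Map entry name -> heuristic tags for every line that tripped at least one check."""
    report = {}
    for line in lines:
        entry = parse_entry(line)
        if entry:
            name, exe = entry
            tags = executable_findings(exe)
            if tags:
                report[name] = tags
            continue
        port = open_port_finding(line)
        if port:
            # DomainProfile rules only apply on a domain member; this machine is in a
            # workgroup (NETLOGON 3095 above), so StandardProfile is the one that is live.
            report['%sProfile %s' % port] = ['open-to-any-address']
    return report


if __name__ == '__main__':
    for name, tags in triage(SAMPLE_LINES).items():
        print('%-40s %s' % (name, ', '.join(tags)))
```

Run it against the saved Addition.txt by reading the file into a list of lines instead of SAMPLE_LINES. A tag is a reason to look, not a verdict: Logi_MwX.Exe and TCAUDIAG.exe are legitimate vendor entries that simply rely on PATH, and the disabled restart_helper.exe rule is flagged for where the file sat, not for what it did. The one check that is close to a verdict is non-ascii-in-path, since no Microsoft binary in System32 carries a non-ASCII letter in its name.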
     
  17. 2017/04/26
    broni (Moderator, Malware Analyst)
    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2
    • Close all the running programs
    • Double click on downloaded setup.exe file to install the program.
    • Click on Start Scan button.
    • Click on another Start Scan button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    Please download Malwarebytes to your desktop.
    • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
    • Then click Finish.
    • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
    • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
    • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
    • Restart your computer when prompted to do so.
    • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • The tool will start to update the database if one is required.
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Logfile button.
    • A window will open which lists the logs of your scans.
    • Click on the Scan tab.
    • Double-click the most recent scan which will be at the top of the list....the log will appear.
    • Review the results...see note below
    • After reviewing the log, click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
    • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
    • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
    • Copies of all logfiles are saved to C:\AdwCleaner.
    -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
     
  18. 2017/04/26
    elcajongunsfan (Thread Starter)
    RogueKiller won't run. The message says "encountered a problem and needs to close", etc.

    I'm trying the command line roguekillercmd -scan and I think it's running; a lot of blinking.

    I'll be back tomorrow and report

    Thanks
     
    Last edited: 2017/04/26
  19. 2017/04/26
    broni (Moderator, Malware Analyst)
  20. 2017/04/27
    elcajongunsfan (Thread Starter)
    RogueKiller won't run in safe mode either, same message. Malwarebytes exited with some floating point error, but the other two tools did run.

    As I said last night, RK's command line did run successfully and put out this report with the options to clean them. I just exited the program.

    Detections: 11
    Last Detection: Firefox|Config|browser.startup.homepage --> Malicious ...
    [-] Found [REGVAL] : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|bdx [PUP.Gen0]
    [-] Found [REGVAL] : HKEY_USERS\S-1-5-21-1935655697-1417001333-839522115-1003\Software\Microsoft\Internet Explorer\Main|Start Page [PUM.HomePage]
    [-] Found [REGVAL] : HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main|Search Bar [PUM.SearchPage]
    [-] Found [REGVAL] : HKEY_USERS\S-1-5-21-1935655697-1417001333-839522115-1003\Software\Microsoft\Internet Explorer\Main|Search Bar [PUM.SearchPage]
    [-] Found [REGVAL] : HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center|AntiVirusDisableNotify [PUM.SecurityCenter]
    [-] Found [REGVAL] : HKEY_USERS\S-1-5-21-1935655697-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer [PUM.StartMenu]
    [-] Found [REGVAL] : HKEY_USERS\S-1-5-21-1935655697-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyMusic [PUM.StartMenu]
    [-] Found [REGVAL] : HKEY_USERS\S-1-5-21-1935655697-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRecentDocs [PUM.StartMenu]
    [-] Found [REGVAL] : HKEY_USERS\S-1-5-21-1935655697-1417001333-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSetProgramAccessAndDefaults [PUM.StartMenu]
    [X] Found [FILE/FOLDER] : C:\Documents and Settings\Golden State\Application Data\Yahoo!\Companion [PUP.Gen1]
    [-] Found : [Firefox:Config]: http://www.aol.com"); [PUM.HomePage]
    And here are JRT and AdwCleaner:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.1.3 (04.10.2017)
    Operating System: Microsoft Windows XP x86
    Ran by Golden State (Administrator) on Thu 04/27/2017 at 17:04:54.71
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    File System: 2
    Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KA9B0G3W (Temporary Internet Files Folder)
    Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KA9B0G3W (Temporary Internet Files Folder)
    Registry: 0
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Thu 04/27/2017 at 17:06:48.42
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    # AdwCleaner v6.045 - Logfile created 27/04/2017 at 17:10:16
    # Updated on 28/03/2017 by Malwarebytes
    # Database : 2017-03-28.2 [Local]
    # Operating System : Microsoft Windows XP Service Pack 3 (X86)
    # Username : Golden State - MIKE
    # Running from : C:\Documents and Settings\Golden State\Desktop\AdwCleaner.exe
    # Mode: Clean
    # Support : Customer Support & Help Center
    ***** [ Services ] *****
    ***** [ Folders ] *****
    ***** [ Files ] *****
    ***** [ DLL ] *****
    ***** [ WMI ] *****
    ***** [ Shortcuts ] *****
    ***** [ Scheduled Tasks ] *****
    ***** [ Registry ] *****
    [-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\geekbuddyrsp
    [-] Key deleted: HKLM\SOFTWARE\Classes\AolCalSvr.ACToolBarCtrl
    [-] Key deleted: HKLM\SOFTWARE\Classes\AolCalSvr.ACToolBarCtrl.4
    [-] Key deleted: HKLM\SOFTWARE\Classes\AolCalSvr.ACToolBarCtrl.5
    [-] Key deleted: HKLM\SOFTWARE\Classes\YMERemote.YMERemoteCtl
    [-] Key deleted: HKLM\SOFTWARE\Classes\YMERemote.YMERemoteCtl.1
    [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{11D5E9EA-3117-4389-8E58-742F0975C980}
    [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{2FCB4E7E-E5C7-4D07-BB2C-78DF2DA867AD}
    [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{A310B105-FB7D-4497-A7E8-E046462B012F}
    [-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{DF522774-8CA0-4B15-A93A-5F61AB95DA1C}
    [-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{8A1AB044-787D-4309-8410-709768E484AB}
    [-] Key deleted: HKLM\SOFTWARE\Yahoo\YFriendsBar

    ***** [ Web browsers ] *****
    *************************
    :: "Tracing" keys deleted
    :: Winsock settings cleared
    *************************
    C:\AdwCleaner\AdwCleaner[R0].txt - [5033 Bytes] - [29/10/2014 17:07:52]
    C:\AdwCleaner\AdwCleaner[S0].txt - [5206 Bytes] - [29/10/2014 17:10:11]
    C:\AdwCleaner\AdwCleaner[R1].txt - [975 Bytes] - [26/11/2014 23:43:01]
    C:\AdwCleaner\AdwCleaner[R2].txt - [960 Bytes] - [26/12/2014 15:53:26]
    C:\AdwCleaner\AdwCleaner[S1].txt - [2281 Bytes] - [27/04/2017 17:09:28]
    C:\AdwCleaner\AdwCleaner[C0].txt - [2060 Bytes] - [27/04/2017 17:10:16]
    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2133 Bytes] ##########

    There is really high CPU usage and I can't find the culprit.

    Thanks
     
    Last edited: 2017/04/27
  21. 2017/04/27
    broni (Moderator, Malware Analyst)
    Re-run Farbar Recovery Scan Tool (FRST/FRST64) you ran at the very beginning of this topic.

    • Double click to run it.
    • Make sure you checkmark Addition.txt box.
    • Press Scan button.
    • Scan will create two logs, FRST.txt and Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.
     
