Hit a problem with one of the family laptops that looks like it could be a Trojan.FakeMoz.ED infection. When the computer booted up, we got a security message saying that the firewall wasn't running. So I reactivated the firewall manually and all seemed well. Next boot-up, not only did it say that the firewall wasn't running, it also reported a problem with AVG. The firewall apparently activated manually again and checking AVG showed that Resident Shield wasn't running and couldn't be activated manually (the box at the bottom of the screen was greyed out).

Suspecting a malware issue, I ran Mbam and it located and quarantined an infection - below is the extract from the log detailing what it found:

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32, Quarantined, [81cb3ffca3d94bebc848c8948f75916f],

Registry Values: 1
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32|ImagePath, "C:\WINDOWS\Installer\{86EF14D4-A6DF-EBFD-96D2-93387672418F}\syshost.exe" /service, Quarantined, [81cb3ffca3d94bebc848c8948f75916f]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.FakeMoz.ED, C:\WINDOWS\Installer\{86EF14D4-A6DF-EBFD-96D2-93387672418F}\syshost.exe, Quarantined, [3517b685572542f4a06b81601be6ed13],

Physical Sectors: 0
(No malicious items detected)

Running Mbam seemed to fix the firewall issue, as two subsequent reboots have reported no issue with it, but the problem with AVG is still there. Apart from the AVG issue, the machine seems to be running fine, as I'm using it to do this post, but obviously not having AVG running properly does leave it vulnerable.

So I've followed the instructions and run the required scans - although I did hit one issue: because this was a second-hand ex-business machine, we've never had any admin password, so I couldn't run the scans as the admin. However, the only user profile on the machine has always been able to do all admin-level tasks OK in the past, so I'm hoping that it won't have made any difference.

(Also, I know that some programs are a little out-of-date, but the machine is so old and low spec that it can't run the newer versions...)


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01
Ran by IBM (administrator) on THINKPAD on 14-11-2014 15:33:55
Running from C:\Documents and Settings\IBM\Desktop
Loaded Profile: IBM (Available profiles: IBM & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 7
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\WINDOWS\system32\ibmpmsvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgchsvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
() C:\WINDOWS\system32\ati2evxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgwdsvc.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\WINDOWS\system32\QCONSVC.EXE
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(IBM Corporation) C:\WINDOWS\system32\tp4serv.exe
(IBM Corp.) C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
() C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
() C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
() C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
(Agere Systems) C:\WINDOWS\AGRSMMSG.exe
(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG9\avgtray.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgemc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
(Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ATIModeChange] => C:\WINDOWS\system32\Ati2mdxx.exe [28672 2002-06-12] (ATI Technologies, Inc.)
HKLM\...\Run: [TrackPointSrv] => C:\WINDOWS\system32\tp4serv.exe [179200 2002-03-20] (IBM Corporation)
HKLM\...\Run: [TPTRAY] => C:\Program Files\ThinkPad\Utilities\TP98TRAY.EXE [48128 2002-03-26] (IBM Corp.)
HKLM\...\Run: [BMMGAG] => RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
HKLM\...\Run: [QCTRAY] => C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE [491520 2002-07-15] ()
HKLM\...\Run: [QCWLICON] => C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE [49152 2002-07-15] ()
HKLM\...\Run: [TP4EX] => C:\WINDOWS\system32\tp4ex.exe [40960 2002-02-22] (IBM Corporation)
HKLM\...\Run: [TPHOTKEY] => C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe [69632 2002-05-30] ()
HKLM\...\Run: [UC_SMB] => [X]
HKLM\...\Run: [Tgcmd] => C:\Program Files\Support.com\bin\tgcmd.exe [1519616 2001-11-07] (Support.com, Inc.)
HKLM\...\Run: [AGRSMMSG] => C:\WINDOWS\AGRSMMSG.exe [88363 2003-06-27] (Agere Systems)
HKLM\...\Run: [NeroCheck] => C:\WINDOWS\system32\\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2009-10-03] (Adobe Systems Incorporated)
HKLM\...\Run: [AVG9_TRAY] => C:\Program Files\AVG\AVG9\avgtray.exe [2077536 2012-01-26] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [935288 2009-09-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
Winlogon\Notify\avgrsstarter: C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-247674877-3848448594-3852255402-1004\...\Run: [updateMgr] => "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
HKU\S-1-5-21-247674877-3848448594-3852255402-1004\...\MountPoints2: {9e452150-6d2a-11dd-b2de-0018e7297566} - E:\LaunchU3.exe -a
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
ShortcutTarget: Microsoft Find Fast.lnk -> C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.15.lnk
ShortcutTarget: Wireless Configuration Utility HW.15.lnk -> C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe ()
Startup: C:\Documents and Settings\IBM\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk
ShortcutTarget: Microsoft Office Fast Start.lnk -> C:\MSOffice\Office\FASTBOOT.EXE ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents/Links_07.htm
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
SearchScopes: HKCU - DefaultScope {2737D436-02AF-442D-87F4-70874E2A19E8} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
SearchScopes: HKCU - {2737D436-02AF-442D-87F4-70874E2A19E8} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer211.dll (Copernic Technologies Inc.)
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite....x/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab
DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsu...?1166184064923
DPF: {74FFE28D-2378-11D5-990C-006094235084} https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/...Uploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab
DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} https://www-307.ibm.com/pc/support/a...AcpControl.cab
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default
FF Homepage: file:///C:/Documents/Links_07.htm
FF NetworkProxy: "no_proxies_on", "localhost,127.0.0.1"
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npnul32.dll (mozilla.org)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
FF Extension: British English Dictionary - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\en-GB@dictionaries.addons.mozilla.org [2010-12-10]
FF Extension: external IP - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\externalip@erik.morlin [2010-01-25]
FF Extension: printpdf - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\printpdf@pavlov.net [2010-08-10]
FF Extension: YouTube Unblocker - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\youtubeunblocker@unblocker.yt [2013-06-09]
FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-04-28]
FF Extension: Media Converter - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18} [2009-04-07]
FF Extension: DownloadHelper - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-03-25]
FF Extension: RightToClick - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e} [2012-01-23]
FF Extension: Adblock Plus - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2012-01-06]
FF Extension: Block site - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2013-08-12]
FF Extension: DownThemAll! - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8} [2013-04-03]
FF Extension: Web2PDF converter - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{e8f509f0-b677-11de-8a39-0800200c9a66} [2011-07-07]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [2009-03-06]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [2009-04-01]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2009-06-10]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [2009-08-04]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [2009-11-04]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-04-15]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [2010-08-14]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2010-10-15]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2011-01-15]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [2011-02-16]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-06-15]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-20]
FF HKLM\...\Firefox\Extensions: [{3f963a5b-e555-4543-90e2-c3908898db71}] - C:\Program Files\AVG\AVG9\Firefox
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG9\Firefox [2009-11-05]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-22]

Chrome:
=======
CHR HomePage: Default -> file:///C:/Documents/Links_07.htm
CHR StartupUrls: Default -> "file:///C:/Documents/Links_07.htm"
CHR Profile: C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2012-12-12]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (YouTube) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-12-12]
CHR Extension: (Google Search) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-12-12]
CHR Extension: (Google Wallet) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]
CHR Extension: (Adblock Pro) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ocifcklkibdehekfnmflempfgjhbedch [2014-01-19]
CHR Extension: (Gmail) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-12-12]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

Locked "13c0aa386e2175ba" service could not be unlocked. <===== ATTENTION

R2 Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [131072 2002-06-12] ()
R2 avg9emc; C:\Program Files\AVG\AVG9\avgemc.exe [921952 2010-07-21] (AVG Technologies CZ, s.r.o.)
R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-07-21] (AVG Technologies CZ, s.r.o.)
R2 IBMPMSVC; C:\WINDOWS\system32\ibmpmsvc.exe [57344 2003-07-03] ()
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-18] (Oracle Corporation)
R2 QCONSVC; C:\WINDOWS\System32\QCONSVC.EXE [40960 2002-07-15] () [File not signed]
S4 NMIndexingService; "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21419 2007-10-22] (Meetinghouse Data Communications) [File not signed]
R1 AvgLdx86; C:\WINDOWS\System32\Drivers\avgldx86.sys [226016 2013-01-15] (AVG Technologies CZ, s.r.o.)
S1 AvgMfx86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [29712 2011-09-13] (AVG Technologies CZ, s.r.o.)
R1 AvgTdiX; C:\WINDOWS\System32\Drivers\avgtdix.sys [243152 2011-05-06] (AVG Technologies CZ, s.r.o.)
R1 DSMBATT; C:\WINDOWS\System32\drivers\DSMBATT.SYS [9888 2002-04-05] () [File not signed]
R2 EGATHDRV; C:\WINDOWS\system32\EGATHDRV.SYS [11712 2006-06-29] (IBM Corporation)
R3 IBMPMDRV; C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys [11344 2003-07-03] (IBM Corp.)
R1 IBMTPCHK; C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2295 2002-07-15] () [File not signed]
R2 PMEM; C:\WINDOWS\system32\drivers\PMEMNT.SYS [7012 2001-09-13] (Microsoft Corporation) [File not signed]
R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
R3 rtl8185; C:\WINDOWS\System32\DRIVERS\rtl8185.sys [306304 2007-01-29] (Realtek Semiconductor Corporation ) [File not signed]
R1 Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [13824 2002-03-26] (Microsoft Corporation) [File not signed]
R1 TDSMAPI; C:\WINDOWS\System32\Drivers\TDSMAPI.SYS [7168 2002-03-26] () [File not signed]
R3 Tp4Track; C:\WINDOWS\System32\DRIVERS\tp4track.sys [14175 2002-03-20] (IBM Corporation)
R1 TPHKDRV; C:\WINDOWS\system32\Drivers\TPHKDRV.sys [11550 2002-01-28] (IBM Corporation) [File not signed]
R1 TPPWR; C:\WINDOWS\System32\drivers\Tppwr.sys [12288 2002-03-26] (IBM Corp.) [File not signed]
R1 TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [7168 2002-03-26] () [File not signed]
U5 13c0aa386e2175ba; C:\Windows\System32\Drivers\13c0aa386e2175ba.sys [70528 2014-11-13] () <===== ATTENTION Necurs Rootkit?
S4 hpt3xx; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S3 SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-14 15:33 - 2014-11-14 15:34 - 00019360 _____ () C:\Documents and Settings\IBM\Desktop\FRST.txt
2014-11-14 15:33 - 2014-11-14 15:34 - 00000000 ____D () C:\FRST
2014-11-14 15:28 - 2014-11-14 15:28 - 00000000 ____D () C:\RegBackup
2014-11-14 15:26 - 2014-11-14 15:26 - 00001887 _____ () C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
2014-11-14 15:26 - 2014-11-14 15:26 - 00000000 ____D () C:\Program Files\Tweaking.com
2014-11-14 15:26 - 2014-11-14 15:26 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
2014-11-14 15:15 - 2014-11-14 15:15 - 05198336 _____ (AVAST Software) C:\Documents and Settings\IBM\Desktop\aswMBR.exe
2014-11-14 15:15 - 2014-11-14 15:15 - 01108480 _____ (Farbar) C:\Documents and Settings\IBM\Desktop\FRST.exe
2014-11-14 15:14 - 2014-11-14 15:14 - 04215584 _____ () C:\Documents and Settings\IBM\Desktop\tweaking.com_registry_backup_setup.exe
2014-11-14 03:04 - 2014-11-14 03:04 - 00001434 _____ () C:\Documents and Settings\IBM\Desktop\mbam_scan.txt
2014-11-14 03:01 - 2014-11-14 03:01 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\46EE46CA.sys
2014-11-14 00:27 - 2014-11-14 00:27 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\34C750CB.sys
2014-11-13 20:19 - 2014-11-13 20:19 - 00070528 _____ () C:\WINDOWS\system32\Drivers\13c0aa386e2175ba.sys
2014-11-10 16:36 - 2014-11-10 16:36 - 00242592 _____ () C:\Documents and Settings\IBM\Desktop\separate+-0.5.7.zip
2014-10-24 23:32 - 2014-10-24 23:33 - 00000000 ____D () C:\Program Files\GUMF.tmp
2014-10-19 00:19 - 2014-11-13 00:45 - 00016896 _____ () C:\Documents and Settings\IBM\Desktop\2015 Tour.xls
2014-10-18 16:36 - 2014-10-18 16:36 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-10-18 16:35 - 2014-10-18 16:35 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
2014-10-18 16:35 - 2014-10-18 16:34 - 00272808 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
2014-10-18 16:35 - 2014-10-18 16:34 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
2014-10-18 16:35 - 2014-10-18 16:34 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
2014-10-18 16:35 - 2014-10-18 16:34 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2014-10-18 16:35 - 2014-10-18 16:34 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-14 15:34 - 2006-12-15 18:03 - 00000000 ____D () C:\Documents and Settings\IBM\Local Settings\Temp
2014-11-14 15:29 - 2010-01-14 11:19 - 00256041 _____ () C:\WINDOWS\setupapi.log
2014-11-14 15:28 - 2006-12-04 23:46 - 00000000 ____D () C:\WINDOWS\Registration
2014-11-14 15:28 - 2006-12-04 23:37 - 00000000 ____D () C:\WINDOWS\repair
2014-11-14 15:25 - 2009-11-15 02:09 - 00000000 _____ () C:\Documents and Settings\IBM\Local Settings\Application Data\prvlcl.dat
2014-11-14 15:20 - 2008-06-22 14:05 - 00000000 ____D () C:\WINDOWS\system32\Drivers\Avg
2014-11-14 15:11 - 2007-10-22 13:22 - 00007356 _____ () C:\WINDOWS\RTacDbg.txt
2014-11-14 15:08 - 2012-12-12 16:25 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-14 15:08 - 2006-12-04 23:50 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-11-14 15:08 - 2006-12-04 23:44 - 00000157 _____ () C:\WINDOWS\wiadebug.log
2014-11-14 15:08 - 2006-12-04 23:44 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-11-14 15:08 - 1980-01-01 08:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
2014-11-14 03:17 - 2006-12-15 19:17 - 01076008 _____ () C:\WINDOWS\WindowsUpdate.log
2014-11-14 03:17 - 2006-12-15 18:03 - 00000178 ___SH () C:\Documents and Settings\IBM\ntuser.ini
2014-11-14 03:17 - 2006-12-05 00:15 - 00031988 _____ () C:\WINDOWS\SchedLgU.Txt
2014-11-14 03:13 - 2006-12-05 00:21 - 00000314 _____ () C:\WINDOWS\Tasks\BMMTask.job
2014-11-14 02:43 - 2012-12-12 16:25 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-14 01:34 - 2012-01-11 17:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2646524$
2014-11-13 20:25 - 2014-08-06 14:25 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2014-11-13 20:24 - 2014-08-06 14:24 - 00000788 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-13 20:24 - 2014-08-06 14:24 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-13 20:24 - 2014-08-06 14:24 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-13 02:15 - 2007-12-02 16:46 - 00000551 _____ () C:\WINDOWS\IBM.xlb
2014-11-08 18:23 - 2013-06-02 14:26 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\Derbyshire Heritage Walks
2014-11-08 00:12 - 2010-07-30 07:13 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\Desktop cleanup
2014-11-08 00:11 - 2014-08-17 12:54 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\2014
2014-10-27 15:49 - 2007-09-24 10:58 - 00131584 _____ () C:\Documents and Settings\IBM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-10-26 13:54 - 2006-12-04 23:40 - 00509652 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-10-25 22:40 - 2010-07-30 07:51 - 00000000 ____D () C:\Documents and Settings\IBM\Application Data\vlc
2014-10-25 21:53 - 2011-01-14 01:00 - 00000000 ____D () C:\Documents and Settings\IBM\Application Data\dvdcss
2014-10-18 16:34 - 2007-09-24 13:27 - 00000000 ____D () C:\Program Files\Java

Some content of TEMP:
====================
C:\Documents and Settings\Administrator\Local Settings\Temp\hhupd.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ntfsfix.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Shockwave_Installer_Full-8-5.exe
C:\Documents and Settings\Default User\Local Settings\Temp\hhupd.exe
C:\Documents and Settings\Default User\Local Settings\Temp\ntfsfix.exe
C:\Documents and Settings\Default User\Local Settings\Temp\Shockwave_Installer_Full-8-5.exe
C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u65-windows-i586-iftw.exe
C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
C:\Documents and Settings\IBM\Local Settings\Temp\{1ACB7F4D-5850-43BD-917E-D317FFF39891}-37.0.2062.124_37.0.2062.120_chrome_updater.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-11-2014 01
Ran by IBM at 2014-11-14 15:36:08
Running from C:\Documents and Settings\IBM\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG Anti-Virus Free (Disabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

802.11g Wireless Adapter HW.15 V.1.00 (HKLM\...\InstallShield_{F266A90C-3F4A-4F65-9901-3DBBB0D77D80}) (Version: 1.00.0000 - )
802.11g Wireless Adapter HW.15 V.1.00 (Version: 1.00.0000 - ) Hidden
Access ThinkPad (HKLM\...\{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}) (Version: 3.5 - IBM Corporation)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.6.602.180 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.44 - Adobe Systems Incorporated)
Adobe Reader 8.1.7 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A81300000003}) (Version: 8.1.7 - Adobe Systems Incorporated)
Agere Systems AC'97 Modem (HKLM\...\Agere Systems Soft Modem) (Version: 2.1.31 - )
ArcSoft PhotoStudio 5 (HKLM\...\{03F1CC67-5BD8-4C36-8394-76311B2AE69A}) (Version: - )
ATI Display Driver (HKLM\...\ATI Display Driver) (Version: - )
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version: - )
AVG Free 9.0 (HKLM\...\AVG9Uninstall) (Version: - AVG Technologies)
Bullzip PDF Printer 10.3.0.2191 (HKLM\...\Bullzip PDF Printer_is1) (Version: 10.3.0.2191 - Bullzip)
Canon CanoScan Toolbox 4.1 (HKLM\...\{BCE46757-7674-4416-BEDB-68205A60409E}) (Version: - )
CanoScan LiDE20,30 Manual (HKLM\...\{B360A8E5-C171-4AAE-9777-65B3CDB0072C}) (Version: - )
Critical Update for Windows Media Player 11 (KB959772) (HKLM\...\KB959772_WM11) (Version: - Microsoft Corporation)
dBpoweramp FLAC Codec (HKLM\...\dBpoweramp FLAC Codec) (Version: Release 10 (FLAC 1.2.0) - Illustrate)
dBpoweramp m4a Codec (HKLM\...\dBpoweramp m4a Codec) (Version: Release 9 - Illustrate)
dBpoweramp Music Converter (HKLM\...\dBpoweramp Music Converter) (Version: Release 12.3 - )
dBpoweramp Shorten Codec (HKLM\...\dBpoweramp Shorten Codec) (Version: - )
dBpoweramp Windows Media Audio 10 Codec (HKLM\...\dBpoweramp Windows Media Audio 10 Codec) (Version: - )
DOOM Collector's Edition (HKLM\...\DOOM Collector's Edition) (Version: - )
FileZilla (remove only) (HKLM\...\FileZilla) (Version: - )
FLV Player (HKLM\...\FLV Player2.0 ) (Version: 2.0 - Applian Technologies Inc.)
FLV Player 2.0 (build 25) (HKLM\...\FLV Player) (Version: 2.0 (build 25) - Martijn de Visser)
Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
IBM Access Connections (HKLM\...\{22B71A00-4DED-11D4-A5E5-0004AC564F43}) (Version: - )
IBM Rapid Restore PC Setup (HKLM\...\{3B7B3B4A-AF8C-4671-A92E-3E7E9ABCB22B}) (Version: 1.00.1100 - IBM Corporation)
IBM ThinkPad Access Support (HKLM\...\IBM Access Support) (Version: - )
IBM ThinkPad Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.25.01 - )
IBM TrackPoint Accessibility Features (HKLM\...\{EA664480-3844-11D5-8C25-444553540000}) (Version: - )
IBM TrackPoint Support (HKLM\...\TrackPoint) (Version: - )
Intel(R) PRO Ethernet Adapter and Software (HKLM\...\PROSet) (Version: - )
InterVideo WinDVD (HKLM\...\{C1939820-A945-11D4-86F6-0001031E5712}) (Version: - InterVideo Inc.)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
LightScribe 1.6.43.1 (Version: 1.6.43.1 - http://www.lightscribe.com) Hidden
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Excel 7.0 (HKLM\...\Excel) (Version: - )
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Word 97 (HKLM\...\Word8.0) (Version: - )
Mozilla Firefox (3.6.28) (HKLM\...\Mozilla Firefox (3.6.28)) (Version: 3.6.28 (en-US) - Mozilla)
MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
Nero - Burning Rom (HKLM\...\{A4D7B764-4140-11D4-88EB-0050DA3579C0}) (Version: 5.5.9 - ahead software gmbh)
Orange Siemens Router (HKLM\...\OrangeSiemens) (Version: - )
Orange Toolbar (HKLM\...\OrangeToolbarUK) (Version: 1.0 - France Telecom SA)
PhotoFinish® 4.1 (HKLM\...\pfinish41) (Version: - )
Replay Converter 3 (HKLM\...\Replay Converter 3) (Version: 3.20 - Applian Technologies Inc.)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
Support.com Software (HKLM\...\Support.com) (Version: - )
ThinkPad Configuration (HKLM\...\ThinkPad Configuration) (Version: - )
ThinkPad FullScreen Magnifier (HKLM\...\ThinkPad FullScreen Magnifier) (Version: - )
ThinkPad Software Installer (HKLM\...\ThinkPadSoftwareInstaller) (Version: - )
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 1.10.1 - Tweaking.com)
Uninstall PC-Doctor (HKLM\...\PC-Doctor) (Version: - )
VLC media player 1.0.1 (HKLM\...\VLC media player) (Version: 1.0.1 - VideoLAN Team)
WebFldrs XP (Version: 9.50.5318 - Microsoft Corporation) Hidden
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 7 (HKLM\...\ie7) (Version: 20061107.210142 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
Windows Rights Management Client Backwards Compatibility SP2 (HKLM\...\{EC905264-BCFE-423B-9C42-C3A106266790}) (Version: 5.2.70 - Microsoft)
Windows Rights Management Client with Service Pack 2 (HKLM\...\{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}) (Version: 5.2.70 - Microsoft)
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
xp-AntiSpy 3.92 (HKLM\...\xp-AntiSpy) (Version: 3.92 - Christian Taubenheim)
Xvid Video Codec (HKLM\...\Xvid Video Codec 1.3.2) (Version: 1.3.2 - Xvid Team)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

07-10-2014 22:22:27 System Checkpoint
10-10-2014 10:23:40 System Checkpoint
14-10-2014 16:56:13 System Checkpoint
17-10-2014 15:02:43 System Checkpoint
18-10-2014 16:32:57 Removed Java 7 Update 67
18-10-2014 16:34:15 Installed Java 7 Update 71
19-10-2014 17:18:02 System Checkpoint
21-10-2014 17:16:15 System Checkpoint
23-10-2014 17:02:34 System Checkpoint
25-10-2014 17:18:25 System Checkpoint
27-10-2014 18:08:20 System Checkpoint
28-10-2014 18:16:45 System Checkpoint
30-10-2014 18:02:37 System Checkpoint
02-11-2014 18:47:01 System Checkpoint
05-11-2014 14:49:57 Avg Update
06-11-2014 18:00:06 System Checkpoint
07-11-2014 18:44:35 System Checkpoint
11-11-2014 18:30:56 System Checkpoint
12-11-2014 18:35:17 System Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

1980-01-01 08:00 - 2014-05-29 16:41 - 00453965 ____R C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
127.0.0.1 132.com
127.0.0.1 www.136136.net
127.0.0.1 136136.net
127.0.0.1 www.139mm.com
127.0.0.1 139mm.com
127.0.0.1 www.163ns.com
127.0.0.1 163ns.com

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\BMMTask.job => C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

1980-01-01 08:00 - 2003-07-03 09:25 - 00057344 _____ () C:\WINDOWS\system32\ibmpmsvc.exe
1980-01-01 08:00 - 2002-06-12 21:27 - 00131072 _____ () C:\WINDOWS\System32\Ati2evxx.exe
2006-12-05 00:21 - 2002-07-15 10:20 - 00040960 _____ () C:\WINDOWS\System32\QCONSVC.EXE
1980-01-01 08:00 - 2002-03-20 11:05 - 00114688 _____ () C:\WINDOWS\system32\tp4uires.dll
2006-12-05 00:21 - 2002-07-15 10:20 - 00491520 _____ () C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
2006-12-05 00:21 - 2002-07-15 10:20 - 00376832 _____ () C:\Program Files\ThinkPad\ConnectUtilities\QCON.dll
2006-12-05 00:21 - 2002-07-15 10:20 - 00049152 _____ () C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
1980-01-01 08:00 - 2002-05-30 05:01 - 00069632 _____ () C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
1980-01-01 08:00 - 2001-11-14 01:16 - 00024576 _____ () C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll
2006-11-19 22:04 - 2006-11-19 22:04 - 00634880 _____ () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
2007-10-22 13:20 - 2006-11-19 22:02 - 00049152 _____ () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanDll.dll
2007-10-22 13:20 - 2006-07-29 03:05 - 00979035 _____ () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\acAuth.dll
1980-01-01 08:00 - 2008-04-14 00:11 - 00059904 _____ () C:\WINDOWS\System32\devenum.dll
1980-01-01 08:00 - 2008-04-14 00:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2014-10-28 19:45 - 2014-10-22 04:04 - 08910664 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\pdf.dll
2014-10-28 19:45 - 2014-10-22 04:04 - 01681224 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\ffmpegsumo.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-247674877-3848448594-3852255402-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
Guest (S-1-5-21-247674877-3848448594-3852255402-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-247674877-3848448594-3852255402-1003 - Limited - Disabled)
IBM (S-1-5-21-247674877-3848448594-3852255402-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\IBM
SUPPORT_388945a0 (S-1-5-21-247674877-3848448594-3852255402-1002 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/08/2014 07:42:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 38.0.2125.111, faulting module chrome.dll, version 38.0.2125.111, fault address 0x00007d42.
Processing media-specific event for [chrome.exe!ws!]

Error: (11/04/2014 05:56:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 38.0.2125.111, faulting module chrome.dll, version 38.0.2125.111, fault address 0x00007d42.
Processing media-specific event for [chrome.exe!ws!]

Error: (10/27/2014 03:49:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module avisplitter.ax, version 1.0.0.7, fault address 0x000234e8.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/20/2014 04:11:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 38.0.2125.104, faulting module chrome.dll, version 38.0.2125.104, fault address 0x00007d42.
Processing media-specific event for [chrome.exe!ws!]

Error: (10/19/2014 00:17:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 38.0.2125.104, faulting module chrome.dll, version 38.0.2125.104, fault address 0x00007d42.
Processing media-specific event for [chrome.exe!ws!]

Error: (10/04/2014 03:25:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 37.0.2062.124, faulting module chrome.dll, version 37.0.2062.124, fault address 0x00007f75.
Processing media-specific event for [chrome.exe!ws!]

Error: (09/23/2014 06:00:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 37.0.2062.120, faulting module chrome.dll, version 37.0.2062.120, fault address 0x00008ad8.
Processing media-specific event for [chrome.exe!ws!]

Error: (09/07/2014 03:30:18 PM) (Source: Application Error) (EventID: 1001) (User: )
Description: Fault bucket 478813462.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (09/07/2014 03:17:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 37.0.2062.103, faulting module chrome.dll, version 37.0.2062.103, fault address 0x002f07ed.
Processing media-specific event for [chrome.exe!ws!]

Error: (09/01/2014 11:33:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 36.0.1985.143, faulting module chrome.dll, version 36.0.1985.143, fault address 0x00007c31.
Processing media-specific event for [chrome.exe!ws!]


System errors:
=============
Error: (11/14/2014 03:11:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SjyPkt service failed to start due to the following error:
%%2

Error: (11/14/2014 03:08:39 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgMfx86

Error: (11/14/2014 02:59:20 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgMfx86

Error: (11/14/2014 02:53:58 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SjyPkt service failed to start due to the following error:
%%2

Error: (11/14/2014 01:36:07 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgMfx86

Error: (11/14/2014 00:23:56 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SjyPkt service failed to start due to the following error:
%%2

Error: (11/14/2014 00:23:53 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgMfx86

Error: (11/14/2014 00:18:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SjyPkt service failed to start due to the following error:
%%2

Error: (11/13/2014 08:36:54 PM) (Source: 0) (EventID: 1) (User: )
Description: \Device\ACPIEC

Error: (11/13/2014 08:19:57 PM) (Source: Service Control Manager) (EventID: 7028) (User: )
Description: The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.


Microsoft Office Sessions:
=========================
Error: (11/08/2014 07:42:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe38.0.2125.111chrome.dll38.0.2125.11100007d42

Error: (11/04/2014 05:56:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe38.0.2125.111chrome.dll38.0.2125.11100007d42

Error: (10/27/2014 03:49:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.0.2900.5512avisplitter.ax1.0.0.7000234e8

Error: (10/20/2014 04:11:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe38.0.2125.104chrome.dll38.0.2125.10400007d42

Error: (10/19/2014 00:17:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe38.0.2125.104chrome.dll38.0.2125.10400007d42

Error: (10/04/2014 03:25:32 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe37.0.2062.124chrome.dll37.0.2062.12400007f75

Error: (09/23/2014 06:00:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe37.0.2062.120chrome.dll37.0.2062.12000008ad8

Error: (09/07/2014 03:30:18 PM) (Source: Application Error) (EventID: 1001) (User: )
Description: 478813462

Error: (09/07/2014 03:17:35 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe37.0.2062.103chrome.dll37.0.2062.103002f07ed

Error: (09/01/2014 11:33:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe36.0.1985.143chrome.dll36.0.1985.14300007c31


==================== Memory info ===========================

Processor: Mobile Intel(R) Pentium(R) 4 - M CPU 1.70GHz
Percentage of memory in use: 50%
Total physical RAM: 1022.98 MB
Available physical RAM: 504.39 MB
Total Pagefile: 1311.25 MB
Available Pagefile: 555.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 1916.28 MB

==================== Drives ================================

Drive c: (IBM_PRELOAD) (Fixed) (Total:17.22 GB) (Free:1.17 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 18.6 GB) (Disk ID: A266A266)
Partition 1: (Active) - (Size=17.2 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1.4 GB) - (Type=1C)

==================== End Of Log ============================


aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2014-11-14 15:37:49
-----------------------------
15:37:49.903 OS Version: Windows 5.1.2600 Service Pack 3
15:37:49.903 Number of processors: 1 586 0x207
15:37:49.903 ComputerName: THINKPAD UserName: IBM
15:37:50.744 Initialze error C0000001 - driver not loaded
15:43:41.990 AVAST engine defs: 14111301
15:44:14.897 Service scanning
15:44:21.837 Service 13c0aa386e2175ba C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys **HIDDEN**
15:44:23.499 Service 13c0aa386e2175ba C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys **LOCKED**
15:45:21.953 Modules scanning
15:45:21.953 Disk 0 trace - called modules:
15:45:21.963
15:45:24.217 AVAST engine scan C:\WINDOWS
15:46:16.271 AVAST engine scan C:\WINDOWS\system32
15:51:00.610 AVAST engine scan C:\WINDOWS\system32\drivers
15:51:25.246 AVAST engine scan C:\Documents and Settings\IBM
16:11:53.502 AVAST engine scan C:\Documents and Settings\All Users
16:16:24.732 Scan finished successfully
16:17:03.818 The log file has been saved successfully to "C:\Documents and Settings\IBM\Desktop\aswMBR.txt"


Hope you can help with this one as, while it may be an old and fairly slow machine, it is by far the most reliable computer I've ever had!!
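As an added example (not part of the original post, and not code from the FRST or aswMBR tools), here is a small Python triage script that parses the two log formats shown above: the aswMBR service-scan lines, where a `**HIDDEN**` / `**LOCKED**` service with a random-looking hex driver name is the first thing an analyst would pull out, and the FRST "System errors" section, where repeated Service Control Manager events 7000 and 7026 show which services and boot-start drivers are failing. The sample input is constructed from the log excerpts in the post; the "looks random" check is my own heuristic, not something either tool reports; the mapping of `%%2` to Win32 error 2 (ERROR_FILE_NOT_FOUND, "The system cannot find the file specified") is the standard Windows meaning of that code.

```python
import re

# Constructed sample input, copied from the log excerpts in the post above.
ASWMBR_SAMPLE = """\
15:44:14.897 Service scanning
15:44:21.837 Service 13c0aa386e2175ba C:\\WINDOWS\\System32\\Drivers\\13c0aa386e2175ba.sys **HIDDEN**
15:44:23.499 Service 13c0aa386e2175ba C:\\WINDOWS\\System32\\Drivers\\13c0aa386e2175ba.sys **LOCKED**
15:45:21.953 Modules scanning
"""

FRST_SYSTEM_ERRORS_SAMPLE = """\
Error: (11/14/2014 03:11:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SjyPkt service failed to start due to the following error:
%%2

Error: (11/14/2014 03:08:39 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AvgMfx86

Error: (11/13/2014 08:19:57 PM) (Source: Service Control Manager) (EventID: 7028) (User: )
Description: The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
"""

# aswMBR "Service <name> <path> **FLAG**" lines; plain "Service scanning" does not match.
ASWMBR_SERVICE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) Service (?P<name>\S+) (?P<path>.+?) \*\*(?P<flag>HIDDEN|LOCKED)\*\*$"
)
# FRST event header line inside the "Event log errors" section.
FRST_EVENT_RE = re.compile(
    r"^Error: \((?P<ts>[^)]+)\) \(Source: (?P<source>[^)]*)\) \(EventID: (?P<id>\d+)\) \(User: (?P<user>[^)]*)\)$"
)
# Heuristic of mine: a bare 16-char lowercase-hex name with no vendor prefix looks generated.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16}$")
# Win32 error codes that FRST shows as %%N; only the one seen in the post is mapped here.
WIN32_ERRORS = {2: "The system cannot find the file specified (ERROR_FILE_NOT_FOUND)"}


def parse_aswmbr_services(text):
    """Collect flagged services: {name: {"path": str, "flags": set()}}."""
    found = {}
    for line in text.splitlines():
        m = ASWMBR_SERVICE_RE.match(line)
        if m:
            entry = found.setdefault(m["name"], {"path": m["path"], "flags": set()})
            entry["flags"].add(m["flag"])
    return found


def looks_random(name):
    return bool(HEX_NAME_RE.match(name))


def parse_frst_events(text):
    """Split the FRST error section into events: header fields, description, extra lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = FRST_EVENT_RE.match(lines[0])
        if not m:
            continue
        desc = ""
        if len(lines) > 1 and lines[1].startswith("Description: "):
            desc = lines[1][len("Description: "):]
        events.append({"ts": m["ts"], "source": m["source"], "id": int(m["id"]),
                       "desc": desc, "extra": [x.strip() for x in lines[2:] if x.strip()]})
    return events


def scm_findings(events):
    """Turn Service Control Manager events into (kind, object, win32_code) tuples."""
    findings = []
    for e in events:
        if e["source"] != "Service Control Manager":
            continue
        if e["id"] == 7000:  # service failed to start; the %%N line carries the error code
            svc = re.match(r"The (\S+) service failed to start", e["desc"])
            code = next((int(x[2:]) for x in e["extra"] if re.match(r"^%%\d+$", x)), None)
            findings.append(("service_start_failed", svc.group(1) if svc else "?", code))
        elif e["id"] == 7026:  # boot/system-start drivers that did not load, one per extra line
            for drv in e["extra"]:
                findings.append(("boot_driver_failed", drv, None))
        elif e["id"] == 7028:  # SCM had to take ownership of a service registry key
            key = re.match(r"The (\S+) Registry key denied access", e["desc"])
            findings.append(("service_key_acl_reset", key.group(1) if key else "?", None))
    return findings


def triage(aswmbr_text, frst_text):
    """Summarise both logs into the indicators an analyst would look at first."""
    services = parse_aswmbr_services(aswmbr_text)
    suspicious = {n: s for n, s in services.items()
                  if "HIDDEN" in s["flags"] or looks_random(n)}
    findings = scm_findings(parse_frst_events(frst_text))
    return {"suspicious_services": suspicious, "scm_findings": findings}


if __name__ == "__main__":
    result = triage(ASWMBR_SAMPLE, FRST_SYSTEM_ERRORS_SAMPLE)
    for name, svc in result["suspicious_services"].items():
        print(f"suspicious service {name}: {svc['path']} flags={sorted(svc['flags'])} "
              f"random-looking={looks_random(name)}")
    for kind, obj, code in result["scm_findings"]:
        detail = WIN32_ERRORS.get(code, "") if code is not None else ""
        print(f"{kind}: {obj} {detail}".rstrip())
```

Run against the excerpts it reports one service that is both hidden and locked with a generated-looking name, SjyPkt failing to start because its file cannot be found, AvgMfx86 (by its name an AVG driver) failing to load at boot, and the SCM resetting the ACL on the wuauserv key; the aswMBR "Initialze error C0000001 - driver not loaded" line earlier in that log is a separate caveat, since it means aswMBR's own kernel driver did not load and its direct-disk checks could not run.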