
Thread: lotsss offfffffftroj

    #1 Member (Join Date: Jun 2007, Location: ankara/turkey, Posts: 91)

    lotsss offfffffftroj

    Hi, after I formatted my laptop, I have been deleting malicious stuff but they keep coming, and my Mozilla Firefox is ruined!
    I think I am heavily infected with trojans, malware, hijackers, tons of stuff. For the last 2 days I have been using the programs
    Malwarebytes Anti-Malware and SUPERAntiSpyware, CCleaner, Spybot, etc.

    I did back up my registry with Tweaking.com. BTW, I use Windows XP!! So I hope that isn't a problem for my registry backup.

    I downloaded Farbar, but by mistake I didn't run it on my desktop but ran it from inside my Documents folder!!
    And the aswMBR log is too short. After it updated the Avast virus definitions, did it scan so fast?
    I don't know, maybe I did something wrong. Here is the first log. Please help! BTW, all my logs didn't fit in here and crash my Opera browser!!!
    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2017-04-12 22:24:11
    -----------------------------
    22:24:11.782 OS Version: Windows 5.1.2600 Service Pack 3
    22:24:11.782 Number of processors: 1 586 0xD08
    22:24:11.792 ComputerName: PC UserName:
    22:24:12.143 Initialize success
    22:24:12.173 VM: initialized successfully
    22:24:12.173 VM: Intel CPU virtualization not supported
    22:35:10.900 AVAST engine defs: 17030301
    22:35:44.919 The log file has been saved successfully to "C:\Documents and Settings\ozg\Desktop\aswMBR.txt"

    #2 Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Quote (from #1): i downloaded the Farbar, but by mistake i didnt run it on my desktop but run it from inside my documents folder !!
    Can you go to your Documents folder and locate FRST.txt & Addition.txt?
    If you can, try to copy and paste each one into this topic, or you can try to attach each file in your next post.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

    #3 Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Let me know if you have any error messages.

    #4 Member (Join Date: Jun 2007, Location: ankara/turkey, Posts: 91)

    oh sorry

    Now I tried to attach it but it doesn't let me attach it. It says it exceeds the limit!!
    What shall I do?
    Thanks

    #5 Member (Join Date: Jun 2007, Location: ankara/turkey, Posts: 91)

    tried again

    When I try to copy-paste FRST, it gives an error saying: "413 Request Entity Too Large"
    because it's like 500 KB but the limit is 50 KB or something.
    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
    Ran by ozg (12-04-2017 22:17:17)
    Running from C:\Documents and Settings\ozg\My Documents
    Microsoft Windows XP Professional Service Pack 3 (X86) (2017-04-11 18:41:16)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-1214440339-1343024091-1202660629-500 - Administrator - Enabled)
    Guest (S-1-5-21-1214440339-1343024091-1202660629-501 - Limited - Disabled)
    HelpAssistant (S-1-5-21-1214440339-1343024091-1202660629-1000 - Limited - Disabled)
    ozg (S-1-5-21-1214440339-1343024091-1202660629-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\ozg
    SUPPORT_388945a0 (S-1-5-21-1214440339-1343024091-1202660629-1002 - Limited - Disabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)


    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    µTorrent (HKU\S-1-5-21-1214440339-1343024091-1202660629-1003\...\uTorrent) (Version: 3.5.0.43580 - BitTorrent Inc.)
    1.0.0.1 (HKLM\...\YeaDesktop) (Version: 1.0.0.1 - )
    7-Zip 16.04 (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
    Adobe Flash Player 25 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 25.0.0.148 - Adobe Systems Incorporated)
    AIDA64 Engineer v4.30 (HKLM\...\AIDA64 Engineer_is1) (Version: 4.30 - FinalWire Ltd.)
    Alarmlı Sayısal Saat Kaldır (HKLM\...\Alarmli Sayisal Saat 2.11) (Version: - )
    ATI - Yazılım Kaldır Yardımcı Programı (HKLM\...\All ATI Software) (Version: 6.14.10.1012 - )
    ATI Catalyst Control Center (HKLM\...\{C18F4235-BF97-4284-8318-7EFF20B0D07B}) (Version: 1.2.2044.226 - )
    ATI Display Driver (HKLM\...\ATI Display Driver) (Version: 8.162-050803a2-025790C-NEC CI - )
    Autorun Virus Remover 3.2 (HKLM\...\Autorun Virus Remover_is1) (Version: - Autorun Remover)
    Barbarian Invasion (HKLM\...\{FD69C8CB-6964-432C-98AB-A5A09ED50EEA}) (Version: 1.4 - )
    BrainWave Generator (HKLM\...\BrainWave Generator) (Version: - )
    CCleaner (HKLM\...\CCleaner) (Version: 5.28 - Piriform)
    CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.0.024.439 - CDBurnerXP)
    ChessBase Reader (HKLM\...\{9664C520-5725-4885-B286-A4EC43A6B738}) (Version: 12.32.0.0 - ChessBase)
    ConvertHelper 2.2 (HKLM\...\{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1) (Version: - DownloadHelper)
    EB Documentation 1.1 (HKLM\...\EB Documentation_is1) (Version: - Europa Barbarorum)
    EB Trivial Script 0.125 (HKLM\...\EB Trivial Script_is1) (Version: - EuropaBarbarorum)
    Europa Barbarorum 1.1 (HKLM\...\{9BCAC864-84C0-409F-8D12-364109622D18}_is1) (Version: - Europa Barbarorum)
    Europa Barbarorum 1.2 (HKLM\...\{AD3E68F5-D141-49C0-B002-28B48030B902}_is1) (Version: - Europa Barbarorum)
    Foxit Cloud (HKLM\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 1.3.99.311 - Foxit Corporation)
    Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 6.2.0.429 - Foxit Corporation)
    GOM Player (HKLM\...\GOM Player) (Version: 2.2.77.5240 - Gretech Corporation)
    HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.18.284 - SurfRight B.V.)
    initialsite123 - Uninstall (HKLM\...\{4383DD91-4E0D-4C2C-9D78-96DA4E7753E5}) (Version: - ) <==== ATTENTION
    Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
    KMPlayer (remove only) (HKLM\...\The KMPlayer) (Version: 4.0.5.3 - PandoraTV)
    Logitech SetPoint 6.65 (HKLM\...\sp6) (Version: 6.65.62 - Logitech)
    Malwarebytes Anti-Malware version 2.0.1.1004 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.1.1004 - Malwarebytes Corporation)
    Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
    Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
    Microsoft Office Excel Viewer (HKLM\...\{95120000-003F-041F-0000-0000000FF1CE}) (Version: 12.0.6334.5000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Mozilla Firefox 52.0.2 ESR (x86 tr) (HKLM\...\Mozilla Firefox 52.0.2 ESR (x86 tr)) (Version: 52.0.2 - Mozilla)
    Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.0.2 - Mozilla)
    OpenOffice 4.1.1 (HKLM\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
    Opera Stable 36.0.2130.80 (HKLM\...\Opera 36.0.2130.80) (Version: 36.0.2130.80 - Opera Software)
    PlayChess (HKLM\...\PlayChess) (Version: - ChessBase GmbH)
    Potplayer (HKLM\...\PotPlayer) (Version: - Kakao Corp.)
    PowerISO (HKLM\...\PowerISO) (Version: 6.8 - Power Software Ltd)
    REALTEK Gigabit and Fast Ethernet NIC Driver (HKLM\...\{94FB906A-CF42-4128-A509-D353026A607E}) (Version: 1.70 - REALTEK Semiconductor Corp.)
    Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 1.87 - Realtek Semiconductor Corp.)
    Recruitment Viewer 0.9 (HKLM\...\Recruitment Viewer_is1) (Version: - EuropaBarbarorum)
    Rome - Total War(TM) (HKLM\...\InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}) (Version: 1.0 - Activision)
    Rome - Total War(TM) (Version: 1.0 - Activision) Hidden
    Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.3.39 - Safer-Networking Ltd.)
    SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1240 - SUPERAntiSpyware.com)
    Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 8.0.13.0 - Synaptics)
    Texas Instruments PCIxx21/x515 drivers. (HKLM\...\InstallShield_{406A5ABF-CA65-4E11-95C7-52228FE48F58}) (Version: 1.11.0000 - Texas Instruments Inc.)
    TIxx21 (Version: 1.11.0000 - Texas Instruments Inc.) Hidden
    Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.5.3 - Tweaking.com)
    VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
    WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
    Winamp (HKLM\...\Winamp) (Version: 5.666 - Nullsoft, Inc)
    Windows Driver Package - Intel (NETw4x32) net (09/26/2007 11.5.0.32) (HKLM\...\5D81FBED6E61194F43FF1556F43BD8309BA44634) (Version: 09/26/2007 11.5.0.32 - Intel)
    Windows Driver Package - Intel (w29n51) net (07/25/2007 9.0.4.37) (HKLM\...\EFD65E7CD7A28D00217941F33C5CA55964F96136) (Version: 07/25/2007 9.0.4.37 - Intel)
    Windows Driver Package - Intel net (09/26/2007 11.5.0.32) (HKLM\...\0BF49E9448DA0DFB69DB9D673379652AB9087171) (Version: 09/26/2007 11.5.0.32 - Intel)

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
    Task: C:\WINDOWS\Tasks\defrag.job => C:\WINDOWS\system32\defrag.exe
    Task: C:\WINDOWS\Tasks\Ghocacultreererle Renew.job => C:\Program Files\Aretther\zascult.exe
    Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1491967284.job => C:\Program Files\Opera\launcher.exe
    Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
    Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION

    Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Europa Barbarorum\Validate Install.lnk -> D:\Program Files\Activision\Rome - Total War\validateInstall.bat ()
    Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\Europa Barbarorum\Validate Installation.lnk -> D:\Program Files\Activision\Rome - Total War\validateInstall.bat ()
    Shortcut: C:\Documents and Settings\All Users\Start Menu\Programs\AutorunRemover\AutorunRemover on the Web.lnk -> hxxp://www.autorunremover.com

    ShortcutWithArgument: C:\Documents and Settings\ozg\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Documents and Settings\ozg\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/

    ==================== Loaded Modules (Whitelisted) ==============

    2017-04-12 20:34 - 2017-04-12 20:34 - 00129024 _____ () C:\Documents and Settings\ozg\Application Data\Rersertainthigert\Shehipyrmether.dll
    2005-04-19 19:02 - 2005-04-19 19:02 - 00069632 _____ () C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll
    2017-04-12 00:48 - 2014-04-25 14:11 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
    2017-04-12 00:48 - 2014-04-25 14:11 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
    2017-04-12 20:34 - 2017-04-12 20:34 - 00274432 _____ () C:\Program Files\Ghocacultreererle Renew\local32spl.dll
    2017-04-12 06:48 - 2008-03-09 11:20 - 00071096 _____ () C:\Program Files\CDBurnerXP\NMSAccessU.exe
    2017-04-12 00:48 - 2014-04-25 14:11 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
    2017-04-12 00:48 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
    2017-04-12 00:48 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
    2017-04-12 00:38 - 2013-03-28 17:27 - 01929216 _____ () C:\Program Files\AutorunRemover\AutorunRemover.exe
    2017-04-11 21:09 - 2017-04-11 21:09 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
    2017-04-12 06:23 - 2016-08-05 15:29 - 63846920 _____ () C:\Program Files\Opera\36.0.2130.80\opera.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2017-04-11 21:07 - 2017-04-12 20:53 - 00000798 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    127.0.0.1 localhost
    127.0.0.1 v1.ff.avast.com
    127.0.0.1 vlcproxy.ff.avast.com

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-1214440339-1343024091-1202660629-1003\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp
    DNS Servers: 192.168.2.1
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    MSCONFIG\startupfolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk => C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
    MSCONFIG\startupreg: Alcmtr => ALCMTR.EXE
    MSCONFIG\startupreg: ATICCC => "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
    MSCONFIG\startupreg: CTFMON.EXE => C:\WINDOWS\system32\ctfmon.exe
    MSCONFIG\startupreg: RTHDCPL => RTHDCPL.EXE
    MSCONFIG\startupreg: SDTray => "C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe"
    MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    MSCONFIG\startupreg: SynTPEnh => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    DomainProfile\AuthorizedApplications: [C:\Program Files\Winamp\winamp.exe] => Enabled:Winamp
    StandardProfile\AuthorizedApplications: [C:\Program Files\Winamp\winamp.exe] => Enabled:Winamp
    StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
    StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
    StandardProfile\AuthorizedApplications: [C:\Documents and Settings\ozg\Application Data\uTorrent\uTorrent.exe] => Enabled:μTorrent

    ==================== Restore Points =========================

    11-04-2017 21:45:11 System Checkpoint
    11-04-2017 22:52:35 REALTEK Gigabit and Fast Ethernet NIC Driver
    11-04-2017 22:53:39 Installed ATI Catalyst Control Center
    11-04-2017 23:01:17 Installed Realtek High Definition Audio Driver
    11-04-2017 23:03:45 Installed TIxx21
    11-04-2017 23:06:59 REALTEK Gigabit and Fast Ethernet NIC Driver
    12-04-2017 00:10:16 Installed Windows XP Wdf01009.
    12-04-2017 00:14:40 Installed DirectX
    12-04-2017 00:15:31 Microsoft Office Excel Viewer Yüklendi
    12-04-2017 00:20:08 Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    12-04-2017 00:21:20 Installed OpenOffice 4.1.1
    12-04-2017 00:22:57 Installed Windows Media Player 9 Series
    12-04-2017 00:47:19 Printer Driver Foxit Reader PDF Printer Driver Installed
    12-04-2017 01:14:50 Installed Java 7 Update 67
    12-04-2017 01:25:59 Removed Java 8 Update 25
    12-04-2017 04:58:46 Installed ChessBase Reader
    12-04-2017 06:49:59 Installed Rome - Total War(TM)
    12-04-2017 08:11:56 Installed Barbarian Invasion
    12-04-2017 08:15:27 Installed Rome - Total War - Barbarian Invasion - patch 1.6
    12-04-2017 19:43:15 HitmanPro Kontrol Noktası
    12-04-2017 19:43:38 HitmanPro Kontrol Noktası
    12-04-2017 20:02:22 HitmanPro Kontrol Noktası

    ==================== Faulty Device Manager Devices =============

    Name: Modem Device on High Definition Audio Bus
    Description: Modem Device on High Definition Audio Bus
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (04/12/2017 08:35:19 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: Hanging application kube.exe, version 1.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Error: (04/12/2017 08:35:13 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: Hanging application Bestziper.tmp, version 51.52.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Error: (04/12/2017 08:33:52 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application codecfixdivx.exe, version 0.0.0.0, faulting module shell32.dll, version 6.0.2900.6242, fault address 0x0002ecae.
    Processing media-specific event for [codecfixdivx.exe!ws!]

    Error: (04/12/2017 06:26:53 PM) (Source: Application Hang) (EventID: 1001) (User: )
    Description: Fault bucket 219665503.

    Error: (04/12/2017 06:26:39 PM) (Source: Application Hang) (EventID: 1002) (User: )
    Description: Hanging application SDUpdate.exe, version 2.3.39.94, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Error: (04/12/2017 06:20:52 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application icedragonsetup.exe, version 50.0.0.2, faulting module icedragonplugin.dll, version 0.0.0.0, fault address 0x00019ffc.
    Processing media-specific event for [icedragonsetup.exe!ws!]

    Error: (04/12/2017 12:31:46 AM) (Source: PerfNet) (EventID: 2004) (User: )
    Description: Unable to open the Server service. Server performance data
    will not be returned. Error code returned is in data DWORD 0.

    Error: (04/12/2017 12:31:45 AM) (Source: PerfNet) (EventID: 2004) (User: )
    Description: Unable to open the Server service. Server performance data
    will not be returned. Error code returned is in data DWORD 0.

    Error: (04/12/2017 12:16:37 AM) (Source: MsiInstaller) (EventID: 1023) (User: PC)
    Description: Product: Microsoft Office Excel Viewer - Update '{5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}' could not be installed. Error code 1642. Additional information is available in the log file C:\DOCUME~1\ozg\LOCALS~1\Temp\Microsoft Office Excel Viewer (0).log.

    Error: (04/12/2017 12:16:37 AM) (Source: MsiInstaller) (EventID: 1023) (User: PC)
    Description: Product: Microsoft Office Excel Viewer - Update '{47637B5E-81E0-4ECA-82F9-13FE9B204BE3}' could not be installed. Error code 1642. Additional information is available in the log file C:\DOCUME~1\ozg\LOCALS~1\Temp\Microsoft Office Excel Viewer (0).log.


    System errors:
    =============
    Error: (04/12/2017 09:27:22 PM) (Source: 0) (EventID: 1) (User: )
    Description: Event-ID 1

    Error: (04/12/2017 09:27:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Spybot-S&D 2 Security Center Service service failed to start due to the following error:
    Spybot-S&D 2 Security Center Service is not a valid Win32 application.

    Error: (04/12/2017 09:16:58 PM) (Source: 0) (EventID: 7) (User: )
    Description: Event-ID 7

    Error: (04/12/2017 08:39:02 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The NMSAccessU service terminated unexpectedly. It has done this 1 time(s).

    Error: (04/12/2017 08:37:49 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The HitmanPro Scheduler service terminated unexpectedly. It has done this 1 time(s).

    Error: (04/12/2017 08:37:44 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Windows Installer service terminated unexpectedly. It has done this 1 time(s).

    Error: (04/12/2017 07:51:28 PM) (Source: 0) (EventID: 7) (User: )
    Description: Event-ID 7

    Error: (04/12/2017 07:51:25 PM) (Source: 0) (EventID: 7) (User: )
    Description: Event-ID 7

    Error: (04/12/2017 07:51:23 PM) (Source: 0) (EventID: 7) (User: )
    Description: Event-ID 7

    Error: (04/12/2017 06:33:51 PM) (Source: 0) (EventID: 7) (User: )
    Description: Event-ID 7


    ==================== Memory info ===========================

    Processor: Intel(R) Pentium(R) M processor 1.86GHz
    Percentage of memory in use: 42%
    Total physical RAM: 2046.05 MB
    Available physical RAM: 1174.77 MB
    Total Virtual: 3938.68 MB
    Available Virtual: 3037.39 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:29.29 GB) (Free:18.95 GB) NTFS ==>[drive with boot components (Windows XP)]
    Drive d: () (Fixed) (Total:45.23 GB) (Free:39.7 GB) NTFS
    Drive f: (Salih_500) (Fixed) (Total:465.11 GB) (Free:9.9 GB) NTFS
    Drive g: (ROMETWBI) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 501C7C50)
    Partition 1: (Active) - (Size=29.3 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=45.2 GB) - (Type=OF Extended)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 465.1 GB) (Disk ID: 2FF82EFB)
    Partition 1: (Active) - (Size=465.1 GB) - (Type=07 NTFS)

    ==================== End of Addition.txt ============================

    #6 Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Quote (from #5): when i try to copy paste FRST.it gives an error saying
    Did you try to attach the file?

    Let's proceed.

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 6 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.



    After you run the tool do not reboot, just continue with the fix.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please go to add remove programs, uninstall/delete the below
    initialsite123 - Uninstall (HKLM\...\{4383DD91-4E0D-4C2C-9D78-96DA4E7753E5}) (Version: - ) <==== ATTENTION

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Running from C:\Documents and Settings\ozg\My Documents

    It's best we move Farbar's to desktop.

    Please go to your My Documents folder, locate Farbar Recovery Scan Tool, right click and select CUT
    Go to an open spot on your desktop, right click and select PASTE
    You should now have Farbar Recovery Scan Tool on your desktop.

    ~~~~~~~~~~~~~~~~~~~`
    Please open Notepad (*Do not use WordPad* or any text editor other than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    Or use this method: press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
    Type Notepad and click the OK key.

    To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).



    start
    CreateRestorePoint:
    CloseProcesses:
    Task: C:\WINDOWS\Tasks\Ghocacultreererle Renew.job => C:\Program Files\Aretther\zascult.exe
    C:\Program Files\Aretther\zascult.exe
    WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
    ShortcutWithArgument: C:\Documents and Settings\ozg\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Documents and Settings\ozg\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: bitsadmin /reset /allusers
    EmptyTemp:
    Hosts:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
      In order to use AdwCleaner, you have to agree to the EULA:
    • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
    • Click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Zemana AntiMalware Free

    download it from here:


    Double-click on the file named “Zemana.AntiMalware.Portable” to perform a system scan with Zemana AntiMalware Free.


    You may be presented with a User Account Control dialog asking you if you want to run this program. If this happens, you should click “Yes” to allow Zemana AntiMalware to run.

    When Zemana AntiMalware starts, click on the “Scan” button to perform a system scan.
    without changing any options, press Scan


    When Zemana has finished scanning, it will show a screen that displays any malware that has been detected. To remove all the malicious files, click on the "Next" button.

    Zemana AntiMalware will now start to remove all the malicious programs from your computer.

    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
    • open Zemana AntiMalware again and locate the latest report
    • please paste the contents into your reply


    When the process is complete, you can close Zemana AntiMalware
    ~~~~~~~~~~~~~~~~~~~~~`

    Please post:
    fixlist.txt
    AdwCleaner[C1].txt
    Zemana AntiMalware
    ~~
    Now if you can, can you try to either copy and paste the FRST log into your next reply or can you try to attach it in your next reply.
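As an added example (not part of this thread, not FRST's own code), the following Python script triages the Addition.txt format posted in #5 the way Juliet did by hand in #6: it pulls out FRST's ATTENTION markers, the WMI consumer, shortcuts whose argument is a URL, loaded modules with no publisher under the user profile, and hosts overrides of non-localhost names, then drafts a fixlist skeleton for an analyst to review. The log excerpt is constructed from lines shown in this thread; the "Scheduled Tasks" header is assumed since the posted log omits it.

```python
import re
from collections import namedtuple

# Constructed excerpt of an FRST Addition.txt, assembled from lines shown in this
# thread; the "Scheduled Tasks" header is assumed (the posted log omits it).
SAMPLE_LOG = r"""
==================== Installed Programs ======================
7-Zip 16.04 (HKLM\...\7-Zip) (Version: 16.04 - Igor Pavlov)
initialsite123 - Uninstall (HKLM\...\{4383DD91-4E0D-4C2C-9D78-96DA4E7753E5}) (Version: - ) <==== ATTENTION
==================== Scheduled Tasks (Whitelisted) =============
Task: C:\WINDOWS\Tasks\defrag.job => C:\WINDOWS\system32\defrag.exe
Task: C:\WINDOWS\Tasks\Ghocacultreererle Renew.job => C:\Program Files\Aretther\zascult.exe
==================== Shortcuts =============================
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
==================== Loaded Modules (Whitelisted) ==============
2017-04-12 20:34 - 2017-04-12 20:34 - 00129024 _____ () C:\Documents and Settings\ozg\Application Data\Rersertainthigert\Shehipyrmether.dll
2005-04-19 19:02 - 2005-04-19 19:02 - 00069632 _____ () C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll
==================== Hosts content: ==========================
127.0.0.1 localhost
127.0.0.1 v1.ff.avast.com
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+$")
ATTENTION_RE = re.compile(r"<=+\s*ATTENTION")            # FRST's own known-bad flag
TASK_RE = re.compile(r"^Task: (?P<job>.+\.job) => (?P<target>.+)$")
SHORTCUT_RE = re.compile(r"^ShortcutWithArgument: .+ -> (?P<arg>hxxps?://\S+)$")
MODULE_RE = re.compile(                                   # "()" = no publisher string
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ [_A-Za-z]+ \(\) (?P<path>.+)$")
HOSTS_RE = re.compile(r"^(?:127\.0\.0\.1|0\.0\.0\.0|::1)\s+(?P<host>\S+)$")
USER_PROFILE_MARKERS = ("\\Documents and Settings\\", "\\Users\\")

Finding = namedtuple("Finding", "kind section line")


def triage(log_text):
    """Walk an Addition.txt-style log and return the entries an analyst should look at."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec["name"].rstrip(":")
            continue
        if ATTENTION_RE.search(line):
            findings.append(Finding("attention", section, line))
        elif SHORTCUT_RE.match(line):          # browser shortcut launched with a URL argument
            findings.append(Finding("hijacked_shortcut", section, line))
        elif TASK_RE.match(line):              # every scheduled task, listed for manual review
            findings.append(Finding("task", section, line))
        else:
            mod = MODULE_RE.match(line)
            if mod and any(m in mod["path"] for m in USER_PROFILE_MARKERS):
                findings.append(Finding("unsigned_user_module", section, line))
            host = HOSTS_RE.match(line)
            if host and host["host"].lower() not in ("localhost", "localhost.localdomain"):
                findings.append(Finding("hosts_override", section, line))
    return findings


def draft_fixlist(findings):
    """Return (fixlist_lines, manual_uninstall) for an analyst to review before use.

    Per the notes FRST prints in its own log: a log line copied into fixlist.txt is
    moved/removed by the Fix button, a bare file path moves that file, and the
    "Hosts:" directive resets the hosts file. Installed-program entries cannot be
    removed this way, so they are returned separately for manual uninstall.
    """
    fixlist = ["start", "CreateRestorePoint:", "CloseProcesses:"]
    manual = []
    for f in findings:
        if f.kind == "attention":
            (manual if f.section == "Installed Programs" else fixlist).append(f.line)
        elif f.kind == "hijacked_shortcut":
            fixlist.append(f.line)
        elif f.kind == "unsigned_user_module":
            fixlist.append(MODULE_RE.match(f.line)["path"])
    if any(f.kind == "hosts_override" for f in findings):
        fixlist.append("Hosts:")
    fixlist += ["EmptyTemp:", "End"]
    return fixlist, manual


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] ({f.section}) {f.line}")
    fix, manual = draft_fixlist(found)
    print("\n--- draft fixlist.txt ---\n" + "\n".join(fix))
    print("\n--- uninstall manually ---\n" + "\n".join(manual))
```

Scheduled tasks are only listed, not put in the draft, because telling a legitimate updater job from a renewal job for an unknown binary is the analyst's call, as it was in #6.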

    #7 Member (Join Date: Jun 2007, Location: ankara/turkey, Posts: 91)

    neither attach nor copy paste FRST

    Yes, I tried attaching the file but it didn't work (and yes, I use only Notepad).
    I did install rkill.exe and ran it. Its log is on my desktop; do you need that?

    Step 2: I couldn't uninstall the initialsite123 thing. When I open my Add/Remove Programs and I
    choose it and click the Change/Remove button, nothing happens. (Here is my short guess, it may help: yesterday while I was installing a suspicious program it turned out to be a bundle of malware, because
    it opened cmd and suddenly I saw lots of .exe files in my Windows Task Manager, so I panicked and cut the installation process. I think that shitty stuff got partially installed! But I don't know what to do about it.)

    Step 3: I cut & pasted Farbar onto the desktop, created fixlist.txt and ran Fix. Here are my Fixlog.txt and AdwCleaner[C1].txt:
    Fix result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
    Ran by ozg (13-04-2017 21:40:26) Run:1
    Running from C:\Documents and Settings\ozg\Desktop
    Loaded Profiles: ozg (Available Profiles: ozg)
    Boot Mode: Normal

    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    Task: C:\WINDOWS\Tasks\Ghocacultreererle Renew.job => C:\Program Files\Aretther\zascult.exe
    C:\Program Files\Aretther\zascult.exe
    WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
    ShortcutWithArgument: C:\Documents and Settings\ozg\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Documents and Settings\ozg\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
    ShortcutWithArgument: C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://qtipr.com/
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: bitsadmin /reset /allusers
    EmptyTemp:
    Hosts:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    C:\WINDOWS\Tasks\Ghocacultreererle Renew.job => moved successfully
    C:\Program Files\Aretther\zascult.exe => moved successfully
    WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION => removed successfully.
    C:\Documents and Settings\ozg\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully..
    C:\Documents and Settings\ozg\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox (2).lnk => Shortcut argument removed successfully..
    C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully..

    ========= ipconfig /flushdns =========



    Windows IP Configuration



    Successfully flushed the DNS Resolver Cache.


    ========= End of CMD: =========


    ========= netsh winsock reset all =========


    Sucessfully reset the Winsock Catalog.
    You must restart the machine in order to complete the reset.


    ========= End of CMD: =========


    ========= netsh int ipv4 reset =========

    The following command was not found: int ipv4 reset.

    ========= End of CMD: =========


    ========= netsh int ipv6 reset =========

    IPv6 is not installed.


    ========= End of CMD: =========


    ========= bitsadmin /reset /allusers =========

    'bitsadmin' is not recognized as an internal or external command,
    operable program or batch file.

    ========= End of CMD: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    =========== EmptyTemp: ==========

    BITS transfer queue => 8878 B
    DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 210843 B
    Java, Flash, Steam htmlcache => 492 B
    Windows/system/dllcache/drivers => 1428422 B
    Edge => 0 B
    Chrome => 0 B
    Firefox => 95564272 B
    Opera => 26780351 B

    Temp, IE cache, history, cookies, recent:
    Documents and Settings => 0 B
    Default User => 66228 B
    All Users => 0 B
    systemprofile => 144834786 B
    LocalService => 692 B
    NetworkService => 66228 B
    ozg => 209271730 B

    RecycleBin => 2041 B
    EmptyTemp: => 456.1 MB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 21:41:17 ====

    # AdwCleaner v6.045 - Logfile created 13/04/2017 at 22:11:31
    # Updated on 28/03/2017 by Malwarebytes
    # Database : 2017-03-28.2 [Local]
    # Operating System : Microsoft Windows XP Service Pack 3 (X86)
    # Username : ozg - PC
    # Running from : C:\Documents and Settings\ozg\Desktop\AdwCleaner.exe
    # Mode: Clean
    # Support : https://www.malwarebytes.com/support



    ***** [ Services ] *****



    ***** [ Folders ] *****



    ***** [ Files ] *****



    ***** [ DLL ] *****



    ***** [ WMI ] *****



    ***** [ Shortcuts ] *****

    [-] Shortcut disinfected: C:\Documents and Settings\All Users\Start Menu\Microsoft Update Catalog.lnk


    ***** [ Scheduled Tasks ] *****



    ***** [ Registry ] *****

    [-] Key deleted: HKU\.DEFAULT\Software\jhdbca
    [-] Key deleted: HKU\.DEFAULT\Software\UpgSvr
    [-] Key deleted: HKU\S-1-5-21-1214440339-1343024091-1202660629-1003\Software\Installer
    [#] Key deleted on reboot: HKU\S-1-5-18\Software\jhdbca
    [#] Key deleted on reboot: HKU\S-1-5-18\Software\UpgSvr
    [#] Key deleted on reboot: HKCU\Software\Installer
    [-] Key deleted: HKLM\SOFTWARE\jhdbca


    ***** [ Web browsers ] *****



    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C0].txt - [1259 Bytes] - [13/04/2017 22:11:31]
    C:\AdwCleaner\AdwCleaner[S0].txt - [1535 Bytes] - [13/04/2017 22:05:11]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1405 Bytes] ##########

  8. #8
    Member
    Join Date
    Jun 2007
    Location
    ankara/turkey
    Posts
    91

    Default cont

    BTW, I downloaded Zemana AntiMalware, but the file name is "Zemana.AntiMalware.setup", so it doesn't contain the word "portable" as you say!
    Shall I run it anyway?

  9. #9
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Yes. If that one doesn't work, try the link below:

    http://dl12.zemana.com/AntiMalware/2...e.Portable.exe

  10. #10
    Member
    Join Date
    Jun 2007
    Location
    ankara/turkey
    Posts
    91

    Default yes, we are starting to make good progress

    OK. It cleaned some stuff. (And my CPU usage, which was stuck at 100% for the last hour, started to normalize! Now it's back to 5-16%. I think we are starting to make good progress!) Thanks.
    Fact 2: I did try to remove "the program" that I couldn't erase before (initialsite123 - Uninstall). Now when I clicked it, it said it's already uninstalled and removed it easily from my list. Thanks again.
    Now what shall I do about the FRST log that I couldn't send you?

    Here's the log:
    Zemana AntiMalware 2.72.2.388 (Installed)

    -------------------------------------------------------
    Scan Result : Completed
    Scan Date : 2017.4.13
    Operating System : Windows XP 32-bit
    Processor : 1X Intel(R) Pentium(R) M processor 1.86GHz
    BIOS Mode : Legacy
    CUID : 128E656003EAA19DBAB230
    Scan Type : System Scan
    Duration : 10m 44s
    Scanned Objects : 57154
    Detected Objects : 7
    Excluded Objects : 0
    Read Level : SCSI
    Auto Upload : Enabled
    Detect All Extensions : Disabled
    Scan Documents : Disabled
    Domain Info : WORKGROUP,0,2

    Detected Objects
    -------------------------------------------------------

    Shehipyrmether.dll
    Status : Scanned
    Object : %appdata%\rersertainthigert\shehipyrmether.dll
    MD5 : D2236A06B906A6A525F84071AC904AE2
    Publisher : -
    Size : 129024
    Version : -
    Detection : Adware:Win32/BrowserHijack.Gen
    Cleaning Action : Delete
    Related Objects :
    Registry Entry - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{0A767F30-1B4A-11E7-9EAE-64006A5CFC23} = C:\Documents and Settings\ozg\Application Data\Rersertainthigert\Shehipyrmether.dll
    File - %appdata%\rersertainthigert\shehipyrmether.dll
    DLL - 1676 - C:\WINDOWS\Explorer.EXE
    Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{0A767F30-1B4A-11E7-9EAE-64006A5CFC23}\InprocServer32\@ = C:\Documents and Settings\ozg\Application Data\Rersertainthigert\Shehipyrmether.dll

    local32spl.dll
    Status : Scanned
    Object : %programfiles%\ghocacultreererle renew\local32spl.dll
    MD5 : 2264013F87D1ECD1379991547A169E45
    Publisher : -
    Size : 274432
    Version : -
    Detection : Adware:Win32/BrowserHijack.Gen
    Cleaning Action : Quarantine
    Related Objects :
    File - %programfiles%\ghocacultreererle renew\local32spl.dll
    DLL - 1964 - C:\WINDOWS\system32\spoolsv.exe

    pbdpajcdgknpendpmecafmopknefafha
    Status : Scanned
    Object : NE->c:\documents and settings\ozg\application data\opera software\opera stable\extensions\pbdpajcdgknpendpmecafmopknefafha
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/FastSearch.OPR.A!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)

    buesppuccult.default
    Status : Scanned
    Object : NE->c:\documents and settings\ozg\application data\profiles\buesppuccult.default
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/Trotux.FakeProfile!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)

    shehipyrmether.dll
    Status : Scanned
    Object : NE->c:\documents and settings\ozg\application data\rersertainthigert\shehipyrmether.dll
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/Trotux.K!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)

    local32spl.dll
    Status : Scanned
    Object : NE->c:\program files\ghocacultreererle renew\local32spl.dll
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/ELEX.PA!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)

    local32spl.dll.ini
    Status : Scanned
    Object : NE->c:\program files\ghocacultreererle renew\local32spl.dll.ini
    MD5 : -
    Publisher : -
    Size : -
    Version : -
    Detection : Adware:Win32/ELEX.PB!Neng
    Cleaning Action : Quarantine
    Related Objects :
    (null) - (null)


    Cleaning Result
    -------------------------------------------------------
    Cleaned : 7
    Reported as safe : 0
    Failed : 0
