Rootkit related BSODs


6 replies to this topic

#1 i4004 (Full Member, 7 posts)

Posted 01 November 2016 - 01:37 PM

peculiar case, worth documenting:


out of nowhere, i got STOP: c000021a {Fatal system error} Windows subsystem system process terminated unexpectedly with a status of 0x0000005......

this shows once, and after that it becomes a STOP: 0x000000F4 BSOD

it appears shortly after windows reaches desktop.

 

after this i did combofix and it finds 'logongui.exe' and 'msgsvc.dll' (system32 folder) as infected, on top of a few weird files that FRST indicates too (files with a ? mark; i can't see these files via windows explorer or total commander...tried erasing them via CFScript.txt and combofix, but to no avail). combofix says it can fix msgsvc (by copying it from another location in the windows directory) but not logongui.exe, so i copied that file from a working machine. after this the pc boots, but not for long, as the error sequence repeats (with one and then (after reboot) another BSOD). probably worth mentioning that combofix is bleeping about avast being active, but i can't turn it off because i don't see it in safe mode, and i can't remove it via avastclear.exe. it is also bleeping about lacking the recovery console, but tough luck there too: seems the xp server for that purpose is down, and the version on the xp cd seems too old (?)


did all sorts of different things too, checked for rootkits with rkill, tdsskiller and others, checked MBR etc. checked the BSOD minidump (nir sofer's BlueScreenView says ntoskrnl.exe most of the time, windows debugging tools say csrss.exe...), swapped RAM sticks, reinstalled VGA driver, HDtune tested hdd etc.

probably the most interesting thing is that i restored hdd image from the time windows was working ok, and soon after BSOD reappears (i didn't use sector-by-sector mode of acronis true image to restore it, though). also at the time of that restoration i had 3 more hdds connected in the system..i dunno if rootkits like to skip from drive to drive...



i'm now writing this from safe mode which works ok. also, it's dual boot system, windows2000 is working too.

 

here are logs (regarding flash player version was 23 when BSOD appeared, this is a bit older disk image i restored, so it's still on flash 21):

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 31.10.2016
Scan Time: 1:58:23
Logfile: mbam.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.31.01
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: izi-2

Scan Type: Custom Scan
Result: Completed
Objects Scanned: 313308
Time Elapsed: 32 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 9
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{D4027C7F-154A-4066-A1AD-4243D8127440}, , [833a4c53722865d10e2f545718ec0000],
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D4027C7F-154A-4066-A1AD-4243D8127440}, , [833a4c53722865d10e2f545718ec0000],
PUP.Optional.Conduit, HKLM\SOFTWARE\CLASSES\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}, , [25986f30d2c813234181f11c7d839868],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\CLASSES\Toolbar.CT3072253, , [9f1e8a15d5c53105560b1f7254afbc44],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PACGPKGADGMIBNHPDIDCNFAFLLNMEOMC, , [9a23fda25446181e395886530af8df21],
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\synsend, , [bb02366956441e18c13089b8a85b6b95],
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PACGPKGADGMIBNHPDIDCNFAFLLNMEOMC, , [dce1603f8218191d147e1abf49b9867a],
PUP.Optional.Conduit, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}, , [24998d12e7b35fd71068198312f10af6],
PUP.Optional.SmartBar, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\SMARTBAR, , [427b425d87131323c12a7341d3306997],

Registry Values: 8
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{D4027C7F-154A-4066-A1AD-4243D8127440},  | ÔJ f@ˇ­BCŘ t@, , [833a4c53722865d10e2f545718ec0000]
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{D4027C7F-154A-4066-A1AD-4243D8127440}, , [c5f8a2fd0397b87e82bb109b659fe020],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pacgpkgadgmibnhpdidcnfafllnmeomc|path, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx, , [9a23fda25446181e395886530af8df21]
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pacgpkgadgmibnhpdidcnfafllnmeomc|path, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx, , [dce1603f8218191d147e1abf49b9867a]
PUP.Optional.Conduit, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|URL, http://search.condui...&ctid=CT3072253, , [24998d12e7b35fd71068198312f10af6]
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LowRiskFileTypes, .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;, , [833ad4cbcbcf86b08364567fae55768a]
Hijack.ControlPanelStyle, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceClassicControlPanel, 1, , [7d40910e950535012e6ea18fdd26c63a]
PUP.Optional.SmartBar, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\SMARTBAR|GlobalUserId, 6F7137A2-AB07-4939-83B9-C7EF7A034D54, , [427b425d87131323c12a7341d3306997]

Registry Data: 0
(No malicious items detected)

Folders: 6
PUP.Optional.ConduitTB.Gen, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE, , [f8c579260199b5812e625485788a867a],
PUP.Optional.ConduitTB.Gen, C:\Program Files\Conduit\Community Alerts, , [0faeb5ea6c2ee254feac6a456a98d62a],
PUP.Optional.uTorrentTB, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc, , [36870e91d5c5082ecfa7289746bcf20e],
PUP.Optional.Conduit, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Conduit, , [2d909f001e7c6bcbd804972f8e742ed2],
PUP.Optional.Conduit, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Conduit\Community Alerts, , [2d909f001e7c6bcbd804972f8e742ed2],
PUP.Optional.Conduit, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Conduit\Community Alerts\Log, , [2d909f001e7c6bcbd804972f8e742ed2],

Files: 4
PUP.Optional.Conduit, C:\Program Files\Conduit\Community Alerts\Alert.dll, , [25986f30d2c813234181f11c7d839868],
PUP.Optional.ConduitTB.Gen, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx, , [f8c579260199b5812e625485788a867a],
Rogue.Link, C:\Documents and Settings\Administrator.UNIMATRIX001\Favorites\Free Pornstars @ Pornstar Pile.url, , [5667faa5ecae90a6228e5dafe221f10f],
Rootkit.Agent, C:\WINDOWS\system32\drivers\str.sys, , ,

Physical Sectors: 0
(No malicious items detected)


(end)

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by izi-2 at 19:19:26 on 2016-11-01
Microsoft Windows XP Professional  5.1.2600.2.1250.385.1033.18.3062.2358 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Firefox40\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: FGCatchUrl: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - e:\program files\avastxp\aswWebRepIE.dll
BHO: FlashGet GetFlash Class: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [mouseElf] c:\progra~1\scroll~1\MouseElf.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Malwarebytes Anti-Exploit] c:\program files\malwarebytes anti-exploit\mbae.exe
mRun: [AvastUI.exe] "e:\program files\avastxp\AvastUI.exe" /nogui
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\filebo~1.lnk - c:\program files\filebx\FileBX.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: Interfaces\{755DDF4B-EB2F-4494-9B33-2930EC276CD9} : NameServer = 195.29.166.116,195.29.166.117
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.unimatrix001\application data\mozilla\firefox\profiles\naef66wq.default-1454634362109\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gfe_rd=cr&ei=lPezVsjnIMGH8QfyvZ-4DQ&gws_rd=ssl,cr&fg=1
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_21_0_0_182.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\nporbit.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-1-12 38656]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2009-7-11 6656]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2016-3-22 58776]
S0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswvmm.sys [2016-3-22 224616]
S0 wgptk;wgptk;c:\windows\system32\drivers\nfqida.sys --> c:\windows\system32\drivers\nfqida.sys [?]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2016-3-23 35096]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2016-3-22 815792]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2016-3-22 449640]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\malwarebytes anti-exploit\mbae.sys [2015-12-27 59976]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2016-3-22 32792]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2016-3-22 91168]
S2 avast! Antivirus;Avast Antivirus;e:\program files\avastxp\AvastSvc.exe [2016-10-31 243296]
S2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.sys [2010-3-11 3584]
S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\malwarebytes anti-exploit\mbae-svc.exe [2015-12-27 155088]
S2 RadPciNT;RadPciNT;c:\windows\system32\drivers\RadPciNT.sys [2000-4-24 9417]
S2 zmatfkbg;zmatfkbg;\??\c:\windows\system32\drivers\wwqca.sys --> c:\windows\system32\drivers\wwqca.sys [?]
S3 aswStmXP;Avast StreamFilter Driver;c:\windows\system32\drivers\aswStmXP.sys [2016-3-22 187208]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2015-7-2 14944]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2015-7-2 10208]
S3 FlyPCI;FlyPCI;e:\progra~1\slydiman\slycon~1\FlyPCI.sys [2003-10-10 4134]
S3 IT9135BDA;IT9135 BDA Devices;c:\windows\system32\drivers\IT9135BDA.sys [2013-3-31 145280]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2014-12-29 15688]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2014-12-29 10320]
S3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\drivers\SkyNET.sys [2008-1-11 349184]
S3 SliceDisk5;SliceDisk5;c:\program files\a-ff find and mount\slicedisk.sys [2015-10-9 26192]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2015-7-9 123448]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
.
=============== Created Last 30 ================
.
2027-11-27 03:34:00    --------    d-----w-    C:\My Music
2027-11-27 02:14:33    --------    d-----w-    C:\My PixAround
2027-11-27 01:49:16    --------    d-----w-    C:\My Documents
2016-10-31 23:27:47    --------    d-----w-    C:\FRST
2016-10-31 19:35:35    52184    ----a-w-    c:\windows\avastSS.scr
2016-10-31 05:26:43    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2016-10-31 01:51:54    98816    ----a-w-    c:\windows\sed.exe
2016-10-31 01:51:54    256000    ----a-w-    c:\windows\PEV.exe
2016-10-31 01:51:54    208896    ----a-w-    c:\windows\MBR.exe
2016-10-31 00:56:32    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-10-31 00:56:10    24448    ----a-w-    c:\windows\system32\drivers\mbam.sys
2016-10-31 00:56:10    121560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2016-10-31 00:56:10    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2016-10-31 00:56:10    --------    d-----w-    c:\documents and settings\all users\application data\Malwarebytes
.
==================== Find3M  ====================
.
2016-10-31 19:36:36    224616    ----a-w-    c:\windows\system32\drivers\aswvmm.sys
2016-10-31 19:35:42    91168    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2016-10-31 19:35:42    58776    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2016-10-31 19:35:42    32792    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2016-10-31 19:35:42    187208    ----a-w-    c:\windows\system32\drivers\aswStmXP.sys
2016-10-31 19:35:24    815792    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-02-27 02:16:39    0    ----a-w-    c:\program files\GUT3A7.tmp
.
============= FINISH: 19:20:09,93 ===============

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows XP Service Pack 2 x86   
 Out of date service pack!!
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
Please wait while WMIC compiles updated MOF files.d
i
s
p
l
a
y
N
a
m
e
ECHO is off.
a
v
a
s
t
!
ECHO is off.
A
n
t
i
v
i
r
u
s
ECHO is off.
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player     21.0.0.182  
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (44.0)
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 30% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Edit: Please read the Instructions and post the requested logs (MBAM, FRST, Security Analysis). We need the information in order to help you.


Edited by Rocket Grannie, 02 November 2016 - 12:35 AM.
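A triage aid for logs like the ones in this post, added here as an example (it is not the poster's code, not ComboFix/DDS/FRST code, and not something the forum helpers use): the script parses the SERVICES / DRIVERS lines of a DDS log and the Drivers lines of an FRST log, flags entries whose binary is absent (`[?]` in DDS, `[X]` or `no ImagePath` in FRST) and whose service or file name looks machine-generated, and ranks them so that entries such as `wgptk`/`nfqida.sys` and `zmatfkbg`/`wwqca.sys` surface first. The sample lines are copied from the DDS log above and the FRST log in the reply below (with two ordinary avast entries for contrast); the regexes, the vowel-ratio threshold in `looks_random`, and the HIGH/LOW/INFO/OK level names are my own assumptions. It is a heuristic for deciding what to look at first, not a verdict: the same rule rates `catchme.sys` (a ComboFix leftover, present on this machine's FRST log) only LOW, and a legitimate but oddly named driver would be reported as INFO.

```python
import re
from os.path import basename, splitext

# Constructed sample: driver lines copied from the DDS log (post #1) and the
# FRST log (post #2) in this thread, plus ordinary avast entries for contrast.
DDS_SAMPLE = r"""
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2016-3-22 58776]
S0 wgptk;wgptk;c:\windows\system32\drivers\nfqida.sys --> c:\windows\system32\drivers\nfqida.sys [?]
S2 zmatfkbg;zmatfkbg;\??\c:\windows\system32\drivers\wwqca.sys --> c:\windows\system32\drivers\wwqca.sys [?]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
"""

FRST_SAMPLE = r"""
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [58776 2016-10-31] (AVAST Software)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S4 IntelIde; no ImagePath
S0 wgptk; System32\drivers\nfqida.sys [X]
S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]
"""

# DDS:  "<start> <service>;<display name>;<path>[ --> <path>] [<date size> | ?]"
DDS_RE = re.compile(r"^([RSU]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# FRST: "<start> <service>; <path> [<size date> | X] (<vendor>) ..."  or  "<start> <service>; no ImagePath"
FRST_RE = re.compile(r"^([RSU]\d)\s+([^;]+);\s*(.*?)\s*(?:\[([^\]]*)\](.*))?$")

VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic (assumption): an all-lowercase alphabetic name of 5+ letters with
    at most 25% vowels. Vendor drivers tend to use mixed case or pronounceable
    abbreviations; generated names like 'wgptk' or 'wwqca' do not."""
    if len(name) < 5 or not name.isascii() or not name.isalpha() or name != name.lower():
        return False
    return sum(c in VOWELS for c in name) / len(name) <= 0.25


def level_for(missing, random_name):
    """Rank an entry; the level names are this example's own convention."""
    if missing and random_name:
        return "HIGH", "random-looking name and the driver binary is absent"
    if missing:
        return "LOW", "binary absent (stale service entry or cleaned file)"
    if random_name:
        return "INFO", "random-looking name but binary present"
    return "OK", ""


def make_entry(tool, start, service, path, missing):
    # Normalise the path separators so basename() works on any host OS.
    stem = splitext(basename(path.replace("\\", "/")))[0]
    random_name = looks_random(service) or looks_random(stem)
    level, reason = level_for(missing, random_name)
    return {"tool": tool, "start": start, "service": service.strip(), "path": path,
            "missing": missing, "random_name": random_name,
            "level": level, "reason": reason}


def parse_line(line):
    """Return a dict for a DDS or FRST driver line, or None for anything else."""
    line = line.strip()
    m = DDS_RE.match(line)
    if m:
        start, service, _display, paths, bracket = m.groups()
        # DDS repeats the path after '-->' when the file cannot be found.
        path = paths.split("-->")[-1].strip()
        return make_entry("dds", start, service, path, missing=(bracket.strip() == "?"))
    m = FRST_RE.match(line)
    if m:
        start, service, path, bracket, _rest = m.groups()
        missing = (bracket is not None and bracket.strip() == "X") \
            or path.lower().startswith("no imagepath")
        return make_entry("frst", start, service, path, missing)
    return None


def triage(text):
    """Parse every driver line in the text and return the entries, worst first."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    order = {"HIGH": 0, "LOW": 1, "INFO": 2, "OK": 3}
    return sorted(entries, key=lambda e: order[e["level"]])


if __name__ == "__main__":
    for e in triage(DDS_SAMPLE + FRST_SAMPLE):
        print(f'{e["level"]:<4} {e["tool"]:<4} {e["start"]} {e["service"]:<9} {e["path"]}  {e["reason"]}')
```

Running it on the two samples prints the four `wgptk`/`zmatfkbg` entries as HIGH, the `vmci`, `catchme` and `IntelIde` entries as LOW, and the avast driver as OK in both logs; the HIGH entries are exactly the ones a helper would ask for a file listing or a fix script for, and the LOW ones are the kind of stale entries that an uninstalled VirtualBox/VMware or a finished ComboFix run leaves behind.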


#2 i4004 (Full Member, 7 posts)

Posted 02 November 2016 - 02:32 PM

Edit: Please read the Instructions and post the requested logs (MBAM, FRST, Security Analysis). We need the information in order to help you.

 

look at the top of this forum, it states:

 

We need to see the logs in order to help you.

Required logs are Malwarebytes Anti-Malware log, DDS.txt, and checkup.txt.  Use separate replies.

Please copy/paste your logs into your post.  Do not attach unless specifically asked to attach a file. 

Please stay with your original topic when replying.  Don't start more than one topic for your problem.

If you do not have spyware or another parasite and just want a check for anything suspicious,  Click here.

but no problem, here is frst:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2016
Ran by izi-2 (administrator) on ASUS (02-11-2016 02:05:43)
Running from C:\MyDokumenta2
Loaded Profiles: izi-2 (Available Profiles: izi-2)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) E:\Program Files\AvAstXP\AvastSvc.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
() C:\PROGRA~1\SCROLL~1\MouseElf.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(AVAST Software) E:\Program Files\AvAstXP\avastui.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Hyperionics Technology LLC) C:\Program Files\FileBX\FileBX.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Mozilla Corporation) E:\Firefox40\firefox.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Mozilla Corporation) E:\Firefox40\plugin-container.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [18077696 2008-12-23] (Realtek Semiconductor Corp.)
HKLM\...\Run: [mouseElf] => C:\Program Files\Scroll Mouse\MouseElf.exe [438364 2005-12-16] ()
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2508104 2009-11-02] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-04] (CANON INC.)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2651088 2016-10-28] (Malwarebytes Corporation)
HKLM\...\Run: [AvastUI.exe] => E:\Program Files\AvAstXP\AvastUI.exe [7408312 2016-10-31] (AVAST Software)
HKLM\...\Run: [NvCplDaemon] => C:\WINDOWS\system32\NvCpl.dll [15517472 2013-01-31] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] => C:\WINDOWS\system32\NvMcTray.dll [108832 2013-01-31] (NVIDIA Corporation)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1982312 2013-01-31] ()
HKLM\...\Policies\Explorer: [NoSharedDocuments] 1
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [CDRAutoRun] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => E:\Program Files\AvAstXP\ashShell.dll [2016-10-31] (AVAST Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FileBox eXtender.lnk [2008-09-19]
ShortcutTarget: FileBox eXtender.lnk -> C:\Program Files\FileBX\FileBX.exe (Hyperionics Technology LLC)
BootExecute: autocheck autochk /p \??\O:autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{755DDF4B-EB2F-4494-9B33-2930EC276CD9}: [NameServer] 195.29.166.116,195.29.166.117

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2000478354-73586283-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: FGCatchUrl -> {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} -> C:\Program Files\FlashGet\jccatch.dll [2007-08-06] (www.flashget.com)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> E:\Program Files\AvAstXP\aswWebRepIE.dll [2016-10-31] (AVAST Software)
BHO: FlashGet GetFlash Class -> {F156768E-81EF-470C-9057-481BA8380DBA} -> C:\Program Files\FlashGet\getflash.dll [2007-05-18] (www.flashget.com)
Toolbar: HKU\S-1-5-21-2000478354-73586283-725345543-500 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 [2016-11-02]
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> hxxps://www.google.com/?gfe_rd=cr&ei=lPezVsjnIMGH8QfyvZ-4DQ&gws_rd=ssl,cr&fg=1
FF NetworkProxy: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> type", 0
FF Extension: (YouTube™ Flash® Player) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\jid1-HAV2inXAnQPIeA@jetpack.xpi [2016-11-01]
FF Extension: (FlashGot) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2016-03-18]
FF Extension: (Video DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-10-31]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-10-31]
FF Extension: (DownThemAll!) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2016-04-24]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default [2016-10-31]
FF DefaultSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF SelectedSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> www.google.com
FF Extension: (Adblock Latitude) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{016acf6d-e5c0-4768-9376-3763d1ad1978}.xpi [2016-02-08] [not signed]
FF Extension: (DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2015-07-15]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Broad Intelligence\XULPlayer\Profiles\xulplayer [2009-08-01]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - E:\Program Files\AvAstXP\WebRep\FF
FF Extension: (Avast Online Security) - E:\Program Files\AvAstXP\WebRep\FF [2016-10-31]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-18] ()
FF Plugin: @java.com/DTPlugin,version=10.4.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-04-04] (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2008-06-11] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
StartMenuInternet: FIREFOX.EXE - E:\Firefox40\firefox.exe

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avast! Antivirus; E:\Program Files\AvAstXP\AvastSvc.exe [243296 2016-10-31] (AVAST Software)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2016-10-28] (Malwarebytes Corporation)
S2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12664 2006-10-18] ()
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [32792 2016-10-31] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [35096 2016-03-23] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [91168 2016-10-31] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-10-31] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [58776 2016-10-31] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [815792 2016-10-31] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [449640 2016-10-31] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [187208 2016-10-31] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [67216 2016-10-31] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [224616 2016-10-31] (AVAST Software)
R3 AtcL001; C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [38656 2007-03-14] (Attansic Technology corporation.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R2 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
S3 DSDrv4; C:\Program Files\DScaler\DSDrv4.sys [8801 2005-12-18] () [File not signed]
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [14944 2014-11-18] ()
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [59976 2016-10-28] ()
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [10208 2014-11-18] ()
S3 EverestDriver; E:\Tech\Programi\NON-VIDEO\EverestUltim_4.60.1562.B\kerneld.wnt [23664 2008-11-14] ()
S3 FlyPCI; E:\Program Files\SlyDiman\SlyControl2\FlyPCI.sys [4134 2003-10-10] () [File not signed]
R3 genmcmnUSB; C:\WINDOWS\System32\DRIVERS\gflmouhid.sys [6656 2004-04-19] ()
R0 giveio; C:\WINDOWS\System32\giveio.sys [5248 1996-04-03] () [File not signed]
S3 IT9135BDA; C:\WINDOWS\System32\Drivers\IT9135BDA.sys [145280 2011-10-19] (ITE                      )
R3 LVCap138; C:\WINDOWS\System32\DRIVERS\tvcap.sys [301568 2004-10-27] (Philips) [File not signed]
R3 lvtuner; C:\WINDOWS\System32\DRIVERS\lvtuner.sys [14464 2004-10-20] (Animation Technologies Inc.) [File not signed]
R1 MagicTune; C:\WINDOWS\system32\drivers\MTictwl.sys [12062 2004-10-11] () [File not signed]
S3 MEMSWEEP2; C:\WINDOWS\system32\43.tmp [6144 2011-08-25] (Sophos Plc) [File not signed]
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15360 2004-08-03] (Microsoft Corporation)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2002-12-31] (Microsoft Corporation)
S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20640 2005-03-11] (Sonic Solutions) [File not signed]
S2 RadPciNT; C:\WINDOWS\system32\Drivers\RadPciNT.sys [9417 2000-04-24] (MediaForte Products Pte. Ltd.) [File not signed]
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2002-12-31] ()
S3 SKYNET; C:\WINDOWS\System32\DRIVERS\SkyNET.SYS [349184 2006-03-13] (B2C2, Inc.) [File not signed]
S3 SliceDisk5; C:\Program Files\A-FF Find and Mount\slicedisk.sys [26192 2011-02-25] (Atola) [File not signed]
R0 speedfan; C:\WINDOWS\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider) [File not signed]
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [359040 2009-06-28] (Microsoft Corporation) [File not signed]
R0 viamraid; C:\WINDOWS\System32\DRIVERS\viamraid.sys [60672 2004-07-06] (VIA Technologies inc,.ltd)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 CrystalSysInfo; \??\C:\Program Files\MediaCoder\SysInfo.sys [X]
S4 IntelIde; no ImagePath
S3 MFE_RR; \??\C:\DOCUME~1\ADMINI~1.UNI\LOCALS~1\Temp\mfe_rr.sys [X]
U3 SCardDrv; no ImagePath
U4 uploadmgr; no ImagePath
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S0 wgptk; System32\drivers\nfqida.sys [X]
S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2027-11-27 04:34 - 2027-11-27 04:34 - 00000000 ____D C:\My Music
2027-11-27 03:14 - 2027-11-27 03:14 - 00000000 ____D C:\My PixAround
2027-11-27 03:12 - 2007-11-20 22:56 - 00000324 ____H C:\Config.sys
2027-11-27 02:57 - 2027-11-27 02:57 - 00000244 _____ C:\Config.ctl
2027-11-27 02:49 - 2027-11-27 02:49 - 00000000 ____D C:\My Documents
2027-11-27 02:47 - 2027-11-27 02:47 - 00140676 ___SH C:\SETUPLOG.OLD
2027-11-27 02:47 - 2027-11-27 02:47 - 00011195 ___SH C:\NETLOG.TXT
2016-11-02 01:39 - 2016-11-02 01:40 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-11-02 01:39 - 2016-11-02 01:39 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-11-02 01:39 - 2016-11-02 01:39 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-11-02 01:39 - 2016-03-10 14:09 - 00123264 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-11-02 01:39 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-11-02 01:13 - 2016-11-02 01:13 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
2016-11-02 01:13 - 2013-01-31 10:06 - 00335872 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrshe.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00335872 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsar.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00286720 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsfr.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00282624 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsit.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00282624 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrses.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00282624 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsel.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00278528 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsde.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00274432 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrspt.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00274432 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsnl.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00274432 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsja.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00274432 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsesm.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00270336 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsru.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00270336 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsptb.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00266240 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsko.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00262144 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrshu.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00258048 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrstr.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00258048 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrssl.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00258048 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrssk.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00258048 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrspl.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00253952 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsth.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00253952 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrssv.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00253952 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsno.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00253952 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsda.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00249856 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrsfi.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00249856 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrseng.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00249856 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrscs.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00229376 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrszhc.dll
2016-11-02 01:13 - 2013-01-31 10:06 - 00126976 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvrszht.dll
2016-11-02 01:13 - 2013-01-31 10:02 - 15517472 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcpl.dll
2016-11-02 01:13 - 2013-01-31 10:02 - 00156448 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
2016-11-02 01:13 - 2013-01-31 10:02 - 00144160 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcolor.exe
2016-11-02 01:13 - 2013-01-31 10:02 - 00108832 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvmctray.dll
2016-11-02 01:13 - 2013-01-31 10:02 - 00054272 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvwddi.dll
2016-11-02 01:12 - 2016-11-02 01:12 - 01072544 _____ C:\WINDOWS\system32\nvdrsdb1.bin
2016-11-02 01:12 - 2016-11-02 01:12 - 01072544 _____ C:\WINDOWS\system32\nvdrsdb0.bin
2016-11-02 01:12 - 2016-11-02 01:12 - 00000001 _____ C:\WINDOWS\system32\nvdrssel.bin
2016-11-02 01:12 - 2016-11-02 01:12 - 00000000 _____ C:\WINDOWS\system32\nvdrswr.lk
2016-11-02 01:12 - 2013-01-31 12:22 - 00065536 _____ (Khronos Group) C:\WINDOWS\system32\OpenCL.dll
2016-11-02 01:11 - 2016-11-02 01:13 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-11-02 01:11 - 2013-01-31 12:22 - 19189760 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvoglnt.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 17551360 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcompiler.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 07536640 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuda.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 05967872 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvopencl.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 02816504 _____ C:\WINDOWS\system32\nvdata.data
2016-11-02 01:11 - 2013-01-31 12:22 - 02581792 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvid.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 02389504 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvapi.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 01869088 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvcuvenc.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 01010464 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispco32.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 00892704 _____ (NVIDIA Corporation) C:\WINDOWS\system32\nvdispgenco32.dll
2016-11-02 01:11 - 2013-01-31 12:22 - 00015449 _____ C:\WINDOWS\system32\nvinfo.pb
2016-11-02 00:05 - 2016-11-02 00:05 - 00000000 _____ C:\Documents and Settings\Administrator.UNIMATRIX001\last.dump
2016-11-01 20:55 - 2011-08-25 09:33 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\43.tmp
2016-11-01 20:54 - 2011-08-25 09:33 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\42.tmp
2016-11-01 20:54 - 2011-08-25 09:33 - 00006144 ____N (Sophos Plc) C:\WINDOWS\system32\41.tmp
2016-11-01 20:53 - 2016-11-01 20:53 - 00000000 ____D C:\Program Files\Sophos
2016-11-01 20:37 - 2016-11-01 20:37 - 79384424 _____ C:\Documents and Settings\Administrator.UNIMATRIX001\My Documents\pinknoise15min.wav
2016-11-01 00:27 - 2016-11-02 02:05 - 00000000 ____D C:\FRST
2016-10-31 23:49 - 2016-10-31 23:48 - 00098304 _____ C:\WINDOWS\Minidump\Mini103116-04.dmp
2016-10-31 23:36 - 2016-11-02 02:06 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\temp
2016-10-31 23:36 - 2016-10-31 23:36 - 00014138 _____ C:\ComboFix2.txt
2016-10-31 23:36 - 2016-10-31 23:36 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2016-10-31 23:32 - 2016-10-31 23:34 - 00000000 _____ C:\WINDOWS\system32\last.dump
2016-10-31 20:36 - 2016-11-02 01:33 - 00000288 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-10-31 20:35 - 2016-10-31 20:35 - 00334280 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-10-31 20:35 - 2016-10-31 20:35 - 00052184 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-10-31 19:23 - 2016-10-31 19:29 - 00129566 _____ C:\TDSSKiller.3.1.0.11_31.10.2016_19.23.19_log.txt
2016-10-31 19:19 - 2016-10-31 19:19 - 00012273 _____ C:\ComboFix1.txt
2016-10-31 06:26 - 2016-10-31 06:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2016-10-31 06:24 - 2016-10-31 06:29 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Desktop\mbar
2016-10-31 02:51 - 2016-10-31 23:36 - 00000000 ____D C:\Qoobox
2016-10-31 02:51 - 2016-10-31 23:30 - 00000000 ____D C:\WINDOWS\erdnt
2016-10-31 02:51 - 2011-06-26 07:45 - 00256000 _____ C:\WINDOWS\PEV.exe
2016-10-31 02:51 - 2010-11-07 18:20 - 00208896 _____ C:\WINDOWS\MBR.exe
2016-10-31 02:51 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00098816 _____ C:\WINDOWS\sed.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00080412 _____ C:\WINDOWS\grep.exe
2016-10-31 02:51 - 2000-08-31 01:00 - 00068096 _____ C:\WINDOWS\zip.exe
2016-10-31 02:42 - 2016-10-31 02:42 - 00081920 _____ C:\WINDOWS\Minidump\Mini103116-03.dmp
2016-10-31 01:56 - 2016-10-31 01:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-10-31 01:18 - 2016-10-31 01:18 - 00081920 _____ C:\WINDOWS\Minidump\Mini103116-02.dmp
2016-10-31 01:07 - 2016-10-31 01:07 - 00081920 _____ C:\WINDOWS\Minidump\Mini103116-01.dmp
2016-10-30 21:57 - 2016-10-30 21:57 - 00000000 __SHD C:\WINDOWS\CSC

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-02 01:43 - 2008-12-29 20:43 - 00001697 _____ C:\WINDOWS\I_VIEW32.INI
2016-11-02 01:38 - 2008-08-30 07:15 - 00000000 ____D C:\MyDokumenta2
2016-11-02 01:35 - 2015-12-27 19:59 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes Anti-Exploit
2016-11-02 01:35 - 2009-07-18 21:33 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Temp
2016-11-02 01:33 - 2008-01-12 02:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-11-02 01:32 - 2008-01-12 02:05 - 00032442 _____ C:\WINDOWS\SchedLgU.Txt
2016-11-02 01:32 - 2008-01-12 02:05 - 00000178 ___SH C:\Documents and Settings\Administrator.UNIMATRIX001\ntuser.ini
2016-11-02 01:32 - 2008-01-12 02:05 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001
2016-11-02 01:18 - 2008-01-12 01:29 - 00000000 ___HD C:\WINDOWS\inf
2016-11-02 01:13 - 2008-01-12 01:29 - 00000000 ____D C:\WINDOWS\Help
2016-11-02 01:12 - 2001-12-01 02:10 - 00000000 ____D C:\TEMP
2016-11-02 00:55 - 2013-12-19 23:19 - 01350104 _____ C:\WINDOWS\ntbtlog.txt
2016-11-02 00:23 - 2008-01-12 02:05 - 00000178 __SHC C:\Documents and Settings\LocalService\ntuser.ini
2016-11-01 20:37 - 2008-01-12 02:05 - 00000000 ___RD C:\Documents and Settings\Administrator.UNIMATRIX001\My Documents
2016-11-01 20:32 - 2011-04-03 22:40 - 00001324 _____ C:\WINDOWS\system32\d3d9caps.dat
2016-11-01 01:05 - 2008-01-18 17:09 - 00000524 _____ C:\RTHDCPL_Dump.txt
2016-10-31 23:49 - 2008-11-09 06:03 - 00000000 ____D C:\WINDOWS\Minidump
2016-10-31 23:33 - 2008-01-12 01:49 - 00458340 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2016-10-31 23:30 - 2008-01-12 02:05 - 00000000 __SHD C:\Documents and Settings\NetworkService
2016-10-31 23:30 - 2008-01-12 02:05 - 00000000 __SHD C:\Documents and Settings\LocalService
2016-10-31 23:30 - 2002-12-31 11:00 - 00000227 _____ C:\WINDOWS\system.ini
2016-10-31 20:36 - 2016-03-22 04:02 - 00224616 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00815792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00449640 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00187208 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00091168 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00067216 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00064272 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00058776 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-10-31 20:35 - 2016-03-22 04:02 - 00032792 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-10-31 20:32 - 2016-03-23 00:48 - 00000000 ____D C:\Program Files\AVAST Software
2016-10-31 19:59 - 2008-12-29 20:40 - 01037821 _____ C:\WINDOWS\setupapi.log.0.old
2016-10-31 03:05 - 2008-01-12 01:45 - 00000000 ___HD C:\Documents and Settings\Default User
2016-10-31 02:59 - 2008-01-12 02:45 - 00262144 _____ C:\WINDOWS\system32\config\SECURITY.bak
2016-10-31 02:59 - 2008-01-12 02:45 - 00024576 _____ C:\WINDOWS\system32\config\SAM.bak
2016-10-31 02:59 - 2008-01-12 02:44 - 17825792 _____ C:\WINDOWS\system32\config\SOFTWARE.bak
2016-10-31 02:59 - 2008-01-12 02:44 - 06815744 _____ C:\WINDOWS\system32\config\SYSTEM.bak
2016-10-31 02:59 - 2008-01-12 02:44 - 00524288 _____ C:\WINDOWS\system32\config\DEFAULT.bak
2016-10-31 02:58 - 2008-12-29 18:34 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\IEPro
2016-10-31 02:40 - 2008-01-12 01:29 - 00000000 ____D C:\WINDOWS\PeerNet
2016-10-31 02:39 - 2012-07-07 18:42 - 00000000 ____D C:\Program Files\Conduit
2016-10-31 01:47 - 2009-09-29 23:15 - 00000000 ____D C:\Program Files\SpeedFan
2016-10-30 21:53 - 2015-12-27 19:59 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2016-10-30 21:52 - 2002-12-31 11:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl

==================== Files in the root of some directories =======

2008-01-12 21:19 - 2007-11-14 20:04 - 0037941 ____C () C:\Program Files\FLV_Extract.zip
2014-02-27 03:16 - 2014-02-27 03:16 - 0000000 _____ () C:\Program Files\GUT3A7.tmp
2008-12-30 17:40 - 2008-12-21 20:44 - 1379392 ____C () C:\Program Files\VirtualDub-1.8.7.zip
2009-08-01 16:57 - 2009-08-01 16:57 - 0000099 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\MPUI.ini
2009-06-16 19:48 - 2016-03-09 01:36 - 63358644 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Log
2009-06-24 22:32 - 2016-03-09 01:35 - 0000477 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Vprj
2008-01-12 21:20 - 2016-05-02 01:50 - 0034816 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-18 00:35 - 2010-07-28 23:49 - 0000334 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\magnifier.ini
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LmeUSB.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000425 _____ () C:\Documents and Settings\All Users\Application Data\LmeZJSW.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LSDmbTH.log
2009-08-04 05:03 - 2011-04-27 18:31 - 0001373 ____C () C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Some files in TEMP:
====================
C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\temp\tdxwsn.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Result of Security Analysis by Rocket Grannie (x86) Updated: 21st October, 2016
Running from:C:\MyDokumenta2 (20:31:40 - 11/02/2016)
***---------------------------------------------------------***
Microsoft Windows XP Professional X86 Service Pack 2 *Service Pack is out of Date**WARNING* Windows XP is no longer supported
Internet Explorer 8
Default Browser: Internet Explorer
***-----------------Anti-Virus - Firewall-------------------***
avast! Antivirus Enabled - up to Date!
Windows Firewall (Enabled)
*No other Firewall Installed*
***----------------AntiSpyware - Miscellaneous---------------***
Adobe Flash Player Plugin (version 21.0.0.182) is *out of Date*
Malwarebytes Anti-Malware (version 2.2.1.1043)
Pale Moon (version 26)

Firefox (version 44.0) is *out of Date*
Malwarebytes Anti-Exploit version (version 1.8.1.1189) is *out of Date*
Opera (version 9.52) is *out of Date*

***----------------Analysis Complete-------------------------***

Edited by i4004, 02 November 2016 - 02:33 PM.
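
An added triage example (not part of this thread and not FRST's own code): the script below parses driver entries in the line format FRST prints, such as the Drivers section above, and scores each one on the indicators an analyst checks first when hunting a kernel-mode rootkit: a registry entry whose image file is gone (`[X]` / `no ImagePath`), an unsigned driver, a boot- or system-start driver with no vendor string, a driver loaded from a temp location or a `.tmp` file, and a machine-generated-looking service name that points at an equally random file name (the `wgptk` / `nfqida.sys` and `zmatfkbg` / `wwqca.sys` pattern above). The weights, the reporting threshold of 3 and the `Finding` class are my own choices for this example; the sample lines are copied from the log posted above.

```python
"""Score the 'Drivers (Whitelisted)' entries of an FRST log for rootkit indicators.

Added example for this thread; not FRST code. Weights and threshold are arbitrary.
"""
import re
from dataclasses import dataclass, field

# "R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [449640 2016-10-31] (AVAST Software)"
# R/S/U = running/stopped/unknown; digit = start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled)
ENTRY_RE = re.compile(r"^(?P<state>[RSU])(?P<start>[0-4])\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
VENDOR_RE = re.compile(r"\((?P<vendor>[^()]*)\)")      # version-resource company name, '()' if none
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")          # shape of generated names like wgptk / nfqida


@dataclass
class Finding:
    name: str
    start: int
    path: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def parse_entry(line: str):
    """Return (state, start_type, name, rest) for an FRST driver line, else None."""
    m = ENTRY_RE.match(line.strip())
    return None if m is None else (m["state"], int(m["start"]), m["name"].strip(), m["rest"])


def score_entry(line: str):
    """Score one driver line; None for lines that are not driver entries."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    _state, start, name, rest = parsed
    f = Finding(name=name, start=start, path=rest.split(" [")[0].strip())
    rest_l = rest.lower()

    # Registry entry with no file behind it: leftover of a cleaned dropper, a failed install,
    # or a driver whose image is hidden/unlinked. Always resolve what it was.
    if rest_l.endswith("[x]") or rest_l.startswith("no imagepath"):
        f.add(3, "image file missing or no ImagePath")
    # Kernel code with no Authenticode signature (XP loads it anyway).
    if "[file not signed]" in rest_l:
        f.add(1, "not signed")
    # No company name in the version resource; worse when it loads before the OS is up.
    vm = VENDOR_RE.search(rest)
    if vm is not None and vm["vendor"].strip() == "":
        f.add(1, "no vendor in version info")
        if start in (0, 1):
            f.add(1, "boot/system-start driver with no vendor")
    # Legitimate drivers do not live in %TEMP% or get named *.tmp.
    if "\\temp\\" in rest_l or re.search(r"\.tmp\b", rest_l):
        f.add(2, "loaded from a temp location or .tmp file")
    # Service name and file stem both look generated and do not match each other.
    stem = re.search(r"([^\\]+)\.sys\b", rest_l)
    if (RANDOM_NAME_RE.match(name) and sum(ch in "aeiou" for ch in name) <= 1
            and stem is not None and RANDOM_NAME_RE.match(stem[1]) and stem[1] != name):
        f.add(2, f"random-looking name pointing at unrelated file {stem[1]}.sys")
    return f


def triage(log_text: str, threshold: int = 3):
    """Findings with score >= threshold, highest score first."""
    hits = [f for f in map(score_entry, log_text.splitlines()) if f and f.score >= threshold]
    return sorted(hits, key=lambda x: (-x.score, x.name))


# Sample input: driver lines copied from the FRST log posted above.
SAMPLE = r"""
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [449640 2016-10-31] (AVAST Software)
R2 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
R0 giveio; C:\WINDOWS\System32\giveio.sys [5248 1996-04-03] () [File not signed]
S3 MEMSWEEP2; C:\WINDOWS\system32\43.tmp [6144 2011-08-25] (Sophos Plc) [File not signed]
R0 speedfan; C:\WINDOWS\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider) [File not signed]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S4 IntelIde; no ImagePath
S3 MFE_RR; \??\C:\DOCUME~1\ADMINI~1.UNI\LOCALS~1\Temp\mfe_rr.sys [X]
S0 wgptk; System32\drivers\nfqida.sys [X]
S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.score:2d}  start={f.start} {f.name:<10} {f.path}")
        for why in f.reasons:
            print(f"      - {why}")
```

Run it against a whole FRST.txt and the two random-named `[X]` entries and the `%TEMP%` driver float to the top, the unsigned-but-known tools (giveio, MagicTune, the Sophos `43.tmp` memory sweeper) land at the threshold as "look, then whitelist", and the signed vendor drivers drop out. A missing image file is scored highest on purpose: the entry is still a pointer to what was loaded at boot before the file went away, which is exactly the trail a hidden or already-cleaned driver leaves behind.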


#3 i4004

Posted 02 November 2016 - 08:59 PM

ok, some new developments here: tried another video card, worked a bit, then BSODs returned. put service pack 3, BSOD changed (0x0000007E).

tried to zero-fill the hdd, no dice, seatools just says it "failed" (other than that the hdd doesn't show any signs of problems, no bad sectors, passes seatools' other tests, passes hdd regenerator check, can erase MBR etc.)


took another hdd, loaded the above-mentioned disk image, and got to the desktop, but the hourglass symbol is all that's working; adjusted BIOS (was in AHCI mode, probably it defaults to it for a 'new' drive), disconnected the optical drive, rebooted, and i finally have a working OS again.


now for the interesting twist and my guesstimate of what really happened here: there is a rootkit in that image i was restoring! i.e. the same rootkit that mbam found a few days ago.


[screenshot attached: acronis_2016-11-03_002805_zps3picpo6c.jp]


but on its own this rootkit is not crashing the system (after all, that's a disk image from may this year and i used the pc the whole time), but when something damaged avast (perhaps lack of xp sp3, perhaps the rootkit itself, perhaps disk filesystem problems) all hell breaks loose and one can't remove avast (for example, one event viewer event

Event Type:	Error
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7026
Date:		2.11.2016
Time:		21:05:13
User:		N/A
Computer:	ASUS
Description:
The following boot-start or system-start driver(s) failed to load: 
AsIO
aswRvrt
aswSnx
aswSP
aswVmm
ESProtectionDriver
Fips
intelppm

).

probably because half of avast was missing. tried "avastclear.exe" early on, it just hangs.
 

avast is now not starting at all ("The Avast Antivirus service failed to start due to the following error:
The system cannot find the path specified.") so it's not partially damaged anymore, it's no more, so no BSODs. removed the rootkit with MBAM (again <wink>), here's how frst looks now with a working system (i'll probably need to remove avast completely by hand):


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2016
Ran by izi-2 (administrator) on ASUS (03-11-2016 01:06:21)
Running from C:\MyDokumenta2\rootkit adventures2
Loaded Profiles: izi-2 (Available Profiles: izi-2)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
() C:\PROGRA~1\SCROLL~1\MouseElf.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Wacom Technology, Corp.) C:\WINDOWS\system32\Tablet.exe
(Hyperionics Technology LLC) C:\Program Files\FileBX\FileBX.exe
(Wacom Technology, Corp.) C:\WINDOWS\system32\WTablet\TabUserW.exe
(Wacom Technology, Corp.) C:\WINDOWS\system32\Tablet.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(SAMSUNG) C:\Program Files\SEC\MagicTune 2.5\MagicTune.exe
(FastStone Soft) C:\Program Files\FastStone Capture\FSCapture.exe
(Mozilla Corporation) E:\Firefox40\firefox.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [KernelFaultCheck] => %systemroot%\system32\dumprep 0 -k
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [18077696 2008-12-23] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [57344 2008-06-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [mouseElf] => C:\Program Files\Scroll Mouse\MouseElf.exe [438364 2005-12-16] ()
HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2508104 2009-11-02] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-04] (CANON INC.)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2622432 2016-01-29] (Malwarebytes Corporation)
HKLM\...\Run: [vmware-tray] => D:\VMware\VMware Workstation\vmware-tray.exe
HKLM\...\Run: [AvastUI.exe] => "K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_SHITBIG\AvastUI.exe" /nogui
HKLM\...\Policies\Explorer: [NoSharedDocuments] 1
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [CDRAutoRun] 1
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\Policies\Explorer: [NoDriveAutoRun] 0x60000000
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\MountPoints2: C - AllwaySync'n'Go.exe -autorun
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\MountPoints2: {a1000fe5-6a54-11e2-947a-001d607096c7} - G:\setupSNK.exe
HKU\S-1-5-21-2000478354-73586283-725345543-500\...\MountPoints2: {b922aea4-79e8-11de-825d-00d0d70bba5b} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_SHITBIG\ashShell.dll No File
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\FileBox eXtender.lnk [2008-09-19]
ShortcutTarget: FileBox eXtender.lnk -> C:\Program Files\FileBX\FileBX.exe (Hyperionics Technology LLC)
BootExecute: autocheck autochk /p \??\O:autocheck autochk *

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{755DDF4B-EB2F-4494-9B33-2930EC276CD9}: [NameServer] 195.29.166.116,195.29.166.117

Internet Explorer:
==================
HKU\S-1-5-21-2000478354-73586283-725345543-500\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/ie
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: FGCatchUrl -> {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} -> C:\Program Files\FlashGet\jccatch.dll [2007-08-06] (www.flashget.com)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_SHITBIG\aswWebRepIE.dll => No File
BHO: FlashGet GetFlash Class -> {F156768E-81EF-470C-9057-481BA8380DBA} -> C:\Program Files\FlashGet\getflash.dll [2007-05-18] (www.flashget.com)
Toolbar: HKU\S-1-5-21-2000478354-73586283-725345543-500 -> No Name - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} -  No File
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 [2016-11-03]
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> hxxps://www.google.com/?gfe_rd=cr&ei=lPezVsjnIMGH8QfyvZ-4DQ&gws_rd=ssl,cr&fg=1
FF NetworkProxy: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109 -> type", 0
FF Extension: (YouTube™ Flash® Player) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\jid1-HAV2inXAnQPIeA@jetpack.xpi [2016-11-02]
FF Extension: (FlashGot) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2016-03-18]
FF Extension: (Video DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-11-02]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-02]
FF Extension: (DownThemAll!) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Mozilla\Firefox\Profiles\naef66wq.default-1454634362109\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2016-04-24]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default [2016-02-08]
FF DefaultSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF SelectedSearchEngine: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> Google
FF Homepage: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default -> www.google.com
FF Extension: (Adblock Latitude) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{016acf6d-e5c0-4768-9376-3763d1ad1978}.xpi [2016-02-08] [not signed]
FF Extension: (DownloadHelper) - C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Moonchild Productions\Pale Moon\Profiles\1fuz2iew.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2015-07-15]
FF ProfilePath: C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\Broad Intelligence\XULPlayer\Profiles\xulplayer [2009-08-01]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_SHITBIG\WebRep\FF => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-18] ()
FF Plugin: @java.com/DTPlugin,version=10.4.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-04-04] (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll [No File]
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=3 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin HKU\S-1-5-21-2000478354-73586283-725345543-500: @tools.google.com/Google Update;version=9 -> C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll [No File]
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2008-06-11] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll [2010-06-05] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npyaxmpb.dll [2007-03-10] (Yahoo! Inc.)
StartMenuInternet: FIREFOX.EXE - E:\Firefox40\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_SHITBIG\WebRep\Chrome\aswWebRepChrome.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [740832 2016-01-29] (Malwarebytes Corporation)
R2 TabletService; C:\WINDOWS\system32\Tablet.exe [942080 2006-09-05] (Wacom Technology, Corp.) [File not signed]
S2 avast! Antivirus; "K:\##_NON_WD320 BAK_NEW STUFF_\aVaST_SHITBIG\AvastSvc.exe" [X]
S2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 rpcapd; "%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini" [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12664 2006-10-18] ()
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [32792 2016-03-22] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [35096 2016-03-23] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [91168 2016-03-22] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-03-22] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [58776 2016-03-22] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [816304 2016-03-22] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [447848 2016-03-22] (AVAST Software)
S3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [171608 2016-03-22] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [67088 2016-03-22] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [221240 2016-03-22] (AVAST Software)
R3 AtcL001; C:\WINDOWS\System32\DRIVERS\atl01_xp.sys [38656 2007-03-14] (Attansic Technology corporation.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R2 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]
S3 DSDrv4; C:\Program Files\DScaler\DSDrv4.sys [8801 2005-12-18] () [File not signed]
S3 epmntdrv; C:\WINDOWS\system32\epmntdrv.sys [14944 2014-11-18] ()
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [50016 2016-01-29] ()
S3 EuGdiDrv; C:\WINDOWS\system32\EuGdiDrv.sys [10208 2014-11-18] ()
S3 FlyPCI; E:\Program Files\SlyDiman\SlyControl2\FlyPCI.sys [4134 2003-10-10] () [File not signed]
R3 genmcmnUSB; C:\WINDOWS\System32\DRIVERS\gflmouhid.sys [6656 2004-04-19] ()
R0 giveio; C:\WINDOWS\System32\giveio.sys [5248 1996-04-03] () [File not signed]
S3 IT9135BDA; C:\WINDOWS\System32\Drivers\IT9135BDA.sys [145280 2011-10-19] (ITE                      )
R3 LVCap138; C:\WINDOWS\System32\DRIVERS\tvcap.sys [301568 2004-10-27] (Philips) [File not signed]
R3 lvtuner; C:\WINDOWS\System32\DRIVERS\lvtuner.sys [14464 2004-10-20] (Animation Technologies Inc.) [File not signed]
R1 MagicTune; C:\WINDOWS\system32\drivers\MTictwl.sys [12062 2004-10-11] () [File not signed]
S3 MPE; C:\WINDOWS\System32\DRIVERS\MPE.sys [15360 2004-08-03] (Microsoft Corporation)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
S3 nm; C:\WINDOWS\System32\DRIVERS\NMnt.sys [40320 2002-12-31] (Microsoft Corporation)
S3 NPF; C:\WINDOWS\System32\drivers\npf.sys [35088 2010-06-25] (CACE Technologies, Inc.)
S3 pwdrvio; C:\WINDOWS\system32\pwdrvio.sys [15688 2013-09-30] ()
S3 pwdspio; C:\WINDOWS\system32\pwdspio.sys [10320 2013-09-30] ()
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20640 2005-03-11] (Sonic Solutions) [File not signed]
S2 RadPciNT; C:\WINDOWS\system32\Drivers\RadPciNT.sys [9417 2000-04-24] (MediaForte Products Pte. Ltd.) [File not signed]
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2002-12-31] ()
S3 SKYNET; C:\WINDOWS\System32\DRIVERS\SkyNET.SYS [349184 2006-03-13] (B2C2, Inc.) [File not signed]
S3 SliceDisk5; C:\Program Files\A-FF Find and Mount\slicedisk.sys [26192 2011-02-25] (Atola) [File not signed]
R0 speedfan; C:\WINDOWS\System32\speedfan.sys [5248 2006-09-24] (Windows ® 2000 DDK provider) [File not signed]
R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [359040 2009-06-28] (Microsoft Corporation) [File not signed]
R0 viamraid; C:\WINDOWS\System32\DRIVERS\viamraid.sys [60672 2004-07-06] (VIA Technologies inc,.ltd)
S3 CrystalSysInfo; \??\C:\Program Files\MediaCoder\SysInfo.sys [X]
S4 IntelIde; no ImagePath
U4 NVSvc; no ImagePath
U3 SCardDrv; no ImagePath
U4 uploadmgr; no ImagePath
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2027-11-27 04:34 - 2027-11-27 04:34 - 00000000 ____D C:\My Music
2027-11-27 03:16 - 2027-11-27 03:16 - 00000000 __SHD C:\RECYCLED
2027-11-27 03:14 - 2027-11-27 03:14 - 00000000 ____D C:\My PixAround
2027-11-27 03:12 - 2007-11-20 22:56 - 00000324 ____H C:\Config.sys
2027-11-27 02:57 - 2027-11-27 02:57 - 00000244 _____ C:\Config.ctl
2027-11-27 02:49 - 2027-11-27 02:49 - 00000000 ____D C:\My Documents
2027-11-27 02:47 - 2027-11-27 02:47 - 00140676 ___SH C:\SETUPLOG.OLD
2027-11-27 02:47 - 2027-11-27 02:47 - 00011195 ___SH C:\NETLOG.TXT
2016-11-03 01:06 - 2016-11-03 01:06 - 00000000 ____D C:\FRST
2016-11-03 00:01 - 2016-11-03 00:01 - 00020230 _____ C:\Archive.rar
2016-11-02 23:44 - 2016-11-02 23:45 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-11-02 23:44 - 2016-11-02 23:44 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-11-02 23:44 - 2016-11-02 23:44 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-11-02 23:44 - 2016-11-02 23:44 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-11-02 23:44 - 2016-03-10 14:09 - 00123264 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-11-02 23:44 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-11-02 22:58 - 2016-11-02 22:58 - 00000000 __SHD C:\WINDOWS\CSC

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-03 01:06 - 2011-09-28 17:49 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Temp
2016-11-03 00:58 - 2008-08-30 07:15 - 00000000 ____D C:\MyDokumenta2
2016-11-03 00:29 - 2008-12-29 20:43 - 00001652 _____ C:\WINDOWS\I_VIEW32.INI
2016-11-03 00:23 - 2016-03-22 04:02 - 00000330 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-11-03 00:23 - 2008-01-12 02:13 - 00000000 ____D C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\WTablet
2016-11-03 00:23 - 2008-01-12 02:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-11-03 00:15 - 2008-01-12 02:05 - 00032442 _____ C:\WINDOWS\SchedLgU.Txt
2016-11-03 00:15 - 2008-01-12 02:05 - 00000178 ___SH C:\Documents and Settings\Administrator.UNIMATRIX001\ntuser.ini
2016-11-02 23:02 - 2013-12-19 23:19 - 00527856 _____ C:\WINDOWS\ntbtlog.txt
2016-11-02 22:49 - 2008-01-12 01:49 - 00458340 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2016-11-02 22:48 - 2015-12-27 19:59 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Exploit
2016-11-02 22:47 - 2002-12-31 11:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl

==================== Files in the root of some directories =======

2008-01-12 21:19 - 2007-11-14 20:04 - 0037941 ____C () C:\Program Files\FLV_Extract.zip
2014-02-27 03:16 - 2014-02-27 03:16 - 0000000 _____ () C:\Program Files\GUT3A7.tmp
2008-12-30 17:40 - 2008-12-21 20:44 - 1379392 ____C () C:\Program Files\VirtualDub-1.8.7.zip
2009-08-01 16:57 - 2009-08-01 16:57 - 0000099 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\MPUI.ini
2009-06-16 19:48 - 2016-03-09 01:36 - 63358644 ____C () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Log
2009-06-24 22:32 - 2016-03-09 01:35 - 0000477 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Application Data\VideoReDo.Vprj
2008-01-12 21:20 - 2016-05-02 01:50 - 0034816 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-18 00:35 - 2010-07-28 23:49 - 0000334 _____ () C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\magnifier.ini
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LmeUSB.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000425 _____ () C:\Documents and Settings\All Users\Application Data\LmeZJSW.log
2013-03-31 04:53 - 2013-05-02 03:19 - 0000436 _____ () C:\Documents and Settings\All Users\Application Data\LSDmbTH.log
2009-08-04 05:03 - 2011-04-27 18:31 - 0001373 ____C () C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================
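Added here as an editor's example, not code from FRST or from the poster: a small Python triage pass over Services/Drivers lines in the format of the log above. It flags the entries a responder would check first, namely keys with no ImagePath, paths whose file is gone (FRST's `[X]` marker) and unsigned binaries with no vendor string; the sample lines are copied from the log above.

```python
import re

# Added editor's example, not FRST's own code. Parses Services/Drivers lines
# in the shape seen in the log above, e.g.
#   S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]
# Prefix: R=running, S=stopped, U=unknown; digit = start type (0 boot .. 4 disabled).
ENTRY = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
DETAILS = re.compile(r"^(?P<path>.+?)\s+\[\d+\s+\d{4}-\d{2}-\d{2}\]"
                     r"(?:\s+\((?P<vendor>[^)]*)\))?(?P<flags>.*)$")

def parse_entry(line):
    """Return a dict for one entry, or None if the line is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rec = dict(state=m["state"], name=m["name"].strip(), path=None,
               vendor=None, unsigned=False, missing=False)
    rest = m["rest"].strip()
    if rest == "no ImagePath":        # orphaned service key, no binary at all
        rec["missing"] = True
    elif rest.endswith("[X]"):        # FRST's marker: path set, file is gone
        rec["missing"], rec["path"] = True, rest[:-3].strip().strip('"')
    elif (d := DETAILS.match(rest)):
        rec["path"] = d["path"]
        rec["vendor"] = (d["vendor"] or "").strip() or None
        rec["unsigned"] = "File not signed" in d["flags"]
    else:
        rec["path"] = rest
    return rec

def triage(lines):
    """Map entry name -> reasons a responder should look at it before the rest."""
    findings = {}
    for rec in filter(None, map(parse_entry, lines)):
        reasons = []
        if rec["missing"]:
            reasons.append("file missing" if rec["path"] else "no ImagePath")
        if rec["unsigned"] and not rec["vendor"]:
            reasons.append("unsigned, no vendor")
        if reasons:
            findings[rec["name"]] = reasons
    return findings

# Sample lines copied from the log above (one clean AVAST entry as a negative case).
SAMPLE = [
    r"R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [447848 2016-03-22] (AVAST Software)",
    r"R2 DLPortIO; C:\WINDOWS\System32\DRIVERS\DLPortIO.sys [3584 1999-01-10] () [File not signed]",
    r"S2 zmatfkbg; \??\C:\WINDOWS\system32\drivers\wwqca.sys [X]",
    r"S4 IntelIde; no ImagePath",
]
```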




#4 i4004

i4004

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 03 November 2016 - 06:46 PM

to end this saga: i tried to zero-fill the old drive once again, this time successfully with an older version of seatools for dos, copied the disk image to it, and guess what, BSODs came back.

so scrap all of the above, it was a failing hdd issue, purely a hardware problem.

in all my time fixing pcs i've never seen anything like this case; usually one can recognize a failing drive by event viewer in win, SMART parameters, hdd test programs, CHKDSK etc.

not so here. although the STOP:0x000000F4 BSOD is usually connected to the hdd subsystem of the pc (ie cables, hdd or controller), i was also getting other BSODs (the last one was C0000145) and the old disk passed all tests without problems. i've left it (removed from the machine) with the STOP: c000021a BSOD, and that one has nothing to do with hardware at all.

but there you go, the best test for a hardware component is to swap it for a known good piece.

this thread now belongs in the hardware section of the forum.

cheers



#5 Rocket Grannie

Rocket Grannie

    SWI Australian Rebel

  • Administrators
  • PipPipPipPipPip
  • 7,812 posts

Posted 03 November 2016 - 09:07 PM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.


My help is free, but if you wish to help keep these forums running please consider a donation, see here for details.

#6 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 14,388 posts

Posted 18 November 2016 - 04:45 PM

Reopened at request of topic owner.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005


#7 i4004

i4004

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 18 November 2016 - 05:16 PM

the BSOD originally mentioned ( STOP: c000021a {Fatal system error} Windows subsystem system process terminated unexpectedly with a status of 0x0000005...... ) reappeared again ( :mellow: ).

yeap, it did, and it was present at every boot. so i started reading about it again (mostly re-reading, frankly)....found a thread (on thg uk) that mentions a faulty monitor as the cause of 021a and 0F4 bsod's, both of which i originally had, but no dice, i have STOP: c000021a with a different monitor too.

so i revisited this

http://www.bleepingc...rror/?p=1301690

and i re-read this

http://www.updatexp....0xC0000005.html

namely this part:

    0xC0000005 - Resolution Suggestion Two:

    In Windows XP Service Pack 2 Microsoft introduced Data execution prevention (DEP), a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits. In Windows XP SP2, DEP is enforced by both hardware and software.

    Some software/application behaviours are incompatible with DEP - data execution prevention. Applications which perform dynamic code generation (such as Just-In-Time code generation) and that do not explicitly mark generated code with Execute permission might have compatibility issues with data execution prevention. Applications which are not built with SafeSEH must have their exception handlers located in executable memory regions.



and i remembered i have "Malwarebytes Anti-Exploit" (MBAE) installed and some of its options mention DEP things. uninstalled it (from safe mode) and then the pc booted normally.
now to try a few explanations: windows 2000 is working because it doesn't have MBAE installed. safe mode is working because it doesn't load MBAE. if i were to install linux it would also probably work, because there would be no MBAE installed.
this program is set to update automatically, so a particular update probably has a bug that affects XP.

another thing: i have MBAE installed on another machine (XP, Home version) and there are no problems there. that machine doesn't have avast installed. i uninstalled avast from there because it was slowing internet traffic to a standstill. so i feel avast interacts in some way with MBAE.

i will probably now put back the old disk, and clone this one to it.

this will probably be the end of this BSOD, but if it reappears, i will reopen the thread again and troubleshoot it, the machine will not win, i will!
