My computer was running slow, taking a long time to restart or shut down, I was being redirected when clicking on links, and I was having errors in Outlook Express. I run XP SP3 Professional and had never been in Safe Mode, but managed to get there and run several scans. SuperAntiSpyware found 5 critical registry items called Rogue.Component/Trace and my Norton found a Trojan.Gen.2. After removing these I ended up with a computer with a LOT of problems. After rebooting, my desktop files, folders, etc. had disappeared (and I had a lot of stuff on there), my menu bar at the bottom was all different, my desktop picture was not the same, and I had lost EVERY BIT of email (which makes me sick to my stomach). As a matter of fact, Outlook Express is 100% totally empty, like it was a new computer, no address book or anything (what a mess).

I've been reading a lot and running various scans since then, including Kaspersky TDSSKiller (anti-rootkit utility), which found 0. I then ran Comodo Cleaning Essentials, which found 1 item, ABNORMAL SYSTEM SETTINGS MODIFIED HOSTS, which I DID NOT remove, as they say Comodo gives false positives, so I was afraid to delete it. I'd like to know if I can remove that!! I ran Malwarebytes Anti-Rootkit and its companion program fixdamage.exe (which found 0). I just finished running RogueKiller.exe and it found a lot of stuff.

Not being knowledgeable enough to know what is what, I'm posting the result of the scan and begging for help in determining what is good and should stay and what is nasty stuff. I use my computer to earn money, so after 5 full days of scanning and crying and praying I'm hoping to get this cleared up quickly. Thank you so much to whoever takes on this task for me!
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Administrator [Administrator]
Mode : Scan -- Date : 12/08/2014 17:09:21
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 17 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839} -> Found
[PUP] HKEY_CLASSES_ROOT\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CCE : "C:\Documents and Settings\TEMP\Desktop\CCE\CCE.exe" -showlog -> Found
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:2883;https=127.0.0.1:2883; -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:2883;https=127.0.0.1:2883; -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hp.com -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hp.com -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hp.com -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-2423455794-1845874516-3463538204-500\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hp.com -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hp.com -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-2423455794-1845874516-3463538204-500\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[12] : Unknown @ 0x8a071ae8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[13] : Unknown @ 0x8a071b80
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[17] : Unknown @ 0x8a082290
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[19] : Unknown @ 0x8a0a2750
[SSDT:Addr(Hook.SSDT)] NtConnectPort[31] : Unknown @ 0x8a18ca48
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[43] : Unknown @ 0x8a0d2b10
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[52] : Unknown @ 0x8a0a2600
[SSDT:Addr(Hook.SSDT)] NtCreateThread[53] : Unknown @ 0x8a0832e8
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[57] : Unknown @ 0x8a0d47f0
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[68] : Unknown @ 0x8a144850
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[83] : Unknown @ 0x8a0cc2c8
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[89] : Unknown @ 0x8a0719f8
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[91] : Unknown @ 0x8a071a50
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[97] : Unknown @ 0x8a18d330
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[108] : Unknown @ 0x8a060c88
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[114] : Unknown @ 0x8a0d2a78
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[122] : Unknown @ 0x8a0a22f8
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[123] : Unknown @ 0x8a082338
[SSDT:Addr(Hook.SSDT)] NtOpenSection[125] : Unknown @ 0x8a0d4940
[SSDT:Addr(Hook.SSDT)] NtOpenThread[128] : Unknown @ 0x8a1448d8
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[137] : Unknown @ 0x8a0a26a8
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[180] : Unknown @ 0x8a050d58
[SSDT:Addr(Hook.SSDT)] NtResumeThread[206] : Unknown @ 0x8a144328
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[213] : Unknown @ 0x8a060af0
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[228] : Unknown @ 0x8a060b88
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[240] : Unknown @ 0x8a0d4888
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[253] : Unknown @ 0x8a0d49b8
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[254] : Unknown @ 0x8a1443c0
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[257] : Unknown @ 0x8a0a2220
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[258] : Unknown @ 0x8a144458
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[267] : Unknown @ 0x8a060c10
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[277] : Unknown @ 0x8a0cc350
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[307] : Unknown @ 0x8a0464e8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[383] : Unknown @ 0x8a6f4768
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[414] : Unknown @ 0x8a077260
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[416] : Unknown @ 0x8a050a80
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[428] : Unknown @ 0x8a050a38
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[460] : Unknown @ 0x8a0764c0
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[475] : Unknown @ 0x8a155370
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[476] : Unknown @ 0x8a0e6cc8
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[549] : Unknown @ 0x8a084308
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[552] : Unknown @ 0x8a046410
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\pfc @ Unknown (\SystemRoot\system32\drivers\pfc.sys)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \FileSystem\DLACDBHM @ Unknown (\SystemRoot\System32\Drivers\DLACDBHM.SYS)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKS-60YGA1 +++++
--- User ---
[MBR] c7c87535219689c94c1db173bbb61bec
[BSP] 5552c0dc4191488df4a64307c8144b31 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 466677 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 955771110 | Size: 10244 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Lexmark USB Mass Storage USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
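The Registry section of a RogueKiller log uses one line per finding in a fixed shape, `[Category] Key | ValueName : Data -> Status`, so the entries can be parsed and sorted mechanically before anyone decides what to delete. The script below is an added example, not code from the original post or from Adlice's RogueKiller. The sample lines are copied from the log above, the line format is inferred from those lines, and the severity rules are this example's own assumptions (a ProxyServer pointing at 127.0.0.1, an autorun path under a TEMP profile, the hidden My Computer CLSID), meant as a starting checklist rather than a verdict on any entry.

```python
"""Parse and triage the Registry section of a RogueKiller log.

Added example; not code from the original post or from RogueKiller itself.
The sample lines are copied from the posted log; the triage rules are this
example's assumptions about which findings deserve a closer look first.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the "Registry" section of the posted log.
SAMPLE_LOG = r'''
[PUP] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | CCE : "C:\Documents and Settings\TEMP\Desktop\CCE\CCE.exe" -showlog -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:2883;https=127.0.0.1:2883; -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.hp.com -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
'''

# One finding per line: "[Category] Key | ValueName : Data -> Status".
# The "| ValueName : Data" part is absent for bare-key findings such as [PUP] CLSIDs.
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\] (?P<key>[^|]+?)"
    r"(?: \| (?P<name>.+?) : (?P<data>.*?))? -> (?P<status>\w+)$"
)

# Well-known shell-folder CLSID; setting it to 1 under HideDesktopIcons hides My Computer.
MY_COMPUTER_CLSID = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"


@dataclass
class Finding:
    category: str
    key: str
    name: Optional[str]
    data: Optional[str]
    status: str


def parse_registry_findings(text: str) -> list:
    """Return a Finding for every line in the registry format; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def triage(f: Finding) -> tuple:
    """Return (severity, reason) for one finding. Rules are this example's assumptions."""
    data = f.data or ""
    if f.category == "PUM.Proxy" and f.name == "ProxyServer" and "127.0.0.1" in data:
        return "high", "browser traffic routed through a local listener; identify the process owning that port"
    if f.category == "PUM.Proxy" and f.name == "ProxyEnable" and data == "1":
        return "medium", "system proxy switched on; read together with the ProxyServer value in the same hive"
    if f.category == "Suspicious.Path" and "\\TEMP\\" in data.upper():
        return "medium", "autorun under a TEMP profile; on XP that profile is the fallback used when the real one fails to load"
    if f.category == "PUM.DesktopIcons" and f.name == MY_COMPUTER_CLSID and data == "1":
        return "medium", "My Computer desktop icon hidden via HideDesktopIcons"
    if f.category == "PUP":
        return "low", "unknown CLSID; look up what it registers before deleting"
    if f.category == "PUM.HomePage":
        return "info", "home page setting; an OEM default such as the vendor site is normal"
    return "info", "no rule matched"


def triage_log(text: str) -> list:
    """Parse the log and pair each finding with its (severity, reason)."""
    results = []
    for f in parse_registry_findings(text):
        severity, reason = triage(f)
        results.append((severity, f, reason))
    return results


if __name__ == "__main__":
    for severity, f, reason in triage_log(SAMPLE_LOG):
        print(f"{severity:6} [{f.category}] {f.name or f.key}: {reason}")
```

Run it against a saved RogueKiller report by passing the file contents to `triage_log`; the hive in each key (`.DEFAULT`, `S-1-5-18`, a user SID) tells you which profile a proxy or home-page change applies to, so the same value can show up once per hive as it does in the log above.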