Windows XP SP2 malware removal help

Howdy and welcome to BestTechie !!!  

My name is flashh4 (Chuck) and I will be assisting you with the cleaning/help of your computer.

Can you tell me what the processes are ??

=========================================

If you are wanting to clean your computer please run these programs & post the logs !!

Run these 1 at a time & post each log as you get it ! Work them as your time permits you to !!

If you don't understand something, please don't hesitate to ask for clarification before proceeding !!! You can PM me if you need to !!

Perform all actions in the order given.

Please stay with us until we give you the "All Clean Speech"! Just because the problem has stopped it may still need some clean-up !  

Do Not Remove anything or run any tools/programs until advised to do so !


Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections.  

If you think you have similar problems, please post a log in the Malware Removal forum and wait for help.  

===================================

AdwCleaner

Please download adwcleaner by Xplode onto your desktop.
Double click on AdwCleaner.exe to run the tool again.
    Windows XP : Double click on the icon to run it.
    Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"

    * Click on the Scan button.
    * AdwCleaner will begin to scan your computer like it did before.
    * After the scan has finished, this time click on the "Clean" button.
    * Press OK when asked to close all programs and follow the onscreen prompts.
    * Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    * After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
    * Copy and paste the contents of that logfile in your next reply.
    * A copy of that logfile will also be saved in the C:\AdwCleaner folder.

NEXT

Please download Junkware Removal Tool and save to your desktop.

Shut down your protection software now to avoid potential conflicts.

    * Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    * The tool will open and start scanning your system.
    * Please be patient as this can take a while to complete depending on your system's specifications.
    * On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    * Post the contents of JRT.txt into your next reply !

Re-Boot your computer now !!

 

Thanks

Chuck


Hi Chuck,

The processes I do not recognize are nvsvc32.exe, rundll32.exe and tw_w32.exe. In addition, there is a videobeach program I cannot uninstall from "add and remove programs" in control panel. I have run an antivirus scan and it put a video beach file in quarantine. When the system is starting up, it shows an error because it could not find videobeach.dll.

I have run adwcleaner and jrt.exe. I still cannot open firefox and the system still freezes.

Next, the logs:

Adwcleaner

# AdwCleaner v5.026 - Registro generado 23/12/2015 en 16:27:48
# Actualizado 21/12/2015 por Xplode
# Base de datos : 2015-12-23.1 [Servidor]
# Sistema operativo : Microsoft Windows XP Service Pack 2 (x86)
# Nombre de usuario : DynoPos - CAJA1
# Ejecutado desde : E:\Luigis\adwcleaner_5.026.exe
# Opción : Limpiar
# Apoyo : http://toolslib.net/forum

***** [ Servicios ] *****

[-]  Eliminar : globalUpdate
[-]  Eliminar : globalUpdatem

***** [ Carpetas ] *****

[-] Carpeta Eliminar : C:\Archivos de programa\globalUpdate
[-] Carpeta Eliminar : C:\Documents and Settings\DynoPos\Configuración local\Datos de programa\globalUpdate

***** [ Archivos ] *****


***** [ DLLs ] *****


***** [ Accesos directos ] *****


***** [ Tareas programadas ] *****

[-] Tarea Eliminar : globalUpdateUpdateTaskMachineCore
[-] Tarea Eliminar : globalUpdateUpdateTaskMachineUA
[-] Tarea Eliminar : c9d77c59-0ff5-4036-8806-71115fd01f45-1
[-] Tarea Eliminar : c9d77c59-0ff5-4036-8806-71115fd01f45-11
[-] Tarea Eliminar : c9d77c59-0ff5-4036-8806-71115fd01f45-2
[-] Tarea Eliminar : c9d77c59-0ff5-4036-8806-71115fd01f45-3
[-] Tarea Eliminar : c9d77c59-0ff5-4036-8806-71115fd01f45-4
[-] Tarea Eliminar : c9d77c59-0ff5-4036-8806-71115fd01f45-5
[-] Tarea Eliminar : globalUpdateUpdateTaskMachineCore
[-] Tarea Eliminar : globalUpdateUpdateTaskMachineUA

***** [ Registro ] *****

[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdate.OneClickCtrl.10
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdate.OneClickProcessLauncherMachine.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdate.Update3WebControl.4
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoCreateAsync.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreClass.1
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CoreMachineClass.1
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.CredentialDialogMachine.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachine.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassMachineFallback.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.OnDemandCOMClassSvc.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.ProcessLauncher.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3COMClassService.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachine.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebMachineFallback.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdateUpdate.Update3WebSvc.1.0
[-] Llave Eliminar : HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=10
[-] Llave Eliminar : HKLM\SOFTWARE\MozillaPlugins\@staging.google.com/globalUpdate Update;version=4
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CrossriderApp0059570.BHO
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CrossriderApp0059570.BHO.1
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CrossriderApp0059570.Sandbox
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CrossriderApp0059570.Sandbox.1
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{02A96331-0CA6-40E2-A87D-C224601985EB}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{CFC47BB5-5FB5-4AD0-8427-6AA04334A3FC}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{E0ADB535-D7B5-4D8B-B15D-578BDD20D76A}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{A8F7D0A5-7074-40B8-9BDC-1174BDD0A132}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{D14D64BC-A0E4-42E3-BB72-FB41EA43C198}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{DD1F043F-ABC8-4643-8B95-D2C5B22BB019}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{E3F3E8F9-F747-4DD6-BA6B-82A6CE1E0860}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{ED0B64D4-BF27-4521-AD27-190F49BF5EA7}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{023E9EC8-B147-40EB-B0B3-DF90618FB371}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{0522D9A4-4D57-437D-978D-E5B3B6C9005D}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{07F41522-AF7D-4F26-B394-094F059FDB8A}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{0C40F472-7407-4467-8914-1DEA7C326972}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{212E6D43-6062-492A-B8CC-144669FF11ED}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{224FE662-1E6D-4BC0-AEBB-9E2FB4057BE9}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{3A807417-B46D-4D37-8C9A-19AC6DE204F9}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{3CC60715-D6C5-429D-830E-43FA3F86C61D}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{4517D94C-19BA-46FA-BE66-2A30CEAC4A85}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{555D7146-94A8-4C94-AE76-C39CDC7F7705}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{59D188FA-757A-424E-8C93-F58FFD896BD7}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{8120D9D6-785C-4413-9C0C-DF2028C56FAD}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{823AE2EB-E62C-4847-B192-C99B91B92416}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{9B4F7CFE-987D-410E-A8E4-20182E0B3C24}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{9B9A45F4-18FC-484A-BACA-076D78273D8E}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{A6D54287-7939-466A-8579-92546D946C8C}
[-] Llave Eliminar : HKLM\SOFTWARE\Classes\Interface\{A78EDAFB-926F-4D93-AB13-8232D7378EB1}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
[-] Llave Eliminar : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7b68a327-e387-497f-88c4-10cba8eb048d}
[-] Llave Eliminar : HKCU\Software\Crossrider
[-] Llave Eliminar : HKCU\Software\GlobalUpdate
[-] Llave Eliminar : HKCU\Software\Iminent
[-] Llave Eliminar : HKCU\Software\InstalledBrowserExtensions
[-] Llave Eliminar : HKCU\Software\Softonic
[-] Llave Eliminar : HKLM\SOFTWARE\Description
[-] Llave Eliminar : HKLM\SOFTWARE\GlobalUpdate
[-] Llave Eliminar : HKLM\SOFTWARE\InstalledBrowserExtensions
[-] Llave Eliminar : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9563BC59-9556-4805-8CD4-886781779D8D}

***** [ Navegadores Web ] *****

[-] [C:\Documents and Settings\DynoPos\Datos de programa\Mozilla\Firefox\Profiles\9pqeunus.default\prefs.js] [Preference] Eliminar : user_pref("extensions.a0b105cbff1eb40b89bca7dae371d7ead239035fb4613ab38efcom61762.61762.internaldb.__ICM_LITE__blacklist_domain.value", "%7B%22SLIDERS%22%3A%5B%226pm.com%22%2C%22amazon.co.uk%22%2C%22a[...]
[-] [C:\Documents and Settings\DynoPos\Datos de programa\Mozilla\Firefox\Profiles\9pqeunus.default\prefs.js] [Preference] Eliminar : user_pref("extensions.a0b105cbff1eb40b89bca7dae371d7ead239035fb4613ab38efcom61762.61762.internaldb.monetization_plugin_bundledUrls.value", "%7B%22dealply_s%22%3A%7B%22urls%22%3A%5B%22ssfiles.com%22%5D[...]
[-] [C:\Documents and Settings\DynoPos\Datos de programa\Mozilla\Firefox\Profiles\9pqeunus.default\prefs.js] [Preference] Eliminar : user_pref("extensions.a3446275a54774d33bd0d44b466c519cd4bf28e2458334fb888c3cd8403bb6141com59570.59570.internaldb.__ICM_LITE__blacklist_domain.value", "%7B%22SLIDERS%22%3A%5B%226pm.com%22%2C%22amazon.c[...]
[-] [C:\Documents and Settings\DynoPos\Datos de programa\Mozilla\Firefox\Profiles\9pqeunus.default\prefs.js] [Preference] Eliminar : user_pref("extensions.a3446275a54774d33bd0d44b466c519cd4bf28e2458334fb888c3cd8403bb6141com59570.59570.internaldb.monetization_plugin_bundledUrls.value", "%7B%22dealply_s%22%3A%7B%22urls%22%3A%5B%22ssf[...]
[-] [C:\Documents and Settings\DynoPos\Datos de programa\Mozilla\Firefox\Profiles\9pqeunus.default\prefs.js] [Preference] Eliminar : user_pref("extensions.crossrider.bic", "147364b33ba1326439f98ec2b3161117");

*************************

:: Llaves "Tracing" removidas
:: Winsock Configuración borrada

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [11315 bytes] ##########

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Microsoft Windows XP x86
Ran by DynoPos (Administrator) on 23/12/2015 at 16:36:48,93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 


File System: 5

Successfully deleted: C:\Documents and Settings\DynoPos\Datos de programa\Mozilla\Firefox\Profiles\9pqeunus.default\extensions\staged (Folder)
Successfully deleted: C:\WINDOWS\Tasks\At1.job (Task)
Successfully deleted: C:\WINDOWS\Tasks\At2.job (Task)
Successfully deleted: C:\WINDOWS\Tasks\At3.job (Task)
Successfully deleted: C:\WINDOWS\Tasks\At4.job (Task)

Deleted the following from C:\Documents and Settings\DynoPos\Datos de programa\Mozilla\Firefox\Profiles\9pqeunus.default\prefs.js
user_pref(extensions.a0b105cbff1eb40b89bca7dae371d7ead239035fb4613ab38efcom61762.61762.internaldb.__ICM_LITE__fifty_test_rules.value, %7B%22DE%22%3A%7B%22ALL%22%3A%5B%22ana

 

Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)

 


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 23/12/2015 at 16:38:01,81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Best regards

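As an added example (not from this thread, and not AdwCleaner's own code): a small Python parser for the AdwCleaner v5 log layout posted above, which maps the Spanish section headers of this build to English and counts what was removed per section, so a helper who does not read Spanish can review the log. The sample log is a constructed excerpt of the one above; the section-name table is an assumption based on the headers visible in that log.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Spanish AdwCleaner v5 log posted above.
SAMPLE_LOG = r"""# AdwCleaner v5.026 - Registro generado 23/12/2015 en 16:27:48
***** [ Servicios ] *****

[-]  Eliminar : globalUpdate
[-]  Eliminar : globalUpdatem
***** [ Carpetas ] *****

[-] Carpeta Eliminar : C:\Archivos de programa\globalUpdate

***** [ Archivos ] *****

***** [ Tareas programadas ] *****

[-] Tarea Eliminar : globalUpdateUpdateTaskMachineCore
[-] Tarea Eliminar : c9d77c59-0ff5-4036-8806-71115fd01f45-1
***** [ Registro ] *****

[-] Llave Eliminar : HKLM\SOFTWARE\Classes\globalUpdate.OneClickCtrl.10
[-] Llave Eliminar : HKCU\Software\Crossrider
"""

# Section names as printed by this Spanish build (assumed mapping), in English.
SECTIONS = {"Servicios": "Services", "Carpetas": "Folders", "Archivos": "Files",
            "DLLs": "DLLs", "Accesos directos": "Shortcuts", "Tareas programadas": "Scheduled tasks",
            "Registro": "Registry", "Navegadores Web": "Web browsers"}
HEADER_RE = re.compile(r"^\*+ \[ (.+?) \] \*+$")          # ***** [ Section ] *****
ENTRY_RE = re.compile(r"^\[-\]\s+(?:.*?\s)?Eliminar : (.*)$")  # [-] <kind> Eliminar : item

def parse_adwcleaner(text):
    """Return {english_section: [removed items]} for each '[-] ... Eliminar' line."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:  # new section: translate its name and start an (initially empty) list
            section = SECTIONS.get(header.group(1), header.group(1))
            result.setdefault(section, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and section is not None:
            result[section].append(entry.group(1).strip())
    return result

def summarize(parsed):
    """Items removed per section, plus registry keys grouped by hive (HKLM/HKCU)."""
    counts = {sec: len(items) for sec, items in parsed.items()}
    hives = Counter(key.split("\\", 1)[0] for key in parsed.get("Registry", []))
    return counts, dict(hives)
```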

Hi, I do not speak Spanish so this may be a bit difficult !

The processes nvsvc32.exe and rundll32.exe are legit from Microsoft ! Leave them alone !

The process tw_w32.exe I am pretty sure belongs to Team Viewer !

Your logs look good ! You can delete the programs & their logs !

Do you still have the video beach program installed? If so, you can download this program to remove it >>> Revo Uninstaller Free >>> http://www.revouninstaller.com/start_freeware_download.html

Since you are running XP, I hope you are aware it is no longer supported by Microsoft; it is open to hackers, so be very careful !

You are clean as far as I can tell !

Hope I have helped you !

 

Thanks

Chuck
