Infected by .VBS virus from a USB Stick


10 replies to this topic

#1 Roger2016
Posted 26 July 2016 - 02:46 AM

Hi

My computer is infected with a .VBS virus, as reported by Avast AV. Here are the FRST logs and the Addition.txt file as well.

Any help in disinfecting my PC would be welcome.

==============================================================================


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-07-2016
Ran by ASUS (administrator) on YOUR-UE4MT33WYC (26-07-2016 12:36:47)
Running from C:\Documents and Settings\ASUS\Desktop
Loaded Profiles: ASUS (Available Profiles: ASUS)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
() C:\Program Files\ZTEMT UI\bin\MonServiceUDisk.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
(ASUSTeK Computer Inc.) C:\Program Files\EeePC\ACPI\AsTray.exe
(ASUSTeK Computer Inc.) C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
(ASUSTeK Computer Inc.) C:\Program Files\EeePC\ACPI\AsEPCMon.exe
(Intel Corporation) C:\WINDOWS\system32\igfxext.exe
(ELANTECH Devices Corp.) C:\Program Files\Elantech\ETDCTRL.EXE
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
() C:\Program Files\BSNL 3G Data Card\Resource\MCtlSuc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(ASUSTeK Computer Inc.) C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
(Microsoft Corporation) C:\WINDOWS\system32\wbem\unsecapp.exe
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AsusTray] => C:\Program Files\EeePC\ACPI\AsTray.exe [114688 2008-12-05] (ASUSTeK Computer Inc.)
HKLM\...\Run: [AsusACPIServer] => C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe [622592 2008-12-18] (ASUSTeK Computer Inc.)
HKLM\...\Run: [AsusEPCMonitor] => C:\Program Files\EeePC\ACPI\AsEPCMon.exe [94208 2008-05-21] (ASUSTeK Computer Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252136 2011-05-04] (Sun Microsystems, Inc.)
HKLM\...\Run: [ETDWare] => C:\Program Files\Elantech\ETDCtrl.exe [329728 2008-11-24] (ELANTECH Devices Corp.)
HKLM\...\Run: [IMJPMIG8.1] => C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [208952 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [MSPY2002] => C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [59392 2008-04-14] ()
HKLM\...\Run: [PHIME2002ASync] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [PHIME2002A] => C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [455168 2008-04-14] (Microsoft Corporation)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16855040 2008-09-18] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [57344 2008-06-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [MCtlSuc] => C:\Program Files\BSNL 3G Data Card\Resource\MCtlSuc.exe [93184 2010-08-06] ()
HKLM\...\Run: [googletalk] => C:\Program Files\Google\Google Talk\googletalk.exe [3739648 2007-01-02] (Google)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [8900328 2016-07-20] (AVAST Software)
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\Run: [MICROS~1] => wscript.exe //B "C:\DOCUME~1\ASUS\LOCALS~1\Temp\MICROS~1.VBS" <===== ATTENTION
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\MountPoints2: {f39102b6-2a79-11e2-8d48-806d6172696f} - E:\.\Bin\ASSETUP.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-07-20] (AVAST Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk [2009-01-08]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk [2009-01-08]
ShortcutTarget: SuperHybridEngine.lnk -> C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
Startup: C:\Documents and Settings\ASUS\Start Menu\Programs\Startup\MICROS~1.VBS [2013-09-25] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{B93D357B-5232-490F-BB07-F70DECC290FE}: [NameServer] 203.153.41.28 8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.co.in/
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23] (Adobe Systems Incorporated)
BHO: No Name -> {7E853D72-626A-48EC-A868-BA8D5E23E045} -> No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-07-20] (AVAST Software)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17] (Microsoft Corporation)
BHO: Windows Live Toolbar Helper -> {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -> C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-01-07] (Oracle Corporation)
Toolbar: HKLM - Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-1164573532-2673912113-1224111812-1006 -> Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19] (Microsoft Corporation)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll [2007-10-18] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll [2007-10-18] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\ASUS\Application Data\Mozilla\Firefox\Profiles\n2hzf281.default-1468996520453
FF Homepage: hxxps://www.google.co.in
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-20] ()
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll [2013-01-07] (Oracle Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll [2013-01-07] (Oracle Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npdjvu.dll [2012-01-18] (Caminova, Inc.)
FF Extension: NoScript - C:\Documents and Settings\ASUS\Application Data\Mozilla\Firefox\Profiles\n2hzf281.default-1468996520453\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-07-21]
FF Extension: Adblock Plus - C:\Documents and Settings\ASUS\Application Data\Mozilla\Firefox\Profiles\n2hzf281.default-1468996520453\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-07-21]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-07-20]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-07-20]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aspnet_state; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [32768 2004-07-15] (Microsoft Corporation) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-07-20] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [223600 2016-07-20] (AVAST Software)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [161664 2013-01-07] (Oracle Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 UDisk Monitor; C:\Program Files\ZTEMT UI\bin\MonServiceUDisk.exe [512000 2009-12-21] () [File not signed]
S3 usnjsvc; C:\Program Files\Windows Live\Messenger\usnsvc.exe [98328 2007-10-18] (Microsoft Corporation)
S3 WLSetupSvc; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [266240 2007-10-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AR5416; C:\WINDOWS\System32\DRIVERS\athw.sys [1582624 2009-08-11] (Atheros Communications, Inc.)
R3 AsusACPI; C:\WINDOWS\System32\DRIVERS\ASUSACPI.sys [10752 2008-04-09] (ASUSTeK Computer Inc.)
R2 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [34008 2016-07-20] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [35096 2016-07-20] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [91680 2016-07-20] (AVAST Software)
R0 aswNdis; C:\WINDOWS\System32\DRIVERS\aswNdis.sys [12112 2016-07-20] (ALWIL Software)
R0 aswNdis2; C:\WINDOWS\system32\Drivers\aswNdis2.sys [299992 2016-07-20] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-07-20] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [60424 2016-07-20] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [816304 2016-07-20] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [438296 2016-07-20] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [184592 2016-07-20] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [66688 2016-07-20] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [222056 2016-07-20] (AVAST Software)
S3 btaudio; C:\WINDOWS\System32\drivers\btaudio.sys [534568 2008-05-30] (Broadcom Corporation.)
R3 BTDriver; C:\WINDOWS\System32\DRIVERS\btport.sys [37160 2008-02-04] (Broadcom Corporation.)
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [991656 2008-08-19] (Broadcom Corporation.)
S3 BTWDNDIS; C:\WINDOWS\System32\DRIVERS\btwdndis.sys [156816 2008-07-24] (Broadcom Corporation.)
S3 btwhid; C:\WINDOWS\System32\DRIVERS\btwhid.sys [57384 2008-03-10] (Broadcom Corporation.)
S3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [47272 2008-08-19] (Broadcom Corporation.)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R3 Ktp; C:\WINDOWS\System32\DRIVERS\ETD.sys [25216 2008-11-27] (ELANTECH Devices Corp.)
R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [44032 2009-07-27] (Atheros Communications, Inc.)
S3 L1e; C:\WINDOWS\System32\DRIVERS\l1e51x86.sys [38400 2008-09-23] (Atheros Communications, Inc.)
R2 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [123264 2016-03-10] (Malwarebytes)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [24448 2016-03-10] (Malwarebytes)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
S3 u302bus; C:\WINDOWS\System32\DRIVERS\u302bus.sys [119112 2010-07-30] (MCCI Corporation)
S3 u302mdfl; C:\WINDOWS\System32\DRIVERS\u302mdfl.sys [14920 2010-07-30] (MCCI Corporation)
S3 u302mdm; C:\WINDOWS\System32\DRIVERS\u302mdm.sys [135880 2010-07-30] (MCCI Corporation)
S3 u302mgmt; C:\WINDOWS\System32\DRIVERS\u302mgmt.sys [129992 2010-07-30] (MCCI Corporation)
S3 ztemtusbser; C:\WINDOWS\System32\DRIVERS\CT_ZTEMT_U_USBSER.sys [104704 2009-11-25] (ZTEMT Incorporated)
S4 IntelIde; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-26 12:36 - 2016-07-26 12:37 - 00013933 _____ C:\Documents and Settings\ASUS\Desktop\FRST.txt
2016-07-26 12:35 - 2016-07-26 12:36 - 00000000 ____D C:\FRST
2016-07-26 12:35 - 2016-07-26 12:35 - 01744384 _____ (Farbar) C:\Documents and Settings\ASUS\Desktop\FRST.exe
2016-07-22 15:21 - 2016-07-26 12:25 - 00000000 ____D C:\Backup
2016-07-20 11:32 - 2016-07-20 12:17 - 00000000 ____D C:\AdwCleaner
2016-07-20 11:07 - 2016-07-22 15:47 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-07-20 11:07 - 2016-07-20 11:11 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2016-07-20 11:07 - 2016-07-20 11:11 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-07-20 11:07 - 2016-07-20 11:11 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-07-20 11:07 - 2016-07-20 11:07 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2016-07-20 11:07 - 2016-03-10 14:09 - 00123264 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-07-20 11:07 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-07-20 09:55 - 2016-07-20 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVAST Software
2016-07-20 09:51 - 2016-07-20 09:49 - 00299992 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswNdis2.sys
2016-07-20 09:50 - 2016-07-20 08:14 - 00319248 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-07-20 09:49 - 2016-07-20 09:49 - 00012112 _____ (ALWIL Software) C:\WINDOWS\system32\Drivers\aswNdis.sys
2016-07-20 08:31 - 2016-07-20 08:31 - 00000000 ____D C:\Program Files\Common Files\Skype
2016-07-20 08:31 - 2016-07-20 08:31 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
2016-07-20 08:31 - 2016-07-20 08:31 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Skype
2016-07-20 08:30 - 2016-07-20 08:31 - 00000000 ___RD C:\Program Files\Skype
2016-07-20 08:30 - 2016-07-20 08:30 - 00000000 ____D C:\Documents and Settings\ASUS\Local Settings\Application Data\Temp
2016-07-20 08:21 - 2016-07-20 08:21 - 00035096 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2016-07-20 08:21 - 2016-07-20 08:21 - 00000000 ____D C:\Documents and Settings\ASUS\Local Settings\Application Data\CEF
2016-07-20 08:18 - 2016-07-20 08:18 - 00000000 ____D C:\Documents and Settings\ASUS\Application Data\AVAST Software
2016-07-20 08:17 - 2008-11-07 18:55 - 00016928 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsgXP_2k3.dll
2016-07-20 08:16 - 2016-07-22 20:23 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-07-20 08:16 - 2016-07-20 08:16 - 00000000 __HDC C:\WINDOWS\$NtUninstallWdf01009$
2016-07-20 08:15 - 2016-07-20 08:16 - 00438296 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-07-20 08:15 - 2016-07-20 08:15 - 00222056 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2016-07-20 08:15 - 2016-07-20 08:15 - 00184592 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
2016-07-20 08:15 - 2016-07-20 08:15 - 00091680 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-07-20 08:15 - 2016-07-20 08:15 - 00066688 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2016-07-20 08:15 - 2016-07-20 08:15 - 00064272 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2016-07-20 08:15 - 2016-07-20 08:15 - 00060424 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-07-20 08:15 - 2016-07-20 08:15 - 00034008 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-07-20 08:15 - 2016-07-20 08:14 - 00921280 _____ (Microsoft Corporation) C:\WINDOWS\ucrtbase.dll
2016-07-20 08:15 - 2016-07-20 08:14 - 00816304 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2016-07-20 08:14 - 2016-07-20 08:14 - 00053208 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-07-20 08:12 - 2016-07-20 08:20 - 00000000 ____D C:\Program Files\AVAST Software
2016-07-20 08:11 - 2016-07-20 08:21 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2016-07-20 07:24 - 2016-07-22 15:21 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-07-19 19:26 - 2016-07-19 19:26 - 00000000 __SHD C:\Documents and Settings\NetworkService\IETldCache
2016-07-19 19:25 - 2016-07-19 19:38 - 00000375 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-07-26 12:37 - 2012-11-09 20:07 - 00000000 ____D C:\Documents and Settings\ASUS\Local Settings\Temp
2016-07-22 21:20 - 2013-02-25 10:34 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-07-22 16:18 - 2009-01-09 12:21 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-07-22 16:18 - 2009-01-09 11:01 - 00001158 _____ C:\WINDOWS\system32\wpa.dbl
2016-07-22 16:11 - 2012-11-09 20:07 - 00000178 ___SH C:\Documents and Settings\ASUS\ntuser.ini
2016-07-22 16:11 - 2009-01-09 12:21 - 00032650 _____ C:\WINDOWS\SchedLgU.Txt
2016-07-20 14:34 - 2012-11-09 20:07 - 00000000 ____D C:\Documents and Settings\ASUS
2016-07-20 14:31 - 2013-01-04 23:07 - 00000000 ____D C:\Documents and Settings\ASUS\Application Data\vlc
2016-07-20 14:26 - 2012-11-09 20:07 - 00000000 ___RD C:\Documents and Settings\ASUS\My Documents
2016-07-20 13:23 - 2012-11-09 20:51 - 00065536 _____ C:\WINDOWS\system32\config\ODiag.evt
2016-07-20 11:42 - 2009-01-09 04:02 - 00000000 ____D C:\WINDOWS\security
2016-07-20 10:57 - 2013-01-04 23:06 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
2016-07-20 10:14 - 2013-01-04 23:09 - 00000000 ____D C:\Program Files\7-Zip
2016-07-20 09:55 - 2009-01-09 04:07 - 00000000 ____D C:\Documents and Settings\All Users
2016-07-20 09:53 - 2009-01-09 04:02 - 00000000 ___HD C:\WINDOWS\inf
2016-07-20 08:35 - 2012-11-09 20:07 - 00000000 ____D C:\Documents and Settings\ASUS\Application Data\Skype
2016-07-20 08:30 - 2009-01-08 14:20 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Skype
2016-07-20 08:23 - 2013-01-04 15:48 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-07-20 07:20 - 2013-01-04 16:47 - 00796352 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-07-20 07:20 - 2013-01-04 16:47 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-07-20 07:20 - 2009-01-09 12:15 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-07-20 06:57 - 2014-05-19 16:53 - 00347786 _____ C:\WINDOWS\ntbtlog.txt
2016-07-19 20:02 - 2009-01-09 12:15 - 00000000 ____D C:\WINDOWS\Registration
2016-07-19 19:26 - 2009-01-09 12:21 - 00000000 __SHD C:\Documents and Settings\NetworkService

==================== Files in the root of some directories =======

2009-01-08 14:17 - 2008-05-07 14:04 - 15523560 _____ (Macrovision Corporation) C:\Program Files\U1 Setup.exe
2012-11-09 20:07 - 2012-11-09 20:19 - 0000127 _____ () C:\Documents and Settings\ASUS\Local Settings\Application Data\fusioncache.dat

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 25-07-2016
Ran by ASUS (2016-07-26 12:38:46)
Running from C:\Documents and Settings\ASUS\Desktop
Microsoft Windows XP Home Edition Service Pack 3 (X86) (2012-11-09 14:36:13)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1164573532-2673912113-1224111812-500 - Administrator - Enabled)
ASPNET (S-1-5-21-1164573532-2673912113-1224111812-1004 - Limited - Enabled)
ASUS (S-1-5-21-1164573532-2673912113-1224111812-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\ASUS
Guest (S-1-5-21-1164573532-2673912113-1224111812-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1164573532-2673912113-1224111812-1005 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1164573532-2673912113-1224111812-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus (Disabled) {7591DB91-41F0-48A3-B128-1A293FD8233D}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.02 (HKLM\...\{23170F69-40C1-2701-1602-000001000000}) (Version: 16.02.00.0 - Igor Pavlov)
7-Zip 9.15 beta (HKLM\...\7-Zip) (Version:  - )
Adabas D 13.01.00 (HKLM\...\{5C52CED3-D45C-4DA9-932F-B91BD44BB461}) (Version: 13.0100.8895 - Sun Microsystems)
Adobe Flash Player 22 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 9.0.151.0 - Adobe Systems Incorporated)
Adobe Reader 8.1.1 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A81100000003}) (Version: 8.1.1 - Adobe Systems Incorporated)
Asus ACPI Driver (HKLM\...\{19F5658D-92E8-4A08-8657-D38ABB1574B2}) (Version: 4.00.0010 - ASUSTek Computer)
ASUSUpdate for Eee PC (HKLM\...\{587178E7-B1DF-494E-9838-FA4DD36E873C}) (Version:  - )
Atheros Client Installation Program (HKLM\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 7.0 - Atheros)
Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver (HKLM\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.23 - Atheros Communications Inc.)
Avast Internet Security (HKLM\...\Avast) (Version: 12.1.2272 - AVAST Software)
Azurewave Wireless LAN (HKLM\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 1.00.0000 - RaLink)
BSNL 3G (HKLM\...\{E28BEA23-CD2F-4724-B406-A95C44355FD3}) (Version: 1.00.0000 - BSNL)
Document Express DjVu Plug-in (HKLM\...\{C98876CB-9847-4DCB-96F6-98CD5D66D2E2}) (Version: 6.1.27999 - Caminova, Inc.)
Eee Instant Key (HKLM\...\{6E4DAE31-7CF3-441A-B6E5-B014D63C80CD}) (Version: 1.08 - ASUS)
Eee Storage 1.2.16.309 (HKLM\...\Eee Storage) (Version: 1.2.16.309 - ECAREME)
ETDWare PS/2-x86 7.0.3.12 For WinXP (HKLM\...\Elantech) (Version:  - )
Google Talk (remove only) (HKLM\...\{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk) (Version:  - )
HSPADataCard Software Package (HKLM\...\{51216487-9A5D-4A0E-882E-50FEC6132C16}) (Version: 1.0.0.0 - ST-Ericsson)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
InterVideo Register Manager (Version: 1.0.4.0 - InterVideo Inc.) Hidden
InterVideo WinDVD (HKLM\...\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}) (Version: 5.0-B11.1244 - InterVideo Inc.)
Jagannatha Hora 7.64 (HKLM\...\Jagannatha Hora_is1) (Version: 7.64 - PVR Narasimha Rao)
Java™ 6 Update 3 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160030}) (Version: 1.6.0.30 - Sun Microsystems, Inc.)
Java™ 7 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217000FF}) (Version: 7.0.0 - Oracle)
Java™ SE Development Kit 7 (HKLM\...\{32A3A4F4-B792-11D6-A78A-00B0D0170000}) (Version: 1.7.0.0 - Oracle)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2742597) (HKLM\...\M2742597) (Version:  - )
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Mozilla Firefox 47.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 47.0.1 (x86 en-US)) (Version: 47.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 43.0.1 - Mozilla)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.5704 - Realtek Semiconductor Corp.)
Skype™ 7.25 (HKLM\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.25.106 - Skype Technologies S.A.)
StarOffice 8 ASUS Edition (HKLM\...\{9510AB97-A36C-4352-8725-E72E5528FA1B}) (Version: 8.00.9251 - Sun Microsystems)
Super Hybrid Engine (HKLM\...\{88F08F98-12BC-4613-81A2-8F9B88CFC73E}) (Version: 1.16 - ASUS)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.4 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WIDCOMM Bluetooth Software (HKLM\...\{84814E6B-2581-46EC-926A-823BD1C670F6}) (Version: 5.5.0.4400 -  )
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.8.0031.0 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live installer (HKLM\...\{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}) (Version: 12.0.1471.1025 - Microsoft Corporation)
Windows Live Mail (HKLM\...\{184E7118-0295-43C4-B72C-1D54AA75AAF7}) (Version: 12.0.1606.1023 - Microsoft Corporation)
Windows Live Messenger (HKLM\...\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}) (Version: 8.5.1302.1018 - Microsoft Corporation)
Windows Live Photo Gallery (HKLM\...\{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}) (Version: 12.0.1329.0201 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM\...\{9422C8EA-B0C6-4197-B8FC-DC797658CA00}) (Version: 5.000.818.6 - Microsoft Corporation)
Windows Live Toolbar (HKLM\...\Windows Live Toolbar) (Version: 03.01.0146 - Microsoft Corporation)
Windows Live Writer (HKLM\...\{9176251A-4CC1-4DDB-B343-B487195EB397}) (Version: 12.0.1370.0325 - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
ZTEMT UI (HKLM\...\ZTEWireless-101_is1) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1164573532-2673912113-1224111812-1006_Classes\CLSID\{0507EEDE-3AE7-49c7-BF37-0EB4A62D8638}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-1164573532-2673912113-1224111812-1006_Classes\CLSID\{33b07fd4-5917-43e1-968d-4c79231836bf}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-1164573532-2673912113-1224111812-1006_Classes\CLSID\{A8F086C3-2497-4229-82FE-586F2D326F95}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)
CustomCLSID: HKU\S-1-5-21-1164573532-2673912113-1224111812-1006_Classes\CLSID\{d33f3ced-d7d5-44f1-a9fe-6927dabb1934}\localserver32 -> C:\Program Files\Google\Google Talk\googletalk.exe (Google)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\avast! Emergency Update.job => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2008-09-02 17:53 - 2008-09-02 17:53 - 00040960 _____ () C:\Program Files\WIDCOMM\Bluetooth Software\btkeyind.dll
2013-01-22 18:24 - 2013-01-22 18:24 - 03391488 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_c0746bb5\mscorlib.dll
2013-01-22 18:24 - 2013-01-22 18:24 - 02088960 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_f805a0b5\system.xml.dll
2013-01-22 18:24 - 2013-01-22 18:24 - 03035136 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_3fd1ab21\system.windows.forms.dll
2013-01-22 18:24 - 2013-01-22 18:24 - 01966080 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_572b4fcb\system.dll
2016-07-20 08:14 - 2016-07-20 08:14 - 00146232 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-07-20 08:14 - 2016-07-20 08:14 - 00479288 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-07-26 12:25 - 2016-07-26 12:25 - 03001344 _____ () C:\Program Files\AVAST Software\Avast\defs\16072501\algo.dll
2013-01-07 12:00 - 2009-12-21 09:53 - 00512000 _____ () C:\Program Files\ZTEMT UI\bin\MonServiceUDisk.exe
2010-08-06 17:44 - 2010-08-06 17:44 - 00093184 _____ () C:\Program Files\BSNL 3G Data Card\Resource\MCtlSuc.exe
2016-07-20 08:15 - 2016-07-20 08:15 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2008-09-02 17:55 - 2008-09-02 17:55 - 02854912 _____ () C:\WINDOWS\system32\btwicons.dll
2009-01-09 11:01 - 2013-01-02 12:19 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-01-09 11:01 - 2008-04-14 17:30 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\EeePC_ocean.bmp
DNS Servers: 203.153.41.28 - 8.8.8.8
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: Alcmtr => ALCMTR.EXE
MSCONFIG\startupreg: MsnMsgr => "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\WINDOWS\system32\sessmgr.exe] => Disabled:@xpsp2res.dll,-22019
StandardProfile\AuthorizedApplications: [C:\Program Files\Skype\Phone\Skype.exe] => Enabled:Skype
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008

==================== Restore Points =========================

20-05-2014 06:26:12 System Checkpoint
31-07-2014 12:46:09 System Checkpoint
20-07-2016 08:17:03 Installed Windows XP Wdf01009.
20-07-2016 09:53:43 Installed Windows XP Wdf01009.

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/26/2016 12:31:41 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 47.0.1.6018, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/22/2016 03:13:03 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application wscript.exe, version 5.7.0.18066, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/21/2016 07:22:42 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 43.0.1.5828, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/20/2016 01:22:20 PM) (Source: Microsoft Office 12) (EventID: 5000) (User: )
Description: EventType offdiag12, P1 e021ad2b-eca9-4618-980f-2b61869341bbbd99deae-8cc2-431a-bb88-eb043cba4e58, P2 NIL, P3 NIL, P4 NIL, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 offdiag120, P10 offdiag121.

Error: (07/20/2016 09:51:06 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application notepad.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (07/20/2016 08:11:44 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (07/20/2016 08:11:44 AM) (Source: crypt32) (EventID: 11) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (06/02/2014 08:41:25 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application notepad.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/02/2014 08:41:20 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application notepad.exe, version 5.1.2600.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (06/26/2013 08:46:21 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application BSNL 3G.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (07/26/2016 12:20:54 PM) (Source: Windows Update Agent) (EventID: 16) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (07/26/2016 12:20:41 PM) (Source: 0) (EventID: 14103) (User: )
Description: {D2E19D27-8748-46FD-B3D0-A982F3F34BA3}

Error: (07/22/2016 04:19:26 PM) (Source: Windows Update Agent) (EventID: 16) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (07/22/2016 04:18:29 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2 = The system cannot find the file specified.


Error: (07/22/2016 04:18:29 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2 = The system cannot find the file specified.


Error: (07/22/2016 03:47:37 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2 = The system cannot find the file specified.


Error: (07/22/2016 03:47:37 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2 = The system cannot find the file specified.


Error: (07/22/2016 03:12:25 PM) (Source: 0) (EventID: 14103) (User: )
Description: {D2E19D27-8748-46FD-B3D0-A982F3F34BA3}

Error: (07/21/2016 06:39:20 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2 = The system cannot find the file specified.


Error: (07/21/2016 06:39:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2 = The system cannot find the file specified.



==================== Memory info ===========================

Processor:  Intel® Atom™ CPU N280 @ 1.66GHz
Percentage of memory in use: 72%
Total physical RAM: 1015.17 MB
Available physical RAM: 284.18 MB
Total Virtual: 2441.97 MB
Available Virtual: 1693.33 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:393.01 GB) (Free:369.38 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 698.6 GB) (Disk ID: D65316E1)
Partition 1: (Active) - (Size=393 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=4.9 GB) - (Type=1C)
Partition 3: (Not Active) - (Size=39 MB) - (Type=EF)

==================== End of Addition.txt ============================





#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,940 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:39 PM

Posted 26 July 2016 - 10:10 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You have the latest version of Java available for Windows XP
https://www.java.com/en/download/faq/winxp.xml

Remove this version of Java
Java 6 Update 3 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160030}) (Version: 1.6.0.30 - Sun Microsystems, Inc.)

Keep the Version 7 as described in the Article above.

You may consider this.
How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\Run: [MICROS~1] => wscript.exe //B "C:\DOCUME~1\ASUS\LOCALS~1\Temp\MICROS~1.VBS" <===== ATTENTION
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\MountPoints2: {f39102b6-2a79-11e2-8d48-806d6172696f} - E:\.\Bin\ASSETUP.exe
BHO: No Name -> {7E853D72-626A-48EC-A868-BA8D5E23E045} -> No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
S4 IntelIde; no ImagePath
U1 WS2IFSL; no ImagePath
C:\DOCUME~1\ASUS\LOCALS~1\Temp\MICROS~1.VBS

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

Download and Run FlashDisinfector


If your flash drive has been compromised run this tool.
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Please post the log and let me know what problem persists.
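As an added illustration of what makes the Run entry above stand out, here is a small Python checker (my own example, not part of nasdaq's post, of FRST, or of any BleepingComputer tool) that reads FRST-style `Run:` and `MountPoints2:` lines and grades them. It looks for the same signals a responder would weigh by eye: a script host such as wscript.exe, the `//B` batch switch that hides script errors and prompts, a script file instead of a program, and a target under a Temp folder. The sample input reuses the three entries from the fixlist above plus one benign Run line I constructed; the severity thresholds are my own assumption.

```python
import re

# Constructed sample input: the three entries nasdaq put in the fixlist above, plus one
# benign Run entry I made up so the checker has something to leave alone.
SAMPLE_LINES = [
    r"HKLM\...\Run: [] => [X]",
    r'HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\Run: [MICROS~1] => wscript.exe //B "C:\DOCUME~1\ASUS\LOCALS~1\Temp\MICROS~1.VBS" <===== ATTENTION',
    r"HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\MountPoints2: {f39102b6-2a79-11e2-8d48-806d6172696f} - E:\.\Bin\ASSETUP.exe",
    r"HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe /silent",
]

# FRST prints registry autoruns as  <hive>\...\Run: [<value name>] => <command>  and flags
# entries it considers dangerous with a trailing "<===== ATTENTION" marker.
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
    r"(?P<cmd>.*?)(?:\s*<=+ ATTENTION)?$"
)
MOUNT_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\.\\MountPoints2: "
    r"(?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.*)$"
)

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1")
# Folders a legitimate Run entry has no business pointing at. The 8.3 short forms are
# included because FRST prints the value exactly as the registry stores it.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\appdata\\local\\temp")


def analyze_line(line):
    """Classify one FRST autorun line.

    Returns None for lines that are not Run/MountPoints2 entries, otherwise a dict with
    kind, name, cmd, reasons and severity ("high", "review" or "info"). The thresholds
    below are an assumption for this example, not an FRST rule.
    """
    m = RUN_RE.match(line.strip())
    if m:
        cmd = m.group("cmd").strip()
        low = cmd.lower()
        if cmd == "[X]":
            # FRST prints [X] when the value has no usable target: nothing runs, but the
            # leftover clutter is still worth listing.
            return {"kind": "Run", "name": m.group("name"), "cmd": cmd,
                    "reasons": ["value has no target (FRST shows [X])"], "severity": "info"}
        reasons = []
        host = next((h for h in SCRIPT_HOSTS if low.startswith(h) or "\\" + h in low), None)
        if host:
            reasons.append("launched through script host " + host)
        if "//b" in low.split():
            reasons.append("//B batch mode suppresses script errors and prompts")
        tokens = low.replace('"', " ").split()
        if any(tok.endswith(SCRIPT_EXTS) for tok in tokens):
            reasons.append("target is a script file rather than a program")
        if any(marker in low for marker in TEMP_MARKERS):
            reasons.append("target lives under a Temp folder")
        if not m.group("name"):
            reasons.append("Run value has an empty name")
        if host and len(reasons) >= 3:
            severity = "high"
        elif host or len(reasons) >= 2:
            severity = "review"
        else:
            severity = "info"
        return {"kind": "Run", "name": m.group("name"), "cmd": cmd,
                "reasons": reasons, "severity": severity}
    m = MOUNT_RE.match(line.strip())
    if m:
        cmd = m.group("cmd").strip()
        drive = cmd[:2].upper()
        # MountPoints2 caches the autorun.inf action Explorer saw on a volume; an entry for a
        # removable drive deserves a look even when the program name looks harmless.
        reasons = ["MountPoints2 caches an autorun.inf action for a volume"]
        if drive != "C:":
            reasons.append("points at non-system drive " + drive)
        return {"kind": "MountPoints2", "name": m.group("guid"), "cmd": cmd,
                "reasons": reasons, "severity": "review"}
    return None


def scan(lines):
    """Run analyze_line over a block of FRST text and keep the entries it recognises."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


def report(lines):
    """Human-readable summary, highest severity first."""
    order = {"high": 0, "review": 1, "info": 2}
    out = []
    for f in sorted(scan(lines), key=lambda f: order[f["severity"]]):
        out.append("[%s] %s %r -> %s" % (f["severity"].upper(), f["kind"], f["name"], f["cmd"]))
        for r in f["reasons"]:
            out.append("    - " + r)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run it on a saved FRST.txt by feeding the file's lines to `report()`. The wscript entry collects all four signals and is graded high; the MountPoints2 entry is graded review only, which matches how it was handled above: removed as part of the cleanup rather than treated as proof of infection on its own.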

#3 Roger2016

Roger2016
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:39 AM

Posted 26 July 2016 - 09:48 PM

Hi Nasdaq.

I have done the steps as you asked me to do.

1. Removed Java 6 Update 3

2. Created fixlist.txt and ran FRST.exe.

Result:

The FRST.exe ran for about a minute and then it crashed. There was a dialog box asking me to send an error report to Microsoft and I clicked don't send.

Problems with this computer:

1. CPU usage is OK so far after running FRST.exe with your commands. Before it was 100% and was not allowing me to use any other program.

2. Now when I open MS-Word it automatically opens up the "find and replace" dialog box and I'm unable to close that box. I have to kill MS-Word from Task Manager. MS-Word is unusable.

3. When I open Notepad it automatically inserts the current timestamp wherever the cursor is and keeps on doing it, and I have to kill the process to stop the insertions.

4. When I open Firefox it automatically keeps on refreshing whatever the current page is and CPU shoots to 100%. After about 5-10 mins it dies down and CPU resumes to normal. When I move the cursor it again starts. I can barely use Firefox.

I am posting this message from another laptop since it takes a while to open any site on my infected laptop.

I will log in again in a few minutes and try to email the file from my infected laptop and post it to this topic from my other laptop.



#4 Roger2016

Roger2016
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:39 AM

Posted 26 July 2016 - 09:52 PM

And oh. I threw away that infected USB stick into the garbage after breaking it up. So I didn't run Flash_Disinfector.exe.

In the meantime I bought a new USB stick but I haven't used it so far. I will only use it after the laptop is clear of the viruses.

Thanks


Edited by Roger2016, 26 July 2016 - 11:33 PM.


#5 Roger2016

Roger2016
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:39 AM

Posted 27 July 2016 - 04:14 AM

Here is the fixlog.txt file

Fix result of Farbar Recovery Scan Tool (x86) Version: 25-07-2016
Ran by ASUS (2016-07-27 07:40:15) Run:1
Running from C:\Documents and Settings\ASUS\Desktop
Loaded Profiles: ASUS (Available Profiles: ASUS)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] =>
[X]
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\Run: [MICROS~1] => wscript.exe //B "C:\DOCUME~1\ASUS\LOCALS~1\Temp\MICROS~1.VBS" <===== ATTENTION
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\...\MountPoints2: {f39102b6-2a79-11e2-8d48-806d6172696f} - E:\.\Bin\ASSETUP.exe
BHO: No Name -> {7E853D72-626A-48EC-A868-BA8D5E23E045} -> No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
S4 IntelIde; no ImagePath
U1 WS2IFSL; no ImagePath
C:\DOCUME~1\ASUS\LOCALS~1\Temp\MICROS~1.VBS

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
[X] => Error: No automatic fix found for this entry.
HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\Software\Microsoft\Windows\CurrentVersion\Run\\MICROS~1 => value removed successfully.
"HKU\S-1-5-21-1164573532-2673912113-1224111812-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f39102b6-2a79-11e2-8d48-806d6172696f}" => key removed successfully.
HKCR\CLSID\{f39102b6-2a79-11e2-8d48-806d6172696f} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}" => key removed successfully.
HKCR\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}" => key removed successfully.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,940 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:39 PM

Posted 27 July 2016 - 08:37 AM

Any remaining issues with the computer?

#7 Roger2016

Roger2016
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:39 AM

Posted 27 July 2016 - 08:49 AM

Hi Nasdaq.

All the issues are still there.

1. CPU usage is 100% for 10 mins, then it dies down; if I move the mouse pointer the CPU shoots up to 100%. When I looked at Task Manager it was explorer.exe and some other processes jumping up and down in CPU usage.

2. When I open MS-Word it automatically opens up the "find and replace" dialog box and I'm unable to close that box. I have to kill MS-Word from Task Manager. MS-Word is unusable.

3. When I open Notepad it automatically inserts the current timestamp wherever the cursor is and keeps on doing it, and I have to kill the process to stop the insertions.

4. When I open Firefox it automatically keeps on refreshing whatever the current page is and CPU shoots to 100%. After about 5-10 mins it dies down and CPU resumes to normal. When I move the cursor it again starts. I can barely use Firefox.

I had none of these issues before the infection. :(



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,940 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:39 PM

Posted 27 July 2016 - 08:58 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#9 Roger2016

Roger2016
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:39 AM

Posted 27 July 2016 - 08:27 PM

Hi

I noticed that there was an option among the BIOS POST messages to press F9 to start recovery. I did that and the BIOS transitioned to something called Symantec Ghost, and it gave me a progress bar recovering the system. After 8-10 mins it restored XP completely.

I tried to do a restore just after it got infected but couldn't find it under the XP Control Panel or Computer Management, and I even searched the help but no luck. But when I was messing around in the BIOS to get my boot USB stick recognized I found this one BIOS message.

Thanks, Nasdaq, for your suggestions in disinfecting this machine.

I am planning to load Xubuntu in another partition of this machine to get some experience with Ubuntu. We will see how that goes...

Thanks again



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,940 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:39 PM

Posted 28 July 2016 - 07:59 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,940 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:39 PM

Posted 03 August 2016 - 07:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



