Infected with TR/Trash.gen with abnormal FRST behavior


  • This topic is locked
12 replies to this topic

#1 tekhelpr

  • Members
  • 22 posts

Posted 14 April 2017 - 10:21 PM

Hello, support volunteer. I'm helping to clean a slow Dell Inspiron Mini 1011 computer infected with TR/Trash.gen that was discovered by an Avira antivirus scan with updated definition file. When I ran the FRST scan, the program terminated before finishing the FRST.txt file and without producing the Addition.txt file. I have included the partial FRST.txt file inline with this message as I had a problem attaching the file.

Please let me know how to proceed to get you a full scan so we know what we're dealing with.

Thanks in advance.

tekhelpr

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by JUDITH NATALUCCI (administrator) on D33GQ6J1 (14-04-2017 22:27:52)
Running from C:\Documents and Settings\JUDITH NATALUCCI\My Documents\Downloads
Loaded Profiles: JUDITH NATALUCCI (Available Profiles: JUDITH NATALUCCI)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Creative Technology Ltd.) C:\WINDOWS\OA012Mon.exe
(Dell Inc.) C:\WINDOWS\system32\WLTRAY.EXE
(Dell) C:\Program Files\WSED\WSED.exe
(Dell) C:\Program Files\Battery Meter\BTMeter.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(Secunia) C:\Program Files\Secunia\PSI\psi_tray.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Microsoft Corporation) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
(Secunia) C:\Program Files\Secunia\PSI\psia.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1434920 2009-03-15] (Synaptics Incorporated)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [17529856 2009-03-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [57344 2009-03-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [OA012Mon] => C:\WINDOWS\OA012Mon.exe [24576 2009-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [2289664 2009-01-06] (Dell Inc.)
HKLM\...\Run: [WSED] => C:\Program Files\WSED\WSED.exe [251176 2009-03-31] (Dell)
HKLM\...\Run: [BTMeter] => C:\Program Files\Battery Meter\BTMeter.exe [623912 2008-11-04] (Dell)
HKLM\...\Run: [ROC_roc_dec12] => "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [831576 2016-10-27] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [67840 2016-07-11] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-06-20] (Google Inc.)
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\ssmyst.scr [18944 2008-04-14] (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2011-06-23] ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2011-06-22]
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog9 01 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [507984 2015-01-30] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 02 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [507984 2015-01-30] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 18 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [507984 2015-01-30] (Avira Operations GmbH & Co. KG)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{73202239-1CCF-4586-825B-A882E5306E13}: [DhcpNameServer] 192.168.254.254

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USCON/1
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/USCON/1
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/USCON/1
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.live.com
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USCON/1
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Avira SearchFree Toolbar -> {41564952-412D-5637-00A7-7A786E7484D7} -> "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" => No File
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-30] (Oracle Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\Microsoft\BingBar\BingExt.dll [2011-07-07] (Microsoft Corporation.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-30] (Oracle Corporation)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll [2011-07-07] (Microsoft Corporation.)
Toolbar: HKLM - Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll [2008-12-02] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-11-27] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll [2008-12-02] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\JUDITH NATALUCCI\Application Data\Mozilla\Firefox\Profiles\p0q2qs67.default-1478664970312 [2017-04-14]
FF Extension: (Site Deployment Checker) - C:\Program Files\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-04-12] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-12-01] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-27] ()
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-30] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-30] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8051.1204 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2008-12-04] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-12] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-12] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-3046310982-4142589957-1606324544-1006: @unity3d.com/UnityPlayer,version=1.0 -> C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies ApS)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-12-09] (SUPERAntiSpyware.com) [File not signed]
S2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc.exe [970632 2016-10-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [470600 2016-10-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [470600 2016-10-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1253352 2016-10-27] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [309384 2016-07-11] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-04-19] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-04-19] (Secunia)
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [2039808 2009-01-06] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1684736 2009-03-15] (Creative)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [115600 2016-10-27] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [140272 2016-10-27] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\System32\DRIVERS\avkmgr.sys [37896 2015-07-16] (Avira Operations GmbH & Co. KG)
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [1391104 2009-01-06] (Broadcom Corporation)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R0 EMSC; C:\WINDOWS\System32\DRIVERS\EMSC.SYS [14248 2008-11-04] (Windows ® Codename Longhorn DDK provider)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1389056 2009-03-15] (Creative Technology Ltd.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R3 OA012Afx; C:\WINDOWS\system32\Drivers\OA012Afx.sys [135168 2009-05-11] (Creative Technology Ltd.)
R3 OA012Ufd; C:\WINDOWS\System32\DRIVERS\OA012Ufd.sys [133632 2009-05-11] (Creative Technology Ltd.)
R3 OA012Vid; C:\WINDOWS\System32\DRIVERS\OA012Vid.sys [272032 2009-05-11] (Creative Technology Ltd.)
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
S1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [X]
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-14 22:15 - 2017-04-14 22:16 - 00000000 ____D C:\FRST
2017-04-12 13:14 - 2017-04-12 13:14 - 00069127 _____ C:\Documents and Settings\JUDITH NATALUCCI\Desktop\Test Event Logs - Microsoft ACPI-Compliant Control Method Battery.html
2017-04-12 12:27 - 2017-04-12 12:27 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB958655-v2$
2017-04-12 12:25 - 2017-04-12 12:26 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB942288-v3$
2017-04-12 10:22 - 2017-04-12 10:22 - 00000000 ____D C:\Avenger
2017-04-12 10:18 - 2017-04-12 10:18 - 00001076 _____ C:\mbamlog04122017.txt
2017-04-12 00:34 - 2017-04-12 10:22 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-14 22:28 - 2009-11-24 22:22 - 00000000 ____D C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp
2017-04-14 22:00 - 2014-05-22 19:43 - 00000244 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-04-14 22:00 - 2011-06-20 20:02 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2017-04-14 22:00 - 2008-04-25 21:48 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-14 21:58 - 2009-11-24 22:22 - 00000178 ___SH C:\Documents and Settings\JUDITH NATALUCCI\ntuser.ini
2017-04-14 21:58 - 2009-11-24 22:22 - 00000000 ____D C:\Documents and Settings\JUDITH NATALUCCI
2017-04-14 21:58 - 2008-04-25 21:48 - 00032554 _____ C:\WINDOWS\SchedLgU.Txt
2017-04-14 21:41 - 2008-04-25 16:33 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-04-13 11:05 - 2013-10-18 14:07 - 00318088 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2017-04-13 10:33 - 2014-01-02 19:59 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-04-13 10:30 - 2011-06-20 20:02 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-04-12 12:47 - 2010-12-09 21:24 - 00000000 ____D C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\Deployment
2017-04-12 12:43 - 2008-04-25 09:34 - 00000000 ____D C:\WINDOWS\inf
2017-04-12 12:34 - 2008-04-25 09:39 - 00555608 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-04-12 12:27 - 2008-04-25 09:34 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2017-04-12 12:26 - 2008-04-25 09:39 - 00001374 _____ C:\WINDOWS\imsins.BAK
2017-04-12 12:26 - 2008-04-25 09:34 - 00000000 ____D C:\WINDOWS\system32\mui
2017-04-12 10:22 - 2015-01-30 20:49 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Package Cache
2017-04-12 10:22 - 2013-02-28 19:30 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-04-12 10:22 - 2010-08-12 16:12 - 00000000 ___DC C:\WINDOWS\$NtUninstallKB982214$
2017-04-12 10:19 - 2013-10-19 13:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\APN
2017-04-12 09:33 - 2014-05-22 22:11 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-04-12 03:02 - 2008-04-25 21:43 - 00000000 ____D C:\WINDOWS\Registration
2017-04-12 00:00 - 2011-05-30 19:58 - 00000564 _____ C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

==================== Files in the root of some directories =======

2013-02-13 14:48 - 2013-02-13 14:48 - 0002023 _____ () C:\Program Files\changelog.txt
2011-11-11 16:54 - 2011-11-11 16:54 - 0002977 _____ () C:\Program Files\license.txt
2013-02-16 10:31 - 2013-02-16 10:31 - 14045839 _____ (Davide Costa) C:\Program Files\Setup.exe
2010-04-24 21:53 - 2012-01-14 18:16 - 0001376 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Application Data\wklnhst.dat
2012-06-24 08:24 - 2012-06-24 08:24 - 0033758 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\dt.dat
2010-01-22 19:19 - 2011-10-24 21:30 - 0000000 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\prvlcl.dat
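Triaging a log like the one above mostly means scanning for the markers FRST itself emits when a registry entry and the disk do not agree. As an added example (not part of the original post and not FRST's own code), the Python script below applies a set of heuristics chosen here for illustration to a handful of lines copied from the posted FRST.txt: registry entries ending in `No File`, a service or driver image marked `[X]` or reporting `no ImagePath`, autostarts tagged `[File not signed]` or `[not signed]`, a Run value with no `[size date]` stamp (FRST could not stat the target, as with the AVG Secure Search entry), and process or plugin lines with an empty `()` company field. Every hit is a flag for a human to review, not a verdict: the Dell `WLTRYSVC.EXE` without version resources and the XP `WS2IFSL` entry are routinely seen on machines like this one and are not by themselves a sign of infection, whereas the orphaned Ask/Avira toolbar DLL and the missing `SASKUTIL.sys` are leftovers worth cleaning up.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# FRST stamps every file it could stat as "[size yyyy-mm-dd]", e.g. "[1434920 2009-03-15]".
STAMP_RE = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\]")


@dataclass(frozen=True)
class Finding:
    reason: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Return the review flags that apply to one FRST log line (possibly none)."""
    line = line.rstrip()
    out: list[Finding] = []
    if not line or line.startswith(("====", "(If ")):
        return out  # section banners and FRST's own explanatory notes

    # Registry still points at a BHO/toolbar/handler whose file is gone: a leftover
    # of an uninstall, or of a removal that did not clean the registry.
    if "No File" in line:
        out.append(Finding("orphaned entry (file missing)", line))

    # Service or driver whose image path FRST could not find on disk.
    if line.endswith("[X]"):
        out.append(Finding("service/driver image missing", line))

    # Service key with no ImagePath value at all.
    if "no ImagePath" in line:
        out.append(Finding("service without ImagePath", line))

    # Autostart whose file carries no valid Authenticode signature.
    if "[File not signed]" in line or "[not signed]" in line:
        out.append(Finding("unsigned autostart", line))

    # Run value with no "[size date]" stamp: FRST could not stat the target, so the
    # command line is either quoted/parameterised oddly or points at nothing.
    if line.startswith(("HKLM\\", "HKU\\")) and "\\Run:" in line and not STAMP_RE.search(line):
        out.append(Finding("run entry without file stamp (target not found)", line))

    # Process or plugin whose file has no version resource: "()" where the
    # company name should be.
    if line.startswith("() ") or (line.startswith("FF Plugin") and line.endswith("()")):
        out.append(Finding("no version info in file", line))

    return out


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole FRST.txt and return every flag in log order."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, for a quick overview before reading line by line."""
    return dict(Counter(f.reason for f in findings))


# Sample input, constructed for this example from lines taken out of the FRST.txt
# posted above, so the output can be compared with the full log.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================
() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1434920 2009-03-15] (Synaptics Incorporated)
HKLM\...\Run: [ROC_roc_dec12] => "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
FF Extension: (Site Deployment Checker) - C:\Program Files\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-04-12] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-27] ()
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-12-09] (SUPERAntiSpyware.com) [File not signed]
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [115600 2016-10-27] (Avira Operations GmbH & Co. KG)
S1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [X]
U1 WS2IFSL; no ImagePath
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, n in summarize(found).items():
        print(f"{n:2d}  {reason}")
    for f in found:
        print(f"[{f.reason}] {f.line}")
```

Run it against a saved FRST.txt by passing the file contents to `triage()`; on the sample above it raises nine flags across six reasons, and leaves clean, signed, stamped entries such as the Synaptics Run value and the Avira filter driver alone. The heuristics are string matches on FRST's own output format, so they will need adjusting if a future FRST build changes how it marks missing or unsigned files.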
 

#2 tekhelpr

  • Topic Starter

  • Members
  • 22 posts

Posted 14 April 2017 - 10:38 PM

P.S. The partial FRST.txt file was created the first time I ran FRST.exe. When I attempted to run the program again, it failed abruptly before producing any logfiles. However, a later attempt did result in complete logfiles (attached).

Also, I am corresponding from an uninfected MacBook because the infected Windows machine will not allow me to log into BleepingComputer.com.

Thanks.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by JUDITH NATALUCCI (administrator) on D33GQ6J1 (14-04-2017 23:27:05)
Running from C:\Documents and Settings\JUDITH NATALUCCI\My Documents\Downloads
Loaded Profiles: JUDITH NATALUCCI (Available Profiles: JUDITH NATALUCCI)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\sched.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Creative Technology Ltd.) C:\WINDOWS\OA012Mon.exe
(Dell Inc.) C:\WINDOWS\system32\WLTRAY.EXE
(Dell) C:\Program Files\WSED\WSED.exe
(Dell) C:\Program Files\Battery Meter\BTMeter.exe
(Intel Corporation) C:\WINDOWS\system32\igfxsrvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
(Secunia) C:\Program Files\Secunia\PSI\psi_tray.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
(Microsoft Corporation) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
(Secunia) C:\Program Files\Secunia\PSI\psia.exe
(Secunia) C:\Program Files\Secunia\PSI\sua.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files\Avira\Launcher\Avira.Systray.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1434920 2009-03-15] (Synaptics Incorporated)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [17529856 2009-03-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [57344 2009-03-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [OA012Mon] => C:\WINDOWS\OA012Mon.exe [24576 2009-05-11] (Creative Technology Ltd.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [2289664 2009-01-06] (Dell Inc.)
HKLM\...\Run: [WSED] => C:\Program Files\WSED\WSED.exe [251176 2009-03-31] (Dell)
HKLM\...\Run: [BTMeter] => C:\Program Files\Battery Meter\BTMeter.exe [623912 2008-11-04] (Dell)
HKLM\...\Run: [ROC_roc_dec12] => "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
HKLM\...\Run: [avgnt] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [831576 2016-10-27] (Avira Operations GmbH & Co. KG)
HKLM\...\Run: [Avira SystrayStartTrigger] => C:\Program Files\Avira\Launcher\Avira.SystrayStartTrigger.exe [67840 2016-07-11] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-06-20] (Google Inc.)
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\WINDOWS\system32\ssmyst.scr [18944 2008-04-14] (Microsoft Corporation)
ShellExecuteHooks: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [304128 2009-05-24] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2011-06-23] ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk [2011-06-22]
ShortcutTarget: Secunia PSI Tray.lnk -> C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog9 01 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [507984 2015-01-30] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 02 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [507984 2015-01-30] (Avira Operations GmbH & Co. KG)
Winsock: Catalog9 18 C:\Program Files\Avira\AntiVir Desktop\avsda.dll [507984 2015-01-30] (Avira Operations GmbH & Co. KG)
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{73202239-1CCF-4586-825B-A882E5306E13}: [DhcpNameServer] 192.168.254.254

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USCON/1
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/USCON/1
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/USCON/1
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.live.com
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/USCON/1
SearchScopes: HKU\.DEFAULT -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Avira SearchFree Toolbar -> {41564952-412D-5637-00A7-7A786E7484D7} -> "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" => No File
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-30] (Oracle Corporation)
BHO: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
BHO: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files\Microsoft\BingBar\BingExt.dll [2011-07-07] (Microsoft Corporation.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-30] (Oracle Corporation)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll [2011-07-07] (Microsoft Corporation.)
Toolbar: HKLM - Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2016-01-15] (Google Inc.)
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll [2008-12-02] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-11-27] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll [2008-12-02] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2013-02-26] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\JUDITH NATALUCCI\Application Data\Mozilla\Firefox\Profiles\p0q2qs67.default-1478664970312 [2017-04-14]
FF Extension: (NoScript) - C:\Documents and Settings\JUDITH NATALUCCI\Application Data\Mozilla\Firefox\Profiles\p0q2qs67.default-1478664970312\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-04-14]
FF Extension: (Site Deployment Checker) - C:\Program Files\Mozilla Firefox\browser\features\deployment-checker@mozilla.org.xpi [2017-04-12] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-12-01] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-27] ()
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-30] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-30] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-14] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8051.1204 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2008-12-04] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-12] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.3\npGoogleUpdate3.dll [2017-04-12] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin HKU\S-1-5-21-3046310982-4142589957-1606324544-1006: @unity3d.com/UnityPlayer,version=1.0 -> C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-08] (Unity Technologies ApS)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2012-12-09] (SUPERAntiSpyware.com) [File not signed]
S2 AntiVirMailService; C:\Program Files\Avira\AntiVir Desktop\avmailc.exe [970632 2016-10-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files\Avira\AntiVir Desktop\sched.exe [470600 2016-10-27] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [470600 2016-10-27] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE [1253352 2016-10-27] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files\Avira\Launcher\Avira.ServiceHost.exe [309384 2016-07-11] (Avira Operations GmbH & Co. KG)
S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [993848 2011-04-19] (Secunia)
R2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [399416 2011-04-19] (Secunia)
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [2039808 2009-01-06] (Dell Inc.) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1684736 2009-03-15] (Creative)
R2 avgntflt; C:\WINDOWS\System32\DRIVERS\avgntflt.sys [115600 2016-10-27] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [140272 2016-10-27] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\WINDOWS\System32\DRIVERS\avkmgr.sys [37896 2015-07-16] (Avira Operations GmbH & Co. KG)
R3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [1391104 2009-01-06] (Broadcom Corporation)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation)
R0 EMSC; C:\WINDOWS\System32\DRIVERS\EMSC.SYS [14248 2008-11-04] (Windows ® Codename Longhorn DDK provider)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1389056 2009-03-15] (Creative Technology Ltd.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation)
R3 OA012Afx; C:\WINDOWS\system32\Drivers\OA012Afx.sys [135168 2009-05-11] (Creative Technology Ltd.)
R3 OA012Ufd; C:\WINDOWS\System32\DRIVERS\OA012Ufd.sys [133632 2009-05-11] (Creative Technology Ltd.)
R3 OA012Vid; C:\WINDOWS\System32\DRIVERS\OA012Vid.sys [272032 2009-05-11] (Creative Technology Ltd.)
S3 PSI; C:\WINDOWS\System32\DRIVERS\psi_mf.sys [15544 2010-09-01] (Secunia)
S1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [X]
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-14 22:15 - 2017-04-14 22:16 - 00000000 ____D C:\FRST
2017-04-12 13:14 - 2017-04-12 13:14 - 00069127 _____ C:\Documents and Settings\JUDITH NATALUCCI\Desktop\Test Event Logs - Microsoft ACPI-Compliant Control Method Battery.html
2017-04-12 12:27 - 2017-04-12 12:27 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB958655-v2$
2017-04-12 12:25 - 2017-04-12 12:26 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB942288-v3$
2017-04-12 10:22 - 2017-04-12 10:22 - 00000000 ____D C:\Avenger
2017-04-12 10:18 - 2017-04-12 10:18 - 00001076 _____ C:\mbamlog04122017.txt
2017-04-12 00:34 - 2017-04-12 10:22 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-04-14 23:27 - 2009-11-24 22:22 - 00000000 ____D C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp
2017-04-14 22:33 - 2014-01-02 19:59 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-04-14 22:30 - 2011-06-20 20:02 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-04-14 22:00 - 2014-05-22 19:43 - 00000244 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-04-14 22:00 - 2011-06-20 20:02 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2017-04-14 22:00 - 2008-04-25 21:48 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-14 21:58 - 2009-11-24 22:22 - 00000178 ___SH C:\Documents and Settings\JUDITH NATALUCCI\ntuser.ini
2017-04-14 21:58 - 2009-11-24 22:22 - 00000000 ____D C:\Documents and Settings\JUDITH NATALUCCI
2017-04-14 21:58 - 2008-04-25 21:48 - 00032554 _____ C:\WINDOWS\SchedLgU.Txt
2017-04-14 21:41 - 2008-04-25 16:33 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-04-13 11:05 - 2013-10-18 14:07 - 00318088 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2017-04-12 12:47 - 2010-12-09 21:24 - 00000000 ____D C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\Deployment
2017-04-12 12:43 - 2008-04-25 09:34 - 00000000 ____D C:\WINDOWS\inf
2017-04-12 12:34 - 2008-04-25 09:39 - 00555608 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-04-12 12:27 - 2008-04-25 09:34 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2017-04-12 12:26 - 2008-04-25 09:39 - 00001374 _____ C:\WINDOWS\imsins.BAK
2017-04-12 12:26 - 2008-04-25 09:34 - 00000000 ____D C:\WINDOWS\system32\mui
2017-04-12 10:22 - 2015-01-30 20:49 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Package Cache
2017-04-12 10:22 - 2013-02-28 19:30 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-04-12 10:22 - 2010-08-12 16:12 - 00000000 ___DC C:\WINDOWS\$NtUninstallKB982214$
2017-04-12 10:19 - 2013-10-19 13:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\APN
2017-04-12 09:33 - 2014-05-22 22:11 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-04-12 03:02 - 2008-04-25 21:43 - 00000000 ____D C:\WINDOWS\Registration
2017-04-12 00:00 - 2011-05-30 19:58 - 00000564 _____ C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job

==================== Files in the root of some directories =======

2013-02-13 14:48 - 2013-02-13 14:48 - 0002023 _____ () C:\Program Files\changelog.txt
2011-11-11 16:54 - 2011-11-11 16:54 - 0002977 _____ () C:\Program Files\license.txt
2013-02-16 10:31 - 2013-02-16 10:31 - 14045839 _____ (Davide Costa) C:\Program Files\Setup.exe
2010-04-24 21:53 - 2012-01-14 18:16 - 0001376 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Application Data\wklnhst.dat
2012-06-24 08:24 - 2012-06-24 08:24 - 0033758 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\dt.dat
2010-01-22 19:19 - 2011-10-24 21:30 - 0000000 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\prvlcl.dat

Some files in TEMP:
====================
2013-01-28 18:20 - 2013-01-28 18:20 - 0248008 _____ (Ask.com) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\AskSLib.dll
2014-01-02 19:33 - 2015-01-31 02:56 - 0000000 ____D () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\avgnt.exe
2011-10-11 20:35 - 2012-04-30 19:03 - 0247808 _____ (AVG Technologies CZ, s.r.o.) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\avguidx.dll
2011-10-11 20:35 - 2012-06-14 10:37 - 2726968 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\CommonInstaller.exe
2011-10-11 20:34 - 2012-04-30 19:03 - 0692224 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\iGearedHelper.dll
2009-11-18 22:36 - 2009-11-18 22:36 - 0800544 _____ (Sun Microsystems, Inc.) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-6u17-windows-i586-iftw-rv.exe
2010-04-13 03:02 - 2010-04-13 03:02 - 0922400 _____ (Sun Microsystems, Inc.) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-6u20-windows-i586-iftw-rv.exe
2010-08-04 20:14 - 2010-08-04 20:14 - 0875296 _____ (Sun Microsystems, Inc.) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-6u21-windows-i586-iftw-rv.exe
2010-11-20 22:49 - 2010-11-20 22:49 - 0875296 _____ (Sun Microsystems, Inc.) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-6u22-windows-i586-iftw-rv.exe
2011-05-05 11:18 - 2011-05-05 11:18 - 0901408 _____ (Sun Microsystems, Inc.) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-6u26-windows-i586-iftw-rv.exe
2013-03-01 16:00 - 2013-03-01 16:00 - 0897448 _____ (Oracle Corporation) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-7u17-windows-i586-iftw.exe
2013-06-21 21:58 - 2013-06-21 21:58 - 0903080 _____ (Oracle Corporation) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-7u25-windows-i586-iftw.exe
2014-04-15 16:50 - 2014-04-15 16:50 - 0921512 _____ (Oracle Corporation) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-7u55-windows-i586-iftw.exe
2014-12-18 13:29 - 2014-12-18 13:29 - 0641448 _____ (Oracle Corporation) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\jre-8u31-windows-au.exe
2011-10-11 20:35 - 2012-04-30 19:03 - 0162176 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\MachineIdCreator.exe
2013-10-18 15:12 - 2013-10-18 15:12 - 4670488 _____ (AVG Technologies) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\oi_{82835969-1E99-4E27-8D99-DC31F603BF7E}.exe
2013-07-18 19:51 - 2013-09-05 11:22 - 31954536 _____ (Skype Technologies S.A.) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\SkypeSetup.exe
2010-01-01 13:22 - 2011-10-10 19:44 - 0386944 _____ (SUPERAntiSpyware.com) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\SSUPDATE.EXE
2011-10-11 20:35 - 2012-04-30 19:03 - 7040896 _____ () C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\ToolbarInstaller.exe
2012-07-12 18:48 - 2013-10-18 15:12 - 1959960 _____ (AVG Technologies) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\UNINSTALL.EXE
2013-10-18 12:39 - 2009-07-22 10:43 - 0455600 _____ (Macrovision Corporation) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\_is178.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by JUDITH NATALUCCI (14-04-2017 23:28:05)
Running from C:\Documents and Settings\JUDITH NATALUCCI\My Documents\Downloads
Microsoft Windows XP Home Edition Service Pack 3 (X86) (2009-11-25 02:21:52)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3046310982-4142589957-1606324544-500 - Administrator - Enabled)
Guest (S-1-5-21-3046310982-4142589957-1606324544-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-3046310982-4142589957-1606324544-1005 - Limited - Disabled)
JUDITH NATALUCCI (S-1-5-21-3046310982-4142589957-1606324544-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\JUDITH NATALUCCI
SUPPORT_388945a0 (S-1-5-21-3046310982-4142589957-1606324544-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG Internet Security 2012 (Enabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Antivirus (Enabled - Up to date) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: AVG Internet Security 2012 (Disabled) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 15.14 (HKLM\...\7-Zip) (Version: 15.14 - Igor Pavlov)
Adobe Flash Player 23 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 23.0.0.205 - Adobe Systems Incorporated)
Advanced Audio FX Engine (HKLM\...\Advanced Audio FX Engine) (Version: 1.12.05 - Creative Technology Ltd)
Avira Antivirus (HKLM\...\Avira Antivirus) (Version: 15.0.19.164 - Avira Operations GmbH & Co. KG)
Avira Launcher (HKLM\...\{92a7fd6b-31e5-472f-862e-79214c5032ef}) (Version: 1.1.67.18988 - Avira Operations GmbH & Co. KG)
Avira Launcher (Version: 1.1.67.18988 - Avira Operations GmbH & Co. KG) Hidden
Battery Meter (HKLM\...\InstallShield_{543A4F31-9590-416A-A621-42CEB4C6A694}) (Version: 0.0.0.7C - )
Battery Meter (Version: 0.0.0.7C - ) Hidden
Bing Bar (HKLM\...\{16D0F2D2-242C-4885-BEF1-4B1655C141AE}) (Version: 7.0.822.0 - Microsoft Corporation)
BitPim 1.0.7 (HKLM\...\{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1) (Version: 1.0.7 - Joe Pham <djpham@bitpim.org>)
Choice Guard (Version: 1.2.87.0 - Microsoft Corporation) Hidden
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Dell Box.net Launcher (HKLM\...\{B840FAB0-0E67-4DD9-A93C-A92BA7DF9625}) (Version: 1.0.0 - box.net)
Dell Driver Download Manager (HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\...\f031ef6ac137efc5) (Version: 2.1.0.0 - Dell Inc.)
Dell Support Center (HKLM\...\Dell Support Center) (Version: 3.1.5830.10 - Dell Inc.)
Dell Support Center (Version: 3.1.5830.10 - PC-Doctor, Inc.) Hidden
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 12.2.8.0 - Synaptics Incorporated)
Dell Video Chat (HKLM\...\Dell Video Chat) (Version: 6.0 (6567) - SightSpeed Inc.)
Dell Webcam Central (HKLM\...\Dell Webcam Central) (Version: 1.03.04 - Creative Technology Ltd)
Dell Wireless WLAN Card Utility (HKLM\...\Broadcom 802.11 Application) (Version: 5.10.38.30 - Dell Inc.)
EMSC (Version: 0.0.0.10 - Compal Electronics, Inc.) Hidden
Function Keys (Version: 0.1.0.3 - Dell) Hidden
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7210.1528 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.33.3 - Google Inc.) Hidden
Integrated Webcam Driver (1.02.02.0403) (HKLM\...\Creative OA012) (Version: 1.02.02.0403 - Creative Technology Ltd.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - )
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Junk Mail filter update (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1 (1033)) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version: - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version: - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Works (HKLM\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
Mozilla Firefox 52.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 52.0.2 (x86 en-US)) (Version: 52.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.0.2.6291 - Mozilla)
MSXML 6.0 Parser (KB927977) (HKLM\...\{5A710547-B58E-488B-828D-CA9A25A0533C}) (Version: 6.00.3890.0 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: - Realtek Semiconductor Corp.)
SARDU 2.0.6.5 (HKLM\...\SARDU) (Version: 2.0.6.5 - Davide Costa)
Secunia PSI (2.0.0.3003) (HKLM\...\Secunia PSI) (Version: - )
Segoe UI (Version: 14.0.4327.805 - Microsoft Corp) Hidden
Skype™ 6.11 (HKLM\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.)
Unity Web Player (HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\...\UnityWebPlayer) (Version: 5.0.3f2 - Unity Technologies ApS)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8050.1202 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM\...\{9422C8EA-B0C6-4197-B8FC-DC797658CA00}) (Version: 5.000.818.6 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}) (Version: 14.0.8050.1202 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Media Format Runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
Windows Search 4.0 (HKLM\...\KB940157) (Version: 04.00.6001.503 - Microsoft Corporation)
WSED (Version: 0.1.0.10 - ) Hidden
XML Paper Specification Shared Components Pack 1.0 (Version: - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Application Data\Unity\WebPlayer\loader\UnityWebPluginAX.ocx (Unity Technologies ApS)
CustomCLSID: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006_Classes\CLSID\{97090E2F-3062-4459-855B-014F0D3CDBB1}\InprocServer32 -> C:\Program Files\Windows Desktop Search\deskbar.dll (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\PCDoctorBackgroundMonitorTask.job => C:\Program Files\Dell Support Center\uaclauncher.exe o-backgroundmon scripts\defaultscan.xml
Task: C:\WINDOWS\Tasks\SystemToolsDailyTest.job => C:\Program Files\Dell Support Center
PC-Doctor 0 ߛ ଠ


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2009-07-22 10:31 - 2009-01-06 19:53 - 00024576 _____ () C:\WINDOWS\System32\WLTRYSVC.EXE
2009-07-22 10:31 - 2009-01-06 19:52 - 00753664 _____ () C:\WINDOWS\System32\bcm1xsup.dll
2009-07-22 10:31 - 2009-01-06 19:53 - 00143360 _____ () C:\WINDOWS\system32\preflib.dll
2009-07-22 10:33 - 2007-04-19 16:21 - 00266240 _____ () C:\WINDOWS\system32\EMSC.DLL
2009-07-22 10:33 - 2007-04-19 16:21 - 00266240 _____ () C:\WINDOWS\system32\EMSC.dll
2016-07-11 12:04 - 2016-07-11 12:04 - 00254440 _____ () C:\Program Files\Avira\Launcher\System.ComponentModel.Composition.dll
2008-04-25 16:33 - 2013-01-02 02:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2008-04-25 16:33 - 2008-04-14 08:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.254.254
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\wlcsdk.exe] => Enabled:Windows Live Call
DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
DomainProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe] => Enabled:Windows Live Sync
StandardProfile\AuthorizedApplications: [C:\Program Files\Dell Video Chat\DellVideoChat.exe] => Enabled:Dell Video Chat
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\wlcsdk.exe] => Enabled:Windows Live Call
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Messenger\msnmsgr.exe] => Enabled:Windows Live Messenger
StandardProfile\AuthorizedApplications: [C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe] => Enabled:Windows Live Sync
StandardProfile\AuthorizedApplications: [C:\Program Files\Skype\Phone\Skype.exe] => Enabled:Skype
StandardProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Disabled:@xpsp2res.dll,-22008

==================== Restore Points =========================

12-04-2017 08:24:38 System Checkpoint
12-04-2017 09:28:48 Software Distribution Service 3.0
12-04-2017 12:26:15 Installed Windows XP KB942288-v3.
12-04-2017 12:27:44 Installed Windows XP KB958655-v2.

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (04/14/2017 10:29:39 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 15.3.2017.0, faulting module frst.exe, version 15.3.2017.0, fault address 0x0002151e.
Processing media-specific event for [frst.exe!ws!]

Error: (04/14/2017 10:25:11 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application frst.exe, version 15.3.2017.0, faulting module frst.exe, version 15.3.2017.0, fault address 0x00021545.
Processing media-specific event for [frst.exe!ws!]

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).

Error: (04/14/2017 10:00:20 PM) (Source: ESENT) (EventID: 489) (User: )
Description: avguard (1324) An attempt to open the file "C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\EVENTDB\gavi3.db" for read only access failed with system error 3 (0x00000003): "The system cannot find the path specified. ". The open file operation will fail with error -1023 (0xfffffc01).


System errors:
=============
Error: (04/14/2017 10:22:15 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Avira.ServiceHost service.

Error: (04/14/2017 10:22:07 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the Avira.ServiceHost service.

Error: (04/14/2017 10:02:32 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error: (04/14/2017 09:55:55 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error: (04/12/2017 12:31:51 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error: (04/12/2017 10:25:01 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error: (11/09/2016 02:21:48 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error: (11/09/2016 12:29:11 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SASKUTIL

Error: (11/09/2016 12:10:52 AM) (Source: Dhcp) (EventID: 1002) (User: )
Description: The IP address lease 192.168.24.119 for the Network Card with network address 002556A09AC4 has been
denied by the DHCP server 192.168.24.1 (The DHCP Server sent a DHCPNACK message).

Error: (11/07/2016 02:10:38 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: Timeout (30000 milliseconds) waiting for the Avira Service Host service to connect.



==================== Memory info ===========================

Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz
Percentage of memory in use: 60%
Total physical RAM: 1014.36 MB
Available physical RAM: 399.35 MB
Total Virtual: 2441.68 MB
Available Virtual: 1329.61 MB

==================== Drives ================================



Drive c: (OS) (Fixed) (Total:149.01 GB) (Free:127.48 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 149.1 GB) (Disk ID: A42D04A3)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



Edited by Oh My!, 18 April 2017 - 08:37 AM.


#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,665 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:38 AM

Posted 18 April 2017 - 08:36 AM

Greetings tekhelpr and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me just a bit of time to review what you have posted.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,665 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:38 AM

Posted 18 April 2017 - 08:57 AM

Thank you for your patience.

We have some antivirus program issues in addition to some entries I would like to remove. Although we are going to uninstall all antivirus programs from the computer, we will be reinstalling one shortly.

Please do this.

===================================================

Download and run AVG Remover 2012 for 32 bit systems.

===================================================

Uninstalling a Program using Add/Remove Program

--------------------

I recommend the uninstalling of the below listed program(s). If you desire to keep the program I would ask that you reinstall it following our efforts here.
  • Press the Windows key + r on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

Avira Antivirus

  • Reboot your computer
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CreateRestorePoint:
CloseProcesses:
BHO: Avira SearchFree Toolbar -> {41564952-412D-5637-00A7-7A786E7484D7} -> "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" => No File
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
2017-04-12 10:19 - 2013-10-19 13:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\APN
2013-01-28 18:20 - 2013-01-28 18:20 - 0248008 _____ (Ask.com) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\AskSLib.dll
cmd: type "C:\mbamlog04122017.txt"
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Antivirus programs removed?
  • Fixlog
  • Update on computer performance

Gary
 

#5 tekhelpr

tekhelpr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 18 April 2017 - 11:53 AM

Thank you for responding, Gary.  Please call me Cesar.  Before I continue, I can clarify the behavior I'm seeing on this laptop.

RESULTS:

1.  The link you provided to remove AVG resulted in this error page:

An error occurred while processing your request.
Reference #132.f8eedcc.1492526993.f31cd68

Instead, I went to this page at the AVG website:
https://support.avg.com/SupportArticleView?l=en&urlName=How-to-uninstall-AVG&q=how+to+uninstall+avg

Downloaded AVG Remover and ran it. Then rebooted.

2. Uninstalled Avira Antivirus and Avira Launcher from the Control Panel.  Then rebooted.

3. Created the fixlist.txt and used FRST.exe to run the fix.  When rebooting this time, the shutdown process did not happen normally, getting stuck in the "Windows shutting down" screen for an hour.  I held the power button to force the shutdown and restarted.

4.  After checking Control Panel, the Avira Toolbar item is still there.

 

BACKGROUND DETAILS:

The problem was Avira kept finding and preventing an infection of TR/Trash.gen about once an hour.  The suspicious file is in a particular restore point and is named differently each time, with an increasing number ending, e.g., A0126799.dll, A0126800.exe, A0126801.dll, etc.  I suspect something in the system is generating the filenames, which Avira then detected.

 

 

The logfile follows.

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 17-04-2017 01
Ran by JUDITH NATALUCCI (18-04-2017 11:50:59) Run:1
Running from C:\Documents and Settings\JUDITH NATALUCCI\My Documents\Downloads
Loaded Profiles: JUDITH NATALUCCI (Available Profiles: JUDITH NATALUCCI)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
BHO: Avira SearchFree Toolbar -> {41564952-412D-5637-00A7-7A786E7484D7} -> "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" => No File
BHO: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-3046310982-4142589957-1606324544-1006 -> Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
2017-04-12 10:19 - 2013-10-19 13:08 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\APN
2013-01-28 18:20 - 2013-01-28 18:20 - 0248008 _____ (Ask.com) C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\AskSLib.dll
cmd: type "C:\mbamlog04122017.txt"
emptytemp:
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41564952-412D-5637-00A7-7A786E7484D7} => key removed successfully.
HKCR\CLSID\{41564952-412D-5637-00A7-7A786E7484D7} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => key removed successfully.
HKCR\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{41564952-412D-5637-00A7-7A786E7484D7} => value removed successfully.
HKCR\CLSID\{41564952-412D-5637-00A7-7A786E7484D7} => key not found.
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => value removed successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => key not found.
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value removed successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => key not found.
HKU\S-1-5-21-3046310982-4142589957-1606324544-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{41564952-412D-5637-00A7-7A786E7484D7} => value removed successfully.
HKCR\CLSID\{41564952-412D-5637-00A7-7A786E7484D7} => key not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key removed successfully.
C:\Documents and Settings\All Users\Application Data\APN => moved successfully
C:\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\AskSLib.dll => moved successfully

========= type "C:\mbamlog04122017.txt" =========

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/12/2017
Scan Time: 9:33:22 AM
Logfile: mbamlog04122017.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2017.04.12.05
Rootkit Database: v2017.04.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: JUDITH NATALUCCI

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 234919
Time Elapsed: 40 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 124498 B
Java, Flash, Steam htmlcache => 357918 B
Windows/system/dllcache/drivers => 182232889 B
Edge => 0 B
Chrome => 0 B
Firefox => 104724385 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 82497 B
All Users => 0 B
systemprofile => 396093173 B
LocalService => 1507200 B
NetworkService => 82674 B
JUDITH NATALUCCI => 881401816 B

RecycleBin => 0 B
EmptyTemp: => 1.5 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:52:28 ====



#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,665 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:38 AM

Posted 18 April 2017 - 07:36 PM

Greetings Cesar.

Thank you for the detailed reply.

Did your computer hang on shutdown just one time?

Please do this.

===================================================

Delfix by Xplode

--------------------
  • Download Delfix and save it to your Desktop
  • Double click the icon
  • Place checkmark in:

Purge system restore

  • Click Run
===================================================

ComboFix Windows XP

--------------------
  • Please download Combofix and save it to your desktop:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Note: If, after disabling them, ComboFix warns you that an antivirus program is still running, ignore the warning and run ComboFix.
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista/Windows 7, ComboFix will skip the below Recovery Console pop ups and continue its malware removal procedure.

(image: Query_RC.gif)

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(image: RC_successful.gif)

  • Click on Yes, to continue scanning for malware
  • When finished copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Delfix run?
  • Combofix log

Gary
 

#7 tekhelpr

tekhelpr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 19 April 2017 - 12:17 AM

Delfix ran successfully.

 

# DelFix v1.010 - Logfile created 19/04/2017 at 00:55:55
# Updated 26/04/2015 by Xplode
# Username : JUDITH NATALUCCI - D33GQ6J1
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Cleaning system restore ...

Deleted : RP #783 [System Checkpoint | 04/12/2017 12:24:38]
Deleted : RP #784 [Software Distribution Service 3.0 | 04/12/2017 13:28:48]
Deleted : RP #785 [Installed Windows XP KB942288-v3. | 04/12/2017 16:26:15]
Deleted : RP #786 [Installed Windows XP KB958655-v2. | 04/12/2017 16:27:44]
Deleted : RP #787 [System Checkpoint | 04/15/2017 04:37:00]
Deleted : RP #788 [System Checkpoint | 04/16/2017 23:39:50]
Deleted : RP #789 [Restore Point Created by FRST | 04/18/2017 15:51:04]

New restore point created !

########## - EOF - ##########
 

 

ComboFix was unable to detect that my wifi connection was working, so the Recovery Console installation failed.  (Does it require a wired connection?)

 

Log file follows.

 

ComboFix 17-04-16.01 - JUDITH NATALUCCI 04/19/2017   1:03.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.340 [GMT -4:00]
Running from: c:\documents and settings\JUDITH NATALUCCI\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Cache
.
.
(((((((((((((((((((((((((   Files Created from 2017-03-19 to 2017-04-19  )))))))))))))))))))))))))))))))
.
.
2017-04-18 15:20 . 2017-04-18 15:20    --------    d-----w-    c:\documents and settings\JUDITH NATALUCCI\Local Settings\Application Data\Avg
2017-04-18 15:01 . 2017-04-18 15:23    --------    d-----w-    C:\AVG_Remover
2017-04-15 02:15 . 2017-04-18 16:25    --------    d-----w-    C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-04-17 03:22 . 2014-05-23 02:11    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2013-02-16 14:31 . 2013-02-16 14:31    14045839    ----a-w-    c:\program files\Setup.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-03-31 251176]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [7/22/2009 10:33 AM 14248]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/1/2010 9:11 PM 116608]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 5:33 PM 249648]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 2:44 AM 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 2:44 AM 399416]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [7/22/2009 10:42 AM 143840]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [7/22/2009 1:11 PM 135168]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [7/22/2009 1:11 PM 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [7/22/2009 1:11 PM 272032]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [7/22/2009 1:11 PM 162816]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [10/23/2013 8:15 AM 172192]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/22/2009 1:10 PM 1684736]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 7:31 PM 195336]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544]
.
Contents of the 'Scheduled Tasks' folder
.
2017-04-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-01-02 23:32]
.
2017-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-21 23:14]
.
2017-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-21 23:14]
.
2017-04-18 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2014-05-23 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2017-04-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-05-16 22:16]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.254.254
FF - ProfilePath - c:\documents and settings\JUDITH NATALUCCI\Application Data\Mozilla\Firefox\Profiles\p0q2qs67.default-1478664970312\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2017-04-19 01:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e9,33,59,c3,a5,d0,c8,41,a4,43,2a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2017-04-19  01:12:51
ComboFix-quarantined-files.txt  2017-04-19 05:12
.
Pre-Run: 140,233,699,328 bytes free
Post-Run: 140,188,790,784 bytes free
.
- - End Of File - - 6E210ECAD316A5107DE7F0700825F8DC
CDB4DE4BBD714F152979DA2DCBEF57EB
 



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,665 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:38 AM

Posted 19 April 2017 - 09:08 AM

Greetings,
 

(Does it require a wired connection?)

Yes. Don't worry about it, that is a backup step in case something goes wrong, which didn't happen.

Please do this.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED!, reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 

#9 tekhelpr

tekhelpr
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:04:38 AM

Posted 19 April 2017 - 01:55 PM

Gary,

 

To answer an earlier question, the laptop only shut down abnormally that one time.  Since then, I have restarted it with no issues.

 

On the plus side, the startup seems faster, which I imagine is a result of the cleaning we've done and also the fact that there is no active antivirus at the moment.  Once we install the AV you recommend, I will verify that the hourly threat containment is no longer present.

 

Since I did not want to keep any of the ESET entries, I did delete quarantined files.

 

Also, after restarting and before sending this message, I could not locate the Security Check log.  Should I rerun it?

 

Regards,

Cesar

 

 

C:\Documents and Settings\JUDITH NATALUCCI\Desktop\Old Firefox Data\rdyn59lk.default\extensions\toolbar_AVIRA-V7@apn.ask.com.xpi    Win32/Bundled.Toolbar.Ask.P potentially unsafe application    deleted
C:\Documents and Settings\JUDITH NATALUCCI\My Documents\Downloads\avira_free_antivirus_en.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    deleted
C:\Documents and Settings\JUDITH NATALUCCI\My Documents\Downloads\SARDU_2.0.6.5.zip    Win32/InstallMonetizer.AN potentially unwanted application    deleted
C:\FRST\Quarantine\C\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\AskSLib.dll.xBAD    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting
C:\Program Files\Setup.exe    Win32/InstallMonetizer.AN potentially unwanted application    cleaned by deleting
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP784\A0126812.msi    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP784\A0126813.msi    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    deleted
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP784\A0126814.msi    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    deleted
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP784\A0126815.msi    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    deleted
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP784\A0126816.msi    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP784\A0126849.exe    Win32/InstallMonetizer.AN potentially unwanted application    cleaned by deleting
C:\WINDOWS\Installer\38396261.msi    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    deleted
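The ESET log above lists one detection per line: path, detection name, action taken, separated by a tab in the real log (runs of spaces once pasted here). As an added example that is not code from the post, ESET or BleepingComputer, the Python below parses such lines and groups detections by where they live. That grouping makes visible why a restore-point purge belongs in the cleanup: a detected installer sitting under System Volume Information would be brought back by System Restore, and one in the Windows Installer cache by a repair install. The sample lines are copied from the log above, plus one constructed line with an "error while cleaning" action to show how a failed action is surfaced; the function names and the location labels are mine.

```python
import re
from collections import Counter

# Sample detections copied from the ESET log posted above (path, threat, action).
# The last line is constructed for this example: a cleaning action that failed.
SAMPLE_LOG = r"""
C:\Documents and Settings\JUDITH NATALUCCI\My Documents\Downloads\avira_free_antivirus_en.exe    a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    deleted
C:\FRST\Quarantine\C\Documents and Settings\JUDITH NATALUCCI\Local Settings\Temp\AskSLib.dll.xBAD    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting
C:\Program Files\Setup.exe    Win32/InstallMonetizer.AN potentially unwanted application    cleaned by deleting
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP784\A0126812.msi    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    deleted
C:\WINDOWS\Installer\38396261.msi    a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application    deleted
C:\Documents and Settings\All Users\Application Data\example\leftover.exe    Win32/Example.A potentially unwanted application    error while cleaning
"""

# Location labels are assumptions for this example, matched on the path prefix.
# Order matters: the FRST quarantine mirrors profile paths under C:\FRST, so it is
# tested before the Documents and Settings rule.
LOCATION_RULES = (
    ("system_restore", "c:\\system volume information\\_restore"),
    ("tool_quarantine", "c:\\frst\\quarantine\\"),
    ("installer_cache", "c:\\windows\\installer\\"),
    ("user_profile", "c:\\documents and settings\\"),
    ("program_files", "c:\\program files\\"),
)

# ESET actions that mean the object is gone; anything else needs a second look.
RESOLVED_ACTIONS = {"deleted", "cleaned by deleting", "cleaned"}


def classify_location(path):
    """Map a detected path to one of the LOCATION_RULES labels, or 'other'."""
    lowered = path.lower()
    for label, prefix in LOCATION_RULES:
        if lowered.startswith(prefix):
            return label
    return "other"


def parse_eset_line(line):
    """Split one log line into path / threat / action; None if it is not a detection."""
    fields = [f for f in re.split(r"\t|\s{2,}", line.strip()) if f]
    if len(fields) != 3:
        return None
    path, threat, action = fields
    return {
        "path": path,
        "threat": threat,
        "action": action,
        "location": classify_location(path),
    }


def parse_eset_log(text):
    """Parse a whole log, skipping blank and non-detection lines."""
    return [r for r in (parse_eset_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count detections per location label."""
    return Counter(r["location"] for r in records)


def needs_restore_purge(records):
    """True if any detection sits in a restore point: a System Restore would bring it back."""
    return any(r["location"] == "system_restore" for r in records)


def unresolved(records):
    """Detections whose action did not remove the object."""
    return [r for r in records if r["action"] not in RESOLVED_ACTIONS]


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for label, count in sorted(summarize(recs).items()):
        print(f"{label:16s} {count}")
    print("purge system restore:", needs_restore_purge(recs))
    for r in unresolved(recs):
        print("NOT RESOLVED:", r["action"], r["path"])
```

Run it against a full ESET scan log saved as text: a non-empty `unresolved` list is the part to hand back to the helper, and `needs_restore_purge` returning True is the reason the closing instructions tick "Purge system restore".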
 



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,665 posts
  • Gender:Male
  • Location:California

Posted 19 April 2017 - 02:44 PM

Greetings Cesar.

 

Don't worry about running the Security Check again.

 

Now it is time to install an antivirus of your choice. Following that let me know how the computer is performing.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 tekhelpr

tekhelpr
  • Topic Starter

  • Members
  • 22 posts

Posted 19 April 2017 - 05:58 PM

I installed AVG Free Edition and ran a scan that detected no problems.  The laptop seems much more responsive than it was.

 

If there are further steps we should take, please let me know.

 

Otherwise, thank you very much for your expert assistance.

 

Best,

Cesar



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,665 posts
  • Gender:Male
  • Location:California

Posted 19 April 2017 - 07:41 PM

I think we are all done sir.

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and we will now remove the tools used and logs created during our steps. Please do this.

===================================================

Delfix by Xplode

--------------------
  • Download Delfix and save it to your Desktop
  • Double click the icon
  • Place checkmarks in:

Remove disinfection tools
Create registry backup
Purge system restore

  • Click Run
===================================================

You may delete any additional programs or logs on your computer which were not automatically removed by Delfix. Simply delete the log files or desktop icons. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,665 posts
  • Gender:Male
  • Location:California

Posted 21 April 2017 - 09:07 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



