Computer getting glacially slow



#1 dburkhead


Posted 12 October 2017 - 11:33 AM

Windows XP system.  After a fresh boot it runs fine for a while then gets extremely slow.  Other computers cannot access it because they time out.  The UI is so slow it's unusable.  Usually end up having to reboot three or four times a day to get any use out of it at all.

 

Malwarebytes seems to be a significant culprit.  When Malwarebytes is installed all the above problems are worse.  When we uninstalled it they were better but still troublesome.  Currently what I did was install malwarebytes to scan and get the log, then uninstall again so I could use the computer.

 

As part of the prep, I tried to run RGSA but it raised an error:

"Line 257 (File "C:\Documents and Settings\User\Desktop\Security\RGSA.exe")

Error:  The requested action with this object has failed"

 

Logs:

Malwarebytes

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10/6/2017
Scan Time: 6:07:22 PM
Logfile: mbam-171006.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2017.10.06.07
Rootkit Database: v2017.09.13.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: User
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 251759
Time Elapsed: 11 min, 52 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
FRST:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-10-2017
Ran by User (administrator) on ASM12 (12-10-2017 12:46:47)
Running from C:\Documents and Settings\User\Desktop\Security
Loaded Profiles: User (Available Profiles: User)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(CMS Products™, Inc.) C:\Program Files\CMS Products\BounceBack Express\BBWatcherService.exe
(Intel Corporation) C:\WINDOWS\system32\IPROSetMonitor.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\n360.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
(Canon Inc.) C:\Program Files\Canon\CAL\CALMAIN.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\n360.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
(Intel Corporation) C:\WINDOWS\system32\igfxtray.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Microsoft Corporation) C:\Program Files\Messenger\msmsgs.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
(Insight Software Solutions) C:\PROGRA~1\KEYBOA~1\keyexp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office\1033\MSOFFICE.EXE
() C:\Program Files\CMS Products\BounceBack Express\BBLauncher.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [RemoteControl10] => C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe [87336 2010-02-03] (CyberLink Corp.)
HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [3776824 2015-02-27] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [20064872 2011-10-14] (Realtek Semiconductor Corp.)
HKLM\...\Run: [DVDUpgrade] => DVDUpgrd.exe /async
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\...\Run: [GoogleDriveSync] => "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk [2012-08-17]
ShortcutTarget: Acrobat Assistant.lnk -> C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Keyboard Express 3.lnk [2016-11-28]
ShortcutTarget: Keyboard Express 3.lnk -> C:\Program Files\Keyboard Express 3\keyexp.exe (Insight Software Solutions)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk [2012-08-14]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\ASM23.txt.lnk [2012-10-05]
ShortcutTarget: ASM23.txt.lnk -> C:\Documents and Settings\User\My Documents\ASM23.txt ()
Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\BounceBack Launcher.lnk [2014-08-29]
ShortcutTarget: BounceBack Launcher.lnk -> C:\Program Files\CMS Products\BounceBack Express\BBStartup.exe ()
GroupPolicy: Restriction ? <==== ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{CE68ADDF-E41F-46CB-AEA8-29F083998EEE}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.asmicro.com/applications/faq.htm
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2014-05-08] (Adobe Systems Incorporated)
BHO: Watch for Browser Events -> {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} -> C:\Program Files\Keyboard Express 3\kie.dll [2004-02-23] (Insight Software Solutions)
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\coIEPlg.dll [2017-10-03] (Symantec Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\coIEPlg.dll [2017-10-03] (Symantec Corporation)
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll [2016-06-01] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\WINDOWS\system32\mscoree.dll [2010-03-18] (Microsoft Corporation)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon
FF Extension: (Norton Security Toolbar) - C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon [2017-06-08]
FF Plugin: @canon.com/MycameraPlugin -> C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-08-03] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3680450723-4200196162-3786228007-1003: @citrixonline.com/appdetectorplugin -> C:\Documents and Settings\User\Local Settings\Application Data\Citrix\Plugins\104\npappdetector.dll [2014-05-15] (Citrix Online)
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Profile: C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default [2017-10-12]
CHR Extension: (Google Docs) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-06]
CHR Extension: (Google Drive) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-03]
CHR Extension: (YouTube) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Norton Security Toolbar) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2017-06-15]
CHR Extension: (Google Search) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-03]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-26]
CHR Extension: (Norton Identity Safe) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2015-06-21]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2015-01-13]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-09-17]
CHR Extension: (Gmail) - C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-09]
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 BBWatcherService; C:\Program Files\CMS Products\BounceBack Express\BBWatcherService.exe [36864 2008-01-02] (CMS Products™, Inc.) [File not signed]
R2 CCALib8; C:\Program Files\Canon\CAL\CALMAIN.exe [96334 2009-09-08] (Canon Inc.) [File not signed]
R2 Intel® PROSet Monitoring Service; C:\WINDOWS\system32\IProsetMonitor.exe [117920 2011-08-15] (Intel Corporation)
R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\N360.exe [288504 2017-10-04] (Symantec Corporation)
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2015-02-27] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2015-02-27] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-12-06] (Intuit Inc.) [File not signed]
S2 EraserSvc11720; "C:\Program Files\Common Files\Symantec Shared\EENGINE\N360.exe" /h ccCommon [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R1 BHDrvx86; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\BASHDefs\20171010.001\BHDrvx86.sys [1367712 2017-09-07] (Symantec Corporation)
R1 ccSet_N360; C:\WINDOWS\system32\drivers\N360\160B000.029\ccSetx86.sys [147072 2017-10-03] (Symantec Corporation)
R3 e1qexpress; C:\WINDOWS\System32\DRIVERS\e1q5132.sys [192680 2011-06-21] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [393344 2017-06-28] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [126592 2017-06-28] (Symantec Corporation)
R2 Hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [685056 2005-07-28] (Aladdin Knowledge Systems Ltd.)
R3 IDSxpx86; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\IPSDefs\20171011.003\IDSxpx86.sys [759448 2017-09-01] (Symantec Corporation)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
S3 NAL; C:\WINDOWS\system32\Drivers\iqvw32.sys [30368 2011-08-15] (Intel Corporation )
R1 SRTSP; C:\WINDOWS\System32\Drivers\N360\160B000.029\SRTSP.SYS [662688 2017-10-03] (Symantec Corporation)
R1 SRTSPX; C:\WINDOWS\system32\drivers\N360\160B000.029\SRTSPX.SYS [41120 2017-10-03] (Symantec Corporation)
R0 SymEFASI; C:\WINDOWS\System32\drivers\N360\160B000.029\SYMEFASI.SYS [1393792 2017-10-03] (Symantec Corporation)
R3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [89264 2017-07-18] (Symantec Corporation)
R1 SymIRON; C:\WINDOWS\system32\drivers\N360\160B000.029\Ironx86.SYS [241888 2017-10-03] (Symantec Corporation)
R1 SYMTDI; C:\WINDOWS\System32\Drivers\N360\160B000.029\SYMTDI.SYS [382216 2017-10-03] (Symantec Corporation)
S4 IntelIde; no ImagePath
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160715.001\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160715.001\NAVEX15.SYS [X]
U2 V2iMount; no ImagePath
U1 WS2IFSL; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-10-03 15:59 - 2017-10-03 15:59 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Start-off
2017-10-03 11:15 - 2017-10-02 13:35 - 000000527 ____N C:\Documents and Settings\User\Desktop\ASM23.txt.lnk
2017-10-02 13:37 - 2017-10-02 13:37 - 000000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\CEF
2017-09-28 15:07 - 2017-09-28 15:07 - 000002070 ____N C:\Documents and Settings\User\Desktop\JRT-170928.txt
2017-09-28 15:00 - 2017-10-12 12:39 - 000000000 ____D C:\Documents and Settings\User\Desktop\Security
2017-09-26 17:07 - 2017-10-12 12:22 - 000000023 _____ C:\Documents and Settings\User\Desktop\mb-licenseinfo.txt
2017-09-14 12:34 - 2017-09-14 12:34 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\MB2Migration
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-10-12 12:47 - 2014-04-09 11:06 - 000000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-10-12 12:47 - 2011-12-05 11:44 - 000000000 ____D C:\Documents and Settings\User\Local Settings\Temp
2017-10-12 12:46 - 2017-07-31 10:54 - 000000000 ____D C:\FRST
2017-10-12 12:33 - 2017-08-18 17:27 - 000027700 _____ C:\Documents and Settings\User\Desktop\mb-clean-results.txt
2017-10-12 12:33 - 2016-11-28 14:05 - 000000000 ____D C:\Program Files\Keyboard Express 3
2017-10-12 12:33 - 2012-10-10 17:56 - 000000000 ____D C:\Shared docs
2017-10-12 12:30 - 2008-04-14 08:00 - 000012598 _____ C:\WINDOWS\system32\wpa.dbl
2017-10-12 12:29 - 2014-03-24 13:22 - 000000220 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-10-12 12:29 - 2013-06-06 12:21 - 000000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2017-10-12 12:28 - 2015-07-23 15:57 - 008405015 _____ C:\WINDOWS\TempFile
2017-10-12 12:28 - 2011-12-05 11:44 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-10-12 12:25 - 2011-12-05 11:44 - 000032580 _____ C:\WINDOWS\SchedLgU.Txt
2017-10-12 12:25 - 2011-12-05 11:44 - 000000178 ___SH C:\Documents and Settings\User\ntuser.ini
2017-10-12 11:26 - 2013-06-06 12:21 - 000000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-10-12 07:05 - 2015-06-04 13:04 - 000000000 ____D C:\WINDOWS\system32\Drivers\N360
2017-10-12 07:02 - 2015-08-11 16:27 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Suite
2017-10-12 07:02 - 2015-06-04 13:05 - 000001994 _____ C:\Documents and Settings\All Users\Desktop\Norton Security Suite.LNK
2017-10-09 23:11 - 2014-08-29 13:34 - 000000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\BounceBack Express
2017-10-08 15:00 - 2014-03-24 13:22 - 000000214 ____N C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2017-10-05 16:13 - 2016-10-05 11:26 - 000830736 ____N C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2017-10-04 17:20 - 2013-07-02 09:42 - 000000000 ____D C:\Documents and Settings\User\My Documents\My PSP8 Files
2017-10-04 17:01 - 2012-10-05 15:47 - 000004896 ____N C:\Documents and Settings\User\My Documents\ASM23.txt
2017-10-04 16:49 - 2012-10-06 19:33 - 001024165 ____N C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-3680450723-4200196162-3786228007-1003-0.dat
2017-10-04 16:49 - 2012-10-06 19:33 - 000164638 ____N C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2017-10-03 15:56 - 2014-05-15 13:39 - 000000000 ____D C:\Documents and Settings\User\Local Settings\Application Data\Citrix
2017-10-03 13:45 - 2012-08-14 10:43 - 000002477 ____N C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
2017-10-02 20:09 - 2012-08-14 10:43 - 000002465 ____N C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft PowerPoint.lnk
2017-09-30 16:18 - 2013-06-06 12:38 - 000000000 ___RD C:\Documents and Settings\User\My Documents\Google Drive
 
==================== Files in the root of some directories =======
 
2017-07-25 22:04 - 2017-07-25 23:36 - 008111467 ____N () C:\Documents and Settings\User\Local Settings\Application Data\12C backup - 20140829133210-3281.BB
2008-02-05 15:28 - 2008-02-05 15:28 - 000000051 ____N () C:\Documents and Settings\User\Local Settings\Application Data\setup.txt
 
Some files in TEMP:
====================
2014-04-20 01:48 - 2014-04-20 01:48 - 089581848 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-1144e10b.exe
2014-04-30 17:48 - 2014-04-30 17:49 - 090833176 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-38e4a304.exe
2014-04-27 01:48 - 2014-04-27 01:49 - 090412824 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-8585e208.exe
2014-04-17 12:20 - 2014-04-17 12:21 - 089407256 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-a521472f.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== End of FRST.txt ============================
 
 
 

Addition.txt would not attach:  too big to upload.



#2 Android 8888


Posted 12 October 2017 - 05:48 PM

Hello dburkhead and welcome back!

 

 

Addition.txt would not attach:  too big to upload.

Okay, please copy and paste the entire contents of the Addition.txt log in your next reply. If the log is too extensive, you can divide it into several parts and post it in additional replies. I would like to see that log.

 

In your last topic you stated that you had problems with the updates of the version 3.1.2.1733 of Malwarebytes.

Please tell me, have you tried to install and run the latest version of Malwarebytes (3.2.2.) and check if the updates issue is already fixed or not?

 

Android 8888


 
Website: http://android8888.comlu.com
 
Tavira - Here's where I live!
 
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#3 dburkhead


Posted 13 October 2017 - 07:37 AM

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-10-2017
Ran by User (12-10-2017 12:47:22)
Running from C:\Documents and Settings\User\Desktop\Security
Microsoft Windows XP Professional Service Pack 3 (X86) (2017-05-11 18:55:48)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3680450723-4200196162-3786228007-500 - Administrator - Enabled)
ASPNET (S-1-5-21-3680450723-4200196162-3786228007-1004 - Limited - Enabled)
Guest (S-1-5-21-3680450723-4200196162-3786228007-501 - Limited - Enabled)
HelpAssistant (S-1-5-21-3680450723-4200196162-3786228007-1005 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-3680450723-4200196162-3786228007-1002 - Limited - Disabled)
User (S-1-5-21-3680450723-4200196162-3786228007-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\User
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Norton Security Suite (Enabled - Up to date) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite (Disabled) {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
ACT! (HKLM\...\ACT!) (Version:  - )
Adobe Acrobat 5.0 (HKLM\...\Adobe Acrobat 5.0) (Version: 5.0 - Adobe Systems, Inc.)
Adobe Flash Player 22 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Reader X (10.1.11) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.11 - Adobe Systems Incorporated)
Advertising Center (HKLM\...\{9F3523F8-DAD7-AE52-6DA7-45CDDDF33726}) (Version: 0.0.0.1 - Nero AG) Hidden
AJC Directory Synchronizer v1.16.6 (HKLM\...\AJC Directory Synchronizer_is1) (Version:  - AJC Software)
BounceBack Express (HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\...\{95632566-071E-4A02-92C1-4BD907065736}) (Version: 8.0 - CMS Products)
Canon Camera Access Library (HKLM\...\CAL) (Version: 8.5.0.2 - Canon Inc.)
Canon DIGITAL CAMERA Solution Disk Software Guide (HKLM\...\Software Guide) (Version: 1.6.0.1 - Canon Inc.)
CANON iMAGE GATEWAY MyCamera Download Plugin (HKLM\...\MyCamera Download Plugin) (Version: 3.1.1.2 - Canon Inc.)
Canon MOV Decoder (HKLM\...\Canon MOV Decoder) (Version: 1.9.0.8 - Canon Inc.)
Canon PowerShot SX150 IS Camera User Guide (HKLM\...\CameraUserGuide-PSSX150IS) (Version: 1.0.0.1 - Canon Inc.)
Canon Utilities CameraWindow DC 8 (HKLM\...\CameraWindowDC8) (Version: 8.6.0.11 - Canon Inc.)
Canon Utilities CameraWindow Launcher (HKLM\...\CameraWindowLauncher) (Version: 7.6.0.1 - Canon Inc.)
Canon Utilities Movie Uploader for YouTube (HKLM\...\MovieUploaderForYouTube) (Version: 1.3.0.3 - Canon Inc.)
Canon Utilities MyCamera (HKLM\...\MyCamera) (Version: 7.5.0.1 - Canon Inc.)
Canon Utilities PhotoStitch (HKLM\...\PhotoStitch) (Version: 3.1.22.46 - Canon Inc.)
CD Catalog Expert 9.30.807.11 (HKLM\...\CD Catalog Expert_is1) (Version:  - eTeSoft)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CyberLink PowerDVD 10 (HKLM\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.2312.02 - CyberLink Corp.)
DiscTrack Plus (HKLM\...\DiscTrack Plus) (Version:  - )
DolbyFiles (HKLM\...\{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}) (Version: 0.1 - Nero AG) Hidden
Dropbox (HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\...\Dropbox) (Version: 2.0.26 - Dropbox, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 7.16.0.4800 (HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\...\GoToMeeting) (Version: 7.16.0.4800 - CitrixOnline)
Hardlock Device Drivers (HKLM\...\Hardlock Device Drivers) (Version:  - )
Image Importer Wizard (HKLM\...\{20EDB9A7-887F-47ED-B1E6-E2831FAD276F}) (Version: 3.0 - )
ImagXpress (HKLM\...\{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}) (Version: 7.0.74.0 - Nero AG) Hidden
Intel® Network Connections 16.6.126.0 (HKLM\...\{357A82F9-B5FF-46C8-ABA2-104695E0F1D1}) (Version: 16.6.126.0 - Intel)
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.10.5387 - Intel Corporation)
Jasc Paint Shop Pro 8 (HKLM\...\{81A34902-9D0B-4920-A25C-4CDC5D14B328}) (Version: 8.00.0000 - Jasc Software Inc)
Jasc Paint Shop Pro 8.10 Update Patch (HKLM\...\Jasc Paint Shop Pro 8.10 Update Patch) (Version:  - )
Keyboard Express 3 (HKLM\...\Keyboard Express 3) (Version: 3.0 - Insight Software Solutions, Inc.)
Menu Templates - Starter Kit (HKLM\...\{B78120A0-CF84-4366-A393-4D0A59BC546C}) (Version: 9.4.2.0 - Nero AG) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2000 Premium (HKLM\...\{00000409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nanoscope 5.31r1 (HKLM\...\Nanoscope 5.31r1) (Version:  - )
Nero 9 Essentials (HKLM\...\{a01dd7e5-ef6c-43b7-aa39-be7be987539f}) (Version:  - Nero AG)
Network ScanGear Ver.1.4 (HKLM\...\{16EFC313-F083-4C16-AEB7-1FF1A4343540}) (Version:  - )
Norton Security Suite (HKLM\...\N360) (Version: 22.11.0.41 - Symantec Corporation)
QuickBooks (HKLM\...\{25E202D1-D8E7-46AF-B4B0-157D9993A93E}) (Version: 22.0.4016.2206 - Intuit Inc.) Hidden
QuickBooks Pro 2012 (HKLM\...\{22057D8D-7CC8-46FF-AD8C-9BD24F9014F3}) (Version: 22.0.4016.2206 - Intuit Inc.)
QuickBooks Pro Timer (HKLM\...\{6D49994F-2E35-4932-B9ED-D2F4EEBF91A2}) (Version: 8.00.0000 - )
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 5.10.0.6482 - Realtek Semiconductor Corp.)
Solid Edge Viewer ST4 (HKLM\...\{F2658C51-8FB6-4DAD-AF6E-71ECE035FBA4}) (Version: 104.00.00082 - Siemens)
TinyCAD 2.80.03 (HKLM\...\TinyCAD) (Version: 2.80.03 - TinyCAD)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
WinDirStat 1.1.2 (HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\...\WinDirStat) (Version:  - )
Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version:  - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
WinRAR 5.40 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{4CA41277-032D-4a20-B225-371EBA96ABF2}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2012\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1350\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2012\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E69341A3-E6D2-4175-B60C-C9D3D6FA40F6}\localserver32 -> C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2012\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\buShell.dll [2017-10-03] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\buShell.dll [2017-10-03] (Symantec Corporation)
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\buShell.dll [2017-10-03] (Symantec Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll [2013-06-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll [2013-06-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll [2013-06-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll [2013-06-05] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
ContextMenuHandlers1: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\buShell.dll [2017-10-03] (Symantec Corporation)
ContextMenuHandlers1: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\NavShExt.dll [2017-10-04] (Symantec Corporation)
ContextMenuHandlers1: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers2: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\NavShExt.dll [2017-10-04] (Symantec Corporation)
ContextMenuHandlers3: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2011-09-30] (Intel Corporation)
ContextMenuHandlers6: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\buShell.dll [2017-10-03] (Symantec Corporation)
ContextMenuHandlers6: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\NavShExt.dll [2017-10-04] (Symantec Corporation)
ContextMenuHandlers6: [WinRAR] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} => C:\Program Files\WinRAR\rarext.dll [2016-08-15] (Alexander Roshal)
ContextMenuHandlers1_S-1-5-21-3680450723-4200196162-3786228007-1003: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll [2013-06-05] (Dropbox, Inc.)
ContextMenuHandlers4_S-1-5-21-3680450723-4200196162-3786228007-1003: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll [2013-06-05] (Dropbox, Inc.)
ContextMenuHandlers5_S-1-5-21-3680450723-4200196162-3786228007-1003: [DropboxExt] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\User\Application Data\Dropbox\bin\DropboxExt.19.dll [2013-06-05] (Dropbox, Inc.)
 
==================== Scheduled Tasks=============================
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\Documents and Settings\User\NetHood\www.asmicro.com\target.lnk -> hxxp://www.asmicro.co
 
==================== Loaded Modules (Whitelisted) ==============
 
2012-08-17 16:38 - 2001-10-11 17:34 - 000077824 _____ () C:\Program Files\Adobe\Acrobat 5.0\Distillr\adistres.dll
2014-08-29 13:29 - 2008-01-02 14:17 - 000107832 ____N () C:\Program Files\CMS Products\BounceBack Express\BBLauncher.exe
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2008-04-14 08:00 - 2008-04-14 08:00 - 000000734 ____N C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1       localhost
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 192.168.1.1
Windows Firewall is disabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
DomainProfile\AuthorizedApplications: [C:\Program Files\CyberLink\PowerDVD10\PowerDVD10.exe] => Enabled:CyberLink PowerDVD 10.0
StandardProfile\AuthorizedApplications: [C:\Program Files\CyberLink\PowerDVD10\PowerDVD10.exe] => Enabled:CyberLink PowerDVD 10.0
StandardProfile\AuthorizedApplications: [C:\Program Files\AJC Software\AJC Directory Synchronizer\AJCDirS.exe] => Enabled:AJC Directory Synchronizer
StandardProfile\AuthorizedApplications: [C:\Program Files\Intuit\QuickBooks 2012\QBDBMgrN.exe] => Enabled:QuickBooks 2012 Data Manager
StandardProfile\AuthorizedApplications: [C:\Documents and Settings\User\Application Data\Dropbox\bin\Dropbox.exe] => Enabled:Dropbox
StandardProfile\AuthorizedApplications: [C:\WINDOWS\explorer.exe] => Enabled:Windows Explorer
StandardProfile\AuthorizedApplications: [C:\Program Files\Google\Chrome\Application\chrome.exe] => Enabled:Google Chrome
DomainProfile\GloballyOpenPorts: [139:TCP] => Enabled:@xpsp2res.dll,-22004
DomainProfile\GloballyOpenPorts: [445:TCP] => Enabled:@xpsp2res.dll,-22005
DomainProfile\GloballyOpenPorts: [137:UDP] => Enabled:@xpsp2res.dll,-22001
DomainProfile\GloballyOpenPorts: [138:UDP] => Enabled:@xpsp2res.dll,-22002
StandardProfile\GloballyOpenPorts: [1900:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22007
StandardProfile\GloballyOpenPorts: [2869:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22008
StandardProfile\GloballyOpenPorts: [139:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22004
StandardProfile\GloballyOpenPorts: [445:TCP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22005
StandardProfile\GloballyOpenPorts: [137:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22001
StandardProfile\GloballyOpenPorts: [138:UDP] => :LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
==================== Restore Points =========================
 
12-09-2017 12:08:51 System Checkpoint
13-09-2017 17:36:48 System Checkpoint
16-09-2017 02:57:22 System Checkpoint
17-09-2017 04:56:27 System Checkpoint
20-09-2017 20:24:34 System Checkpoint
22-09-2017 12:59:07 System Checkpoint
23-09-2017 13:05:00 System Checkpoint
25-09-2017 22:18:20 System Checkpoint
27-09-2017 14:26:45 System Checkpoint
28-09-2017 15:05:44 JRT Pre-Junkware Removal
01-10-2017 19:31:10 System Checkpoint
03-10-2017 08:42:43 System Checkpoint
03-10-2017 15:53:21 Removed Backup and Sync from Google
03-10-2017 15:56:05 Removed Citrix Online Launcher
05-10-2017 17:00:55 System Checkpoint
06-10-2017 17:21:04 System Checkpoint
 
==================== Faulty Device Manager Devices =============
 
Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (10/09/2017 09:32:11 AM) (Source: Userenv) (EventID: 1512) (User: NT AUTHORITY)
Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.  
 
 
DETAIL - Insufficient system resources exist to complete the requested service.
 
Error: (10/04/2017 03:18:05 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (10/04/2017 03:18:05 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (10/04/2017 03:18:05 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (10/03/2017 03:46:32 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (10/03/2017 03:46:32 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (10/03/2017 03:46:32 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
Error: (10/03/2017 02:50:30 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error: (10/03/2017 12:18:33 PM) (Source: Userenv) (EventID: 1512) (User: NT AUTHORITY)
Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.  
 
 
DETAIL - Insufficient system resources exist to complete the requested service.
 
Error: (09/30/2017 04:12:29 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle
 
 
System errors:
=============
Error: (10/12/2017 12:29:09 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (10/12/2017 11:38:56 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The QBIDPService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/12/2017 11:38:51 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The QBCFMonitorService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (10/12/2017 09:03:34 AM) (Source: 0) (EventID: 8003) (User: )
Description: Event-ID 8003
 
Error: (10/12/2017 07:02:33 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (10/10/2017 12:48:02 PM) (Source: 0) (EventID: 8003) (User: )
Description: Event-ID 8003
 
Error: (10/09/2017 01:14:19 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the MBAMService service.
 
Error: (10/09/2017 12:55:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (10/09/2017 09:35:54 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (10/09/2017 09:30:08 AM) (Source: 0) (EventID: 2020) (User: )
Description: Event-ID 2020
 
 
==================== Memory info =========================== 
 
Processor:  Intel® Core™ i5-2500K CPU @ 3.30GHz
Percentage of memory in use: 20%
Total physical RAM: 3488.02 MB
Available physical RAM: 2773.02 MB
Total Virtual: 5369.89 MB
Available Virtual: 4598.12 MB
 
==================== Drives ================================
 
Drive c: (WinXP) (Fixed) (Total:465.76 GB) (Free:357.27 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive d: (D) (Fixed) (Total:465.76 GB) (Free:277.37 GB) NTFS
Drive g: (ASM8123(WD)) (Fixed) (Total:1862.98 GB) (Free:1573.94 GB) NTFS
Drive r: (My Disc) (CDROM) (Total:0.08 GB) (Free:0 GB) CDFS
Drive t: (ASM8112) (Fixed) (Total:2794.45 GB) (Free:1336.66 GB) NTFS
Drive x: () (Network) (Total:465.76 GB) (Free:357.27 GB) 
Drive y: () (Network) (Total:465.76 GB) (Free:357.27 GB) 
Drive z: () (Network) (Total:465.76 GB) (Free:277.37 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 8FDF8FDF)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: 7FD359D6)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 2.
 
========================================================
Disk: 3 (Size: 1863 GB) (Disk ID: C4E192C5)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


#4 dburkhead

    Advanced Member

  • Full Member
  • 156 posts

Posted 13 October 2017 - 07:45 AM

Malwarebytes had originally recommended we roll back from an earlier version 3 to 2.2.  We let the software update to 3.2.2 recently and that seemed to work for the Malwarebytes related problem (database not updating) but it seemed to exacerbate the slowness issue.  Since the update was from within Malwarebytes I did not have an install set for that version ready to hand when I reinstalled to get the scan log to post here.  That was 2.2.



#5 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,038 posts

Posted 13 October 2017 - 06:03 PM

Hello dburkhead and thank you for the MBAM information and for the logs.
 
You have both Windows Firewall and Norton Security Suite Firewall disabled. A firewall is software or hardware that creates a protective barrier between your computer and potentially damaging content on the Internet. It helps guard your computer against malicious users and against many computer viruses and other threats. Browsing the Internet without a firewall enabled is a high security risk.

 

Please enable your Norton Security Suite Firewall.

Now, please proceed with the following set of instructions:

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Open Notepad (Start > All Programs > Accessories > Notepad). Please copy the entire contents of the code box below.
To do this highlight the contents of the box below and right click on it and select Copy.
Paste this into the open Notepad.
 

Start
CreateRestorePoint:
CloseProcesses:
Folder: C:\WINDOWS\TempFile
GroupPolicy: Restriction ? <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.asmicro.com/applications/faq.htm
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
S2 EraserSvc11720; "C:\Program Files\Common Files\Symantec Shared\EENGINE\N360.exe" /h ccCommon [X]
S4 IntelIde; no ImagePath
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160715.001\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160715.001\NAVEX15.SYS [X]
U2 V2iMount; no ImagePath
U1 WS2IFSL; no ImagePath
2017-10-12 12:33 - 2017-08-18 17:27 - 000027700 _____ C:\Documents and Settings\User\Desktop\mb-clean-results.txt
2014-04-20 01:48 - 2014-04-20 01:48 - 089581848 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-1144e10b.exe
2014-04-30 17:48 - 2014-04-30 17:49 - 090833176 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-38e4a304.exe
2014-04-27 01:48 - 2014-04-27 01:49 - 090412824 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-8585e208.exe
2014-04-17 12:20 - 2014-04-17 12:21 - 089407256 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-a521472f.exe
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
ContextMenuHandlers3: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
CMD: ipconfig /flushdns
EmptyTemp:
End

Save the file as fixlist.txt in the same location as FRST.
Run FRST and click Fix only once and wait.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post its contents to your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.


Next,

 

Download Junkware Removal Tool (JRT) and move it to your computer's Desktop;

Double-click on JRT.exe and accept the disclaimer to run the tool;

Press any key to launch the scan and let it complete;

Once the scan is complete, a log will open. Please post the contents of that log in your next reply.

 

 

Next,

 

Download AdwCleaner and move it to your computer's Desktop;

Double-click on AdwCleaner.exe and accept the disclaimer to run the tool;

Let the database update, then click on Scan;

Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button.

Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do so;

After the restart, a log will open when logging in. Please post the contents of that log in your next reply.

 

 

Next,

 

Please download the right version of RogueKiller for your Windows version (32-bit);

Once done, move the executable file to your computer's Desktop, double-click on it to open RogueKiller;

Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner);

Wait for the scan to complete;

On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner);

This will open the report in Notepad. Please copy and paste its content in your next reply.

 

IMPORTANT: Please do not remove any entry, just do the scan and post the results.

 

 

To summarize, in your next reply please post the contents of:
Fixlog.txt
JRT.txt
AdwCleaner clean log
RKLog.txt

How is the computer behaving? Is it still slow? Can you access it from another computer now?

Android 8888


Android 8888
 
Website: http://android8888.comlu.com
 
Tavira - Here's where I live!
 
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#6 dburkhead

    Advanced Member

  • Full Member
  • 156 posts

Posted 16 October 2017 - 10:03 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Microsoft Windows XP x86 
Ran by User (Administrator) on Mon 10/16/2017 at 10:43:01.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 8 
 
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\496F8HI3 (Temporary Internet Files Folder) 
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GCAEDZH2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GTODDTJT (Temporary Internet Files Folder) 
Successfully deleted: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\K0U1EIM1 (Temporary Internet Files Folder) 
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\496F8HI3 (Temporary Internet Files Folder) 
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GCAEDZH2 (Temporary Internet Files Folder) 
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTODDTJT (Temporary Internet Files Folder) 
Successfully deleted: C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\K0U1EIM1 (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 10/16/2017 at 10:45:36.73
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Attempting to run adwcleaner_7.0.3.1.exe gets an error "is not a valid Win32 application".
I have an earlier version available:  adwcleaner_6.047.exe.  Running that (best I can do at the moment pending further instructions) gets the following results:
 
# AdwCleaner v6.047 - Logfile created 16/10/2017 at 11:01:05
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-19.1 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : User - ASM12
# Running from : C:\Documents and Settings\User\Desktop\Security\adwcleaner_6.047.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1029 Bytes] - [16/10/2017 11:01:05]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1102 Bytes] ##########
 
 
When I click on the "RogueKiller" link I get that "This Site can't provide a secure connection".  I was, however, able to download it on a different PC/Browser combination.
 
Results:
(As instructed, I did not remove the item found)
RogueKiller V12.11.20.0 [Oct 16 2017] (Free) by Adlice Software
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : User [Administrator]
Started from : C:\Documents and Settings\User\Desktop\Security\RogueKiller_portable32.exe
Mode : Scan -- Date : 10/16/2017 11:21:15 (Duration : 00:28:03)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 1 ¤¤¤
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5002AALX-00J37A0 +++++
--- User ---
[MBR] 2c950d96bf3e7004c305190c65bb3941
[BSP] 20cb7d8659bb553fa310df9bd8cbb4e3 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: ST3500418AS +++++
--- User ---
[MBR] 9e461e4f2895378b1a8983bba4973cc0
[BSP] d8cbdfebf57b4e45cc50dc546b2090c3 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive2: WD My Book 1230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )
 
At present the computer is still extremely slow.


#7 Android 8888

    SWI Malware Tracker

  • Trusted Advisor*
  • 1,038 posts

Posted 16 October 2017 - 05:31 PM

Hello dburkhead.

 

Thank you for the logs.

 

Attempting to run adwcleaner_7.0.3.1.exe gets an error "is not a valid Win32 application".
I have an earlier version available:  adwcleaner_6.047.exe.  Running that (best I can do at the moment pending further instructions) gets the following results:

Yes, the latest version of AdwCleaner does not run on Windows XP anymore, only on Windows 7 and above. We are getting limited in running some updated tools on Windows XP.

 

You did not post the Fixlog.txt. Did you run the fixlist.txt script with FRST as instructed? If not, please run the fix and post the created log (Fixlog.txt).

 

 

Next,

 

Please download Zemana AntiMalware and save it to your computer's Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the UAC security warning that may appear.
  • Select the language and click the OK button.
  • Click the Next button, accept the EULA warning and follow the instructions to continue and install the program.
  • Once the installation is complete it will start automatically. Wait a few seconds until the update of signature database is complete.
  • Without changing any options, click Scan to begin.
  • After the short scan is finished, if threats are detected click Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your computer's Desktop and click the Save button.

Please post the entire contents of the saved report in your next reply.

 

 

Please post:

Fixlog.txt

Zemana AntiMalware log.

 

After performing the steps above, let me know the state of the computer.

 

Android 8888



#8 dburkhead

    Advanced Member

  • Full Member
  • 156 posts

Posted 17 October 2017 - 10:00 AM

Sorry.  I just forgot to include the fixlog last time.  Here it is.

Fix result of Farbar Recovery Scan Tool (x86) Version: 15-10-2017
Ran by User (16-10-2017 10:17:59) Run:1
Running from C:\Documents and Settings\User\Desktop\Security
Loaded Profiles: User (Available Profiles: User)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Folder: C:\WINDOWS\TempFile
GroupPolicy: Restriction ? <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.asmicro.com/applications/faq.htm
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
S2 EraserSvc11720; "C:\Program Files\Common Files\Symantec Shared\EENGINE\N360.exe" /h ccCommon [X]
S4 IntelIde; no ImagePath
S3 NAVENG; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160715.001\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\SDSDefs\20160715.001\NAVEX15.SYS [X]
U2 V2iMount; no ImagePath
U1 WS2IFSL; no ImagePath
2017-10-12 12:33 - 2017-08-18 17:27 - 000027700 _____ C:\Documents and Settings\User\Desktop\mb-clean-results.txt
2014-04-20 01:48 - 2014-04-20 01:48 - 089581848 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-1144e10b.exe
2014-04-30 17:48 - 2014-04-30 17:49 - 090833176 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-38e4a304.exe
2014-04-27 01:48 - 2014-04-27 01:49 - 090412824 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-8585e208.exe
2014-04-17 12:20 - 2014-04-17 12:21 - 089407256 ____N (Microsoft Corporation) C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-a521472f.exe
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll => No File
CustomCLSID: HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx => No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} =>  -> No File
ContextMenuHandlers3: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
CMD: ipconfig /flushdns
EmptyTemp:
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
========================= Folder: C:\WINDOWS\TempFile ========================
 
C:\WINDOWS\TempFile => File
 
====== End of Folder: ======
 
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe => key removed successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\hkhkiakolggnnicallabhkobalpeplpi => key removed successfully.
HKLM\System\CurrentControlSet\Services\EraserSvc11720 => key could not remove. Access Denied.
HKLM\System\CurrentControlSet\Services\IntelIde => key removed successfully.
IntelIde => service removed successfully.
HKLM\System\CurrentControlSet\Services\NAVENG => key could not remove. Access Denied.
HKLM\System\CurrentControlSet\Services\NAVEX15 => key could not remove. Access Denied.
HKLM\System\CurrentControlSet\Services\V2iMount => key removed successfully.
V2iMount => service removed successfully.
HKLM\System\CurrentControlSet\Services\WS2IFSL => key removed successfully.
WS2IFSL => service removed successfully.
C:\Documents and Settings\User\Desktop\mb-clean-results.txt => moved successfully
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-1144e10b.exe => moved successfully
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-38e4a304.exe => moved successfully
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-8585e208.exe => moved successfully
C:\Documents and Settings\NetworkService\Local Settings\Temp\mpam-a521472f.exe => moved successfully
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F} => key removed successfully.
HKU\S-1-5-21-3680450723-4200196162-3786228007-1003_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313} => key removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully.
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSharedOverlay => key removed successfully.
HKLM\Software\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => key not found. 
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\00avast => key removed successfully.
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
 
========= ipconfig /flushdns =========
 
 
 
Windows IP Configuration
 
 
 
Successfully flushed the DNS Resolver Cache.
 
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 9773 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 835243 B
Java, Flash, Steam htmlcache => 5760 B
Windows/system/dllcache/drivers => 715515 B
Edge => 0 B
Chrome => 455589327 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 66228 B
All Users => 0 B
systemprofile => 388876390 B
LocalService => 360 B
NetworkService => 2113958 B
User => 61828079 B
 
RecycleBin => 631380301 B
EmptyTemp: => 1.4 GB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 16-10-2017 10:25:13)
 
 
Result of scheduled keys to remove after reboot:
 
HKLM\System\CurrentControlSet\Services\EraserSvc11720 => key could not remove. Access Denied.
HKLM\System\CurrentControlSet\Services\NAVENG => key could not remove. Access Denied.
HKLM\System\CurrentControlSet\Services\NAVEX15 => key could not remove. Access Denied.
 
==== End of Fixlog 10:25:13 ====
 
 
Zemana found no threats:
Zemana AntiMalware 2.74.2.150 (Installed)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/10/17
Operating System       : Windows XP 32-bit
Processor              : 4X Intel® Core™ i5-2500K CPU @ 3.30GHz
BIOS Mode              : Legacy
CUID                   : 14E6AE83A031651B7246AE
Scan Type              : System Scan
Duration               : 55m 17s
Scanned Objects        : 241540
Detected Objects       : 0
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : LAB,0,2
 
Detected Objects
-------------------------------------------------------
 
No threats detected
 
The computer does not seem to be quite as bad as it was before but it is still painfully slow.  I can access files remotely (one of the main purposes of this computer is as a common file repository) but the lag is frustrating.


#9 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 17 October 2017 - 03:02 PM

Hi dburkhead and thanks for the logs.

Okay, perform the following scan with ESET Online Scanner.

  • Click on this link to open ESET Online Scanner in a new window.
  • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
  • Close all your programs and browsers and disconnect any USB flash drives from the computer.
  • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
  • Double-click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

Note: If nothing is found, it will not produce a log.

Re-enable your antivirus program.

In your next reply please post the entire contents of the ESET log (if it produced one).

Android 8888


Android 8888
 
Website: http://android8888.comlu.com
 
Tavira - Here's where I live!
 
Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"
 
Our help is free, but if you wish to help keep these forums running please consider a donation; Please see This Topic for details.

#10 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 20 October 2017 - 01:00 PM

Are you still with me dburkhead?



#11 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 20 October 2017 - 01:26 PM

I'm still with you.  ESET has been an issue.  Specifically, on the first pass I forgot to disconnect the external USB hard drive (it's just used for backup purposes; we don't run anything on it).  20 hours into the scan and it wasn't done.  Also the "slow running" remains an issue.  I stopped the scan this morning, disconnected the external drive, and started it again.  That scan is still running.

I'm going to be travelling on business from Sunday evening.  Will be back Friday.  My boss will be handling things from this end in the meantime if that's all right.  I don't have his user ID to hand but expect him to check in soon.



#12 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 20 October 2017 - 04:23 PM

That's okay.

Just let me know the results of ESET in case you managed to complete the scan.

Thank you.


#13 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 20 October 2017 - 06:30 PM

ESET finished.  No threats found.



#14 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 21 October 2017 - 03:30 PM

Hi dburkhead.

The good news is that your computer appears to be clean and malware free. Now let's look at what could be causing the computer slowdowns.

Please download the Zoek tool from here and save it to your computer's Desktop.
Next, temporarily disable your security programs so they do not interfere with the scan.
Information on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

On the Desktop, right-click the Zoek.exe file and select Run as administrator to start the tool.
(Give it a few seconds to appear.)

Next, copy and paste the entire script inside the code box below into the input field of Zoek:

createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b

Close any open Internet browsers.
Click the Run script button, and wait. It takes several minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Note: Please re-enable your security programs.

Please post the zoek-results.log in your next reply and note any errors encountered.

How is the computer behaving? Does it still lag?

Thank you.

Android 8888



#15 don01 (Member, Full Member, 57 posts)
Posted 22 October 2017 - 11:41 AM

dburkhead asked me to continue work on this issue.

I ran Zoek.

I noted the following anomalies:

- Norton flagged zoek.exe as threat “Trojan.Gen.2”.  I had to disable Norton before downloading.

- During the Zoek run, after reaching Checking Input at 11:01:08, an error message popped up:

DaS21. “DaS21 has encountered a problem and needs to close. We are sorry for the inconvenience.”

===

Zoek required a reboot.  After I re-enabled Norton, it flagged Zoek and moved it to quarantine.  Two hours after reboot, I find the PC can still be very sluggish. A short Word document took 10 seconds to open, but other files (Excel, PowerPoint, Word) opened promptly.  In a subsequent post, I will give a further evaluation of how the PC is performing.

By the way, Zemana starts up with every reboot, but provides no realtime protection.  Is it ok to uninstall it now?

-------------------

zoek-results follow

===

 

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by User on Sun 10/22/2017 at 10:44:33.45.
Microsoft Windows XP Professional 5.1.2600 Service Pack 3 x86
Running in: Normal Mode No Internet Access Detected
Launched: C:\Documents and Settings\User\Desktop\Security\zoek.exe [Scan all users] [Script inserted] 

==== System Restore Info ======================

10/22/2017 11:01:04 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Program Files\MSXML 4.0 deleted successfully
C:\Program Files\Common Files\SWF Studio deleted successfully
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nuance deleted successfully
C:\Documents and Settings\User\Local Settings\Application Data\Siemens deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\Program Files\ComPlus Applications deleted
C:\Program Files\WindowsUpdate deleted
C:\found.000 deleted
C:\DOCUME~1\ALLUSE~1\APPLIC~1\{1C6FDDD8-FC9E-4C12-9FA5-1AAD377097B3} deleted
C:\WINDOWS\SET12F.tmp deleted
C:\WINDOWS\SET132.tmp deleted
C:\WINDOWS\SET13E.tmp deleted
C:\WINDOWS\SET3.tmp deleted
C:\WINDOWS\SET4.tmp deleted
C:\WINDOWS\SET8.tmp deleted
C:\WINDOWS\system32\GroupPolicy\Adm deleted
C:\WINDOWS\system32\GroupPolicy\User deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{C1A2A613-35F1-4FCF-B27F-2840527B6556}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon" [06/08/2017 09:07 AM]

==== Chromium Look ======================

Google Chrome Version: 46.0.2490.86

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
cjabmdjcfcfdmffimndhafhblfmpjdpe - C:\Program Files (x86)\Norton Security Suite\Engine\22.11.0.41\Exts\Chrome.crx[]
iikflkcanblccfahdhdonehdalibjnif - No path found[]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
lmjegmlicamnimmfhcmpkclmigmmcbeh - No path found[]

Norton Security Toolbar - User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe
Norton Identity Safe - User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif
Google Drive App Launcher - User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh

==== Chromium Fix ======================

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{15E7191B-1318-4249-9958-4E896F8A6F4A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.co...={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/...ox&FORM=IE8SRC"
{15E7191B-1318-4249-9958-4E896F8A6F4A} Google  Url="http://www.google.co...tputEncoding?}"

==== Reset Google Chrome ======================

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data-journal was reset successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe deleted successfully

==== Empty IE Cache ======================

C:\Documents and Settings\User\Local Settings\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=272 folders=28 15032490 bytes)

==== Empty Temp Folders ======================

C:\Documents and Settings\Default User\Local Settings\Temp emptied successfully
C:\Documents and Settings\LocalService\Local Settings\Temp emptied successfully
C:\Documents and Settings\NetworkService\Local Settings\Temp emptied successfully
C:\Documents and Settings\User\Local Settings\Temp will be emptied at reboot
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\DOCUME~1\User\LOCALS~1\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\RECYCLER successfully emptied

==== Deleting Files / Folders ======================

"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not deleted
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat" deleted

==== EOF on Sun 10/22/2017 at 11:17:57.31 ======================

===



#16 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 22 October 2017 - 04:19 PM

Hello don01 and welcome to SWI.

dburkhead asked me to continue work on this issue.

That's okay. He already let me know that.

-Norton flagged zoek.exe as threat “Trojan.Gen.2”.  I had to disable Norton before downloading

This is a false positive; the file is safe. You did well to disable it and run the tool.

By the way, Zemana starts up with every reboot, but provides no realtime protection.  Is it ok to uninstall it now?

Only the premium (paid) version has real-time protection. Yes, you can remove it now through Add or Remove Programs in Control Panel.

Now, I suggest printing out the instructions below and reading the entire post before proceeding. It will make following them easier.

Please download the portable version of Windows Repair from here.

  • Move the compressed file tweaking.com_windows_repair_aio to your computer's Desktop, and extract it there;
  • Boot in Safe Mode with Networking; instructions on how to do it here: Safe Mode with Networking;
  • Go into the tweaking.com_windows_repair_aio folder, then the Tweaking.com - Windows Repair folder, right-click on Repair_Windows.exe and select Run as Administrator;
  • Click Yes to accept the User Account Control security warning that may appear;
  • Wait a few seconds and click the I Agree button to accept the End User License Agreement;

Next, select the Step 2: (Optional) tab menu;

Click on the icon Open Repair Reparse Points;
Click on the 1. Scan Reparse Points button;
Click on the 2. Repair Selected button;
Close the current window;

Now, click the icon Open Repair Environment Variable;
Click the button 2. Apply New Paths;
Click the button 4. Apply New Paths;
Click the button 6. Apply New PathsExt;
Click the button 7. Apply Variables;
Close the current window;

Next, select the Step 4: (Optional) tab menu;
Click the Next button to start the scan and repair of the System files;

Next,

Select the + Repairs - Main tab menu;
Click the Preset: Common Repairs button (it will open a new window);
Click the Start Repairs button and wait until the repairs are complete;
If you are prompted with a Security Warning, allow it to go through;
Once the repairs are complete, it'll ask you to restart the computer; please do it immediately;

How is the computer running at this point? Are there any improvements?

Thank you.

Android 8888

 

 

Edit to add Zemana AntiMalware removal instructions.


Edited by Android 8888, 22 October 2017 - 04:29 PM.


#17 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 27 October 2017 - 10:52 AM

I'm back.  Unfortunately my boss told me that he was unable to work on any of the above (time issue not technical issue) so he has passed it back to me now that I am back.  I'll be working on the above instructions today.



#18 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 27 October 2017 - 11:57 AM

Hello and welcome back!

It's alright. I will wait for your reply.



#19 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 27 October 2017 - 02:59 PM

Ran the Windows Repair program.  On "Step Four" when I tried the File System Check I got the following error:

[SC] OpenService Failed 1060:

The specified service does not exist as an installed service

c:\Documents and Settings\User\Desktop\Security\Tweaking.com - Windows Repair>"c:\Windows\system32\sfc: /scannow

Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.
].

Please Restart Your Computer When System File Checker is Finished.

Press any key to continue . . .



#20 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 27 October 2017 - 03:01 PM

At the moment the computer seems to be operating reasonably well.   However this is right after a fresh reboot.  We'll see how it goes.



#21 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 28 October 2017 - 12:50 PM

Hello dburkhead.

Just leave the System File Check error for now and proceed with the remaining instructions to run the Repairs in Windows Repair.

Let me know what issues you are having with the computer at this point.

Thank you.

Android 8888



#22 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 31 October 2017 - 05:15 AM

Are you still with me dburkhead?



#23 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 31 October 2017 - 08:35 AM

Still here just got busy with other tasks.  Since the error message was in the step covered by the last screenshot I missed that there was a bit after it.  I'll get that today.



#24 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 31 October 2017 - 01:08 PM

Ran the repair.  We'll see how the system behaves.



#25 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 31 October 2017 - 03:10 PM

Hello.

Ran the repair.  We'll see how the system behaves.

Okay, please keep me posted.

Thank you.

Android 8888



#26 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 01 November 2017 - 01:59 PM

The repairs ran yesterday.  The computer has been running since then without a reboot.  I haven't been using it a whole lot since most of our work was on other PCs, but it has not had the major slowdown I had come to expect before.  So it's working a whole lot better than it was.  I just opened up Word, Excel, and a large shared Excel spreadsheet without any undue hesitation.

So far, so good.



#27 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 01 November 2017 - 05:11 PM

Good!

If the computer is running well, it's time to check for updates. Outdated programs contain security vulnerabilities that malware exploits to infect the computer without the user's knowledge. This is usually one of the main ways a computer gets infected.

The easiest way to do that is to run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.

Then you can delete the tools we used in the removal process by using DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Double-click on DelFix.exe to run the tool;
  • Check the following options:
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup of the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open.

I don't need to see the log file, just delete it.

After performing the steps above, let me know the state of the computer.

 



#28 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 02 November 2017 - 10:45 AM

I try to download "Delfix" and it ends up getting automatically deleted.



#29 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 02 November 2017 - 02:00 PM

And PSI stops on an error when I attempt to run it.



#30 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 02 November 2017 - 06:13 PM

Hello.

I suspect DelFix has been quarantined by your Norton Security Suite.

Read the information at this link and restore DelFix from quarantine.

Then add an exclusion for DelFix.exe to Norton Security Suite. Instructions on how to do it here.

And PSI stops on an error when I attempt to run it.

Can you describe the error message?

Let me know how you get on.



#31 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 03 November 2017 - 10:29 AM

"Secunia PSI has encountered a problem and needs to close.  We are sorry for the inconvenience."

Error signature:

"AppName:  psi.exe  AppVer:  3.0.0.11005  ModName:  psi.exe
ModVer:  3.0.0.11005  Offset:  000d6d26

Exception information:
Code:  0x40099915  Flags:  0x00000001
Record:  0x0000000000000000  Address:  00000000004d6d26"

And so on.



#32 Android 8888 (SWI Malware Tracker, Trusted Advisor, 1,038 posts)
Posted 04 November 2017 - 03:50 PM

Hello dburkhead.

Please proceed with the following Registry fix to enable System File Checker.

  • Click Start > select Run > type notepad > click OK
  • Copy the following text inside the code box below (starting with the first line "Windows Registry Editor....") and paste it into the open Notepad.
     
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "SFCDisable"=dword:00000000
    
    
  • Make sure there are no blank spaces before the first line (Windows Registry....) and that there is one blank line at the end. << IMPORTANT
  • Click File at the top and then choose Save As.
  • Change Save As Type to All Files.
  • Name it fix.reg and save it on your computer's Desktop.
  • Double-click fix.reg.
  • It will ask you if you want to merge it into the Registry; click Yes.

Restart the computer.

Now, follow the instructions below to run a Check Disk scan on your Windows partition:

  • Click on Start > All Programs > Accessories, click on 'Command Prompt';
  • Type the command chkdsk c: /r (there's a space between "c:" and "/r") and press Enter;
  • A message will be returned, stating that the drive cannot be locked because it's already in use, and you'll be asked if you want to schedule the scan for the next restart. Enter y and press Enter;
  • Restart your computer, and the chkdsk scan will be launched automatically;
  • Once the chkdsk scan is complete and you're back in Windows, find the log in the Event Viewer and copy/paste its entire contents in your next reply;

WARNING: Depending on your hard drive (specs, free space, fragmentation, etc.) this scan can take a long time to complete. Give it all the time it needs to finish. Do not interrupt it for any reason, or you might damage your drive in the process and make Windows unbootable. It's suggested to let this scan run overnight or when you leave the house for a few hours (when you go to work, for example). If you are running this scan on a laptop, don't forget to leave it plugged in;

Next,

Follow the instructions below to run a System File Checker scan on your system and provide the CBS log in your next reply:

Click on Start > All Programs > Accessories, click on 'Command Prompt';

  • In the Command Prompt window type the command below and press Enter;
    sfc /scannow
    Note: There's a space between "sfc" and "/scannow";
  • Once the scan is complete, enter the command below and press Enter
    copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"
  • A file called cbs.txt will have appeared on your Desktop. Upload the file to TinyUpload and post the download URL for it in your next reply;

Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the SFC scan is completed, it won't have the information from the scan anymore. So please upload it as soon as you can.

How is the system running at this point? Are you able to run Personal Software Inspector (PSI) or RGSA now?



#33 dburkhead (Advanced Member, Full Member, 156 posts)
Posted 06 November 2017 - 02:32 PM

If I'm understanding correctly, these are the results from the chkdsk /r:
 
Checking file system on C:
The type of the file system is NTFS.
Volume label is WinXP.
 
A disk check has been scheduled.
Windows will now check the disk.                         
Cleaning up minor inconsistencies on the drive.
Cleaning up 2088 unused index entries from index $SII of file 0x9.
Cleaning up 2088 unused index entries from index $SDH of file 0x9.
Cleaning up 2088 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x6b295a000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x6b2967000 for 0x1000 bytes.
Windows replaced bad clusters in file 1759
of name \WINDOWS\MEMORY.DMP.
Read failure with status 0xc000009c at offset 0x1fe257000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x1fe25c000 for 0x1000 bytes.
Windows replaced bad clusters in file 109416
of name \SHARED~1\ARWork\AR1738\FLATTE~1\db08o.f10.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Adding 2 bad clusters to the Bad Clusters File.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
 
 488384000 KB total disk space.
 113985552 KB in 241502 files.
     81812 KB in 16087 indexes.
       208 KB in bad sectors.
    353296 KB in use by the system.
     65536 KB occupied by the log file.
 373963132 KB available on disk.
 
      4096 bytes in each allocation unit.
 122096000 total allocation units on disk.
  93490783 allocation units available on disk.
 
Internal Info:
50 1c 04 00 41 ee 03 00 b5 74 05 00 00 00 00 00  P...A....t......
73 27 00 00 05 00 00 00 57 09 00 00 00 00 00 00  s'......W.......
40 1b 5f 13 00 00 00 00 48 aa ff 85 00 00 00 00  @._.....H.......
38 a1 0f 44 00 00 00 00 7a 71 07 8e 06 00 00 00  8..D....zq......
ec af 80 70 09 00 00 00 a0 0e 41 e6 10 00 00 00  ...p......A.....
90 a1 40 c4 00 00 00 00 10 3a 07 00 5e af 03 00  ..@......:..^...
00 00 00 00 00 40 20 2d 1b 00 00 00 d7 3e 00 00  .....@ -.....>..
 
Windows has finished checking your disk.
Please wait while your computer restarts.
 
 
For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
 
The sfc /scannow will take a bit as apparently I have to find the Windows install disk to allow it to copy some files:
"Files that are required for Windows to run properly must be copied to the DLL Cache"


#34 dburkhead


Posted 07 November 2017 - 09:42 AM

I ran sfc /scannow and it goes through a long bit checking that files are present and in the original form.  When that completes and I use the command to copy the cbs.log file to a cbs.txt I get "the system cannot find the path specified".  I try to "cd" to it in stages and can get to %windir%\logs but there's nothing below that except a DirectX.log.



#35 dburkhead


Posted 07 November 2017 - 09:45 AM

RGSA still fails.  Same error as before.

Secunia PSI still fails.  Same error as before.



#36 Android 8888


Posted 10 November 2017 - 11:05 AM

Hello dburkhead.

I apologize for the delay in responding.

Your hard disk drive has some physical errors (bad sectors). These bad sectors were identified and placed out of service since they are physically damaged and cannot be fixed. I advise you to backup your data as soon as possible and replace the HDD with a new one because it is very likely that more bad sectors will appear in the future. At the same time they will start to increase slowness in your system.

 

Now please re-run Disk Check as instructed below.

 

  • Click on Start > All Programs > Accessories, click on 'Command Prompt';
  • Type the command chkdsk c: /f (there's a space between "c:" and "/f") and press on Enter;
  • A message will be returned, stating that the drive cannot be locked because it's already in use, and you'll be asked if you want to schedule the scan for the next restart. Enter y and press on Enter;
  • Restart your computer, and the chkdsk scan will be launched automatically;
  • Once the chkdsk scan is complete and you're back in Windows, find the log in the Event Viewer and copy/paste its entire contents in your next reply;

 

WARNING: Depending on your hard drive (specs, free space, fragmentation, etc.) this scan can also be relatively long to complete.

 

 

Restart the computer.

 

 

Next, re-run sfc /scannow as instructed below.

 

Click on Start > All Programs > Accessories, click on 'Command Prompt';

  • In the Command Prompt window type the command below and press on Enter;
    sfc /scannow
    
  • Note: There's a space between "sfc" and "/scannow";
  • Once the scan is complete, enter the command below and press Enter
    findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"
    
  • A file called sfcdetails.txt will have appeared on your Desktop. Upload the file on TinyUpload and post the download URL for it in your next reply;

Note: Please note that the CBS.log is volatile, which means that if you don't upload it after the SFC scan is completed, it won't have the information from the scan anymore. So please upload it as soon as you can.

 

 

Please post the results of Disk Check and the link to download the file sfcdetails.txt

 

Android 8888


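The findstr line in the instructions above keeps only the "[SR]" lines of CBS.log, which are the entries System File Checker writes about what it verified, repaired or could not repair. The script below is an added example (not code from this thread or from Microsoft) that does the same selection in Python and then summarises the result, so a reviewer gets the repaired/unrepaired counts rather than a raw dump. The log text is constructed, modelled on the CBS.log line layout of Windows Vista and later (the servicing stack that writes %windir%\Logs\CBS\CBS.log); the file names and version in it are placeholders.

```python
"""Filter the "[SR]" lines out of a CBS.log and summarise what SFC found.

Added example, not code from the thread.  The log text is constructed,
modelled on the CBS.log format of Windows Vista and later.
"""
import re
from collections import Counter

# Constructed sample: a handful of CBS.log lines.  Only the "[SR]" lines are
# SFC's own; the others are ordinary servicing-stack chatter and are dropped,
# exactly as findstr /c:"[SR]" drops them.  Names and versions are placeholders.
SAMPLE_CBS_LOG = r"""
2017-11-10 11:05:01, Info                  CBS    Loaded Servicing Stack (placeholder)
2017-11-10 11:05:02, Info                  CSI    00000005 [SR] Verifying 100 (0x0000000000000064) components
2017-11-10 11:05:02, Info                  CSI    00000006 [SR] Beginning Verify and Repair transaction
2017-11-10 11:05:09, Info                  CSI    00000007 [SR] Cannot repair member file [l:24{12}]"wininet.dll" of Microsoft-Windows-WinINet, Version = 0.0.0.0; file is missing
2017-11-10 11:05:11, Info                  CSI    00000008 [SR] Repairing corrupted file [l:20{10}]"ntdll.dll" from store
2017-11-10 11:05:12, Info                  CSI    00000009 [SR] Repair complete
2017-11-10 11:05:12, Info                  CSI    0000000a [SR] Verify complete
"""

# Everything after the "[SR]" tag is the message SFC wanted to record.
SR_LINE = re.compile(r"\[SR\]\s+(?P<msg>.*)$")


def sr_lines(log_text):
    """Return only the SFC lines: the same selection findstr /c:"[SR]" makes."""
    return [line for line in log_text.splitlines() if "[SR]" in line]


def classify(message):
    """Bucket one [SR] message the way a reviewer reads it."""
    if message.startswith("Cannot repair"):
        return "unrepaired"          # SFC had no good copy to restore from
    if message.startswith("Repairing") or message.startswith("Repaired"):
        return "repaired"            # SFC restored the file from the store
    return "info"                    # progress and bookkeeping lines


def summarize_sfc(log_text):
    """Count repaired / unrepaired files and keep the unrepaired messages."""
    counts = Counter()
    unrepaired = []
    for line in sr_lines(log_text):
        match = SR_LINE.search(line)
        if not match:
            continue
        msg = match.group("msg")
        bucket = classify(msg)
        counts[bucket] += 1
        if bucket == "unrepaired":
            unrepaired.append(msg)
    return {
        "sr_lines": sum(counts.values()),
        "repaired": counts["repaired"],
        "unrepaired": counts["unrepaired"],
        "unrepaired_messages": unrepaired,
    }


if __name__ == "__main__":
    # On a real machine read %windir%\Logs\CBS\CBS.log instead of the sample.
    for key, value in summarize_sfc(SAMPLE_CBS_LOG).items():
        print(f"{key}: {value}")
```

The "unrepaired" bucket is the one worth acting on: a "Cannot repair" line names a protected system file that SFC could not restore, which is the case the second of the three result messages in the later reply describes.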

#37 dburkhead


Posted 15 November 2017 - 11:16 AM

Sorry for the delay.  Busy on unrelated issues.  Not sure if you wanted the re-run of the chkdsk on the current HD (to see if it's changed maybe?) or after replacing with a new one.  Re-run on the current:

 

Checking file system on C:
The type of the file system is NTFS.
Volume label is WinXP.
 
 
A disk check has been scheduled.
Windows will now check the disk.                         
Cleaning up minor inconsistencies on the drive.
Cleaning up 16 unused index entries from index $SII of file 0x9.
Cleaning up 16 unused index entries from index $SDH of file 0x9.
Cleaning up 16 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
 
 488384000 KB total disk space.
 115991416 KB in 249968 files.
     83748 KB in 16122 indexes.
       208 KB in bad sectors.
    353300 KB in use by the system.
     65536 KB occupied by the log file.
 371955328 KB available on disk.
 
      4096 bytes in each allocation unit.
 122096000 total allocation units on disk.
  92988832 allocation units available on disk.
 
Internal Info:
50 1c 04 00 76 0f 04 00 a2 96 05 00 00 00 00 00  P...v...........
90 27 00 00 05 00 00 00 44 01 00 00 00 00 00 00  .'......D.......
7a ee d3 13 00 00 00 00 26 11 4b 87 00 00 00 00  z.......&.K.....
6a 17 08 17 00 00 00 00 00 00 00 00 00 00 00 00  j...............
00 00 00 00 00 00 00 00 0a 52 7f ba 00 00 00 00  .........R......
a0 c8 40 c4 00 00 00 00 10 3a 07 00 70 d0 03 00  ..@......:..p...
00 00 00 00 00 e0 8d a7 1b 00 00 00 fa 3e 00 00  .............>..
 
Windows has finished checking your disk.
Please wait while your computer restarts.
 
 
For more information, see Help and Support Center at http://go.microsoft....link/events.asp.
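The two chkdsk results in this thread (6 and 15 November) carry the disk-health facts a practitioner wants to track over time: read failures reported by the drive, files whose clusters were remapped, clusters added to the bad-cluster file, and the running "KB in bad sectors" total. The script below is an added example, not code from the thread or from Microsoft, that parses those lines and compares two runs so that growth in the bad-sector count is visible at a glance. The two log strings are abbreviated copies of the outputs posted above, keeping only the lines the parser reads; the status-code name is the standard NTSTATUS value for 0xc000009c.

```python
"""Pull disk-health facts out of chkdsk output and compare two runs.

Added example, not code from the thread.  The two logs below are abbreviated
copies of the chkdsk results posted in this thread (6 and 15 November).
"""
import re

CHKDSK_NOV06 = r"""
Checking file system on C:
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x6b295a000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x6b2967000 for 0x1000 bytes.
Windows replaced bad clusters in file 1759
of name \WINDOWS\MEMORY.DMP.
Read failure with status 0xc000009c at offset 0x1fe257000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x1fe25c000 for 0x1000 bytes.
Windows replaced bad clusters in file 109416
of name \SHARED~1\ARWork\AR1738\FLATTE~1\db08o.f10.
Adding 2 bad clusters to the Bad Clusters File.
       208 KB in bad sectors.
      4096 bytes in each allocation unit.
"""

CHKDSK_NOV15 = r"""
Checking file system on C:
Cleaning up 16 unused index entries from index $SII of file 0x9.
Usn Journal verification completed.
       208 KB in bad sectors.
      4096 bytes in each allocation unit.
"""

# 0xC000009C is STATUS_DEVICE_DATA_ERROR: the drive itself failed the read.
STATUS_NAMES = {0xC000009C: "STATUS_DEVICE_DATA_ERROR"}

READ_FAIL = re.compile(r"Read failure with status (0x[0-9a-fA-F]+) at offset (0x[0-9a-fA-F]+) for (0x[0-9a-fA-F]+) bytes")
# chkdsk wraps this message over two lines, so the text is flattened first.
REPLACED = re.compile(r"Windows replaced bad clusters in file (\d+) of name (\S+)\.")
ADDED = re.compile(r"Adding (\d+) bad clusters")
BAD_KB = re.compile(r"(\d+) KB in bad sectors")
CLUSTER_BYTES = re.compile(r"(\d+) bytes in each allocation unit")


def parse_chkdsk(text):
    """Extract read failures, remapped files and bad-sector totals from one run."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    bad_kb = int(BAD_KB.search(flat).group(1)) if BAD_KB.search(flat) else 0
    cluster = int(CLUSTER_BYTES.search(flat).group(1)) if CLUSTER_BYTES.search(flat) else 4096
    return {
        "read_failures": [(int(s, 16), int(o, 16), int(n, 16)) for s, o, n in READ_FAIL.findall(flat)],
        "replaced_files": [(int(f), p) for f, p in REPLACED.findall(flat)],
        "clusters_added": sum(int(n) for n in ADDED.findall(flat)),
        "bad_sector_kb": bad_kb,
        # Total clusters currently in the bad-cluster file, derived from KB and cluster size.
        "bad_clusters_total": (bad_kb * 1024) // cluster,
        "status_names": sorted({STATUS_NAMES.get(s, hex(s)) for s, _, _ in READ_FAIL.findall(flat) for s in [int(s, 16)]}),
    }


def compare_runs(earlier, later):
    """Did the bad-sector total grow, and did the later run hit fresh read errors?"""
    a, b = parse_chkdsk(earlier), parse_chkdsk(later)
    return {
        "bad_sector_kb_growth": b["bad_sector_kb"] - a["bad_sector_kb"],
        "new_read_failures": len(b["read_failures"]),
        "newly_remapped_files": [p for _, p in b["replaced_files"]],
        # Stable means no growth and no new device errors between the two runs.
        "stable": b["bad_sector_kb"] == a["bad_sector_kb"] and not b["read_failures"],
    }


if __name__ == "__main__":
    print(parse_chkdsk(CHKDSK_NOV06))
    print(compare_runs(CHKDSK_NOV06, CHKDSK_NOV15))
```

On the two runs above the second pass reports no new read failures and the same 208 KB of bad sectors, so the drive did not get worse between the two checks; a growing total on repeated runs is the signal that the replacement the helper recommends has become urgent.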


#38 Android 8888


Posted 15 November 2017 - 02:07 PM

Hello dburkhead.

 

Yes, I asked you to re-run a Disk Check on your current Hard Disk drive to correct any errors that could remain on it.

 

Now please proceed with the rest of the instructions to re-run System File Checker, upload the log to TinyUpload and post the download link in your reply.

 

Thank you.

 

Android 8888



#39 dburkhead


Posted 17 November 2017 - 10:07 AM

The system continues to fail to find the cbs.log file.  Since you said it was volatile, I thought it might be possible I just wasn't getting to it fast enough.  The scannow takes long enough that I can't sit there waiting for the precise moment it finishes.  So I created a short batch file to run the two lines of code to see if that gets me the sfcdetails.txt file you're asking for.



#40 dburkhead


Posted 17 November 2017 - 10:37 AM

Did not work.  Did not find the CBS.log file.



#41 Android 8888


Posted 17 November 2017 - 11:35 AM

Hello.
 
Okay, please delete the current RGSA.exe file.

 

Now let's remove Secunia PSI by using the Revo Uninstaller Portable version.
 
Please download the free version of Revo Uninstaller Portable from here and save the compressed file to your computer's Desktop.

  • Double-click the compressed file RevoUninstaller_Portable and extract the files within it (a folder with the same name will be created);
  • Within that folder, right-click the file RevoUPort and select Run as administrator to open the tool;
  • Click Yes to accept the UAC security warning that may appear;
  • Click OK to accept the License Agreement and Copyright;
  • Select Secunia PSI and click Uninstall. Follow the instructions to complete the removal process;
  • In 'Search Mode' set it to 'Advanced' and click on the Scan button. The tool will search for leftovers;
  • Click on Select All and then on Delete and then Yes to delete the selected items;
    Note: You may have to repeat this step to delete all the leftovers (Registry items, files and folders);
  • Click the Finish button and restart the computer to complete the removal process.

 

Next, open a command prompt window with Administrator privileges, re-run the command sfc /scannow and let me know what the final message is that appears in the command prompt window after running the scan.
 
The final message can start with one of the following lines:
 
1. "Windows Resource Protection did not find any integrity violations."
2. "Windows Resource Protection found corrupt files but was unable to fix some of them."
3. "Windows Resource Protection found corrupt files and successfully repaired them."

 

Restart the computer.

 

 

At this point please let me know in detail what issues you are still having with the computer.

 

Thank you.

 

Android 8888



#42 dburkhead


Posted 22 November 2017 - 02:44 PM

The Revo Uninstall went fine.

 

When I try to run sfc /scannow I get a popup that says the program is confirming that protected system files are present and unmodified--this requires a WXP install disk in the drive.  Once that finishes I get nothing.  No messages of any kind.  I just get the command prompt back.



#43 dburkhead


Posted 22 November 2017 - 02:46 PM

When we access files remotely, things appear to be fine.  Sometimes there's a bit of lag, but not unacceptably bad.  When working locally via the UI, things can get very, very slow.  Overall, it's an improvement over where we started, but it's still painful to use.



#44 Android 8888


Posted 22 November 2017 - 03:38 PM

Hi dburkhead.

 

Okay, let's try some more tests to try to figure out what may be the cause of that slowness. As I already told you, one of the causes can be the physical errors on the Hard Disk Drive.

 

Please boot into Safe Mode and describe the computer behavior regarding the slowness.
How to start Windows in Safe Mode

Thank you.

 

Android 8888



#45 dburkhead


Posted 28 November 2017 - 04:40 PM

Running in Safe Mode does not have the slowness problem.  Continuing to run in Safe Mode for a while since the problem is one that increases over time.



#46 dburkhead


Posted 29 November 2017 - 01:27 PM

I've left the computer in safe mode for several days now.  Except for things that won't work in safe mode (drivers not installed) the computer has been working fine. 



#47 Android 8888


Posted 03 December 2017 - 05:04 PM

Hello dburkhead.

I'm sorry for the delay.

Since the computer is working well in Safe Mode, please do the following:

Restart the computer in Normal Mode.

Please download Autoruns by Microsoft and move it to your computer Desktop;
Double-click the autoruns.exe executable file to open the tool;
Click the Run button;
Click the Agree button to accept the EULA (End User License Agreement);
When the program is open click on 'File' and select Save...
Give a name to the file and save it to your computer Desktop;
Please upload that file to TinyUpload and copy and paste the download link in your next reply.

Thank you.

Android 8888



#48 dburkhead


Posted 04 December 2017 - 11:16 AM

Autoruns file:

http://s000.tinyuplo...393546862082873



#49 Android 8888


Posted 04 December 2017 - 07:02 PM

Hi dburkhead.

 

Please backup your Windows Registry.

To backup the Registry:
First of all create a new folder on the Desktop and give it a name you will remember such as Registry backup.

  • Click Start
  • Type regedit
  • Press Enter
  • A new Window will open.
    • Click File
    • Click Export

Find the folder you just created and click Save. You just created a backup of your Windows Registry.
You can move the folder to wherever you want to store it.


Next,

  • Re-run the program Autoruns;
  • Make sure the tab 'Everything' is selected;
  • Scroll down and right-click on each yellow line and select Delete to completely remove the orphaned entries;
  • Warning: Right-click and delete ONLY the items marked with the yellow lines!
  • Close Autoruns and restart the computer.

     

Next,

Please download Farbar Service Scanner by Farbar and save it to the computer Desktop.

  • Double-click the file to run it and make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center / Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your next reply for my review.

 

Please post the contents of FSS.txt and let me know in detail how the computer is running at this point.

 

Android 8888

 



#50 dburkhead


Posted 05 December 2017 - 12:49 PM

Just after completing the above the computer does seem to be running faster.  There was some hesitation where, for instance, I'd click on one explorer window to activate it and its window would go active but it took 10-15 seconds before it repainted.  That was very soon after rebooting.  At the moment it seems to be running OK.  I'll want to see if it continues to do so.
 
Farbar Service Scanner Version: 27-01-2016
Ran by User (administrator) on 05-12-2017 at 13:45:50
Running from "C:\Documents and Settings\User\Desktop\Security"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Other Services:
==============
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\afd.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\netbt.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\Drivers\ipsec.sys => File is digitally signed
C:\WINDOWS\system32\dnsrslvr.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\ipnathlp.dll => File is digitally signed
C:\WINDOWS\system32\netman.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\srsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\sr.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\wbem\WMIsvc.dll => File is digitally signed
C:\WINDOWS\system32\wuauserv.dll => File is digitally signed
C:\WINDOWS\system32\qmgr.dll => File is digitally signed
C:\WINDOWS\system32\es.dll => File is digitally signed
C:\WINDOWS\system32\cryptsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
 
Extra List:
=======
Gpc(3) IPSec(5) NetBT(5) PSched(7) SYMTDI(9) Tcpip(4) 
0x09000000050000000100000002000000030000000400000009000000080000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****
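The FSS.txt posted above has two parts a reviewer reads: the policy sections, where a registry key only appears when FSS found a policy value set (here "EnableFirewall"=DWORD:0 under the StandardProfile key, meaning the Windows Firewall is turned off by policy rather than by the user), and the File Check list, where every core networking and service binary should read "File is digitally signed". The script below is an added example, not code from the thread or from Farbar, that parses that layout and turns it into findings. The log string is a trimmed copy of the FSS output posted above; the section detection (a title line followed by a row of "=" characters) follows the layout visible in that log.

```python
"""Turn a Farbar Service Scanner (FSS.txt) log into review findings.

Added example, not code from the thread or from Farbar.  FSS_LOG is a trimmed
copy of the FSS.txt posted in this thread.
"""
import re

FSS_LOG = r"""
Farbar Service Scanner Version: 27-01-2016
Ran by User (administrator) on 05-12-2017 at 13:45:50
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Policy:
========================

Windows Autoupdate Disabled Policy:
============================

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\tcpip.sys => File is digitally signed
C:\WINDOWS\system32\wscsvc.dll => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed

**** End of log ****
"""

REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
FILE_CHECK = re.compile(r"^(\S.*?) => (.*)$")


def parse_fss(text):
    """Collect (section, key, name, value) policy entries and File Check results."""
    lines = [line.rstrip() for line in text.splitlines()]
    section, key = None, None
    policies, files = [], []
    for i, line in enumerate(lines):
        # A section title is a line whose successor is a row of '=' characters.
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"="}:
            section = line.strip().rstrip(":")
            key = None
            continue
        m = REG_KEY.match(line)
        if m:
            key = m.group(1)            # value lines that follow belong to this key
            continue
        m = REG_VALUE.match(line)
        if m and key:
            policies.append({"section": section, "key": key,
                             "name": m.group(1), "value": int(m.group(2))})
            continue
        m = FILE_CHECK.match(line)
        if m and section == "File Check":
            files.append((m.group(1), m.group(2)))
    return {"policies": policies, "files": files}


def unsigned_files(parsed):
    """Binaries whose File Check status is anything other than digitally signed."""
    return [path for path, status in parsed["files"] if "digitally signed" not in status]


def findings(parsed):
    """Human-readable findings: firewall-off policies, other set policies, unsigned files."""
    out = []
    for p in parsed["policies"]:
        if p["name"] == "EnableFirewall" and p["value"] == 0:
            profile = p["key"].rsplit("\\", 1)[-1]      # e.g. StandardProfile
            out.append(f"Windows Firewall disabled by policy ({profile}): {p['key']}")
        elif "Disabled Policy" in (p["section"] or ""):
            out.append(f"{p['section']}: {p['name']}={p['value']} under {p['key']}")
    for path in unsigned_files(parsed):
        out.append(f"Unsigned or altered service binary: {path}")
    return out


if __name__ == "__main__":
    for line in findings(parse_fss(FSS_LOG)):
        print(line)
```

On the posted log the only finding is the firewall policy: every checked binary is signed, so the service files themselves look intact, but a policy value that switches the firewall off is worth confirming was set deliberately before this machine keeps serving files on the LAN.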