Malware type unknown from downloaded email and internet browsing



#1
jdnz
Cheers,

Malware on a friend's Windows XP SP3 computer. They opened/downloaded/unzipped an email with a zip attachment as .exe. They did not run the .exe, but I do not know what .exe type it was because they used Revo to uninstall. The Windows XP computer does not look to have any running anti-virus program. The software looks to be out of date, combined with a malware infection. They say they have used Malwarebytes, but the program did not find anything. IE is the way they generally connect, but it is not working well. We are trying to use Firefox for diagnosis. The OTL log is pasted below.

Thank you all.


OTL logfile created on: 12/28/2013 7:50:18 PM
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Admin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

127.07 Mb Total Physical Memory | 4.94 Mb Available Physical Memory | 3.89% Memory free
385.81 Mb Paging File | 87.89 Mb Available in Paging File | 22.78% Paging File free
Paging file location(s): C:\pagefile.sys 192 384 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 3.38 Gb Free Space | 9.08% Space Free | Partition Type: NTFS

Computer Name: R1 | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Admin\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\AOL\acs\AOLDial.exe (America Online)
PRC - C:\Program Files\Common Files\AOL\1364077436\ee\aolsoftware.exe (AOL Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\AOL\acs\AOLacsd.exe (AOL LLC)
PRC - C:\WINDOWS\system32\pctspk.exe (PCtel, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\WINDOWS\system32\cpwmon2k.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\NavLogon.dll ()


========== Services (SafeList) ==========

SRV - (AOL ACS) -- C:\Program Files\Common Files\AOL\acs\AOLacsd.exe (AOL LLC)
SRV - (Pctspk) -- C:\WINDOWS\system32\pctspk.exe (PCtel, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (NVXBAR) -- system32\DRIVERS\NVxbar.sys File not found
DRV - (nvTUNEP) -- system32\DRIVERS\nvtunep.sys File not found
DRV - (nvcap) -- system32\DRIVERS\nvcap.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys File not found
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (BANTExt) -- C:\WINDOWS\system32\drivers\BANTExt.sys ()
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (NUVision) -- C:\WINDOWS\system32\drivers\NUVision.sys (Nogatech Ltd.)
DRV - (tbcwdm) -- C:\WINDOWS\system32\drivers\tbcwdm.sys (Voyetra Turtle Beach)
DRV - (tbcspud) -- C:\WINDOWS\system32\drivers\tbcspud.sys (Voyetra Turtle Beach)
DRV - (wanatw) -- C:\WINDOWS\system32\drivers\wanatw4.sys (America Online, Inc.)
DRV - (Vpctcom) -- C:\WINDOWS\system32\drivers\vpctcom.sys (PCtel, Inc.)
DRV - (Vvoice) -- C:\WINDOWS\system32\drivers\vvoice.sys (PCtel, Inc.)
DRV - (Vmodem) -- C:\WINDOWS\system32\drivers\vmodem.sys (PCTEL, INC.)
DRV - (Ptserlp) -- C:\WINDOWS\system32\drivers\ptserlp.sys (PCTEL, INC.)
DRV - (EL90XBC) -- C:\WINDOWS\system32\drivers\el90xbc5.sys (3Com Corporation)
DRV - (Aspi32) -- C:\WINDOWS\System32\drivers\aspi32.sys (Adaptec)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 70 B5 F9 C8 9A FE CE 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:19.0.2
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/11/13 15:20:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 19.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/11/13 15:20:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}: C:\Program Files\DAP\DAPFireFox

[2012/04/21 14:18:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions
[2013/04/22 17:05:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/03/07 09:31:00 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2013/03/07 09:30:20 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013/03/07 09:30:20 | 000,002,086 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2013/04/14 15:12:59 | 000,000,019 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm File not found
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm File not found
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm File not found
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5A5C8D1A-CB5B-4532-97F0-35F0BDA3C853}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{C1DB031C-DEF5-4D78-959D-B6343A61388E}: NameServer = 205.188.146.145
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/23 17:13:15 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/12/28 19:43:32 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe

========== Files - Modified Within 30 Days ==========

[2013/12/28 19:45:15 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2013/12/28 17:58:21 | 005,158,590 | ---- | M] (Swearware) -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
[2013/12/28 16:34:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/12/28 16:30:11 | 000,018,059 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2013/12/28 16:29:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/12/28 16:29:33 | 133,316,608 | -HS- | M] () -- C:\hiberfil.sys
[2013/12/28 16:18:45 | 001,233,962 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Adw.exe
[2013/12/28 15:52:09 | 004,121,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Admin\Desktop
[2013/12/27 18:20:42 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2013/12/27 14:53:39 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/12/27 14:12:24 | 000,080,456 | ---- | M] (Malwarebytes Corporation) -- C:\Documents and Settings\Admin\Desktop\mbam-clean-1.60.2.0003.exe

========== Files Created - No Company Name ==========

[2013/12/28 16:11:22 | 001,233,962 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Adw.exe
[2013/12/27 18:20:42 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2013/12/27 14:53:39 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk


========== ZeroAccess Check ==========

[2006/10/27 17:40:58 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 19:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 19:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/01/09 15:37:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\EQATEC Analytics
[2012/04/25 16:58:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\OpenOffice.org
[2013/02/11 19:33:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Opera
[2012/08/04 14:50:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Oracle
[2012/04/22 15:41:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\ProgSense
[2012/09/05 10:16:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\SumatraPDF
[2013/03/27 09:41:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\VSRevoGroup

========== Purity Check ==========



< End of report >


#2
RKinner
Malware Expert
Don't see much.


Download ADWCleaner to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button, which should say: Download Now @BleepingComputer

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).


Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder.



Junkware-Removal-Tool

Please download Junkware Removal Tool to your desktop. Make sure you get the correct Download button. Sometimes the ads on BleepingComputer will mimic the real Download button, which should say: Download Now @Author's site
  • Pause your anti-virus. Close all browsers.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.



Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


#3
jdnz
Hello RKinner,

We thank you for responding to our posting. The logs are pasted below. After FRST ran, we did not know what to do after it created the 2 logs, so we closed the program AND did not click the FIX button. If we should click Fix, let us know.

# AdwCleaner v3.016 - Report created 29/12/2013 at 18:05:17
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Admin
# Running from : C:\Documents and Settings\Admin\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{000123B4-9B42-4900-B3F7-F4B073EFC214}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4250488A-CB24-0893-C066-B1AEA57BCFF2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Orbit_is1


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v19.0.2 (en-US)

[ File : C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\xzk36lty.default-1362958483423\prefs.js ]


*************************

AdwCleaner[S1].txt - [1673 octets] - [28/12/2013 16:27:15]
AdwCleaner[S2].txt - [1216 octets] - [29/12/2013 18:05:17]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1276 octets] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Admin on Sun 12/29/2013 at 18:23:32.68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Documents and Settings\Admin\Application Data\mozilla\firefox\profiles\xzk36lty.default-1362958483423\minidumps [4 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/29/2013 at 18:32:05.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 29-12-2013 01
Ran by Admin (administrator) on R on 29-12-2013 18:34:06
Running from C:\Documents and Settings\Admin\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(PCtel, Inc.) C:\WINDOWS\system32\pctspk.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [KernelFaultCheck] - %systemroot%\system32\dumprep 0 -k
Winlogon\Notify\NavLogon: C:\WINDOWS\system32\NavLogon.dll ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x70B5F9C89AFECE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM - DefaultScope value is missing.
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Hosts: 127.0.0.1 localhost
Tcpip\..\Interfaces\{5A5C8D1A-CB5B-4532-97F0-35F0BDA3C853}: [NameServer]192.168.0.1

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\xzk36lty.default-1362958483423
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_7_700_224.dll ()
FF Plugin: @java.com/DTPlugin,version=10.9.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll No File
FF HKCU\...\Firefox\Extensions: [{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}] - C:\Program Files\DAP\DAPFireFox

========================== Services (Whitelisted) =================

S3 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46640 2006-10-23] (AOL LLC)
R2 Pctspk; C:\Windows\system32\pctspk.exe [86016 2001-08-17] (PCtel, Inc.)

==================== Drivers (Whitelisted) ====================

R2 Aspi32; C:\Windows\System32\Drivers\Aspi32.sys [23936 1997-12-22] (Adaptec)
R1 BANTExt; C:\Windows\System32\Drivers\BANTExt.sys [3840 2011-08-09] ()
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 EL90XBC; C:\Windows\System32\DRIVERS\el90xbc5.sys [66591 2001-08-17] (3Com Corporation)
R3 gameenum; C:\Windows\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\mbamswissarmy.sys [40776 2013-12-28] (Malwarebytes Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 NUVision; C:\Windows\System32\DRIVERS\NUVision.sys [151104 2006-10-31] (Nogatech Ltd.)
S3 Ptserlp; C:\Windows\System32\DRIVERS\ptserlp.sys [112574 2001-08-17] (PCTEL, INC.)
S3 SONYPVU1; C:\Windows\System32\DRIVERS\SONYPVU1.SYS [7552 2001-08-17] (Sony Corporation)
R3 tbcspud; C:\Windows\System32\drivers\tbcspud.sys [149632 2003-06-23] (Voyetra Turtle Beach)
R3 tbcwdm; C:\Windows\System32\drivers\tbcwdm.sys [554304 2003-06-23] (Voyetra Turtle Beach)
R0 Vmodem; C:\Windows\System32\DRIVERS\vmodem.sys [604253 2001-08-17] (PCTEL, INC.)
R0 Vpctcom; C:\Windows\System32\DRIVERS\vpctcom.sys [397502 2001-08-17] (PCtel, Inc.)
R0 Vvoice; C:\Windows\System32\DRIVERS\vvoice.sys [64605 2001-08-17] (PCtel, Inc.)
R3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
S3 catchme; \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys [x]
S2 nvcap; system32\DRIVERS\nvcap.sys [x]
S2 nvTUNEP; system32\DRIVERS\nvtunep.sys [x]
S2 NVXBAR; system32\DRIVERS\NVxbar.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-12-29 18:32 - 2013-12-29 18:33 - 00000752 _____ C:\Documents and Settings\Admin\Desktop\JRT.txt
2013-12-29 18:11 - 2013-12-29 18:11 - 00000000 ____D C:\WINDOWS\ERUNT
2013-12-29 18:10 - 2013-12-29 18:10 - 00001322 _____ C:\Documents and Settings\Admin\Desktop\AdwCleaner - 12-29-2013 report.txt
2013-12-29 18:09 - 2013-12-29 18:09 - 00000876 _____ C:\Documents and Settings\Admin\Desktop\AdwCleaner[S2].txt
2013-12-29 17:25 - 2013-12-29 17:31 - 01034531 _____ (Thisisu) C:\Documents and Settings\Admin\Desktop\JRT.exe
2013-12-29 14:07 - 2013-12-29 14:07 - 00026884 _____ C:\Documents and Settings\Admin\Desktop\OTL12-28-2013.Txt
2013-12-28 20:15 - 2013-12-28 20:21 - 00071010 _____ C:\Documents and Settings\Admin\Desktop\OTL.Txt
2013-12-28 19:43 - 2013-12-28 19:45 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Admin\Desktop\OTL.exe
2013-12-28 17:23 - 2013-12-28 17:58 - 05158590 _____ (Swearware) C:\Documents and Settings\Admin\Desktop\ComboFix.exe
2013-12-28 16:30 - 2013-12-28 16:30 - 00001673 _____ C:\Documents and Settings\Admin\Desktop\AdwCleaner[S1].txt
2013-12-27 19:00 - 2013-12-27 19:00 - 00001892 _____ C:\Documents and Settings\Admin\Desktop\RKreport[7]_S_12272013_02d1900.txt
2013-12-27 18:20 - 2013-12-27 18:20 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2013-12-27 17:56 - 2013-12-27 17:56 - 00000230 _____ C:\Documents and Settings\Admin\My Documents\not working file - 2013.txt
2013-12-27 14:54 - 2013-12-28 16:34 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-12-27 14:54 - 2013-12-27 14:54 - 00000000 ____D C:\Documents and Settings\Admin\Application Data\Malwarebytes
2013-12-27 14:53 - 2013-12-27 14:53 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-27 14:53 - 2013-12-27 14:53 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-27 14:53 - 2013-12-27 14:53 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-12-27 14:53 - 2013-12-27 14:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2013-12-27 14:53 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2013-12-27 14:48 - 2013-12-27 14:48 - 00000216 _____ C:\Documents and Settings\Admin\My Documents\m-bytes info 2013.txt
2013-12-27 14:12 - 2013-12-27 14:12 - 00080456 _____ (Malwarebytes Corporation) C:\Documents and Settings\Admin\Desktop\mbam-clean-1.60.2.0003.exe
2013-12-26 12:25 - 2013-12-26 12:25 - 00002560 _____ C:\Documents and Settings\Admin\My Documents\startup.txt
2013-12-25 15:31 - 2013-12-25 15:32 - 00033936 _____ C:\Documents and Settings\Admin\My Documents\OTL Report 12-25-2013.txt
2013-12-25 14:23 - 2013-01-18 14:13 - 10156344 _____ (Malwarebytes Corporation) C:\Documents and Settings\Admin\Desktop\mbam-setup.exe
2013-12-24 21:04 - 2013-12-24 21:04 - 00001479 _____ C:\Documents and Settings\Admin\Desktop\RKreport[6]_S_12242013_02d2104.txt
2013-12-24 20:07 - 2013-12-24 20:07 - 00000091 _____ C:\Documents and Settings\Admin\Application Data\mbam.context.scan
2013-12-21 08:45 - 2003-01-10 16:13 - 00033588 ____R (America Online, Inc.)
2013-12-12 15:07 - 2013-12-12 15:07 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\New Folder
2013-12-11 12:47 - 2013-12-11 19:25 - 00001098 _____ C:\Documents and Settings\Admin\My Documents\CRI.txt
2013-12-11 10:28 - 2013-12-11 12:19 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\CRI_II.txt
2013-12-09 17:43 - 2013-12-09 20:30 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\WDJN.txt
2013-12-09 11:46 - 2013-12-09 20:34 - 00001886 _____ C:\Documents and Settings\Admin\My Documents\consu.txt
2013-12-02 18:10 - 2013-12-02 18:10 - 00000361 _____ C:\Documents and Settings\Admin\My Documents\bdf.txt
2013-12-02 14:05 - 2013-12-02 14:16 - 02746135 _____ C:\Documents and Settings\Admin\My Documents\tr.txt
2013-11-30 19:43 - 2013-11-30 20:15 - 00000213 _____ C:\Documents and Settings\Admin\My Documents\coup.txt
2013-11-29 15:54 - 2013-11-29 15:54 - 00000110 ____H C:\Documents and Settings\Admin\My Documents\.~lock.TDC.docx#
2013-11-29 14:50 - 2013-11-29 14:50 - 00000110 ____H C:\Documents and Settings\Admin\My Documents\.~lock.comp.docx#

==================== One Month Modified Files and Folders =======

2013-12-29 18:34 - 2013-10-10 09:45 - 00004816 _____ C:\Documents and Settings\Admin\Desktop\FRST.txt
2013-12-29 18:33 - 2013-12-29 18:32 - 00000752 _____ C:\Documents and Settings\Admin\Desktop\JRT.txt
2013-12-29 18:11 - 2013-12-29 18:11 - 00000000 ____D C:\WINDOWS\ERUNT
2013-12-29 18:10 - 2013-12-29 18:10 - 00001322 _____ C:\Documents and Settings\Admin\Desktop\AdwCleaner - 12-29-2013 report.txt
2013-12-29 18:09 - 2013-12-29 18:09 - 00000876 _____ C:\Documents and Settings\Admin\Desktop\AdwCleaner[S2].txt
2013-12-29 18:08 - 2013-10-05 16:16 - 00000000 ____D C:\AdwCleaner
2013-12-29 18:07 - 2006-10-23 17:19 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2013-12-29 18:07 - 2005-02-24 06:32 - 00018059 _____ C:\WINDOWS\system32\nvapps.xml
2013-12-29 18:06 - 2006-10-23 17:19 - 00032642 _____ C:\WINDOWS\SchedLgU.Txt
2013-12-29 18:06 - 2006-10-23 17:10 - 02006230 _____ C:\WINDOWS\WindowsUpdate.log
2013-12-29 18:05 - 2006-10-23 18:51 - 00000178 ___SH C:\Documents and Settings\Admin\ntuser.ini
2013-12-29 17:48 - 2013-10-10 09:40 - 01064199 _____ (Farbar) C:\Documents and Settings\Admin\Desktop\FRST.exe
2013-12-29 17:39 - 2013-10-20 17:22 - 01233962 _____ C:\Documents and Settings\Admin\Desktop\AdwCleaner.exe
2013-12-29 17:31 - 2013-12-29 17:25 - 01034531 _____ (Thisisu) C:\Documents and Settings\Admin\Desktop\JRT.exe
2013-12-28 20:21 - 2013-12-28 20:15 - 00071010 _____ C:\Documents and Settings\Admin\Desktop\OTL.Txt
2013-12-28 19:45 - 2013-12-28 19:43 - 00602112 _____ (OldTimer Tools) C:\Documents and Settings\Admin\Desktop\OTL.exe
2013-12-28 16:34 - 2013-12-27 14:54 - 00040776 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2013-12-28 16:30 - 2013-12-28 16:30 - 00001673 _____ C:\Documents and Settings\Admin\Desktop\AdwCleaner.txt
2013-12-27 18:54 - 2006-10-23 17:07 - 00000000 ____D C:\WINDOWS\Registration
2013-12-27 18:20 - 2013-12-27 18:20 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2013-12-27 18:20 - 2012-04-21 08:13 - 00000000 ____D C:\Program Files\CCleaner
2013-12-27 17:56 - 2013-12-27 17:56 - 00000230 _____ C:\Documents and Settings\Admin\My Documents\not working file - 2013.txt
2013-12-27 17:33 - 2006-10-23 17:09 - 00000000 ____D C:\WINDOWS\system32\Restore
2013-12-27 17:23 - 2013-01-19 15:31 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB2598479$
2013-12-27 14:54 - 2013-12-27 14:54 - 00000000 ____D C:\Documents and Settings\Admin\Application Data\Malwarebytes
2013-12-27 14:53 - 2013-12-27 14:53 - 00000784 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-27 14:53 - 2013-12-27 14:53 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-27 14:53 - 2013-12-27 14:53 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
2013-12-27 14:53 - 2013-12-27 14:53 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebyte
2013-12-26 12:25 - 2013-12-26 12:25 - 00002560 _____ C:\Documents and Settings\Admin\My Documents\startup.txt
2013-12-25 14:36 - 2013-02-20 18:54 - 00000000 ____D C:\Program Files\stinger
2013-12-25 14:22 - 2013-02-20 18:59 - 00014664 _____ (McAfee, Inc.) C:\WINDOWS\stinger.sys
2013-12-24 21:04 - 2013-12-24 21:04 - 00001479 _____ C:\Documents and Settings\Admin\Desktop\RKreport[6]_S_12242013_02d2104.txt
2013-12-21 22:35 - 2012-08-18 15:29 - 00000409 _____ C:\WINDOWS\wiadebug.log
2013-12-21 22:35 - 2012-08-18 15:29 - 00000050 _____ C:\WINDOWS\wiaservc.log
2013-12-21 12:27 - 2013-12-21 12:27 - 00000302 _____ C:\Documents and Settings\Admin\My Documents\can9to201.txt
2013-12-21 08:45 - 2012-08-19 16:59 - 00503611 _____ C:\WINDOWS\setupapi.log
2013-12-19 21:05 - 2013-12-19 21:05 - 00000020 _____ C:\Documents and Settings\Admin\My Documents\PBor.txt
2013-12-12 17:14 - 2013-12-12 14:04 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\WO
2013-12-12 16:21 - 2013-12-12 16:18 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\WO_II
2013-12-12 15:07 - 2013-12-12 15:07 - 00000000 ____D C:\Documents and Settings\Admin\My Documents\New Folder
2013-12-12 13:57 - 2013-12-12 11:10 - 00000000 ____D C:\Documents and Settings\Admin\My
2013-12-06 23:00 - 2013-11-29 17:30 - 00003094 _____ C:\Documents and Settings\Admin\My Documents\12-06-2013.txt
2013-12-04 16:28 - 2013-12-04 16:28 - 00000219 _____ C:\Documents and Settings\Admin\My Documents\zee.txt
2013-12-03 19:15 - 2013-12-03 19:15 - 00000097 _____ C:\Documents and Settings\Admin\My Documents\1-un.txt
2013-11-29 15:54 - 2013-11-29 15:54 - 00000110 ____H C:\Documents and Settings\Admin\My Documents\.~lock.TDC.docx#

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 29-12-2013 01
Ran by Admin at 2013-12-29 18:35:50
Running from C:\Documents and Settings\Admin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================


==================== Installed Programs ======================

abrMate version 1.1 (Version: 1.1 - )
Adobe Flash Player 11 ActiveX (Version: 11.3.300.268 - Adobe Systems Incorporated)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224 - Adobe Systems Incorporated)
Adobe Help Center 1.0 (Version: 001.000.000 - Adobe Systems)
AOL Uninstaller (Choose which Products to Remove) (Version: - AOL Inc.)
Belarc Advisor 8.2 (Version: 8.2.7.7 - Belarc Inc.)
CCleaner (Version: 4.09 - Piriform)
CutePDF Writer 3.0 (Version: 3.0 - CutePDF.com)
ERUNT 1.1j (Version: - Lars Hederer)
ESET Online Scanner v3 (Version: - )
Google Update Helper (Version: - )
GPL Ghostscript (Version: 9.07 - Artifex Software Inc.)
InterVideo WinDVD (Version: - )
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 2.0 (Version: - Microsoft Corporation)
Microsoft .NET Framework 2.0 (Version: 2.0.50727 - Microsoft Corporation)
Microsoft VC9 runtime libraries (Version: 1.0.0 - AOL Inc.)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 19.0.2 (x86 en-US) (Version: 19.0.2 - Mozilla)
NVIDIA Drivers (Version: - )
OpenOffice.org 3.3 (Version: 3.3.9567 - OpenOffice.org)
RealPlayer G2 (Version: - )
Retouch Pilot Free 3.5.3 (Version: 3.5.3 - Two Pilots)
Revo Uninstaller 1.94 (Version: 1.94 - VS Revo Group)
Studio PCTV USB (Version: - )
SumatraPDF 2.2.1 (Version: 2.2.1 - Krzysztof Kowalczyk)
Turtle Beach Santa Cruz (Version: 5.12.1.4193 - Turtle Beach)
Update for Windows Internet Explorer 8 (KB2598845) (Version: 1 - Microsoft Corporation)
Update for Windows Internet Explorer 8 (KB2632503) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2345886) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2492386) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2661254-v2) (Version: 2 - Microsoft Corporation)
Update for Windows XP (KB2736233) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB2749655) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB951978) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB968389) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB971029) (Version: 1 - Microsoft Corporation)
Update for Windows XP (KB973815) (Version: 1 - Microsoft Corporation)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (Version: - Microsoft Corporation)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2 - Microsoft Corporation)
Windows Internet Explorer 8 (Version: 20090308.140743 - Microsoft Corporation)
Windows XP Service Pack 3 (Version: 20080414.031525 - Microsoft Corporation)
WinRAR archiver (Version: - )

==================== Restore Points =========================

27-12-2013 22:34:13 System Checkpoint
29-12-2013 00:16:40 System Checkpoint

==================== Hosts content: ==========================

2013-03-05 12:41 - 2013-04-14 15:12 - 00000019 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============


==================== Loaded Modules (whitelisted) =============

2000-12-22 06:51 - 2000-12-22 06:51 - 00028672 _____ () C:\WINDOWS\system32\NavLogon.dll
2013-04-28 18:36 - 2012-10-04 18:50 - 00088688 _____ () C:\WINDOWS\system32\cpwmon2k.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============

Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
Manufacturer: 3Com
Service: EL90XBC
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt) (User: )
Description: Event filter with query "select * from __ClassOperationEvent where TargetClass isa "MSNdis_NotifyAdapterRemoval"" could not be (re)activated in namespace "//./ROOT/WMI"
because of error 0x80041012. Events may not be delivered through this filter until the
problem is corrected.

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt) (User: )
Description: Event filter with query "SELECT * FROM MSNdis_NotifyAdapterRemoval" could not be (re)activated in namespace "//./ROOT/WMI"
because of error 0x80041012. Events may not be delivered through this filter until the
problem is corrected.

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt) (User: )
Description: Event filter with query "SELECT * FROM MSNdis_NotifyAdapterArrival" could not be (re)activated in namespace "//./ROOT/WMI"
because of error 0x80041012. Events may not be delivered through this filter until the
problem is corrected.

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt) (User: )
Description: Event filter with query "SELECT * FROM MSNdis_StatusMediaDisconnect" could not be (re)activated in namespace "//./ROOT/WMI"
because of error 0x80041012. Events may not be delivered through this filter until the
problem is corrected.

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt) (User: )
Description: Event filter with query "select * from __ClassOperationEvent where TargetClass isa "MSNdis_StatusMediaConnect"" could not be (re)activated in namespace "//./ROOT/WMI"
because of error 0x80041012. Events may not be delivered through this filter until the
problem is corrected.

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt) (User: )
Description: Event filter with query "SELECT * FROM MSNdis_StatusMediaConnect" could not be (re)activated in namespace "//./ROOT/WMI"
because of error 0x80041012. Events may not be delivered through this filter until the
problem is corrected.

Error: (12/26/2013 01:06:52 PM) (Source: WinMgmt) (User: )
Description: Event filter with query "select * from __ClassOperationEvent where TargetClass isa "MSNdis_StatusMediaDisconnect"" could not be (re)activated in namespace "//./ROOT/WMI"
because of error 0x80041012. Events may not be delivered through this filter until the
problem is corrected.

Error: (12/19/2013 07:33:31 PM) (Source: Application Error) (User: )
Description: Faulting application soffice.bin, version 3.3.9556.500, faulting module , version 9.0.30729.4148, fault address 0x0005bea4.
Processing media-specific event for [soffice.bin!ws!]

Error: (12/19/2013 07:33:22 PM) (Source: Application Error) (User: )
Description: Faulting application soffice.bin, version 3.3.9556.500, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [soffice.bin!ws!]

Error: (08/27/2013 03:56:57 PM) (Source: Application Error) (User: )
Description: Faulting application sinf.exe, version 2.6.4.1, faulting module sysinfo.dll, version 2.6.4.1, fault address 0x000423dd.
Processing media-specific event for [sinf.exe!ws!]


System errors:
=============
Error: (12/29/2013 06:07:22 PM) (Source: Service Control Manager) (User: )
Description: The nVidia WDM A/V Crossbar service failed to start due to the following error:
%%2

Error: (12/29/2013 06:07:22 PM) (Source: Service Control Manager) (User: )
Description: The nVidia WDM TVTuner service failed to start due to the following error:
%%2

Error: (12/29/2013 06:07:22 PM) (Source: Service Control Manager) (User: )
Description: The nVidia WDM Video Capture (universal) service failed to start due to the following error:
%%2

Error: (12/28/2013 08:14:34 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.

Error: (12/28/2013 08:14:34 PM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (12/28/2013 08:14:34 PM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (12/28/2013 08:14:34 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.

Error: (12/28/2013 08:14:34 PM) (Source: SideBySide) (User: )
Description: Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Error: (12/28/2013 08:14:34 PM) (Source: SideBySide) (User: )
Description: Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Error: (12/28/2013 08:14:34 PM) (Source: SideBySide) (User: )
Description: Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.


Microsoft Office Sessions:
=========================
Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt)(User: )
Description: //./ROOT/WMIselect * from __ClassOperationEvent where TargetClass isa "MSNdis_NotifyAdapterRemoval"0x80041012

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt)(User: )
Description: //./ROOT/WMISELECT * FROM MSNdis_NotifyAdapterRemoval0x80041012

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt)(User: )
Description: //./ROOT/WMISELECT * FROM MSNdis_NotifyAdapterArrival0x80041012

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt)(User: )
Description: //./ROOT/WMISELECT * FROM MSNdis_StatusMediaDisconnect0x80041012

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt)(User: )
Description: //./ROOT/WMIselect * from __ClassOperationEvent where TargetClass isa "MSNdis_StatusMediaConnect"0x80041012

Error: (12/26/2013 01:06:53 PM) (Source: WinMgmt)(User: )
Description: //./ROOT/WMISELECT * FROM MSNdis_StatusMediaConnect0x80041012

Error: (12/26/2013 01:06:52 PM) (Source: WinMgmt)(User: )
Description: //./ROOT/WMIselect * from __ClassOperationEvent where TargetClass isa "MSNdis_StatusMediaDisconnect"0x80041012

Error: (12/19/2013 07:33:31 PM) (Source: Application Error)(User: )
Description: soffice.bin3.3.9556.5009.0.30729.41480005bea4

Error: (12/19/2013 07:33:22 PM) (Source: Application Error)(User: )
Description: soffice.bin3.3.9556.5000.0.0.000000000

Error: (08/27/2013 03:56:57 PM) (Source: Application Error)(User: )
Description: sinf.exe2.6.4.1sysinfo.dll2.6.4.1000423dd


==================== Memory info ===========================

Percentage of memory in use: 84%
Total physical RAM: 127.07 MB
Available physical RAM: 20.29 MB
Total Pagefile: 305.81 MB
Available Pagefile: 184.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.25 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:37.25 GB) (Free:3.42 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37 GB) (Disk ID: 1D8D1D8C)
Partition 1: (Active) - (Size=37 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Edited by jdnz, 29 December 2013 - 06:38 PM.

  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Download and save the Norton Removal Tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

Run the Norton Removal tool.

Reboot.

You do not have an anti-virus so download the free Avast:

http://files.avast.c...virus_setup.exe

and install it. Once it updates, let it run a boot-time scan as follows:


Click on the Orange ball. Click on Scans. Change Quickscan to Boot-time Scan. Click on Settings. Where it says Heuristic Sensitivity click on the last rectangle so that all of them are orange and it says High. Check both boxes. Then change When a threat is found ... to: Move to Chest. OK. Now click on Start. Close the Avast window and then reboot. The scan will start. It will tell you where it will save the report. Usually it's
C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location. When Windows loads click on the Orange Ball, then Scan, then Scan History (at the bottom of the page). Click on the last scan and then Detailed Report. If it found anything then open the aswBoot.txt file and copy and paste it. If you can't find it then take a screen shot of the Detailed Report:


Press the Alt + the Print Screen key on your keyboard. It may be labeled [PrtScn].

Open Microsoft Paint (All Programs, Accessories, Paint).

Go to the Edit menu and choose Paste (or just do Ctrl + v) and the image should appear.


Go to the File Menu and choose Save As.

Navigate to the folder where you want to save the image. (Desktop)

Type a file name for the image: Avast

Select a file type: jpeg

Click the Save button.

Attach Avast.jpg to your Reply.

(Start a Reply. Click on the Browse button, point it at your desktop and click on Avast.jpg then Open. Now click on Attach this File)

FRST doesn't show anything other than the remnants of Norton which the tool should remove. Let's check for errors:

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

Reboot.


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.



Get the free version of Speccy:

http://www.filehippo...download_speccy (Look in the upper right for the Download Latest Version button - Do NOT press the large Start Download button on the upper left!) Download, Save and Install it. Run Speccy. When it finishes (the little icon in the bottom left will stop moving), File, Save as Text File, (to your desktop) note the name it gives. OK. Open the file in notepad and delete the line that gives the serial number of your Operating System. (It will be near the top about 10 lines down.) Attach the file to your next post.


Have you run defrag recently?
  • 1
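To read the aswBoot.txt report this post asks for, here is an added Python parser that is not part of this thread or of Avast's tooling: it separates real detections from the "archive is corrupted" scan errors, records whether each detection was moved to the chest, and cross-checks the report's own infected-files counter. The sample report, its paths and the signature names are constructed to match the line shapes such a report uses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of an avast! boot-time report (aswBoot.txt).
# Paths and names are invented for this example; only the line shapes mirror
# the real report (blank lines between entries omitted; the parser skips them).
SAMPLE_REPORT = r"""
01/04/2014 11:02
Scan of all local drives
File C:\Documents and Settings\User\Favorites\Example Site.url is infected by INI:Shortcut-inf [Trj], Moved to chest
File C:\Documents and Settings\User\My Documents\fonts\sample_font.zip|>sample font.ttf Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\User\Desktop\setup.com|>{commonappdata}\Example\rules.ref Error 42145 {Installer archive is corrupted.}
Number of searched folders: 9425
Number of tested files: 373132
Number of infected files: 1
"""

# "File <path> is infected by <signature> [<class>], <action taken>"
DETECTION_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<sig>\S+(?: \[[^\]]+\])?), (?P<action>.+)$")
# "File <path> Error <code> {<message>}" is a scan error, not a detection
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
COUNT_RE = re.compile(
    r"^Number of (?P<what>searched folders|tested files|infected files): (?P<n>\d+)$")


@dataclass
class Detection:
    path: str                  # file (or archive member) the signature fired on
    container: Optional[str]   # enclosing archive when the path was "outer|>inner"
    signature: str
    action: str


@dataclass
class ScanError:
    path: str
    code: int
    message: str


@dataclass
class ScanSummary:
    detections: List[Detection] = field(default_factory=list)
    errors: List[ScanError] = field(default_factory=list)
    counts: Dict[str, int] = field(default_factory=dict)
    unparsed: List[str] = field(default_factory=list)  # "File" lines of unknown shape


def split_container(path: str):
    """avast! writes archive members as 'outer|>inner'; return (outer, inner)."""
    if "|>" in path:
        outer, inner = path.split("|>", 1)
        return outer, inner
    return None, path


def parse_aswboot(text: str) -> ScanSummary:
    summary = ScanSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECTION_RE.match(line)
        if m:
            outer, inner = split_container(m.group("path"))
            summary.detections.append(Detection(inner, outer, m.group("sig"), m.group("action")))
            continue
        m = ERROR_RE.match(line)
        if m:
            summary.errors.append(ScanError(m.group("path"), int(m.group("code")), m.group("msg")))
            continue
        m = COUNT_RE.match(line)
        if m:
            summary.counts[m.group("what")] = int(m.group("n"))
            continue
        if line.startswith("File "):
            summary.unparsed.append(line)  # unknown wording: surface it, never drop it
    return summary


def not_quarantined(summary: ScanSummary) -> List[Detection]:
    """Detections whose recorded action did not move the file to the chest."""
    return [d for d in summary.detections if "chest" not in d.action.lower()]


def count_mismatch(summary: ScanSummary) -> bool:
    """True when the report's own 'infected files' counter disagrees with the
    detection lines parsed, a hint that a line shape was missed (see unparsed)."""
    declared = summary.counts.get("infected files")
    return declared is not None and declared != len(summary.detections)


if __name__ == "__main__":
    s = parse_aswboot(SAMPLE_REPORT)
    print(f"{len(s.detections)} detection(s), {len(s.errors)} scan error(s)")
    for d in s.detections:
        print(f"  {d.signature}: {d.path} -> {d.action}")
    print("not quarantined:", [d.path for d in not_quarantined(s)], "| mismatch:", count_mismatch(s))
```

Paste the real aswBoot.txt contents in place of SAMPLE_REPORT; anything that lands in `unparsed` or trips `count_mismatch` is a line the regexes did not recognise and should be read by hand.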

#5
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Thank you for helping us. Norton Removal Tool downloads to about 440kb (not to complete download) and shows as a 'completed download.' When opening file it states 'corrupt file.' Tried this a few times and same results.

Edited by jdnz, 30 December 2013 - 07:13 PM.

  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Just downloaded it and it worked fine. I zipped it up and attached it. Download, Save and then right click on it and Extract All.
  • 1

#7
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
.zip worked fine. We will proceed to the next step. Thank You.
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Sorry about removing your download manager but most of them come with so much foistware that I just lump them in to the bad guy category. Also unless you have dial-up (which you tell me you do) they don't do much for you. Try the Lite version of the Free Download Manager.
http://www.freedownl...rg/download.htm

I just did a trial install and it didn't seem to have any foistware with it and it is highly rated in this article (which does warn of some foistware):

http://www.techsuppo...oad-manager.htm
  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Are you back on line now?
  • 0

#10
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

We are back online! Thankfully.

Quick Update.

We were able to install and run the Norton uninstall tool from the .zip file.

We were able to download the antivirus program and we are now in the process of installing and updating.

The Event Viewer Tool and Speccy were both downloaded and we will run them both after the anti-virus program.

As per the download managers, we're not looking for "speed" (although it could always help), but for a way to restart a download if it gets interrupted in the middle of a download - instead of starting from scratch. As a note, we have yet to check out the ones you notated. The A/V program itself was downloaded start to finish without interruption.

I will keep you posted on the A/V update now that we are back online.

Thank you so much for taking the time to follow up with us. We are planning on responding with an update for you tomorrow (1-4-2014).

Have a great day/evening.
  • 0

#11
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

Thank you for taking the time to help us out. We are both very appreciative of you taking your time to advise us.

We have made some significant progress, as you will see below.

Some observations that you should know about.

A. After uninstalling the Norton remnants using Norton Uninstaller - the AOL Dialer worked fine, however after a reboot we launched the 'AOL Dialer' to log-on and the 'AOL Dialer' hangs on 'Step 4' and does not progress through to 'Step 7' to allow us to sign-on.
The error message:
"authentication service error 12057. An error occured during authentication. Please try again."
*PLEASE NOTE we are however able to sign-on using the full AOL 9.7 Desktop software, so
connectivity seems to be working.*

B. The Avast program did find some items you will see in the log. The Avast program also seems to have taken over the computer system with all its added benefits. This has made the computer run slower than usual and a challenge to navigate onto the web etc. You will see that I needed to 'disable' the real-time scanning for the time being to post this information. Maybe there is an edit we can do or alternative?

C. We also noticed on CCleaner under applications it lists the Avast Antivirus Program twice (2 times) as the following: 1. Avast Antivirus 6 2. Avast Antivirus 8.

D. Of note, at times we also run mozilla firefox, however it was not launched at the time of the scanning of Speccy.

E. If you see a network card installed in any log, please note we do not use this item.

As requested the logs are pasted below for your review. Thank You again.

aswBoot log
01/04/2014 11:02
Scan of all local drives

File C:\Documents and Settings\Admin\Desktop\mbam-setup.com|>{commonappdata}\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref Error 42145 {Installer archive is corrupted.}

File C:\Documents and Settings\Admin\My Documents\BaCk from the\Documents and Settings\Adm\My Documents\Favorites\CORN\Field Crops Farm Farmer Supply Resources.url is infected by INI:Shortcut-inf [Trj], Moved to chest

File C:\Documents and Settings\Admin\My Documents\fontadds\clementine_sketch.zip|>clementine sketch.ttf Error 42125 {ZIP archive is corrupted.}

File C:\Documents and Settings\Admin\My Documents\Downloads\00o\OOo_3.3.0_Win_x86_install-wJRE_en-US(1).exe.part|>$INSTDIR\openofficeorg1.cab|>libxml2.dll Error 42127 {CAB archive is corrupted.}

File C:\Documents and Settings\Admin\My Documents\Downloads\JDownloader.zip|>JDownloader\jd\plugins\decrypter\SflnkgNt.class Error 42125 {ZIP archive is corrupted.}

File C:\Documents and Settings\Admin\My Documents\Downloads\OOo_3.3.0_Win_x86_install-wJRE_en-US(1).exe|>$INSTDIR\openofficeorg1.cab|>soffice.bin Error 42127 {CAB archive is corrupted.}

Number of searched folders: 9425

Number of tested files: 373132

Number of infected files: 1

=======================================================================

Vino's Event Viewer v01c run on Windows XP in English
Report run at 04/01/2014 2:25:30 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 04/01/2014 2:17:53 PM
Type: error Category: 0
Event: 7011 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Log: 'System' Date/Time: 04/01/2014 2:17:53 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The nVidia WDM A/V Crossbar service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 04/01/2014 2:17:53 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The nVidia WDM TVTuner service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 04/01/2014 2:17:53 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The nVidia WDM Video Capture (universal) service failed to start due to the following error: The system cannot find the file specified.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(no system log information generated.)

=======================================================

Generated with Speccy v1.24.632

Summary
Operating System
Windows XP Professional 32-bit SP3
CPU
Intel Pentium 4
Willamette 0.18um Technology
RAM
128MB Dual-Channel RDRAM
Motherboard
Dell 8100 (Microprocessor)
Graphics
MV500 ([email protected])
32MB NVIDIA GeForce2 GTS/GeForce2 Pro (NVIDIA)
Storage
37GB Western Digital WDC WD400BB (ATA)
Optical Drives
SONY CD-RW CRX160E
NEC DV-5700A
Audio
Santa Cruz WDM Interface
Operating System
Windows XP Professional 32-bit SP3
Computer type: Tower
Windows Security Center
Firewall Disabled
Windows Update
AutoUpdate Not configured
Antivirus
Antivirus Disabled
Company Name AVAST Software
Display Name avast! Antivirus
Product Version 9.0.2011
Virus Signature Database Up to date
.NET Frameworks installed
v2.0
Internet Explorer
Version 8.0.6001.18702
Environment Variables
USERPROFILE C:\Documents and Settings\Admin
SystemRoot C:\WINDOWS
User Variables
TEMP C:\Documents and Settings\Admin\Local Settings\Temp
TMP C:\Documents and Settings\Admin\Local Settings\Temp
Machine Variables
ComSpec C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK NO
NUMBER_OF_PROCESSORS 1
OS Windows_NT
Path C:\WINDOWS\system32
C:\WINDOWS
C:\WINDOWS\system32\wbem
C:\Program Files\Common Files\Adobe\AGL
PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE x86
PROCESSOR_IDENTIFIER x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL 15
PROCESSOR_REVISION 0102
TEMP C:\WINDOWS\TEMP
TMP C:\WINDOWS\TEMP
windir C:\WINDOWS
Power Profile
Active power scheme Home/Office Desk
Hibernation Enabled
Turn Off Monitor after: (On AC Power) 20 min
Turn Off Hard Disk after: (On AC Power) Never
Suspend after: (On AC Power) Never
Screen saver Enabled
Uptime
Current Session
Current Time 1/4/2014 8:11:53 PM
Current Uptime 21,370 sec (0 d, 05 h, 56 m, 10 s)
Last Boot Time 1/4/2014 2:15:43 PM
Services
Running AOL Connectivity Service
Running Application Layer Gateway Service
Running avast! Antivirus
Running BITS
Running COM+ Event System
Running Computer Browser
Running CryptSvc
Running DCOM Server Process Launcher
Running DHCP Client
Running Distributed Link Tracking Client
Running DNS Client
Running Error Reporting Service
Running Event Log
Running Fast User Switching Compatibility
Running Help and Support
Running HID Input Service
Running IPSEC Services
Running Logical Disk Manager
Running Network Connections
Running Network Location Awareness (NLA)
Running NVIDIA Display Driver Service
Running PCTEL Speaker Phone
Running Plug and Play
Running Print Spooler
Running Protected Storage
Running Remote Access Connection Manager
Running Remote Procedure Call (RPC)
Running Remote Registry
Running Secondary Logon
Running Security Accounts Manager
Running Security Center
Running Server
Running Shell Hardware Detection
Running SSDP Discovery Service
Running System Event Notification
Running System Restore Service
Running Task Scheduler
Running TCP/IP NetBIOS Helper
Running Telephony
Running Terminal Services
Running Themes
Running WebClient
Running Windows Audio
Running Windows Firewall/Internet Connection Sharing (ICS)
Running Windows Management Instrumentation
Running Windows Time
Running Wireless Zero Configuration
Running Workstation
Stopped .NET Runtime Optimization Service v2.0.50727_X86
Stopped Adobe LM Service
Stopped Alerter
Stopped Application Management
Stopped ASP.NET State Service
Stopped Automatic Updates
Stopped ClipBook
Stopped COM+ System Application
Stopped Distributed Transaction Coordinator
Stopped Extensible Authentication Protocol Service
Stopped Health Key and Certificate Management Service
Stopped HTTP SSL
Stopped IMAPI CD-Burning COM Service
Stopped Indexing Service
Stopped Logical Disk Manager Administrative Service
Stopped Messenger
Stopped MS Software Shadow Copy Provider
Stopped Net Logon
Stopped NetMeeting Remote Desktop Sharing
Stopped Network Access Protection Agent
Stopped Network DDE
Stopped Network DDE DSDM
Stopped Network Provisioning Service
Stopped NT LM Security Support Provider
Stopped Performance Logs and Alerts
Stopped Portable Media Serial Number Service
Stopped QoS RSVP
Stopped Remote Access Auto Connection Manager
Stopped Remote Desktop Help Session Manager
Stopped Remote Procedure Call (RPC) Locator
Stopped Removable Storage
Stopped Routing and Remote Access
Stopped Smart Card
Stopped Telnet
Stopped Uninterruptible Power Supply
Stopped Universal Plug and Play Device Host
Stopped Volume Shadow Copy
Stopped Windows Image Acquisition (WIA)
Stopped Windows Installer
Stopped Windows Management Instrumentation Driver Extensions
Stopped Wired AutoConfig
Stopped WMI Performance Adapter
TimeZone
TimeZone GMT -5:00 Hours
Language English (United States)
Location United States
Format English (United States)
Currency $
Date Format M/d/yyyy
Time Format h:mm:ss tt
Scheduler
1/4/2014 9:24 PM;Every 12 hour(s) from 9:24 PM for 24 hour(s) every day, starting 1/4/2014
avast! Emergency Update
System Folders
Application Data C:\Documents and Settings\All Users\Application Data
Cookies C:\Documents and Settings\Admin\Cookies
Desktop C:\Documents and Settings\Admin\Desktop
Documents C:\Documents and Settings\All Users\Documents
Fonts C:\WINDOWS\Fonts
Global Favorites C:\Documents and Settings\All Users\Favorites
Internet History C:\Documents and Settings\Admin\Local Settings\History
Local Application Data C:\Documents and Settings\Admin\Local Settings\Application Data
Music C:\Documents and Settings\All Users\Documents\My Music
Path for burning CD C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning
Physical Desktop C:\Documents and Settings\Admin\Desktop
Pictures C:\Documents and Settings\All Users\Documents\My Pictures
Program Files C:\Program Files
Public Desktop C:\Documents and Settings\All Users\Desktop
Start Menu C:\Documents and Settings\All Users\Start Menu
Start Menu Programs C:\Documents and Settings\All Users\Start Menu\Programs
Startup C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Templates C:\Documents and Settings\All Users\Templates
Temporary Internet Files C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files
User Favorites C:\Documents and Settings\Admin\Favorites
Videos C:\Documents and Settings\All Users\Documents\My Videos
Windows Directory C:\WINDOWS
Windows/System C:\WINDOWS\system32
Process List
alg.exe
Process ID 556
Path C:\WINDOWS\System32\alg.exe
Memory Usage 64 KB
Peak Memory Usage 3.56 MB
AOLacsd.exe
Process ID 2948
User SYSTEM
Domain NT AUTHORITY
Path C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
Memory Usage 1.10 MB
Peak Memory Usage 6.42 MB
aolsoftware.exe
Process ID 384
User Admin
Domain R1
Path C:\Program Files\Common Files\AOL\1388711988\ee\AOLSoftware.exe
Memory Usage 2.08 MB
Peak Memory Usage 9.13 MB
aoltpsd3.exe
Process ID 3576
User Admin
Domain R1
Path C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
Memory Usage 388 KB
Peak Memory Usage 4.16 MB
AvastSvc.exe
Process ID 1028
User SYSTEM
Domain NT AUTHORITY
Path C:\Program Files\AVAST Software\Avast\AvastSvc.exe
Memory Usage 5.20 MB
Peak Memory Usage 47 MB
AvastUI.exe
Process ID 2628
User Admin
Domain R1
Path C:\Program Files\AVAST Software\Avast\AvastUI.exe
Memory Usage 2.09 MB
Peak Memory Usage 35 MB
csrss.exe
Process ID 484
User SYSTEM
Domain NT AUTHORITY
Path \??\C:\WINDOWS\system32\csrss.exe
Memory Usage 940 KB
Peak Memory Usage 5.28 MB
ctfmon.exe
Process ID 708
User Admin
Domain R1
Path C:\WINDOWS\system32\ctfmon.exe
Memory Usage 956 KB
Peak Memory Usage 3.43 MB
explorer.exe
Process ID 1192
User Admin
Domain R1
Path C:\WINDOWS\Explorer.EXE
Memory Usage 2.93 MB
Peak Memory Usage 17 MB
iexplore.exe
Process ID 2444
User Admin
Domain R1
Path C:\Program Files\Internet Explorer\iexplore.exe
Memory Usage 8.36 MB
Peak Memory Usage 16 MB
iexplore.exe
Process ID 2552
User Admin
Domain R1
Path C:\Program Files\Internet Explorer\iexplore.exe
Memory Usage 16 MB
Peak Memory Usage 20 MB
lsass.exe
Process ID 564
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\lsass.exe
Memory Usage 1.34 MB
Peak Memory Usage 5.14 MB
notepad.exe
Process ID 2496
User Admin
Domain R1
Path C:\WINDOWS\system32\NOTEPAD.EXE
Memory Usage 32 KB
Peak Memory Usage 3.61 MB
nvsvc32.exe
Process ID 1576
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\nvsvc32.exe
Memory Usage 40 KB
Peak Memory Usage 3.76 MB
pctspk.exe
Process ID 1592
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\pctspk.exe
Memory Usage 28 KB
Peak Memory Usage 2.48 MB
services.exe
Process ID 552
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\services.exe
Memory Usage 1.23 MB
Peak Memory Usage 3.17 MB
smss.exe
Process ID 428
User SYSTEM
Domain NT AUTHORITY
Path \SystemRoot\System32\smss.exe
Memory Usage 36 KB
Peak Memory Usage 508 KB
Speccy.exe
Process ID 2532
User Admin
Domain R1
Path C:\Program Files\Speccy\Speccy.exe
Memory Usage 12 MB
Peak Memory Usage 30 MB
spoolsv.exe
Process ID 1316
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\spoolsv.exe
Memory Usage 1.30 MB
Peak Memory Usage 4.71 MB
svchost.exe
Process ID 720
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\svchost.exe
Memory Usage 700 KB
Peak Memory Usage 3.12 MB
svchost.exe
Process ID 780
Path C:\WINDOWS\system32\svchost.exe
Memory Usage 1.02 MB
Peak Memory Usage 4.00 MB
svchost.exe
Process ID 844
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\System32\svchost.exe
Memory Usage 6.92 MB
Peak Memory Usage 14 MB
svchost.exe
Process ID 936
Path C:\WINDOWS\system32\svchost.exe
Memory Usage 468 KB
Peak Memory Usage 2.82 MB
svchost.exe
Process ID 972
Path C:\WINDOWS\system32\svchost.exe
Memory Usage 76 KB
Peak Memory Usage 2.98 MB
svchost.exe
Process ID 1420
Path C:\WINDOWS\system32\svchost.exe
Memory Usage 44 KB
Peak Memory Usage 3.77 MB
svchost.exe
Process ID 2200
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\svchost.exe
Memory Usage 36 KB
Peak Memory Usage 7.17 MB
System
Process ID 4
Memory Usage 28 KB
Peak Memory Usage 4.03 MB
System Idle Process
Process ID 0
waol.exe
Process ID 2848
User Admin
Domain R1
Path C:\Program Files\AOL Desktop 9.7\waol.exe
Memory Usage 3.46 MB
Peak Memory Usage 34 MB
winlogon.exe
Process ID 508
User SYSTEM
Domain NT AUTHORITY
Path \??\C:\WINDOWS\system32\winlogon.exe
Memory Usage 856 KB
Peak Memory Usage 12 MB
wmiprvse.exe
Process ID 1964
Path C:\WINDOWS\system32\wbem\wmiprvse.exe
Memory Usage 3.52 MB
Peak Memory Usage 7.17 MB
wmiprvse.exe
Process ID 2220
User SYSTEM
Domain NT AUTHORITY
Path C:\WINDOWS\system32\wbem\wmiprvse.exe
Memory Usage 2.78 MB
Peak Memory Usage 4.95 MB
wscntfy.exe
Process ID 704
User Admin
Domain R1
Path C:\WINDOWS\system32\wscntfy.exe
Memory Usage 40 KB
Peak Memory Usage 2.23 MB
Security Options
Accounts: Administrator account status Enabled
Accounts: Guest account status Enabled
Accounts: Limit local account use of blank passwords to console logon only Enabled
Accounts: Rename administrator account Administrator
Accounts: Rename guest account Guest
Audit: Audit the access of global system objects Disabled
Audit: Audit the use of Backup and Restore privilege Disabled
Audit: Shut down system immediately if unable to log security audits Disabled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax Not defined
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Not defined
Devices: Allow undock without having to log on Enabled
Devices: Allowed to format and eject removable media Administrators
Devices: Prevent users from installing printer drivers Disabled
Devices: Restrict CD-ROM access to locally logged-on user only Disabled
Devices: Restrict floppy access to locally logged-on user only Disabled
Devices: Unsigned driver installation behavior Warn but allow installation
Domain controller: Allow server operators to schedule tasks Not defined
Domain controller: LDAP server signing requirements Not defined
Domain controller: Refuse machine account password changes Not defined
Domain member: Digitally encrypt or sign secure channel data (always) Enabled
Domain member: Digitally encrypt secure channel data (when possible) Enabled
Domain member: Digitally sign secure channel data (when possible) Enabled
Domain member: Disable machine account password changes Disabled
Domain member: Maximum machine account password age 30 days
Domain member: Require strong (Windows 2000 or later) session key Disabled
Interactive logon: Display user information when the session is locked Not defined
Interactive logon: Do not display last user name Disabled
Interactive logon: Do not require CTRL+ALT+DEL Not defined
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available) 10 logons
Interactive logon: Prompt user to change password before expiration 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation Disabled
Interactive logon: Require smart card Not defined
Interactive logon: Smart card removal behavior No Action
Microsoft network client: Digitally sign communications (always) Disabled
Microsoft network client: Digitally sign communications (if server agrees) Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Disabled
Microsoft network server: Amount of idle time required before suspending session 15 minutes
Microsoft network server: Digitally sign communications (always) Disabled
Microsoft network server: Digitally sign communications (if client agrees) Disabled
Microsoft network server: Disconnect clients when logon hours expire Enabled
Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication Disabled
Network access: Let Everyone permissions apply to anonymous users Disabled
Network access: Named Pipes that can be accessed anonymously COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,browser
Network access: Remotely accessible registry paths System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Network access: Shares that can be accessed anonymously COMCFG,DFS$
Network access: Sharing and security model for local accounts Guest only - local users authenticate as Guest
Network security: Do not store LAN Manager hash value on next password change Disabled
Network security: Force logoff when logon hours expire Disabled
Network security: LAN Manager authentication level Send LM & NTLM responses
Network security: LDAP client signing requirements Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers No minimum
Recovery console: Allow automatic administrative logon Enabled
Recovery console: Allow floppy copy and access to all drives and all folders Enabled
Shutdown: Allow system to be shut down without having to log on Enabled
Shutdown: Clear virtual memory pagefile Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Disabled
System objects: Default owner for objects created by members of the Administrators group Object creator
System objects: Require case insensitivity for non-Windows subsystems Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabled
Device Tree
Advanced Configuration and Power Interface (ACPI) PC
Microsoft ACPI-Compliant System
ACPI Fixed Feature Button
ACPI Power Button
Intel Pentium 4 CPU 1.60GHz
System board
Unsupported Device
PCI bus
Intel 82801BA/BAM SMBus Controller - 2443
Intel 82850 Processor to I/O Controller - 2530
Intel® 82850/82860 Processor to AGP Controller - 2532
NVIDIA GeForce2 GTS/GeForce2 Pro
Color Monitor
Intel® 82801 PCI Bridge - 244E
3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Santa Cruz™
Santa Cruz Game Port
Santa Cruz WDM Interface
U.S. Robotics 56K Voice PCI
Unimodem Half-Duplex Audio Device
Intel® 82801BA LPC Interface Controller - 2440
Communications Port (COM1)
Direct memory access controller
ISAPNP Read Data Port
Numeric data processor
Programmable interrupt controller
PS/2 Compatible Mouse
Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
System board
System CMOS/real time clock
System speaker
System timer
Standard floppy disk controller
Floppy disk drive
ECP Printer Port (LPT1)
Printer Port Logical Interface
Intel® 82801BA Ultra ATA Storage Controller - 244B
Primary IDE Channel
WDC WD400BB
Secondary IDE Channel
_NEC DV-5700A
SONY CD-RW CRX160E
Intel® 82801BA/BAM USB Universal Host Controller - 2442
USB Root Hub
Intel® 82801BA/BAM USB Universal Host Controller - 2444
USB Root Hub
CPU
Intel Pentium 4
Cores 1
Threads 1
Name Intel Pentium 4
Code Name Willamette
Package Socket 423 mPGA
Technology 0.18um
Specification Intel Pentium 4 CPU 1.60GHz
Family F
Extended Family F
Model 1
Extended Model 1
Stepping 2
Revision D0
Instructions MMX, SSE, SSE2
Virtualization Not supported
Hyperthreading Not supported
Stock Core Speed 1600 MHz
Stock Bus Speed 100 MHz
Caches
L1 Data Cache Size 8 KBytes
L1 trace cache 12 Kµops
L2 Unified Cache Size 256 KBytes
Core 0
Core Speed 1595.5 MHz
Multiplier x 16.0
Thread 1
APIC ID 0
RAM
Memory slots
Total memory slots 4
Used memory slots 2
Free memory slots 2
Memory
Type RDRAM
Size 128 MBytes
Channels # Dual
Physical Memory
Memory Usage 86 %
Total Physical 127 MB
Available Physical 18 MB
Total Virtual 497 MB
Available Virtual 126 MB
SPD
Number Of SPD Modules 2
Slot #1
Type RDRAM
Size 64 MBytes
Manufacturer Hyundai Electronics
Max Bandwidth PC600-53 (300 MHz)
Part Number R13216H-653
Serial Number
Week/year 51 / 100
Slot #2
Type RDRAM
Size 64 MBytes
Manufacturer Hyundai Electronics
Max Bandwidth PC600-53 (300 MHz)
Part Number R13216H-653
Serial Number
Week/year 51 / 100
Motherboard
Manufacturer Dell
Model 8100
Chipset Vendor Intel
Chipset Model i850
Chipset Revision A2
Southbridge Vendor Intel
Southbridge Model 82801BA (ICH2)
Southbridge Revision 02
BIOS
Brand Dell
Version A09
Date 10/2/2001
PCI Data
Slot PCI
Slot Type PCI
Slot Usage Available
Bus Width 32 bit
Slot Designation PCI1
Characteristics 5V, 3.3V, PME
Slot Number 0
Slot PCI
Slot Type PCI
Slot Usage Available
Bus Width 32 bit
Slot Designation PCI2
Characteristics 5V, 3.3V, PME
Slot Number 1
Slot PCI
Slot Type PCI
Slot Usage Available
Bus Width 32 bit
Slot Designation PCI3
Characteristics 5V, 3.3V, PME
Slot Number 2
Slot PCI
Slot Type PCI
Slot Usage In Use
Bus Width 32 bit
Slot Designation PCI4
Characteristics 5V, 3.3V, PME
Slot Number 3
Slot PCI
Slot Type PCI
Slot Usage In Use
Bus Width 32 bit
Slot Designation PCI5
Characteristics 5V, 3.3V, PME
Slot Number 4
Slot AGP 4X
Slot Type AGP 4X
Slot Usage In Use
Bus Width 32 bit
Slot Designation AGP1
Characteristics PME
Slot Number 5
Graphics
Monitor
Name MV500 on NVIDIA GeForce2 GTS/GeForce2 Pro
Current Resolution 800x600 pixels
Work Resolution 800x566 pixels
State Enabled, Primary, Output devices support
Monitor Width 800
Monitor Height 600
Monitor BPP 32 bits per pixel
Monitor Frequency 60 Hz
Device \\.\DISPLAY1\Monitor0
NVIDIA GeForce2 GTS/GeForce2 Pro
Manufacturer NVIDIA
Model GeForce2 GTS/GeForce2 Pro
GPU NV15
Device ID 10DE-0150
Revision A5
Subvendor NVIDIA (10DE)
Current Performance Level Level 0
Transistors 25 M
Release Date Apr 2000
DirectX Support 7.0
OpenGL Support 1.2
GPU Clock 200 MHz
Memory Clock 333 MHz
Driver version 7.1.8.4
BIOS Version 2.15.01.13.01
ROPs 4
Shaders Vertex 4/Pixel 40
Memory Type DDR
Memory 32 MB
Bus Width 128 Bit
Pixel Fillrate 0.8 GPixels/s
Texture Fillrate 1.6 GTexels/s
Bandwidth 10.7 GB/s
Count of performance levels : 1
Level 1
Storage
Hard drives
WDC WD400BB
Manufacturer Western Digital
Form Factor GB/2.5-inch
Interface/Connector SATA 1.5 Gb/s with 22-pin SATA connector
Heads 16
Cylinders 4,863
Tracks 1,240,065
Sectors 78,124,095
Device type Fixed
ATA Standard ATA/ATAPI-5
LBA Size 28bit LBA
Power On Count 1280 times
Power On Time 224.0 days
Features S.M.A.R.T., AAM
Transfer Mode Ultra DMA/100
Interface ATA
Capacity 37.3 GB
Real size 40,000,000,000 bytes
RAID Type None
S.M.A.R.T
Status Good
01 Read Error Rate 200 (200) Data 0000000000
03 Spin-Up Time 099 (093) Data 0000000989
04 Start/Stop Count 099 (099) Data 000000052D
05 Reallocated Sectors Count 200 (200) Data 0000000000
07 Seek Error Rate 200 (200) Data 0000000000
09 Power-On Hours (POH) 093 (093) Data 0000001500
0A Spin Retry Count 100 (100) Data 0000000000
0B Recalibration Retries 100 (100) Data 0000000000
0C Device Power Cycle Count 099 (099) Data 0000000500
C4 Reallocation Event Count 200 (200) Data 0000000000
C5 Current Pending Sector Count 200 (200) Data 0000000000
C6 Uncorrectable Sector Count 200 (200) Data 0000000000
C7 UltraDMA CRC Error Count 200 (200) Data 0000000000
C8 Write Error Rate / Multi-Zone Error Rate 200 (200) Data 0000000000
Partition 0
Partition ID Disk #0, Partition #0
Disk Letter C:
File System NTFS
Volume Serial Number
Size 37.3 GB
Used Space 31.7 GB (86%)
Free Space 5.55 GB (14%)
Optical Drives
CD-RW
Media Type CD Writer
Name SONY CD-RW
Availability Running/Full Power
Capabilities Random Access, Supports Removable Media
Read capabilities CD-R, CD-RW, CD-ROM
Write capabilities CD-R, CD-RW
Config Manager Error Code Device is working properly
Config Manager User Config FALSE
Drive D:
Media Loaded FALSE
SCSI Bus 0
SCSI Logical Unit 0
SCSI Port 1
SCSI Target Id 0
Status OK
DV-5700A
Media Type DVD Reader
Name NEC DV-5700A
Availability Running/Full Power
Capabilities Random Access, Supports Removable Media
Read capabilities CD-R, CD-RW, CD-ROM, DVD-ROM, DVD-R, DVD-R DL, DVD-RW DL
Config Manager Error Code Device is working properly
Config Manager User Config FALSE
Drive E:
Media Loaded FALSE
SCSI Bus 0
SCSI Logical Unit 0
SCSI Port 1
SCSI Target Id 1
Status OK
Audio
Sound Cards
Santa Cruz WDM Interface
Unimodem Half-Duplex Audio Device
Playback Devices
Santa Cruz
Modem #0 Line Record
Recording Devices
Santa Cruz
Modem #0 Line Playback
Peripherals
Standard 101/102-Key
Device Kind Keyboard
Device Name Standard 101/102-Key
Vendor (Standard keyboards)
Location plugged into keyboard port
Driver
Date 7-1-2001
Version 5.1.2600.2180
File C:\WINDOWS\system32\DRIVERS\i8042prt.sys
File C:\WINDOWS\system32\DRIVERS\kbdclass.sys
PS/2 Compatible Mouse
Device Kind Mouse
Device Name PS/2 Compatible Mouse
Vendor Microsoft
Location plugged into PS/2 mouse port
Driver
Date 7-1-2001
Version 5.1.2600.0
File C:\WINDOWS\system32\DRIVERS\i8042prt.sys
File C:\WINDOWS\system32\DRIVERS\mouclass.sys
Printers
CutePDF Writer (Default Printer)
Printer Port CPW2:
Print Processor WinPrint
Availability
Priority 1
Duplex None
Print Quality
Status Unknown
Driver
Driver Name CutePDF Writer (v6.00)
Driver Path C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\PSCRIPT5.DLL
Network
You are connected to the internet
Connected through WAN (PPP/SLIP) Interface
IP Address xxx.xxx.x.xx
Subnet mask xxx.xxx.xxx.xxx
Gateway server xxx.xxx.x.xx
Preferred DNS server xxx.xxx.xxx.xxx
DHCP Disabled
External IP Address xxx.xxx.x.xx
Adapter Type PPP
NetBIOS over TCP/IP Unknown
NETBIOS Node Type Mixed node
Link Speed 0 Bps
Computer Name
NetBIOS Name A
DNS Name A
Membership Part of workgroup
Workgroup A
Remote Desktop
Disabled
Console
State Active
Domain A
WinInet Info
The Internet (1)
Local system has a valid connection to the Internet, but it might or might not be currently connected
Local system uses a modem to connect to the Internet
Local system has RAS to connect to the Internet
Wi-Fi Info
Wi-Fi not enabled
WinHTTPInfo
WinHTTPSessionProxyType No proxy
Session Proxy
Session Proxy Bypass
Connect Retries 5
Connect Timeout (ms) 60,000
HTTP Version HTTP 1.1
Max Connects Per 1.0 Servers INFINITE
Max Connects Per Servers INFINITE
Max HTTP automatic redirects 10
Max HTTP status continue 10
Send Timeout (ms) 30,000
IEProxy Auto Detect Yes
IEProxy Auto Config
IEProxy
IEProxy Bypass
Default Proxy Config Access Type No proxy
Default Config Proxy
Default Config Proxy Bypass
Sharing and Discovery
File and printer sharing service Enabled
Simple File Sharing Enabled
Administrative Shares Enabled
Network access: Sharing and security model for local accounts Guest only - local users authenticate as Guest
Adapters List
WAN (PPP/SLIP) Interface
Connection Name The Internet (1)
NetBIOS over TCPIP No
DHCP enabled No
MAC Address xxx.xxx.xxx.xxx
IP Address xxx.xxx.xxx.xxx
Subnet mask xxx.xxx.xxx.xxx
Gateway server xxx.xxx.xxx.xxx
DNS Server xxx.xxx.xxx.xxx
Network Shares
SharedDocs C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS
Current TCP Connections
C:\Program Files\AOL Desktop 9.7\waol.exe (2848)
Local ESTABLISHED Remote xx.xxx.xx.x:xxxx (Querying... )
Local ESTABLISHED Remote xxx.xxx.x.x:xxxx (Querying... ) (ICQ)
C:\Program Files\AVAST Software\Avast\AvastSvc.exe (1028)
Local LISTEN
Local LISTEN
Local LISTEN
Local LISTEN
Local LISTEN
Local LISTEN
Local LISTEN
Local LISTEN
Local LISTEN
Local LISTEN
Local CLOSE-WAIT Remote (Querying... )
Local CLOSE-WAIT Remote (Querying... )
Local ESTABLISHED Remote (Querying... ) (HTTP)
Local CLOSE-WAIT Remote (Querying... ) (HTTP)
C:\Program Files\AVAST Software\Avast\AvastUI.exe (2628)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTPS)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTPS)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTPS)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTPS)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTPS)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTPS)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTPS)
Local xxx.xxx.x.xx:xxxx CLOSE-WAIT Remote xxx.xxx.x.xx:xxxx (Querying... ) (HTTP)
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe (3576)
Local xxx.x.x.x:xxxxx LISTEN
C:\WINDOWS\System32\alg.exe (556)
Local xxx.x.x.x:xxxxx LISTEN
C:\WINDOWS\system32\svchost.exe (780)
Local x.x.x.x:xxx (DCE) LISTEN
System Process
Local x.x.x.x:xxx (Windows shares) LISTEN

Generated with Speccy v1.24.632

==============================================

RKINNER, Thank you for your help, we will wait for your response and next step.

Edited by jdnz, 04 January 2014 - 09:18 PM.

  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top. Re-enable Avast.

Wait a full minute then:

File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.
  • 1

#13
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello RKinner:

Please note that we had Avast running when the computer started so no need for us to re-launch the program. At this point we have Avast automatic updates disabled.

We pasted *TWO (2)* logs below - about 45 min. apart - so you may have an additional example of order.

We hope we were able to follow your directions correctly. Please let us know if you seek a new log run.

The logs are pasted below. Thank you for your assistance.

==========================================================
1st 1st 1st 1st 1st 1st 1st 1st 1st 1st *****************************************
===========================================================

Process CPU Private Bytes Working Set PID Description Company Name Verified Signer

System Idle Process 1.23 0 K 16 K 0

procexp.exe 4.00 26,120 K 9,344 K 3896 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation

firefox.exe 98,856 K 40,396 K 2816 Firefox Mozilla Corporation (Verified) Mozilla Corporation

Interrupts 1.23 0 K 0 K n/a Hardware Interrupts and DPCs

wscntfy.exe 600 K 84 K 1056 Windows Security Center Notification App Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

winlogon.exe 6,452 K 1,384 K 508 Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher

waol.exe 29,420 K 4,172 K 3744 AOL Software AOL Inc. (Verified) AOL Inc.

System 0 K 32 K 4

svchost.exe 13,204 K 2,952 K 820 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher

svchost.exe 1,312 K 816 K 868 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 3,012 K 368 K 720 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 1,724 K 392 K 780 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 1,604 K 64 K 900 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 1,316 K 80 K 1208 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher

svchost.exe 5,440 K 48 K 236 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher

spoolsv.exe 3,204 K 400 K 1124 Spooler SubSystem App Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

smss.exe 172 K 40 K 436 Windows NT Session Manager Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

services.exe 1,728 K 484 K 552 Services and Controller app Microsoft Corporation (Verified) Microsoft Windows Component Publisher

pctspk.exe 820 K 28 K 1288 PCTSPK.EXE PCtel, Inc. (No signature was present in the subject) PCtel, Inc.

nvsvc32.exe 1,916 K 44 K 1272 NVIDIA Driver Helper Service, Version 71.84 NVIDIA Corporation (Verified) Microsoft Windows Hardware Compatibility Publisher

notepad.exe 1,164 K 332 K 3928 Notepad Microsoft Corporation (Verified) Microsoft Windows Component Publisher

lsass.exe 3,776 K 960 K 564 LSA Shell (Export Version) Microsoft Corporation (Verified) Microsoft Windows Component Publisher

explorer.exe 18,192 K 3,764 K 1728 Windows Explorer Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

ctfmon.exe 952 K 1,264 K 2712 CTF Loader Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

csrss.exe 1,600 K 896 K 484 Client Server Runtime Process Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

AvastUI.exe 38,544 K 3,100 K 2696 avast! Antivirus AVAST Software (Verified) AVAST Software a.s.

AvastSvc.exe 30,656 K 7,244 K 1028 avast! Service AVAST Software (Verified) AVAST Software a.s.

aoltpsd3.exe 2,624 K 852 K 1652 AOL TopSpeed AOL Inc. (Verified) AOL Inc.

aolsoftware.exe 6,900 K 4,064 K 2348 AOL AOL Inc. (Verified) AOL Inc.

AOLacsd.exe 6,636 K 1,128 K 2164 AOL Connectivity Service AOL LLC (Verified) AOL LLC

alg.exe 1,176 K 68 K 1504 Application Layer Gateway Service Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

- END OF LOG -

==============================
==============================
==============================

====================================================================
2nd 2nd 2nd 2nd 2nd 2nd 2nd 2nd 2nd 2nd 2nd 2nd 2nd 2nd ********************************
====================================================================

Process CPU Private Bytes Working Set PID Description Company Name Verified Signer

System Idle Process 92.00 0 K 16 K 0

winlogon.exe 7,592 K 860 K 508 Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher

procexp.exe 5.00 26,192 K 14,476 K 3896 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation

Interrupts 1.00 0 K 0 K n/a Hardware Interrupts and DPCs

wscntfy.exe 600 K 260 K 1056 Windows Security Center Notification App Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

waol.exe 29,448 K 3,420 K 3744 AOL Software AOL Inc. (Verified) AOL Inc.

System 0 K 32 K 4

svchost.exe 13,260 K 2,624 K 820 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher

svchost.exe 2,992 K 696 K 720 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 1,724 K 200 K 780 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 1,340 K 704 K 868 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 1,604 K 64 K 900 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

svchost.exe 1,316 K 620 K 1208 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher

svchost.exe 5,440 K 216 K 236 Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher

spoolsv.exe 3,204 K 44 K 1124 Spooler SubSystem App Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

smss.exe 172 K 40 K 436 Windows NT Session Manager Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

services.exe 1,728 K 784 K 552 Services and Controller app Microsoft Corporation (Verified) Microsoft Windows Component Publisher

pctspk.exe 820 K 156 K 1288 PCTSPK.EXE PCtel, Inc. (No signature was present in the subject) PCtel, Inc.

nvsvc32.exe 1,916 K 276 K 1272 NVIDIA Driver Helper Service, Version 71.84 NVIDIA Corporation (Verified) Microsoft Windows Hardware Compatibility Publisher

notepad.exe 1,164 K 276 K 3928 Notepad Microsoft Corporation (Verified) Microsoft Windows Component Publisher

notepad.exe 2,232 K 300 K 3132 (No signature was present in the subject)

lsass.exe 3,860 K 1,308 K 564 LSA Shell (Export Version) Microsoft Corporation (Verified) Microsoft Windows Component Publisher

firefox.exe 1.00 102,052 K 33,856 K 2816 Firefox Mozilla Corporation (Verified) Mozilla Corporation

explorer.exe 18,208 K 2,412 K 1728 Windows Explorer Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

ctfmon.exe 960 K 728 K 2712 CTF Loader Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

csrss.exe 1,600 K 756 K 484 Client Server Runtime Process Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

AvastUI.exe 38,544 K 1,424 K 2696 avast! Antivirus AVAST Software (Verified) AVAST Software a.s.

AvastSvc.exe 31,344 K 9,224 K 1028 avast! Service AVAST Software (Verified) AVAST Software a.s.

aoltpsd3.exe 2,624 K 1,044 K 1652 AOL TopSpeed AOL Inc. (Verified) AOL Inc.

aolsoftware.exe 1.00 6,900 K 3,496 K 2348 AOL AOL Inc. (Verified) AOL Inc.

AOLacsd.exe 6,636 K 1,236 K 2164 AOL Connectivity Service AOL LLC (Verified) AOL LLC

alg.exe 1,176 K 68 K 1504 Application Layer Gateway Service Microsoft Corporation (No signature was present in the subject) Microsoft Corporation

- END OF LOG -

Thank you for helping us. We will check back for your next directions.
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,031 posts
  • MVP
Things look normal in the second log but pretty bad in the first, and the odd thing is I can't see what is using so much CPU time. There should be something above System Idle Process 1.23 but there isn't anything.

Let's try autoruns from
http://live.sysinter...om/autoruns.exe

Download, Save and Run the program. File, Save, to your desktop, autoruns.arn, OK

Either zip up the file if you have the ability (7-zip works nicely) or just rename it from autoruns.arn to autoruns.txt then ATTACH it. Do not copy and paste.
  • 0
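The two checks behind RKinner's Process Explorer steps (post #12) and his reading of the first log (post #14) can be run over a saved Procexp.txt: add up the CPU column and report the gap below 100% that no visible process accounts for, and list every image whose signature Process Explorer could not verify. The Python below is an added example, not the poster's or Sysinternals' code; its two log excerpts are constructed in the thread's column layout, and `updater.exe` is a made-up unsigned entry.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Procexp.txt excerpts (not the poster's logs), in the layout of the
# "File, Save As" output quoted in the thread. The CPU column is blank for a
# process that used no CPU in the sample, which is why "svchost.exe 1,312 K ..."
# has one fewer field than "System Idle Process 1.23 0 K 16 K 0".
BAD_SAMPLE = """\
Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
System Idle Process 1.23 0 K 16 K 0
procexp.exe 4.00 26,120 K 9,344 K 3896 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
Interrupts 1.23 0 K 0 K n/a Hardware Interrupts and DPCs
svchost.exe 1,312 K 816 K 868 Generic Host Process for Win32 Services Microsoft Corporation (No signature was present in the subject) Microsoft Corporation
updater.exe 2.00 3,000 K 1,200 K 2048 (No signature was present in the subject)
- END OF LOG -
"""

NORMAL_SAMPLE = """\
System Idle Process 92.00 0 K 16 K 0
procexp.exe 5.00 26,192 K 14,476 K 3896 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
Interrupts 1.00 0 K 0 K n/a Hardware Interrupts and DPCs
firefox.exe 1.00 102,052 K 33,856 K 2816 Firefox Mozilla Corporation (Verified) Mozilla Corporation
aolsoftware.exe 1.00 6,900 K 3,496 K 2348 AOL AOL Inc. (Verified) AOL Inc.
- END OF LOG -
"""

ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?:(?P<cpu>\d+\.\d+)\s+)?"      # CPU % is omitted when the process used none
    r"(?P<priv>[\d,]+) K\s+"
    r"(?P<ws>[\d,]+) K\s+"
    r"(?P<pid>\d+|n/a)"
    r"(?:\s+(?P<rest>.*))?$"
)
SIGNER_RE = re.compile(r"\((Verified|No signature was present in the subject)\)")


@dataclass
class ProcEntry:
    name: str
    cpu: Optional[float]
    private_kb: int
    working_set_kb: int
    pid: Optional[int]          # None for the pseudo-process "Interrupts" (n/a)
    verified: Optional[bool]    # None when no signer status was printed at all
    detail: str


def parse_procexp(text: str) -> list[ProcEntry]:
    """Parse a saved listing; the header and '- END OF LOG -' lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest") or ""
        sig = SIGNER_RE.search(rest)
        entries.append(ProcEntry(
            name=m.group("name"),
            cpu=float(m.group("cpu")) if m.group("cpu") else None,
            private_kb=int(m.group("priv").replace(",", "")),
            working_set_kb=int(m.group("ws").replace(",", "")),
            pid=None if m.group("pid") == "n/a" else int(m.group("pid")),
            verified=None if sig is None else sig.group(1) == "Verified",
            detail=rest,
        ))
    return entries


def cpu_accounting(entries: list[ProcEntry]) -> dict:
    """Idle time plus every listed process (and Interrupts) should sum to about 100%.
    A large remainder is CPU consumed by something the listing does not show."""
    visible = round(sum(e.cpu for e in entries if e.cpu is not None), 2)
    idle = next((e.cpu for e in entries if e.name == "System Idle Process"), 0.0)
    return {"idle": idle, "visible_total": visible, "unaccounted": round(100.0 - visible, 2)}


def cpu_gap_is_suspicious(report: dict, threshold: float = 5.0) -> bool:
    # Sampling jitter leaves a gap of a few percent; tens of percent is the
    # pattern RKinner points at in the first posted log.
    return report["unaccounted"] > threshold


def unverified(entries: list[ProcEntry]) -> list[str]:
    """Images Process Explorer could not verify. A review prompt, not proof: in the
    thread's own logs core XP files such as csrss.exe and smss.exe carry the same
    status, so each hit still gets its path and hash checked by hand."""
    return [e.name for e in entries if e.verified is False]


if __name__ == "__main__":
    for label, sample in (("first", BAD_SAMPLE), ("second", NORMAL_SAMPLE)):
        ents = parse_procexp(sample)
        rep = cpu_accounting(ents)
        print(f"{label}: {rep} suspicious={cpu_gap_is_suspicious(rep)} unverified={unverified(ents)}")
```

Run against the second posted log the visible CPU figures sum to 100, matching the "things look normal" verdict; against the first they sum to about 6.5, which is the gap the expert is asking about.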

#15
jdnz

jdnz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi RKinner:

Thank you for your timely response.

We followed your directions for the .zip with 7-zip, however the geekstogo forum shows the error..."Error...You aren't permitted to upload this kind of file." We also tried to attach and upload with the txt. The same error shows. Does our account have access to upload?

The following is the text we typed to you to go along with the *(not yet)* attached log. We will wait to hear back from you on how to proceed with attaching the file. Sorry for the delay.
===================================================

We can re-run 'Get Process Explorer' again if you'd like? Do let us know. What should be above the System Idle Process 1.23?

Please also note we had to disable the Avast today (for the time being); it was slowing the system down and becoming a bit too intrusive with its pop-ups. Maybe a setting or two needs to be adjusted? In addition, we could not end the processes of the Avast. We tried through the 'Task Manager' and 'Services.msc', but no luck. It stated we did not have access/permission. At this point some are still running. It sure seems to be well hooked into the system.

Attached you will find the requested Autoruns as a .zip file. For Autoruns program we kept the check marks next to Microsoft and Windows Entries Hidden. If you should need them unchecked, please do let us know and we will be happy to do so.

*At some point some computer items may have been stopped or edited to not run by using a program such as CCleaner.* Not sure if you would be able to tell what they are through the Autoruns program. We can change any setting that you request back to its default/original. I can post the CCleaner startup info if you'd like.

By the way, any feedback on the log of items that Avast found in the earlier posting?

Thank you and we will check back for the next set of directions. Much appreciated.

Edited by jdnz, 06 January 2014 - 07:50 PM.

  • 0





