CPU Load High, Computer Sluggish, MBAM Not Starting



#16 brispuss (Member, Topic Starter, 41 posts)

My dial-up connection was behaving itself for a while, where I could connect on the first dial-up attempt.

 

Anyway, the error 691 has once again occurred.

 

Here is the PPP trace log while receiving the 691 error on a dial-up attempt:

 

 
[3684] 07-15 13:31:07:529: PROTOCOL_MSG_Start recvd, d=, hPort=9,flags=0,mask=883020a,IfType=-1
[3700] 07-15 13:31:07:529: Line up event occurred on port 9
[3700] 07-15 13:31:07:530: Local identification = MSRAS-0-MINE-PC
[3700] 07-15 13:31:07:530: PortName: COM3
[3700] 07-15 13:31:07:530: Starting PPP on link with IfType=0xffffffff,IPIf=0xffffffff,IPv6If=0xffffffff
[3700] 07-15 13:31:07:530: RasGetBuffer returned 2765ba0 for SendBuf
[3700] 07-15 13:31:07:530: FsmInit called for protocol = c021, port = 9
[3700] 07-15 13:31:07:530: FsmInit for protocol = c021 Configuration 0x883020a 
[3700] 07-15 13:31:07:530: PPP ConfigMask 0x883020a 
[3700] 07-15 13:31:07:530: PPP ConfigMask = 883020a
[3700] 07-15 13:31:07:530: PPP ConfigMask = 883020a
[3700] 07-15 13:31:07:530: APs available = e
[3700] 07-15 13:31:07:530: FsmReset called for protocol = c021, port = 9
[3700] 07-15 13:31:07:530: Inserting port in bucket # 1
[3700] 07-15 13:31:07:530: Inserting bundle in bucket # 0
[3700] 07-15 13:31:07:530: FsmOpen event received for protocol c021 on port 9
[3700] 07-15 13:31:07:530: FsmThisLayerStarted called for protocol = c021, port = 9
[3700] 07-15 13:31:07:530: FsmUp event received for protocol c021 on port 9
[3700] 07-15 13:31:07:530: <PPP packet sent at 07/15/2017 01:31:07:530
[3700] 07-15 13:31:07:530: <Protocol = LCP, Type = Configure-Req, Length = 0x19, Id = 0x0, Port = 9
[3700] 13:31:07:530: <C0 21 01 00 00 17 02 06 00 00 00 00 05 06 36 4B |.!............6K|
[3700] 13:31:07:530: <45 CF 07 02 08 02 0D 03 06 00 00 00 00 00 00 00 |E...............|
[3700] 07-15 13:31:07:530:  
[3700] 07-15 13:31:07:530: InsertInTimerQ called portid=14,Id=0,Protocol=c021,EventType=0,fAuth=0,Timeout=1
[3700] 07-15 13:31:07:530: InsertInTimerQ called portid=14,Id=0,Protocol=0,EventType=3,fAuth=0,Timeout=150
[784] 07-15 13:31:07:689: Packet received (41 bytes) for hPort 9
[784] 07-15 13:31:07:689: Packet received (9 bytes) for hPort 9
[3700] 07-15 13:31:07:689: >PPP packet received at 07/15/2017 01:31:07:689
[3700] 07-15 13:31:07:689: >Protocol = LCP, Type = Configure-Req, Length = 0x29, Id = 0x1, Port = 9
[3700] 13:31:07:689: >C0 21 01 01 00 27 00 04 00 00 01 04 05 F4 02 06 |.!...'..........|
[3700] 13:31:07:689: >00 0A 00 00 03 04 C0 23 07 02 08 02 11 04 05 F4 |.......#........|
[3700] 13:31:07:689: >13 09 03 00 C0 7B 00 0B B8 00 00 00 00 00 00 00 |.....{..........|
[3700] 07-15 13:31:07:689:  
[3700] 07-15 13:31:07:689: CheckOption: Negotiated Options 2
[3700] 07-15 13:31:07:689: CheckOption: Negotiated Options 6
[3700] 07-15 13:31:07:689: CheckOption: Negotiated Options e
[3700] 07-15 13:31:07:689: CheckOption: Negotiated Options 8e
[3700] 07-15 13:31:07:689: CheckOption: Negotiated Options 18e
[3700] 07-15 13:31:07:689: <PPP packet sent at 07/15/2017 01:31:07:689
[3700] 07-15 13:31:07:689: <Protocol = LCP, Type = Configure-Reject, Length = 0x17, Id = 0x1, Port = 9
[3700] 13:31:07:689: <C0 21 04 01 00 15 00 04 00 00 11 04 05 F4 13 09 |.!..............|
[3700] 13:31:07:689: <03 00 C0 7B 00 0B B8 00 00 00 00 00 00 00 00 00 |...{............|
[3700] 07-15 13:31:07:689:  
[3700] 07-15 13:31:07:689: >PPP packet received at 07/15/2017 01:31:07:689
[3700] 07-15 13:31:07:689: >Protocol = LCP, Type = Configure-Reject, Length = 0x9, Id = 0x0, Port = 9
[3700] 13:31:07:689: >C0 21 04 00 00 07 0D 03 06 00 00 00 00 00 00 00 |.!..............|
[3700] 07-15 13:31:07:689:  
[3700] 07-15 13:31:07:690: RemoveFromTimerQ called portid=14,Id=0,Protocol=c021,EventType=0,fAuth=0
[3700] 07-15 13:31:07:690: <PPP packet sent at 07/15/2017 01:31:07:690
[3700] 07-15 13:31:07:690: <Protocol = LCP, Type = Configure-Req, Length = 0x16, Id = 0x1, Port = 9
[3700] 13:31:07:690: <C0 21 01 01 00 14 02 06 00 00 00 00 05 06 36 4B |.!............6K|
[3700] 13:31:07:690: <45 CF 07 02 08 02 00 00 00 00 00 00 00 00 00 00 |E...............|
[3700] 07-15 13:31:07:690:  
[3700] 07-15 13:31:07:690: InsertInTimerQ called portid=14,Id=1,Protocol=c021,EventType=0,fAuth=0,Timeout=1
[784] 07-15 13:31:07:827: Packet received (24 bytes) for hPort 9
[3700] 07-15 13:31:07:827: >PPP packet received at 07/15/2017 01:31:07:827
[3700] 07-15 13:31:07:827: >Protocol = LCP, Type = Configure-Req, Length = 0x18, Id = 0x2, Port = 9
[3700] 13:31:07:827: >C0 21 01 02 00 16 01 04 05 F4 02 06 00 0A 00 00 |.!..............|
[3700] 13:31:07:827: >03 04 C0 23 07 02 08 02 00 00 00 00 00 00 00 00 |...#............|
[3700] 07-15 13:31:07:827:  
[3700] 07-15 13:31:07:827: CheckOption: Negotiated Options 18e
[3700] 07-15 13:31:07:827: CheckOption: Negotiated Options 18e
[3700] 07-15 13:31:07:827: CheckOption: Negotiated Options 18e
[3700] 07-15 13:31:07:827: CheckOption: Negotiated Options 18e
[3700] 07-15 13:31:07:827: CheckOption: Negotiated Options 18e
[3700] 07-15 13:31:07:827: <PPP packet sent at 07/15/2017 01:31:07:827
[3700] 07-15 13:31:07:827: <Protocol = LCP, Type = Configure-Ack, Length = 0x18, Id = 0x2, Port = 9
[3700] 13:31:07:827: <C0 21 02 02 00 16 01 04 05 F4 02 06 00 0A 00 00 |.!..............|
[3700] 13:31:07:827: <03 04 C0 23 07 02 08 02 00 00 00 00 00 00 00 00 |...#............|
[3700] 07-15 13:31:07:827:  
[784] 07-15 13:31:07:833: Packet received (22 bytes) for hPort 9
[3700] 07-15 13:31:07:833: >PPP packet received at 07/15/2017 01:31:07:833
[3700] 07-15 13:31:07:833: >Protocol = LCP, Type = Configure-Ack, Length = 0x16, Id = 0x1, Port = 9
[3700] 13:31:07:833: >C0 21 02 01 00 14 02 06 00 00 00 00 05 06 36 4B |.!............6K|
[3700] 13:31:07:833: >45 CF 07 02 08 02 00 00 00 00 00 00 00 00 00 00 |E...............|
[3700] 07-15 13:31:07:833:  
[3700] 07-15 13:31:07:833: RemoveFromTimerQ called portid=14,Id=1,Protocol=c021,EventType=0,fAuth=0
[3700] 07-15 13:31:07:833: FsmThisLayerUp called for protocol = c021, port = 9
[3700] 07-15 13:31:07:833: LCP Local Options-------------
[3700] 07-15 13:31:07:833: MRU=1500,ACCM=0,Auth=0,MagicNumber=910902735,PFC=ON,ACFC=ON
[3700] 07-15 13:31:07:833: Recv Framing = PPP,SSHF=OFF,MRRU=1500,LinkDiscrim=0
[3700] 07-15 13:31:07:833: LCP Remote Options-------------
[3700] 07-15 13:31:07:833: MRU=1524,ACCM=655360,Auth=c023,MagicNumber=0,PFC=ON,ACFC=ON
[3700] 07-15 13:31:07:833: Send Framing = PPP,SSHF=OFF,MRRU=1500,LinkDiscrim=0
[3700] 07-15 13:31:07:833: LCP Configured successfully
[3700] 07-15 13:31:07:833: Sending Version Identification MSRASV5.20
[3700] 07-15 13:31:07:833: <PPP packet sent at 07/15/2017 01:31:07:833
[3700] 07-15 13:31:07:833: <Protocol = LCP, Type = Identification, Length = 0x14, Id = 0x2, Port = 9
[3700] 13:31:07:833: <C0 21 0C 02 00 12 36 4B 45 CF 4D 53 52 41 53 56 |.!....6KE.MSRASV|
[3700] 13:31:07:833: <35 2E 32 30 00 00 00 00 00 00 00 00 00 00 00 00 |5.20............|
[3700] 07-15 13:31:07:833:  
[3700] 07-15 13:31:07:834: Sending ComputerName Identification MSRAS-0-MINE-PC
[3700] 07-15 13:31:07:834: <PPP packet sent at 07/15/2017 01:31:07:834
[3700] 07-15 13:31:07:834: <Protocol = LCP, Type = Identification, Length = 0x19, Id = 0x3, Port = 9
[3700] 13:31:07:834: <C0 21 0C 03 00 17 36 4B 45 CF 4D 53 52 41 53 2D |.!....6KE.MSRAS-|
[3700] 13:31:07:834: <30 2D 4D 49 4E 45 2D 50 43 00 00 00 00 00 00 00 |0-MINE-PC.......|
[3700] 07-15 13:31:07:834:  
[3700] 07-15 13:31:07:834: Client: LCP Configured successfully for Guid {C3D37ECC-02F8-4A83-A2E8-C29B31478532}
[3700] 07-15 13:31:07:834: Sending Correlation Guid {C3D37ECC-02F8-4A83-A2E8-C29B31478532}
[3700] 07-15 13:31:07:834: <PPP packet sent at 07/15/2017 01:31:07:834
[3700] 07-15 13:31:07:834: <Protocol = LCP, Type = Identification, Length = 0x1a, Id = 0x4, Port = 9
[3700] 13:31:07:834: <C0 21 0C 04 00 18 36 4B 45 CF CC 7E D3 C3 F8 02 |.!....6KE..~....|
[3700] 13:31:07:834: <83 4A A2 E8 C2 9B 31 47 85 32 00 00 00 00 00 00 |.J....1G.2......|
[3700] 07-15 13:31:07:834:  
[3700] 07-15 13:31:07:834: Authenticating phase started
[3700] 07-15 13:31:07:835: Calling APWork in APStart
[3700] 07-15 13:31:07:835: <PPP packet sent at 07/15/2017 01:31:07:835
[3700] 07-15 13:31:07:835: <Protocol = PAP, Type = Protocol specific, Length = 0x17, Id = 0x7, Port = 9
[3700] 07-15 13:31:07:835:  
[3700] 07-15 13:31:07:835: InsertInTimerQ called portid=14,Id=7,Protocol=c023,EventType=0,fAuth=0,Timeout=1
[784] 07-15 13:31:08:043: Packet received (7 bytes) for hPort 9
[3700] 07-15 13:31:08:043: >PPP packet received at 07/15/2017 01:31:08:043
[3700] 07-15 13:31:08:043: >Protocol = PAP, Type = Protocol specific, Length = 0x7, Id = 0x7, Port = 9
[3700] 07-15 13:31:08:043:  
[3700] 07-15 13:31:08:043: RemoveFromTimerQ called portid=14,Id=7,Protocol=c023,EventType=0,fAuth=0
[3700] 07-15 13:31:08:043: Auth Protocol c023 terminated with error 691
[3700] 07-15 13:31:08:043: NotifyCaller(hPort=9, dwMsgId=1)
[3684] 07-15 13:31:08:046: PROTOCOL_MSG_Stop recvd
 
[3700] 07-15 13:31:08:046: FsmClose event received for protocol c021 on port 9
[3700] 07-15 13:31:08:046: RemoveFromTimerQ called portid=14,Id=1,Protocol=c021,EventType=0,fAuth=0
[3700] 07-15 13:31:08:046: FsmThisLayerDown called for protocol = c021, port = 9
[3700] 07-15 13:31:08:046: RemoveFromTimerQ called portid=14,Id=7,Protocol=c023,EventType=0,fAuth=0
[3700] 07-15 13:31:08:046: RemoveFromTimerQ called portid=14,Id=0,Protocol=c029,EventType=0,fAuth=0
[3700] 07-15 13:31:08:046: <PPP packet sent at 07/15/2017 01:31:08:046
[3700] 07-15 13:31:08:046: <Protocol = LCP, Type = Terminate-Req, Length = 0x12, Id = 0x5, Port = 9
[3700] 13:31:08:046: <C0 21 05 05 00 10 36 4B 45 CF 00 3C CD 74 00 00 |.!....6KE..<.t..|
[3700] 13:31:08:046: <02 B3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[3700] 07-15 13:31:08:046:  
[3700] 07-15 13:31:08:046: InsertInTimerQ called portid=14,Id=5,Protocol=c021,EventType=0,fAuth=0,Timeout=1
[3684] 07-15 13:31:08:049: PROTOCOL_MSG_Stop recvd
 
[3700] 07-15 13:31:08:049: FsmClose event received for protocol c021 on port 9
[3700] 07-15 13:31:08:049: RemoveFromTimerQ called portid=14,Id=5,Protocol=c021,EventType=0,fAuth=0
[3700] 07-15 13:31:08:049: FsmThisLayerFinished called for protocol = c021, port = 9
[3700] 07-15 13:31:08:049: NotifyCaller(hPort=9, dwMsgId=10)
[784] 07-15 13:31:11:668: PROTOCOL_MSG_LineDown recvd, hPort=9
 
[3700] 07-15 13:31:11:668: Line down event occurred on port 9
[3700] 07-15 13:31:11:668: FsmDown event received for protocol c021 on port 9
[3700] 07-15 13:31:11:668: RemoveFromTimerQ called portid=14,Id=5,Protocol=c021,EventType=0,fAuth=0
[3700] 07-15 13:31:11:668: FsmReset called for protocol = c021, port = 9
[3700] 07-15 13:31:11:668: RemoveFromTimerQ called portid=14,Id=0,Protocol=0,EventType=3,fAuth=0
[3700] 07-15 13:31:11:668: RemoveFromTimerQ called portid=14,Id=0,Protocol=0,EventType=7,fAuth=0
[3700] 07-15 13:31:11:668: RemoveFromTimerQ called portid=14,Id=0,Protocol=0,EventType=2,fAuth=0
[3700] 07-15 13:31:11:668: RemoveFromTimerQ called portid=14,Id=0,Protocol=0,EventType=1,fAuth=0
[3700] 07-15 13:31:11:669: RemoveFromTimerQ called portid=14,Id=0,Protocol=c029,EventType=0,fAuth=0
[3700] 07-15 13:31:11:669: LcpEnd
[3700] 07-15 13:31:11:669: Post line down event occurred on port 9
[3700] 07-15 13:31:11:669: NotifyCaller(hPort=9, dwMsgId=25)
 
 
What does this mean?

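An added example, not part of brispuss's post and not code from Windows RAS: a short Python script that reassembles the LCP frames from the hex-dump lines of the trace above, decodes their options by the LCP option numbers (RFC 1661 and the multilink/callback extensions), and pulls out the authentication result. Two things a practitioner would want to confirm from the trace fall out of it: the peer's Configure-Req carries Auth-Protocol 0xC023, i.e. the ISP demands PAP, so the username and password cross the modem link in cleartext; and error 691 is RAS ERROR_AUTHENTICATION_FAILURE, the peer's answer to that PAP request. Note that the Windows trace prints only the headers of the PAP packets, not their bodies, so the posted log does not contain the credentials. The trace lines are excerpted from the post; the option and error tables are the script's own.

```python
import re

# Lines excerpted from the PPP trace posted above: the peer's LCP Configure-Req,
# the local Configure-Reject, and the authentication result.
TRACE = """
[3700] 07-15 13:31:07:689: >Protocol = LCP, Type = Configure-Req, Length = 0x29, Id = 0x1, Port = 9
[3700] 13:31:07:689: >C0 21 01 01 00 27 00 04 00 00 01 04 05 F4 02 06 |.!...'..........|
[3700] 13:31:07:689: >00 0A 00 00 03 04 C0 23 07 02 08 02 11 04 05 F4 |.......#........|
[3700] 13:31:07:689: >13 09 03 00 C0 7B 00 0B B8 00 00 00 00 00 00 00 |.....{..........|
[3700] 07-15 13:31:07:689:
[3700] 07-15 13:31:07:689: <Protocol = LCP, Type = Configure-Reject, Length = 0x17, Id = 0x1, Port = 9
[3700] 13:31:07:689: <C0 21 04 01 00 15 00 04 00 00 11 04 05 F4 13 09 |.!..............|
[3700] 13:31:07:689: <03 00 C0 7B 00 0B B8 00 00 00 00 00 00 00 00 00 |...{............|
[3700] 07-15 13:31:08:043: Auth Protocol c023 terminated with error 691
"""

LCP_CODES = {1: "Configure-Req", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject",
             5: "Terminate-Req", 6: "Terminate-Ack", 9: "Echo-Req", 10: "Echo-Reply", 12: "Identification"}
LCP_OPTIONS = {0: "Vendor-Specific", 1: "MRU", 2: "ACCM", 3: "Auth-Protocol", 5: "Magic-Number",
               7: "PFC", 8: "ACFC", 13: "Callback", 17: "MRRU", 19: "Endpoint-Discriminator"}
AUTH_PROTOCOLS = {0xC023: "PAP (password sent in cleartext)", 0xC223: "CHAP", 0xC227: "EAP"}
# RAS error 691 is ERROR_AUTHENTICATION_FAILURE: the peer rejected the credentials.
RAS_ERRORS = {691: "peer rejected the username/password"}

HEADER = re.compile(r": ([<>])Protocol = (\w+), Type = ")
HEXDUMP = re.compile(r": [<>]((?:[0-9A-F]{2} )+)\|")
AUTH_RESULT = re.compile(r"Auth Protocol ([0-9a-f]+) terminated with error (\d+)")


def packets_from_trace(text):
    """Reassemble each packet's hex-dump lines; '<' is sent by us, '>' received."""
    packets = []
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            packets.append([h.group(1), bytearray()])
            continue
        d = HEXDUMP.search(line)
        if d and packets:
            packets[-1][1] += bytes.fromhex(d.group(1))
    return [(direction, bytes(raw)) for direction, raw in packets]


def parse_lcp(raw):
    """Decode one LCP frame: protocol(2) code(1) id(1) length(2) then TLV options."""
    if int.from_bytes(raw[:2], "big") != 0xC021:
        raise ValueError("not an LCP frame")
    code, ident = raw[2], raw[3]
    length = int.from_bytes(raw[4:6], "big")
    body = raw[6:2 + length]      # dump lines are zero-padded to 16 bytes; trust the length field
    options, i = [], 0
    if code in (1, 2, 3, 4):      # only Configure-* frames carry options
        while i + 2 <= len(body):
            typ, ln = body[i], body[i + 1]
            if ln < 2 or i + ln > len(body):
                raise ValueError(f"malformed option at offset {i}")
            options.append((LCP_OPTIONS.get(typ, f"option-{typ}"), body[i + 2:i + ln]))
            i += ln
    return {"code": LCP_CODES.get(code, f"code-{code}"), "id": ident, "options": options}


def describe(name, data):
    """Human-readable form of one option."""
    if name in ("MRU", "MRRU"):
        return f"{name}={int.from_bytes(data, 'big')}"
    if name == "Auth-Protocol":
        proto = int.from_bytes(data[:2], "big")
        return f"Auth-Protocol={AUTH_PROTOCOLS.get(proto, hex(proto))}"
    if name == "Endpoint-Discriminator":
        return f"{name}=class {data[0]} {data[1:].hex(':')}"
    return f"{name}=0x{data.hex()}" if data else name


def analyse(text):
    """Summarise the LCP negotiation and the authentication outcome of a trace."""
    report = {"packets": [], "auth_protocol": None, "auth_error": None}
    for direction, raw in packets_from_trace(text):
        pkt = parse_lcp(raw)
        pkt["direction"] = "recv" if direction == ">" else "sent"
        pkt["summary"] = [describe(n, d) for n, d in pkt["options"]]
        report["packets"].append(pkt)
        if pkt["direction"] == "recv" and pkt["code"] == "Configure-Req":
            for name, data in pkt["options"]:
                if name == "Auth-Protocol":          # what the peer demands from us
                    report["auth_protocol"] = AUTH_PROTOCOLS.get(int.from_bytes(data, "big"), data.hex())
    m = AUTH_RESULT.search(text)
    if m:
        code = int(m.group(2))
        report["auth_error"] = code
        report["auth_error_meaning"] = RAS_ERRORS.get(code, "see the RAS error table")
    return report


if __name__ == "__main__":
    result = analyse(TRACE)
    for p in result["packets"]:
        print(p["direction"], p["code"], "id", p["id"], ", ".join(p["summary"]))
    print("peer requires:", result["auth_protocol"])
    print("auth error:", result["auth_error"], result["auth_error_meaning"])
```

Run against the excerpt it prints the peer's eight options (MRU 1524, ACCM 0x000a0000, PAP, PFC, ACFC, MRRU, a MAC-address endpoint discriminator and a vendor-specific option) and the three options the local side rejected, then the PAP requirement and the 691 result. The same script works on a full `ppp.log`; only LCP frames are decoded, and frames without a hex dump (the PAP ones) are skipped.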

#17 RKinner (Malware Expert, MVP, 19,798 posts)
Pretty much what you thought:

 

Auth Protocol c023 terminated with error 691

 

username/password incorrect.

 

 

What usually happens is they have several authentication servers that share the load.  One of them is probably sick or programmed wrong or has an incorrect database.  Nothing you can do on your end except complain to the ISP.



#18 brispuss (Member, Topic Starter, 41 posts)

Thanks!

 

I've emailed my ISP together with a copy of PPP scan log. We'll see what happens (if anything).

 

Avast Free Antivirus seems to be having problems updating its database (possibly because I'm on a slow dial-up connection; this is a common issue unfortunately where some other programs will not update (completely) due to slow internet connection).

 

It seems an Avast executable named "instup.exe" is running, which I presume is the updating process, but is apparently generating some error messages within Avast program itself and within a program named Process Monitor which I'm running to view what is happening. Basically it appears that Avast is NOT updating, although it seems Avast is trying to. And it very briefly shows the update download progress indicator (which doesn't appear to be progressing) before quickly showing the "error"(?) in Avast screen that Setup is already running!?

 

Here are screenshots of what is happening -

 

Avast_Updating.png

 

Avast_Process.PNG



#19 RKinner (Malware Expert, MVP, 19,798 posts)
Perhaps it was a mistake to right click and Run As Admin, though that's what I have always done.  The folders that Avast is trying to get to do not exist where it thinks they are.  I would uninstall it and try a new install.



#20 brispuss (Member, Topic Starter, 41 posts)

Having trouble with Avast Free Antivirus (AFA)!

 

First, it wouldn't let me uninstall it, with a message that Avast Setup was still running!!? So I rebooted into Safe Mode and managed to uninstall AFA then.

 

Rebooted to Normal Mode, and this time re-installed AFA just by double clicking the standalone installer executable, instead of running the installer as an Administrator.

 

Under AFA Update Settings, I made sure to check that the program and virus definition updates were set to "Manual". I don't want automatic updates running in the background as they would severely limit available bandwidth on the internet (I'm on dial-up) for browsing and other tasks.

 

Also set the option that "I only connect to the internet using a dial up modem".

 

This time updating the Virus Definitions seemed to work (although there was a very brief error message appearing at the start of the updating). The updating progress indicator worked this time also.

 

Next I tried to update the "Specialized Definitions" under the Boot-time scan. There was no feedback of any kind by AFA that the specialized definitions were actually being downloaded (no progress indicator, no indication of file size, nothing)!? However the computer network indicator showed that data was being downloaded.

 

After about four hours (!!), the network indicator showed that data was still being downloaded!? At this stage approximately 70 ~ 80+ MB of data would have been downloaded. Surely the Specialized Definitions file(s) wouldn't be as large as 70 ~ 100 MB (or whatever)? I then cancelled the download by exiting AFA.

 

Later I started AFA again, and it stated that the Specialized Definitions are installed and ready to use!? How can that be when I stopped the downloading previously!?

 

Before attempting a Boot-Time Scan, I'd like some further guidance, especially regarding the size of the Specialized Definition file(s), if known.

 

Are there some other alternative anti-malware scanners to verify (as far as possible) that there is no malware residing in my computer? By the way, I've tried ESET Online Scanner, but it doesn't seem to work, as required files to be downloaded do not complete downloading (probably because of my slow internet connection).



#21 RKinner (Malware Expert, MVP, 19,798 posts)
Sorry it's giving you such grief.  I haven't worked with dialup in about 10 years.  No idea how big the extra definitions are.  I think they used to say, but I just did it and they don't say anymore.  It took about 20 seconds on a 9.86 Mbps connection to download and install, so they may be that big.

 

If it says it has the definitions go ahead and try the boot-time scan.

 

As for other scanners, we can try Rogue Killer.  It's not as heavy duty as the Avast boot-time scan but it's still about a 21MB download.

 

Let's run Rogue Killer
 
Portable 32 bits <==USE THIS ONE
 
 
Download and Save.
 
 
 
Right click on the downloaded file (RogueKillerX64.exe or RogueKiller.exe)  and Run As admin
 
Start Scan
 
Will take about 20 minutes to complete.
 
Open Report
Export TXT (save it to your desktop as rk) Save
 
Do not let Rogue Killer remove anything until you hear from me.  Leave Rogue Killer up (but minimized) so you won't have to rescan.
 
Open rk.txt and copy and paste it to your next Reply. 
 

#22 brispuss (Member, Topic Starter, 41 posts)

RogueKiller scan result -

 

RogueKiller V12.11.6.0 [Jul 10 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Administrator [Administrator]
Started from : C:\Users\Administrator\Desktop\RogueKiller_portable32.exe
Mode : Scan -- Date : 07/17/2017 00:14:41 (Duration : 00:18:52)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 12 ¤¤¤
[PUP.Gen1] HKEY_USERS\RK_Administrator_ON_D_0B86\Software\Headlight -> Found
[PUP.Gen1] HKEY_USERS\RK_Mine_ON_D_51C0\Software\Headlight -> Found
[PUP.Gen1] HKEY_USERS\RK_Peter Bahniuk_ON_F_6CF3\Software\Headlight -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\RK_Software_ON_F_787A\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583} | Exec : %windir%\Network Diagnostic\xpnetdiag.exe [x] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eapihdrv (\??\C:\Users\ADMINI~1\AppData\Local\Temp\ehdrv.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\eapihdrv (\??\C:\Users\ADMINI~1\AppData\Local\Temp\ehdrv.sys) -> Found
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{855466F3-7F95-42EE-A38B-74B33AED5942} | NameServer : 203.97.78.43 203.97.78.44 ([-][New Zealand])  -> Found
[Hj.Name|Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B6D4835D-9C63-4C90-AD94-E55D0567FC0A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\Administrator\AppData\Roaming\audiodg.exe|Name=audiodg.exe| [x] -> Found
[Hj.Name|Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FF5C5D59-30FF-41B6-A4FC-A7B8D3DE5587} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\Administrator\AppData\Roaming\audiodg.exe|Name=audiodg.exe| [x] -> Found
[Hj.Name|Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B6D4835D-9C63-4C90-AD94-E55D0567FC0A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\Administrator\AppData\Roaming\audiodg.exe|Name=audiodg.exe| [x] -> Found
[Hj.Name|Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FF5C5D59-30FF-41B6-A4FC-A7B8D3DE5587} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\Administrator\AppData\Roaming\audiodg.exe|Name=audiodg.exe| [x] -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1002102086-959386047-1437358805-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5003AZEX-00K1GA0 ATA Device +++++
--- User ---
[MBR] 6298a53a541a561785cfb7070376a726
[BSP] f1e87c7c3825a3d91fde04dfd8b0c4b4 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 100108 MB [Windows XP Bootstrap | Windows XP Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 205021530 | Size: 376829 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD5003AZEX-00K1GA0 ATA Device +++++
--- User ---
[MBR] cdb34e5aec052ecd0887ef37212376ab
[BSP] aed50a63cdcd7e59f30aa533771429dd : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 122607 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 251320860 | Size: 317440 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 901439280 | Size: 36773 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
Will attempt Avast Boot-Scan shortly, and post results later (all being well).
 
EDIT: here is AFA log -
 
07/17/2017 00:39
Scan of C:
 
Scan of *STARTUP
 
File C:\Program Files\Bookmark Buddy Unicode\BmkBuddy.chm|>$FIftiMain Error 42136 {CHM archive is corrupted.}
File C:\Program Files\Common Files\Adobe\AdobeGCClient\AdobeGCClient.zip.aamdownload|>icudtl.dat Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\FLVPlayer4Free\FLVPlayer4Free.exe is infected by Win32:UnwantedSig [PUP], Moved to chest
File C:\ProgramData\Adobe\ARM\Acrobat_11.0.00\AcrobatUpd11018.msp|>PCW_CAB_ACR11018|>acrord32.dll Error 42127 {CAB archive is corrupted.}
File C:\ProgramData\Adobe\ARM\Acrobat_11.0.00\AcrobatUpd11018.msp|>PCW_CAB_ACR11018 Error 42144 {OLE archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\034bc94c37a25e5a1ee034dd8838f899\BIT5A11.tmp|>Gfxv2_0.exe Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\0530405d08a1565ce0f4d4855f837400\BIT751.tmp|>package_18_for_kb3133977~31bf3856ad364e35~x86~~6.1.1.2.cat Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\806200e5fccb279c89b4bf13d3f85971\BITD820.tmp|>msxml.msi|>01File Error 42144 {OLE archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\806200e5fccb279c89b4bf13d3f85971\BITD820.tmp|>msxml.msi|>XML_Core.cab|>WINHTTP50_FILE.781A0624_31FF_4712_BFFD_31C829FFDBF1 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\806200e5fccb279c89b4bf13d3f85971\BITD820.tmp|>msxml.msi|>XML_Core.cab Error 42144 {OLE archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\806200e5fccb279c89b4bf13d3f85971\BITD820.tmp|>msxml.msi Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\80a4974833aff18679f8d22a5730fb4f\BIT2BEA.tmp|>x86_microsoft-windows-wcfcorecomp.resources_31bf3856ad364e35_6.1.7601.22733_ru-ru_ec65c75401ef1f88.manifest Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\47703e59601a15fe5cf334c23dccb1bc\BITDC39.tmp|>0 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\9ba023cff2c0f65c1db11f6ed40d3a95\BITD37A.tmp|>package_70_for_kb2973351~31bf3856ad364e35~x86~~6.1.1.1.cat Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\f24a3908119f46dcc2f94950d10e5d59\BITD4FB.tmp|>91 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\6b9b4fc6823f294c6dcf68681f138c98\BIT2A44.tmp|>4 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\cdb4e93c36d86e31de82c28ceafef9bb\BIT2437.tmp|>package_16_for_kb2931356~31bf3856ad364e35~x86~~6.1.1.0.cat Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\5b261aaaf352ac4f5c8ec379fefc1bc5\BIT25CE.tmp|>0 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\772dcae78c677485613b2d83fc664e64\BITD475.tmp|>package_36_for_kb2843630_bf~31bf3856ad364e35~x86~~6.1.3.1.cat Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\7f0d7a9417404f09a672ee41baf33456\BITCD6C.tmp|>package_for_kb3074543_sp1~31bf3856ad364e35~x86~~6.1.1.0.mum Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\4ea2e4665df5b5a3d08336abf32996c3\BIT2DAF.tmp|>12 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\88901c6b6e2efc8b22a3016bb35a2673\BITFFDD.tmp|>0 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\9ea70d08006fef60dafecf797e87aecd\BITCE86.tmp|>x86_0c720d210b0b3f27d83864fcf5196d0f_31bf3856ad364e35_6.1.7601.18103_none_5fefab570aa764db.manifest Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\a37580c907360a2ecf6b26d37bff05ec\BITD91B.tmp|>65 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\6fb1a2cb1394e96eaff8225487ea67fc\BITDF57.tmp|>package_12_for_kb3110329~31bf3856ad364e35~x86~~6.1.1.1.mum Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\229af6d78c47149dcd9f6bdb404545fa\BITDA06.tmp|>msxml.msi|>01File Error 42144 {OLE archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\229af6d78c47149dcd9f6bdb404545fa\BITDA06.tmp|>msxml.msi|>XML_Core.cab|>ul_msxml4.dll.7B30B69B_0E6C_B7E0_FF6B_D6B9ABF34537 Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\229af6d78c47149dcd9f6bdb404545fa\BITDA06.tmp|>msxml.msi|>XML_Core.cab Error 42144 {OLE archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\229af6d78c47149dcd9f6bdb404545fa\BITDA06.tmp|>msxml.msi Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\24a8a7461f35598f815bb23b701bae27\BITEF6E.tmp|>15 Error 42127 {CAB archive is corrupted.}
File C:\PEiD-0.95\PEIDSO.exe is infected by Win32:Trojan-gen, Moved to chest
File C:\Users\Administrator\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db|>data Error 42125 {ZIP archive is corrupted.}
File C:\Users\Administrator\Downloads\ht4zl.WinThruster.1.79.69.2469.Multilingual.rar|>Setup_WinThruster_2015.exe Error 42126 {RAR archive is corrupted.}
Number of searched folders: 18858
Number of tested files: 316416
Number of infected files: 2
 

Edited by brispuss, 16 July 2017 - 08:43 AM.

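An added example, not from brispuss's post, from RKinner, or from Adlice's RogueKiller: a Python triage pass over the registry entries in the report above. It parses the `v2.10|Key=Value|...` strings that RogueKiller prints for Windows firewall rules and the image path it prints for a service, and lists the reasons an entry deserves a manual look rather than deciding anything itself. The two audiodg.exe rules are the interesting pattern: the real audiodg.exe runs from System32, these rules allow inbound TCP and UDP to a copy under the user's roaming profile, and the `[x]` marker (which the script treats as RogueKiller's "file not found on disk" flag; that interpretation is the script's assumption) suggests the binary is gone while the rules remain. The ehdrv.sys driver in %TEMP% gets only one reason, a user-writable path; a driver of that name in that location is consistent with the ESET Online Scanner the poster said they ran, which is exactly the kind of context a human has and the script does not. The lists of System32-only binaries and of user-writable directory markers are the script's own and are deliberately short.

```python
import re
from pathlib import PureWindowsPath

# Entries copied from the RogueKiller report posted above (the ControlSet001
# driver service, the two audiodg.exe firewall rules, and one PUP entry).
REPORT = r"""
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eapihdrv (\??\C:\Users\ADMINI~1\AppData\Local\Temp\ehdrv.sys) -> Found
[Hj.Name|Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {B6D4835D-9C63-4C90-AD94-E55D0567FC0A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\Administrator\AppData\Roaming\audiodg.exe|Name=audiodg.exe| [x] -> Found
[Hj.Name|Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {FF5C5D59-30FF-41B6-A4FC-A7B8D3DE5587} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\Administrator\AppData\Roaming\audiodg.exe|Name=audiodg.exe| [x] -> Found
[PUP.Gen1] HKEY_USERS\RK_Mine_ON_D_51C0\Software\Headlight -> Found
"""

ENTRY = re.compile(r"^\[([^\]]+)\] (.*) -> Found$")
RULE_GUID = re.compile(r"\| (\{[0-9A-Fa-f-]+\}) : ")
# Assumed list (this script's, not RogueKiller's) of binaries that only ever run from System32.
SYSTEM_BINARIES = {"audiodg.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "dwm.exe", "spoolsv.exe"}
# Assumed markers of directories an unprivileged user or a user-level installer can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
IP_PROTOCOLS = {"6": "TCP", "17": "UDP"}


def path_flags(path):
    """Reasons a program path deserves a second look; empty for an ordinary system path."""
    p = path.replace("\\??\\", "").lower()      # strip the NT object-manager prefix
    reasons = []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("user-writable location")
    name = PureWindowsPath(p).name
    if name in SYSTEM_BINARIES and "\\windows\\system32\\" not in p:
        reasons.append(f"{name} normally lives in System32")
    return reasons


def parse_firewall_rule(body):
    """Split the 'v2.10|Key=Value|...' rule string RogueKiller prints after the rule GUID."""
    guid = RULE_GUID.search(body).group(1)
    rule_text = body.split(" : ", 1)[1]
    fields = dict(kv.split("=", 1) for kv in rule_text.split("|") if "=" in kv)
    fields["guid"] = guid
    fields["file_missing"] = "[x]" in rule_text   # assumed: RogueKiller's marker for a path it could not find
    return fields


def triage(report):
    """One finding per report entry, each with the reasons (possibly none) to verify it by hand."""
    findings = []
    for line in report.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        categories, body = m.group(1).split("|"), m.group(2)
        if "\\FirewallRules |" in body:
            rule = parse_firewall_rule(body)
            reasons = path_flags(rule.get("App", ""))
            if rule.get("Action") == "Allow" and rule.get("Dir") == "In":
                reasons.append("inbound allow rule")
            if rule["file_missing"]:
                reasons.append("program no longer on disk")
            findings.append({"kind": "firewall-rule", "categories": categories, "guid": rule["guid"],
                             "app": rule.get("App"),
                             "protocol": IP_PROTOCOLS.get(rule.get("Protocol"), rule.get("Protocol")),
                             "reasons": reasons})
        elif "\\Services\\" in body and body.endswith(")"):
            image = body[body.index("(") + 1:-1]
            findings.append({"kind": "driver-service", "categories": categories,
                             "image": image, "reasons": path_flags(image)})
        else:
            findings.append({"kind": "other", "categories": categories, "key": body, "reasons": []})
    return findings


def needs_manual_check(findings):
    """Entries with two or more independent reasons; a single weak reason is left to the reader."""
    return [f for f in findings if len(f["reasons"]) >= 2]


if __name__ == "__main__":
    for f in triage(REPORT):
        target = f.get("app") or f.get("image") or f.get("key")
        print(f["kind"], "|", target, "|", "; ".join(f["reasons"]) or "nothing to add")
```

On a full report, feed the whole text in; entries the script does not understand come back as `kind: other` with no reasons, so nothing is silently dropped. The thresholds and lists are starting points for a hand review, not a verdict.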

#23 RKinner (Malware Expert, MVP, 19,798 posts)
RK doesn't like headlight and the suspicious path stuff so you can let RK remove it all if you want or not.  It didn't really find anything bad.

 

Avast did find two trojans or at least what it thinks are trojans.  It also shows a lot of corrupt archives.  It just flags them.  I usually go back and manually delete the archives since a corrupt archive can cause odd problems if a program tries to use it.  

 

File C:\Program Files\Bookmark Buddy Unicode\BmkBuddy.chm|>$FIftiMain Error 42136 {CHM archive is corrupted.}

 

The actual file name stops at the | symbol.  So the file that you would delete is:   C:\Program Files\Bookmark Buddy Unicode\BmkBuddy.chm

 

These:

 

The C:\Windows\SoftwareDistribution\Download\... files.  These are Windows Updates.

The recommended procedure for these is:

 

net stop wuauserv
del C:\Windows\SoftwareDistribution  /q  /s

net start wuauserv

 

(from an elevated command prompt)

 

I'm assuming these downloads got corrupted by your dial up services.



#24 brispuss (Member, Topic Starter, 41 posts)

Thanks.

 

I've run the commands for Windows updating.

 

Headlight is related to legitimate software, so it is not of any concern.

 

I'll reinstall some of the corrupted programs/files and reinstall those legitimate programs that were removed (BookMark Buddy and FLVPlayer4Free).

 

Otherwise the system is apparently malware free now?


Edited by brispuss, 16 July 2017 - 06:29 PM.


#25 RKinner (Malware Expert, MVP, 19,798 posts)
Looks good to me.  I think we can clean up:

 

Time to clean up:
 
To delete the Quarantine Folder used by FRST create a fixlist.txt file with just the following line:
 
DeleteQuarantine:
 
Save the fixlist.txt to the same folder as FRST then run FRST and hit Fix.  You can easily delete any other folders and logs.
 
If we installed Speccy it needs to be uninstalled.  Process Explorer, VEW, AdwCleaner, JRT  and their logs and Speccy's log can just be deleted.
 
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  Flash is now the most malware targeted program so it must be kept up to date.  Be careful with Adobe.  They are fond of offering optional downloads like yahoo or Ask toolbars or that worthless McAfee Security Scan.  Go slow and uncheck the optional stuff.
 
Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions. 
 
 
If you use Chrome/Firefox then get the uBlock Origin add-on from https://www.ublock.org/.  For IE go to adblockplus.org and get the add-on.  (It's actually a program for IE)
 
If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox.  Close Chrome/Firefox/Skype. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow starting.
 
To prevent a relatively new phishing attack:  In Firefox, type:
 
about:config
 
in the URL box and hit Enter.  You should get a new page of options (if you get a notice about voiding the warranty just cancel the warning).  In the Search box put in 
 
puny
 
You should only get one option:
network.IDN_show_punycode
We want it to say True but by default it is False so double click on it to toggle from False to True.
Close and restart firefox.
 
To test it you can go to:
 
 
If the value is false you will see https://www.apple.com instead of the correct value
 
 
If you are a Facebook user get the FB Purity extension for your browser:
This will stop all of the suggested pages and ads so that Facebook loads much quicker.
 
 
Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will probably be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.
 
Due to a recent rise in the number of Cryptolocker infections I am now recommending you install:
 
CryptoPrevent
 
 
The free version does not update on its own so you should check for updated versions once in a while. When you install it the default is NONE which is kind of worthless so change it to Standard or default. If you have problems after installing CryptoPrevent you can just uninstall it.
 
If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...0637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.
 
Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.

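An added example, not part of RKinner's post and not Firefox's own code, showing what the network.IDN_show_punycode setting above protects against. A punycode hostname (the `xn--` form the browser would display with the setting on) is decoded back to the Unicode label the address bar would otherwise show, the label's scripts are taken from the Unicode character names, and a small lookalike table maps Cyrillic letters to the Latin letters they imitate. The point it demonstrates: the mixed-script check browsers already perform catches `pаypal` (Latin plus one Cyrillic а), but an all-Cyrillic label such as the widely demonstrated `аррӏе` is a single script and passes it, while still rendering as `apple` in most fonts. Displaying the punycode sidesteps the whole problem. The lookalike table is a constructed subset of Unicode's confusables data, and the sample hostnames are built inside the block rather than taken from the post, whose test link did not survive extraction.

```python
import unicodedata

# Constructed subset of Unicode's confusables table: Cyrillic letters that
# look like Latin ones in common fonts. The real table is far larger.
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}


def decode_label(label):
    """Unicode form of one hostname label; a label without the xn-- prefix is returned unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label):
    """Scripts of the letters in a label, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace each known lookalike by the Latin letter it imitates."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)


def assess(hostname):
    """What a punycode hostname displays as, and why it might be a homograph."""
    labels = hostname.split(".")
    decoded = [decode_label(label) for label in labels]
    reasons = []
    for raw, label in zip(labels, decoded):
        if raw == label:
            continue                      # plain ASCII label, nothing to decode
        scripts = scripts_in(label)
        if len(scripts) > 1:              # the check browsers already make
            reasons.append(f"{label!r} mixes scripts {sorted(scripts)}")
        lookalike = skeleton(label)
        if lookalike != label and lookalike.isascii():   # whole-script confusable: passes the check above
            reasons.append(f"{label!r} renders like ASCII {lookalike!r}")
    return {
        "punycode": hostname,
        "display": ".".join(decoded),
        "lookalike": ".".join(skeleton(label) for label in decoded),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The all-Cyrillic "apple" lookalike, built here rather than typed in as punycode.
    cyrillic_apple = "\u0430\u0440\u0440\u04cf\u0435"
    host = "xn--" + cyrillic_apple.encode("punycode").decode("ascii") + ".com"
    for key, value in assess(host).items():
        print(f"{key}: {value}")
```

Paste any `xn--` hostname from a suspicious link into `assess()`; a result whose `lookalike` is a familiar brand and whose `reasons` mention an ASCII rendering is the case the Firefox setting exists for.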


#26 brispuss (Member, Topic Starter, 41 posts)

What needs to be done has been done.

 

Thanks!

