system restore and autochk virus daily


meesh

Hello,

I recently had a popup fiasco, and in one day hundreds of things installed themselves on my XP.

I think I have gotten rid of everything, but on a daily basis my antivirus says my system information volume and autochk are infected. I turned off and created new restore points, and my scans are clean for a day, and then again it says I have a virus in system information volume. Lately my mspaint and calculator go missing even though I keep restoring them via the XP installation disk (not sure if that's related). I have attempted to get help from Bleeping Computer, but there is not much help or new information beyond what I've already done. My scans with Malwarebytes (AdwCleaner, MBAR anti-rootkit and MBAM anti-malware) all come up clean - but they did DURING the time when I had obvious malware.. but my real-time antivirus says 30 or more infected files daily (I turned System Restore on and off and I get a clean scan for a day before it comes back).

Is there any way to keep this from coming back?

Thanks in advance.


@meesh Run the following and post the 2 produced logs....

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens, click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.

Thank you,

Kevin....

 


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.


Let me see those logs....

Fixlist.txt


Hello,

Every time I run FRST it says "failed to update" (and I close it and continue) - not sure if that matters.

Below is the 'fixed' FRST scan, and attached is the Zemana log.

Thanks.

Fix result of Farbar Recovery Scan Tool (x86) Version: 27-11-2016
Ran by Meesh (09-12-2016 13:03:44) Run:2
Running from C:\Documents and Settings\Michelle\Desktop
Loaded Profiles: Meesh (Available Profiles: Meesh & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
BootExecute: autocheck autochk /p \??\C:
CMD: ipconfig /flushdns
EmptyTemp:
end

 

*****************

Restore point was successfully created.
Processes closed successfully.
hklm\System\CurrentControlSet\Control\Session Manager\\BootExecute => value restored successfully

========= ipconfig /flushdns =========

 

Windows IP Configuration

 

Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 42095 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/dllcache/drivers => 354773 B
Edge => 0 B
Chrome => 0 B
Firefox => 22490735 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default User => 0 B
All Users => 0 B
systemprofile => 0 B
LocalService => 424 B
NetworkService => 66228 B
Michelle => 1790736 B
Administrator => 9534656 B

RecycleBin => 0 B
EmptyTemp: => 32.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 13:03:57 ====

2016.12.09-13.09.13-i0-t92-d2.txt


Seems OK, except that after sending the logs I did another full system scan with Avast and it's still showing about 10 "threat detected" rootkit and Win32 malware in System Volume Information.. (autochk in the results happened only once). As I said in my original post, this started happening after a day of hundreds of accidental popups - before then my scans were always clean. Aside from a few fishy actions while using Office Word (not sure if related), my computer seems a lot better than it was, so not sure if I should believe Avast.

 


Thanks for the update. I want to clear out the System Restore folder and create a fresh RP as your system stands now. If your security responds to either of the next steps, either accept the alert or turn your security off to let them run....

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

Make Sure the following item is the only one checked:

 
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.


Now click on "Run" and wait patiently until the tool has completed.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Next,

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan, and when done post the new logs, "FRST.txt" and "Addition.txt".

Let me see those logs, and also tell me if there are any remaining issues or concerns........

Thank you,

Kevin....

 


Hi Kevin,

After the scan I turned System Restore on and off to clear it (I've done it numerous times, and it causes the next scan to be clean, but then it goes right back to finding viruses and malware in the results soon after). I can't seem to download Delfix. The first link says server not found, and the second link says it's downloading shortly, but nothing ever happens. I did use Sophos once, but I deleted it a few days ago - not sure if you want me to skip ahead to step 2 (download and use Sophos) without using Delfix. Please advise.

Thanks.

 


Hi,

No threats found on Sophos.

An Avast scan after doing all that is STILL saying 2 rootkit and 2 Win32:Malware in System Volume Information.

FRST.txt below and Addition attached.

Thanks

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-12-2016
Ran by Meesh (administrator) on MEESH (10-12-2016 10:30:19)
Running from C:\Documents and Settings\Michelle\Desktop
Loaded Profiles: Meesh (Available Profiles: Meesh & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\WINDOWS\system32\WLTRYSVC.EXE
(Dell Inc.) C:\WINDOWS\system32\BCMWLTRY.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Dell Inc.) C:\WINDOWS\system32\WLTRAY.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Flux Software LLC) C:\Documents and Settings\Michelle\Local Settings\Application Data\FluxSoftware\Flux\flux.exe
() C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
(Absolute Software Corp.) C:\WINDOWS\system32\rpcnet.exe
(Zemana Ltd.) C:\Program Files\Zemana AntiMalware\ZAM.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Sophos Limited) C:\Program Files\Sophos\Sophos Virus Removal Tool\SVRTgui.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\WINDOWS\system32\WLTRAY.exe [2220032 2008-10-24] (Dell Inc.)
HKLM\...\Run: [AESTFltr] => C:\WINDOWS\system32\AESTFltr.exe [729088 2009-02-20] (Andrea Electronics Corporation)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9080768 2016-11-25] (AVAST Software)
HKLM\...\Run: [ZAM] => C:\Program Files\Zemana AntiMalware\ZAM.exe [13915888 2016-11-22] (Zemana Ltd.)
HKU\S-1-5-21-602162358-706699826-1801674531-1003\...\Policies\Explorer: [NoInstrumentation] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-11-25] (AVAST Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Flux.lnk [2014-04-25]
ShortcutTarget: Flux.lnk -> C:\Documents and Settings\Michelle\Local Settings\Application Data\FluxSoftware\Flux\flux.exe (Flux Software LLC)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.197.128.2 209.197.128.5
Tcpip\..\Interfaces\{DBBE1544-E486-4338-93FA-79A615A21BC7}: [DhcpNameServer] 209.197.128.2 209.197.128.5

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-602162358-706699826-1801674531-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-602162358-706699826-1801674531-1003 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\i2kwq7w8.default-1480308880781 [2016-12-10]
FF NewTab: C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\i2kwq7w8.default-1480308880781 -> about:newtab
FF Homepage: C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\i2kwq7w8.default-1480308880781 -> about:home
FF Extension: (Adguard AdBlocker) - C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\i2kwq7w8.default-1480308880781\Extensions\adguardadblocker@adguard.com.xpi [2016-11-27]
FF Extension: (Popup Blocker Ultimate) - C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\i2kwq7w8.default-1480308880781\Extensions\{60B7679C-BED9-11E5-998D-8526BB8E7F8B}.xpi [2016-12-09]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Michelle\Application Data\Mozilla\Firefox\Profiles\i2kwq7w8.default-1480308880781\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-28]
FF Extension: (Adblock Plus Pop-up Addon) - C:\Program Files\Mozilla Firefox\browser\extensions\adblockpopups@jessehakanen.net.xpi [2016-05-14]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_207.dll [2016-11-08] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\WINDOWS\system32\Adobe\Director\np32dsw_1225195.dll [2016-09-20] (Adobe Systems, Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Asset Management Daemon; C:\Program Files\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe [114688 2008-02-13] () [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-11-25] (AVAST Software)
S4 DTSRVC; C:\Program Files\Common Files\Portrait Displays\Shared\dtsrvc.exe [139632 2012-09-26] (Portrait Displays, Inc.)
S4 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
S4 O2FLASH; C:\WINDOWS\system32\DRIVERS\o2flash.exe [72224 2009-01-08] (O2Micro International)
S4 PdiService; C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [123248 2012-09-18] (Portrait Displays, Inc.)
R2 rpcnet; C:\WINDOWS\system32\rpcnet.exe [78032 2016-12-05] (Absolute Software Corp.)
S4 STacSV; c:\program files\idt\xpv10_6147v005\wdm\stacsv.exe [249938 2009-02-20] (IDT, Inc.)
R2 wltrysvc; C:\WINDOWS\System32\bcmwltry.exe [1961984 2008-10-24] (Dell Inc.) [File not signed]
R2 ZAMSvc; C:\Program Files\Zemana AntiMalware\ZAM.exe [13915888 2016-11-22] (Zemana Ltd.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AESTAud; C:\WINDOWS\System32\drivers\AESTAud.sys [112512 2009-02-20] (Andrea Electronics Corporation)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [34008 2016-11-25] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [92256 2016-11-25] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-11-25] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [60424 2016-11-25] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [735488 2016-11-25] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [433768 2016-11-25] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [184592 2016-11-25] (AVAST Software)
S3 aswTap; C:\WINDOWS\System32\DRIVERS\aswTap.sys [35144 2014-07-04] (The OpenVPN Project)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [66688 2016-11-25] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [224752 2016-11-25] (AVAST Software)
S3 BCM43XX; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [1287552 2008-10-24] (Broadcom Corporation)
R3 BTDriver; C:\WINDOWS\System32\DRIVERS\btport.sys [37424 2007-03-23] (Broadcom Corporation.)
R3 BTKRNL; C:\WINDOWS\System32\DRIVERS\btkrnl.sys [876384 2007-03-31] (Broadcom Corporation.)
S3 BTWDNDIS; C:\WINDOWS\System32\DRIVERS\btwdndis.sys [149123 2007-03-23] (Broadcom Corporation.)
R3 BTWUSB; C:\WINDOWS\System32\Drivers\btwusb.sys [67960 2007-03-23] (Broadcom Corporation.)
R3 O2MDGRDR; C:\WINDOWS\System32\DRIVERS\o2mdg.sys [51616 2009-01-08] (O2Micro )
R3 O2SDGRDR; C:\WINDOWS\System32\DRIVERS\o2sdg.sys [41760 2009-01-08] (O2Micro )
R3 PdiPorts; C:\WINDOWS\System32\Drivers\PdiPorts.sys [17136 2010-05-14] (Portrait Displays, Inc.)
S1 Pivot; C:\WINDOWS\System32\drivers\pivot.sys [17465 2010-05-13] (Portrait Displays, Inc.) [File not signed]
S3 pivotmou; C:\WINDOWS\System32\drivers\pivotmou.sys [11323 2010-05-13] (Portrait Displays, Inc.) [File not signed]
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1548339 2009-02-20] (IDT, Inc.)
R1 ZAM; C:\WINDOWS\System32\drivers\zam32.sys [181496 2016-12-09] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard32.sys [181496 2016-12-09] (Zemana Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-10 10:30 - 2016-12-10 10:30 - 00009081 _____ C:\Documents and Settings\Michelle\Desktop\FRST.txt
2016-12-10 10:29 - 2016-12-10 10:30 - 00000000 ___DC C:\FRST
2016-12-10 10:29 - 2016-12-10 10:29 - 01761792 ____C (Farbar) C:\Documents and Settings\Michelle\Desktop\FRST.exe
2016-12-10 10:27 - 2016-12-10 10:27 - 02420224 ____C (Farbar) C:\Documents and Settings\Michelle\Desktop\FRST64.exe
2016-12-10 09:56 - 2016-12-10 09:56 - 00000000 ____D C:\WINDOWS\LastGood
2016-12-10 09:56 - 2016-12-10 09:56 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Sophos
2016-12-10 09:55 - 2016-12-10 09:56 - 00002465 _____ C:\Documents and Settings\All Users\Desktop\Sophos Virus Removal Tool.lnk
2016-12-10 09:55 - 2016-12-10 09:55 - 00000000 ____D C:\Program Files\Sophos
2016-12-10 09:55 - 2016-12-10 09:55 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Sophos
2016-12-10 09:51 - 2016-12-10 09:51 - 00001146 ____C C:\DelFix.txt
2016-12-09 13:22 - 2016-12-09 13:22 - 00002005 _____ C:\Documents and Settings\Michelle\Desktop\2016.12.09-13.09.13-i0-t92-d2.txt
2016-12-09 13:09 - 2016-12-10 10:29 - 00025523 _____ C:\WINDOWS\ZAM.krnl.trace
2016-12-09 13:09 - 2016-12-10 10:29 - 00009802 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2016-12-09 13:08 - 2016-12-09 13:08 - 00181496 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard32.sys
2016-12-09 13:08 - 2016-12-09 13:08 - 00181496 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam32.sys
2016-12-09 13:08 - 2016-12-09 13:08 - 00001605 _____ C:\Documents and Settings\All Users\Desktop\Zemana AntiMalware.lnk
2016-12-09 13:08 - 2016-12-09 13:08 - 00000000 ____D C:\Program Files\Zemana AntiMalware
2016-12-09 13:08 - 2016-12-09 13:08 - 00000000 ____D C:\Documents and Settings\Michelle\Local Settings\Application Data\Zemana
2016-12-09 13:08 - 2016-12-09 13:08 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\Zemana
2016-12-09 13:08 - 2016-12-09 13:08 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Zemana AntiMalware
2016-12-05 12:54 - 2016-12-05 12:54 - 01880440 _____ C:\Documents and Settings\Michelle\Desktop\bookmarks_12_04.html
2016-12-05 11:17 - 2008-04-13 18:00 - 00343040 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mspaint.exe
2016-12-05 11:17 - 2008-04-13 18:00 - 00343040 _____ (Microsoft Corporation) C:\WINDOWS\system32\mspaint.exe
2016-12-05 02:03 - 2008-04-14 07:00 - 00114688 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\calc.exe
2016-12-05 02:03 - 2008-04-14 07:00 - 00114688 _____ (Microsoft Corporation) C:\WINDOWS\system32\calc.exe
2016-12-04 23:56 - 2016-12-10 02:19 - 00032652 _____ C:\WINDOWS\SchedLgU.Txt
2016-12-04 00:28 - 2016-12-04 00:28 - 00042737 _____ C:\Documents and Settings\Michelle\Desktop\noise log.xlsx
2016-12-03 15:35 - 2016-12-05 11:12 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2016-12-03 15:11 - 2001-08-17 22:36 - 00050176 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\umaxp60.dll
2016-12-03 15:07 - 2008-04-13 18:00 - 00455168 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\tintsetp.exe
2016-12-03 15:03 - 2001-08-17 22:36 - 00053248 ____C (Stallion Technologies) C:\WINDOWS\system32\dllcache\stlncoin.dll
2016-12-03 14:54 - 2008-04-13 18:00 - 00030208 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\sm81w.dll
2016-12-03 14:49 - 2001-08-17 22:36 - 00057856 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\EXCH_scripto.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00347136 _____ (Hilgraeve, Inc.) C:\WINDOWS\system32\hypertrm.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00227840 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\avtapi.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00227840 _____ (Microsoft Corporation) C:\WINDOWS\system32\avtapi.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00214528 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wordpad.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00184320 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\accwiz.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\accwiz.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00138752 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\sndvol32.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00138752 _____ (Microsoft Corporation) C:\WINDOWS\system32\sndvol32.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00131584 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\sndrec32.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00131584 _____ (Microsoft Corporation) C:\WINDOWS\system32\sndrec32.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00123392 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mplay32.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\mplay32.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00073216 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\avwav.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\system32\avwav.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00068608 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\access.cpl
2016-12-03 14:30 - 2008-04-13 18:00 - 00068608 _____ (Microsoft Corporation) C:\WINDOWS\system32\access.cpl
2016-12-03 14:30 - 2008-04-13 18:00 - 00044544 _____ (Hilgraeve, Inc.) C:\WINDOWS\system32\hticons.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00035328 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\winchat.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00035328 _____ (Microsoft Corporation) C:\WINDOWS\system32\winchat.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00016384 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\avmeter.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00016384 _____ (Microsoft Corporation) C:\WINDOWS\system32\avmeter.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00013312 ____C (Hilgraeve, Inc.) C:\WINDOWS\system32\dllcache\htrn_jis.dll
2016-12-03 14:30 - 2008-04-13 18:00 - 00005632 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\write.exe
2016-12-03 14:30 - 2008-04-13 18:00 - 00005632 _____ (Microsoft Corporation) C:\WINDOWS\system32\write.exe
2016-12-03 14:29 - 2008-04-13 18:00 - 00539136 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\dialer.exe
2016-12-03 14:12 - 2016-12-10 01:17 - 00588800 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\autochk.exe
2016-12-03 14:12 - 2016-12-10 01:17 - 00588800 _____ (Microsoft Corporation) C:\WINDOWS\system32\autochk.exe
2016-12-03 13:52 - 2001-08-17 22:36 - 00614429 ____C (Digi International Inc.) C:\WINDOWS\system32\dllcache\digiview.exe
2016-12-02 18:14 - 2016-12-10 10:30 - 00000000 ___DC C:\Documents and Settings\Michelle\Local Settings\Temp
2016-12-02 18:14 - 2016-12-09 13:03 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\temp
2016-12-02 18:14 - 2016-12-02 18:14 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\temp
2016-12-02 18:14 - 2016-12-02 18:14 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\temp
2016-12-02 18:14 - 2016-12-02 18:14 - 00000000 ____D C:\Documents and Settings\Default User\Local Settings\Temp
2016-12-01 12:14 - 2016-12-01 12:14 - 00000008 __RSH C:\Documents and Settings\All Users\ntuser.pol
2016-11-30 12:06 - 2016-11-30 12:12 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\SophosClean
2016-11-29 02:44 - 2016-12-05 02:04 - 00005120 ___SH C:\WINDOWS\system32\Thumbs.db
2016-11-27 23:47 - 2016-12-01 10:33 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-11-27 23:47 - 2016-11-27 23:47 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2016-11-27 23:47 - 2016-11-27 23:47 - 00000724 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2016-11-27 11:49 - 2001-08-17 22:36 - 00031744 ____C (IBM Corporation) C:\WINDOWS\system32\dllcache\tp4.dll
2016-11-27 11:48 - 2001-08-17 22:36 - 00155648 ____C (Stallion Technologies) C:\WINDOWS\system32\dllcache\stlnprop.dll
2016-11-27 11:48 - 2001-08-17 22:36 - 00053760 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\sw_wheel.dll
2016-11-27 11:48 - 2001-08-17 22:36 - 00041472 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\sw_effct.dll
2016-11-27 11:47 - 2001-08-17 22:36 - 00114688 ____C (Sony Corporation) C:\WINDOWS\system32\dllcache\sonypi.dll
2016-11-27 11:47 - 2001-08-17 22:36 - 00024660 ____C (Perle Systems Ltd.) C:\WINDOWS\system32\dllcache\spxupchk.dll
2016-11-27 11:44 - 2001-08-17 22:36 - 00079872 ____C (Ricoh Co., Ltd.) C:\WINDOWS\system32\dllcache\rwia430.dll
2016-11-27 11:44 - 2001-08-17 22:36 - 00009216 ____C (Brother Industries, Ltd.) C:\WINDOWS\system32\dllcache\rsmgrstr.dll
2016-11-27 11:43 - 2001-08-17 22:37 - 00105984 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\phdsext.ax
2016-11-27 11:43 - 2001-08-17 22:36 - 00035328 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\psisload.dll
2016-11-27 11:42 - 2001-08-17 22:36 - 00044544 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ovui2.dll
2016-11-27 11:42 - 2001-08-17 22:36 - 00020480 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ovcomc.dll
2016-11-27 11:40 - 2001-08-17 22:36 - 00007168 ____C (Moxa Technologies Co., Ltd) C:\WINDOWS\system32\dllcache\mxport.dll
2016-11-27 11:38 - 2001-08-17 22:36 - 00037376 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\kousd.dll
2016-11-27 11:37 - 2001-08-17 22:36 - 00026624 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\icam3ext.dll
2016-11-27 11:36 - 2001-08-17 22:36 - 00093696 ____C () C:\WINDOWS\system32\dllcache\hpgt42.dll
2016-11-27 11:35 - 2001-08-17 22:36 - 00123392 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hpgt21tk.dll
2016-11-27 11:34 - 2001-08-17 22:36 - 00051200 ____C (Equinox Systems Inc.) C:\WINDOWS\system32\dllcache\eqnlogr.exe
2016-11-27 11:34 - 2001-08-17 22:36 - 00043008 ____C (SEIKO EPSON CORP.) C:\WINDOWS\system32\dllcache\esucm.dll
2016-11-27 11:34 - 2001-08-17 13:28 - 00241206 ____C (3Com Corporation) C:\WINDOWS\system32\dllcache\el656se5.sys
2016-11-27 11:33 - 2001-08-17 22:36 - 00229462 ____C (Digi International Inc.) C:\WINDOWS\system32\dllcache\digifwrk.dll
2016-11-27 11:33 - 2001-08-17 22:36 - 00038985 ____C (Eicon Technology) C:\WINDOWS\system32\dllcache\disrvsu.dll
2016-11-27 11:33 - 2001-08-17 22:36 - 00029768 ____C C:\WINDOWS\system32\dllcache\divasu.dll
2016-11-27 11:32 - 2008-04-14 05:41 - 00249856 ____C (Comtrol® Corporation) C:\WINDOWS\system32\dllcache\ctmasetp.dll
2016-11-27 11:31 - 2001-08-17 22:36 - 00041472 ____C (Brother Industries, Ltd.) C:\WINDOWS\system32\dllcache\brmfusb.dll
2016-11-27 11:31 - 2001-08-17 22:36 - 00015360 ____C (Brother Industries, Ltd.) C:\WINDOWS\system32\dllcache\brmfbidi.dll
2016-11-27 00:24 - 2016-11-27 00:24 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2016-11-27 00:20 - 2016-11-27 10:59 - 00000000 ____D C:\WINDOWS\erdnt
2016-11-26 23:52 - 2016-12-10 01:18 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-11-26 23:52 - 2016-12-05 10:46 - 00121560 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-11-26 23:52 - 2016-11-27 00:23 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-11-26 23:52 - 2016-11-26 23:52 - 00000777 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2016-11-26 23:52 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-11-25 13:35 - 2016-11-25 13:35 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2016-11-25 13:35 - 2016-11-25 13:35 - 00000000 ____D C:\Documents and Settings\Michelle\Application Data\AVAST Software
2016-11-25 13:35 - 2016-11-25 13:35 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVAST Software
2016-11-25 13:34 - 2016-12-10 09:25 - 00000362 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-11-25 13:33 - 2016-11-25 13:34 - 00735488 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsnx.sys
2016-11-25 13:33 - 2016-11-25 13:34 - 00433768 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsp.sys
2016-11-25 13:33 - 2016-11-25 13:34 - 00224752 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2016-11-25 13:33 - 2016-11-25 13:33 - 00319760 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-11-25 13:33 - 2016-11-25 13:33 - 00184592 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
2016-11-25 13:33 - 2016-11-25 13:33 - 00092256 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-11-25 13:33 - 2016-11-25 13:33 - 00066688 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswTdi.sys
2016-11-25 13:33 - 2016-11-25 13:33 - 00064272 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2016-11-25 13:33 - 2016-11-25 13:33 - 00060424 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-11-25 13:33 - 2016-11-25 13:33 - 00053208 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-11-25 13:33 - 2016-11-25 13:33 - 00034008 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-11-25 13:31 - 2016-11-25 13:31 - 00000000 ____D C:\Program Files\AVAST Software
2016-11-25 12:15 - 2016-11-25 12:15 - 00051248 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2016-11-24 19:25 - 2016-11-24 19:25 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\ESET
2016-11-24 02:14 - 2001-08-17 22:36 - 00023040 ____C (Xerox Corporation) C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2016-11-24 02:12 - 2001-08-17 22:36 - 00087040 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2016-11-24 02:10 - 2001-08-17 22:36 - 00094720 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\umaxud32.dll
2016-11-24 02:10 - 2001-08-17 22:36 - 00028160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\umaxu40.dll
2016-11-24 02:09 - 2001-08-17 22:36 - 00216064 ____C (UMAX Data Systems Inc.) C:\WINDOWS\system32\dllcache\um34scan.dll
2016-11-24 02:09 - 2001-08-17 22:36 - 00047616 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\umaxcam.dll
2016-11-24 02:03 - 2001-08-17 22:36 - 00082432 ____C (Ricoh Co., Ltd.) C:\WINDOWS\system32\dllcache\rwia450.dll
2016-11-24 02:01 - 2001-08-17 22:36 - 00016384 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\philcam1.dll
2016-11-24 01:55 - 2008-04-14 05:42 - 00043008 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\ksxbar.ax
2016-11-24 01:55 - 2001-08-17 22:36 - 00058368 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\m3091dc.dll
2016-11-24 01:54 - 2008-04-14 05:42 - 00151552 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\irftp.exe
2016-11-24 01:53 - 2001-08-17 22:36 - 00061952 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\icam4ext.dll
2016-11-24 01:52 - 2008-04-13 18:00 - 13463552 ____C C:\WINDOWS\system32\dllcache\SETC7E.tmp
2016-11-24 01:52 - 2001-08-17 22:34 - 00009216 ____C (IBM Corporation) C:\WINDOWS\system32\dllcache\ibmsgnet.dll
2016-11-24 01:51 - 2001-08-17 22:36 - 00126976 ____C (Hewlett Packard) C:\WINDOWS\system32\dllcache\hpgt34tk.dll
2016-11-24 01:51 - 2001-08-17 22:36 - 00101376 ____C () C:\WINDOWS\system32\dllcache\hpgt34.dll
2016-11-24 01:51 - 2001-08-17 22:36 - 00089088 ____C () C:\WINDOWS\system32\dllcache\hpgt33.dll
2016-11-24 01:51 - 2001-08-17 22:36 - 00068608 ____C (Avisioin) C:\WINDOWS\system32\dllcache\hpgt53tk.dll
2016-11-24 01:51 - 2001-08-17 22:36 - 00032768 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hpgtmcro.dll
2016-11-24 01:51 - 2001-08-17 22:36 - 00019456 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hr1w.dll
2016-11-24 01:51 - 2001-08-17 22:36 - 00013312 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hpsjmcro.dll
2016-11-24 01:50 - 2001-08-17 22:36 - 00092160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\fuusd.dll
2016-11-24 01:49 - 2001-08-17 22:36 - 00045568 ____C (SEIKO EPSON CORP.) C:\WINDOWS\system32\dllcache\esunib.dll
2016-11-24 01:47 - 2001-08-17 22:36 - 00256512 ____C (Creative Technology Ltd.) C:\WINDOWS\system32\dllcache\devcon32.dll
2016-11-24 01:47 - 2001-08-17 22:36 - 00110621 ____C (Digi International, Inc.) C:\WINDOWS\system32\dllcache\digirlpt.dll
2016-11-24 01:47 - 2001-08-17 22:36 - 00102484 ____C (Digi International Inc.) C:\WINDOWS\system32\dllcache\digiinf.dll
2016-11-24 01:47 - 2001-08-17 22:36 - 00027648 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\cyzports.dll
2016-11-24 01:46 - 2001-08-17 22:36 - 00175104 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\csamsp.dll
2016-11-24 01:46 - 2001-08-17 22:36 - 00027648 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\cyyports.dll
2016-11-24 01:45 - 2008-04-14 05:42 - 00018432 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\bdaplgin.ax
2016-11-24 01:45 - 2008-04-14 05:41 - 00121856 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\camext30.dll
2016-11-24 01:45 - 2001-08-17 22:36 - 00102400 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\binlsvc.dll
2016-11-24 01:45 - 2001-08-17 22:36 - 00074240 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\camexo20.dll
2016-11-24 01:44 - 2008-04-14 05:42 - 00009728 ____C (ATI Technologies Inc.) C:\WINDOWS\system32\dllcache\ativdaxx.ax
2016-11-24 01:44 - 2008-04-14 05:41 - 00032768 ____C (ATI Technologies Inc.) C:\WINDOWS\system32\dllcache\ativtmxx.dll
2016-11-24 01:44 - 2008-04-13 22:04 - 00028672 ____C (ATI Technologies Inc.) C:\WINDOWS\system32\dllcache\atinsnxx.sys
2016-11-24 00:13 - 2016-11-24 00:13 - 00000000 ____D C:\Documents and Settings\Michelle\Local Settings\Application Data\ESET
2016-11-23 14:34 - 2016-11-23 14:34 - 00028672 _____ C:\WINDOWS\system32\config\SAM.gsbackup
2016-11-23 14:34 - 2016-11-23 14:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Geek Squad
2016-11-23 13:51 - 2016-11-23 13:51 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\CEF
2016-11-21 19:34 - 2016-11-30 11:02 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\Travel scholarship for photographers available [Worldwide] _ IJNet_files
2016-11-21 19:34 - 2016-11-30 11:02 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\Travel Photography Scholarship 2016 → WIN a photography assignment to Japan_files
2016-11-21 19:34 - 2016-11-21 19:34 - 00433617 _____ C:\Documents and Settings\Michelle\My Documents\Travel Photography Scholarship 2016 → WIN a photography assignment to Japan.htm
2016-11-21 19:34 - 2016-11-21 19:34 - 00376759 _____ C:\Documents and Settings\Michelle\My Documents\Travel scholarship for photographers available [Worldwide] _ IJNet.htm
2016-11-12 23:49 - 2016-11-12 23:49 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\Bluetooth Exchange Folder

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-10 10:03 - 2016-01-24 15:52 - 00000000 ____D C:\Program Files\antivius programs
2016-12-10 10:03 - 2015-12-28 01:27 - 00007680 ___SH C:\WINDOWS\Thumbs.db
2016-12-10 09:36 - 2016-03-10 21:32 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-12-10 09:25 - 2013-09-12 02:18 - 00078032 ____C (Absolute Software Corp.) C:\WINDOWS\system32\rpcnet.dll
2016-12-10 09:25 - 2013-09-11 09:05 - 00017920 ____C C:\WINDOWS\system32\rpcnetp.dll
2016-12-10 09:25 - 2013-09-11 09:05 - 00000006 ___HC C:\WINDOWS\Tasks\SA.DAT
2016-12-10 09:25 - 2013-09-11 04:53 - 00017920 ____C C:\WINDOWS\system32\rpcnetp.exe
2016-12-10 09:25 - 2008-04-13 18:00 - 00002206 ____C C:\WINDOWS\system32\wpa.dbl
2016-12-10 02:19 - 2013-09-11 09:08 - 00000178 __SHC C:\Documents and Settings\Michelle\ntuser.ini
2016-12-10 02:18 - 2013-09-11 09:08 - 00000000 ____D C:\Documents and Settings\Michelle
2016-12-10 01:17 - 2013-09-11 04:48 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2016-12-09 16:35 - 2013-09-13 22:18 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\BOOKS
2016-12-09 13:32 - 2013-09-11 09:08 - 00000000 ___RD C:\Documents and Settings\Michelle\My Documents\My Pictures
2016-12-09 12:15 - 2016-01-10 14:17 - 00340992 ___SH C:\Documents and Settings\Michelle\Desktop\Thumbs.db
2016-12-08 10:45 - 2013-09-11 09:08 - 00000000 ___RD C:\Documents and Settings\Michelle\My Documents
2016-12-06 13:38 - 2014-10-01 10:36 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\computers_mice_software_hardware how to's
2016-12-05 11:17 - 2013-09-11 04:55 - 00604180 ____C C:\WINDOWS\system32\PerfStringBackup.INI
2016-12-05 11:17 - 2013-09-11 04:48 - 00000000 ____D C:\WINDOWS\security
2016-12-05 11:17 - 2013-09-11 04:48 - 00000000 ____D C:\WINDOWS\Help
2016-12-05 11:11 - 2015-11-10 10:30 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\account invoices_receipts
2016-12-05 00:37 - 2013-09-12 02:18 - 00078032 ____N (Absolute Software Corp.) C:\WINDOWS\system32\rpcnet.exe
2016-12-05 00:33 - 2014-06-13 20:19 - 00000239 ___SH C:\boot.ini
2016-12-05 00:33 - 2014-03-30 07:28 - 00000178 __SHC C:\Documents and Settings\Administrator\ntuser.ini
2016-12-05 00:33 - 2008-04-13 18:00 - 00000507 ____C C:\WINDOWS\win.ini
2016-12-05 00:33 - 2008-04-13 18:00 - 00000227 ____C C:\WINDOWS\system.ini
2016-12-04 23:36 - 2014-03-30 07:28 - 00000000 ____D C:\Documents and Settings\Administrator
2016-12-04 18:05 - 2013-09-13 22:18 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\FB
2016-12-03 15:14 - 2013-09-13 22:18 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\CALENDARS...card pics
2016-12-03 14:30 - 2013-09-11 08:59 - 00000000 ____D C:\Program Files\Windows NT
2016-12-03 14:30 - 2013-09-11 04:48 - 00000000 ____D C:\WINDOWS\Cursors
2016-12-03 13:36 - 2015-11-25 16:22 - 00000000 ___DC C:\Program Files\CC Cleaner backups
2016-12-03 12:55 - 2013-09-11 09:00 - 00000000 ___RD C:\Documents and Settings\All Users\Start Menu\Programs\Games
2016-12-03 11:30 - 2013-09-11 09:05 - 00000000 __SHD C:\Documents and Settings\NetworkService
2016-12-01 12:14 - 2013-09-11 04:53 - 00000000 ____D C:\Documents and Settings\All Users
2016-12-01 11:00 - 2014-01-27 01:36 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2016-12-01 10:33 - 2016-10-20 23:29 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-11-28 12:39 - 2013-09-11 09:08 - 00000000 ___RD C:\Documents and Settings\Michelle\My Documents\My Music
2016-11-28 10:56 - 2013-09-13 22:19 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\JOBS STUFF
2016-11-27 23:54 - 2013-09-13 22:09 - 00000000 ____D C:\Documents and Settings\Michelle\Application Data\Mozilla
2016-11-27 00:39 - 2013-09-11 04:53 - 00000000 ___HD C:\Documents and Settings\Default User
2016-11-27 00:32 - 2014-03-21 18:55 - 00000000 ____D C:\Documents and Settings\Michelle\Local Settings\Application Data\Temp
2016-11-25 13:35 - 2013-09-11 04:48 - 00000000 ___HD C:\WINDOWS\inf
2016-11-25 13:30 - 2013-09-13 22:30 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2016-11-25 13:28 - 2014-11-16 23:31 - 00002515 ____C C:\Documents and Settings\Michelle\Desktop\Microsoft Office Word 2007.lnk
2016-11-21 20:22 - 2015-12-28 20:27 - 00134656 ___SH C:\Documents and Settings\Michelle\My Documents\Thumbs.db
2016-11-21 09:25 - 2016-08-18 09:09 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\APTS
2016-11-18 02:08 - 2016-11-05 12:46 - 00000682 _____ C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
2016-11-17 16:45 - 2016-11-03 19:55 - 00000000 ____D C:\Documents and Settings\Michelle\My Documents\BRIDGES LOCATIONS
2016-11-16 21:22 - 2013-09-11 09:05 - 00000000 __SHD C:\Documents and Settings\LocalService
2016-11-16 21:22 - 2013-09-11 09:00 - 00000000 ____D C:\WINDOWS\Registration
2016-11-16 16:26 - 2013-09-11 14:06 - 00000000 ___RD C:\Documents and Settings\Michelle\My Documents\My Videos
2016-11-10 10:19 - 2013-09-11 14:13 - 00000000 ____D C:\Program Files\Roxio
2016-11-10 10:18 - 2013-09-11 14:13 - 00000000 ____D C:\Program Files\Common Files\Roxio Shared
2016-11-10 10:17 - 2013-09-11 14:13 - 00000000 ____D C:\Program Files\Common Files\Sonic Shared

==================== Files in the root of some directories =======

2013-09-25 18:19 - 2013-09-25 18:19 - 0936168 ____C (Microsoft Corporation) C:\Program Files\SaveAsPDF.exe
2013-09-25 18:11 - 2013-09-25 18:11 - 0956344 ____C (Microsoft Corporation) C:\Program Files\SaveAsPDFandXPS.exe
2014-04-24 22:25 - 2014-04-24 22:25 - 0000460 ___HC () C:\Documents and Settings\Michelle\Application Data\iColorDisplay3.lic
2014-04-24 22:25 - 2014-04-24 22:25 - 0000606 ____C () C:\Documents and Settings\Michelle\Application Data\iColorDisplay3.prefs
2013-10-27 09:54 - 2016-09-23 14:50 - 0210944 ____C () C:\Documents and Settings\Michelle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-04-24 22:17 - 2014-04-24 22:17 - 0000131 ____C () C:\Documents and Settings\Michelle\Local Settings\Application Data\fusioncache.dat
2013-11-14 13:30 - 2013-11-14 13:30 - 0000268 __RHC () C:\Documents and Settings\All Users\Application Data\Jazz
2013-11-14 13:31 - 2013-11-14 13:31 - 0000268 __RHC () C:\Documents and Settings\All Users\Application Data\Jazz Kit
2013-11-14 13:30 - 2013-11-14 13:30 - 0000268 __RHC () C:\Documents and Settings\All Users\Application Data\Jingles
2013-11-14 13:30 - 2013-11-14 13:30 - 0000020 ___HC () C:\Documents and Settings\All Users\Application Data\PKP_DLeo.DAT
2013-11-14 13:31 - 2013-11-14 13:42 - 0000020 ___HC () C:\Documents and Settings\All Users\Application Data\PKP_DLes.DAT
2013-11-14 13:30 - 2014-02-11 19:58 - 0000020 ___HC () C:\Documents and Settings\All Users\Application Data\PKP_DLet.DAT
2013-11-14 13:30 - 2014-02-11 19:59 - 0000020 ___HC () C:\Documents and Settings\All Users\Application Data\PKP_DLev.DAT

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Addition.txt


This is frustrating for sure. I want you to create a registry backup with another tool, then turn off System Restore to clean out all present points (4 showing in the FRST log).

Tweaking.com Registry Backup
 
  • Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop.
  • Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All".
  • Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C:)", and click the "Make New Folder" button.
  • Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract".
  • From the newly extracted files, right click on the Tweaking.com Registry Backup executable and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup. (Windows Vista/7/8/10 users: Accept the UAC warning if it is enabled.)
  • Type a custom name in Backup Name if you want, then choose Backup Now.
  • If backup is successful, a message will appear at the lower half of the screen with an option to view logs.
  • The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings.
  • Close Tweaking.com Registry Backup when done.

Next,

Turn OFF System Restore and reboot.

Next,

Do a full scan with Avast; what does it show?

Next,

If that scan comes back clean, turn System Restore back on and name the new RP for reference.

Next,

Please download aswMBR (4.5 MB) to your desktop.
 
  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.


Note: There will also be a file on your desktop named MBR.dat; do not delete this for now. It is an actual backup of the MBR (master boot record).

 

Edited by kevinf80
Part of text was missing

hello,

after turning System Restore off my Avast scan was clean.

when I opened/ran aswMBR I did not get the message "download the latest Avast! virus definitions". I left the default scan as 'quick scan'.

the log is pasted below:

(not sure if it's relevant, but my computer seems to be loading slower on startup after all of these scans than it used to when I had malware, even though I have fewer than 5 things checked to begin on startup.)

thanks.

aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2016-12-11 12:38:26
-----------------------------
12:38:26.062    OS Version: Windows 5.1.2600 Service Pack 3
12:38:26.062    Number of processors: 2 586 0x170A
12:38:26.062    ComputerName: MEESH  UserName: Meesh
12:38:27.390    Initialize success
12:38:27.390    VM: initialized successfully
12:38:27.390    VM: Intel CPU BiosDisabled
12:38:36.937    AVAST engine defs: 16121100
12:38:48.234    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:38:48.234    Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
12:38:48.421    Disk 0 MBR read successfully
12:38:48.421    Disk 0 MBR scan
12:38:48.437    Disk 0 Windows XP default MBR code
12:38:48.437    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS       152617 MB offset 63
12:38:48.453    Disk 0 default boot code
12:38:48.453    Disk 0 scanning sectors +312560640
12:38:48.562    Disk 0 scanning C:\WINDOWS\system32\drivers
12:39:00.562    Service scanning
12:39:17.968    Modules scanning
12:39:17.968    Disk 0 trace - called modules:
12:39:17.968    
12:39:21.046    AVAST engine scan C:\WINDOWS
12:39:37.984    AVAST engine scan C:\WINDOWS\system32
12:42:33.703    AVAST engine scan C:\WINDOWS\system32\drivers
12:42:45.484    AVAST engine scan C:\Documents and Settings\Michelle
12:49:44.984    AVAST engine scan C:\Documents and Settings\All Users
12:51:54.515    Disk 0 statistics 1514476/0/0 @ 1.25 MB/s
12:51:54.531    Scan finished successfully
13:00:48.609    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Michelle\Desktop\MBR.dat"
13:00:48.609    The log file has been saved successfully to "C:\Documents and Settings\Michelle\Desktop\aswMBR.txt"


the virus that would not die!

every time I've turned System Restore off and back on, the scan comes up clean immediately after but eventually goes back to finding something in System Restore.

most recent scan results: 2 listed on Avast. Actually, on every scan, for every file listed as "threat: rootkit" there's a file with the same number and a different extension ('BAK') listed as 'threat: win32:malware-gen'. (So all those times that I had 30, it was 15 listed as rootkit and the same 15 with a different extension listed as malware.) And every time I have tried to 'fix' it, it deletes (or sends to chest) the malware version but will not do anything for the rootkit version (even after the recommended boot scan).

once it came up with a virus in autochk, but after I copied/replaced autochk from the installation disc it no longer comes up (though I still can only do chkdsk from the disc).

I recently uninstalled and reinstalled Avast thinking it might be corrupt somehow, but it hasn't helped, so I'm out of ideas :)


I do not believe your system is infected; I cannot explain why Avast is flagging freshly created restore points as malicious. Let's run a very thorough online AV scan: if there are infected entries on your system, ESET will find them. It can take a few hours, so you will have to be patient. If the ESET log is clean it will be necessary to contact the Avast forum.

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit the ESET Online Scanner website.

Click Run ESET Online Scanner there.

If using Internet Explorer:
 
  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Accept the Terms of Use and click Start.


To perform the scan:
 
  • Select "Enable detection of potentially unwanted applications"
  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Anti-Stealth technology” select “Change” and select any extra drives in that window.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.


Please include this logfile in your next reply.

Don't forget to re-enable security software!

there is no 'finish' button unless I choose clean or do not clean, and it did not save anything to Program Files. Before I chose an option I saved the result by clicking 'copy to clipboard' and pasted it into WordPad. After doing so I chose 'do not clean' (because your instructions did not say whether I should clean or not, just to 'finish') and then 'finish'. There is nothing from ESET in Program Files. The result pasted into WordPad was as follows:

C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP2\A0000022.exe    a variant of Win32/CompuTrace.B potentially unsafe application   


today this is the ESET result:

C:\Documents and Settings\Michelle\Desktop\ccsetup525.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000102.exe    a variant of Win32/CompuTrace.B potentially unsafe application    
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000240.exe    a variant of Win32/CompuTrace.B potentially unsafe application    
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP4\A0000314.exe    a variant of Win32/CompuTrace.B potentially unsafe application    

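Reading the two scanner outputs in this thread side by side makes the pattern visible: the FRST log lists rpcnet.dll and rpcnet.exe in system32 with the vendor string "Absolute Software Corp." (the Computrace agent), while every ESET CompuTrace hit sits under C:\System Volume Information\_restore{...}\RPn\, i.e. inside a restore point, and ESET labels them "potentially unsafe application", not malware. The script below is an added example written for this page, not code from the thread, FRST or ESET. It parses the FRST file-listing format and ESET Online Scanner result lines, then applies a heuristic I define here (not a feature of either tool): if the agent is live on disk and all CompuTrace hits are restore-point copies, each newly created restore point will copy the agent again and the scanner will flag it again. Assumptions: rpcnetp.exe/rpcnetp.dll are treated as part of the same agent because of the shared name stem (the log shows no signer for them), and the sample lines are constructed from the format of the logs posted above (the restore GUID is copied from the ESET results).

```python
"""Correlate FRST file-listing lines with ESET Online Scanner result lines.

Added example for this thread, not code from the forum, FRST or ESET.
Sample lines below are constructed from the format of the posted logs.
"""
import re
from collections import defaultdict

# FRST "modified files" line: created - modified - size attrs [(company)] path
FRST_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.*\S)$"
)
# ESET result line: path, two or more spaces, verdict text
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s{2,}(?P<verdict>.+?)\s*$")
# XP restore-point copy: \System Volume Information\_restore{GUID}\RPn\A0000xxx.ext
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP(\d+)\\", re.I)

# Computrace agent file names as they appear in the FRST log above. rpcnet.* carry the
# "Absolute Software Corp." vendor string; rpcnetp.* are ASSUMED to be the same agent
# because of the shared name stem (the log shows no signer for them).
COMPUTRACE_NAMES = {"rpcnet.exe", "rpcnet.dll", "rpcnetp.exe", "rpcnetp.dll"}

# Constructed sample input in the posted FRST format.
FRST_SAMPLE = r"""
2016-12-10 09:25 - 2013-09-12 02:18 - 00078032 ____C (Absolute Software Corp.) C:\WINDOWS\system32\rpcnet.dll
2016-12-10 09:25 - 2013-09-11 09:05 - 00017920 ____C C:\WINDOWS\system32\rpcnetp.dll
2016-12-10 09:25 - 2013-09-11 04:53 - 00017920 ____C C:\WINDOWS\system32\rpcnetp.exe
2016-12-05 00:37 - 2013-09-12 02:18 - 00078032 ____N (Absolute Software Corp.) C:\WINDOWS\system32\rpcnet.exe
2016-11-25 13:33 - 2016-11-25 13:33 - 00319760 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-12-03 14:30 - 2013-09-11 04:48 - 00000000 ____D C:\WINDOWS\Cursors
"""

# Constructed sample input in the posted ESET Online Scanner format.
ESET_SAMPLE = r"""
C:\Documents and Settings\Michelle\Desktop\ccsetup525.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000102.exe    a variant of Win32/CompuTrace.B potentially unsafe application
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000240.exe    a variant of Win32/CompuTrace.B potentially unsafe application
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP4\A0000314.exe    a variant of Win32/CompuTrace.B potentially unsafe application
"""


def parse_frst(text):
    """One dict per parsable FRST line; section headers and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FRST_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["name"] = rec["path"].rsplit("\\", 1)[-1].lower()
            records.append(rec)
    return records


def parse_eset(text):
    """One dict per ESET result line, tagged with the restore point number if any."""
    records = []
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if not m:
            continue
        rp = RESTORE_RE.search(m.group("path"))
        records.append({"path": m.group("path"), "verdict": m.group("verdict"),
                        "restore_point": int(rp.group(1)) if rp else None})
    return records


def live_agent_files(frst_records):
    """Computrace components present on the live file system (not restore-point copies)."""
    return sorted(r["path"] for r in frst_records
                  if r["name"] in COMPUTRACE_NAMES and not RESTORE_RE.search(r["path"]))


def detections_by_location(eset_records, needle="computrace"):
    """Split hits whose verdict mentions `needle` into {restore point: paths} and live paths."""
    by_rp, live = defaultdict(list), []
    for r in eset_records:
        if needle not in r["verdict"].lower():
            continue
        if r["restore_point"] is None:
            live.append(r["path"])
        else:
            by_rp[r["restore_point"]].append(r["path"])
    return dict(by_rp), live


def assess(frst_text, eset_text):
    """Heuristic of this example (not an FRST or ESET feature): a live agent plus hits found
    only inside restore points means every new restore point re-copies the agent, so the
    scanner flags the copy again; that matches the daily re-detection in the thread."""
    agent = live_agent_files(parse_frst(frst_text))
    by_rp, live = detections_by_location(parse_eset(eset_text))
    if live:
        verdict = "CompuTrace hits outside restore points; investigate the live copies"
    elif agent and by_rp:
        verdict = "restore-point copies of a live Computrace agent"
    else:
        verdict = "no CompuTrace correlation"
    return {"live_agent": agent, "restore_points": by_rp,
            "live_detections": live, "verdict": verdict}


if __name__ == "__main__":
    for key, value in assess(FRST_SAMPLE, ESET_SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the constructed samples, assess() reports four live agent files in system32, CompuTrace hits in RP3 (two) and RP4 (one), no hits outside restore points, and the verdict "restore-point copies of a live Computrace agent". The ccsetup525.exe line is ignored by the CompuTrace filter, which is the point of filtering on the verdict text rather than on the category string both lines share. Whether the agent itself should stay on the machine is a separate decision that the thread does not settle.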

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file."
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Turn off System Restore and leave it off.

Next,

Create a registry back up with Tweaking.com tool as you did in Reply ID 14.

Next,

Run another scan with ESET as you did previously, post that log....

fixlist.txt


(after the ESET scan results I posted previously I did choose clean; I'm not sure if that screwed things up with the fixlist. And after the most recent scan I turned System Restore back on. It seems the only time my ESET (or Avast) scans are clean is when I do them while System Restore is off.)

ESET results: no threat found

fixlog:

Fix result of Farbar Recovery Scan Tool (x86) Version: 07-12-2016
Ran by Meesh (15-12-2016 21:27:42) Run:1
Running from C:\Documents and Settings\Michelle\Desktop
Loaded Profiles: Meesh (Available Profiles: Meesh & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
C:\Documents and Settings\Michelle\Desktop\ccsetup525.exe    
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000102.exe    
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000240.exe    
C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP4\A0000314.exe    
end

 


*****************

"C:\Documents and Settings\Michelle\Desktop\ccsetup525.exe" => not found.
"C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000102.exe" => not found.
"C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP3\A0000240.exe" => not found.
"C:\System Volume Information\_restore{432B7F42-79F8-4AAD-A7F8-2374DB7400BC}\RP4\A0000314.exe" => not found.

==== End of Fixlog 21:27:42 ====

ESET log:
