Author Topic: WinXP sp3 running SLOOOOWWW CPU flatlined SCgeneric Rmvd often  (Read 581 times)


Offline Blue55
WinXP sp3 running SLOOOOWWW CPU flatlined SCgeneric Rmvd often
« on: November 21, 2017, 11:59:48 PM »
WinXP sp3 running SLOOOOOWWWWW. SVChost.exe at 99% almost all the time from startup. CPU flatlined at 100% busy all the time. The simplest task usually takes 5 to 20 minutes and forget about having Email open or anything.
AVG removes SCgeneric trojan at every scan for months (but I guess that's a False Positive). We have a brand new Windows 7 Refurb here ( Wow, huh? ) waiting for everything to be moved over but I am hoping to not move any viruses also. Meanwhile in the last few days it's so doggone slow it's useless. It's been slow for a while but this is now unusable.

Result of Security Analysis by Rocket Grannie (x86) Updated: 18th Novemeber, 2017
Running from:C:\Documents and Settings\Keith.patriotplastics\Desktop (20:38:20 - 11/21/2017)
***---------------------------------------------------------***
Microsoft Windows XP Professional X86 Service Pack 3
WARNING! Windows XP is no longer supported
Internet Explorer 8
Default Browser: Firefox
***------------Antivirus - Antispyware - Firewall-----------***
AVG AntiVirus Business Edition (Enabled - up to Date)


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-11-2017
Ran by keith (administrator) on KEITH-26D9165CE (21-11-2017 20:20:38)
Running from C:\Documents and Settings\Keith.patriotplastics\Desktop
Loaded Profiles: keith (Available Profiles: Keith & Administrator & keith & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\Av\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avgsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgwdsvcx.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\TeamViewer_Service.exe
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgnsx.exe
(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgemcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgmfapx.exe
(SigmaTel, Inc.) C:\WINDOWS\stsystra.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Framework\Common\avguix.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\Av\avgui.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [SigmatelSysTrayApp] => C:\WINDOWS\stsystra.exe [282624 2006-07-27] (SigmaTel, Inc.)
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM\...\Run: [AvgUi] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [220944 2016-12-06] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\qttask.exe [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\Framework\Common\avguirnx.exe [220944 2016-12-06] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [587288 2017-09-05] (Oracle Corporation)
HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start hxxp://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBGAEwANAAzAC0AQwAzAEcANgAyAC0AQwAzADMAQgBBAC0AUQBGAEEAWgBLAC0ARwBQAEgARgBIAA"&"inst=NwA2AC0ANQAwADUANgA5ADMAMgA (the data entry has 264 more characters).
HKLM\...\RunOnce: [AvgRemover] => C:\Documents and Settings\administrator.patriotplastics\Local Settings\Temporary Internet Files\Content.IE5\69O5A76H\avg_remover_stf_x86_2013_2706[1].exe /run_number=2 /avgdir="C:\Program Files\AVG\AV (the data entry has 83 more characters).
Winlogon\Notify\LMIinit: C:\WINDOWS\system32\LMIinit.dll [2014-01-20] (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <==== ATTENTION
HKU\S-1-5-21-799565685-2143723220-303131718-1145\...\Run: [MSMSGS] => "C:\Program Files\Messenger\msmsgs.exe" /background
HKU\S-1-5-21-799565685-2143723220-303131718-1145\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [7685808 2017-09-20] (Piriform Ltd)
HKU\S-1-5-21-799565685-2143723220-303131718-1145\...\Run: [eiMCvckBNJM] => "C:\Documents and Settings\Keith.patriotplastics\Application Data\Oracle\bin\javaw.exe" -jar "C:\Documents and Settings\Keith.patriotplastics\qkNLjFXydlV\lyEPHGwnzvh.mnxrgM"
HKU\S-1-5-21-799565685-2143723220-303131718-1145\...\Run: [WinPatrol] => C:\Program Files\WinPatrol Free Ruiware\winpatrol.exe
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\Av\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{E28DF2AB-EA1C-48E1-BCD6-758837D65A34}: [NameServer] 192.168.101.4,8.8.8.8

Internet Explorer:
==================
HKU\S-1-5-21-799565685-2143723220-303131718-1145\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.boston.com/
HKU\S-1-5-21-799565685-2143723220-303131718-1145\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxp://isearch.avg.com/search?cid={1DB0F4E5-3D17-4368-AEA4-1A995EBEDE89}&mid=e920423caa3676ec5e0c5198bdd21d38-aad196c280661481dd272b3efdf3a7009200c457&lang=en&ds=AVG&pr=pr&d=2012-10-19 10:46:43&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> {A531D99C-5A22-449b-83DA-872725C6D0ED} URL = hxxp://search.alot.com/web?q={searchTerms}
SearchScopes: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NS&chn=oem&geo=US&ver=22.10.0.85&locale=en_US&guid=1C75FB00-2486-44A7-B4DB-886994237A3A&doi=2016-09-01&gct=sb&qsrc=2869
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_151\bin\ssv.dll [2017-11-20] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_151\bin\jp2ssv.dll [2017-11-20] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default [2017-11-21]
FF Homepage: C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default -> hxxp://www.boston.com/
FF Extension: (Facebook Disconnect) - C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default\Extensions\facebook@disconnect.me.xpi [2016-04-27] [Lagacy]
FF Extension: (Flash Killer) - C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default\Extensions\flashkiller@joli.clic.xpi [2016-04-27] [Lagacy]
FF Extension: (Google Disconnect) - C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default\Extensions\google@disconnect.me.xpi [2016-04-27] [Lagacy]
FF Extension: (Flashblock) - C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-01-04] [Lagacy]
FF Extension: (__MSG_appName__) - C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}.xpi [2017-10-23]
FF Extension: (Adblock Plus) - C:\Documents and Settings\Keith.patriotplastics\Application Data\Mozilla\Firefox\Profiles\obhfu8ex.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-11-09]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-10-18] [Lagacy] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_27_0_0_187.dll [2017-11-14] ()
FF Plugin: @java.com/DTPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\dtplugin\npDeployJava1.dll [2017-11-20] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.151.2 -> C:\Program Files\Java\jre1.8.0_151\bin\plugin2\npjp2.dll [2017-11-20] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [272384 2017-11-14] (Adobe Systems Incorporated) [File not signed]
R2 avgfws; C:\Program Files\AVG\Av\avgfws.exe [1458352 2017-09-08] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files\AVG\Av\avgidsagent.exe [4153400 2017-09-08] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files\AVG\Framework\Common\avgsvcx.exe [935184 2016-12-06] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\Av\avgwdsvcx.exe [606352 2017-09-08] (AVG Technologies CZ, s.r.o.)
S3 getPlusHelper; C:\Program Files\NOS\bin\getPlus_Helper.dll [51168 2009-09-23] (NOS Microsystems Ltd.)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware Free\mbamservice.exe [4430792 2017-08-07] (Malwarebytes)
S3 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2009-10-19] (SolidWorks) [File not signed]
R2 TeamViewer; C:\Program Files\TeamViewer\TeamViewer_Service.exe [5611280 2015-08-07] (TeamViewer GmbH)
R2 vToolbarUpdater14.0.1; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe [945328 2013-01-15] ()

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AmdPPM; C:\WINDOWS\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
R1 Avgdiskx; C:\WINDOWS\System32\DRIVERS\avgdiskx.sys [134912 2016-05-13] (AVG Technologies CZ, s.r.o.)
R3 Avgfwdx; C:\WINDOWS\System32\DRIVERS\avgfwdx.sys [30944 2012-01-12] (AVG Technologies CZ, s.r.o.)
S3 Avgfwfd; C:\WINDOWS\System32\DRIVERS\avgfwdx.sys [30944 2012-01-12] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriverl; C:\WINDOWS\System32\DRIVERS\avgidsdriverlx.sys [247552 2017-03-23] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [220920 2017-09-04] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [31664 2015-11-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [244992 2016-11-30] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\WINDOWS\System32\DRIVERS\avglogx.sys [287008 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [197376 2017-04-11] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [47360 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [231680 2016-07-27] (AVG Technologies CZ, s.r.o.)
R0 avgunivx; C:\WINDOWS\System32\DRIVERS\avgunivx.sys [65280 2016-06-20] (AVG Technologies CZ, s.r.o.)
S0 cercsr6; C:\WINDOWS\system32\Drivers\cercsr6.sys [39904 2004-12-13] (Adaptec, Inc.) [File not signed]
R3 STHDA; C:\WINDOWS\System32\drivers\sthda.sys [1171464 2006-07-27] (SigmaTel, Inc.)
S1 avgtp; \??\C:\WINDOWS\system32\drivers\avgtpx86.sys [X]
S4 IntelIde; no ImagePath
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; no ImagePath
S3 NAVENG; \??\C:\Program Files\Norton Security\NortonData\22.9.1.12\Definitions\SDSDefs\20170413.007\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Norton Security\NortonData\22.9.1.12\Definitions\SDSDefs\20170413.007\NAVEX15.SYS [X]
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-21 20:20 - 2017-11-21 20:22 - 000013930 _____ C:\Documents and Settings\Keith.patriotplastics\Desktop\FRST.txt
2017-11-21 20:10 - 2017-11-21 20:20 - 000000000 ____D C:\FRST
2017-11-21 20:08 - 2017-11-21 19:54 - 001787904 _____ (Farbar) C:\Documents and Settings\Keith.patriotplastics\Desktop\FRST.exe
2017-11-21 20:07 - 2017-11-21 19:45 - 000899584 _____ C:\Documents and Settings\Keith.patriotplastics\Desktop\RGSA.exe
2017-11-21 13:35 - 2017-05-18 05:27 - 000000030 _____ C:\AVScanner.ini
2017-11-20 18:02 - 2017-11-20 18:02 - 000000000 ____D C:\Program Files\Common Files\Java
2017-11-20 17:17 - 2017-11-20 17:17 - 000000000 ____D C:\Documents and Settings\Keith.patriotplastics\My Documents\- LARGE items that were on DESKTOP
2017-11-20 16:52 - 2017-11-20 16:52 - 000000000 ____D C:\Documents and Settings\Keith.patriotplastics\My Documents\ProcessExplorer to Fix Svchost-exe High CPU Usage
2017-11-20 12:43 - 2017-11-20 12:43 - 000022212 ____H C:\WINDOWS\system32\mlfcache.dat
2017-11-20 10:48 - 2017-11-20 10:48 - 000246426 _____ C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\census.cache
2017-11-20 10:47 - 2017-11-20 10:47 - 000174912 _____ C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\ars.cache
2017-11-20 10:01 - 2017-11-20 10:01 - 000000036 _____ C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\housecall.guid.cache
2017-11-17 11:04 - 2017-11-17 11:05 - 000128594 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2017-11-17 08:07 - 2017-11-17 08:07 - 000001165 _____ C:\Documents and Settings\Keith.patriotplastics\Desktop\Install Kaspersky Free version 18.0.0.405.lnk
2017-11-16 12:18 - 2017-11-17 08:07 - 000000000 ____D C:\Documents and Settings\All Users\Kaspersky Lab Setup Files
2017-11-16 12:16 - 2017-11-16 12:16 - 002438712 _____ (Kaspersky Lab) C:\Documents and Settings\Keith.patriotplastics\Desktop\kfa18.0.0.405abcden_es_fr_13382.exe
2017-11-15 06:54 - 2017-11-15 09:20 - 000000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-21 20:25 - 2016-12-28 06:53 - 000000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-11-21 20:22 - 2009-10-19 18:15 - 000000000 ____D C:\Documents and Settings\Keith.patriotplastics\Local Settings\Temp
2017-11-21 20:17 - 2012-08-24 12:37 - 000000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2017-11-21 20:10 - 2014-03-17 05:58 - 000000222 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2017-11-21 20:04 - 2009-10-19 18:00 - 000081409 _____ C:\WINDOWS\system32\nvapps.xml
2017-11-21 20:01 - 2009-10-19 18:13 - 000000168 _____ C:\WINDOWS\system32\config\netlogon.ftl
2017-11-21 19:58 - 2012-08-24 12:37 - 000000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-11-21 19:47 - 2012-10-19 09:43 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2017-11-21 19:44 - 2017-10-12 05:28 - 000221112 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-11-21 19:43 - 2017-05-04 14:10 - 000000314 ____H C:\WINDOWS\Tasks\AVG EUpdate Task.job
2017-11-21 19:43 - 2009-10-19 17:56 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-11-21 19:40 - 2009-10-19 18:17 - 000000178 ___SH C:\Documents and Settings\Keith.patriotplastics\ntuser.ini
2017-11-21 19:40 - 2009-10-19 17:56 - 000032532 _____ C:\WINDOWS\SchedLgU.Txt
2017-11-21 13:46 - 2012-08-24 12:37 - 000000000 ____D C:\Program Files\Google
2017-11-21 13:37 - 2009-10-19 18:15 - 000000000 ____D C:\Documents and Settings\Keith.patriotplastics
2017-11-21 12:05 - 2009-10-19 13:38 - 000000000 ____D C:\WINDOWS\security
2017-11-20 18:18 - 2015-08-03 12:08 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Oracle
2017-11-20 18:09 - 2017-05-04 13:25 - 000000000 ____D C:\Program Files\Java
2017-11-20 18:07 - 2017-05-04 13:27 - 000000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Java
2017-11-20 17:44 - 2017-05-04 13:27 - 000095808 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll
2017-11-20 17:41 - 2017-05-04 13:27 - 000160256 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
2017-11-20 12:44 - 2017-04-13 11:48 - 000000000 ____D C:\Documents and Settings\Keith.patriotplastics\Start Menu\Programs\Norton
2017-11-20 12:44 - 2017-04-13 11:48 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2017-11-20 12:43 - 2017-04-13 11:48 - 000000930 _____ C:\Documents and Settings\Keith.patriotplastics\Desktop\Norton Installation Files.lnk
2017-11-20 11:17 - 2017-04-13 11:55 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\NortonInstaller
2017-11-20 06:05 - 2004-08-04 05:00 - 000002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-11-17 08:02 - 2009-10-19 13:38 - 000000000 ___HD C:\WINDOWS\inf
2017-11-16 12:18 - 2009-10-19 13:44 - 000000000 ____D C:\Documents and Settings\All Users
2017-11-16 11:15 - 2017-06-23 07:05 - 000000000 ____D C:\Program Files\Norton Security
2017-11-16 11:03 - 2009-10-19 18:14 - 000000000 __SHD C:\WINDOWS\CSC
2017-11-15 13:05 - 2014-06-24 11:32 - 000000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-11-14 09:25 - 2014-04-08 15:40 - 000803328 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2017-11-14 09:25 - 2012-02-16 12:56 - 000144896 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2017-11-14 09:25 - 2009-10-19 17:51 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-11-09 06:10 - 2014-03-17 05:58 - 000000216 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2017-11-08 13:49 - 2009-10-19 18:25 - 000000000 ____D C:\oestore
2017-11-06 06:24 - 2009-10-19 13:45 - 000572762 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-10-25 05:12 - 2017-10-12 05:29 - 000150816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2017-10-25 05:12 - 2017-10-12 05:28 - 000040384 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-10-24 12:53 - 2009-10-19 13:44 - 000000000 ____D C:\Documents and Settings

==================== Files in the root of some directories =======

2017-04-07 12:16 - 2017-04-14 06:09 - 000000000 _____ () C:\Documents and Settings\Keith.patriotplastics\TempWmicBatchFile.bat
2017-11-20 10:47 - 2017-11-20 10:47 - 000174912 _____ () C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\ars.cache
2017-11-20 10:48 - 2017-11-20 10:48 - 000246426 _____ () C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\census.cache
2009-11-04 12:28 - 2010-09-22 11:31 - 000006656 _____ () C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-11-20 10:01 - 2017-11-20 10:01 - 000000036 _____ () C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\housecall.guid.cache
2017-04-12 05:37 - 2017-04-12 05:37 - 000000000 _____ () C:\Documents and Settings\Keith.patriotplastics\Local Settings\Application Data\{1FE970E3-156B-48E1-872F-D4DA345591A3}

Some files in TEMP:
====================
2017-11-16 11:21 - 2017-11-16 11:21 - 000008728 _____ () C:\Documents and Settings\Keith.patriotplastics\Local Settings\Temp\BullseyeCoverage-2-x86.dll
2017-11-20 17:05 - 2017-11-20 17:06 - 001856576 _____ (Oracle Corporation) C:\Documents and Settings\Keith.patriotplastics\Local Settings\Temp\jre-8u151-windows-au.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Offline Blue55
Re: WinXP sp3 running SLOOOOWWW CPU flatlined SCgeneric Rmvd often
« Reply #1 on: November 22, 2017, 12:00:38 AM »
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 19-11-2017
Ran by keith (21-11-2017 20:32:50)
Running from C:\Documents and Settings\Keith.patriotplastics\Desktop
Microsoft Windows XP Professional Service Pack 3 (X86) (2009-10-19 22:55:09)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1275210071-630328440-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
ASPNET (S-1-5-21-1275210071-630328440-839522115-1005 - Limited - Enabled)
Guest (S-1-5-21-1275210071-630328440-839522115-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1275210071-630328440-839522115-1000 - Limited - Disabled)
Keith (S-1-5-21-1275210071-630328440-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Keith
SUPPORT_388945a0 (S-1-5-21-1275210071-630328440-839522115-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Business Edition (Enabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG AntiVirus Business Edition (Disabled) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM\...\{6D8D64BE-F500-55B6-705D-DFD08AFE0624}) (Version: 1.7.186 - Adobe Systems Incorporated) Hidden
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.7.186 - Adobe Systems Incorporated)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.2.8900 - Adobe Systems Inc.)
Adobe Download Manager (HKLM\...\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}) (Version: 1.6.2.48 - NOS Microsystems Ltd.)
Adobe Flash Player 27 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 27.0.0.187 - Adobe Systems Incorporated)
Adobe Flash Player 27 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 27.0.0.187 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Apple Application Support (HKLM\...\{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG (HKLM\...\{AF2F870E-DFB3-4E94-BC0C-0119609F6281}) (Version: 16.161.8039 - AVG Technologies) Hidden
AVG 2016 (HKLM\...\{43A28682-68D0-43A2-906A-126B40B1FFA7}) (Version: 16.0.4782 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 16.161.8039 - AVG Technologies)
Broadcom Gigabit Integrated Controller (HKLM\...\{7E369B27-13E2-41A5-9879-358EE1C8B5AD}) (Version: 9.02.06 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.35 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows5.0.0.0) (Version: 5.0.0.0 - Coupons.com Incorporated)
Dell Resource CD (HKLM\...\{FCD9CD52-7222-4672-94A0-A722BA702FD0}) (Version: 1.00.0000 - Dell Inc.)
FMW 1 (HKLM\...\{A2B92392-DC17-416B-88F6-A6A55E053E32}) (Version: 1.143.3 - AVG Technologies) Hidden
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
High Definition Audio Driver Package - KB835221 (HKLM\...\KB835221WXP) (Version: 20040219.000000 - Microsoft Corporation)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.37 - Irfan Skiljan)
Java 8 Update 151 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F32180151F0}) (Version: 8.0.1510.12 - Oracle Corporation)
Malwarebytes version 3.2.2.2029 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2029 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Base Smart Card Cryptographic Service Provider Package (HKLM\...\KB909520) (Version:  - Microsoft Corporation)
Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
Microsoft Office XP Professional with FrontPage (HKLM\...\{90280409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version:  - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 52.5.0 ESR (x86 en-US) (HKLM\...\Mozilla Firefox 52.5.0 ESR (x86 en-US)) (Version: 52.5.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 52.5.0.6520 - Mozilla)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
QuickTime (HKLM\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.4820.0 - SigmaTel)
SolidWorks eDrawings 2010 (HKLM\...\{10CF8B73-4BF5-4565-8F79-BD56600E4E09}) (Version: 10.0.727 - Dassault Systèmes SolidWorks Corp.)
SolidWorks eDrawings 2012 (HKLM\...\{AA70C64F-28D6-4014-8AB0-0C61ECFC7313}) (Version: 12.3.113 - Dassault Systèmes SolidWorks Corp.)
TeamViewer 10 (HKLM\...\TeamViewer) (Version: 10.0.45862 - TeamViewer)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WebFldrs XP (HKLM\...\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}) (Version: 9.50.7523 - Microsoft Corporation) Hidden
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Management Framework Core (HKLM\...\KB968930) (Version:  - Microsoft Corporation)
Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 11 (HKLM\...\Windows Media Player) (Version:  - )
Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers1: [AVG Shell Extension] -> {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} => C:\Program Files\AVG\Av\avgse.dll [2017-09-08] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes Anti-Malware Free\mbshlext.dll [2017-08-30] (Malwarebytes)
ContextMenuHandlers5: [00nView] -> {1E9B04FB-F9E5-4718-997B-B8DA88302A48} => C:\WINDOWS\system32\nvshell.dll [2006-10-03] ()
ContextMenuHandlers5: [NvCplDesktopContext] -> {A70C977A-BF00-412C-90B7-034C51DA2439} => C:\WINDOWS\system32\nvcpl.dll [2006-10-03] (NVIDIA Corporation)
ContextMenuHandlers6: [AVG Shell Extension] -> {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} => C:\Program Files\AVG\Av\avgse.dll [2017-09-08] (AVG Technologies CZ, s.r.o.)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes Anti-Malware Free\mbshlext.dll [2017-08-30] (Malwarebytes)

==================== Scheduled Tasks=============================

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\AVG EUpdate Task.job => C:\Program Files\AVG\SetupAVG Technologiesጏ耄0303
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job => C:\WINDOWS\system32\xp_eos.exe
Task: C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job => C:\WINDOWS\system32\xp_eos.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


Shortcut: C:\Documents and Settings\Keith.patriotplastics\NetHood\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.co

==================== Loaded Modules (Whitelisted) ==============

2005-01-21 13:55 - 2005-01-21 13:55 - 000094274 _____ () C:\WINDOWS\system32\HPBHealr.dll
2009-10-19 17:59 - 2006-10-03 13:07 - 000196608 _____ () C:\WINDOWS\system32\nvapi.dll
2013-01-15 07:04 - 2013-01-15 07:03 - 000945328 ____N () C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.0.1\ToolbarUpdater.exe
2009-10-19 17:59 - 2006-10-03 13:07 - 000466944 _____ () C:\WINDOWS\system32\nvshell.dll
2017-05-04 14:10 - 2016-06-23 14:07 - 048920064 _____ () C:\Program Files\AVG\UiDll\2623\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-04 05:00 - 2004-08-04 05:00 - 000000734 _____ C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-799565685-2143723220-303131718-1145\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\Soap Bubbles.bmp
DNS Servers: 192.168.101.4 - 8.8.8.8
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

DomainProfile\AuthorizedApplications: [C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe] => Enabled:WebKit
DomainProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
DomainProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\TeamViewer_Service.exe] => Enabled:Teamviewer Remote Control Service
DomainProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2015\avgmfapx.exe] => Enabled:AVG Installer
DomainProfile\AuthorizedApplications: [C:\Program Files\AVG\Av\avgmfapx.exe] => Enabled:AVG Installer
DomainProfile\AuthorizedApplications: [C:\Program Files\AVG\Av\avgnsx.exe] => Enabled:Online Shield
DomainProfile\AuthorizedApplications: [C:\Program Files\AVG\Av\avgwdsvcx.exe] => Enabled:AVG Remote Administration
DomainProfile\AuthorizedApplications: [C:\Program Files\AVG\Av\avgemcx.exe] => Enabled:Personal Email Scanner
DomainProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG9\avgam.exe] => Enabled:avgam.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG9\avgdiagex.exe] => Enabled:avgdiagex.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG9\avgemc.exe] => Enabled:avgemc.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG9\avgupd.exe] => Enabled:avgupd.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG9\avgnsx.exe] => Enabled:avgnsx.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgnsx.exe] => Enabled:Online Shield
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgdiagex.exe] => Enabled:AVG Diagnostics 2012
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgmfapx.exe] => Enabled:AVG Installer
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgemcx.exe] => Enabled:Personal E-mail Scanner
DomainProfile\GloballyOpenPorts: [5985:TCP] => Disabled:Windows Remote Management
DomainProfile\GloballyOpenPorts: [80:TCP] => Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/21/2017 06:42:41 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 06:38:46 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 04:52:49 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 04:39:14 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 03:12:57 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 03:07:48 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 02:21:52 PM) (Source: AutoEnrollment) (EventID: 15) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007003a).  The specified server cannot perform the requested operation.
  Enrollment will not be performed.

Error: (11/21/2017 01:30:05 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 01:19:21 PM) (Source: Userenv) (EventID: 1053) (User: NT AUTHORITY)
Description: Windows cannot determine the user or computer name. (The RPC server is unavailable. ). Group Policy processing aborted.

Error: (11/21/2017 12:29:01 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application firefox.exe, version 52.5.0.6520, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (11/21/2017 07:44:01 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (11/21/2017 07:44:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The LogMeIn Kernel Information Provider service failed to start due to the following error:
The system cannot find the path specified.

Error: (11/21/2017 07:44:00 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.

Error: (11/21/2017 09:49:03 AM) (Source: DCOM) (EventID: 10000) (User: patriotplastics)
Description: Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}.
The error:
"%%2 = The system cannot find the file specified."
Happened while starting this command:
C:\Program Files\Messenger\msmsgs.exe -Embedding

Error: (11/21/2017 08:37:54 AM) (Source: DCOM) (EventID: 10000) (User: patriotplastics)
Description: Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}.
The error:
"%%2 = The system cannot find the file specified."
Happened while starting this command:
C:\Program Files\Messenger\msmsgs.exe -Embedding

Error: (11/21/2017 08:13:20 AM) (Source: DCOM) (EventID: 10000) (User: patriotplastics)
Description: Unable to start a DCOM Server: {FB7199AB-79BF-11D2-8D94-0000F875C541}.
The error:
"%%2 = The system cannot find the file specified."
Happened while starting this command:
C:\Program Files\Messenger\msmsgs.exe -Embedding

Error: (11/21/2017 06:21:19 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/21/2017 06:21:04 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/21/2017 06:21:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The LogMeIn Kernel Information Provider service failed to start due to the following error:
The system cannot find the path specified.

Error: (11/21/2017 06:21:02 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
Access is denied.


==================== Memory info ===========================

Processor: AMD Athlon(tm) 64 Processor 3800+
Percentage of memory in use: 70%
Total physical RAM: 958.36 MB
Available physical RAM: 281.16 MB
Total Virtual: 2313.89 MB
Available Virtual: 1579.34 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:74.46 GB) (Free:29.61 GB) NTFS ==>[drive with boot components (Windows XP)]
Drive h: () (Network) (Total:33.91 GB) (Free:1.71 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
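
Two lines in the Addition.txt above deserve more than a scroll past: "Windows Firewall is disabled." and, under FirewallRules, Enabled AuthorizedApplications entries for C:\Program Files\AVG\AVG9\ and C:\Program Files\AVG\AVG2012\ alongside the current install in C:\Program Files\AVG\Av\. On XP SP3 an AuthorizedApplications entry is a path-based allow rule, and the AVG9/AVG2012 entries show that uninstalling a product does not take its rules with it. They lie dormant while the firewall is off, apply again the moment it is turned back on, and any executable later written to one of those paths inherits the exception. The block below is an added example (my own code, not FRST's and not something either poster ran) that parses FRST's FirewallRules lines and reports enabled per-application exceptions whose target no longer exists, the open-port entries, and how many allow rules each directory holds. The sample rules are a subset of the log above; the set of paths treated as present in the test is constructed, and on the machine itself you would leave the `exists` argument at its default of `os.path.exists`.

```python
"""Audit the FirewallRules section of an FRST Addition.txt for stale exceptions.

Added example, not FRST's code. It reads the rule lines FRST prints
(profile, kind, [target], state, name) and reports enabled per-application
allow entries whose executable is gone, plus globally open ports.
"""
import ntpath  # Windows path handling even when the audit runs on Linux/macOS
import os
import re
from typing import Callable, Dict, List, Tuple

RULE_RE = re.compile(
    r"^(?P<profile>\w+)\\(?P<kind>AuthorizedApplications|GloballyOpenPorts): "
    r"\[(?P<target>[^\]]+)\] => (?P<state>Enabled|Disabled):(?P<name>.*)$"
)

# Constructed sample: a subset of the FirewallRules lines from the Addition.txt above.
SAMPLE_RULES = r"""
DomainProfile\AuthorizedApplications: [C:\Program Files\TeamViewer\TeamViewer.exe] => Enabled:Teamviewer Remote Control Application
DomainProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2015\avgmfapx.exe] => Enabled:AVG Installer
DomainProfile\AuthorizedApplications: [C:\Program Files\AVG\Av\avgmfapx.exe] => Enabled:AVG Installer
DomainProfile\AuthorizedApplications: [C:\Program Files\Mozilla Firefox\firefox.exe] => Enabled:Firefox (C:\Program Files\Mozilla Firefox)
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG9\avgupd.exe] => Enabled:avgupd.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG9\avgnsx.exe] => Enabled:avgnsx.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgnsx.exe] => Enabled:Online Shield
StandardProfile\AuthorizedApplications: [C:\Program Files\AVG\AVG2012\avgmfapx.exe] => Enabled:AVG Installer
DomainProfile\GloballyOpenPorts: [5985:TCP] => Disabled:Windows Remote Management
DomainProfile\GloballyOpenPorts: [80:TCP] => Disabled:Windows Remote Management - Compatibility Mode (HTTP-In)
"""


def parse_rules(text: str) -> List[Dict[str, str]]:
    """One dict per rule line; headers, blanks and anything else are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def stale_app_exceptions(rules: List[Dict[str, str]],
                         exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Targets of enabled per-application allow rules whose executable is missing.

    `exists` is injectable so a log from another machine can be audited
    (the test passes a constructed set); on the machine itself use the default.
    """
    return sorted(r["target"] for r in rules
                  if r["kind"] == "AuthorizedApplications"
                  and r["state"] == "Enabled" and not exists(r["target"]))


def open_ports(rules: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(profile, port, state) for every globally open port, enabled or not."""
    return [(r["profile"], r["target"], r["state"])
            for r in rules if r["kind"] == "GloballyOpenPorts"]


def exception_dirs(rules: List[Dict[str, str]]) -> Dict[str, int]:
    """Allow rules per directory; several version folders of one product
    (AVG9, AVG2012, AVG2015, Av) point at uninstalls that left rules behind."""
    counts: Dict[str, int] = {}
    for r in rules:
        if r["kind"] == "AuthorizedApplications":
            d = ntpath.dirname(r["target"])
            counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for d, n in sorted(exception_dirs(rules).items()):
        print(f"{n:2d} allow rule(s) under {d}")
    for target in stale_app_exceptions(rules):
        print("stale exception:", target)
    for profile, port, state in open_ports(rules):
        print(f"{profile}: port {port} {state}")
```

Run it on the machine with the full FirewallRules section pasted into `SAMPLE_RULES` and it lists every exception whose executable is gone; those entries are the ones to delete in the Windows Firewall Exceptions tab before the firewall is re-enabled, and the per-directory counts show at a glance how many product generations have accumulated.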

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Posts: 18339
Re: WinXP sp3 running SLOOOOWWW CPU flatlined SCgeneric Rmvd often
« Reply #2 on: November 22, 2017, 12:31:56 AM »
When moving to the new computer, what files are being moved?  You're referring to documents and pictures that you'll copy to a CD/DVD or USB stick.  You won't be transferring any programs.  In fact, something to consider for the "new to you" Windows 7 computer -- looking at the "running processes", the program that seems to be a hog is the 12 processes by AVG.  As to the SCgeneric trojan, that false/positive was supposedly fixed by AVG in June. 

What you may want to do when you set up the new computer (or even before) is to post a fresh set of logs in a new topic just for a "quick check".  If it has programs like QuickTime (no longer supported) or Java or unnecessary toolbars, we can address that.

Running FRST "may" give you some breathing room.  It is merely set to remove left-over Norton files and some other old files.  One thing you should do first, however, is to enable System Restore.  FRST will then create a restore point prior to removing anything.

Please do the following to run FRST:

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Please select the entire contents of the code box below, from the "Start::" line to "End", including both lines.  Right-click and select "Copy".
Code: [Select]
Start::
CreateRestorePoint:
CloseProcesses:
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
S4 IntelIde; no ImagePath
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; no ImagePath
S3 NAVENG; \??\C:\Program Files\Norton Security\NortonData\22.9.1.12\Definitions\SDSDefs\20170413.007\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Norton Security\NortonData\22.9.1.12\Definitions\SDSDefs\20170413.007\NAVEX15.SYS [X]
U1 WS2IFSL; no ImagePath
2017-11-20 12:44 - 2017-04-13 11:48 - 000000000 ____D C:\Documents and Settings\Keith.patriotplastics\Start Menu\Programs\Norton
2017-11-20 12:44 - 2017-04-13 11:48 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2017-11-20 12:43 - 2017-04-13 11:48 - 000000930 _____ C:\Documents and Settings\Keith.patriotplastics\Desktop\Norton Installation Files.lnk
2017-11-20 11:17 - 2017-04-13 11:55 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\NortonInstaller
2017-11-16 11:15 - 2017-06-23 07:05 - 000000000 ____D C:\Program Files\Norton Security
EmptyTemp:
End::
  • Please right-click on FRST/FRST64 to run as administrator.  When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST/FRST64.exe
  • Please post the log in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Blue55

  • Full Member
  • Posts: 107
Re: WinXP sp3 running SLOOOOWWW CPU flatlined SCgeneric Rmvd often
« Reply #3 on: November 22, 2017, 04:22:58 AM »
I couldn't get it to enable restore points and I’m in a hurry, so I removed that one line. I just flew without a net.
You said to copy from Start to End inclusive but didn’t say where to paste it. I gathered that I should make a fixlist.txt doc on the desktop like was mentioned at the end and pasted it in there.
Also I don’t think I got it to run as admin so I ran it as User and hit the fourth button that said “Fix”.  Maybe an XP thing.
It did something that took ages.
At one point AVG alerted to frst.exe as a threat. I chose to NOT protect me and allow it as an exception.
-
After the restart, it was still sloooww. I had seen SCGeneric from 2 consecutive AVG scans a couple months ago.
Also after the restart, I double checked that AVG was updated -it was. I also just now looked at the Nov15 and the Nov20 AVG scans. Both times it saw SCGenric2.BZPJ .  It said it had healed it successfully (and yet did the same thing 5 days later). It opens a SCGeneric web page but in the program it says SCGenric2.BZPJ specifically. I don't know if that matters. It said it was EMBEDDED into JAVA Update Jusched.exe [3372]. Hmmm.
I didn't like the sounds of that so I ripped off Java. Uninstalled. JAVA icon gone in control panel. ProgFiles Common- no Java folder. ATF cleaner.  It may have been a bit better but not impressive. Anytime it takes me more than 45 minutes to open Firefox, I am not impressed. But it did open and I put Java back on. Should I run another scan ?

Oh, I removed Quicktime. I didn't see those other programs.
When I was trying to open AVG and look at the scan results again and it was ignoring me, I had it up to about 30 AVG processes at one point.  :( 
He probably won't be moving programs. Bookmarks, documents and Emails mostly I think.

Fix result of Farbar Recovery Scan Tool (x86) Version: 19-11-2017
Ran by keith (21-11-2017 22:44:08) Run:1
Running from C:\Documents and Settings\Keith.patriotplastics\Desktop
Loaded Profiles: keith (Available Profiles: Keith & Administrator & keith & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CloseProcesses:
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File
S4 IntelIde; no ImagePath
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; no ImagePath
S3 NAVENG; \??\C:\Program Files\Norton Security\NortonData\22.9.1.12\Definitions\SDSDefs\20170413.007\NAVENG.SYS [X]
S3 NAVEX15; \??\C:\Program Files\Norton Security\NortonData\22.9.1.12\Definitions\SDSDefs\20170413.007\NAVEX15.SYS [X]
U1 WS2IFSL; no ImagePath
2017-11-20 12:44 - 2017-04-13 11:48 - 000000000 ____D C:\Documents and Settings\Keith.patriotplastics\Start Menu\Programs\Norton
2017-11-20 12:44 - 2017-04-13 11:48 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\Norton
2017-11-20 12:43 - 2017-04-13 11:48 - 000000930 _____ C:\Documents and Settings\Keith.patriotplastics\Desktop\Norton Installation Files.lnk
2017-11-20 11:17 - 2017-04-13 11:55 - 000000000 ____D C:\Documents and Settings\All Users\Application Data\NortonInstaller
2017-11-16 11:15 - 2017-06-23 07:05 - 000000000 ____D C:\Program Files\Norton Security
EmptyTemp:

*****************

Processes closed successfully.
HKU\S-1-5-21-799565685-2143723220-303131718-1145\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => value removed successfully.
HKLM\Software\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => key not found.
HKU\S-1-5-21-799565685-2143723220-303131718-1145\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value removed successfully.
HKLM\Software\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => key removed successfully.
HKU\S-1-5-21-799565685-2143723220-303131718-1145\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully.
HKLM\Software\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
HKLM\Software\Classes\PROTOCOLS\Handler\linkscanner => key removed successfully.
HKLM\Software\Classes\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => key not found.
HKLM\System\CurrentControlSet\Services\IntelIde => key removed successfully.
IntelIde => service removed successfully.
HKLM\System\CurrentControlSet\Services\LMIInfo => key removed successfully.
LMIInfo => service removed successfully.
HKLM\System\CurrentControlSet\Services\LMIRfsClientNP => key removed successfully.
LMIRfsClientNP => service removed successfully.
HKLM\System\CurrentControlSet\Services\NAVENG => key removed successfully.
NAVENG => service removed successfully.
HKLM\System\CurrentControlSet\Services\NAVEX15 => key removed successfully.
NAVEX15 => service removed successfully.
HKLM\System\CurrentControlSet\Services\WS2IFSL => key removed successfully.
WS2IFSL => service removed successfully.
C:\Documents and Settings\Keith.patriotplastics\Start Menu\Programs\Norton => moved successfully
C:\Documents and Settings\All Users\Application Data\Norton => moved successfully
C:\Documents and Settings\Keith.patriotplastics\Desktop\Norton Installation Files.lnk => moved successfully
C:\Documents and Settings\All Users\Application Data\NortonInstaller => moved successfully
C:\Program Files\Norton Security => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 1044471 B
Java, Flash, Steam htmlcache => 466601 B
Windows/system/dllcache/drivers => 928929 B
Edge => 0 B
Chrome => 0 B
Firefox => 20464167 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 16677 B
All Users => 0 B
systemprofile => 315027491 B
LocalService => 66164 B
NetworkService => 66164 B
Keith => 65979 B
LogMeInRemoteUser => 16677 B
Administrator => 16677 B
Keith.patriotplastics => 89978064 B
administrator.patriotplastics => 65979 B

RecycleBin => 0 B
EmptyTemp: => 408.4 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 23:05:26 ====
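
A note on the mechanics, since the question of where to paste the script came up: FRST reads fixlist.txt from the same folder as FRST.exe (the folder it also writes fixlog.txt into), and it echoes the fixlist it actually ran between two rows of asterisks at the top of fixlog.txt. That echo is the thing to check against the script that was posted, because, as happened here, a directive can be dropped before the run; with CreateRestorePoint: removed and System Restore disabled, every removal in the fixlog was made with no way back. The block below is an added example (my own code, not FRST's and not something either poster ran) that reconciles a posted fixlist with the fixlog: for each directive it checks that FRST echoed it and that the matching result line ("value removed successfully", "service removed successfully", "moved successfully", and so on) is present. The two inputs are constructed, abridged copies of the fixlist in Reply #2 and the fixlog above; the wording expected for a successful CreateRestorePoint: is my assumption, since no restore point was created on this page.

```python
"""Reconcile an FRST fixlist with the fixlog.txt it produced.

Added example, not FRST's code. For every directive in the posted script it
checks (a) that FRST echoed the directive in the fixlist it ran, and (b) that
the result line FRST writes on success is present in the fixlog.
"""
import re
from typing import Dict, List, Optional

SERVICE_RE = re.compile(r"^[SRU]\d\s+(\w+);")                # e.g. "S2 LMIInfo; ..."
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
FILE_RE = re.compile(                                         # FRST file/dir listing line
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d{9} \w{5} (.+)$")
RULER_RE = re.compile(r"^\*{5,}\s*$", re.M)                   # rows of asterisks in fixlog

# Constructed samples, abridged from the fixlist in Reply #2 and the fixlog above.
# The echoed fixlist lacks CreateRestorePoint:, which was removed before the run.
POSTED_FIXLIST = r"""
Start::
CreateRestorePoint:
CloseProcesses:
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
U1 WS2IFSL; no ImagePath
2017-11-16 11:15 - 2017-06-23 07:05 - 000000000 ____D C:\Program Files\Norton Security
EmptyTemp:
End::
"""

FIXLOG = r"""
fixlist content:
*****************
CloseProcesses:
Toolbar: HKU\S-1-5-21-799565685-2143723220-303131718-1145 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
U1 WS2IFSL; no ImagePath
2017-11-16 11:15 - 2017-06-23 07:05 - 000000000 ____D C:\Program Files\Norton Security
EmptyTemp:

*****************

Processes closed successfully.
HKU\S-1-5-21-799565685-2143723220-303131718-1145\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => value removed successfully.
HKLM\Software\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => key not found.
HKLM\Software\Classes\PROTOCOLS\Handler\linkscanner => key removed successfully.
HKLM\Software\Classes\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => key not found.
HKLM\System\CurrentControlSet\Services\LMIInfo => key removed successfully.
LMIInfo => service removed successfully.
HKLM\System\CurrentControlSet\Services\WS2IFSL => key removed successfully.
WS2IFSL => service removed successfully.
C:\Program Files\Norton Security => moved successfully
EmptyTemp: => 408.4 MB temporary data Removed.
"""


def _norm(line: str) -> str:
    """Collapse runs of whitespace; forum rendering changes double spaces."""
    return " ".join(line.split())


def expected_evidence(directive: str) -> Optional[str]:
    """Substring fixlog.txt contains when `directive` succeeded; None for markers."""
    d = _norm(directive)
    if d in ("", "Start::", "End::"):
        return None
    if d == "CreateRestorePoint:":
        return "Restore point was successfully created"  # assumed wording, not on this page
    if d == "CloseProcesses:":
        return "Processes closed successfully"
    if d == "EmptyTemp:":
        return "EmptyTemp: =>"
    if d.startswith("Toolbar:"):
        g = GUID_RE.search(d)
        return f"{g.group(0)} => value removed successfully" if g else d
    if d.startswith("Handler:"):
        name = d.split(":", 1)[1].split("-", 1)[0].strip()
        return f"Handler\\{name} => key removed successfully"
    m = SERVICE_RE.match(d)
    if m:
        return f"{m.group(1)} => service removed successfully"
    m = FILE_RE.match(d)
    if m:
        return f"{m.group(1)} => moved successfully"
    return d  # unknown directive type: at least require FRST to have echoed it


def fixlist_as_run(fixlog: str) -> List[str]:
    """Directives FRST echoed between the two asterisk rulers at the top of fixlog.txt."""
    parts = RULER_RE.split(fixlog)
    if len(parts) < 3:
        return []
    return [_norm(ln) for ln in parts[1].splitlines() if ln.strip()]


def reconcile(posted_fixlist: str, fixlog: str) -> Dict[str, str]:
    """Map each directive to 'done', 'not actioned' or 'dropped from fixlist'."""
    ran = set(fixlist_as_run(fixlog))
    status: Dict[str, str] = {}
    for line in posted_fixlist.splitlines():
        evidence = expected_evidence(line)
        if evidence is None:
            continue
        d = _norm(line)
        if d not in ran:
            status[d] = "dropped from fixlist"
        elif evidence in fixlog:
            status[d] = "done"
        else:
            status[d] = "not actioned"
    return status


if __name__ == "__main__":
    for directive, result in reconcile(POSTED_FIXLIST, FIXLOG).items():
        print(f"{result:22s} {directive}")
```

Paste the full posted script into `POSTED_FIXLIST` and the full fixlog.txt into `FIXLOG` and the output is one line per directive; anything other than "done" is what to raise in the next reply before assuming the fix took.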

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Posts: 18339
Re: WinXP sp3 running SLOOOOWWW CPU flatlined SCgeneric Rmvd often
« Reply #4 on: November 22, 2017, 01:12:46 PM »
Actually, removing Java was a good decision -- reinstalling it, not so good. :D  The reason is that there are very few reasons why Java is needed on a personal computer. If it is on the Windows 7 computer, I encourage you to uninstall it.

Any programs that are not initially on the Windows 7 computer will need to be downloaded and installed, not transferred from XP.  This will include CCleaner, Firefox ESR (since the extensions Keith uses are "legacy" and not available with the change to extensions), IrfanView (if it is still used), Malwarebytes, SolidWorks eDrawings and, of course, antivirus software.  Note:  If you elect to continue with AVG, first check that another antivirus software isn't installed on the computer.

Microsoft Office XP Professional with FrontPage:  Obviously, this is no longer supported and I don't believe it included a program for managing email nor do I see another email program installed.  Thus, if Keith uses an online mail service, he will merely need to log on to that account from the new computer to access his email.

As I indicated last night, documents can be copied to CD/DVD or USB.  Do you know how to back up Bookmarks?  The Bookmarks can also be added to the same media as the documents.

One thing that could help in speeding up the computer while copying documents and bookmarks is to disable (or uninstall) AVG as long as the computer isn't connected to the internet.  Other than that, I don't believe there is much more that can be done for this old computer.  IMO, the sooner you move to the new PC, the better.  :)
