LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Ghost on September 17, 2015, 12:43:42 AM

Title: Windows XP Home may have infections?
Post by: Ghost on September 17, 2015, 12:43:42 AM
Hi all,
A friend of a friend was given this tower. I believe it was bought at a storage locker sale.
I have run Malwarebytes twice and found nothing, but I would like someone to check the 2 initial scans.
Thank you.
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:15-09-2015
Ran by coolcee (administrator) on BIGCEE (16-09-2015 20:34:27)
Running from C:\Documents and Settings\coolcee\Desktop
Loaded Profiles: coolcee (Available Profiles: coolcee)
Platform: Microsoft Windows XP Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Intel Corporation) C:\WINDOWS\system32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\system32\igfxpers.exe
(Sun Microsystems, Inc.) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
(Sonic Solutions) C:\WINDOWS\system32\dla\tfswctrl.exe
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
() C:\Program Files\Dell\Media Experience\DMXLauncher.exe
(Corel, Inc.) C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
(Oracle Corporation) C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1404928 2004-10-14] (Analog Devices, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [IntelMeM] => C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [221184 2003-09-03] (Intel Corporation)
HKLM\...\Run: [DVDLauncher] => C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [53248 2005-02-23] (CyberLink Corp.)
HKLM\...\Run: [dla] => C:\WINDOWS\system32\dla\tfswctrl.exe [127035 2004-12-06] (Sonic Solutions)
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [249856 2005-06-10] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-06-10] (InstallShield Software Corporation)
HKLM\...\Run: [DMXLauncher] => C:\Program Files\Dell\Media Experience\DMXLauncher.exe [86016 2005-01-27] ()
HKLM\...\Run: [Corel Photo Downloader] => C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe [106496 2005-08-31] (Corel, Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1694208 2004-10-13] (Microsoft Corporation)
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\...\InprocServer32: [Default-pngfilt] C:\DOCUME~1\coolcee\LOCALS~1\Temp\1D98.dmp <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{75D03F2D-E30E-4884-BCD2-54466CAEBB5D}: [DhcpNameServer] 75.75.76.76 75.75.75.75

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/dell?hl=en
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/dell?hl=en
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com/hws/sb/dell/en/side.html
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.google.com/hws/sb/dell/en/side.html
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/dell?hl=en
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
URLSearchHook: HKU\S-1-5-21-1465688935-4282910304-3035079473-1006 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03] (Adobe Systems Incorporated)
BHO: DriveLetterAccess -> {5CA3D70E-1895-11CF-8E15-001234567890} -> C:\WINDOWS\system32\dla\tfswshx.dll [2004-12-06] (Sonic Solutions)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll [2012-04-04] (Oracle Corporation)
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No File
BHO: CBrowserHelperObject Object -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} -> c:\Program Files\GoogleAFE\GoogleAE.dll [2005-12-08] (Google)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll [2012-04-04] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-1465688935-4282910304-3035079473-1006 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1384024254810
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

FireFox:
========
FF ProfilePath: C:\Documents and Settings\coolcee\Application Data\Mozilla\Firefox\Profiles\websroo9.default
FF Homepage: hxxp://www.bing.com/
FF Plugin: @java.com/DTPlugin,version=10.4.1 -> C:\WINDOWS\system32\npDeployJava1.dll [2012-04-04] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.4.1 -> C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll [2012-04-04] (Oracle Corporation)
FF Extension: AboutPlug - C:\Documents and Settings\coolcee\Application Data\Mozilla\Firefox\Profiles\websroo9.default\Extensions\{C49B68AC-0D21-40A7-9EE0-77D822273103}.xpi [2015-09-16]
FF Extension: Adblock Plus - C:\Documents and Settings\coolcee\Application Data\Mozilla\Firefox\Profiles\websroo9.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-09-16]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aspnet_state; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [32768 2004-07-15] (Microsoft Corporation) [File not signed]
R2 JavaQuickStarterService; C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe [161664 2012-04-04] (Oracle Corporation)
S4 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-06-18] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S3 NetSvc; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [143360 2003-12-17] (Intel(R) Corporation) [File not signed]
S2 0002181442429379mcinstcleanup; C:\DOCUME~1\coolcee\LOCALS~1\Temp\000218~1.EXE -cleanup -nolog [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 abp480n5; C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS [23552 2001-08-17] (Microsoft Corporation)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R0 drvmcdb; C:\WINDOWS\System32\drivers\drvmcdb.sys [87488 2004-12-01] (Sonic Solutions) [File not signed]
R2 drvnddm; C:\WINDOWS\System32\drivers\drvnddm.sys [40480 2004-11-23] (Sonic Solutions) [File not signed]
R3 IntelC51; C:\WINDOWS\System32\DRIVERS\IntelC51.sys [1233525 2004-03-06] (Intel Corporation)
R3 IntelC52; C:\WINDOWS\System32\DRIVERS\IntelC52.sys [647929 2004-03-06] (Intel Corporation)
R3 IntelC53; C:\WINDOWS\System32\DRIVERS\IntelC53.sys [61157 2004-06-16] (Intel Corporation)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
R3 mohfilt; C:\WINDOWS\System32\DRIVERS\mohfilt.sys [37048 2004-03-06] (Intel Corporation)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
R0 PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [20640 2005-04-25] (Sonic Solutions) [File not signed]
S3 SDDMI2; C:\WINDOWS\system32\DDMI2.sys [6977 2004-06-09] (Gteko Ltd.) [File not signed]
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
R1 sscdbhk5; C:\WINDOWS\System32\drivers\sscdbhk5.sys [5627 2004-07-14] (Sonic Solutions) [File not signed]
R1 ssrtln; C:\WINDOWS\System32\drivers\ssrtln.sys [23545 2004-07-14] (Sonic Solutions) [File not signed]
R2 tfsnboio; C:\WINDOWS\System32\dla\tfsnboio.sys [25883 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsncofs; C:\WINDOWS\System32\dla\tfsncofs.sys [34843 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsndrct; C:\WINDOWS\System32\dla\tfsndrct.sys [4123 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsndres; C:\WINDOWS\System32\dla\tfsndres.sys [2239 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsnifs; C:\WINDOWS\System32\dla\tfsnifs.sys [86586 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsnopio; C:\WINDOWS\System32\dla\tfsnopio.sys [15227 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsnpool; C:\WINDOWS\System32\dla\tfsnpool.sys [6363 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsnudf; C:\WINDOWS\System32\dla\tfsnudf.sys [98714 2004-12-06] (Sonic Solutions) [File not signed]
R2 tfsnudfa; C:\WINDOWS\System32\dla\tfsnudfa.sys [100603 2004-12-06] (Sonic Solutions) [File not signed]
S3 bvrp_pci; no ImagePath
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S3 wanatw; system32\DRIVERS\wanatw4.sys [X]
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-16 20:34 - 2015-09-16 20:35 - 00011173 _____ C:\Documents and Settings\coolcee\Desktop\FRST.txt
2015-09-16 20:34 - 2015-09-16 20:34 - 00000000 ____D C:\FRST
2015-09-16 20:33 - 2015-09-16 20:33 - 01695232 _____ (Farbar) C:\Documents and Settings\coolcee\Desktop\FRST.exe
2015-09-16 17:40 - 2015-09-16 17:40 - 00001084 _____ C:\Documents and Settings\coolcee\Desktop\checkup.txt
2015-09-16 17:33 - 2015-09-16 17:33 - 00852704 _____ C:\Documents and Settings\coolcee\Desktop\SecurityCheck.exe
2015-09-16 16:53 - 2015-09-16 19:53 - 00098520 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-09-16 16:53 - 2015-09-16 16:56 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2015-09-16 16:52 - 2015-09-16 16:56 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-09-16 16:52 - 2015-09-16 16:52 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2015-09-16 16:52 - 2015-06-18 08:41 - 00121560 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-09-16 16:52 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-09-16 16:49 - 2015-09-16 16:49 - 00000687 _____ C:\Documents and Settings\coolcee\Desktop\Shortcut to PowerDefragmenter.lnk
2015-09-16 16:47 - 2015-09-16 16:49 - 00000000 ____D C:\Program Files\Power Defrag
2015-09-16 16:47 - 2015-09-16 16:47 - 00000000 ____D C:\Program Files\7-Zip
2015-09-16 16:47 - 2015-09-16 16:47 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\7-Zip
2015-09-16 16:34 - 2015-09-16 16:34 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-09-16 16:27 - 2015-09-16 16:27 - 00000730 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
2015-09-16 16:27 - 2015-09-16 16:27 - 00000724 _____ C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
2015-09-16 16:27 - 2015-09-16 16:27 - 00000000 ____D C:\Documents and Settings\coolcee\Local Settings\Application Data\Mozilla
2015-09-16 16:27 - 2015-09-16 16:27 - 00000000 ____D C:\Documents and Settings\coolcee\Application Data\Mozilla
2015-09-16 16:26 - 2015-09-16 16:34 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-09-16 16:12 - 2013-10-13 16:47 - 115025336 _____ C:\Documents and Settings\coolcee\Desktop\avira_free_antivirus_en.exe
2015-09-16 14:33 - 2015-09-16 14:33 - 00001548 _____ C:\Documents and Settings\coolcee\Desktop\CCleaner.lnk
2015-09-16 14:33 - 2015-09-16 14:33 - 00000000 ____D C:\Documents and Settings\coolcee\Start Menu\Programs\CCleaner
2015-09-16 14:32 - 2015-09-16 14:33 - 00000000 ____D C:\Program Files\CCleaner
2015-09-16 14:28 - 2015-09-16 14:28 - 00000917 _____ C:\Documents and Settings\coolcee\Desktop\Revo Uninstaller.lnk
2015-09-16 14:28 - 2015-09-16 14:28 - 00000000 ____D C:\Program Files\VS Revo Group
2015-09-16 14:27 - 2009-10-10 11:00 - 00271872 _____ (OldTimer Tools) C:\Documents and Settings\coolcee\Desktop\TFC.exe
2015-09-16 14:27 - 2007-11-21 18:18 - 00577088 _____ (Microsoft Corporation ) C:\Documents and Settings\coolcee\Desktop\TweakUiPowertoySetup.exe
2015-09-16 14:27 - 2006-08-19 06:13 - 00935026 _____ C:\Documents and Settings\coolcee\Desktop\spywareguardsetupmin.exe
2015-09-16 14:27 - 2006-07-20 17:23 - 09114776 _____ C:\Documents and Settings\coolcee\Desktop\sygate552710.exe
2015-09-16 14:26 - 2015-01-30 19:58 - 04095448 _____ (BrightFort LLC ) C:\Documents and Settings\coolcee\Desktop\spywareblastersetup50.exe
2015-09-16 14:26 - 2015-01-30 19:50 - 20447072 _____ (Malwarebytes Corporation ) C:\Documents and Settings\coolcee\Desktop\mbam-setup-2.0.4.1028.exe
2015-09-16 14:25 - 2007-04-24 12:19 - 00050688 _____ (Atribune.org) C:\Documents and Settings\coolcee\Desktop\ATF-Cleaner.exe
2015-09-15 22:11 - 2015-09-15 22:11 - 00002259 _____ C:\Documents and Settings\All Users\Desktop\Play Polar Golfer.lnk
2015-09-15 19:40 - 2015-09-15 19:40 - 00002250 _____ C:\Documents and Settings\All Users\Desktop\Play Blasterball 2.lnk
2015-09-15 18:25 - 2004-08-04 00:56 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\hidserv.dll
2015-09-15 18:25 - 2004-08-04 00:56 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidserv.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-16 20:35 - 2012-01-11 11:50 - 00000000 ____D C:\Documents and Settings\coolcee\Local Settings\Temp
2015-09-16 20:24 - 2012-01-11 11:50 - 00000000 ____D C:\Documents and Settings\coolcee
2015-09-16 20:17 - 2004-08-10 15:08 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-09-16 20:17 - 2004-08-10 14:59 - 00000159 ____N C:\WINDOWS\wiadebug.log
2015-09-16 20:17 - 2004-08-10 14:59 - 00000049 ____N C:\WINDOWS\wiaservc.log
2015-09-16 20:15 - 2012-01-11 11:50 - 00000178 ___SH C:\Documents and Settings\coolcee\ntuser.ini
2015-09-16 20:15 - 2004-08-10 15:08 - 00032354 ____N C:\WINDOWS\SchedLgU.Txt
2015-09-16 17:25 - 2013-11-09 16:02 - 00000426 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{7BB9EFBE-0EB2-4B05-A0C7-DE9E7907DF5E}.job
2015-09-16 17:22 - 2012-01-11 11:50 - 00001513 _____ C:\Documents and Settings\coolcee\Start Menu\Programs\Notepad.lnk
2015-09-16 17:22 - 2012-01-11 11:50 - 00000000 ___RD C:\Documents and Settings\coolcee\Start Menu\Programs\Accessories
2015-09-16 16:17 - 2012-04-30 13:35 - 00005852 ___SH C:\WINDOWS\system32\KGyGaAvL.sys
2015-09-16 16:17 - 2012-04-30 13:35 - 00000104 __RSH C:\WINDOWS\system32\83714DDF86.sys
2015-09-16 16:02 - 2006-01-28 19:06 - 00000000 ____D C:\WINDOWS\occache
2015-09-16 16:01 - 2006-01-28 19:06 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\QuickTime
2015-09-16 16:01 - 2006-01-28 19:05 - 00000000 ____D C:\Program Files\Common Files\Real
2015-09-16 16:00 - 2006-01-28 19:06 - 00000000 ____D C:\WINDOWS\system32\QuickTime
2015-09-16 15:56 - 2012-01-11 11:50 - 00000000 ___HD C:\Documents and Settings\coolcee\Application Data\Gtek
2015-09-16 15:56 - 2006-01-28 19:09 - 00000000 ____D C:\Documents and Settings\Default User\Application Data\Gtek
2015-09-15 22:11 - 2006-01-28 19:09 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Dell Games
2015-09-15 19:36 - 2006-01-28 19:12 - 00002399 _____ C:\Documents and Settings\All Users\Desktop\Corel Photo Album 6.lnk
2015-09-14 13:36 - 2004-08-10 14:51 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl

==================== Files in the root of some directories =======

2013-12-14 17:28 - 2013-12-14 17:28 - 0012358 _____ () C:\Documents and Settings\coolcee\Application Data\PFP120JCM.{PB
2013-12-14 17:28 - 2013-12-14 17:28 - 0061678 _____ () C:\Documents and Settings\coolcee\Application Data\PFP120JPR.{PB
2015-06-16 07:30 - 2015-06-16 07:30 - 0003584 _____ () C:\Documents and Settings\coolcee\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-02-25 22:25 - 2013-02-25 22:25 - 0000130 _____ () C:\Documents and Settings\coolcee\Local Settings\Application Data\fusioncache.dat

ZeroAccess:
C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c}
C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c}\L\201d3dde

ZeroAccess:
C:\Documents and Settings\coolcee\Local Settings\Application Data\{36d3a9c1-8100-9073-73a4-b6855f7d838c}

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:15-09-2015
Ran by coolcee (2015-09-16 20:35:37)
Running from C:\Documents and Settings\coolcee\Desktop
Microsoft Windows XP Service Pack 2 (X86) (2012-01-11 15:50:29)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1465688935-4282910304-3035079473-500 - Administrator - Enabled)
coolcee (S-1-5-21-1465688935-4282910304-3035079473-1006 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\coolcee
Guest (S-1-5-21-1465688935-4282910304-3035079473-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1465688935-4282910304-3035079473-1005 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1465688935-4282910304-3035079473-1002 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)


==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 4.42 (HKLM\...\7-Zip) (Version:  - )
Adobe Acrobat - Reader 6.0.2 Update (HKLM\...\{AC76BA86-0000-0000-0000-6028747ADE01}) (Version: 6.0.2 - Adobe Systems)
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.1.102.55 - Adobe Systems Incorporated)
Adobe Reader 6.0.1 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A00000000001}) (Version: 006.000.001 - Adobe Systems Incorporated)
AOLIcon (Version: 1.00.0000 - Dell) Hidden
Banctec Service Agreement (HKLM\...\{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}) (Version: 1.11.0000 - Dell)
Blasterball 2 (HKLM\...\D1A6F3FD-7B40-443F-8767-BADB25A0D222) (Version: 09/20/2005  11:55 AM - WildTangent)
CCleaner (remove only) (HKLM\...\CCleaner) (Version:  - )
Corel Paint Shop Pro X (HKLM\...\{1A15507A-8551-4626-915D-3D5FA095CC1B}) (Version: 10.0 - Corel Inc)
Corel Photo Album 6 (HKLM\...\{8A9B8148-DDD7-448F-BD6C-358386D32354}) (Version: 6.00 - Corel, Inc.)
Dell Digital Jukebox Driver (HKLM\...\Dell Digital Jukebox Driver) (Version:  - )
Dell Driver Reset Tool (HKLM\...\{5905F42D-3F5F-4916-ADA6-94A3646AEE76}) (Version: 1.02.0000 - Dell Inc.)
Dell Game Console (HKLM\...\Dell Game Console) (Version:  - WildTangent)
Dell Media Experience (HKLM\...\{AC0EE5B0-A8FB-4D0A-AF03-2EDC518F841B}) (Version: 3.00 - Dell)
Dell System Restore (HKLM\...\{74F7662C-B1DB-489E-A8AC-07A06B24978B}) (Version: 2.00.0000 - Dell Inc.)
Digital Content Portal (HKLM\...\{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}) (Version: 1.00.0000 - Dell)
EducateU (HKLM\...\{A683A2C0-821C-486F-858C-FA634DB5E864}) (Version: 1.00.0000 - Dell)
ELIcon (Version: 1.00.0000 - Dell) Hidden
Google AFE (HKLM\...\{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}) (Version:  - )
Intel(R) 537EP V9x DF PCI Modem (HKLM\...\Intel(R) 537EP V9x DF PCI Modem) (Version:  - )
Intel(R) Extreme Graphics 2 Driver (HKLM\...\{8A708DD8-A5E6-11D4-A706-000629E95E20}) (Version: 6.14.10.4299 - )
Intel(R) PRO Network Adapters and Drivers (HKLM\...\PROSet) (Version:  - )
Intel(R) PROSet for Wired Connections (HKLM\...\{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}) (Version: 8.00.5000 - Dell)
Java 2 Runtime Environment, SE v1.4.2_03 (HKLM\...\{7148F0A8-6813-11D6-A77B-00B0D0142030}) (Version: 1.4.2_03 - Sun Microsystems, Inc.)
Java(TM) 7 Update 4 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217004FF}) (Version: 7.0.40 - Oracle)
JavaFX 2.1.0 (HKLM\...\{1111706F-666A-4037-7777-210328764D10}) (Version: 2.1.0 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft Plus! Digital Media Edition Installer (HKLM\...\{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}) (Version: 1.1.0.3514 - Microsoft Corporation)
Microsoft Plus! Photo Story 2 LE (HKLM\...\{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}) (Version: 1.1.0.3463 - Microsoft Corporation)
Modem Event Monitor (HKLM\...\{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}) (Version:  - )
Modem Helper (HKLM\...\{7F142D56-3326-11D5-B229-002078017FBF}) (Version: 2.40 - BVRP Software)
Modem On Hold (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 1.12 - BVRP Software, Inc)
Mozilla Firefox 40.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 40.0.3 (x86 en-US)) (Version: 40.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 40.0.3 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Photo Click (HKLM\...\{6E179C77-7335-458D-9537-4F4EAC0181ED}) (Version: 1.0.0 - Photo Click)
Polar Bowler (HKLM\...\26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3) (Version: 09/21/2005  06:04 PM - WildTangent)
Polar Golfer (HKLM\...\651956B7-1969-42AA-9453-E0B813019D54) (Version: 09/20/2005  12:01 AM - WildTangent)
PowerDVD 5.5 (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version:  - )
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Sonic DLA (HKLM\...\{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}) (Version: 4.95 - Sonic Solutions)
Sonic RecordNow Audio (HKLM\...\{AB708C9B-97C8-4AC9-899B-DBF226AC9382}) (Version: 2.0.0 - Sonic Solutions)
Sonic RecordNow Copy (HKLM\...\{B12665F4-4E93-4AB4-B7FC-37053B524629}) (Version: 2.0.0 - Sonic Solutions)
Sonic RecordNow Data (HKLM\...\{075473F5-846A-448B-BCB3-104AA1760205}) (Version: 2.0.0 - Sonic Solutions)
Sonic Update Manager (HKLM\...\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}) (Version: 3.0.0 - Sonic Solutions)
WebCyberCoach 3.2 Dell (HKLM\...\WebCyberCoach_wtrb) (Version:  - )
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WildTangent Web Driver (HKLM\...\WildTangent CDA) (Version:  - )
Windows Installer 3.1 (KB893803) (HKLM\...\KB893803v2) (Version: 3.1 - Microsoft Corporation)
Windows Internet Explorer 8 (HKLM\...\ie8) (Version: 20090308.140743 - Microsoft Corporation)
Windows Media Format Runtime (HKLM\...\Windows Media Format Runtime) (Version:  - )
Windows Media Player 10 (HKLM\...\Windows Media Player) (Version:  - )
Windows XP Hotfix - KB873339 (HKLM\...\KB873339) (Version: 20041117.092459 - Microsoft Corporation)
Windows XP Hotfix - KB885250 (HKLM\...\KB885250) (Version: 20050118.202711 - Microsoft Corporation)
Windows XP Hotfix - KB885835 (HKLM\...\KB885835) (Version: 20041027.181713 - Microsoft Corporation)
Windows XP Hotfix - KB887472 (HKLM\...\KB887472) (Version: 20041014.162858 - Microsoft Corporation)
Windows XP Hotfix - KB888113 (HKLM\...\KB888113) (Version: 20041116.131036 - Microsoft Corporation)
Windows XP Hotfix - KB888310 (HKLM\...\KB888310) (Version: 20041027.095746 - Microsoft Corporation)
Windows XP Hotfix - KB889673 (HKLM\...\KB889673) (Version: 20041116.085848 - Microsoft Corporation)
Windows XP Hotfix - KB890175 (HKLM\...\KB890175) (Version: 20041201.233338 - Microsoft Corporation)
Windows XP Hotfix - KB891781 (HKLM\...\KB891781) (Version: 20050110.165439 - Microsoft Corporation)
WordPerfect Office 12 (HKLM\...\{AF19F291-F22F-4798-9662-525305AE9E48}) (Version: 12.01 - Corel Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1465688935-4282910304-3035079473-1006_Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}\InprocServer32 -> C:\DOCUME~1\coolcee\LOCALS~1\Temp\1D98.dmp No File

==================== Restore Points =========================

Could not list restore points
Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2004-08-10 14:51 - 2004-08-04 07:00 - 00000734 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{7BB9EFBE-0EB2-4B05-A0C7-DE9E7907DF5E}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (Whitelisted) ==============

2006-05-14 00:23 - 2006-05-14 00:23 - 00138752 _____ () C:\Program Files\7-Zip\7-zip.dll
2005-01-27 03:02 - 2005-01-27 03:02 - 00086016 _____ () C:\Program Files\Dell\Media Experience\DMXLauncher.exe

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\Web\Wallpaper\Bliss.bmp
DNS Servers: 75.75.76.76 - 75.75.75.75
sharedaccess Firewall Service is not running.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Faulty Device Manager Devices =============

Could not list Devices. Check "winmgmt" service or repair WMI.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/16/2015 08:17:44 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 07:53:39 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 06:35:32 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 05:50:25 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 04:46:50 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 04:25:01 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 04:08:49 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 03:52:43 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

Error: (09/16/2015 03:23:46 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application ATF-Cleaner.exe, version 3.0.0.2, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (09/16/2015 03:08:19 PM) (Source: WinMgmt) (EventID: 28) (User: )
Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.


System errors:
=============
Error: (09/16/2015 05:30:55 PM) (Source: DCOM) (EventID: 10005) (User: BIGCEE)
Description: DCOM got error "%McAfee SiteAdvisor Service" attempting to start the service McAfee SiteAdvisor Service with arguments ""
in order to run the server:
{5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error: (09/16/2015 03:15:28 PM) (Source: DCOM) (EventID: 10005) (User: BIGCEE)
Description: DCOM got error "%McAfee SiteAdvisor Service" attempting to start the service McAfee SiteAdvisor Service with arguments ""
in order to run the server:
{5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}

Error: (06/17/2015 07:41:36 AM) (Source: DCOM) (EventID: 10010) (User: BIGCEE)
Description: The server {0002DF01-0000-0000-C000-000000000046} did not register with DCOM within the required timeout.

Error: (07/08/2014 12:09:44 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (07/08/2014 12:09:44 PM) (Source: W32Time) (EventID: 17) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (07/08/2014 12:09:44 PM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (07/08/2014 12:09:44 PM) (Source: W32Time) (EventID: 17) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (06/22/2014 12:50:38 AM) (Source: DCOM) (EventID: 10010) (User: BIGCEE)
Description: The server {601D72B9-326F-46CD-815E-12D5D15761BA} did not register with DCOM within the required timeout.

Error: (06/22/2014 12:43:33 AM) (Source: W32Time) (EventID: 29) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (06/22/2014 12:43:33 AM) (Source: W32Time) (EventID: 17) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)


==================== Memory info ===========================

Processor:  Intel(R) Celeron(R) CPU 2.53GHz
Percentage of memory in use: 35%
Total physical RAM: 509.98 MB
Available physical RAM: 327 MB
Total Virtual: 1248.78 MB
Available Virtual: 1108.45 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:71.46 GB) (Free:65.17 GB) NTFS ==>[drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 74.5 GB) (Disk ID: D0F4738C)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=71.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=3 GB) - (Type=DB)

==================== End of Addition.txt ============================

Results of screen317's Security Check version 1.008 
Windows XP Service Pack 2 x86   
Out of date service pack!! (http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3)
Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
McAfee SecurityCenter     
`````````Anti-malware/Other Utilities Check:`````````
CCleaner (remove only)   
JavaFX 2.1.0   
Java(TM) 7 Update 4 
Java 2 Runtime Environment, SE v1.4.2_03
Java version 32-bit out of Date!
Adobe Reader 6 Adobe Reader out of Date!
Mozilla Firefox (40.0.3)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 17, 2015, 02:00:41 AM
Hi, Ghost.

I know you told me that the person who will be using this computer will only be doing so for a short time. Good thing too.  At this point, the first thing that needs to be addressed is signs of the ZeroAccess rootkit.  We'll start with FRST and then double-check with MBAR.

Please do the following to run FRST: 

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.

start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\...\InprocServer32: [Default-pngfilt] C:\DOCUME~1\coolcee\LOCALS~1\Temp\1D98.dmp <==== ATTENTION
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
URLSearchHook: HKU\S-1-5-21-1465688935-4282910304-3035079473-1006 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No File
Toolbar: HKU\S-1-5-21-1465688935-4282910304-3035079473-1006 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S2 0002181442429379mcinstcleanup; C:\DOCUME~1\coolcee\LOCALS~1\Temp\000218~1.EXE -cleanup -nolog [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S3 wanatw; system32\DRIVERS\wanatw4.sys [X]
2013-12-14 17:28 - 2013-12-14 17:28 - 0012358 _____ () C:\Documents and Settings\coolcee\Application Data\PFP120JCM.{PB
2013-12-14 17:28 - 2013-12-14 17:28 - 0061678 _____ () C:\Documents and Settings\coolcee\Application Data\PFP120JPR.{PB
2015-06-16 07:30 - 2015-06-16 07:30 - 0003584 _____ () C:\Documents and Settings\coolcee\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c}
C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c}\L\201d3dde
C:\Documents and Settings\coolcee\Local Settings\Application Data\{36d3a9c1-8100-9073-73a4-b6855f7d838c}
EmptyTemp:
end
Please download Malwarebytes Anti-Rootkit here (http://downloads.malwarebytes.org/file/mbar).  Unzip the contents to a folder on the Desktop.

Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 17, 2015, 03:24:00 AM
Hi corrine,
Here are the logs requested.
Fix result of Farbar Recovery Scan Tool (x86) Version:15-09-2015
Ran by coolcee (2015-09-16 22:18:30) Run:1
Running from C:\Documents and Settings\coolcee\Desktop
Loaded Profiles: coolcee (Available Profiles: coolcee)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\...\InprocServer32: [Default-pngfilt] C:\DOCUME~1\coolcee\LOCALS~1\Temp\1D98.dmp <==== ATTENTION
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 03 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
URLSearchHook: HKU\S-1-5-21-1465688935-4282910304-3035079473-1006 - (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} ->  No File
Toolbar: HKU\S-1-5-21-1465688935-4282910304-3035079473-1006 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S2 0002181442429379mcinstcleanup; C:\DOCUME~1\coolcee\LOCALS~1\Temp\000218~1.EXE -cleanup -nolog [X]
S3 USBAAPL; System32\Drivers\usbaapl.sys [X]
S3 wanatw; system32\DRIVERS\wanatw4.sys [X]
2013-12-14 17:28 - 2013-12-14 17:28 - 0012358 _____ () C:\Documents and Settings\coolcee\Application Data\PFP120JCM.{PB
2013-12-14 17:28 - 2013-12-14 17:28 - 0061678 _____ () C:\Documents and Settings\coolcee\Application Data\PFP120JPR.{PB
2015-06-16 07:30 - 2015-06-16 07:30 - 0003584 _____ () C:\Documents and Settings\coolcee\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c}
C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c}\L\201d3dde
C:\Documents and Settings\coolcee\Local Settings\Application Data\{36d3a9c1-8100-9073-73a4-b6855f7d838c}
EmptyTemp:
end
*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}" => key removed successfully.
Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
Winsock: Catalog5 000000000003\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\\{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} => value removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}" => key removed successfully.
HKCR\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} => key not found.
HKU\S-1-5-21-1465688935-4282910304-3035079473-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
0002181442429379mcinstcleanup => service removed successfully.
USBAAPL => service removed successfully.
wanatw => service removed successfully.
C:\Documents and Settings\coolcee\Application Data\PFP120JCM.{PB => moved successfully
C:\Documents and Settings\coolcee\Application Data\PFP120JPR.{PB => moved successfully
C:\Documents and Settings\coolcee\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c} => moved successfully
"C:\Windows\Installer\{36d3a9c1-8100-9073-73a4-b6855f7d838c}\L\201d3dde" => File/Folder not found.
C:\Documents and Settings\coolcee\Local Settings\Application Data\{36d3a9c1-8100-9073-73a4-b6855f7d838c} => moved successfully
EmptyTemp: => 15.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 22:18:52 ====

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2015.09.16.06
  rootkit: v2015.08.16.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
coolcee :: BIGCEE [administrator]

9/16/2015 10:32:14 PM
mbar-log-2015-09-16 (22-32-14).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 311756
Time elapsed: 40 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.526000 GHz
Memory total: 534757376, free: 335159296

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.526000 GHz
Memory total: 534757376, free: 352706560

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.526000 GHz
Memory total: 534757376, free: 354193408

Downloaded database version: v2015.09.16.06
Downloaded database version: v2015.08.16.01
Downloaded database version: v2015.09.16.01
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     09/16/2015 22:31:43
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
sr.sys
drvmcdb.sys
PxHelp20.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\ialmnt5.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\IntelC53.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\IntelC51.sys
\SystemRoot\system32\DRIVERS\IntelC52.sys
\SystemRoot\system32\DRIVERS\mohfilt.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\senfilt.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\MODEMCSA.sys
\SystemRoot\System32\Drivers\i2omgmt.SYS
\SystemRoot\system32\drivers\sscdbhk5.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\drivers\ssrtln.sys
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ialmdnt5.dll
\SystemRoot\System32\ialmrnt5.dll
\SystemRoot\System32\ialmdev5.DLL
\SystemRoot\System32\ialmdd5.DLL
\??\C:\WINDOWS\system32\drivers\mbam.sys
\SystemRoot\system32\drivers\drvnddm.sys
\SystemRoot\system32\dla\tfsndres.sys
\SystemRoot\system32\dla\tfsnifs.sys
\SystemRoot\system32\dla\tfsnopio.sys
\SystemRoot\system32\dla\tfsnpool.sys
\SystemRoot\system32\dla\tfsnboio.sys
\SystemRoot\system32\dla\tfsncofs.sys
\SystemRoot\system32\dla\tfsndrct.sys
\SystemRoot\system32\dla\tfsnudf.sys
\SystemRoot\system32\dla\tfsnudfa.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\System32\Drivers\HTTP.sys
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2015.09.16.06
  rootkit: v2015.08.16.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff823e4ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff823ce958, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff823e4ab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff823ccd98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: D0F4738C

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262
    Partition is not bootable

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 80325  Numsec = 149854320
    Partition is bootable
    Partition file system is NTFS

    Partition 2 type is Other (0xdb)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 149934645  Numsec = 6297480
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Disk Size: 80000000000 bytes
Sector size: 512 bytes

Done!
File "C:\WINDOWS\system32\config\SOFTWARE" is compressed (flags = 1)
File "C:\Documents and Settings\All Users\NTUSER.DAT" is compressed (flags = 1)
File "C:\Documents and Settings\All Users\NTUSER.DAT.LOG" is compressed (flags = 1)
File "C:\WINDOWS\vmmreg32.dll" is compressed (flags = 1)
File "C:\WINDOWS\winhelp.exe" is compressed (flags = 1)
File "C:\WINDOWS\winhlp32.exe" is compressed (flags = 1)
File "C:\WINDOWS\hh.exe" is compressed (flags = 1)
File "C:\WINDOWS\regedit.exe" is compressed (flags = 1)
File "C:\WINDOWS\TASKMAN.EXE" is compressed (flags = 1)
File "C:\WINDOWS\twain.dll" is compressed (flags = 1)
File "C:\WINDOWS\twain_32.dll" is compressed (flags = 1)
File "C:\WINDOWS\twunk_16.exe" is compressed (flags = 1)
File "C:\WINDOWS\twunk_32.exe" is compressed (flags = 1)
File "C:\WINDOWS\NOTEPAD.EXE" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\AcLua.dll" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\AcSpecfc.dll" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\AcXtrnal.dll" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\apphelp.sdb" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\apph_sp.sdb" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\drvmain.sdb" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\msimain.sdb" is compressed (flags = 1)
File "C:\WINDOWS\AppPatch\sysmain.sdb" is compressed (flags = 1)
File "C:\WINDOWS\Help\apps.chm" is compressed (flags = 1)
File "C:\WINDOWS\Help\bnts.dll" is compressed (flags = 1)
File "C:\WINDOWS\Help\sniffpol.dll" is compressed (flags = 1)
File "C:\WINDOWS\Help\sstub.dll" is compressed (flags = 1)
File "C:\WINDOWS\Help\tshoot.dll" is compressed (flags = 1)
Scan finished
=======================================


Removal queue found; removal started
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-1-80325-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\VBR-0-2-149934645-i.mbam...
Removing C:\Documents and Settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished

Thanks;-)
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 17, 2015, 06:08:54 PM
Hi, Ghost.

Following up on our email correspondence, please let me know if you found SP3 downloaded to an old computer. 

Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 17, 2015, 11:39:52 PM
Hi Corrine,
I found my CD with SP3 on it, but another twist: the CD-ROM doesn't work ;-(.
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 18, 2015, 12:26:51 AM
The long way around but can you upload SP3 via your computer to OneDrive or DropBox, then disconnect your computer and connect the XP box to the Internet to download SP3?  Considering the state that you found this computer, I'm concerned that it won't take long for it to become infected.  Even getting it to SP3 isn't doing a lot considering the number of updates that were released between SP3 and end-of-life.

I strongly encourage creating a limited user account for the person to use when on the Internet. 
As I have no doubt you were anticipating, Java needs to be updated.  First, you'll have to uninstall the following because it wasn't until JRE SE 6u11 that previous versions were removed when an update was released.  Following that, go here to get the latest version of Java:  http://java.com/en/download/, being careful during the installation to uncheck any additional offers included.

Java 2 Runtime Environment, SE v1.4.2_03 (HKLM\...\{7148F0A8-6813-11D6-A77B-00B0D0142030}) (Version: 1.4.2_03 - Sun Microsystems, Inc.)
Java(TM) 7 Update 4 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217004FF}) (Version: 7.0.40 - Oracle)
JavaFX 2.1.0 (HKLM\...\{1111706F-666A-4037-7777-210328764D10}) (Version: 2.1.0 - Oracle Corporation)

Adobe ended support of Adobe Reader on Windows XP.  Although it will still work, I suggest uninstalling Adobe Reader and installing Sumatra PDF, available from http://blog.kowalczyk.info/software/sumatrapdf/free-pdf-reader.html.

It appears as though AVG Free still works on Windows XP.  System requirements:  processor: 1.5 GHz or faster, memory: 512 MB of RAM, screen resolution: at least 1024x768 pixels, disk space needed for installation: 1500 MB, browser: Internet Explorer 6 or higher.  http://www.avg.com/us-en/protection-features-pc

I'm not having a lot of luck yet finding a software firewall for Windows XP. Perhaps you'll have better luck here:  http://www.oldversion.com/windows/software/security/

Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 18, 2015, 01:22:30 AM
Hi Corrine,
Right after this post I'll set up a limited account for her.
I have uninstalled both Java entries and installed the updates, installed free Avast AV, uninstalled Adobe Reader and installed Sumatra PDF, and found Sygate FW on my old thumb drive, and that is installed.
As far as SP3, I'll do that tomorrow after work. It's almost 9:30 here and that doesn't give me enough time to d/l SP3 and install.
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 18, 2015, 01:36:15 AM
Sounds like a plan, Ghost!
Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 18, 2015, 04:19:53 PM
Hi Corrine,
I have created a Limited account.
I tried to no avail to install SP3 but got Access Denied.  Googled the whole text of the popup (Service Pack 3 setup cannot update a checked (debug) system with a free (retail) version of Service Pack 3, or vice versa). I checked the registry and it is set to "unprocessed free" so I left it as is. I'm at a dead end unless there is another step, or steps, I can do?
I uninstalled the old JRE updates but can't install the latest JRE update. I tried the online and offline update to no avail.
I installed Avast AV. I wanted to install Avira free but without SP3 I can't ;-(.
I also installed Sumatra PDF.



Title: Re: Windows XP Home may have infections?
Post by: plodr on September 18, 2015, 08:52:50 PM
I looked over my CDs and I have 32 bit XP SP3 that I downloaded in 2012.
I zipped it and I'm uploading it to my google drive.

When it is finished, I will send you a PM with the link for downloading. The size is 316MB. Unzip and it becomes an exe, also 316MB because it is already compressed.

I'd probably download it to a USB stick and unzip it.  Then put it on the "sick" computer and see if this will install.
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 19, 2015, 12:00:59 AM
I've been thinking about this computer.  Even though it is only supposed to be for a short period of time, I'm not really comfortable with the person using this machine.  Seriously, I wish you could get agreement to install Linux on it.  Seeing as how ComboFix doesn't work on Windows 8x or Windows 10, I had switched to using FRST.  However, this old box may benefit from a run through with ComboFix. 

Here are the instructions if you like to try ComboFix (Note:  I'm not even certain if it will run since I don't think it will be able to download the Recovery Console):

Please follow these instructions carefully.

Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html).

Now, please run ComboFix:

Title: Re: Windows XP Home may have infections?
Post by: techie on September 19, 2015, 01:10:32 AM
You can still download SP3 from Microsoft as the IT standalone package.

http://www.microsoft.com/en-us/download/details.aspx?id=24

or as an ISO file to burn to CD

http://www.microsoft.com/en-us/download/details.aspx?id=25129
Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 19, 2015, 02:36:02 AM
Well, Plodr, you aced it! The install went without a hitch and I'm doing my happy dance ;-))
Hi techie,
Thanks for the links; I have put them in my favorites for a later day when I may need one of them. Thanks ;-)
10:30 here, so I'll uninstall Avast AV and install Avira tomorrow after work.
Thanks to all for the links ;-).
I will also run ComboFix tomorrow.
Title: Re: Windows XP Home may have infections?
Post by: plodr on September 19, 2015, 02:29:41 PM
It's always good when something works!  ;D

I downloaded both SP2 and SP3 for XP back in 2012 and burned them to a CD, just in case I'd need them or one of the senior citizens I help from time to time needs them.

I'll remove the SP3 from google drive so I get back more storage.
Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 19, 2015, 05:47:35 PM
Hi Corrine,
Quote: I've been thinking about this computer.  Even though it is only supposed to be for a short period of time, I'm not really comfortable with the person using this machine.  Seriously, I wish you could get agreement to install Linux on it.
I agree and I'll work on it.
I ran ComboFix and it installed the Recovery Console, but it does not come up on bootup or reboot?
ComboFix did connect to the net and download it. I watched the Sygate icon and checked the traffic logs so I know it did download, and ComboFix said it was installed.
Anyway, here is the ComboFix log:
ComboFix 15-09-07.01 - coolcee 09/19/2015  12:59:10.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.237 [GMT -4:00]
Running from: c:\documents and settings\coolcee\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
c:\windows\$msi31uninstall_kb893803v2$
c:\windows\$msi31uninstall_kb893803v2$\msi.dll
c:\windows\$msi31uninstall_kb893803v2$\msiexec.exe
c:\windows\$msi31uninstall_kb893803v2$\msihnd.dll
c:\windows\$msi31uninstall_kb893803v2$\msimsg.dll
c:\windows\$msi31uninstall_kb893803v2$\msisip.dll
c:\windows\$msi31uninstall_kb893803v2$\reg00013
c:\windows\$msi31uninstall_kb893803v2$\reg00014
c:\windows\$msi31uninstall_kb893803v2$\reg00015
c:\windows\$msi31uninstall_kb893803v2$\reg00016
c:\windows\$msi31uninstall_kb893803v2$\reg00017
c:\windows\$msi31uninstall_kb893803v2$\reg00018
c:\windows\$msi31uninstall_kb893803v2$\reg00019
c:\windows\$msi31uninstall_kb893803v2$\reg00020
c:\windows\$msi31uninstall_kb893803v2$\reg00021
c:\windows\$msi31uninstall_kb893803v2$\reg00022
c:\windows\$msi31uninstall_kb893803v2$\reg00023
c:\windows\$msi31uninstall_kb893803v2$\reg00024
c:\windows\$msi31uninstall_kb893803v2$\reg00025
c:\windows\$msi31uninstall_kb893803v2$\reg00026
c:\windows\$msi31uninstall_kb893803v2$\reg00027
c:\windows\$msi31uninstall_kb893803v2$\reg00028
c:\windows\$msi31uninstall_kb893803v2$\reg00029
c:\windows\$msi31uninstall_kb893803v2$\reg00030
c:\windows\$msi31uninstall_kb893803v2$\reg00031
c:\windows\$msi31uninstall_kb893803v2$\reg00032
c:\windows\$msi31uninstall_kb893803v2$\reg00033
c:\windows\$msi31uninstall_kb893803v2$\reg00034
c:\windows\$msi31uninstall_kb893803v2$\reg00035
c:\windows\$msi31uninstall_kb893803v2$\reg00036
c:\windows\$msi31uninstall_kb893803v2$\reg00037
c:\windows\$msi31uninstall_kb893803v2$\reg00038
c:\windows\$msi31uninstall_kb893803v2$\reg00039
c:\windows\$msi31uninstall_kb893803v2$\reg00040
c:\windows\$msi31uninstall_kb893803v2$\reg00041
c:\windows\$msi31uninstall_kb893803v2$\reg00042
c:\windows\$msi31uninstall_kb893803v2$\reg00043
c:\windows\$msi31uninstall_kb893803v2$\reg00044
c:\windows\$msi31uninstall_kb893803v2$\reg00045
c:\windows\$msi31uninstall_kb893803v2$\reg00046
c:\windows\$msi31uninstall_kb893803v2$\reg00047
c:\windows\$msi31uninstall_kb893803v2$\reg00048
c:\windows\$msi31uninstall_kb893803v2$\reg00051
c:\windows\$msi31uninstall_kb893803v2$\reg00052
c:\windows\$msi31uninstall_kb893803v2$\reg00053
c:\windows\$msi31uninstall_kb893803v2$\reg00054
c:\windows\$msi31uninstall_kb893803v2$\reg00055
c:\windows\$msi31uninstall_kb893803v2$\reg00056
c:\windows\$msi31uninstall_kb893803v2$\reg00057
c:\windows\$msi31uninstall_kb893803v2$\reg00058
c:\windows\$msi31uninstall_kb893803v2$\reg00059
c:\windows\$msi31uninstall_kb893803v2$\reg00060
c:\windows\$msi31uninstall_kb893803v2$\reg00061
c:\windows\$msi31uninstall_kb893803v2$\reg00062
c:\windows\$msi31uninstall_kb893803v2$\reg00063
c:\windows\$msi31uninstall_kb893803v2$\reg00064
c:\windows\$msi31uninstall_kb893803v2$\reg00065
c:\windows\$msi31uninstall_kb893803v2$\reg00066
c:\windows\$msi31uninstall_kb893803v2$\reg00067
c:\windows\$msi31uninstall_kb893803v2$\reg00068
c:\windows\$msi31uninstall_kb893803v2$\reg00069
c:\windows\$msi31uninstall_kb893803v2$\reg00070
c:\windows\$msi31uninstall_kb893803v2$\reg00071
c:\windows\$msi31uninstall_kb893803v2$\reg00072
c:\windows\$msi31uninstall_kb893803v2$\reg00073
c:\windows\$msi31uninstall_kb893803v2$\reg00074
c:\windows\$msi31uninstall_kb893803v2$\reg00075
c:\windows\$msi31uninstall_kb893803v2$\reg00076
c:\windows\$msi31uninstall_kb893803v2$\reg00077
c:\windows\$msi31uninstall_kb893803v2$\reg00078
c:\windows\$msi31uninstall_kb893803v2$\reg00079
c:\windows\$msi31uninstall_kb893803v2$\reg00080
c:\windows\$msi31uninstall_kb893803v2$\reg00081
c:\windows\$msi31uninstall_kb893803v2$\reg00082
c:\windows\$msi31uninstall_kb893803v2$\reg00083
c:\windows\$msi31uninstall_kb893803v2$\reg00084
c:\windows\$msi31uninstall_kb893803v2$\reg00085
c:\windows\$msi31uninstall_kb893803v2$\reg00086
c:\windows\$msi31uninstall_kb893803v2$\reg00087
c:\windows\$msi31uninstall_kb893803v2$\reg00088
c:\windows\$msi31uninstall_kb893803v2$\reg00089
c:\windows\$msi31uninstall_kb893803v2$\reg00090
c:\windows\$msi31uninstall_kb893803v2$\reg00091
c:\windows\$msi31uninstall_kb893803v2$\reg00092
c:\windows\$msi31uninstall_kb893803v2$\reg00093
c:\windows\$msi31uninstall_kb893803v2$\reg00094
c:\windows\$msi31uninstall_kb893803v2$\reg00095
c:\windows\$msi31uninstall_kb893803v2$\reg00096
c:\windows\$msi31uninstall_kb893803v2$\reg00097
c:\windows\$msi31uninstall_kb893803v2$\reg00098
c:\windows\$msi31uninstall_kb893803v2$\reg00099
c:\windows\$msi31uninstall_kb893803v2$\reg00100
c:\windows\$msi31uninstall_kb893803v2$\reg00101
c:\windows\$msi31uninstall_kb893803v2$\reg00102
c:\windows\$msi31uninstall_kb893803v2$\reg00103
c:\windows\$msi31uninstall_kb893803v2$\reg00104
c:\windows\$msi31uninstall_kb893803v2$\reg00105
c:\windows\$msi31uninstall_kb893803v2$\reg00106
c:\windows\$msi31uninstall_kb893803v2$\reg00107
c:\windows\$msi31uninstall_kb893803v2$\reg00108
c:\windows\$msi31uninstall_kb893803v2$\reg00109
c:\windows\$msi31uninstall_kb893803v2$\reg00110
c:\windows\$msi31uninstall_kb893803v2$\reg00111
c:\windows\$msi31uninstall_kb893803v2$\reg00112
c:\windows\$msi31uninstall_kb893803v2$\reg00113
c:\windows\$msi31uninstall_kb893803v2$\reg00114
c:\windows\$msi31uninstall_kb893803v2$\reg00115
c:\windows\$msi31uninstall_kb893803v2$\reg00116
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.exe
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.inf
c:\windows\$msi31uninstall_kb893803v2$\spuninst\spuninst.txt
c:\windows\$msi31uninstall_kb893803v2$\spuninst\updspapi.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2015-08-19 to 2015-09-19  )))))))))))))))))))))))))))))))
.
.
2015-09-19 16:29 . 2015-09-19 16:29   --------   d-----w-   c:\documents and settings\coolcee\Application Data\AVAST Software
2015-09-19 16:20 . 2015-09-19 16:20   208664   ----a-w-   c:\windows\system32\drivers\aswVmm.sys
2015-09-19 16:20 . 2015-09-19 16:20   434184   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2015-09-19 16:20 . 2015-09-19 16:20   49776   ----a-w-   c:\windows\system32\drivers\aswRvrt.sys
2015-09-19 16:20 . 2015-09-19 16:20   76000   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2015-09-19 16:20 . 2015-09-19 16:20   24016   ----a-w-   c:\windows\system32\drivers\aswHwid.sys
2015-09-19 16:20 . 2015-09-19 16:20   55200   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2015-09-19 16:20 . 2015-09-19 16:18   789296   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2015-09-19 16:20 . 2015-09-19 16:18   313472   ----a-w-   c:\windows\system32\aswBoot.exe
2015-09-19 16:18 . 2015-09-19 16:18   43112   ----a-w-   c:\windows\avastSS.scr
2015-09-19 16:11 . 2015-09-19 16:27   --------   d-----w-   c:\program files\Avast
2015-09-19 15:51 . 2015-09-19 15:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVAST Software
2015-09-19 00:59 . 2008-04-14 02:57   79872   ------w-   c:\windows\system32\dllcache\msxml6r.dll
2015-09-19 00:59 . 2009-07-31 15:05   1372672   ------w-   c:\windows\system32\msxml6.dll
2015-09-19 00:59 . 2009-07-31 15:05   1372672   ------w-   c:\windows\system32\dllcache\msxml6.dll
2015-09-19 00:59 . 2008-04-14 02:57   79872   ------w-   c:\windows\system32\msxml6r.dll
2015-09-19 00:48 . 2008-04-14 09:41   4255   ------w-   c:\windows\system32\drivers\adv01nt5.dll
2015-09-19 00:47 . 2008-04-14 09:42   11325   ------w-   c:\windows\system32\drivers\vchnt5.dll
2015-09-19 00:47 . 2008-04-14 04:26   12800   ------w-   c:\windows\system32\drivers\usb8023x.sys
2015-09-19 00:47 . 2008-04-14 04:06   44672   ------w-   c:\windows\system32\drivers\uagp35.sys
2015-09-19 00:47 . 2008-04-14 04:06   5888   ------w-   c:\windows\system32\drivers\smbali.sys
2015-09-19 00:47 . 2008-04-14 03:53   13240   ------w-   c:\windows\system32\drivers\slwdmsup.sys
2015-09-19 00:47 . 2008-04-14 04:13   14208   ------w-   c:\windows\system32\drivers\wacompen.sys
2015-09-19 00:47 . 2008-04-14 02:04   25471   ------w-   c:\windows\system32\drivers\watv10nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   22271   ------w-   c:\windows\system32\drivers\watv06nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11935   ------w-   c:\windows\system32\drivers\wadv11nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11871   ------w-   c:\windows\system32\drivers\wadv09nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11807   ------w-   c:\windows\system32\drivers\wadv07nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11295   ------w-   c:\windows\system32\drivers\wadv08nt.sys
2015-09-19 00:39 . 2015-09-19 00:39   --------   d-----w-   c:\windows\EHome
2015-09-19 00:28 . 2015-09-19 02:17   --------   d-----w-   C:\219139e4c70a557a317b
2015-09-18 15:15 . 2015-09-18 15:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Licenses
2015-09-18 15:15 . 2012-05-02 16:17   1070152   ----a-w-   c:\windows\system32\MSCOMCTL.OCX
2015-09-18 15:15 . 2009-03-24 16:52   129872   ----a-w-   c:\windows\system32\MSSTDFMT.DLL
2015-09-18 15:15 . 2015-09-18 15:24   --------   d-----w-   c:\program files\SpywareBlaster
2015-09-18 15:14 . 2015-09-18 15:39   --------   d-----w-   c:\program files\SpywareGuard
2015-09-18 13:05 . 2015-09-18 13:06   --------   d-----w-   c:\program files\SP3
2015-09-18 01:10 . 2015-09-18 01:10   --------   d-sh--w-   c:\documents and settings\NetworkService\PrivacIE
2015-09-18 01:10 . 2015-09-18 01:10   --------   d-sh--w-   c:\documents and settings\NetworkService\UserData
2015-09-18 01:10 . 2015-09-18 01:10   --------   d-sh--w-   c:\documents and settings\NetworkService\IECompatCache
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg6n.sys
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg5n.sys
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg4n.sys
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg3n.sys
2015-09-18 01:04 . 2004-08-10 20:53   21075   ----a-w-   c:\windows\system32\drivers\wpsdrvnt.sys
2015-09-18 01:04 . 2004-08-10 20:51   59984   ----a-w-   c:\windows\system32\drivers\Teefer.sys
2015-09-18 01:04 . 2004-08-10 21:05   83096   ----a-w-   c:\windows\system32\SSSensor.dll
2015-09-18 01:04 . 2015-09-18 01:04   --------   d-----w-   c:\program files\Sygate
2015-09-18 01:03 . 2015-09-18 01:03   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2015-09-18 00:49 . 2015-09-18 00:49   --------   d-----w-   c:\documents and settings\coolcee\Application Data\SumatraPDF
2015-09-18 00:49 . 2015-09-18 00:49   --------   d-----w-   c:\program files\SumatraPDF
2015-09-17 02:31 . 2015-09-17 03:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-09-17 00:34 . 2015-09-17 02:21   --------   d-----w-   C:\FRST
2015-09-16 20:53 . 2015-09-17 02:31   170200   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-09-16 20:52 . 2015-09-17 02:25   121560   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2015-09-16 20:52 . 2015-09-16 20:56   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware
2015-09-16 20:52 . 2015-09-16 20:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2015-09-16 20:52 . 2015-06-18 12:41   23256   ----a-w-   c:\windows\system32\drivers\mbam.sys
2015-09-16 20:47 . 2015-09-16 20:47   --------   d-----w-   c:\program files\7-Zip
2015-09-16 20:47 . 2015-09-16 20:49   --------   d-----w-   c:\program files\Power Defrag
2015-09-16 20:34 . 2015-09-16 20:34   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2015-09-16 20:27 . 2015-09-16 20:27   --------   d-----w-   c:\documents and settings\coolcee\Local Settings\Application Data\Mozilla
2015-09-16 18:32 . 2015-09-16 18:33   --------   d-----w-   c:\program files\CCleaner
2015-09-16 18:28 . 2015-09-16 18:28   --------   d-----w-   c:\program files\VS Revo Group
2015-09-15 22:25 . 2004-08-04 04:56   21504   ------w-   c:\windows\system32\hidserv.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-09-19 16:18   696120   ----a-w-   c:\program files\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"AvastUI.exe"="c:\program files\Avast\AvastUI.exe" [2015-09-19 6134544]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 17:06   106496   ----a-w-   c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:00   15360   ------w-   c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-04-06 01:19   77824   ----a-w-   c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-06 01:22   94208   ----a-w-   c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12   221184   ----a-w-   c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44   249856   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44   81920   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-06 01:23   114688   ----a-w-   c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 01:42   1404928   ----a-w-   c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [9/19/2015 12:20 PM 208664]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/19/2015 12:20 PM 789296]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/19/2015 12:20 PM 434184]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [9/19/2015 12:20 PM 24016]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [9/19/2015 12:20 PM 76000]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/16/2015 4:52 PM 23256]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [9/19/2015 12:20 PM 49776]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [9/16/2015 4:52 PM 1133880]
S4 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [9/16/2015 4:52 PM 1871160]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWHWID
.
Contents of the 'Scheduled Tasks' folder
.
2015-09-19 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Avast\AvastEmUpdate.exe [2015-09-19 16:18]
.
2015-09-19 c:\windows\Tasks\User_Feed_Synchronization-{7BB9EFBE-0EB2-4B05-A0C7-DE9E7907DF5E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\coolcee\Application Data\Mozilla\Firefox\Profiles\wult6a61.default-1442591269296\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-09-19 13:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2015-09-19  13:15:07
ComboFix-quarantined-files.txt  2015-09-19 17:15
.
Pre-Run: 63,954,206,720 bytes free
Post-Run: 63,903,944,704 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3FB16F09EBF749C41CCC12665E5CE590
91722E6BC3A2B40FF00222DCA4A3DB3E

I ran the McAfee uninstaller but it's still there. I got a caution about it when installing Avast AV. Can we get rid of it?
Thanks ;-)
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 19, 2015, 07:11:01 PM
Hi, Ghost.  It appears that McAfee is "stuck" in the Windows Security Center.  ComboFix can remove the reference since McAfee is no longer installed.  If you still get a caution, please let me know.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

SecCenter::

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 19, 2015, 08:13:55 PM
Hi Corrine,
I don't seem to be getting the McAfee error now ;-).
ComboFix 15-09-07.01 - coolcee 09/19/2015  15:53:25.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.235 [GMT -4:00]
Running from: c:\documents and settings\coolcee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\coolcee\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((   Files Created from 2015-08-19 to 2015-09-19  )))))))))))))))))))))))))))))))
.
.
2015-09-19 16:29 . 2015-09-19 16:29   --------   d-----w-   c:\documents and settings\coolcee\Application Data\AVAST Software
2015-09-19 16:20 . 2015-09-19 16:20   208664   ----a-w-   c:\windows\system32\drivers\aswVmm.sys
2015-09-19 16:20 . 2015-09-19 16:20   434184   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2015-09-19 16:20 . 2015-09-19 16:20   49776   ----a-w-   c:\windows\system32\drivers\aswRvrt.sys
2015-09-19 16:20 . 2015-09-19 16:20   76000   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2015-09-19 16:20 . 2015-09-19 16:20   24016   ----a-w-   c:\windows\system32\drivers\aswHwid.sys
2015-09-19 16:20 . 2015-09-19 16:20   55200   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2015-09-19 16:20 . 2015-09-19 16:18   789296   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2015-09-19 16:20 . 2015-09-19 16:18   313472   ----a-w-   c:\windows\system32\aswBoot.exe
2015-09-19 16:18 . 2015-09-19 16:18   43112   ----a-w-   c:\windows\avastSS.scr
2015-09-19 16:11 . 2015-09-19 16:27   --------   d-----w-   c:\program files\Avast
2015-09-19 15:51 . 2015-09-19 15:51   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVAST Software
2015-09-19 00:59 . 2008-04-14 02:57   79872   ------w-   c:\windows\system32\dllcache\msxml6r.dll
2015-09-19 00:59 . 2009-07-31 15:05   1372672   ------w-   c:\windows\system32\msxml6.dll
2015-09-19 00:59 . 2009-07-31 15:05   1372672   ------w-   c:\windows\system32\dllcache\msxml6.dll
2015-09-19 00:59 . 2008-04-14 02:57   79872   ------w-   c:\windows\system32\msxml6r.dll
2015-09-19 00:48 . 2008-04-14 09:41   4255   ------w-   c:\windows\system32\drivers\adv01nt5.dll
2015-09-19 00:47 . 2008-04-14 09:42   11325   ------w-   c:\windows\system32\drivers\vchnt5.dll
2015-09-19 00:47 . 2008-04-14 04:26   12800   ------w-   c:\windows\system32\drivers\usb8023x.sys
2015-09-19 00:47 . 2008-04-14 04:06   44672   ------w-   c:\windows\system32\drivers\uagp35.sys
2015-09-19 00:47 . 2008-04-14 04:06   5888   ------w-   c:\windows\system32\drivers\smbali.sys
2015-09-19 00:47 . 2008-04-14 03:53   13240   ------w-   c:\windows\system32\drivers\slwdmsup.sys
2015-09-19 00:47 . 2008-04-14 04:13   14208   ------w-   c:\windows\system32\drivers\wacompen.sys
2015-09-19 00:47 . 2008-04-14 02:04   25471   ------w-   c:\windows\system32\drivers\watv10nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   22271   ------w-   c:\windows\system32\drivers\watv06nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11935   ------w-   c:\windows\system32\drivers\wadv11nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11871   ------w-   c:\windows\system32\drivers\wadv09nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11807   ------w-   c:\windows\system32\drivers\wadv07nt.sys
2015-09-19 00:47 . 2008-04-14 02:04   11295   ------w-   c:\windows\system32\drivers\wadv08nt.sys
2015-09-19 00:39 . 2015-09-19 00:39   --------   d-----w-   c:\windows\EHome
2015-09-19 00:28 . 2015-09-19 02:17   --------   d-----w-   C:\219139e4c70a557a317b
2015-09-18 15:15 . 2015-09-18 15:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Licenses
2015-09-18 15:15 . 2012-05-02 16:17   1070152   ----a-w-   c:\windows\system32\MSCOMCTL.OCX
2015-09-18 15:15 . 2009-03-24 16:52   129872   ----a-w-   c:\windows\system32\MSSTDFMT.DLL
2015-09-18 15:15 . 2015-09-18 15:24   --------   d-----w-   c:\program files\SpywareBlaster
2015-09-18 15:14 . 2015-09-18 15:39   --------   d-----w-   c:\program files\SpywareGuard
2015-09-18 13:05 . 2015-09-18 13:06   --------   d-----w-   c:\program files\SP3
2015-09-18 01:10 . 2015-09-18 01:10   --------   d-sh--w-   c:\documents and settings\NetworkService\PrivacIE
2015-09-18 01:10 . 2015-09-18 01:10   --------   d-sh--w-   c:\documents and settings\NetworkService\UserData
2015-09-18 01:10 . 2015-09-18 01:10   --------   d-sh--w-   c:\documents and settings\NetworkService\IECompatCache
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg6n.sys
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg5n.sys
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg4n.sys
2015-09-18 01:04 . 2004-08-10 21:05   14240   ----a-w-   c:\windows\system32\drivers\wg3n.sys
2015-09-18 01:04 . 2004-08-10 20:53   21075   ----a-w-   c:\windows\system32\drivers\wpsdrvnt.sys
2015-09-18 01:04 . 2004-08-10 20:51   59984   ----a-w-   c:\windows\system32\drivers\Teefer.sys
2015-09-18 01:04 . 2004-08-10 21:05   83096   ----a-w-   c:\windows\system32\SSSensor.dll
2015-09-18 01:04 . 2015-09-18 01:04   --------   d-----w-   c:\program files\Sygate
2015-09-18 01:03 . 2015-09-18 01:03   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2015-09-18 00:49 . 2015-09-18 00:49   --------   d-----w-   c:\documents and settings\coolcee\Application Data\SumatraPDF
2015-09-18 00:49 . 2015-09-18 00:49   --------   d-----w-   c:\program files\SumatraPDF
2015-09-17 02:31 . 2015-09-17 03:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2015-09-17 00:34 . 2015-09-17 02:21   --------   d-----w-   C:\FRST
2015-09-16 20:53 . 2015-09-17 02:31   170200   ----a-w-   c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-09-16 20:52 . 2015-09-17 02:25   121560   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2015-09-16 20:52 . 2015-09-16 20:56   --------   d-----w-   c:\program files\Malwarebytes Anti-Malware
2015-09-16 20:52 . 2015-09-16 20:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2015-09-16 20:52 . 2015-06-18 12:41   23256   ----a-w-   c:\windows\system32\drivers\mbam.sys
2015-09-16 20:47 . 2015-09-16 20:47   --------   d-----w-   c:\program files\7-Zip
2015-09-16 20:47 . 2015-09-16 20:49   --------   d-----w-   c:\program files\Power Defrag
2015-09-16 20:34 . 2015-09-16 20:34   --------   d-----w-   c:\program files\Mozilla Maintenance Service
2015-09-16 20:27 . 2015-09-16 20:27   --------   d-----w-   c:\documents and settings\coolcee\Local Settings\Application Data\Mozilla
2015-09-16 18:32 . 2015-09-16 18:33   --------   d-----w-   c:\program files\CCleaner
2015-09-16 18:28 . 2015-09-16 18:28   --------   d-----w-   c:\program files\VS Revo Group
2015-09-15 22:25 . 2004-08-04 04:56   21504   ------w-   c:\windows\system32\hidserv.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2005-06-10 . DA81EC57ACD4CDC3D4C51CF3D409AF9F . 57856 . . [5.1.2600.2696] . . c:\windows\system32\spoolsv.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-09-19 16:18   696120   ----a-w-   c:\program files\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"AvastUI.exe"="c:\program files\Avast\AvastUI.exe" [2015-09-19 6134544]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 17:06   106496   ----a-w-   c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 11:00   15360   ------w-   c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19   53248   ------w-   c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-04-06 01:19   77824   ----a-w-   c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-04-06 01:22   94208   ----a-w-   c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 02:12   221184   ----a-w-   c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44   249856   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44   81920   ----a-w-   c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 09:42   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2005-04-06 01:23   114688   ----a-w-   c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-15 01:42   1404928   ----a-w-   c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [9/19/2015 12:20 PM 49776]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [9/19/2015 12:20 PM 208664]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/19/2015 12:20 PM 789296]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/19/2015 12:20 PM 434184]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [9/19/2015 12:20 PM 24016]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [9/19/2015 12:20 PM 76000]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/16/2015 4:52 PM 23256]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [9/16/2015 4:52 PM 1133880]
S4 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [9/16/2015 4:52 PM 1871160]
.
Contents of the 'Scheduled Tasks' folder
.
2015-09-19 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Avast\AvastEmUpdate.exe [2015-09-19 16:18]
.
2015-09-19 c:\windows\Tasks\User_Feed_Synchronization-{7BB9EFBE-0EB2-4B05-A0C7-DE9E7907DF5E}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\coolcee\Application Data\Mozilla\Firefox\Profiles\wult6a61.default-1442591269296\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gws_rd=ssl
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-09-19 16:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2376)
c:\windows\system32\SSSensor.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2015-09-19  16:08:27
ComboFix-quarantined-files.txt  2015-09-19 20:08
ComboFix2.txt  2015-09-19 17:15
.
Pre-Run: 64,138,178,560 bytes free
Post-Run: 64,129,200,128 bytes free
.
- - End Of File - - 7C4DC1F96BAAC284601961C040E68391
91722E6BC3A2B40FF00222DCA4A3DB3E
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 19, 2015, 10:10:37 PM
Maybe not but the Security Center is still wrong and I haven't seen any signs of McAfee in Programs or in registry entries from the logs.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

This works for all versions of Windows (see How do I restore security settings to a known working state? (https://support.microsoft.com/en-us/kb/313222)).
Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 19, 2015, 11:37:47 PM
Hi Corrine,
Followed instructions for cmd command and get this in the cmd window:

'secedit' is not recognized as an internal or external command, operable program or batch file


Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 20, 2015, 12:40:33 AM
Security Check showed:  "Windows Security Center service is not running!"  In addition, CF is still showing McAfee.  Just one last thing before cleaning up the tools we used: 

Type services.msc in the Run box.  Then check that wscsvc is Started and set to Automatic.

Again, my encouragement to convince the person to use Linux until a new computer is purchased, most especially if there will be anything related to finances.

Please download Delfix from here (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix).

Ensure the following boxes are checked:
The program will run for a few moments and then notepad will open with a log.   Please paste the log in your next reply.

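The same wscsvc check done from a cmd window with sc.exe instead of services.msc, as an added example (not from the thread); it assumes sc.exe is present, as it is on Windows XP, and only reports, it changes nothing.

```batch
@echo off
rem Added example (not from the thread): verify the Windows Security Center
rem service (wscsvc) is running and set to Automatic, using sc.exe.
rem Assumes Windows XP's sc.exe; read-only, nothing is started or reconfigured.
setlocal

rem Current run state: the STATE line of "sc query" reads "STATE : 4 RUNNING"
for /f "tokens=4" %%s in ('sc query wscsvc ^| findstr /i "STATE"') do set STATE=%%s

rem Configured start type: the START_TYPE line of "sc qc" reads "START_TYPE : 2 AUTO_START"
for /f "tokens=4" %%t in ('sc qc wscsvc ^| findstr /i "START_TYPE"') do set STARTTYPE=%%t

echo wscsvc state      : %STATE%
echo wscsvc start type : %STARTTYPE%

rem Flag the two conditions the post asks to confirm in services.msc
if /i not "%STATE%"=="RUNNING" echo WARNING: Security Center service is not running.
if /i not "%STARTTYPE%"=="AUTO_START" echo WARNING: Security Center service is not set to Automatic.

endlocal
```

Save it as a .bat file and run it from a Command Prompt; on a healthy machine both lines report RUNNING and AUTO_START with no warnings.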
Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 20, 2015, 01:14:24 AM
Hi Corrine,
Quote: Then check that wscsvc is Started and set to Automatic.
It is started and set to automatic ;-).
# DelFix v1.011 - Logfile created 19/09/2015 at 21:07:16
# Updated 18/08/2015 by Xplode
# Username : coolcee - BIGCEE
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\Combofix
Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\Documents and Settings\coolcee\Desktop\Addition.txt
Deleted : C:\Documents and Settings\coolcee\Desktop\ComboFix.exe
Deleted : C:\Documents and Settings\coolcee\Desktop\ComboFix.txt
Deleted : C:\Documents and Settings\coolcee\Desktop\ComboFix2.txt
Deleted : C:\Documents and Settings\coolcee\Desktop\Fixlog.txt
Deleted : C:\Documents and Settings\coolcee\Desktop\FRST.exe
Deleted : C:\Documents and Settings\coolcee\Desktop\FRST.txt
Deleted : C:\Documents and Settings\coolcee\Desktop\SecurityCheck.exe
Deleted : C:\Documents and Settings\coolcee\Desktop\TFC.exe
Deleted : C:\WINDOWS\grep.exe
Deleted : C:\WINDOWS\PEV.exe
Deleted : C:\WINDOWS\NIRCMD.exe
Deleted : C:\WINDOWS\MBR.exe
Deleted : C:\WINDOWS\SED.exe
Deleted : C:\WINDOWS\SWREG.exe
Deleted : C:\WINDOWS\SWSC.exe
Deleted : C:\WINDOWS\SWXCACLS.exe
Deleted : C:\WINDOWS\Zip.exe
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #677 [Installed Windows XP KB955069. | 09/19/2015 01:19:14]
Deleted : RP #678 [Installed Windows XP KB973687. | 09/19/2015 01:20:25]
Deleted : RP #679 [Installed Windows XP KB955759. | 09/19/2015 01:21:37]
Deleted : RP #680 [Installed Windows XP KB956572. | 09/19/2015 01:22:56]
Deleted : RP #681 [Installed Windows XP KB956802. | 09/19/2015 01:24:20]
Deleted : RP #682 [Installed Windows XP KB956803. | 09/19/2015 01:25:29]
Deleted : RP #683 [Installed Windows XP KB956844. | 09/19/2015 01:26:38]
Deleted : RP #684 [Installed Windows XP KB958644. | 09/19/2015 01:27:48]
Deleted : RP #685 [Installed Windows XP KB959426. | 09/19/2015 01:28:58]
Deleted : RP #686 [Installed Windows XP KB960225. | 09/19/2015 01:30:12]
Deleted : RP #687 [Installed Windows XP KB960803. | 09/19/2015 01:31:21]
Deleted : RP #688 [Installed Windows XP KB960859. | 09/19/2015 01:32:33]
Deleted : RP #689 [Installed Windows XP KB961501. | 09/19/2015 01:33:44]
Deleted : RP #690 [Installed Windows XP KB967715. | 09/19/2015 01:35:02]
Deleted : RP #691 [Installed Windows XP KB968389. | 09/19/2015 01:36:21]
Deleted : RP #692 [Installed Windows XP KB969059. | 09/19/2015 01:37:35]
Deleted : RP #693 [Installed Windows XP KB970238. | 09/19/2015 01:38:45]
Deleted : RP #694 [Installed Windows XP KB970430. | 09/19/2015 01:39:56]
Deleted : RP #695 [Installed Windows XP KB971468. | 09/19/2015 01:41:06]
Deleted : RP #696 [Installed Windows XP KB971657. | 09/19/2015 01:42:16]
Deleted : RP #697 [Installed Windows XP KB971737. | 09/19/2015 01:43:26]
Deleted : RP #698 [Installed Windows XP KB972270. | 09/19/2015 01:44:45]
Deleted : RP #699 [Installed Windows XP KB973507. | 09/19/2015 01:45:55]
Deleted : RP #700 [Installed Windows XP KB973687. | 09/19/2015 01:47:05]
Deleted : RP #701 [Installed Windows XP KB973815. | 09/19/2015 01:48:15]
Deleted : RP #702 [Installed Windows XP KB973869. | 09/19/2015 01:49:26]
Deleted : RP #703 [Installed Windows XP KB974112. | 09/19/2015 01:50:37]
Deleted : RP #704 [Installed Windows XP KB974318. | 09/19/2015 01:51:46]
Deleted : RP #705 [Installed Windows XP KB974392. | 09/19/2015 01:52:57]
Deleted : RP #706 [Installed Windows XP KB974571. | 09/19/2015 01:54:05]
Deleted : RP #707 [Installed Windows XP KB975025. | 09/19/2015 01:55:13]
Deleted : RP #708 [Installed Windows XP KB975467. | 09/19/2015 01:56:20]
Deleted : RP #709 [Installed Windows XP KB975560. | 09/19/2015 01:57:31]
Deleted : RP #710 [Installed Windows XP KB975561. | 09/19/2015 01:58:46]
Deleted : RP #711 [Installed Windows XP KB975562. | 09/19/2015 02:00:00]
Deleted : RP #712 [Installed Windows XP KB975713. | 09/19/2015 02:01:12]
Deleted : RP #713 [Installed Windows XP KB977914. | 09/19/2015 02:02:27]
Deleted : RP #714 [Installed Windows XP KB978037. | 09/19/2015 02:03:38]
Deleted : RP #715 [Installed Windows XP KB978338. | 09/19/2015 02:04:47]
Deleted : RP #716 [Installed Windows XP KB978542. | 09/19/2015 02:05:59]
Deleted : RP #717 [Installed Windows XP KB978601. | 09/19/2015 02:07:10]
Deleted : RP #718 [Installed Windows XP KB978706. | 09/19/2015 02:08:21]
Deleted : RP #719 [Installed Windows XP KB979309. | 09/19/2015 02:09:31]
Deleted : RP #720 [Installed Windows XP KB979482. | 09/19/2015 02:10:41]
Deleted : RP #721 [Installed Windows XP KB979559. | 09/19/2015 02:11:51]
Deleted : RP #722 [Installed Windows XP KB979683. | 09/19/2015 02:13:10]
Deleted : RP #723 [Installed Windows XP KB980218. | 09/19/2015 02:14:31]
Deleted : RP #724 [Installed Windows XP KB980232. | 09/19/2015 02:15:46]
Deleted : RP #725 [Revo Uninstaller's restore point - avast! Free Antivirus | 09/19/2015 14:27:23]
Deleted : RP #726 [avast! Free Antivirus Setup | 09/19/2015 14:28:59]
Deleted : RP #727 [avast! antivirus system restore point | 09/19/2015 16:12:53]
Deleted : RP #728 [Revo Uninstaller's restore point - Avast Free Antivirus | 09/20/2015 00:18:26]
Deleted : RP #729 [avast! antivirus system restore point | 09/20/2015 00:19:31]
Deleted : RP #730 [Revo Uninstaller's restore point - Avast Free Antivirus | 09/20/2015 00:22:10]
Deleted : RP #731 [avast! antivirus system restore point | 09/20/2015 00:33:18]

New restore point created !

########## - EOF - ##########

Thank you,
Ghost
Title: Re: Windows XP Home may have infections?
Post by: Corrine on September 20, 2015, 01:29:36 AM
Let me know if the person takes you up on the offer to use Linux.  :)
Title: Re: Windows XP Home may have infections?
Post by: Ghost on September 20, 2015, 01:34:13 AM
Hi Corrine,
I will do that and thanks again for your help ;-)
Ghost