tqh

Honorary Members
  • Posts: 156
Everything posted by tqh

  1. Here is the MBAM log as instructed in the malware removal forum... Thanks.

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 11/14/2016
     Scan Time: 3:43:08 PM
     Logfile: MBAM log 11-14-16a.txt
     Administrator: Yes
     Version: 2.2.1.1043
     Malware Database: v2016.11.14.09
     Rootkit Database: v2016.10.31.01
     License: Free
     Malware Protection: Disabled
     Malicious Website Protection: Disabled
     Self-protection: Disabled

     OS: Windows XP Service Pack 3
     CPU: x86
     File System: NTFS
     User: poi

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 388087
     Time Elapsed: 20 min, 58 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 1
     Trojan.Zbot, C:\WINDOWS\vncutil.exe, , [1b16427ed0ca1f172eff03ce10f3639d], 

     Physical Sectors: 0
     (No malicious items detected)

     (end)

     Attached: vncutil.zip
  2. Thank you kindly. I'm not 100% sure what you wanted me to post. I just copied and pasted the information presented post-scan.

     SHA256: e6b2b7c8a04443e1e308889488e09b95fb30e8e1a165f9a7792fe789d4825e8e
     File name: vncutil.exe
     Detection ratio: 1 / 55
     Analysis date: 2016-11-14 21:23:15 UTC ( 0 minutes ago )
     3 0
     Probably harmless! There are strong indicators suggesting that this file is safe to use.

     Antivirus                 Result         Update
     Malwarebytes              Trojan.Zbot    20161114
     ALYac                                    20161114
     AVG                                      20161114
     AVware                                   20161114
     Ad-Aware                                 20161114
     AegisLab                                 20161114
     AhnLab-V3                                20161114
     Alibaba                                  20161114
     Antiy-AVL                                20161114
     Arcabit                                  20161114
     Avast                                    20161114
     Avira (no cloud)                         20161114
     Baidu                                    20161111
     BitDefender                              20161114
     Bkav                                     20161112
     CAT-QuickHeal                            20161114
     CMC                                      20161114
     ClamAV                                   20161114
     Comodo                                   20161114
     CrowdStrike Falcon (ML)                  20161024
     Cyren                                    20161114
     DrWeb                                    20161114
     ESET-NOD32                               20161114
     Emsisoft                                 20161114
     F-Prot                                   20161114
     F-Secure                                 20161114
     Fortinet                                 20161114
     GData                                    20161114
     Ikarus                                   20161114
     Invincea                                 20161018
     Jiangmin                                 20161114
     K7AntiVirus                              20161114
     K7GW                                     20161114
     Kaspersky                                20161114
     Kingsoft                                 20161114
     McAfee                                   20161114
     McAfee-GW-Edition                        20161114
     eScan                                    20161114
     Microsoft                                20161114
     NANO-Antivirus                           20161114
     Panda                                    20161114
     Qihoo-360                                20161114
     Rising                                   20161114
     SUPERAntiSpyware                         20161114
     Sophos                                   20161114
     Symantec                                 20161114
     Tencent                                  20161114
     TheHacker                                20161114
     TrendMicro                               20161114
     TrendMicro-HouseCall                     20161114
     VBA32                                    20161114
     VIPRE                                    20161114
     ViRobot                                  20161114
     Yandex                                   20161114
     Zillya                                   20161114
     Zoner                                    20161114
     nProtect                                 20161114
  3. Hello MB Forum, This computer has been acting bizarre for a week or so. Completely freezing up, requiring a reboot. Ran an AVAST boot scan and it didn't find anything. Fully updated MBAM and ran a standard scan. Found Trojan.zbot. I didn't act on the result because I decided I needed to have this looked at. I will wait for your instruction. I also attached the MBAM log. Thanks as always for your continued service.

     Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2016
     Ran by poi (administrator) on FLOYD (14-11-2016 10:35:13)
     Running from C:\Documents and Settings\poi\Desktop
     Loaded Profiles: poi (Available Profiles: poi & ewq & az & UpdatusUser & Administrator)
     Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
     Internet Explorer Version 8 (Default browser: FF)
     Boot Mode: Normal
     Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

     ==================== Processes (Whitelisted) =================

     (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

     (AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
     (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
     (NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
     (Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
     (Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
     (AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
     () C:\Program Files\USB TV\EM28XX\BDARemote.exe
     (Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
     (Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
     (Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe

     ==================== Registry (Whitelisted) ====================

     (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

     HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [17887232 2009-06-25] (Realtek Semiconductor Corp.)
     HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
     HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1634112 2012-05-15] ()
     HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
     HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9044392 2016-11-08] (AVAST Software)
     HKLM\...\Policies\Explorer: [NoComputersNearMe] 0
     HKU\S-1-5-21-1123561945-2111687655-725345543-1008\...\Run: [Zoom] => 0
     HKU\S-1-5-21-1123561945-2111687655-725345543-1008\...\Policies\Explorer: [NoComputersNearMe] 0
     ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-09-27] (AVAST Software)
     Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2007-09-11]
     ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
     Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BDARemote.lnk [2010-05-26]
     ShortcutTarget: BDARemote.lnk -> C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
     Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk [2007-09-11]
     ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
     GroupPolicy: Restriction ? <======= ATTENTION

     ==================== Internet (Whitelisted) ====================

     (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

     Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
     Tcpip\..\Interfaces\{A9B57C27-3A8D-4410-BF03-21FBC3F1992C}: [DhcpNameServer] 192.168.1.1

     Internet Explorer:
     ==================
     HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
     HKU\S-1-5-21-1123561945-2111687655-725345543-1008\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
     HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
     HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
     HKU\S-1-5-21-1123561945-2111687655-725345543-1008\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
     SearchScopes: HKLM -> DefaultScope value is missing
     SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
     BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-10-24] (AVAST Software)
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://go.microsoft.com/fwlink/?linkid=39204
     DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269795619093
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
     DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL [2001-01-22] (Microsoft Corporation)
     Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll [2008-04-13] (Microsoft Corporation)
     Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)

     FireFox:
     ========
     FF ProfilePath: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default [2016-11-14]
     FF DefaultSearchEngine: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> Google
     FF DefaultSearchEngine.US: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> Google
     FF Homepage: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> about:blank
     FF Extension: (Classic Theme Restorer) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-10-24]
     FF Extension: (Blur) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\donottrackplus@abine.com.xpi [2016-11-10]
     FF Extension: (Adblock Plus) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-10-28]
     FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
     FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-01-14] [not signed]
     FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
     FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-10-24]
     FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
     FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-10-24]
     FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-30] ()
     FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
     FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
     FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
     FF Plugin HKU\S-1-5-21-1123561945-2111687655-725345543-1008: @zoom.us/ZoomVideoPlugin -> C:\Documents and Settings\poi\Application Data\Zoom\bin\npzoomplugin.dll [2016-11-09] (Zoom Video Communications, Inc.)
     FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)

     ==================== Services (Whitelisted) ====================

     (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

     S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [270016 2016-10-30] (Adobe Systems Incorporated) [File not signed]
     R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-09-27] (AVAST Software)
     S4 Belkin Wireless USB Network Adapter Service; C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [49152 2004-03-29] () [File not signed]
     R2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [270336 2001-02-23] (Microsoft Corporation) [File not signed]

     ===================== Drivers (Whitelisted) ======================

     (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

     R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [20747 2007-09-11] (Meetinghouse Data Communications) [File not signed]
     S3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [4017536 2006-08-18] (Realtek Semiconductor Corp.)
     S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1684736 2009-06-25] (Creative)
     S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [34008 2016-09-27] (AVAST Software)
     R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [92256 2016-09-27] (AVAST Software)
     R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-09-27] (AVAST Software)
     R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [60424 2016-09-27] (AVAST Software)
     R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [735488 2016-09-27] (AVAST Software)
     R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [433768 2016-09-27] (AVAST Software)
     R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [184592 2016-09-27] (AVAST Software)
     S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [66688 2016-09-27] (AVAST Software)
     R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [224752 2016-10-13] (AVAST Software)
     S3 BVRPMPR5; C:\WINDOWS\system32\drivers\BVRPMPR5.SYS [49904 2009-09-30] (Avanquest Software) [File not signed]
     S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
     R2 CDRPDACC; C:\Program Files\321Studios\Shared\CDRPDACC.SYS [4633 2002-07-25] (Arrowkey) [File not signed]
     S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
     R2 HPFECP13; C:\WINDOWS\System32\drivers\HPFECP13.SYS [52800 1998-09-25] () [File not signed]
     S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [51056 2003-05-14] (HP)
     S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2003-05-14] (HP)
     S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21488 2003-05-14] (HP)
     R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [44032 2009-07-27] (Atheros Communications, Inc.)
     R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2016-11-14] (Malwarebytes) [File not signed]
     S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1389056 2009-06-25] (Creative Technology Ltd.)
     S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
     R3 NTIDrvr; C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys [6912 2007-09-11] (NewTech Infosystems, Inc.) [File not signed]
     S3 NuidFltr; C:\WINDOWS\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
     R0 nvatabus; C:\WINDOWS\System32\DRIVERS\nvatabus.sys [54656 2003-06-18] (NVIDIA Corporation) [File not signed]
     S3 NVENET; C:\WINDOWS\System32\DRIVERS\NVENET.sys [97280 2003-05-27] (NVIDIA Corporation) [File not signed]
     R3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [123840 2012-04-18] (NVIDIA Corporation)
     R0 nv_agp; C:\WINDOWS\System32\DRIVERS\nv_agp.sys [21120 2003-05-27] (NVIDIA Corporation) [File not signed]
     R3 Pcouffin; C:\WINDOWS\System32\Drivers\Pcouffin.sys [33376 2007-09-11] (VSO Software) [File not signed]
     R3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [21248 2003-09-19] (Padus, Inc.) [File not signed]
     S3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [232192 2005-08-02] (Ralink Technology, Corp.) [File not signed]
     S3 RTL8023xp; C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys [74496 2005-03-04] (Realtek Semiconductor Corporation )
     S3 SANDRA; C:\Program Files\SiSoftware\SiSoftware Sandra 2002 Professional\sandra.sys [9600 2001-10-30] (SiSoftware) [File not signed]
     R0 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [716272 2008-08-15] () [File not signed]
     S3 xbreader; C:\WINDOWS\System32\Drivers\xbreader.sys [19677 2001-01-02] (Thesycon GmbH, Germany) [File not signed]
     S3 catchme; \??\C:\DOCUME~1\poi\LOCALS~1\Temp\catchme.sys [X]
     S3 gdrv; \??\C:\WINDOWS\gdrv.sys [X]
     S3 hSONYPVh; \??\C:\DOCUME~1\poi\LOCALS~1\Temp\hSONYPVh.sys [X]
     S4 IntelIde; no ImagePath
     U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

     ==================== NetSvcs (Whitelisted) ===================

     (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

     ==================== One Month Created files and folders ========

     (If an entry is included in the fixlist, the file/folder will be moved.)

     2016-11-14 10:35 - 2016-11-14 10:35 - 00013614 _____ C:\Documents and Settings\poi\Desktop\FRST.txt
     2016-11-14 10:35 - 2016-11-14 10:35 - 00000000 ____D C:\FRST
     2016-11-14 10:34 - 2016-11-14 10:34 - 01760768 _____ (Farbar) C:\Documents and Settings\poi\Desktop\FRST.exe
     2016-11-14 10:29 - 2016-11-14 10:29 - 00001115 _____ C:\Documents and Settings\poi\Desktop\mbam log 11-14-16.txt
     2016-11-14 09:43 - 2016-11-14 09:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
     2016-11-10 22:53 - 2016-11-10 22:53 - 00000005 _____ C:\Documents and Settings\poi\Desktop\nw22560.txt
     2016-11-10 11:02 - 2016-11-11 16:17 - 01073664 _____ C:\Documents and Settings\poi\Desktop\B714F600
     2016-11-10 11:02 - 2016-11-10 13:16 - 01073664 _____ C:\Documents and Settings\poi\Desktop\2016.10.31.xls
     2016-11-10 10:58 - 2016-11-10 10:58 - 00014336 _____ C:\Documents and Settings\poi\My Documents\Book1 (version 1).xls
     2016-11-10 10:57 - 2016-11-10 10:57 - 00847102 _____ C:\Documents and Settings\poi\Desktop\2016.10.31.Tables.xlsx
     2016-11-10 10:09 - 2016-11-10 10:09 - 00000000 ____D C:\Documents and Settings\poi\Start Menu\Programs\Zoom
     2016-11-10 10:08 - 2016-11-10 10:09 - 17764880 _____ (Microsoft Corporation) C:\Documents and Settings\poi\Desktop\ZoomInstallerXP.exe
     2016-11-09 01:08 - 2016-11-09 01:08 - 00106496 _____ C:\WINDOWS\Minidump\Mini110916-01.dmp
     2016-11-03 10:53 - 2016-11-03 10:53 - 00169217 _____ C:\Documents and Settings\poi\Desktop\_invoice 1-2016.10.01.pdf
     2016-11-03 10:31 - 2016-11-05 14:56 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Audio
     2016-10-31 17:36 - 2016-10-31 17:36 - 00000697 _____ C:\Documents and Settings\poi\Desktop\Hrs to be worked.txt
     2016-10-28 15:04 - 2016-10-28 15:04 - 00621056 _____ C:\Documents and Settings\poi\Desktop\Tables 10-20-16.xls
     2016-10-28 14:04 - 2016-11-10 10:06 - 00133768 _____ (Zoom Video Communications, Inc.) C:\Documents and Settings\poi\Desktop\Zoom_launcher.exe
     2016-10-28 13:13 - 2016-10-30 22:10 - 00180624 _____ C:\Documents and Settings\poi\Desktop\ SPH 2016_REVISED.pdf
     2016-10-28 08:31 - 2016-10-28 08:31 - 00673860 _____ C:\Documents and Settings\poi\Desktop\Focus Groups_IO Colloquim_10-21-2016.pptm
     2016-10-28 08:20 - 2016-10-28 08:20 - 00331264 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides Comments 10-28-16.ppt
     2016-10-28 08:15 - 2016-10-28 08:15 - 00324608 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides.ppt
     2016-10-28 08:13 - 2016-10-28 08:13 - 00186447 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides.pptx
     2016-10-24 16:12 - 2016-10-24 16:12 - 00251501 _____ C:\Documents and Settings\poi\Desktop\6_DegreeLicensure Release_.pdf
     2016-10-24 11:27 - 2016-09-27 12:00 - 00319760 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
     2016-10-24 10:41 - 2016-10-24 10:41 - 02147107 _____ C:\Documents and Settings\poi\Desktop\Symposium Program Handout.pdf
     2016-10-20 18:35 - 2016-10-20 18:35 - 49505220 _____ C:\Documents and Settings\poi\Desktop\zoom_0.mp4
     2016-10-20 17:45 - 2016-10-20 17:45 - 00044544 _____ C:\Documents and Settings\poi\Desktop\ and work.xls
     2016-10-20 17:45 - 2016-10-20 17:45 - 00037923 _____ C:\Documents and Settings\poi\Desktop\ and work.xlsx

     ==================== One Month Modified files and folders ========

     (If an entry is included in the fixlist, the file/folder will be moved.)

     2016-11-14 10:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\poi\Local Settings\temp
     2016-11-14 10:15 - 2014-10-07 10:28 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
     2016-11-14 09:54 - 2016-08-22 10:01 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
     2016-11-14 09:44 - 2012-05-03 14:29 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
     2016-11-14 09:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\az\Local Settings\temp
     2016-11-14 09:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\ewq\Local Settings\temp
     2016-11-14 09:15 - 2014-04-22 21:07 - 00000260 _____ C:\WINDOWS\Tasks\WGASetup.job
     2016-11-14 09:15 - 2014-04-02 00:28 - 00000218 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
     2016-11-14 09:15 - 2013-05-15 16:30 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
     2016-11-14 09:14 - 2007-09-11 09:42 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
     2016-11-14 09:03 - 2007-09-11 09:53 - 00032416 _____ C:\WINDOWS\SchedLgU.Txt
     2016-11-13 13:39 - 2010-03-12 00:46 - 00000278 ___SH C:\Documents and Settings\poi\ntuser.ini
     2016-11-12 04:58 - 2007-09-11 04:34 - 00509960 _____ C:\WINDOWS\system32\PerfStringBackup.INI
     2016-11-12 04:49 - 2001-08-23 06:00 - 00002262 _____ C:\WINDOWS\system32\wpa.dbl
     2016-11-10 22:53 - 2007-09-11 10:43 - 00002489 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
     2016-11-10 10:58 - 2010-03-12 00:46 - 00000000 ___RD C:\Documents and Settings\poi\My Documents
     2016-11-10 10:58 - 2007-09-11 10:43 - 00002487 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
     2016-11-10 10:09 - 2016-07-22 08:25 - 00000000 ____D C:\Documents and Settings\poi\Application Data\Zoom
     2016-11-09 01:08 - 2011-04-05 14:43 - 00000000 ____D C:\WINDOWS\Minidump
     2016-11-08 23:43 - 2014-04-02 00:28 - 00000212 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
     2016-11-08 09:02 - 2016-06-30 16:45 - 00000000 ____D C:\Documents and Settings\poi\My Documents\SPH Climate
     2016-11-08 07:48 - 2009-02-19 12:47 - 00000000 ____D C:\Program Files\HLM7Student
     2016-11-08 07:48 - 2009-02-19 12:47 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\SSI, Inc
     2016-11-07 15:40 - 2011-04-04 22:42 - 00000278 ___SH C:\Documents and Settings\ewq\ntuser.ini
     2016-11-07 12:16 - 2010-03-13 04:27 - 00000000 ____D C:\Documents and Settings\poi\Application Data\vlc
     2016-10-31 16:58 - 2016-08-22 09:35 - 00027648 _____ C:\Documents and Settings\poi\Desktop\LNSCP.xls
     2016-10-30 22:13 - 2010-03-12 00:46 - 00000000 ____D C:\Documents and Settings\poi
     2016-10-30 16:17 - 2012-04-10 16:12 - 00796352 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
     2016-10-30 16:17 - 2011-08-16 19:18 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
     2016-10-30 16:16 - 2016-02-20 02:41 - 00000000 ____D C:\Documents and Settings\poi\Desktop\New Folder
     2016-10-30 16:16 - 2007-09-11 09:41 - 00000000 ____D C:\WINDOWS\system32\Macromed
     2016-10-24 11:33 - 2014-07-02 14:19 - 00000000 ____D C:\Documents and Settings\poi\Local Settings\Application Data\Adobe
     2016-10-24 11:30 - 2014-11-11 19:30 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
     2016-10-24 11:29 - 2007-09-11 04:30 - 00000000 ___HD C:\WINDOWS\inf
     2016-10-24 11:22 - 2016-09-06 23:30 - 00000353 _____ C:\Documents and Settings\poi\Desktop\notes 9-6.txt
     2016-10-24 11:21 - 2016-09-23 11:52 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Summary of Analyses
     2016-10-24 11:21 - 2016-09-08 10:17 - 01365904 _____ C:\Documents and Settings\poi\Desktop\WritersGuide1.0 [Team Notes].pdf
     2016-10-18 19:28 - 2016-10-13 06:43 - 00590336 _____ C:\Documents and Settings\poi\Desktop\File for Risk Matrix Team.xls
     2016-10-18 17:54 - 2016-10-13 06:34 - 00447477 _____ C:\Documents and Settings\poi\Desktop\File for Risk Matrix Team.xlsx
     2016-10-16 13:56 - 2016-09-27 11:33 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Data Test Download 9-27-16

     ==================== Files in the root of some directories =======

     2010-03-12 05:46 - 2012-08-21 10:27 - 0247808 _____ () C:\Documents and Settings\poi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     2008-06-22 17:42 - 2008-08-14 01:12 - 0003276 _____ () C:\Documents and Settings\All Users\Application Data\hpzinstall.log

     ==================== Bamital & volsnap ======================

     (There is no automatic fix for files that do not pass verification.)

     C:\WINDOWS\explorer.exe => File is digitally signed
     C:\WINDOWS\system32\winlogon.exe => File is digitally signed
     C:\WINDOWS\system32\svchost.exe => File is digitally signed
     C:\WINDOWS\system32\services.exe => File is digitally signed
     C:\WINDOWS\system32\User32.dll => File is digitally signed
     C:\WINDOWS\system32\userinit.exe => File is digitally signed
     C:\WINDOWS\system32\rpcss.dll => File is digitally signed
     C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
     C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

     ==================== End of FRST.txt ============================

     Attached: Addition.txt, mbam log 11-14-16.txt
  4. Thanks for this. Got it to work with the third one listed on that site. tqh
  5. I originally was able to bypass ctl-alt-del on this computer that I am working on, and then I had a problem where I could not get the computer out of sleep mode, or I just couldn't get back to the welcome screen. Once I rebooted, I had to use ctl-alt-del for the first time in a month of using this computer. Is there a way to get back to the original configuration, and why would that change? TIA, tqh
  6. Hello again. Thanks for all your help on this problem. I am curious: what does the .reg file do? I read the linked topics and don't quite understand. Is it analogous to resetting the update service? What would be an indicator of it merging successfully? Just curious. Thanks in advance.
  7. Ok, this seemed to work. Thanks! However, Windows Update is extremely slow. I even plugged in my modem directly and it is still not doing anything. I just want to get this thing to where it is not using up so much RAM and processor (and works properly). This thing is not doing anything; hardly any data is being transferred. Thanks in advance.
  8. Hello again. I was hoping this was a done deal, but I still keep getting the Windows Update notifications every time I reboot. I watch and make sure they install successfully, yet they still come back. Any ideas?
  9. I will take a look. I am assuming it will get rid of the folder that I mentioned? Your help is greatly appreciated.
  10. Hello MB Forum, I am trying to block Windows 10 from forcing itself on my computer. Based on my research, I need to delete the following file as one of the steps: $Windows.~BT However, I read that this could be problematic, as you can't revert back to 7 if you ever do upgrade to 10. Also, I can't even delete it due to permissions. I've tried everything possible and I still get a message that I need permission from (username) to delete. If I click "Try Again", nothing happens. So, 1) should I delete the folder? It seems ok, but since I have not yet done it I figured I would ask. And 2) how do I grant the appropriate permissions to successfully delete the folder? Thanks in advance.
  11. So I reinstalled Firefox (did not uninstall then install) and that seemed to work well. I uninstalled MB and installed per the instructions above, and updated, then scanned. Got a shutdown and an error message, but then rescanned and it worked. No malware detected. Audio seems to work. However, I keep getting notifications about the malicious sw removal, and now I am getting one about a security update for IE8. I don't think these are that big a deal, but if someone thinks differently, then please let me know. Since I started this whole thing, Windows wants to download and install the malicious sw removal tool after every reboot. I probably was being overly cautious. If you guys think everything is ok, then we can probably close this topic. Thank you very much for your help.
  12. So, can you make a copy of the profile folder, xyz.default for example, to a memory stick, then reinstall Firefox? If on reinstall the profile gets deleted, can you then replace the contents of the new profile folder with the older content? Also, AVAST notified me of a Firefox update, but I was not able to update through AVAST. I have not been able to sit down and work on this, so thanks for your patience.
  13. Ok to DH Lipman. Pretty good and I laughed, but will I lose all my bookmarks, plugins, etc.??
  14. Hello MB Forum, I have searched quite a bit on the web and can't find a good solution to my problem. I hope I may be able to get some help here. Some background... I have a computer running XP and have a TV hooked up with a DVI to HDMI cable. I tried hooking up some headphones through my analog jack and ended up losing sound on my TV - but only for that particular profile. My solution was to try and do a system restore because I have never had a problem doing that in the past. I restored back a couple weeks and I noticed that SRestore changed some file names. Of course I did not write them down because they seemed harmless. The sound worked, but when I got around to starting firefox, it did absolutely nothing. I went to the actual application under program files and it still would not work. I tried to go back under system restore and that did not help. I then stopped because I suspected malware. I ran a scan w/ MB and the scan failed initially. I also noticed that my program is not updating to 2.2.0.1024. Maybe because it is XP? When I finally got MB to run, it did not detect anything. I also ran a boot-time scan with AVAST. I have a corrupted file under C:\NVIDIA\Display Driver. This may be what caused the problem with the sound, but under another profile the sound worked. So, I am at a loss because I suspect that if I uninstall FF and reinstall it I will lose everything including bookmarks and plugins. I have a few restore points I could try but I don't think that will work. I'm starting to think system restore messed up my FF profile/folder. Any help would be great. Thanks in advance
  15. Should I try to run TFC with Avast disabled? Remember, it crashed on this computer. However, it did not produce a BSOD.
  16. Computer seems to be running fine, no signs of infection. Requested log posted below. Thanks again.

     Results of screen317's Security Check version 0.99.78
     Windows Vista Service Pack 2 x64 (UAC is enabled)
     Internet Explorer 9
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     avast! Antivirus
     Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     Adobe Flash Player 11.9.900.170
     Adobe Reader 9 Adobe Reader out of Date!
     Adobe Reader 10.1.8 Adobe Reader out of Date!
     Mozilla Firefox (26.0)
     ````````Process Check: objlist.exe by Laurent````````
     AVAST Software Avast AvastSvc.exe
     AVAST Software Avast AvastUI.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
     ````````````````````End of Log``````````````````````
  17. Hey there. I ran the MSRT and found nothing. There was no log. From the above quote in bold: Can you provide some credible information about WMI (link)? Just curious. Also, the security center notification seems to have disappeared. Not sure what happened to get rid of it, but it quit after running the last two AdwCleaner and MBAM. Did this editor used to have a spell check function? Just curious.
  18. Thanks. Here are the requested logs.

     # AdwCleaner v3.016 - Report created 01/01/2014 at 17:55:05
     # Updated 23/12/2013 by Xplode
     # Operating System : Windows Vista Home Premium Service Pack 2 (64 bits)
     # Username : KAREN - KAREN-PC
     # Running from : C:\Users\KAREN\Desktop\AdwCleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

     ***** [ Browsers ] *****

     -\\ Internet Explorer v9.0.8112.16526

     -\\ Mozilla Firefox v26.0 (en-US)

     [ File : C:\Users\KAREN\AppData\Roaming\Mozilla\Firefox\Profiles\x4scr48k.default\prefs.js ]

     *************************

     AdwCleaner[R0].txt - [21740 octets] - [26/12/2013 21:33:33]
     AdwCleaner[R1].txt - [6489 octets] - [27/12/2013 19:28:26]
     AdwCleaner[R2].txt - [2363 octets] - [01/01/2014 17:51:07]
     AdwCleaner[s0].txt - [6083 octets] - [27/12/2013 19:31:43]
     AdwCleaner[s1].txt - [2136 octets] - [01/01/2014 17:55:05]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [2196 octets] ##########

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2014.01.01.06

     Windows Vista Service Pack 2 x64 NTFS
     Internet Explorer 9.0.8112.16421
     KAREN :: KAREN-PC [administrator]

     1/1/2014 6:13:58 PM
     mbam-log-2014-01-01 (18-13-58).txt

     Scan type: Full scan (C:\|D:\|E:\|G:\|)
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 417232
     Time elapsed: 1 hour(s), 26 minute(s), 57 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 1
     C:\Users\KAREN\Desktop\Update\Setup.exe (PUP.Optional.Ibryte) -> Quarantined and deleted successfully.

     (end)
  19. Does it matter that this is on my machine and not the other one?
  20. Hello MB forum. I just ran TFC on my machine and received a BSOD. I ran it again and got the same thing. I now have 6 files on my desktop that otherwise would be hidden. They look like temp .docx files. There is also a file named desktop.ini. I don't suspect malware, but have included a MB quick scan log. I also included the two BSOD "reports". I would like to get rid of the new files on the desktop, but have decided to hold off. This is a separate issue with a separate computer than the topic under malware removal. Thanks in advance for any help.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.31.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
iop :: FLOYD00 [administrator]

12/31/2013 4:18:22 PM
mbam-log-2013-12-31 (16-18-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 308132
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Detected: 0 (No malicious items detected)
Memory Modules Detected: 0 (No malicious items detected)
Registry Keys Detected: 0 (No malicious items detected)
Registry Values Detected: 0 (No malicious items detected)
Registry Data Items Detected: 0 (No malicious items detected)
Folders Detected: 0 (No malicious items detected)
Files Detected: 0 (No malicious items detected)

(end)

Blue Screen Crash 12-31-13

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: f4
BCP1: 0000000000000006
BCP2: FFFFFA8006B53740
BCP3: FFFFFA8006B3CE10
BCP4: FFFFF800031D9780
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\123113-27378-01.dmp
C:\Users\iop\AppData\Local\Temp\WER-209977-0.sysdata.xml

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 3b
BCP1: 00000000C0000005
BCP2: FFFFF800031B1DFE
BCP3: FFFFF88002290A80
BCP4: 0000000000000000
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\123113-24476-01.dmp
C:\Users\iop\AppData\Local\Temp\WER-84084-0.sysdata.xml
  21. So, what about the TFC? Sorry, I put OTC in the PM. Should I try to run it again?
  22. I'm still getting the "problem reports and solutions" from Windows. Under virus alert is the notification about the "virus" in this thread title. Also, there are remnants of AVG on here. I ran screen317's Security Check and the result indicated that Adobe Reader 9 and 10 are on here and that Adobe Reader is out of date. If I try to update Adobe, it gives me the note that it is already up to date. Also, is there a way to make sure Java is completely uninstalled, and is there a way to get it out of the add-ons for FF/IE? Finally, the AVAST WebRep add-on is not installed on FF. Any clues? If not, no big deal. Thanks once again. Almost forgot. When I ran the boot scan and AVAST found a number of PUPs (Mindspark, etc.), the infected files were moved to the virus chest (a number of .dll files). Also, someone ran a scan back in Sept. and some malware was moved to the virus chest. FileRepMalware pops up twice. JS:lfram-DMK [Trj] is on there. Win32:Evo-gen [Susp] is on there twice. I guess my question is, what should I do with these, if anything? Do we need to probe more? I should have given you these details when I wrote that I did the boot scan way back there. Anything to be concerned about? Hate to do this, but I just opened up IE and the homepage was set to Bing. I received an alert at the bottom stating that an unknown program wants Bing to be the homepage or something like that. I clicked no. Didn't seem to matter. Her Yahoo toolbar option is gone from the add-ons page. I hope this is a very minor issue. Appreciate the help.