tqh
Posts posted by tqh
-
Thank you kindly. I'm not 100% sure what you wanted me to post. I just copied and pasted the information presented post-scan.
SHA256: e6b2b7c8a04443e1e308889488e09b95fb30e8e1a165f9a7792fe789d4825e8e
File name: vncutil.exe
Detection ratio: 1 / 55
Analysis date: 2016-11-14 21:23:15 UTC ( 0 minutes ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus | Result | Update
Malwarebytes | Trojan.Zbot | 20161114
ALYac | | 20161114
AVG | | 20161114
AVware | | 20161114
Ad-Aware | | 20161114
AegisLab | | 20161114
AhnLab-V3 | | 20161114
Alibaba | | 20161114
Antiy-AVL | | 20161114
Arcabit | | 20161114
Avast | | 20161114
Avira (no cloud) | | 20161114
Baidu | | 20161111
BitDefender | | 20161114
Bkav | | 20161112
CAT-QuickHeal | | 20161114
CMC | | 20161114
ClamAV | | 20161114
Comodo | | 20161114
CrowdStrike Falcon (ML) | | 20161024
Cyren | | 20161114
DrWeb | | 20161114
ESET-NOD32 | | 20161114
Emsisoft | | 20161114
F-Prot | | 20161114
F-Secure | | 20161114
Fortinet | | 20161114
GData | | 20161114
Ikarus | | 20161114
Invincea | | 20161018
Jiangmin | | 20161114
K7AntiVirus | | 20161114
K7GW | | 20161114
Kaspersky | | 20161114
Kingsoft | | 20161114
McAfee | | 20161114
McAfee-GW-Edition | | 20161114
eScan | | 20161114
Microsoft | | 20161114
NANO-Antivirus | | 20161114
Panda | | 20161114
Qihoo-360 | | 20161114
Rising | | 20161114
SUPERAntiSpyware | | 20161114
Sophos | | 20161114
Symantec | | 20161114
Tencent | | 20161114
TheHacker | | 20161114
TrendMicro | | 20161114
TrendMicro-HouseCall | | 20161114
VBA32 | | 20161114
VIPRE | | 20161114
ViRobot | | 20161114
Yandex | | 20161114
Zillya | | 20161114
Zoner | | 20161114
nProtect | | 20161114
-
Hello MB Forum,
This computer has been acting bizarre for a week or so. Completely freezing up requiring reboot. Ran AVAST boot scan and didn't find anything. Fully updated MBAM and ran a standard scan. Found Trojan.zbot. I didn't act on the result because I decided I needed to have this looked at. I will wait for your instruction. I also attached the MBAM log. Thanks as always for your continued service.
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2016
Ran by poi (administrator) on FLOYD (14-11-2016 10:35:13)
Running from C:\Documents and Settings\poi\Desktop
Loaded Profiles: poi (Available Profiles: poi & ewq & az & UpdatusUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
() C:\Program Files\USB TV\EM28XX\BDARemote.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
==================== Registry (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [17887232 2009-06-25] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1634112 2012-05-15] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9044392 2016-11-08] (AVAST Software)
HKLM\...\Policies\Explorer: [NoComputersNearMe] 0
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\...\Run: [Zoom] => 0
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\...\Policies\Explorer: [NoComputersNearMe] 0
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-09-27] (AVAST Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2007-09-11]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BDARemote.lnk [2010-05-26]
ShortcutTarget: BDARemote.lnk -> C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk [2007-09-11]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
GroupPolicy: Restriction ? <======= ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A9B57C27-3A8D-4410-BF03-21FBC3F1992C}: [DhcpNameServer] 192.168.1.1
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-10-24] (AVAST Software)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269795619093
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL [2001-01-22] (Microsoft Corporation)
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll [2008-04-13] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)
FireFox:
========
FF ProfilePath: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default [2016-11-14]
FF DefaultSearchEngine: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> Google
FF DefaultSearchEngine.US: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> Google
FF Homepage: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> about:blank
FF Extension: (Classic Theme Restorer) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-10-24]
FF Extension: (Blur) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\donottrackplus@abine.com.xpi [2016-11-10]
FF Extension: (Adblock Plus) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-10-28]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-01-14] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-10-24]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-10-24]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-30] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1123561945-2111687655-725345543-1008: @zoom.us/ZoomVideoPlugin -> C:\Documents and Settings\poi\Application Data\Zoom\bin\npzoomplugin.dll [2016-11-09] (Zoom Video Communications, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [270016 2016-10-30] (Adobe Systems Incorporated) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-09-27] (AVAST Software)
S4 Belkin Wireless USB Network Adapter Service; C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [49152 2004-03-29] () [File not signed]
R2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [270336 2001-02-23] (Microsoft Corporation) [File not signed]
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [20747 2007-09-11] (Meetinghouse Data Communications) [File not signed]
S3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [4017536 2006-08-18] (Realtek Semiconductor Corp.)
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1684736 2009-06-25] (Creative)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [34008 2016-09-27] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [92256 2016-09-27] (AVAST Software)
R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-09-27] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [60424 2016-09-27] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [735488 2016-09-27] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [433768 2016-09-27] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [184592 2016-09-27] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [66688 2016-09-27] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [224752 2016-10-13] (AVAST Software)
S3 BVRPMPR5; C:\WINDOWS\system32\drivers\BVRPMPR5.SYS [49904 2009-09-30] (Avanquest Software) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R2 CDRPDACC; C:\Program Files\321Studios\Shared\CDRPDACC.SYS [4633 2002-07-25] (Arrowkey) [File not signed]
S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
R2 HPFECP13; C:\WINDOWS\System32\drivers\HPFECP13.SYS [52800 1998-09-25] () [File not signed]
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [51056 2003-05-14] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2003-05-14] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21488 2003-05-14] (HP)
R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [44032 2009-07-27] (Atheros Communications, Inc.)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2016-11-14] (Malwarebytes) [File not signed]
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1389056 2009-06-25] (Creative Technology Ltd.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NTIDrvr; C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys [6912 2007-09-11] (NewTech Infosystems, Inc.) [File not signed]
S3 NuidFltr; C:\WINDOWS\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
R0 nvatabus; C:\WINDOWS\System32\DRIVERS\nvatabus.sys [54656 2003-06-18] (NVIDIA Corporation) [File not signed]
S3 NVENET; C:\WINDOWS\System32\DRIVERS\NVENET.sys [97280 2003-05-27] (NVIDIA Corporation) [File not signed]
R3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [123840 2012-04-18] (NVIDIA Corporation)
R0 nv_agp; C:\WINDOWS\System32\DRIVERS\nv_agp.sys [21120 2003-05-27] (NVIDIA Corporation) [File not signed]
R3 Pcouffin; C:\WINDOWS\System32\Drivers\Pcouffin.sys [33376 2007-09-11] (VSO Software) [File not signed]
R3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [21248 2003-09-19] (Padus, Inc.) [File not signed]
S3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [232192 2005-08-02] (Ralink Technology, Corp.) [File not signed]
S3 RTL8023xp; C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys [74496 2005-03-04] (Realtek Semiconductor Corporation )
S3 SANDRA; C:\Program Files\SiSoftware\SiSoftware Sandra 2002 Professional\sandra.sys [9600 2001-10-30] (SiSoftware) [File not signed]
R0 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [716272 2008-08-15] () [File not signed]
S3 xbreader; C:\WINDOWS\System32\Drivers\xbreader.sys [19677 2001-01-02] (Thesycon GmbH, Germany) [File not signed]
S3 catchme; \??\C:\DOCUME~1\poi\LOCALS~1\Temp\catchme.sys [X]
S3 gdrv; \??\C:\WINDOWS\gdrv.sys [X]
S3 hSONYPVh; \??\C:\DOCUME~1\poi\LOCALS~1\Temp\hSONYPVh.sys [X]
S4 IntelIde; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-11-14 10:35 - 2016-11-14 10:35 - 00013614 _____ C:\Documents and Settings\poi\Desktop\FRST.txt
2016-11-14 10:35 - 2016-11-14 10:35 - 00000000 ____D C:\FRST
2016-11-14 10:34 - 2016-11-14 10:34 - 01760768 _____ (Farbar) C:\Documents and Settings\poi\Desktop\FRST.exe
2016-11-14 10:29 - 2016-11-14 10:29 - 00001115 _____ C:\Documents and Settings\poi\Desktop\mbam log 11-14-16.txt
2016-11-14 09:43 - 2016-11-14 09:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-11-10 22:53 - 2016-11-10 22:53 - 00000005 _____ C:\Documents and Settings\poi\Desktop\nw22560.txt
2016-11-10 11:02 - 2016-11-11 16:17 - 01073664 _____ C:\Documents and Settings\poi\Desktop\B714F600
2016-11-10 11:02 - 2016-11-10 13:16 - 01073664 _____ C:\Documents and Settings\poi\Desktop\2016.10.31.xls
2016-11-10 10:58 - 2016-11-10 10:58 - 00014336 _____ C:\Documents and Settings\poi\My Documents\Book1 (version 1).xls
2016-11-10 10:57 - 2016-11-10 10:57 - 00847102 _____ C:\Documents and Settings\poi\Desktop\2016.10.31.Tables.xlsx
2016-11-10 10:09 - 2016-11-10 10:09 - 00000000 ____D C:\Documents and Settings\poi\Start Menu\Programs\Zoom
2016-11-10 10:08 - 2016-11-10 10:09 - 17764880 _____ (Microsoft Corporation) C:\Documents and Settings\poi\Desktop\ZoomInstallerXP.exe
2016-11-09 01:08 - 2016-11-09 01:08 - 00106496 _____ C:\WINDOWS\Minidump\Mini110916-01.dmp
2016-11-03 10:53 - 2016-11-03 10:53 - 00169217 _____ C:\Documents and Settings\poi\Desktop\_invoice 1-2016.10.01.pdf
2016-11-03 10:31 - 2016-11-05 14:56 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Audio
2016-10-31 17:36 - 2016-10-31 17:36 - 00000697 _____ C:\Documents and Settings\poi\Desktop\Hrs to be worked.txt
2016-10-28 15:04 - 2016-10-28 15:04 - 00621056 _____ C:\Documents and Settings\poi\Desktop\Tables 10-20-16.xls
2016-10-28 14:04 - 2016-11-10 10:06 - 00133768 _____ (Zoom Video Communications, Inc.) C:\Documents and Settings\poi\Desktop\Zoom_launcher.exe
2016-10-28 13:13 - 2016-10-30 22:10 - 00180624 _____ C:\Documents and Settings\poi\Desktop\ SPH 2016_REVISED.pdf
2016-10-28 08:31 - 2016-10-28 08:31 - 00673860 _____ C:\Documents and Settings\poi\Desktop\Focus Groups_IO Colloquim_10-21-2016.pptm
2016-10-28 08:20 - 2016-10-28 08:20 - 00331264 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides Comments 10-28-16.ppt
2016-10-28 08:15 - 2016-10-28 08:15 - 00324608 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides.ppt
2016-10-28 08:13 - 2016-10-28 08:13 - 00186447 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides.pptx
2016-10-24 16:12 - 2016-10-24 16:12 - 00251501 _____ C:\Documents and Settings\poi\Desktop\6_DegreeLicensure Release_.pdf
2016-10-24 11:27 - 2016-09-27 12:00 - 00319760 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-10-24 10:41 - 2016-10-24 10:41 - 02147107 _____ C:\Documents and Settings\poi\Desktop\Symposium Program Handout.pdf
2016-10-20 18:35 - 2016-10-20 18:35 - 49505220 _____ C:\Documents and Settings\poi\Desktop\zoom_0.mp4
2016-10-20 17:45 - 2016-10-20 17:45 - 00044544 _____ C:\Documents and Settings\poi\Desktop\ and work.xls
2016-10-20 17:45 - 2016-10-20 17:45 - 00037923 _____ C:\Documents and Settings\poi\Desktop\ and work.xlsx
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-11-14 10:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\poi\Local Settings\temp
2016-11-14 10:15 - 2014-10-07 10:28 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-11-14 09:54 - 2016-08-22 10:01 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-11-14 09:44 - 2012-05-03 14:29 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-11-14 09:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\az\Local Settings\temp
2016-11-14 09:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\ewq\Local Settings\temp
2016-11-14 09:15 - 2014-04-22 21:07 - 00000260 _____ C:\WINDOWS\Tasks\WGASetup.job
2016-11-14 09:15 - 2014-04-02 00:28 - 00000218 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2016-11-14 09:15 - 2013-05-15 16:30 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-11-14 09:14 - 2007-09-11 09:42 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-11-14 09:03 - 2007-09-11 09:53 - 00032416 _____ C:\WINDOWS\SchedLgU.Txt
2016-11-13 13:39 - 2010-03-12 00:46 - 00000278 ___SH C:\Documents and Settings\poi\ntuser.ini
2016-11-12 04:58 - 2007-09-11 04:34 - 00509960 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-11-12 04:49 - 2001-08-23 06:00 - 00002262 _____ C:\WINDOWS\system32\wpa.dbl
2016-11-10 22:53 - 2007-09-11 10:43 - 00002489 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2016-11-10 10:58 - 2010-03-12 00:46 - 00000000 ___RD C:\Documents and Settings\poi\My Documents
2016-11-10 10:58 - 2007-09-11 10:43 - 00002487 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
2016-11-10 10:09 - 2016-07-22 08:25 - 00000000 ____D C:\Documents and Settings\poi\Application Data\Zoom
2016-11-09 01:08 - 2011-04-05 14:43 - 00000000 ____D C:\WINDOWS\Minidump
2016-11-08 23:43 - 2014-04-02 00:28 - 00000212 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2016-11-08 09:02 - 2016-06-30 16:45 - 00000000 ____D C:\Documents and Settings\poi\My Documents\SPH Climate
2016-11-08 07:48 - 2009-02-19 12:47 - 00000000 ____D C:\Program Files\HLM7Student
2016-11-08 07:48 - 2009-02-19 12:47 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\SSI, Inc
2016-11-07 15:40 - 2011-04-04 22:42 - 00000278 ___SH C:\Documents and Settings\ewq\ntuser.ini
2016-11-07 12:16 - 2010-03-13 04:27 - 00000000 ____D C:\Documents and Settings\poi\Application Data\vlc
2016-10-31 16:58 - 2016-08-22 09:35 - 00027648 _____ C:\Documents and Settings\poi\Desktop\LNSCP.xls
2016-10-30 22:13 - 2010-03-12 00:46 - 00000000 ____D C:\Documents and Settings\poi
2016-10-30 16:17 - 2012-04-10 16:12 - 00796352 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-10-30 16:17 - 2011-08-16 19:18 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-10-30 16:16 - 2016-02-20 02:41 - 00000000 ____D C:\Documents and Settings\poi\Desktop\New Folder
2016-10-30 16:16 - 2007-09-11 09:41 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-10-24 11:33 - 2014-07-02 14:19 - 00000000 ____D C:\Documents and Settings\poi\Local Settings\Application Data\Adobe
2016-10-24 11:30 - 2014-11-11 19:30 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2016-10-24 11:29 - 2007-09-11 04:30 - 00000000 ___HD C:\WINDOWS\inf
2016-10-24 11:22 - 2016-09-06 23:30 - 00000353 _____ C:\Documents and Settings\poi\Desktop\notes 9-6.txt
2016-10-24 11:21 - 2016-09-23 11:52 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Summary of Analyses
2016-10-24 11:21 - 2016-09-08 10:17 - 01365904 _____ C:\Documents and Settings\poi\Desktop\WritersGuide1.0 [Team Notes].pdf
2016-10-18 19:28 - 2016-10-13 06:43 - 00590336 _____ C:\Documents and Settings\poi\Desktop\File for Risk Matrix Team.xls
2016-10-18 17:54 - 2016-10-13 06:34 - 00447477 _____ C:\Documents and Settings\poi\Desktop\File for Risk Matrix Team.xlsx
2016-10-16 13:56 - 2016-09-27 11:33 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Data Test Download 9-27-16
==================== Files in the root of some directories =======
2010-03-12 05:46 - 2012-08-21 10:27 - 0247808 _____ () C:\Documents and Settings\poi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-06-22 17:42 - 2008-08-14 01:12 - 0003276 _____ () C:\Documents and Settings\All Users\Application Data\hpzinstall.log
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
==================== End of FRST.txt ============================
-
Thanks for this. Got it to work with the third one listed on that site.
tqh
-
I originally was able to bypass ctl-alt-del on this computer that I am working on and then I had a problem where I could not get the computer out of sleep mode or I just couldn't get back to the welcome screen. Once I rebooted, I had to use ctl-alt-del for the first time in a month of using this computer. Is there a way to get back to the original configuration and why would that change?
TIA,
tqh
-
Hello again. Thanks for all your help on this problem. I am curious what does the .reg file do? I read the linked topics and don't quite understand. Is it analogous to resetting the update service? What would be an indicator of it merging successfully? Just curious.
Thanks in advance
-
Nevermind. Seems like it is ok now. Thanks.
-
Ok this seemed to work. Thanks! However, windows update is extremely slow. I even plugged in my modem directly and it is still not doing anything. I just want to get this thing to where it is not using up so much RAM and processor (and work properly). This thing is not doing anything; hardly any data is being transferred.
Thanks in advance
-
Hello again. I was hoping this was a done deal, but I still keep getting the Windows Update notifications every time I reboot. I watch and make sure they install successfully, yet they still come back. Any ideas?
-
I will take a look. I am assuming it will get rid of the folder that I mentioned? Your help is greatly appreciated.
-
Hello MB Forum,
I am trying to block Windows 10 from forcing itself on my computer. Based on my research, I need to delete the following file as one of the steps: $Windows.~BT
However, I read that this could be problematic as you can't revert back to 7 if you ever do upgrade to 10. Also, I can't even delete it due to permissions. I've tried everything possible and I still get a message that I need permission from (username) to delete. If I click "Try Again", nothing happens.
So, 1) should I delete the folder? It seems ok, but since I have not yet done it I figured I would ask. And 2) how do I grant the appropriate permissions to successfully delete the folder?
Thanks in advance
-
So I reinstalled Firefox (did not uninstall then install) and that seemed to work well. I uninstalled MB and installed per the instructions above and updated, then scanned. Got a shutdown and error message, but then rescanned and it worked. No malware detected. Audio seems to work. However, I keep getting notifications about the malicious sw removal and now I am getting one about a security update for IE8. I don't think these are that big a deal, but if someone thinks differently, then please let me know. Since I started this whole thing, Windows wants to download and install the malicious sw removal tool after every reboot. I probably was being overly cautious. If you guys think everything is ok, then we can probably close this topic. Thank you very much for your help.
-
So, can you make a copy of the profile folder, xyz.default for example, to a memory stick, then reinstall Firefox? If on reinstall the profile gets deleted, can you then replace the contents of the new profile folder with the older content? Also, AVAST notified me of a Firefox update but I was not able to update through AVAST. I have not been able to sit down and work on this, so thanks for your patience.
-
Well I can't access the forum with IE.
-
Ok to DH Lipman. Pretty good and I laughed, but will I lose all my bookmarks, plugins, etc.?
-
Hello MB Forum,
I have searched quite a bit on the web and can't find a good solution to my problem. I hope I may be able to get some help here. Some background...
I have a computer running XP and have a TV hooked up with a DVI to HDMI cable. I tried hooking up some headphones through my analog jack and ended up losing sound on my TV - but only for that particular profile. My solution was to try and do a system restore because I have never had a problem doing that in the past. I restored back a couple weeks and I noticed that SRestore changed some file names. Of course I did not write them down because they seemed harmless. The sound worked, but when I got around to starting firefox, it did absolutely nothing. I went to the actual application under program files and it still would not work. I tried to go back under system restore and that did not help. I then stopped because I suspected malware.
I ran a scan w/ MB and the scan failed initially. I also noticed that my program is not updating to 2.2.0.1024. Maybe because it is XP? When I finally got MB to run, it did not detect anything. I also ran a boot-time scan with AVAST. I have a corrupted file under C:\NVIDIA\Display Driver. This may be what caused the problem with the sound, but under another profile the sound worked. So, I am at a loss because I suspect that if I uninstall FF and reinstall it I will lose everything including bookmarks and plugins. I have a few restore points I could try but I don't think that will work. I'm starting to think system restore messed up my FF profile/folder. Any help would be great.
Thanks in advance
-
Should I try to run TFC with Avast disabled? Remember, it crashed on this computer. However, it did not produce a BSOD.
-
Computer seems to be running fine, no signs of infection.
Requested log posted below. Thanks again.
Results of screen317's Security Check version 0.99.78
Windows Vista Service Pack 2 x64 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 11.9.900.170
Adobe Reader 9 Adobe Reader out of Date!
Adobe Reader 10.1.8 Adobe Reader out of Date!
Mozilla Firefox (26.0)
````````Process Check: objlist.exe by Laurent````````
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
-
TFC is a temporary file cleaner and one can certainly use it as often as they feel they need to but it's not something that has to be run over and over.
I've seen a few other topics on this issue and so far it appears to be an elusive entry to remove from the Security Center - my guess is that it may be stored using WMI which makes it a bit more difficult to get to and remove.
Please download and run the following Malicious Software Removal Tool from Microsoft and let me know if it finds anything or not and reboot once you've run it and let me know if this still shows up as a "new" entry in the Security Center.
Hey there. I ran the MSRT and found nothing. There was no log. From the above quote in bold: Can you provide some credible information about WMI (link)? Just curious. Also, the security center notification seems to have disappeared. Not sure what happened to get rid of it, but it quit after running the last two AdwCleaner and MBAM.
Did this editor used to have a spell check function? Just curious.
-
Thanks. Here are the requested logs.
# AdwCleaner v3.016 - Report created 01/01/2014 at 17:55:05
# Updated 23/12/2013 by Xplode
# Operating System : Windows Vista Home Premium Service Pack 2 (64 bits)
# Username : KAREN - KAREN-PC
# Running from : C:\Users\KAREN\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
***** [ Browsers ] *****
-\\ Internet Explorer v9.0.8112.16526
-\\ Mozilla Firefox v26.0 (en-US)
[ File : C:\Users\KAREN\AppData\Roaming\Mozilla\Firefox\Profiles\x4scr48k.default\prefs.js ]
*************************
AdwCleaner[R0].txt - [21740 octets] - [26/12/2013 21:33:33]
AdwCleaner[R1].txt - [6489 octets] - [27/12/2013 19:28:26]
AdwCleaner[R2].txt - [2363 octets] - [01/01/2014 17:51:07]
AdwCleaner[s0].txt - [6083 octets] - [27/12/2013 19:31:43]
AdwCleaner[s1].txt - [2136 octets] - [01/01/2014 17:55:05]
########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [2196 octets] ##########
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2014.01.01.06
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
KAREN :: KAREN-PC [administrator]
1/1/2014 6:13:58 PM
mbam-log-2014-01-01 (18-13-58).txt
Scan type: Full scan (C:\|D:\|E:\|G:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 417232
Time elapsed: 1 hour(s), 26 minute(s), 57 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\KAREN\Desktop\Update\Setup.exe (PUP.Optional.Ibryte) -> Quarantined and deleted successfully.
(end)
-
OK, cool. Thank you.
-
Does it matter that this is on my machine and not the other one?
-
Hello MB forum. I just ran TFC on my machine and received a BSOD. I ran it again and got the same thing. I now have 6 files on my desktop that would otherwise be hidden. They look like temp .docx files. There is also a file named desktop.ini. I don't suspect malware, but I have included a MB quick scan log. I also included the two BSOD "reports". I would like to get rid of the new files on the desktop, but have decided to hold off. This is a separate issue on a separate computer from the topic under malware removal. Thanks in advance for any help.
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.12.31.07
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
iop :: FLOYD00 [administrator]
12/31/2013 4:18:22 PM
mbam-log-2013-12-31 (16-18-22).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 308132
Time elapsed: 6 minute(s), 30 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
Blue Screen Crash 12-31-13
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional information about the problem:
BCCode: f4
BCP1: 0000000000000006
BCP2: FFFFFA8006B53740
BCP3: FFFFFA8006B3CE10
BCP4: FFFFF800031D9780
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\123113-27378-01.dmp
C:\Users\iop\AppData\Local\Temp\WER-209977-0.sysdata.xml
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033
Additional information about the problem:
BCCode: 3b
BCP1: 00000000C0000005
BCP2: FFFFF800031B1DFE
BCP3: FFFFF88002290A80
BCP4: 0000000000000000
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\123113-24476-01.dmp
C:\Users\iop\AppData\Local\Temp\WER-84084-0.sysdata.xml
-
So, what about the TFC? Sorry, I put OTC in the PM. Should I try to run it again?
-
I'm still getting the "problem reports and solutions" from Windows. Under virus alert is the notification about the "virus" in this thread title. Also, there are remnants of AVG on here. I ran screen317's Security Check and the result indicated that Adobe Reader 9 and 10 are on here and that Adobe Reader is out of date. If I try to update Adobe, it gives me the note that it is already up to date. Also, is there a way to make sure Java is completely uninstalled, and is there a way to get it out of the add-ons for FF/IE? Finally, the AVAST WebRep add-on is not installed on FF. Any clues? If not, no big deal. Thanks once again.
Almost forgot. When I ran the boot scan and AVAST found a number of PUPs (mindspark, etc.), the infected files were moved to the virus chest (a number of .dll files). Also, someone ran a scan back in Sept. and some malware was moved to the virus chest. FileRepMalware pops up twice. JS:lfram-DMK [Trj] is on there. Win32:Evo-gen[susp] is on there twice. I guess my question is, what should I do with these, if anything? Do we need to probe more? I should have given you these details when I wrote that I did the boot scan way back there. Anything to be concerned about?
Hate to do this, but I just opened up IE and the homepage was set to Bing. I received an alert at the bottom stating that an unknown program wants Bing to be the homepage, or something like that. I clicked no. Didn't seem to matter. Her Yahoo toolbar option is gone from the add-ons page. I'm hoping this is a very minor issue.
Appreciate the help.
Possible False Positive Trojan.zbot
in File Detections
Here is the MBAM log, as instructed in the malware removal forum...
Thanks.
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 11/14/2016
Scan Time: 3:43:08 PM
Logfile: MBAM log 11-14-16a.txt
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.11.14.09
Rootkit Database: v2016.10.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: poi
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388087
Time Elapsed: 20 min, 58 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 1
Trojan.Zbot, C:\WINDOWS\vncutil.exe, , [1b16427ed0ca1f172eff03ce10f3639d],
Physical Sectors: 0
(No malicious items detected)
(end)
vncutil.zip