
Trojan.zbot found in MB Scan


tqh

Hello MB Forum,

This computer has been acting bizarre for a week or so.  Completely freezing up requiring reboot.  Ran AVAST boot scan and didn't find anything.  Fully updated MBAM and ran a standard scan.  Found Trojan.zbot.  I didn't act on the result because I decided I needed to have this looked at.  I will wait for your instruction.  I also attached the MBAM log.  Thanks as always for your continued service.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2016
Ran by poi (administrator) on FLOYD (14-11-2016 10:35:13)
Running from C:\Documents and Settings\poi\Desktop
Loaded Profiles: poi (Available Profiles: poi & ewq & az & UpdatusUser & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
(NVIDIA Corporation) C:\WINDOWS\system32\nvsvc32.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
() C:\Program Files\USB TV\EM28XX\BDARemote.exe
(Malwarebytes) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [17887232 2009-06-25] (Realtek Semiconductor Corp.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [1634112 2012-05-15] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9044392 2016-11-08] (AVAST Software)
HKLM\...\Policies\Explorer: [NoComputersNearMe] 0
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\...\Run: [Zoom] => 0
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\...\Policies\Explorer: [NoComputersNearMe] 0
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2016-09-27] (AVAST Software)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2007-09-11]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BDARemote.lnk [2010-05-26]
ShortcutTarget: BDARemote.lnk -> C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk [2007-09-11]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
GroupPolicy: Restriction ? <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A9B57C27-3A8D-4410-BF03-21FBC3F1992C}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1123561945-2111687655-725345543-1008\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-10-24] (AVAST Software)
DPF: {17492023-C23A-453E-A040-C7C580BBF700} hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269795619093
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL [2001-01-22] (Microsoft Corporation)
Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll [2008-04-13] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL [2000-04-19] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default [2016-11-14]
FF DefaultSearchEngine: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> Google
FF DefaultSearchEngine.US: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> Google
FF Homepage: C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default -> about:blank
FF Extension: (Classic Theme Restorer) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-10-24]
FF Extension: (Blur) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\donottrackplus@abine.com.xpi [2016-11-10]
FF Extension: (Adblock Plus) - C:\Documents and Settings\poi\Application Data\Mozilla\Firefox\Profiles\wxaz6z55.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-10-28]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-01-14] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-10-24]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-10-24]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-30] ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.2.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1123561945-2111687655-725345543-1008: @zoom.us/ZoomVideoPlugin -> C:\Documents and Settings\poi\Application Data\Zoom\bin\npzoomplugin.dll [2016-11-09] (Zoom Video Communications, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [270016 2016-10-30] (Adobe Systems Incorporated) [File not signed]
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-09-27] (AVAST Software)
S4 Belkin Wireless USB Network Adapter Service; C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe [49152 2004-03-29] () [File not signed]
R2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [270336 2001-02-23] (Microsoft Corporation) [File not signed]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [20747 2007-09-11] (Meetinghouse Data Communications) [File not signed]
S3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [4017536 2006-08-18] (Realtek Semiconductor Corp.)
S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1684736 2009-06-25] (Creative)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [34008 2016-09-27] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [92256 2016-09-27] (AVAST Software)
R1 AswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [64272 2016-09-27] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\Drivers\aswRvrt.sys [60424 2016-09-27] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [735488 2016-09-27] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [433768 2016-09-27] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [184592 2016-09-27] (AVAST Software)
S3 aswTdi; C:\WINDOWS\system32\drivers\aswTdi.sys [66688 2016-09-27] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\Drivers\aswVmm.sys [224752 2016-10-13] (AVAST Software)
S3 BVRPMPR5; C:\WINDOWS\system32\drivers\BVRPMPR5.SYS [49904 2009-09-30] (Avanquest Software) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R2 CDRPDACC; C:\Program Files\321Studios\Shared\CDRPDACC.SYS [4633 2002-07-25] (Arrowkey) [File not signed]
S3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2008-04-13] (Microsoft Corporation)
R2 HPFECP13; C:\WINDOWS\System32\drivers\HPFECP13.SYS [52800 1998-09-25] () [File not signed]
S3 HPZid412; C:\WINDOWS\System32\DRIVERS\HPZid412.sys [51056 2003-05-14] (HP)
S3 HPZipr12; C:\WINDOWS\System32\DRIVERS\HPZipr12.sys [16496 2003-05-14] (HP)
S3 HPZius12; C:\WINDOWS\System32\DRIVERS\HPZius12.sys [21488 2003-05-14] (HP)
R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [44032 2009-07-27] (Atheros Communications, Inc.)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [170200 2016-11-14] (Malwarebytes) [File not signed]
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1389056 2009-06-25] (Creative Technology Ltd.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NTIDrvr; C:\WINDOWS\System32\DRIVERS\NTIDrvr.sys [6912 2007-09-11] (NewTech Infosystems, Inc.) [File not signed]
S3 NuidFltr; C:\WINDOWS\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
R0 nvatabus; C:\WINDOWS\System32\DRIVERS\nvatabus.sys [54656 2003-06-18] (NVIDIA Corporation) [File not signed]
S3 NVENET; C:\WINDOWS\System32\DRIVERS\NVENET.sys [97280 2003-05-27] (NVIDIA Corporation) [File not signed]
R3 NVHDA; C:\WINDOWS\System32\drivers\nvhda32.sys [123840 2012-04-18] (NVIDIA Corporation)
R0 nv_agp; C:\WINDOWS\System32\DRIVERS\nv_agp.sys [21120 2003-05-27] (NVIDIA Corporation) [File not signed]
R3 Pcouffin; C:\WINDOWS\System32\Drivers\Pcouffin.sys [33376 2007-09-11] (VSO Software) [File not signed]
R3 pfc; C:\WINDOWS\System32\drivers\pfc.sys [21248 2003-09-19] (Padus, Inc.) [File not signed]
S3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [232192 2005-08-02] (Ralink Technology, Corp.) [File not signed]
S3 RTL8023xp; C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys [74496 2005-03-04] (Realtek Semiconductor Corporation                           )
S3 SANDRA; C:\Program Files\SiSoftware\SiSoftware Sandra 2002 Professional\sandra.sys [9600 2001-10-30] (SiSoftware) [File not signed]
R0 sptd; C:\WINDOWS\System32\Drivers\sptd.sys [716272 2008-08-15] () [File not signed]
S3 xbreader; C:\WINDOWS\System32\Drivers\xbreader.sys [19677 2001-01-02] (Thesycon GmbH, Germany) [File not signed]
S3 catchme; \??\C:\DOCUME~1\poi\LOCALS~1\Temp\catchme.sys [X]
S3 gdrv; \??\C:\WINDOWS\gdrv.sys [X]
S3 hSONYPVh; \??\C:\DOCUME~1\poi\LOCALS~1\Temp\hSONYPVh.sys [X]
S4 IntelIde; no ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-14 10:35 - 2016-11-14 10:35 - 00013614 _____ C:\Documents and Settings\poi\Desktop\FRST.txt
2016-11-14 10:35 - 2016-11-14 10:35 - 00000000 ____D C:\FRST
2016-11-14 10:34 - 2016-11-14 10:34 - 01760768 _____ (Farbar) C:\Documents and Settings\poi\Desktop\FRST.exe
2016-11-14 10:29 - 2016-11-14 10:29 - 00001115 _____ C:\Documents and Settings\poi\Desktop\mbam log 11-14-16.txt
2016-11-14 09:43 - 2016-11-14 09:45 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-11-10 22:53 - 2016-11-10 22:53 - 00000005 _____ C:\Documents and Settings\poi\Desktop\nw22560.txt
2016-11-10 11:02 - 2016-11-11 16:17 - 01073664 _____ C:\Documents and Settings\poi\Desktop\B714F600
2016-11-10 11:02 - 2016-11-10 13:16 - 01073664 _____ C:\Documents and Settings\poi\Desktop\2016.10.31.xls
2016-11-10 10:58 - 2016-11-10 10:58 - 00014336 _____ C:\Documents and Settings\poi\My Documents\Book1 (version 1).xls
2016-11-10 10:57 - 2016-11-10 10:57 - 00847102 _____ C:\Documents and Settings\poi\Desktop\2016.10.31.Tables.xlsx
2016-11-10 10:09 - 2016-11-10 10:09 - 00000000 ____D C:\Documents and Settings\poi\Start Menu\Programs\Zoom
2016-11-10 10:08 - 2016-11-10 10:09 - 17764880 _____ (Microsoft Corporation) C:\Documents and Settings\poi\Desktop\ZoomInstallerXP.exe
2016-11-09 01:08 - 2016-11-09 01:08 - 00106496 _____ C:\WINDOWS\Minidump\Mini110916-01.dmp
2016-11-03 10:53 - 2016-11-03 10:53 - 00169217 _____ C:\Documents and Settings\poi\Desktop\_invoice 1-2016.10.01.pdf
2016-11-03 10:31 - 2016-11-05 14:56 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Audio
2016-10-31 17:36 - 2016-10-31 17:36 - 00000697 _____ C:\Documents and Settings\poi\Desktop\Hrs to be worked.txt
2016-10-28 15:04 - 2016-10-28 15:04 - 00621056 _____ C:\Documents and Settings\poi\Desktop\Tables 10-20-16.xls
2016-10-28 14:04 - 2016-11-10 10:06 - 00133768 _____ (Zoom Video Communications, Inc.) C:\Documents and Settings\poi\Desktop\Zoom_launcher.exe
2016-10-28 13:13 - 2016-10-30 22:10 - 00180624 _____ C:\Documents and Settings\poi\Desktop\ SPH 2016_REVISED.pdf
2016-10-28 08:31 - 2016-10-28 08:31 - 00673860 _____ C:\Documents and Settings\poi\Desktop\Focus Groups_IO Colloquim_10-21-2016.pptm
2016-10-28 08:20 - 2016-10-28 08:20 - 00331264 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides Comments 10-28-16.ppt
2016-10-28 08:15 - 2016-10-28 08:15 - 00324608 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides.ppt
2016-10-28 08:13 - 2016-10-28 08:13 - 00186447 _____ C:\Documents and Settings\poi\Desktop\Writer's Guide Update Slides.pptx
2016-10-24 16:12 - 2016-10-24 16:12 - 00251501 _____ C:\Documents and Settings\poi\Desktop\6_DegreeLicensure Release_.pdf
2016-10-24 11:27 - 2016-09-27 12:00 - 00319760 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-10-24 10:41 - 2016-10-24 10:41 - 02147107 _____ C:\Documents and Settings\poi\Desktop\Symposium Program Handout.pdf
2016-10-20 18:35 - 2016-10-20 18:35 - 49505220 _____ C:\Documents and Settings\poi\Desktop\zoom_0.mp4
2016-10-20 17:45 - 2016-10-20 17:45 - 00044544 _____ C:\Documents and Settings\poi\Desktop\ and  work.xls
2016-10-20 17:45 - 2016-10-20 17:45 - 00037923 _____ C:\Documents and Settings\poi\Desktop\ and  work.xlsx

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-14 10:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\poi\Local Settings\temp
2016-11-14 10:15 - 2014-10-07 10:28 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-11-14 09:54 - 2016-08-22 10:01 - 00170200 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-11-14 09:44 - 2012-05-03 14:29 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-11-14 09:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\az\Local Settings\temp
2016-11-14 09:35 - 2013-09-06 14:46 - 00000000 ____D C:\Documents and Settings\ewq\Local Settings\temp
2016-11-14 09:15 - 2014-04-22 21:07 - 00000260 _____ C:\WINDOWS\Tasks\WGASetup.job
2016-11-14 09:15 - 2014-04-02 00:28 - 00000218 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2016-11-14 09:15 - 2013-05-15 16:30 - 00000364 ____H C:\WINDOWS\Tasks\avast! Emergency Update.job
2016-11-14 09:14 - 2007-09-11 09:42 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-11-14 09:03 - 2007-09-11 09:53 - 00032416 _____ C:\WINDOWS\SchedLgU.Txt
2016-11-13 13:39 - 2010-03-12 00:46 - 00000278 ___SH C:\Documents and Settings\poi\ntuser.ini
2016-11-12 04:58 - 2007-09-11 04:34 - 00509960 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-11-12 04:49 - 2001-08-23 06:00 - 00002262 _____ C:\WINDOWS\system32\wpa.dbl
2016-11-10 22:53 - 2007-09-11 10:43 - 00002489 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
2016-11-10 10:58 - 2010-03-12 00:46 - 00000000 ___RD C:\Documents and Settings\poi\My Documents
2016-11-10 10:58 - 2007-09-11 10:43 - 00002487 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
2016-11-10 10:09 - 2016-07-22 08:25 - 00000000 ____D C:\Documents and Settings\poi\Application Data\Zoom
2016-11-09 01:08 - 2011-04-05 14:43 - 00000000 ____D C:\WINDOWS\Minidump
2016-11-08 23:43 - 2014-04-02 00:28 - 00000212 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2016-11-08 09:02 - 2016-06-30 16:45 - 00000000 ____D C:\Documents and Settings\poi\My Documents\SPH Climate
2016-11-08 07:48 - 2009-02-19 12:47 - 00000000 ____D C:\Program Files\HLM7Student
2016-11-08 07:48 - 2009-02-19 12:47 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\SSI, Inc
2016-11-07 15:40 - 2011-04-04 22:42 - 00000278 ___SH C:\Documents and Settings\ewq\ntuser.ini
2016-11-07 12:16 - 2010-03-13 04:27 - 00000000 ____D C:\Documents and Settings\poi\Application Data\vlc
2016-10-31 16:58 - 2016-08-22 09:35 - 00027648 _____ C:\Documents and Settings\poi\Desktop\LNSCP.xls
2016-10-30 22:13 - 2010-03-12 00:46 - 00000000 ____D C:\Documents and Settings\poi
2016-10-30 16:17 - 2012-04-10 16:12 - 00796352 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2016-10-30 16:17 - 2011-08-16 19:18 - 00142528 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2016-10-30 16:16 - 2016-02-20 02:41 - 00000000 ____D C:\Documents and Settings\poi\Desktop\New Folder
2016-10-30 16:16 - 2007-09-11 09:41 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-10-24 11:33 - 2014-07-02 14:19 - 00000000 ____D C:\Documents and Settings\poi\Local Settings\Application Data\Adobe
2016-10-24 11:30 - 2014-11-11 19:30 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2016-10-24 11:29 - 2007-09-11 04:30 - 00000000 ___HD C:\WINDOWS\inf
2016-10-24 11:22 - 2016-09-06 23:30 - 00000353 _____ C:\Documents and Settings\poi\Desktop\notes 9-6.txt
2016-10-24 11:21 - 2016-09-23 11:52 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Summary of Analyses
2016-10-24 11:21 - 2016-09-08 10:17 - 01365904 _____ C:\Documents and Settings\poi\Desktop\WritersGuide1.0 [Team Notes].pdf
2016-10-18 19:28 - 2016-10-13 06:43 - 00590336 _____ C:\Documents and Settings\poi\Desktop\File for Risk Matrix Team.xls
2016-10-18 17:54 - 2016-10-13 06:34 - 00447477 _____ C:\Documents and Settings\poi\Desktop\File for Risk Matrix Team.xlsx
2016-10-16 13:56 - 2016-09-27 11:33 - 00000000 ____D C:\Documents and Settings\poi\Desktop\Data Test Download 9-27-16

==================== Files in the root of some directories =======

2010-03-12 05:46 - 2012-08-21 10:27 - 0247808 _____ () C:\Documents and Settings\poi\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2008-06-22 17:42 - 2008-08-14 01:12 - 0003276 _____ () C:\Documents and Settings\All Users\Application Data\hpzinstall.log

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================

Addition.txt

mbam log 11-14-16.txt


Hello tqh,

Upload that file flagged by Malwarebytes to VirusTotal, see what the diagnosis is...

Go to http://www.virustotal.com/
  • Click the Choose file button
  • Navigate to the file C:\WINDOWS\vncutil.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.

Thank you,

Kevin...


Thank you kindly.  I'm not 100% sure what you wanted me to post.  I just copied and pasted the information presented post-scan.


SHA256: e6b2b7c8a04443e1e308889488e09b95fb30e8e1a165f9a7792fe789d4825e8e
File name: vncutil.exe
Detection ratio: 1 / 55
Analysis date: 2016-11-14 21:23:15 UTC ( 0 minutes ago )
Probably harmless! There are strong indicators suggesting that this file is safe to use.
Antivirus Result Update
Malwarebytes Trojan.Zbot 20161114
ALYac   20161114
AVG   20161114
AVware   20161114
Ad-Aware   20161114
AegisLab   20161114
AhnLab-V3   20161114
Alibaba   20161114
Antiy-AVL   20161114
Arcabit   20161114
Avast   20161114
Avira (no cloud)   20161114
Baidu   20161111
BitDefender   20161114
Bkav   20161112
CAT-QuickHeal   20161114
CMC   20161114
ClamAV   20161114
Comodo   20161114
CrowdStrike Falcon (ML)   20161024
Cyren   20161114
DrWeb   20161114
ESET-NOD32   20161114
Emsisoft   20161114
F-Prot   20161114
F-Secure   20161114
Fortinet   20161114
GData   20161114
Ikarus   20161114
Invincea   20161018
Jiangmin   20161114
K7AntiVirus   20161114
K7GW   20161114
Kaspersky   20161114
Kingsoft   20161114
McAfee   20161114
McAfee-GW-Edition   20161114
eScan   20161114
Microsoft   20161114
NANO-Antivirus   20161114
Panda   20161114
Qihoo-360   20161114
Rising   20161114
SUPERAntiSpyware   20161114
Sophos   20161114
Symantec   20161114
Tencent   20161114
TheHacker   20161114
TrendMicro   20161114
TrendMicro-HouseCall   20161114
VBA32   20161114
VIPRE   20161114
ViRobot   20161114
Yandex   20161114
Zillya   20161114
Zoner   20161114
nProtect   20161114

Only Malwarebytes flags the file at VT; the other 55 say it is harmless. I'd say that is a false positive, but it will be beneficial to post it into the FP forum and have it checked...

Go here: https://forums.malwarebytes.org/forum/42-file-detections/

Read the sticky at the top and follow those instructions to have the file checked out....

Let me know the outcome...

Thank you,

Kevin.


Well, I still have had a significant number of "freezes" where I had to do a hard reboot.  No BSOD.  I realize this is an old machine in its twilight, but I have had very few problems with it.  Any ideas?  I noticed in the "addition" file there are thousands of "restricted sites" listed.  Are these standard for IE?  I very rarely use IE so I have no idea.  These don't show up in the IE browser.  Seems odd.

Thanks


Those restricted sites in Internet Explorer will probably be there as a result of a security program, they just mean those sites are restricted and cannot connect to your system....

Let's have a look and see if we can see what is causing your system to freeze:

Run the following:

Please download VEW by Vino Rosso from HERE and save it to your Desktop.

  • Double-click VEW.exe to start; Vista and Windows 7/8 users right-click and select "Run as Administrator".
  • Under 'Select log to query...' check the boxes for both Application and System.
  • Under 'Select type to list...' select both Error and Critical.
  • Click the radio button for 'Number of events...' and type 15 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.


Please post the Output log in your next reply.

Next,

Zip up and attach the following folder..

C:\WINDOWS\Minidump

Thank you,

Kevin...


Here is the VEW log and the zip file is attached.  Thanks!


Vino's Event Viewer v01c run on Windows XP in English
Report run at 15/11/2016 2:02:27 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 24/08/2016 12:02:33 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application plugin-container.exe, version 47.0.0.5999, faulting module mozglue.dll, version 47.0.0.5999, fault address 0x0000f3ad.

Log: 'Application' Date/Time: 20/08/2016 1:58:14 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application mbam.exe, version 2.3.125.0, faulting module msvcr100.dll, version 10.0.40219.325, fault address 0x0008d6fd.

Log: 'Application' Date/Time: 30/06/2016 10:01:25 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application plugin-container.exe, version 47.0.0.5999, faulting module mozglue.dll, version 47.0.0.5999, fault address 0x0000f3ad.

Log: 'Application' Date/Time: 30/06/2016 7:56:10 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application plugin-container.exe, version 47.0.0.5999, faulting module mozglue.dll, version 47.0.0.5999, fault address 0x0000f3ad.

Log: 'Application' Date/Time: 10/03/2016 1:58:30 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office XP Professional with FrontPage -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.

Log: 'Application' Date/Time: 10/03/2016 1:58:18 AM
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office XP Professional with FrontPage -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.

Log: 'Application' Date/Time: 23/02/2016 7:51:56 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application mbam.exe, version 2.3.125.0, faulting module mbamcore.dll, version 1.3.24.0, fault address 0x000ee697.

Log: 'Application' Date/Time: 17/02/2016 2:10:09 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x0001101a.

Log: 'Application' Date/Time: 17/02/2016 1:53:42 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application steamwebhelper.exe, version 3.17.73.86, faulting module libcef.dll, version 3.2526.1348.0, fault address 0x00084133.

Log: 'Application' Date/Time: 17/02/2016 1:52:52 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application steamwebhelper.exe, version 3.17.73.86, faulting module libcef.dll, version 3.2526.1348.0, fault address 0x00084133.

Log: 'Application' Date/Time: 17/02/2016 1:52:28 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application steamwebhelper.exe, version 3.17.73.86, faulting module libcef.dll, version 3.2526.1348.0, fault address 0x00084133.

Log: 'Application' Date/Time: 17/02/2016 1:50:27 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application steamwebhelper.exe, version 3.17.73.86, faulting module libcef.dll, version 3.2526.1348.0, fault address 0x00084133.

Log: 'Application' Date/Time: 17/02/2016 1:49:28 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application steamwebhelper.exe, version 3.17.73.86, faulting module libcef.dll, version 3.2526.1348.0, fault address 0x00084133.

Log: 'Application' Date/Time: 17/02/2016 1:48:57 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application steamwebhelper.exe, version 3.17.73.86, faulting module libcef.dll, version 3.2526.1348.0, fault address 0x00084133.

Log: 'Application' Date/Time: 17/02/2016 1:48:46 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application steamwebhelper.exe, version 3.17.73.86, faulting module libcef.dll, version 3.2526.1348.0, fault address 0x00084133.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 14/11/2016 2:19:39 PM
Type: error Category: 0
Event: 10000 Source: DCOM
Unable to start a DCOM Server: {E0B8F398-BB08-4298-87F0-34502693902E}. The error: "%2" Happened while starting this command: C:\Program Files\Messenger\msmsgs.exe -Embedding

Log: 'System' Date/Time: 14/11/2016 9:16:17 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.  

Log: 'System' Date/Time: 14/11/2016 9:16:17 AM
Type: error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired.   To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 14/11/2016 9:04:08 AM
Type: error Category: 0
Event: 7011 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Log: 'System' Date/Time: 14/11/2016 9:03:46 AM
Type: error Category: 0
Event: 7011 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Log: 'System' Date/Time: 14/11/2016 9:02:44 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.  

Log: 'System' Date/Time: 14/11/2016 9:02:44 AM
Type: error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired.   To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 13/11/2016 2:37:24 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.  

Log: 'System' Date/Time: 13/11/2016 2:37:24 PM
Type: error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired.   To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 12/11/2016 4:38:21 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.  

Log: 'System' Date/Time: 12/11/2016 4:38:21 PM
Type: error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired.   To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 12/11/2016 4:55:22 AM
Type: error Category: 0
Event: 7011 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Log: 'System' Date/Time: 12/11/2016 4:54:21 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.  

Log: 'System' Date/Time: 12/11/2016 4:54:21 AM
Type: error Category: 0
Event: 7038 Source: Service Control Manager
The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error:  Logon failure: the specified account password has expired.   To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Log: 'System' Date/Time: 12/11/2016 4:49:46 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The NVIDIA Update Service Daemon service failed to start due to the following error:  The service did not start due to a logon failure.  

 

Minidump.zip


Download and save the Avast AV installer from here: https://www.avast.com/en-gb/free-antivirus-download

Go to the following link: https://www.avast.com/uninstall-utility Run the uninstaller tool to remove Avast....

Run the installer to install Avast ....

Next,

Can you open Device manager, expand Display Adapters and check if the graphics driver needs updating....

I received a message stating that there may be a compliance issue with this driver and XP.  I aborted the installation.  However, I specified, or at least it was defaulted for XP on the download screen.  I tried to install an older driver and it caused my control panel to quit working (NVIDIA CP).  Should I just install the newest one anyway?

TIA


Here is the screenshot.  I'm not sure if this is what the manufacturer recommends, but this is what comes up when you put in the specs.  I selected the newest one.  Well it won't show up.  Should I attach?

 


  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


Okay.  I apologize for having to put the thread on hold, but the holidays were crazy.  Thank you for your patience.  Trying to update the driver did not lead to a good outcome.  I tried three different options and only one of them even allowed me to open the NVIDIA control panel.  Once I opened it, it would not allow me to resize the desktop to fit my television.  I finally was able to roll it back to the original driver 6.14.12.8026 released 8/3/2011.  I assume this is the original since it won't let me roll it back anymore.  I think it is older than the one that was installed when I started the thread.  The computer is still unstable as it froze again upon boot and I had to reboot.  Generally slow as well.  2 days ago, I had a crash and it looked like a blue screen before it rebooted on its own. I kinda missed it as I wasn't paying close attention.  This was the error after reboot:

 

Error Signature

BCCode : 24     BCP1 : 001902FE     BCP2 : B289E2A8     BCP3 : B289DFA4     
BCP4 : 8054BFCB     OSVer : 5_1_2600     SP : 3_0     Product : 256_1     

The following files will be included in this error report:

C:\DOCUME~1\poi\LOCALS~1\Temp\WERd9e9.dir00\Mini120116-01.dmp
C:\DOCUME~1\poi\LOCALS~1\Temp\WERd9e9.dir00\sysdata.xml

Firefox crashed after this as well.  I've never had a computer so unstable and I have had bad infections before.

Thanks


Do you believe an infection is to blame? Previous scans we have used did not show obvious malware or infection...

Can you zip and upload the minidump folder again? Let's see if there are any new files to check.. Also run the following in-depth online AV scan; it will take several hours to complete..

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit the ESET Online Scanner website.

Click Run ESET Online Scanner there.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of the add-on.

If using Mozilla Firefox or Google Chrome:

  • Download esetsmartinstaller_enu.exe that you'll be given a link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:

  • Select "Enable detection of potentially unwanted applications".
  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology” select “Change” and select any extra drives in that window.
  • Click Start.
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.

Don't forget to re-enable security software!

Thank you,

Kevin....


No, I don't think there is an infection.  I am just trying to give a comparison because it is so unstable.  When the ESET scanner was running, my display was really bizarre.  I attached a screenshot, but it is not as bizarre as the other one I had.  The whole "inside" of the ESET box was my desktop at one point.  And then when I went to save the log, you could see the icons "through" the ESET box.  This is the log:

 

C:\Documents and Settings\poi\Desktop\CouponPrinter.exe      a variant of Win32/Adware.Coupons.AA application   

C:\Documents and Settings\poi\My Documents\Downloads\CuteWriter.exe       a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application    

 

Thanks for all your continued help.

 

 

Screenshot2.doc
