Computer shutsdown when using anivirus program [Solved] - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works

Computer shutsdown when using anivirus program [Solved]

#1 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 21 February 2012 - 01:07 AM

Guys need help! I've been having some problems on a computer I was trying to fix. Suppose to be the main issue was the printer not printing the usual time, I mean it takes about 30 seconds to print a single document containing texts. Failure to resolve this issue, I figured that I should scan the system for virus, and there I encountered a serious problem. Whenever I try to scan it with avast the computer turns off itself not reboot but no power at all.

I thought that avast might be corrupted, so I uninstalled it. Downloaded free Avira and when I was trying to install it the computer turns off again. I've tried online scanning, same thing happens, blackout. I've used lots of virus/malware removal tools sometimes if turns off and sometimes it doesn't. The list of successful scan was from malwarebytes and combofix. But I had problems regarding combofix. It took me about 15 times before I could run it.

The reason why I opted for scanning the machine was it was not overheating, voltage reading from the psu is normal, the hard drive status is ok. The machine can be used for 8 straight hours. Blackout only happens when using antivirus programs so thats why I'm a confused.

Its an old pentium 4 machine, running windows xp pro sp3 with 512mb of memory, a built-in video, 80gb hard drive. I'm using an Epson T13 printer. Reinstalling windows or reformatting the hard drive is not an option as of now because it contains a program used for printing clearances for people. The programmer who developed the program migrated to the US and had no chance of finishing it nor creating an installer for us, but the said program is being use as of now even with glitches.

I followed the malware removing guide and here is the log from OTL: thanks and hope someone with look unto this.
oh and another thing when running combofix I have to end the grep.3xe process for it to continue.


OTL logfile created on: 2/21/2012 02:38:32 PM - Run 2
OTL by OldTimer - Version 3.2.33.1 Folder = C:\Documents and Settings\Barangay Pandayan\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

446.48 Mb Total Physical Memory | 201.41 Mb Available Physical Memory | 45.11% Memory free
1.03 Gb Paging File | 0.84 Gb Available in Paging File | 82.16% Paging File free
Paging file location(s): C:\pagefile.sys 672 1344 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.25 Gb Total Space | 10.50 Gb Free Space | 28.18% Space Free | Partition Type: NTFS
Drive D: | 37.27 Gb Total Space | 36.15 Gb Free Space | 96.99% Space Free | Partition Type: FAT32
Drive F: | 955.16 Mb Total Space | 60.94 Mb Free Space | 6.38% Space Free | Partition Type: FAT

Computer Name: BARANGAY-C570ED | User Name: Barangay Pandayan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/21 13:53:28 | 000,583,168 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Barangay Pandayan\Desktop\OTL.exe
PRC - [2011/11/28 10:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/04 12:52:54 | 002,048,928 | ---- | M] (Zbshareware Lab) -- C:\Program Files\USB Disk Security\USBGuard.exe
PRC - [2010/05/08 03:48:36 | 000,229,376 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DataCardService\DCService.exe
PRC - [2009/09/14 08:00:00 | 000,217,600 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FARNGEI.EXE
PRC - [2008/04/14 04:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/05 20:58:16 | 004,554,752 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
PRC - [2006/11/16 13:42:52 | 000,577,536 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2006/08/30 09:58:38 | 000,049,152 | R--- | M] (ZSMCSNAP) -- C:\WINDOWS\VMSnap3.EXE
PRC - [2006/06/28 16:54:06 | 000,049,152 | R--- | M] (Vimicro) -- C:\WINDOWS\Domino.EXE
PRC - [2005/10/31 12:15:12 | 000,163,840 | ---- | M] (S3 Graphics Co., Ltd.) -- C:\WINDOWS\system32\VTTrayp.exe
PRC - [2005/03/07 11:33:28 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2004/12/14 01:12:02 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe


========== Modules (No Company Name) ==========

MOD - [2010/05/08 03:48:36 | 000,229,376 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\DataCardService\DCService.exe
MOD - [2008/04/14 04:42:00 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/14 04:41:52 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/09/20 18:34:58 | 000,129,024 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2007/03/05 20:58:16 | 004,554,752 | ---- | M] () -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (PIU)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Disabled | Stopped] -- -- (AviraUpgradeService)
SRV - File not found [Disabled | Stopped] -- -- (AntiVirService)
SRV - File not found [Disabled | Stopped] -- -- (AntiVirSchedulerService)
SRV - [2010/06/28 13:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 13:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 13:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/05/08 03:48:36 | 000,229,376 | ---- | M] () [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\DataCardService\DCService.exe -- (DCService.exe)
SRV - [2009/11/24 23:42:18 | 000,583,640 | ---- | M] (PC Tools) [Disabled | Stopped] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc)
SRV - [2007/03/05 20:58:16 | 004,554,752 | ---- | M] () [Auto | Running] -- C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe -- (MySQL)
SRV - [1998/06/05 23:00:00 | 000,034,036 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE -- (Visual Studio Analyzer RPC bridge)


========== Driver Services (SafeList) ==========

DRV - [2011/11/28 09:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 09:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 09:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 09:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/28 09:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/11/17 09:57:25 | 000,133,208 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\09032868.sys -- (09032868)
DRV - [2010/07/29 21:04:26 | 000,005,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\giveio.sys -- (giveio)
DRV - [2010/06/01 13:07:00 | 000,117,504 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbnet.sys -- (ewusbnet)
DRV - [2010/05/22 13:48:20 | 000,070,656 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ew_jubusenum.sys -- (huawei_enumerator)
DRV - [2010/03/25 09:08:30 | 000,105,728 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2010/03/20 10:56:04 | 000,101,504 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ew_hwusbdev.sys -- (ew_hwusbdev)
DRV - [2007/03/07 22:34:46 | 004,027,840 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2006/12/01 13:23:58 | 000,392,122 | R--- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbVM303.sys -- (ZSMC303)
DRV - [2006/10/18 01:39:58 | 000,017,920 | R--- | M] (VIA Technologies,Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\xfilt.sys -- (xfilt)
DRV - [2006/10/17 04:22:26 | 000,009,216 | R--- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\videX32.sys -- (videX32)
DRV - [2006/04/25 09:57:42 | 000,428,160 | R--- | M] (Vimicro Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\vmfilter303.sys -- (vmfilter303)
DRV - [2004/02/24 10:08:52 | 000,400,384 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)


[2008/05/29 05:49:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2008/11/04 09:30:45 | 000,000,000 | ---D | M] (Talkback) -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2008/05/29 06:03:30 | 000,060,516 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2008/05/29 06:03:32 | 000,049,246 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2008/05/29 06:03:30 | 000,165,990 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2008/05/29 06:03:38 | 000,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png
[2008/05/29 06:03:38 | 000,000,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src
[2008/05/29 06:03:38 | 000,001,150 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.png
[2008/05/29 06:03:38 | 000,000,556 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.src
[2008/05/29 06:03:38 | 000,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png
[2008/05/29 06:03:38 | 000,001,045 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src
[2008/05/29 06:03:38 | 000,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif
[2008/05/29 06:03:38 | 000,001,093 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src
[2008/05/29 06:03:38 | 000,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif
[2008/05/29 06:03:38 | 000,000,749 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src
[2008/05/29 06:03:38 | 000,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif
[2008/05/29 06:03:38 | 000,001,167 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Chrome\Application\12.0.742.100\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Chrome\Application\12.0.742.100\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Chrome\Application\12.0.742.100\gcswf32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: avast! WebRep = C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\6.0.1367_0\
CHR - Extension: Bitdefender QuickScan = C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pdnkcidphdcakpkheohlhocaicfamjie\0.9.9.108_0\

O1 HOSTS File: ([2012/02/20 21:03:21 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\DAP\dapieloader.dll (SpeedBit Ltd.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH) File not found
O4 - HKLM..\Run: [Domino] C:\WINDOWS\Domino.EXE (Vimicro)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [USB Security] C:\Program Files\USB Disk Security\USBGuard.exe (Zbshareware Lab)
O4 - HKLM..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE (ZSMCSNAP)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKLM..\Run: [VTTrayp] C:\WINDOWS\System32\VTTrayp.exe (S3 Graphics Co., Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 124.217.127.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{08F00442-AC04-453E-AFB6-B0C4BC9400D3}: DhcpNameServer = 192.168.2.1 124.217.127.234
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/11/17 08:53:52 | 000,000,007 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/21 14:38:19 | 000,583,168 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Barangay Pandayan\Desktop\OTL.exe
[2012/02/20 22:35:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/02/20 22:35:34 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/02/20 22:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/02/20 22:24:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Barangay Pandayan\Application Data\QuickScan
[2012/02/20 22:07:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/02/20 22:07:04 | 000,435,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/02/20 22:06:07 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/02/20 22:06:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/02/20 21:34:12 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Barangay Pandayan\Recent
[2012/02/20 21:15:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2012/02/20 21:05:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/02/20 20:59:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/01/28 12:29:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Barangay Pandayan\My Documents\minutesboard 2012
[2007/09/18 15:52:32 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/04/17 05:04:44 | 004,847,514 | -H-- | C] () -- C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\IconCache.db
[2007/04/17 05:03:46 | 000,069,160 | ---- | C] () -- C:\Documents and Settings\Barangay Pandayan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\Barangay Pandayan\Desktop\*.tmp files -> C:\Documents and Settings\Barangay Pandayan\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Barangay Pandayan\My Documents\*.tmp files -> C:\Documents and Settings\Barangay Pandayan\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/21 14:27:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/21 14:27:09 | 468,242,432 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/21 13:53:28 | 000,583,168 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Barangay Pandayan\Desktop\OTL.exe
[2012/02/21 13:50:10 | 000,001,026 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-838170752-682003330-1003UA.job
[2012/02/21 09:16:19 | 468,287,488 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP
[2012/02/20 22:35:41 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Barangay Pandayan\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/20 22:35:41 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Barangay Pandayan\Desktop\Spybot - Search & Destroy.lnk
[2012/02/20 22:27:41 | 000,002,350 | ---- | M] () -- C:\Documents and Settings\Barangay Pandayan\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/02/20 22:27:40 | 000,002,372 | ---- | M] () -- C:\Documents and Settings\Barangay Pandayan\Desktop\Google Chrome.lnk
[2012/02/20 22:07:07 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/02/20 22:07:04 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/02/20 21:45:25 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-838170752-682003330-1003Core.job
[2012/02/20 21:03:25 | 000,002,082 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2012/02/20 21:03:21 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/02/20 16:48:04 | 000,000,211 | -H-- | M] () -- C:\boot.ini
[2012/02/20 16:13:45 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\Barangay Pandayan\Desktop\Microsoft Office Word 2003.lnk
[2012/02/20 08:16:40 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/15 15:35:20 | 000,002,495 | ---- | M] () -- C:\Documents and Settings\Barangay Pandayan\Desktop\Microsoft Office Excel 2003.lnk
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\Barangay Pandayan\Desktop\*.tmp files -> C:\Documents and Settings\Barangay Pandayan\Desktop\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Barangay Pandayan\My Documents\*.tmp files -> C:\Documents and Settings\Barangay Pandayan\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/20 22:35:41 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Barangay Pandayan\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/02/20 22:35:41 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Barangay Pandayan\Desktop\Spybot - Search & Destroy.lnk
[2012/02/20 22:07:07 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/02/20 21:13:48 | 468,242,432 | -HS- | C] () -- C:\hiberfil.sys
[2012/02/20 21:00:46 | 000,002,082 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2012/01/24 18:40:01 | 000,053,517 | ---- | C] () -- C:\Documents and Settings\Barangay Pandayan\My Documents\229026_10150190079264144_826164143_6714962_96840_n.jpg
[2011/11/17 16:28:36 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/17 16:28:36 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/11/17 16:28:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/11/17 16:28:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/11/17 16:28:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/06/15 08:14:37 | 000,000,025 | ---- | C] () -- C:\WINDOWS\CDE C59Asia.ini
[2010/08/11 22:44:55 | 000,000,736 | ---- | C] () -- C:\WINDOWS\System32\Shortcut to spoolsv.exe.lnk
[2010/07/31 00:49:48 | 000,000,164 | R--- | C] () -- C:\WINDOWS\avrack.ini
[2010/07/29 21:04:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2011/11/22 16:08:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2012/02/20 22:06:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2010/02/11 13:13:32 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/06/02 15:44:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DataCardService
[2011/02/20 17:50:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON
[2008/05/11 09:52:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2009/10/19 11:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2008/05/11 09:54:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2008/06/04 06:18:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\sentinel
[2010/08/11 12:32:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpeedBit
[2012/02/20 21:39:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/06/15 08:20:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2011/05/18 11:10:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zbshareware Lab
[2011/07/26 09:43:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\EPSON
[2007/10/04 16:34:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\InterTrust
[2008/05/11 09:52:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\PlayFirst
[2012/02/20 22:24:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\QuickScan
[2011/01/28 22:45:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\Registry Mechanic
[2011/11/22 17:17:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\Thinstall
[2011/01/11 10:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\URSoft
[2012/02/18 09:48:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\Wildfire
[2011/05/18 11:14:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Barangay Pandayan\Application Data\Zbshareware Lab

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 190 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CE11B51
@Alternate Data Stream - 166 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

#2 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 22 February 2012 - 09:13 PM

Additional info, the computer is running a little bit slower than usual, and now we can't print anymore because the pc is not detecting the printer and yet it has been installed properly. And also the tray logo for the epson printer is no longer visible. It has been infected by a virus a few months earlier but managed to recover it. Pls, can someone take a loot at this, TNX in advance.

#3 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 29 February 2012 - 12:09 AM

It seems that nobody is even interested in taking my post.

#4 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 29 February 2012 - 12:47 PM

Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available
  • When in doubt, please stop and ask first. There's no harm in asking questions!


If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.

    Posted Image

  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start scan.

    Posted Image

  • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • Also on Desktop there should be a file called MBR.dat after that, zip it and then attach it here


How to add an attachment to a new topic or reply

#5 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 01 March 2012 - 08:31 PM

Ok I will do these asap. One question, the pc has no internet connection as of now, is it ok to download the programs on other machine? the transfer on the infected one? THANK YOU VERY MUCH.

#6 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 02 March 2012 - 04:13 AM

Yes, you can. But on clean computer please install this:

  • Please download Panda USB Vaccine here (you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

#7 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 06 March 2012 - 10:47 PM

Sorry for the late reply, we had some issues regarding our ISP. I already did what you said on your last post the problem is during the scan of awsMBR.exe the computer shuts down about a minute during the process so there's no log files saved, the scan did not finish. It seems that is only infecting the printers. I recently installed the older printer c59 and now its not printing again. And I also remember that the printer icon on taskbar is missing whenever the printer does not print. The pc only turns off when I'm running any antivirus scanning programs.

additional info:

-We do not have the cd with us because this pc is 7 years old. I was just assigned to this pc about a year ago.
-I can only use the internet during saturdays. its a building away from my current location which have internet and they do not allow it to be connected during weekdays.

Sorry if this problems to be as for me a "severe one" Hope you can help further. Thank you very much ^_^

ps. sir what do you mean by subscribe to this topic? how can I do that. tnx again.

#8 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 07 March 2012 - 07:44 AM

Quote

sir what do you mean by subscribe to this topic? how can I do that. tnx again.

Actually you are automatically subscribed to your topic so don't worry.

Try to run this:

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK button.

    Posted Image

  • Click the Start Scan button.

    Posted Image

  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

    Posted Image

  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
Please copy and paste its contents on your next reply.

#9 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 12 March 2012 - 01:49 AM

got bad news, whenever I check those 2 options "verify and detect" the machine turns off again. Do I need to run tdsskiller using the default option without checking those 2 boxes?

#10 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 12 March 2012 - 05:30 AM

Are you getting some message when computer turns off?

#11 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 13 March 2012 - 08:28 PM

none, I'm not getting any messages during shutdown. But I'm getting a loading box during startup. I'll take a snapshot of it as soon as I get on the machine. I'll post it this afternoon. tnx again!

#12 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 14 March 2012 - 06:54 AM

OK. Then try run this:

  • Please download on the desktop RogueKiller (by tigzy).
  • Quit all programs.
  • Run RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan.
    Posted Image
  • Wait for the end of the scan.
  • The report has been created on the desktop. We can also open it with the Report button.
  • Please copy content of report and post it in your next reply.

#13 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 17 March 2012 - 07:44 PM

sorry to kept you waiting... The system has halted and is in major hardware repair now but it will be operational tomorrow. I have to replace the capacitors and clone the hard drive to make a backup of the system just in case something goes wrong, I will be surely be back tomorrow, Tnx again!

#14 Render

  • Group: Malware Removal
  • Posts: 4,144
  • Joined: 29-November 09

Posted 18 March 2012 - 06:47 AM

OK. You are replacing capacitors on motherboard?

#15 chickmazta

  • Group: Member
  • Posts: 123
  • Joined: 23-January 08

Posted 25 March 2012 - 08:39 PM

yes, I did and it's all up and running now, but the shutting down is still present, this malware is so extreme. I've encountered one of these a few years back but a simple combofix fixed the problem. I'll try rogue killer after the stability tests, maybe tomorrow. I'll be back soon, tnx again!

Share this topic:


  • 2 Pages +
  • 1
  • 2