UKASH Virus on Microsoft XP [Closed]


This topic is locked

#16 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
Can you run any tools on the PC now? Does the same thing happen in Safe Mode?
  • 0



#17 jems (Member, Topic Starter, 58 posts)
I can't run a thing when I boot up normally. The desktop icons appear but nothing down on the toolbar - no ZoneAlarm, or Avast etc.

When I open in safe mode with networking I can open software.
  • 0

#18 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
Sorry, I can't definitely say what has happened yet, as computers can be unpredictable.
Please run an OTL scan in Safe Mode with Networking and post the log.
  • 0

#19 jems (Member, Topic Starter, 58 posts)
ETA: I was going to add - the only other thing I did before was update Foxit Reader - you mentioned Adobe but we don't use that, but I figured, update software. Oh, and I did one MS update for XP.

Also - after running the OTL scan and installing Foxit Reader ... as it went to restart a pop-up asked if I wanted to remove the old version on restart - I clicked yes but wasn't sure what program it referred to as it didn't say. Could have been Foxit or maybe we had an old ZoneAlarm on the PC?

Anyway - log file: I'm off to bed so no rush. Can't believe we just fixed it and it's broken again. :( lol. Thanks for the ongoing help.


OTL logfile created on: 11/01/2013 23:59:15 - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\MCE!\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.97 Gb Total Physical Memory | 1.70 Gb Available Physical Memory | 86.63% Memory free
3.82 Gb Paging File | 3.73 Gb Available in Paging File | 97.53% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 51.22 Gb Free Space | 68.74% Space Free | Partition Type: NTFS
Drive E: | 29.29 Gb Total Space | 16.00 Gb Free Space | 54.63% Space Free | Partition Type: NTFS
Drive F: | 902.22 Gb Total Space | 389.11 Gb Free Space | 43.13% Space Free | Partition Type: NTFS

Computer Name: MCE | User Name: MCE! | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/04 20:06:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MCE!\Desktop\OTL.exe
PRC - [2013/01/02 14:10:28 | 002,448,032 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - [2013/01/11 20:33:49 | 000,115,760 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/01/08 21:13:12 | 000,251,400 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/01/02 14:10:28 | 002,448,032 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2012/12/01 11:49:52 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/11/22 14:33:18 | 000,497,320 | ---- | M] (Check Point Software Technologies) [Auto | Stopped] -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe -- (IswSvc)
SRV - [2012/10/23 10:17:40 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/09/08 17:25:52 | 000,096,334 | ---- | M] (Canon Inc.) [Auto | Stopped] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2009/04/30 11:23:26 | 000,090,112 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/01/02 13:38:52 | 000,528,000 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (Vsdatant)
DRV - [2012/11/22 14:33:30 | 000,027,056 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Stopped] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2012/10/23 10:18:34 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/10/23 10:18:34 | 000,360,392 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/10/23 10:18:34 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/10/23 10:18:34 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/10/23 10:18:33 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/10/23 10:18:32 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/10/23 10:18:32 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/09/02 10:05:00 | 000,131,584 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hcw99bda.sys -- (HCW99BDA)
DRV - [2009/03/25 15:48:00 | 000,114,728 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdm.sys -- (s1018mdm)
DRV - [2009/03/25 15:48:00 | 000,109,864 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018unic.sys -- (s1018unic)
DRV - [2009/03/25 15:48:00 | 000,106,208 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mgmt.sys -- (s1018mgmt)
DRV - [2009/03/25 15:48:00 | 000,104,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018obex.sys -- (s1018obex)
DRV - [2009/03/25 15:48:00 | 000,086,824 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018bus.sys -- (s1018bus)
DRV - [2009/03/25 15:48:00 | 000,026,024 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018nd5.sys -- (s1018nd5)
DRV - [2009/03/25 15:48:00 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s1018mdfl.sys -- (s1018mdfl)
DRV - [2008/09/16 03:40:16 | 001,343,584 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2008/08/01 17:36:26 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2008/08/01 17:36:20 | 000,054,784 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2008/04/13 18:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2008/04/13 18:45:34 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2008/04/13 18:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/04/16 20:46:00 | 000,033,792 | ---- | M] (Advanced Micro Devices) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\AmdPPM.sys -- (AmdPPM)
DRV - [2006/09/18 15:59:08 | 000,090,800 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se27unic.sys -- (se27unic)
DRV - [2006/09/18 15:59:02 | 000,086,560 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27obex.sys -- (SE27obex)
DRV - [2006/09/18 15:59:00 | 000,018,704 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\se27nd5.sys -- (se27nd5)
DRV - [2006/09/18 15:58:58 | 000,088,688 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mgmt.sys -- (SE27mgmt)
DRV - [2006/09/18 15:58:54 | 000,097,184 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mdm.sys -- (SE27mdm)
DRV - [2006/09/18 15:58:52 | 000,009,360 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27mdfl.sys -- (SE27mdfl)
DRV - [2006/09/18 15:58:48 | 000,061,600 | R--- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SE27bus.sys -- (SE27bus)
DRV - [2006/03/17 16:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/01/27 13:04:16 | 000,099,584 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvata.sys -- (nvata)
DRV - [2005/01/07 16:07:16 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/08/13 02:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2001/08/17 14:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledAddons: %7B8b86149f-01fb-4842-9dd8-4d7eb02fd055%7D:0.24
FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:7.0.1473
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.4: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101753.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/10/25 20:38:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2013/01/11 23:22:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/11 20:33:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/06/18 14:26:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MCE!\Application Data\Mozilla\Extensions
[2012/12/14 09:16:39 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\MCE!\Application Data\Mozilla\Firefox\Profiles\eexs0nuo.default\extensions
[2012/12/14 09:16:39 | 000,000,000 | ---D | M] (All-in-One Gestures) -- C:\Documents and Settings\MCE!\Application Data\Mozilla\Firefox\Profiles\eexs0nuo.default\extensions\{8b86149f-01fb-4842-9dd8-4d7eb02fd055}
[2011/07/25 13:25:20 | 000,001,504 | ---- | M] () -- C:\Documents and Settings\MCE!\Application Data\Mozilla\Firefox\Profiles\eexs0nuo.default\searchplugins\imdb.xml
[2013/01/11 20:33:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/10/25 20:38:57 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2013/01/11 20:33:50 | 000,262,704 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/12/11 15:36:03 | 000,001,738 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/09/17 16:11:19 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/12/11 15:36:03 | 000,001,148 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/12/11 15:36:03 | 000,001,379 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/10/13 01:11:08 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml
[2012/12/11 15:36:03 | 000,001,334 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2004/08/10 12:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Spotify Web Helper] C:\Documents and Settings\MCE!\Application Data\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1357046535593 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_09)
O16 - DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_09)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 76.14.0.9 64.127.100.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1513DA53-28CB-4C37-A340-3E30F27DF5DF}: DhcpNameServer = 76.14.0.9 64.127.100.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\MCE!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\MCE!\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/06/18 13:28:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/01/15 20:34:36 | 000,000,000 | ---- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{fce0df5a-352f-11e1-9944-001731cb1bea}\Shell - "" = AutoRun
O33 - MountPoints2\{fce0df5a-352f-11e1-9944-001731cb1bea}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{fce0df5a-352f-11e1-9944-001731cb1bea}\Shell\AutoRun\command - "" = G:\Startme.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/11 23:51:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2013/01/11 23:24:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxit Reader
[2013/01/11 23:22:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MCE!\My Documents\ForceField Shared Files
[2013/01/11 23:22:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MCE!\Application Data\CheckPoint
[2013/01/11 23:22:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Check Point
[2013/01/11 23:19:25 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2013/01/11 23:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2013/01/11 20:33:35 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/01/09 15:19:50 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/01/06 04:39:46 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/01/04 20:19:14 | 004,732,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\MCE!\Desktop\aswMBR.exe
[2013/01/04 20:06:35 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\MCE!\Desktop\OTL.exe
[2013/01/02 13:38:52 | 000,528,000 | ---- | C] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2013/01/01 21:58:29 | 000,000,000 | ---D | C] -- C:\Program Files\Appnimi
[2013/01/01 21:35:46 | 000,000,000 | ---D | C] -- C:\Program Files\FDRLab
[2013/01/01 21:34:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\MCE!\Application Data\GetRightToGo
[2013/01/01 13:17:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\VideoLAN
[2012/12/24 02:12:27 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\MCE!\Recent
[2012/12/21 11:04:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2012/01/02 11:03:27 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\Documents and Settings\All Users\Application Data\hpe3B.dll

========== Files - Modified Within 30 Days ==========

[2013/01/11 23:51:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/11 23:44:30 | 000,000,364 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013/01/11 23:27:43 | 000,417,468 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2013/01/11 23:24:44 | 000,000,791 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2013/01/11 23:22:14 | 000,000,539 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoneAlarm Security.lnk
[2013/01/11 23:11:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/11 23:06:15 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/10 03:09:32 | 000,441,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/01/10 03:09:32 | 000,071,488 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/01/10 03:04:24 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/01/08 21:13:11 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/01/08 21:13:11 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/01/04 20:36:20 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\MCE!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/01/04 20:36:20 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2013/01/04 20:20:06 | 004,732,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\MCE!\Desktop\aswMBR.exe
[2013/01/04 20:06:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\MCE!\Desktop\OTL.exe
[2013/01/02 13:38:52 | 000,528,000 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\System32\vsdatant.sys
[2013/01/01 13:17:47 | 000,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2012/12/24 02:00:14 | 000,125,320 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/12/24 01:51:50 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/21 11:04:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/12/16 12:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\dllcache\atmfd.dll
[2012/12/16 12:23:59 | 000,290,560 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\atmfd.dll
[2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2013/01/11 23:24:44 | 000,000,791 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2013/01/11 23:22:35 | 000,417,468 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2013/01/11 23:22:14 | 000,000,539 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ZoneAlarm Security.lnk
[2013/01/10 03:03:36 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2013/01/01 13:17:47 | 000,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2012/12/21 11:04:36 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/08/01 20:39:28 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\MCE!\.recently-used.xbel
[2012/02/20 19:03:40 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/01 12:39:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\mngui.INI
[2011/10/29 16:50:07 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/06/19 19:14:58 | 000,019,892 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/06/18 20:00:48 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\MCE!\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/18 18:18:18 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2011/06/18 16:54:01 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\MCE!\Local Settings\Application Data\fusioncache.dat
[2011/06/18 16:10:07 | 000,253,180 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/06/18 16:08:47 | 000,253,188 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/06/18 16:08:47 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/06/18 15:58:10 | 000,004,984 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2011/06/18 14:26:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/06/18 13:57:48 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2011/06/18 13:57:47 | 000,021,375 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2011/06/18 13:57:34 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2011/06/18 13:45:57 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/06/18 13:45:27 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2011/06/18 13:44:36 | 000,125,320 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/18 13:37:46 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2011/06/18 13:37:46 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2011/06/18 13:31:06 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/06/18 13:03:44 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/02/23 01:57:00 | 002,292,678 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin

========== ZeroAccess Check ==========

[2011/06/18 13:04:03 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2011/04/25 14:47:19 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 12:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 00:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >

Edited by jems, 11 January 2013 - 06:12 PM.

  • 0
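The OTL log in the post above lists the persistence points a malware helper reads first: the O4 Run keys, the O20 Winlogon Shell and UserInit values, the O33 MountPoints2 AutoRun handler, the O35/O37 executable file associations, and the O7 NoDriveTypeAutoRun policy. The script below is an added example, not OTL's own code and not part of anyone's post; it parses those line formats from a constructed sample copied out of the posted log and flags what a practitioner would check: a Shell or UserInit value that is not the XP default, an exefile/comfile open handler other than "%1" %*, a Run entry with no company name in its version info or one running from the user profile, a cached removable-media AutoRun command, and the drive types on which the NoDriveTypeAutoRun bitmask still leaves AutoRun enabled. The expected Winlogon defaults and the "user-writable profile directory" heuristic are this example's assumptions.

```python
r"""Triage a few OTL (OldTimer) log lines for persistence and AutoRun anomalies.

Added example for this thread; it is not OTL's own code nor anything from the
original post. The sample lines are copied from the log above. The "known good"
values are this example's assumptions for Windows XP with
%SystemRoot% = C:\WINDOWS, as the log header reports.
"""
import re

# Constructed sample: a subset of the O4/O7/O20/O33/O35/O37 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKCU..\Run: [Spotify Web Helper] C:\Documents and Settings\MCE!\Application Data\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O33 - MountPoints2\{fce0df5a-352f-11e1-9944-001731cb1bea}\Shell\AutoRun\command - "" = G:\Startme.exe
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)$')
O7_RE = re.compile(r'^O7 - .*NoDriveTypeAutoRun = (?P<value>\d+)$')
O20_RE = re.compile(r'^O20 - HKLM Winlogon: (?P<entry>Shell|UserInit) - \((?P<value>[^)]*)\) - ')
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
O35_RE = re.compile(r'^(?P<section>O35|O37) - (?P<key>.+?) -- (?P<cmd>.+)$')

# NoDriveTypeAutoRun is a bitmask; a set bit suppresses AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM", 0x40: "DRIVE_RAMDISK", 0x80: "DRIVE_RESERVED",
}
# Assumed XP defaults; a value with anything appended (e.g. "Explorer.exe, evil.exe") is a hijack.
EXPECTED_WINLOGON = {"Shell": "explorer.exe", "UserInit": r"c:\windows\system32\userinit.exe"}
EXPECTED_OPEN_CMD = '"%1" %*'  # default exefile/comfile open handler


def autorun_allowed_on(value):
    """Drive types on which AutoRun is still permitted for a NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def winlogon_finding(entry, value):
    """Reason string if a Winlogon Shell/UserInit value differs from the assumed default."""
    normalized = value.strip().rstrip(",").strip().lower()
    if normalized != EXPECTED_WINLOGON[entry]:
        return f"{entry} is {value!r}, expected {EXPECTED_WINLOGON[entry]!r}"
    return None


def triage(log_text):
    """Return (section, subject, reason) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            reasons = []
            if not m["company"]:
                reasons.append("no company name in version info")
            if "documents and settings" in m["path"].lower():
                reasons.append("runs from a user-writable profile directory")
            if reasons:
                findings.append(("O4", m["name"], "; ".join(reasons)))
        elif m := O7_RE.match(line):
            risky = [d for d in autorun_allowed_on(int(m["value"]))
                     if d in ("DRIVE_REMOVABLE", "DRIVE_CDROM")]
            if risky:
                findings.append(("O7", f"NoDriveTypeAutoRun={m['value']}",
                                 "AutoRun still allowed on " + ", ".join(risky)))
        elif m := O20_RE.match(line):
            if reason := winlogon_finding(m["entry"], m["value"]):
                findings.append(("O20", m["entry"], reason))
        elif m := O33_RE.match(line):
            # MountPoints2 caches the AutoRun handler Explorer saw on a removable device.
            findings.append(("O33", m["guid"], f"cached removable-media AutoRun command {m['cmd']!r}"))
        elif m := O35_RE.match(line):
            if m["cmd"] != EXPECTED_OPEN_CMD:
                findings.append((m["section"], m["key"],
                                 f"open handler is {m['cmd']!r}, expected {EXPECTED_OPEN_CMD!r}"))
    return findings


if __name__ == "__main__":
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {subject}: {reason}")
```

On the posted lines this flags nwiz (OTL prints () when the file has no company name in its version resource), the Spotify helper running out of the profile directory, the AutoRun policy of 145 (0x91), which still leaves AutoRun enabled for removable and CD-ROM drives, and the cached G:\Startme.exe handler; the Winlogon Shell/UserInit values and the exefile/comfile handlers pass. None of those four is proof of infection on its own, which is why a helper cross-checks them against the other sections rather than acting on one line.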

#20 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)


Step 1

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


IMPORTANT!!! You need to save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you are still unsure how to do this, see here.
  • Double click on ComboFix.exe & follow the prompts.

  • Please be patient and don't use the PC whilst it is scanning.
  • When finished, it shall produce a log for you. Please copy & paste the contents of this log at C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get this error "Illegal operation attempted on a registry key that has been marked for deletion" then reboot, that will cure it.



Things I want to see in your next reply

  • ComboFix.txt

  • 0

#21 jems (Member, Topic Starter, 58 posts)
Hi,

You said to turn off the antivirus etc. - but they don't sit in the tray in safe mode - are they switched off already? I can only use the PC in safe mode currently.
  • 0

#22 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
Just go ahead and try to run ComboFix.
  • 0

#23 jems (Member, Topic Starter, 58 posts)
Okay. I started running it and it looks like it's at about 40 or 50%. It has been stuck on a line saying "output folder c:\32788R22FWJFW" for about ten minutes and doesn't seem to be doing anything.
  • 0

#24 jems (Member, Topic Starter, 58 posts)
Hi again - am I okay to shut down my PC? It's 1am and I really have to go to sleep - this ComboFix scan appears to have frozen ....

Any idea what to try in the morning?

ETA: It wouldn't shut down. I had to force shutdown. :( Am off to bed. Hopefully catch you tomorrow.

Edited by jems, 11 January 2013 - 07:02 PM.

  • 0

#25 jems (Member, Topic Starter, 58 posts)
Morning,

I tried again to run ComboFix this morning in safe mode and it is still stalling in the same place.

Any ideas? Can we undo the OTL scan somehow?

Note: Can still only start up PC in safe mode.

ETA: I just remembered - last time I had an infection on the MCE PC it went wonky after running this OTL clean-up restore point scan. Last time it caused the Media Center software to stop working. This time it has just killed the PC totally. Very weird. Anyway - I won't do anything until I hear from you.

Edited by jems, 12 January 2013 - 03:38 PM.

  • 0

#26 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
As ComboFix isn't working, we will use another tool to decide if malware is causing the problem.


Step 1

Download AVPTool from here to your desktop.

Run the programme you have just downloaded to your desktop (it will be randomly named).


First we will run a virus scan

Click the cog in the upper right.

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan.

Allow AVP to delete all infections found.
Once it has finished select report tab (last tab).
Select Detected threats report from the left and press Save button.
Save it to your desktop and attach to your next post.


Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information.

On completion click the link to locate the zip file to upload and attach to your next post.


Things I want to see in your next reply

  • AVPTool report
  • avptool_sysinfo.zip

  • 0

#27 jems (Topic Starter, Member, 58 posts)
Hi there,

There were no detectable threats so nothing in the detected threats tab to save. I did save the scan so if you want me to upload that let me know.

The avptool_sysinfo.zip is attached.

Can I ask why you think there is another Malware issue? I thought the logs were clean.

Attached Files


  • 0

#28 Nedklaw (Trusted Helper, Malware Removal, 1,652 posts)
Hi. :)
Not all malware present appears in a log sometimes so we need to check if there is more hiding.

After seeking some advice, it seems that ZoneAlarm might be conflicting with some other programs on your machine. The likely reason you couldn't turn on Windows Firewall is because there is already a firewall on the system which has turned off the Windows one.

Try uninstalling ZoneAlarm via Control Panel > Add/Remove Programs and see if that fixes the problem.
  • 0

#29 jems (Topic Starter, Member, 58 posts)
It won't let me uninstall in safe mode and I can't boot up the PC in normal mode.
Ideas?

And a question - didn't the logs show I wasn't running a firewall? :unsure: The Windows Firewall says that the ICS (internet connection sharing) isn't running and hence Firewall won't work. What is that?

Edited by jems, 13 January 2013 - 04:05 PM.

  • 0
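The ICS message jems asks about, as an added example that is not part of the thread and not something either poster ran: on Windows XP the Windows Firewall and Internet Connection Sharing are hosted by one service, SharedAccess, so when that service is stopped or disabled (some third-party firewalls do this when they take over the host), the Windows Firewall control panel reports that ICS is not running. This batch script, typed at an XP cmd prompt with administrator rights, shows the service state, the firewall operating mode and which firewall products are registered with Security Center; the last three commands restore the service and firewall once the third-party product has been removed, which is an assumed fix rather than a step from the thread.

```batch
@echo off
rem Added example, not from the thread: diagnose "ICS is not running" on Windows XP.
rem On XP the Windows Firewall and Internet Connection Sharing share the SharedAccess service.
echo === SharedAccess service state and start type ===
sc query SharedAccess | find "STATE"
sc qc SharedAccess | find "START_TYPE"

echo === Windows Firewall operating mode ===
netsh firewall show state

echo === Firewall products registered with Security Center (a third-party firewall shows up here) ===
wmic /namespace:\\root\SecurityCenter path FirewallProduct get displayName,enabled

rem Assumed fix, to run only after the third-party firewall has been uninstalled:
rem set the service back to automatic start, start it, and turn the Windows Firewall on.
rem (sc config needs the space after "start=".)
sc config SharedAccess start= auto
net start SharedAccess
netsh firewall set opmode enable
```

If the first two commands show the service as STOPPED with a start type of DISABLED while a third-party product is listed as enabled, that product, not malware, is the reason the Windows Firewall cannot be switched on; if SharedAccess is running and nothing else is registered, the problem lies elsewhere.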

#30 jems (Topic Starter, Member, 58 posts)
Hi There,

I thought I'd have a wee fiddle myself .....

Since I couldn't uninstall Zone Alarm in Safe Mode I had the idea to stop Zone Alarm from running when I boot up using msconfig and disabling 2 options which seemed to be related to ZA .... after a restart the PC did boot up in normal mode but it was incredibly slow! I mean the PC is slow to boot up in general but this was reeeeeally slow. Strangely - Zone Alarm did end up starting itself and appeared on the task bar ... sneaky thing (maybe I missed something). Anyway, so I right clicked and exited Zone Alarm down on the task bar and got into add/remove programs but when I click to remove Zone Alarm the add/remove programs feature crashed. At this stage I couldn't even bring up task manager or click the start menu to re-try getting into control panel. However, I could right click on my desktop .... and click icons on the desktop .... but nothing ever opened (just got an egg timer).

Rebooted again - right click and exited Zone Alarm down on the task bar - this time went into task manager and disabled anything which looked related to ZA. I saw issues on another forum regarding ISWSVC.exe and tried to turn it off in task manager - but it wouldn't switch off. ( I did manage to change its name to something else though in C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe.) Instead of using add / remove programs - this time I tried going into the ZA ForceField folder in program files to use the uninstall.exe - that crashed too. Task manager was already open but the window disappeared as soon as the not responding message appeared on the ZA window.

Third time I started wondering if Windows was wonky - so I went and did windows updates - 2 security updates one for XP and one for IE. Installed and rebooted again.

Fourth start up - and did right click exit Zone Alarm. Then I tried to remove ZA in add / remove programs. This time it allowed me to uninstall.

Rebooted again. Still slow to start up. Updated Avast Free Anti Virus and Malwarebytes and ran both - no threats found.

Okay - so zone alarm is gone and the PC will boot up - still slow but at this point I can't remember how slow it usually is - I'll watch it the next few days and see how it's working.

I found information that said Private Firewall works well with Avast so I have installed it as I don't want to be without a firewall. PC started up okay after installing the new Firewall - which I need to learn to use. I also updated to the new Java version Version 7 update 11 as Avast was warning of issues - old versions have gone from add/remove programs?

What should I do next to check my system (if anything)?

Thanks.


Note: A side note - my clock is wrong every time my PC starts up - I have to keep manually updating - and it screws up my MCE guide. Any clue?

Edited by jems, 15 January 2013 - 01:08 PM.

  • 0
