
Author Topic: Pc Problems  (Read 60077 times)


SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Pc Problems
« Reply #45 on: November 08, 2010, 12:23:01 PM »
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Windows 8 and Windows 10 dual boot with two SSD's

thammondwis

    Topic Starter


    Beginner

    Re: Pc Problems
    « Reply #46 on: November 09, 2010, 04:19:00 AM »
    Here is the ESET scan log:

    C:\Documents and Settings\Home\Application Data\Sun\Java\Deployment\cache\6.0\1\db986c1-5cc26034   a variant of Java/TrojanDownloader.OpenStream.NAU trojan   deleted - quarantined
    C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\79a5627f-4abe2570   a variant of Java/TrojanDownloader.OpenStream.NAU trojan   deleted - quarantined
    C:\System Volume Information\_restore{52DDFAA4-0645-4506-922B-F89A2F601219}\RP423\A0059779.lnk   Win32/Adware.ADON application   cleaned by deleting - quarantined
    C:\System Volume Information\_restore{52DDFAA4-0645-4506-922B-F89A2F601219}\RP423\A0059780.lnk   Win32/Adware.ADON application   cleaned by deleting - quarantined
    C:\System Volume Information\_restore{52DDFAA4-0645-4506-922B-F89A2F601219}\RP423\A0059781.lnk   Win32/Adware.ADON application   cleaned by deleting - quarantined
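Added example, not part of the original post: a small Python triage of the ESET log lines above, separating detections found in the per-profile Java plug-in cache from those found in System Restore snapshots (`_restore{...}\RPnnn`). The location labels and function names are this example's own, and it assumes the three-column layout (path, detection, action) seen in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The five detection lines copied from the ESET log in the post above;
# columns are separated by runs of spaces (tabs are also accepted).
ESET_LOG = r"""
C:\Documents and Settings\Home\Application Data\Sun\Java\Deployment\cache\6.0\1\db986c1-5cc26034   a variant of Java/TrojanDownloader.OpenStream.NAU trojan   deleted - quarantined
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\63\79a5627f-4abe2570   a variant of Java/TrojanDownloader.OpenStream.NAU trojan   deleted - quarantined
C:\System Volume Information\_restore{52DDFAA4-0645-4506-922B-F89A2F601219}\RP423\A0059779.lnk   Win32/Adware.ADON application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{52DDFAA4-0645-4506-922B-F89A2F601219}\RP423\A0059780.lnk   Win32/Adware.ADON application   cleaned by deleting - quarantined
C:\System Volume Information\_restore{52DDFAA4-0645-4506-922B-F89A2F601219}\RP423\A0059781.lnk   Win32/Adware.ADON application   cleaned by deleting - quarantined
"""

# System Restore snapshot copy: capture the restore point (RPnnn).
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\", re.I)
# Java plug-in applet cache: capture the Windows profile it belongs to.
JAVA_CACHE_RE = re.compile(
    r"\\Documents and Settings\\([^\\]+)\\Application Data"
    r"\\Sun\\Java\\Deployment\\cache\\", re.I)
# "a variant of <name> trojan" or "<name> application"
THREAT_RE = re.compile(r"^(?:a variant of )?(\S+) (trojan|application)$")


@dataclass
class Detection:
    path: str
    threat: str
    kind: str       # "trojan", "application" or "unknown"
    action: str
    location: str   # label assigned by this example
    detail: str     # restore point or profile name, if any


def parse_line(line):
    """Parse one log line; return None for blank or malformed lines."""
    cols = re.split(r"\t+| {2,}", line.strip())
    if len(cols) != 3:
        return None
    path, threat_text, action = cols
    m = THREAT_RE.match(threat_text)
    threat, kind = (m.group(1), m.group(2)) if m else (threat_text, "unknown")
    if (r := RESTORE_RE.search(path)):
        location, detail = "system-restore-point", r.group(1)
    elif (j := JAVA_CACHE_RE.search(path)):
        location, detail = "java-plugin-cache", j.group(1)
    else:
        location, detail = "live-filesystem", ""
    return Detection(path, threat, kind, action, location, detail)


def parse_eset_log(text):
    return [d for d in map(parse_line, text.splitlines()) if d]


def summarize(detections):
    """Count detections per (location, threat) pair."""
    return Counter((d.location, d.threat) for d in detections)


if __name__ == "__main__":
    for (location, threat), n in summarize(parse_eset_log(ESET_LOG)).items():
        print(f"{n} x {threat:40s} {location}")
```
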

    thammondwis


      Re: Pc Problems
      « Reply #47 on: November 09, 2010, 06:05:18 AM »
      SuperDave,

      I inadvertently updated FireFox.  I have been getting messages that there is a new version of FireFox available.  I figured I would wait until my computer gets cleaned up before updating, but I accidentally hit the upgrade button today instead of the wait button.  After it downloaded the upgrade, I was told that when I restart FireFox the upgrade would be installed.  So I closed FireFox and restarted it.  I got a message that the upgrade could not occur because FireFox was still running (there wasn't anything running that I could see).  So I rebooted windows (needed to hard reboot).  When windows restarted I tried starting FireFox and got the same message about FireFox was still running but shortly after that it installed the upgrade.  However after the upgrade 4 tabs opened in FireFox and a popup window saying my computer was infected.  I did not click on anything but closed FireFox via the task manager.  When I restarted FireFox again the 4 tabs opened up again.  I quickly closed the extra 3 before the pages loaded.

      Also of note, I typically have to double click on the desktop FireFox icon 2 or 3 times before FireFox will open up.

      SuperDave

      Re: Pc Problems
      « Reply #48 on: November 09, 2010, 01:00:03 PM »
      You should uninstall FireFox then get the newest version and install it. Please update and run SAS and MBAM again and post the logs.

      thammondwis


        Re: Pc Problems
        « Reply #49 on: November 10, 2010, 04:23:09 AM »
        I uninstalled FireFox.  Ran SAS and MBAM.  Internet Explorer has become totally unresponsive now.  When I open the program it does not load a web page (just a blank white screen), when I click on anything it locks up and I need to end task with the task manager.  However while I was setting up SAS to run, I think it was when I was checking for updates, SAS opened up an Internet Explorer window.  I was able to use Internet Explorer normally from this window and downloaded the FireFox installation file at this point.  After I ran the scans, I installed FireFox.  However after the installation, I needed to double click on the FireFox icon about 4 times before it started and I've received a number of pop up windows.

        Also as I have been typing this, the light to the 3.5" floppy drive has come on a couple of times which is unusual.

        The SAS scan is below.  The MBAM scan did not find anything and I will add that log in my next post.

        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 11/09/2010 at 09:36 PM

        Application Version : 4.45.1000

        Core Rules Database Version : 5836
        Trace Rules Database Version: 3648

        Scan type       : Complete Scan
        Total Scan Time : 03:16:03

        Memory items scanned      : 503
        Memory threats detected   : 0
        Registry items scanned    : 6731
        Registry threats detected : 0
        File items scanned        : 233199
        File threats detected     : 52

        Adware.Tracking Cookie

        Trojan.Agent/Gen-Koobface[Bonkers]
           C:\SYSTEM VOLUME INFORMATION\_RESTORE{52DDFAA4-0645-4506-922B-F89A2F601219}\RP420\A0045048.EXE
           C:\SYSTEM VOLUME INFORMATION\_RESTORE{52DDFAA4-0645-4506-922B-F89A2F601219}\RP420\A0045049.EXE
           C:\SYSTEM VOLUME INFORMATION\_RESTORE{52DDFAA4-0645-4506-922B-F89A2F601219}\RP420\A0045050.EXE

        Trojan.Agent/Gen-Nullo[Short]
           C:\SYSTEM VOLUME INFORMATION\_RESTORE{52DDFAA4-0645-4506-922B-F89A2F601219}\RP430\A0070576.EXE

        Trojan.Agent/Gen
           C:\SYSTEM VOLUME INFORMATION\_RESTORE{52DDFAA4-0645-4506-922B-F89A2F601219}\RP430\A0073208.EXE

        thammondwis


          Re: Pc Problems
          « Reply #50 on: November 10, 2010, 04:24:22 AM »
          Here is the MBAM log:

          Malwarebytes' Anti-Malware 1.46
          www.malwarebytes.org

          Database version: 5086

          Windows 5.1.2600 Service Pack 3
          Internet Explorer 8.0.6001.18702

          11/9/2010 11:20:57 PM
          mbam-log-2010-11-09 (23-20-57).txt

          Scan type: Full scan (C:\|E:\|)
          Objects scanned: 378758
          Time elapsed: 1 hour(s), 28 minute(s), 37 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)

          thammondwis


            Re: Pc Problems
            « Reply #51 on: November 10, 2010, 05:38:01 AM »
            I tried opening up Internet Explorer one more time, I was going to see if I would be able to reset IE to the default settings.  Every time I would start IE lately, I would get a message to restore previous session or go to home page.  Without thinking about it I had always been selecting go to home page.  This time I figured I would try selecting restore previous session.  Now both IE and FireFox appear to be working normally.

            SuperDave

            Re: Pc Problems
            « Reply #52 on: November 10, 2010, 01:20:37 PM »
            Ok. Let's give it a few days to see if they stay that way.

            thammondwis


              Re: Pc Problems
              « Reply #53 on: November 10, 2010, 05:10:18 PM »
              OK after using both IE and FireFox a bit I am not getting the unresponsive issues with IE anymore or needing to double click multiple times to start FireFox.  However I am still getting redirects in both IE and FireFox and an occasional pop up after a redirect.  The redirects so far are occurring when clicking on a link from a Yahoo or Google search.

              thammondwis


                Re: Pc Problems
                « Reply #54 on: November 10, 2010, 06:11:16 PM »
                I am also still getting a Generic Host Process For Win32 Services needs to close message every time I reboot (sometimes right away and sometimes an hour or so after I reboot).

                I am also still not able to connect to the windows update site.

                SuperDave

                Re: Pc Problems
                « Reply #55 on: November 11, 2010, 07:18:03 AM »
                Ok. Let's see if we can fix that update problem.

                Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

                •Open the folder and run Dial-a-fix.exe
                •2 windows will open. Close the one in the background labeled Restrictive Policies
                •Check the box in section 1, Empty temp folders.

                •Check the box in section 2, Fix Windows Installer.

                •Check the box in section 3, Fix Windows Update.

                •Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked

                •Check all boxes in section 5, labeled Registration Center.

                •Click Go

                •OK any error messages if received, but write them down and post them here.

                Restart the computer when done.
                *************************************
                You can check out that Generic Host process here.

                thammondwis


                  Re: Pc Problems
                  « Reply #56 on: November 11, 2010, 06:41:11 PM »
                  OK I ran the Dial-a-fix program and the error messages are listed below.  I tried to get to the Windows Update site to see if anything has changed and still can't connect.  The Microsoft solution link you provided for the Generic Host Process error did not help because that fix is only for SP2 and I am running SP3.  I did notice something interesting in the Microsoft link: it mentioned something about the Generic Host Process error being related to a problem with the previous shutdown.  For the last week or so I have not been able to perform a soft shut down or reboot.  I have to shut down or reboot with a hard reboot.

                  I had an error in the dial-a-fix before the program started:

                  Dial-a-fix was unable to determine your version on Internet Explorer.  Certain DLL registrations will be skipped.

                  There wasn't a 2nd window labeled Restrictive Policies that opened.

                  Below are the error messages that occurred while the program was running.

                  Error 127: C:\Windows\System32\iesetup.dll is not registerable or the file is corrupted. Your version of iesetup.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\iesetup.dll is not DLLInstall-able or the file is corrupted. Your version of iesetup.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\imgutil.dll is not registerable or the file is corrupted. Your version of imgutil.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\inseng.dll is not registerable or the file is corrupted. Your version of inseng.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\inseng.dll is not DLLInstall-able or the file is corrupted. Your version of inseng.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\mshtml.dll is not registerable or the file is corrupted. Your version of mshtml.dll is 8.00.6001.18975(?). Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\mshtml.dll is not DLLInstall-able or the file is corrupted. Your version of mshtml.dll is 8.00.6001.18975(?). Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\msrating.dll is not registerable or the file is corrupted. Your version of msrating.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\occache.dll is not registerable or the file is corrupted. Your version of occache.dll is 8.00.6001.18968. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\occache.dll is not DLLInstall-able or the file is corrupted. Your version of occache.dll is 8.00.6001.18968. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\pngfilt.dll is not registerable or the file is corrupted. Your version of pngfilt.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\webcheck.dll is not registerable or the file is corrupted. Your version of webcheck.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                  Error 127: C:\Windows\System32\webcheck.dll is not DLLInstall-able or the file is corrupted. Your version of webcheck.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.


                  thammondwis


                    Re: Pc Problems
                    « Reply #57 on: November 11, 2010, 08:04:45 PM »
                    I am able to perform a "soft" shutdown of the computer if I click on shutdown right after the computer starts up.  I also reviewed the program lists in the Add/Remove program listing.  There is one program that I was not sure about called CouponBar.  I decided to remove it based on some internet research, but clicking on the remove button does not do anything.

                    SuperDave

                    Re: Pc Problems
                    « Reply #58 on: November 12, 2010, 01:11:32 PM »
                    Ok. Please try to uninstall it with HJT.

                    Delete An Uninstall Entry

                    •Start HijackThis

                    •Click on the Open the Misc Tools section

                    •Click on the Open Uninstall Manager button.

                    •Highlight the entry you want to remove.
                    •Click Delete this entry

                    ******************************
                    Do you get any errors when trying to get your updates?
                    When was the last time you defragged your harddrive?



                    thammondwis


                      Re: Pc Problems
                      « Reply #59 on: November 12, 2010, 04:06:34 PM »
                      OK I was able to get rid of CouponBar with HJT.

                      The message I get when trying to connect to the Windows update site is:

                      With FireFox the tab says: "Problem Loading Page"  and the error message on the page is:

                      The connection was reset
                      The connection to the server was reset while the page was loading
                      Then it has some suggestions to what the problem could be and a button to try again which results in the same thing.

                      IE is hung up right now so I will need to reboot the computer.