Computer Hope

Software => Computer viruses and spyware => Topic started by: shag on August 23, 2011, 01:30:07 AM

Title: Windows running slow; won't update
Post by: shag on August 23, 2011, 01:30:07 AM
Not sure if this is even a malware issue--but here goes.

I'm trying to set up a router on my dad's computer, but it requires a service pack for Windows Vista.  I've been having no luck getting windows to update.  (Same error message as Clifford's, I noticed.)  I've also noticed that the computer often seems slow/unstable.

It crashed when I ran MBAM tonight, but I ran it a month or two ago, found some items, cleaned them, and ran another scan.  That log is posted.
Ran SAS.  That log's attached too.  Got the HJT log too.

Like I said, this machine runs Windows Vista.  32 bit.

[regaining space - attachment deleted by admin]
Title: Re: Windows running slow; won't update
Post by: geek hoodlum on August 23, 2011, 02:33:32 AM
Hi, this is your Computer Hope hijackthis log overview (http://www.computerhope.com/cgi-bin/process.pl?o=2322424). Follow the cleaning steps there.

Oh by the way, next time, before you do any virus scan, I suggest you do house cleaning first. Check the Step 2 (http://www.computerhope.com/forum/index.php/topic,46313.msg290095.html#msg290095) here for house cleaning. :)
Title: Re: Windows running slow; won't update
Post by: SuperDave on August 23, 2011, 05:08:11 PM
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
****************************************************
Download DDS from HERE (http://download.bleepingcomputer.com/sUBs/dds.scr) or HERE (http://www.forospyware.com/sUBs/dds) and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.

(http://i424.photobucket.com/albums/pp322/digistar/DDS.jpg)

1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/paste both logs into your Thread

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

•Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE (http://www.bleepingcomputer.com/forums/topic114351.html). Then post your DDS logs (DDS.txt and Attach.txt).
Title: Re: Windows running slow; won't update
Post by: shag on August 24, 2011, 09:06:30 PM
OK, I've followed all the steps given me.

Security Check report is attached.

From the instructions I believe I was to copy and paste the DDS logs... here they are.

Thanks for your help!

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 6/16/2007 1:19:25 PM
System Uptime: 8/24/2011 3:47:27 PM (7 hours ago)
.
Motherboard: ASUSTek Computer INC. |  | NODUSM3
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2  | 2200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 227 GiB total, 176.381 GiB free.
D: is FIXED (NTFS) - 6 GiB total, 0.883 GiB free.
E: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1220: 8/14/2011 6:14:09 PM - Windows Update
RP1221: 8/14/2011 6:24:52 PM - Windows Update
RP1222: 8/15/2011 3:51:16 PM - Windows Update
RP1223: 8/16/2011 2:52:24 PM - Windows Update
RP1224: 8/16/2011 3:11:17 PM - Windows Update
RP1225: 8/17/2011 3:01:31 PM - Windows Update
RP1226: 8/18/2011 3:20:30 PM - Windows Update
RP1227: 8/18/2011 3:27:51 PM - Windows Update
RP1228: 8/19/2011 4:46:01 PM - Windows Update
RP1229: 8/19/2011 4:56:41 PM - Windows Update
RP1230: 8/20/2011 3:00:14 AM - Windows Update
RP1231: 8/20/2011 4:49:11 PM - Windows Update
RP1232: 8/21/2011 1:44:05 AM - Windows Update
RP1233: 8/21/2011 3:00:16 AM - Windows Update
RP1234: 8/21/2011 4:49:20 PM - Windows Update
RP1235: 8/22/2011 6:53:19 AM - Windows Update
RP1236: 8/22/2011 7:52:19 PM - Windows Update
RP1237: 8/22/2011 8:11:43 PM - Windows Update
RP1238: 8/22/2011 8:16:39 PM - Windows Update
RP1239: 8/22/2011 10:32:10 PM - Windows Update
RP1240: 8/22/2011 10:37:07 PM - Windows Update
RP1241: 8/22/2011 10:54:48 PM - Windows Update
RP1242: 8/22/2011 11:00:44 PM - Windows Update
RP1243: 8/23/2011 1:33:49 AM - Installed Java(TM) 6 Update 26
RP1244: 8/23/2011 2:13:20 AM - Installed HiJackThis
RP1245: 8/23/2011 2:21:34 AM - Installed HiJackThis
RP1246: 8/23/2011 2:31:27 AM - Windows Update
RP1247: 8/23/2011 6:15:32 PM - Scheduled Checkpoint
RP1248: 8/24/2011 9:19:05 PM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.8
AnswerWorks 4.0 Runtime - English
att.net Toolbar
AutoUpdate
CCleaner
Compatibility Pack for the 2007 Office system
DivX
Enhanced Multimedia Keyboard Solution
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
H&R Block Deluxe + Efile + State 2009
H&R Block Deluxe + Efile + State 2010
H&R Block Kentucky 2009
H&R Block Kentucky 2010
Hardware Diagnostic Tools
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Picasso Media Center Add-In
HP Update
Java Auto Updater
Java(TM) 6 Update 26
LightScribe  1.4.124.1
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Office Small Business Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 5.0
My HP Games
NVIDIA Drivers
OcxSetup
OGA Notifier 2.0.0048.0
PolderbitS Sound Recorder and Editor
Python 2.4.3
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Security Update for CAPICOM (KB931906)
Soft Data Fax Modem with SmartCP
SUPERAntiSpyware
TaxCut Basic + Efile 2008
TaxCut Kentucky 2008
TurboTax Basic 2007
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WinRAR archiver
Yahoo! Detect
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
8/24/2011 4:01:37 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 1.111.463.0     Update Source: Microsoft Update Server     Update Stage: Search     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.7604.0     Error code: 0x80072efe     Error description: The connection with the server was terminated abnormally
8/24/2011 3:48:26 PM, Error: EventLog [6008]  - The previous system shutdown at 3:36:06 PM on 8/24/2011 was unexpected.
8/23/2011 2:57:42 PM, Error: Service Control Manager [7000]  - The Windows Media Player Network Sharing Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
8/23/2011 2:57:40 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
8/23/2011 2:53:00 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ckgqshre
8/23/2011 2:53:00 PM, Error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
8/22/2011 8:23:53 PM, Error: Ntfs [55]  - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume HP.
8/21/2011 10:48:28 AM, Error: Microsoft-Windows-Dhcp-Client [1002]  - The IP address lease 209.33.21.227 for the Network Card with network address 002127D75B5B has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
8/17/2011 4:42:36 PM, Error: Schannel [36874]  - An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
8/17/2011 3:13:06 PM, Error: Microsoft-Windows-LanguagePackSetup [1001]  - Application initialization failed. Last error: 0x80070032
8/17/2011 3:09:50 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070663: Security Update for Microsoft Office 2003 (KB982311).
8/17/2011 3:09:49 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070490: Update for Windows Vista (KB973917).
8/17/2011 2:57:43 PM, Error: ACPI [6]  - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 4, function 0. Please contact your system vendor for technical assistance.
8/17/2011 2:57:43 PM, Error: ACPI [6]  - IRQARB: ACPI BIOS does not contain an IRQ for the device in PCI slot 2, function 0. Please contact your system vendor for technical assistance.
.
==== End Of File ===========================



.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.6000.16916
Run by del107 at 22:01:05 on 2011-08-24
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\del107\Desktop\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://att.net
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.55.5.10 209.55.5.11
TCP: Interfaces\{567D9322-267E-44C8-85A0-AD77D16BB6F8} : DhcpNameServer = 209.55.5.10 209.55.5.11
TCP: Interfaces\{BC64D18A-5F16-4724-997A-E64E40333055} : DhcpNameServer = 192.168.1.254 192.168.1.254
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R? ckgqshre;ckgqshre
R? gupdate1c9f15354c042d8;Google Update Service (gupdate1c9f15354c042d8)
R? gupdatem;Google Update Service (gupdatem)
R? MpKsl4feff612;MpKsl4feff612
R? MpKsl60dcaba3;MpKsl60dcaba3
R? MpKsl652a4a97;MpKsl652a4a97
R? MpKsl83f62c97;MpKsl83f62c97
R? MpKsl8459eddb;MpKsl8459eddb
R? MpKsl9484ccc1;MpKsl9484ccc1
R? MpKslc405c3d3;MpKslc405c3d3
R? MpKsleb20a6ea;MpKsleb20a6ea
S? !SASCORE;SAS Core Service
S? MpFilter;Microsoft Malware Protection Driver
S? MpKsl4bbbdb86;MpKsl4bbbdb86
S? MpKsl548b5a4e;MpKsl548b5a4e
S? MpNWMon;Microsoft Malware Protection Network Driver
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== Created Last 30 ================
.
2011-08-24 20:48:38   28752   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{81c4a5fb-8dce-4326-8136-efc7a93094dc}\MpKsl548b5a4e.sys
2011-08-24 20:20:25   28752   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{81c4a5fb-8dce-4326-8136-efc7a93094dc}\MpKsl4bbbdb86.sys
2011-08-23 07:22:02   388096   ----a-r-   c:\users\del107\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-23 07:21:59   --------   d-----w-   c:\program files\Trend Micro
2011-08-23 06:41:45   --------   d-----w-   c:\program files\CCleaner
2011-08-23 06:35:40   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-08-23 04:03:24   7152464   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\{81c4a5fb-8dce-4326-8136-efc7a93094dc}\mpengine.dll
2011-08-23 01:26:29   --------   d-----w-   c:\users\del107\appdata\roaming\SUPERAntiSpyware.com
2011-08-23 01:25:52   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2011-08-23 01:25:52   --------   d-----w-   c:\program files\SUPERAntiSpyware
2011-08-23 00:50:31   --------   d-----w-   c:\programdata\Cisco Systems
2011-08-09 20:03:41   6881616   ----a-w-   c:\programdata\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
.
==================== Find3M  ====================
.
2011-07-07 00:52:42   41272   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
2011-06-17 01:48:13   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 22:01:43.14 ===============


[regaining space - attachment deleted by admin]
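The DDS log above contains a pattern worth knowing how to spot mechanically: a driver entry whose "display name" is just its own eight random-looking letters (`R? ckgqshre;ckgqshre`), and a Service Control Manager 7026 event saying that same driver failed to load at boot. The following is an added triage helper, not code from this thread, from DDS, or from Computer Hope. It parses the DDS `SERVICES / DRIVERS` line format and the event lines exactly as they appear above, scores each entry with a few indicators, and lists anything above a threshold for manual review. The indicator weights, the vowel-ratio cutoff and the threshold are my own assumptions; the sample input is a handful of lines copied from the log in this post.

```python
"""Triage helper for the DDS log format seen in this thread: flag service/driver
entries with random-looking names and correlate them with Service Control
Manager 'failed to load' events. Added example; not code from the thread,
from DDS, or from Computer Hope."""
import re

# Sample input: SERVICES / DRIVERS lines and event lines copied from the DDS log
# in this thread, trimmed to a few entries.
SAMPLE_SERVICES = """\
R? ckgqshre;ckgqshre
R? gupdatem;Google Update Service (gupdatem)
S? !SASCORE;SAS Core Service
S? MpFilter;Microsoft Malware Protection Driver
S? SASDIFSV;SASDIFSV
"""

SAMPLE_EVENTS = """\
8/23/2011 2:53:00 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ckgqshre
8/23/2011 2:53:00 PM, Error: Service Control Manager [7000]  - The Parallel port driver service failed to start due to the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
"""

# DDS writes one service per line as "<R|S>? <name>;<display name>"
SERVICE_RE = re.compile(r"^([RS])\?\s+([^;]+);(.*)$")
# SCM event 7026 lists the drivers that failed to load at boot
FAILED_RE = re.compile(r"driver\(s\) failed to load:\s*(.+)$")


def parse_services(text):
    """Return (state, name, display_name) for every DDS service/driver line."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip(), m.group(3).strip()))
    return entries


def failed_drivers(text):
    """Return the set of driver names reported in 'failed to load' events."""
    names = set()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            names.update(n for n in re.split(r"[\s,]+", m.group(1).strip()) if n)
    return names


def vowel_ratio(name):
    """Fraction of letters that are vowels; generated strings tend to score low."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def score_entry(name, display, failed):
    """Assumed heuristic weights: each indicator adds one point, and a driver
    the SCM could not load adds two. Returns (score, reasons)."""
    score, reasons = 0, []
    if name == display:
        score += 1
        reasons.append("display name is just the service name")
    if re.fullmatch(r"[a-z]{6,12}", name):
        score += 1
        reasons.append("6-12 lowercase letters only")
    if vowel_ratio(name) < 0.25:  # assumed cutoff
        score += 1
        reasons.append("few vowels, looks generated")
    if name in failed:
        score += 2
        reasons.append("named in a 'failed to load' event")
    return score, reasons


def triage(services_text, events_text, threshold=3):
    """List entries scoring at or above the (assumed) threshold, highest first."""
    failed = failed_drivers(events_text)
    hits = []
    for state, name, display in parse_services(services_text):
        score, reasons = score_entry(name, display, failed)
        if score >= threshold:
            hits.append({"name": name, "state": state, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_SERVICES, SAMPLE_EVENTS):
        print(f"{hit['name']} ({hit['state']}?) score={hit['score']}: "
              f"{', '.join(hit['reasons'])}")
```

On the sample above only `ckgqshre` clears the threshold; the vendor drivers with terse names (`SASDIFSV`, `gupdatem`) each pick up a single point and drop out. A hit is a prompt to look at the file behind the entry (which is what the multi-engine scan requested later in this thread does), not a verdict: legitimate drivers occasionally have unhelpful names, and a driver that fails to load can simply be a leftover from an uninstalled product.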
Title: Re: Windows running slow; won't update
Post by: SuperDave on August 25, 2011, 03:37:37 PM
•Please download Dial-A-Fix from one of the following mirrors:

Primary mirror (http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip)
Secondary mirror (http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip)

•Extract the zip file to your desktop.

•Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors; just ignore them and click
(http://i424.photobucket.com/albums/pp322/digistar/OK.jpg) to continue.

•Press the green double checkmark box (looks like this:
(http://i424.photobucket.com/albums/pp322/digistar/checkmark.png) )

UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:

(http://i424.photobucket.com/albums/pp322/digistar/ncheck.png)

(http://i424.photobucket.com/albums/pp322/digistar/Window.png)

•Click on Go

•Wait for Dial-A-Fix to finish (All the checks marks will be all gone)

•Close Dial-A-Fix
***************************************************
Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

link # 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link # 2 (http://subs.geekstogo.com/ComboFix.exe)
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Right-click combofix.exe and select Run as Administrator and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Title: Re: Windows running slow; won't update
Post by: shag on August 26, 2011, 08:39:49 PM
Dial-a-fix looks like a handy program, but when I try to run the program, it says it does not work with Vista.

I did run combofix.  Log attached.



[regaining space - attachment deleted by admin]
Title: Re: Windows running slow; won't update
Post by: SuperDave on August 27, 2011, 01:21:56 PM
Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs to be scanned, they must be done separately and links posted for each one)

* Copy the file path in the below Code box:

Code:
c:\windows\System32\drivers\oovou.sys
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
*********************************************************
Re-running ComboFix to remove infections:

**********************************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/ (http://sites.google.com/site/sysprotantirootkit/)

Unzip it into a folder on your desktop.
Title: Re: Windows running slow; won't update
Post by: shag on August 29, 2011, 08:11:30 AM
Followed your instructions on Jotti's and got this message:

File is empty (0 bytes)!

There was nothing new in the address bar to copy and paste.


Ran ComboFix again without issue.

Ran SysProt; here's the log.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_diskdump.sys
Service Name: ---
Module Base: 85EDE000
Module End: 85EE8000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_nvstor32.sys
Service Name: ---
Module Base: 8B076000
Module End: 8B093000
Hidden: Yes

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: DEL107-PC:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: DEL107-PC:49158
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\services.exe
State: LISTENING

Local Address: DEL107-PC:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: DEL107-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\lsass.exe
State: LISTENING

Local Address: DEL107-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: DEL107-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: DEL107-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: DEL107-PC:49152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\wininit.exe
State: LISTENING

Local Address: DEL107-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\System32\svchost.exe
State: LISTENING

Local Address: DEL107-PC:49462
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DEL107-PC:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: DEL107-PC:49463
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:SSDP
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:64974
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:LLMNR
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:UPNP-DISCOVERY
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

Local Address: DEL107-PC:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\System32\svchost.exe
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Access denied

Object: C:\WINDOWS\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Access denied

Title: Re: Windows running slow; won't update
Post by: SuperDave on August 29, 2011, 04:50:21 PM
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Title: Re: Windows running slow; won't update
Post by: shag on August 30, 2011, 03:50:52 PM
Scan complete.  "No threats found."

The log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

That's it.
Title: Re: Windows running slow; won't update
Post by: SuperDave on August 30, 2011, 04:37:51 PM
That looks good. Just one more scan. How's your computer running now?

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1 (http://screen317.spywareinfoforum.org/SecurityCheck.exe)
Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
Title: Re: Windows running slow; won't update
Post by: shag on September 01, 2011, 07:18:32 AM
Unfortunately, windows is still failing to update and it is still running slowly/crashing.  But it looks like we're going to be ruling out a malware problem.

Here's the security check.

 Results of screen317's Security Check version 0.99.18 
 Windows Vista  (UAC is enabled)
 Out of date service pack!! (http://support.microsoft.com/kb/935791)
 Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Enabled! 
 ESET Online Scanner v3   
 Microsoft Security Essentials   
 WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

 Malwarebytes' Anti-Malware   
 HijackThis 2.0.2   
 CCleaner     
 Java(TM) 6 Update 26 
 Adobe Flash Player   
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Windows Defender MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Microsoft Security Client Antimalware MsMpEng.exe 
``````````End of Log````````````
Title: Re: Windows running slow; won't update
Post by: SuperDave on September 01, 2011, 04:50:47 PM
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version (http://www.java.com/en/download/installed.jsp)

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment (http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html).

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa (http://raproducts.org/click/click.php?id=1) and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) (http://java.sun.com/javase/6/docs/technotes/guides/jweb/otherFeatures/jqs.html) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
***************************************************
NOTE. Please run this even if you don't have the OS disk.

Do you have your OS CD/DVD?

If so,

1/ Click the Start button.

2/ From the Start Menu, Click All programs followed by Accessories.

3/ In the Accessories menu, Right Click on the Command Prompt option.

4/ From the drop down menu that appears, Click on the Run as administrator option.

5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6/ In the Command Prompt window, type: sfc /scannow and then press Enter.

7/ A message will appear stating that the system scan will begin.

8/ Be patient because the scan may take some time.

9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.

10/ If everything is okay you should, after the scan, see the following message: "Windows Resource Protection did not find any integrity violations."

11/ After the scan has completed, Close the command prompt window.
**************************************************
Do you get any errors when you try to get your updates?
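The Java inventory and the sfc /scannow steps above, put into one elevated PowerShell script. This is an added example, not code from the thread or from any of the tools it mentions. It assumes the standard locations (the JavaSoft registry key under HKLM, CBS.log under %windir%\Logs\CBS) and the PowerShell 2.0 that Vista receives through Windows Update; the "[SR]" filter and the two failure phrases it looks for are the ones Microsoft's KB 929833 documents for reading CBS.log. The elevation check at the top exists because both sfc and CBS.log need an administrator token, which is what the "Access denied" on CBS.txt reported later in this thread points to.

```powershell
# Added example: Java inventory + SFC run + CBS.log extraction for a 32-bit Vista box.
# Not from the original thread. Assumes default paths and a PowerShell 2.0-era host.

# 1. Bail out unless elevated. sfc.exe refuses to scan, and CBS.log is unreadable,
#    from a non-elevated shell even for an account in the Administrators group.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as administrator" and try again.'
}

# 2. Every JRE registered on the machine, not only the one java.com's page reports.
#    Side-by-side leftovers (1.6.0_xx next to 1.6.0_26) are what JavaRa's
#    "Remove Older Versions" cleans up. On 64-bit Windows add the Wow6432Node key too.
$jreKey = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path $jreKey) {
    $current = (Get-ItemProperty -Path $jreKey).CurrentVersion
    "CurrentVersion (what 'java' on the PATH resolves to): $current"
    Get-ChildItem -Path $jreKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.JavaHome) {
            '{0,-12} {1}' -f $_.PSChildName, $props.JavaHome
        }
    }
} else {
    'No JRE registered under HKLM\SOFTWARE\JavaSoft (nothing for JavaRa to remove).'
}

# 3. Run SFC. Let it write straight to the console: capturing sfc.exe output in
#    PowerShell mangles its UTF-16 text, and CBS.log is the authoritative record anyway.
& "$env:windir\System32\sfc.exe" /scannow

# 4. Pull the SFC-specific entries out of CBS.log (equivalent of
#    findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log from KB 929833). CBS.log accumulates
#    across scans, so check the timestamps at the front of each line against today's run.
$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'
$sr  = @(Select-String -Path $cbs -SimpleMatch '[SR]')
$out = Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt'
$sr | ForEach-Object { $_.Line } | Set-Content -Path $out

# These two phrases are what "unable to fix some of them" looks like in the log.
$unrepaired = @($sr | Where-Object {
    $_.Line -match 'Cannot repair member file|Could not reproject corrupted file'
})
'{0} [SR] lines written to {1}; {2} entries SFC could not repair.' -f `
    $sr.Count, $out, $unrepaired.Count
$unrepaired | ForEach-Object { $_.Line }
```

If the last count is non-zero the file names in those lines tell you which components SFC could not restore from the local component store, which is when the thread's next step (a matching Vista DVD or the OEM recovery partition) becomes necessary.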
Title: Re: Windows running slow; won't update
Post by: shag on September 02, 2011, 07:32:31 PM
Java won't update--the installer can't download whatever it needs to begin the installation.

I don't have the Vista CD (aargh!), but I ran sfc /scannow as instructed.  When it finished, it said that there had been corrupt files found, but that it was unable to fix some of them.  There's a log file (CBS.txt) which I can find but can't open--when I click on it it says "Access denied".
Title: Re: Windows running slow; won't update
Post by: SuperDave on September 02, 2011, 07:35:53 PM
Quote
When it finished, it said that there had been corrupt files found, but that it was unable to fix some of them.
I believe that is the problem. Can you borrow a Vista CD? It must be the same as what's on your computer; Windows Vista™ Home Premium
Title: Re: Windows running slow; won't update
Post by: shag on September 02, 2011, 08:11:01 PM
I'll try to find someone that has the CD, but apparently it's becoming pretty common to not receive a Windows CD with a new computer.  Do I have other routes to getting a CD, or other options entirely?
Title: Re: Windows running slow; won't update
Post by: soybean on September 03, 2011, 09:12:32 AM
Quote
I'll try to find someone that has the CD, but apparently it's becoming pretty common to not receive a Windows CD with a new computer.
Right, but manufacturers put a recovery partition on the hard drive as a substitute for a Windows CD.  Open Computer, where you see your drives listed.  What is D on your computer?  If you have a partition lettered D, how large is that partition and how much space is used on it?  Or, is D a partition you use for other purposes or is D assigned to an optical drive?  This info provides a fairly clear indication of whether your computer has a recovery partition.

Also, what is the make and model of your computer?

Edit: SuperDave: I hope my comments here are not out of line. I'll avoid posting on the actual virus or malware issues.
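The questions soybean asks (what D: is, how big it is, how much is used, and the make and model) can be answered from WMI without clicking through Computer. This is an added example, not from the original thread; it assumes the PowerShell 2.0 that Vista gets via Windows Update, and the "likely recovery partition" column is a heuristic based on the volume label and size, not anything the OEM guarantees.

```powershell
# Added example: identify an OEM recovery partition from WMI. Not from the original thread.
# DriveType codes per Win32_LogicalDisk: 2 removable, 3 local disk, 4 network, 5 CD/DVD.
$typeName = @{ 2 = 'Removable'; 3 = 'Local disk'; 4 = 'Network'; 5 = 'CD/DVD' }

Get-WmiObject -Class Win32_LogicalDisk | ForEach-Object {
    $sizeGB = if ($_.Size) { [math]::Round($_.Size / 1GB, 1) } else { 0 }
    $usedGB = if ($_.Size) { [math]::Round(($_.Size - $_.FreeSpace) / 1GB, 1) } else { 0 }
    # Heuristic (assumption, not a rule): OEM recovery volumes are small local disks,
    # usually labelled "Recovery"/"RECOVERY", and mostly full because they hold a
    # compressed image of the factory install.
    $likely = ($_.DriveType -eq 3 -and $_.VolumeName -match 'recover' -and $sizeGB -lt 40)
    New-Object PSObject -Property @{
        Drive          = $_.DeviceID
        Type           = $typeName[[int]$_.DriveType]
        Label          = $_.VolumeName
        SizeGB         = $sizeGB
        UsedGB         = $usedGB
        LikelyRecovery = $likely
    }
} | Format-Table Drive, Type, Label, SizeGB, UsedGB, LikelyRecovery -AutoSize

# Caveat: a recovery partition with no drive letter never shows up as a logical disk.
# The raw partition table does show it, as a non-boot partition a few GB in size.
Get-WmiObject -Class Win32_DiskPartition |
    Select-Object Index, Type, BootPartition,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } } |
    Format-Table -AutoSize

# Make and model, the other thing soybean asked for.
Get-WmiObject -Class Win32_ComputerSystem | Select-Object Manufacturer, Model
```

A D: volume labelled "Recovery" of roughly 10 to 15 GB that is nearly full, on a machine shipped without media, is the normal OEM layout; if instead D: is a DVD drive (DriveType 5) and the partition list shows no small extra partition, there is no on-disk substitute for the Vista DVD.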
Title: Re: Windows running slow; won't update
Post by: SuperDave on September 03, 2011, 12:55:21 PM
Thanks Soybean. I went back and checked and the C drive is partitioned with, what I assume is, the Recovery Console. Please try this.

1. Eject and remove any discs or memory cards from your computer.

2. Click the "Start" button on the desktop to open the Start menu, click the small arrow icon to the right of the lock icon and select "Restart".

3. Hold the "F8" key on your computer's keyboard as Windows Vista reboots.

4. Highlight and select "Repair your computer" choose your keyboard type and click "Next".

5. Choose your user name, type your password if prompted and click "OK" to access the System Recovery Options menu.
Title: Re: Windows running slow; won't update
Post by: shag on September 05, 2011, 08:36:22 PM
Yep, the hard drive is partitioned with a D: Recovery.  I was able to re-load windows from the Recovery Console.

Windows Update found 103 updates for my reloaded Vista, but Update still doesn't seem to work right.  I ran it once and after ~15 minutes it still said 0% downloaded.  I restarted and tried to run it again and this time the program froze before ever starting up.
Title: Re: Windows running slow; won't update
Post by: SuperDave on September 06, 2011, 01:44:12 PM
Quote
I was able to re-load windows from the Recovery Console.
Did you do a Recovery or just a repair?
Did you try going to the MS site and getting your updates?
Title: Re: Windows running slow; won't update
Post by: shag on September 08, 2011, 05:10:54 AM
I did a recovery.

All of those updates that wouldn't install a couple days ago--Windows Update now reports them as installed.  I can't even venture a guess as to what went down there.

I guess it is not necessary to try the manual downloading of updates now.

There are still times when I wonder why this machine runs so slowly.  Might there be a way to check processor speed/other hardware and make sure it is performing as it should?
Title: Re: Windows running slow; won't update
Post by: SuperDave on September 08, 2011, 05:05:25 PM
See Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.