
Author Topic: Pc Problems  (Read 55573 times)


thammondwis

    Topic Starter


    Beginner

    Re: Pc Problems
    « Reply #30 on: November 01, 2010, 04:17:04 PM »
    Here is the log:

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 17:15 on 01/11/2010 (Home)
    Firefox version 3.0.19 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [10:36 13/04/2009]
    {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [11:45 19/06/2009]
    {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [01:07 29/08/2009]
    {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [00:22 18/11/2009]
    {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [23:16 13/06/2010]
    {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [10:07 20/10/2010]

    C:\Documents and Settings\Home\Application Data\Mozilla\Firefox\Profiles\ashxfdvz.default\extensions\
    {20a82645-c095-46ed-80e3-08825760534b} [11:05 25/06/2010]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:46 01/04/2009]
    "{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext" [13:12 17/04/2010]
    "[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:05 20/12/2008]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG10\Firefox\" [02:39 21/10/2010]

    -=E.O.F=-

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Pc Problems
    « Reply #31 on: November 02, 2010, 12:53:02 PM »
    Are you still getting redirects? Is it always to the same site?
    Windows 8 and Windows 10 dual boot with two SSD's

    thammondwis


      Re: Pc Problems
      « Reply #32 on: November 04, 2010, 07:57:51 PM »
      Yes I am still getting the redirects.  I have not seen the pop ups in new tabs lately.  The redirects seem to be happening only when clicking on a link in a yahoo search while using Firefox.

      I am still having issues with internet explorer non responding, which tends to occur after it has been open for a while.

      I am still getting the WIN32 error message.  And I have been getting periodic issues with MagicJack software (internet phone) not running.

      One other question.  I did not install a 3rd party firewall software.  I do have the firewall active on my router.  Should I install one of the firewalls that were suggested in the intro thread?  If so should I disable the firewall on the router?

      thammondwis


        Re: Pc Problems
        « Reply #33 on: November 05, 2010, 03:40:00 AM »
        Just after I posted my last message, I did have a new tab open up in FireFox.  It opened up to google.

        I also have not been able to print since I started this thread from my other computer.  I have the two computers networked together.  The printer is hooked up to this computer.  I was troubleshooting the printer issue when I realized that all the network info/settings on this computer were gone/reset.  There was no computer name or workgroup name assigned on this computer.  I ended up running the network setup wizard and it acted as though no network was ever set up on this computer.

        After I had the network reset up correctly and could print from the other computer again, I came back later to the following error message:

        Hammond (workgroup name) is not accessible.  You might not have permission to use this network resource.

        SuperDave

        Re: Pc Problems
        « Reply #34 on: November 05, 2010, 12:45:05 PM »
        Quote
        One other question.  I did not install a 3rd party firewall software.  I do have the firewall active on my router.  Should I install one of the firewalls that were suggested in the intro thread?  If so should I disable the firewall on the router?
        If you have a secure firewall there, that should be good.
        Could you please try ComboFix again as detailed in Reply #25.
        Do you have your OS disk?



        thammondwis


          Re: Pc Problems
          « Reply #35 on: November 05, 2010, 04:52:53 PM »
          OK ComboFix did not work again, but it was a bit different error than before.  This time I received a message that ComboFix could not run with AVG installed and would need to uninstall AVG.  I figured I would try that and then reinstall it afterwards.  However, I am unable to uninstall AVG.  I get a message that service AVG Watchdog (avgwd) can not be stopped.  Verify that you have sufficient privileges to stop system services.

          The user account I am using is not the administrator, but does have full admin privileges.

          Yes I do have the Windows XP Pro OS CD.

          thammondwis


            Re: Pc Problems
            « Reply #36 on: November 05, 2010, 06:31:34 PM »
            I did get AVG uninstalled by downloading and running the installation file and selecting uninstall.

            I was then able to run ComboFix...almost.  It got all the way through the program and at the very end just after it said it was creating a log report the computer crashed (BSOD flashed) and then rebooted.  I looked around and found a file called ComboFix.txt, but all that was in it is posted below.

            ComboFix 10-11-03.04 - Home 11/05/2010  19:03:33.1.2 - x86
            Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.492 [GMT -5:00]
            Running from: C:\Documents and Settings\Home\Desktop\ComboFix.exe
            .


            thammondwis


              Re: Pc Problems
              « Reply #37 on: November 06, 2010, 09:03:25 AM »
              One other issue that I have found.  I have noticed on occasion during bootup, I see the Windows update icon appear in the system tray.  However it disappears soon after before the computer finishes booting up.  I tried to go to the windows update site, but can't connect to it.  I have tried to get to it via various methods and get different results, but can't get there.

              SuperDave

              Re: Pc Problems
              « Reply #38 on: November 06, 2010, 01:34:44 PM »
              * Go to Start > Run and type mrt.exe then press Enter on the keyboard.
              * (Vista and Windows 7 users go to Start and type mrt.exe in the search box then press Enter on the keyboard.)
              * Click Next.
              * Choose Full Scan and click Next.
              * Once the scan is finished click View detailed results of the scan.

              Look through the list and let me know if anything was found infected.
              ***************************************
              Place the OS disk in your CD ROM drive and follow the instructions below:
              •Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
              *Let this run undisturbed until the window with the blue progress bar goes away
              SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
              ***************************************

              Delete your copy of ComboFix; download a fresh copy, except before you download it, rename it to blackpudding.bat

              Navigate to Start --> Run, and enter the following command exactly as shown:

              "%userprofile%\desktop\blackpudding.bat" /killall

              See if ComboFix will run now

              thammondwis


                Re: Pc Problems
                « Reply #39 on: November 06, 2010, 08:45:59 PM »
                mrt.exe did not find any infected files.

                I ran the system file checker as instructed.  It seemed to work OK.

                I uninstalled AVG and ran ComboFix as instructed and it worked!!!  Log is below.

                ComboFix 10-11-07.01 - Home 11/06/2010  21:13:54.2.2 - x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.699 [GMT -5:00]
                Running from: c:\documents and settings\Home\desktop\blackpudding.bat
                Command switches used :: /killall
                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                c:\documents and settings\Home\Desktop\blackpudding.bat
                .
                ---- Previous Run -------
                .
                c:\windows\system32\Cache

                .
                (((((((((((((((((((((((((   Files Created from 2010-10-07 to 2010-11-07  )))))))))))))))))))))))))))))))
                .

                2010-11-07 01:51 . 2008-04-14 00:12   116224   -c--a-w-   c:\windows\system32\dllcache\xrxwiadr.dll
                2010-11-07 01:51 . 2001-08-18 03:36   23040   -c--a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
                2010-11-07 01:51 . 2008-04-14 00:12   18944   -c--a-w-   c:\windows\system32\dllcache\xrxscnui.dll
                2010-11-07 01:51 . 2001-08-18 03:37   27648   -c--a-w-   c:\windows\system32\dllcache\xrxftplt.exe
                2010-11-07 01:51 . 2001-08-18 03:37   4608   -c--a-w-   c:\windows\system32\dllcache\xrxflnch.exe
                2010-11-07 01:51 . 2001-08-18 03:37   99865   -c--a-w-   c:\windows\system32\dllcache\xlog.exe
                2010-11-07 01:51 . 2001-08-17 17:11   16970   -c--a-w-   c:\windows\system32\dllcache\xem336n5.sys
                2010-11-07 01:51 . 2004-08-04 03:29   19455   -c--a-w-   c:\windows\system32\dllcache\wvchntxx.sys
                2010-11-07 01:51 . 2008-04-13 18:46   19200   -c--a-w-   c:\windows\system32\dllcache\wstcodec.sys
                2010-11-07 01:51 . 2004-08-04 03:29   12063   -c--a-w-   c:\windows\system32\dllcache\wsiintxx.sys
                2010-11-07 01:51 . 2008-04-14 00:12   8192   -c--a-w-   c:\windows\system32\dllcache\wshirda.dll
                2010-11-07 01:49 . 2001-08-17 18:48   11520   -c--a-w-   c:\windows\system32\dllcache\twotrack.sys
                2010-11-07 01:48 . 2001-08-17 17:50   50432   -c--a-w-   c:\windows\system32\dllcache\sisv.sys
                2010-11-07 01:47 . 2008-04-13 18:41   17664   -c--a-w-   c:\windows\system32\dllcache\ppa3.sys
                2010-11-07 01:46 . 2001-08-17 17:50   103296   -c--a-w-   c:\windows\system32\dllcache\mtxvideo.sys
                2010-11-07 01:45 . 2008-04-14 00:11   48640   -c--a-w-   c:\windows\system32\dllcache\kdsui.dll
                2010-11-07 01:44 . 2008-04-14 00:11   702845   -c--a-w-   c:\windows\system32\dllcache\i81xdnt5.dll
                2010-11-07 01:43 . 2001-08-18 03:36   45568   -c--a-w-   c:\windows\system32\dllcache\esunib.dll
                2010-11-07 01:42 . 2004-08-04 03:32   48640   -c--a-w-   c:\windows\system32\dllcache\cwrwdm.sys
                2010-11-07 01:41 . 2001-08-17 18:51   13824   -c--a-w-   c:\windows\system32\dllcache\bulltlp3.sys
                2010-11-07 01:40 . 2001-08-17 17:49   46464   -c--a-w-   c:\windows\system32\dllcache\atibt829.sys
                2010-11-06 16:05 . 2009-06-25 18:20   1446264   ----a-w-   c:\program files\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
                2010-11-06 16:02 . 2009-08-03 20:07   373104   ----a-w-   c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
                2010-11-06 14:53 . 2010-11-06 14:53   --------   d-----w-   c:\documents and settings\Admin\Local Settings\Application Data\Mozilla
                2010-11-02 11:11 . 2010-11-02 11:11   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
                2010-11-02 11:11 . 2010-11-02 11:11   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Apple Computer
                2010-11-02 10:28 . 2010-11-02 10:51   --------   d-----w-   c:\documents and settings\Home\Application Data\OnlineArmor
                2010-10-31 19:38 . 2010-10-31 19:38   --------   d-----w-   c:\program files\ESET
                2010-10-31 15:04 . 2010-07-09 18:18   20328   ----a-w-   c:\windows\system32\drivers\cpuz134_x32.sys
                2010-10-31 15:04 . 2010-10-31 15:04   --------   d-----w-   c:\program files\CPUID
                2010-10-28 22:57 . 2010-10-28 22:57   --------   d-----w-   C:\_OTL
                2010-10-23 17:04 . 2010-10-23 17:04   --------   d-----w-   c:\documents and settings\Admin\Application Data\AVG10
                2010-10-23 17:02 . 2010-10-23 17:02   --------   d-sh--w-   c:\documents and settings\Admin\IETldCache
                2010-10-23 00:16 . 2010-10-23 00:16   388096   ----a-r-   c:\documents and settings\Home\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
                2010-10-23 00:16 . 2010-10-23 00:16   --------   d-----w-   c:\program files\Trend Micro
                2010-10-22 02:39 . 2010-10-22 02:39   --------   d-----w-   c:\documents and settings\Home\Application Data\Malwarebytes
                2010-10-22 02:38 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2010-10-22 02:38 . 2010-10-22 02:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2010-10-22 02:38 . 2010-10-22 02:38   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                2010-10-22 02:38 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2010-10-21 23:12 . 2010-10-21 23:12   --------   d-----w-   c:\documents and settings\Home\Application Data\SUPERAntiSpyware.com
                2010-10-21 23:12 . 2010-10-21 23:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                2010-10-21 23:11 . 2010-10-21 23:12   --------   d-----w-   c:\program files\SUPERAntiSpyware
                2010-10-21 11:49 . 2010-10-26 02:14   --------   d-----w-   c:\program files\CCleaner
                2010-10-21 02:42 . 2010-10-21 02:42   --------   d-----w-   c:\documents and settings\Home\Application Data\AVG10
                2010-10-21 02:41 . 2010-10-21 02:41   --------   d--h--w-   c:\documents and settings\All Users\Application Data\Common Files
                2010-10-21 02:39 . 2010-11-07 02:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG10
                2010-10-21 02:38 . 2010-11-05 23:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\MFAData
                2010-10-19 07:26 . 2010-10-19 07:26   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
                2010-10-12 10:33 . 2010-10-12 10:33   --------   d-----w-   c:\windows\system32\wbem\Repository

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2010-09-18 17:23 . 2004-08-03 20:07   974848   ----a-w-   c:\windows\system32\mfc42u.dll
                2010-09-18 06:53 . 2004-08-03 20:07   974848   ----a-w-   c:\windows\system32\mfc42.dll
                2010-09-18 06:53 . 2004-08-03 20:07   954368   ----a-w-   c:\windows\system32\mfc40.dll
                2010-09-18 06:53 . 2004-08-03 20:07   953856   ----a-w-   c:\windows\system32\mfc40u.dll
                2010-09-15 09:50 . 2010-06-13 23:16   472808   ----a-w-   c:\windows\system32\deployJava1.dll
                2010-09-15 07:29 . 2008-05-03 17:50   73728   ----a-w-   c:\windows\system32\javacpl.cpl
                2010-09-10 05:58 . 2004-08-03 20:07   916480   ----a-w-   c:\windows\system32\wininet.dll
                2010-09-10 05:58 . 2004-08-03 20:07   43520   ----a-w-   c:\windows\system32\licmgr10.dll
                2010-09-10 05:58 . 2004-08-03 20:07   1469440   ----a-w-   c:\windows\system32\inetcpl.cpl
                2010-08-23 16:12 . 2004-08-03 20:07   617472   ----a-w-   c:\windows\system32\comctl32.dll
                2010-08-17 13:17 . 2004-08-03 20:07   58880   ----a-w-   c:\windows\system32\spoolsv.exe
                2010-08-16 08:45 . 2004-08-03 20:07   590848   ----a-w-   c:\windows\system32\rpcrt4.dll
                2010-08-13 12:53 . 2009-04-16 21:40   5120   ----a-w-   c:\windows\system32\xpsp4res.dll
                .

                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
                "cdloader"="c:\documents and settings\Home\Application Data\mjusbsp\cdloader2.exe" [2010-10-08 50592]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
                "nwiz"="nwiz.exe" [2007-12-05 1626112]
                "RTHDCPL"="RTHDCPL.EXE" [2006-12-19 16062464]
                "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
                "Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
                "WinSys2"="c:\windows\system32\winsys2.exe" [2006-04-29 208896]
                "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
                "MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
                "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
                "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
                "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
                "Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 92168]
                "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-08-20 1164584]
                "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
                "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
                "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-17 202256]
                "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

                [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                "cdloader"="c:\documents and settings\NetworkService\Application Data\mjusbsp\cdloader2.exe" [2010-10-08 50592]

                c:\documents and settings\All Users\Start Menu\Programs\Startup\
                DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2008-4-17 192512]
                E-Color.lnk - c:\program files\E-Color\Common\IconMgr.exe [2008-4-17 61440]
                Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                Authentication Packages   REG_MULTI_SZ      msv1_0 setuid

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Program Files\\Microsoft Games\\Flight Simulator 9\\fs9.exe"=
                "c:\\WINDOWS\\system32\\dpnsvr.exe"=
                "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "c:\\WINDOWS\\system32\\mqsvc.exe"=
                "c:\\Program Files\\FSFDT\\FWInn\\FWINN.exe"=
                "c:\\Program Files\\FSFDT\\Control Panel\\FSFDTCP.exe"=
                "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
                "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
                "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
                "c:\\Program Files\\iTunes\\iTunes.exe"=
                "c:\\mjusbsp\\magicJack.exe"=
                "c:\\Documents and Settings\\Home\\Application Data\\mjusbsp\\magicJack.exe"=
                "c:\\Documents and Settings\\NetworkService\\Application Data\\mjusbsp\\magicJack.exe"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
                "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
                "42019:TCP"= 42019:TCP:Azures
                "42019:UDP"= 42019:UDP:Azures
                "49152:TCP"= 49152:TCP:azures
                "49152:UDP"= 49152:UDP:azures

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
                "AllowInboundEchoRequest"= 1 (0x1)

                R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
                R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
                R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [10/31/2010 10:04 AM 20328]
                R2 magicJack;magicJack;c:\mjusbsp\srvany.exe [4/25/2010 8:35 AM 8192]
                R3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [4/17/2008 8:35 PM 28160]
                S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/28/2008 8:35 PM 717296]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                p2psvc   REG_MULTI_SZ      p2psvc p2pimsvc p2pgasvc PNRPSvc

                [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
                2007-08-23 22:34   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
                .
                Contents of the 'Scheduled Tasks' folder

                2010-10-13 c:\windows\Tasks\AppleSoftwareUpdate.job
                - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

                2010-11-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
                - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

                2010-11-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-789336058-839522115-1003.job
                - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

                2010-11-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-842925246-789336058-839522115-1004.job
                - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

                2010-11-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
                - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

                2010-11-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-789336058-839522115-1003.job
                - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

                2010-11-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-842925246-789336058-839522115-1004.job
                - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

                2010-11-06 c:\windows\Tasks\User_Feed_Synchronization-{D1A74F21-8B46-4EC6-A0A8-9C369E7281DC}.job
                - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
                .
                .
                ------- Supplementary Scan -------
                .
                uInternet Settings,ProxyOverride = *.local
                DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
                FF - ProfilePath - c:\documents and settings\Home\Application Data\Mozilla\Firefox\Profiles\ashxfdvz.default\
                FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
                FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
                FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
                FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
                FF - plugin: c:\documents and settings\Home\Application Data\Move Networks\plugins\npqmp071505000010.dll
                FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
                FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
                FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
                FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
                FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
                FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                .
                - - - - ORPHANS REMOVED - - - -

                Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                Toolbar-Locked - (no file)
                WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
                HKLM-Run-@OnlineArmor GUI - c:\program files\Emsisoft\Online Armor\oaui.exe



                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2010-11-06 21:27
                Windows 5.1.2600 Service Pack 3 NTFS

                scanning hidden processes ... 

                scanning hidden autostart entries ...

                scanning hidden files ... 

                scan completed successfully
                hidden files: 0

                **************************************************************************

                Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net
                Windows 5.1.2600 Disk: SAMSUNG_SP2004C rev.VM100-49 -> \Device\00000032

                device: opened successfully
                user: MBR read successfully
                error: Read  Incorrect function.
                kernel: MBR read successfully
                _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a;  }
                detected disk devices:
                \Device\0000006d -> \??\IDE#DiskSAMSUNG_SP2004C_________________________VM100-49#30534737314A4C55304332383830202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
                detected hooks:
                user & kernel MBR OK

                Registry trace:
                called modules: ntkrnlpa.exe hal.dll

                **************************************************************************
                .
                --------------------- LOCKED REGISTRY KEYS ---------------------

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
                @Denied: (A 2) (Everyone)
                @="FlashBroker"
                "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
                "Enabled"=dword:00000001

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
                @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

                [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
                @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

                [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
                @Denied: (A 2) (Everyone)
                @="IFlashBroker4"

                [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
                @="{00020424-0000-0000-C000-000000000046}"

                [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
                @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
                "Version"="1.0"
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'winlogon.exe'(552)
                c:\windows\system32\WININET.dll
                c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                - - - - - - - > 'lsass.exe'(612)
                c:\windows\system32\WININET.dll
                c:\windows\system32\setuid.dll

                - - - - - - - > 'explorer.exe'(2028)
                c:\windows\system32\WININET.dll
                c:\program files\TortoiseCVS\TortoiseShell.dll
                c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
                c:\windows\system32\ieframe.dll
                c:\windows\system32\webcheck.dll
                c:\windows\system32\WPDShServiceObj.dll
                c:\windows\system32\PortableDeviceTypes.dll
                c:\windows\system32\PortableDeviceApi.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                c:\windows\system32\LEXBCES.EXE
                c:\windows\system32\LEXPPS.EXE
                c:\windows\system32\msdtc.exe
                c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                c:\program files\Bonjour\mDNSResponder.exe
                c:\program files\Java\jre6\bin\jqs.exe
                c:\program files\Common Files\LightScribe\LSSrvc.exe
                c:\program files\Common Files\Motive\McciCMService.exe
                c:\windows\system32\nvsvc32.exe
                c:\windows\system32\tcpsvcs.exe
                c:\windows\System32\snmp.exe
                c:\windows\system32\mqsvc.exe
                c:\windows\system32\mqtgsvc.exe
                c:\windows\system32\wscntfy.exe
                c:\windows\RTHDCPL.EXE
                c:\windows\system32\RUNDLL32.EXE
                c:\program files\Lexmark 1200 Series\lxczbmon.exe
                c:\program files\E-Color\E-Color Indicator\TICIcon.exe
                c:\program files\iPod\bin\iPodService.exe
                c:\documents and settings\NetworkService\Application Data\mjusbsp\magicJack.exe
                .
                **************************************************************************
                .
                Completion time: 2010-11-06  21:36:17 - machine was rebooted
                ComboFix-quarantined-files.txt  2010-11-07 02:36

                Pre-Run: 16,530,817,024 bytes free
                Post-Run: 16,640,778,240 bytes free

                - - End Of File - - 73DF11FB62FDDEE199732022B7623C5F



                thammondwis

                  Topic Starter


                  Beginner

                  Re: Pc Problems
                  « Reply #40 on: November 07, 2010, 06:34:59 AM »
                  Hello,

Just to let you know what is currently going on with my computer.  I tried to go to the Microsoft update website via Internet Explorer/Tools/Windows Update and still get a message that I cannot connect.  I then went to the google home page and before I typed anything into the search box, a new Internet Explorer window opened.  I closed the pop up window before it loaded but AVG detected and blocked a threat - Exploit JavaScript Obfuscation (Type 1512), Process ID 1352.  I clicked on the more info link in the AVG threat window and a new Internet Explorer window opened, but then Internet Explorer froze up and I needed to End Task with the Windows Task Manager to close out Internet Explorer.

                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Pc Problems
                  « Reply #41 on: November 07, 2010, 11:07:18 AM »
                  Please go to Jotti's malware scan
                  (If more than one file needs scanned they must be done separately and links posted for each one)

                  * Copy the file path in the below Code box:

                  Code:
                  c:\program files\Real\RealUpgrade\realupgrade.exe
                  * At the upload site, click once inside the window next to Browse.
                  * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                  * Next click Submit file
                  * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                  * This will perform a scan across multiple different virus scanning engines.
                  * Important: Wait for all of the scanning engines to complete.
                  * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
                  ********************************
                  Download Dial-a-Fix by djlizard, save it to the desktop then extract it to its own folder.

                  •Open the folder and run Dial-a-fix.exe
                  •2 windows will open. Close the one in the background labeled Restrictive Policies
                  •Check the box in section 1, Empty temp folders.

                  •Check the box in section 2, Fix Windows Installer.

                  •Check the box in section 3, Fix Windows Update.

                  •Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked

                  •Check all boxes in section 5, labeled Registration Center.

                  •Click Go

                  •OK any error messages if received, but write them down and post them here.

                  Restart the computer when done.
                  ***************************************
                  SysProt Antirootkit

                  Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                  http://sites.google.com/site/sysprotantirootkit/

                  Unzip it into a folder on your desktop.
                  • Double click Sysprot.exe to start the program.
                  • Click on the Log tab.
                  • In the Write to log box select the following items.
                    • Process << Selected
                    • Kernel Modules << Selected
                    • SSDT << Selected
                    • Kernel Hooks << Selected
                    • IRP Hooks << NOT Selected
                    • Ports << NOT Selected
                    • Hidden Files << Selected
                  • At the bottom of the page
                    • Hidden Objects Only << Selected
                  • Click on the Create Log button on the bottom right.
                  • After a few seconds a new window should appear.
                  • Select Scan Root Drive. Click on the Start button.
                  • When it is complete a new window will appear to indicate that the scan is finished.
                  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                  Windows 8 and Windows 10 dual boot with two SSD's
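An added triage helper for the SysProt log this post asks for (not code from the thread, from SysProt or from either poster): it parses the section/record layout SysProt writes, as seen in the log posted later in this thread, groups SSDT hooks by the driver that owns them, lists hidden kernel modules and counts hidden objects per directory, so an analyst can see at a glance whether every hook belongs to one known vendor driver. The sample log is constructed and abridged; the separator width and the "Key: Value" record layout are assumptions taken from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample in SysProt's layout (separators shortened to four stars).
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
****
No Hidden Processes found
****
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_nvata.sys
Hidden: Yes
****
SSDT:
Function Name: ZwOpenProcess
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwTerminateProcess
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
****
No Kernel Hooks found
****
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
"""

def parse_sysprot(text):
    """Map each 'Header:' section to its list of 'Key: Value' records."""
    sections = {}
    for chunk in re.split(r"(?m)^\*{4,}[ \t]*$", text):
        lines = chunk.strip().splitlines()
        if not lines or not lines[0].endswith(":"):
            continue  # banner or a "No ... found" message: nothing to parse
        records = []
        for block in re.split(r"\n\s*\n", "\n".join(lines[1:]).strip()):
            rec = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            if rec:
                records.append(rec)
        sections[lines[0].rstrip(":")] = records
    return sections

def triage(text):
    """Summarise the findings an analyst reads first from a SysProt log."""
    s = parse_sysprot(text)
    base = lambda p: p.rsplit("\\", 1)[-1]
    hooks = defaultdict(list)  # SSDT entries grouped by owning driver file
    for r in s.get("SSDT", []):
        hooks[base(r["Driver Name"])].append(r["Function Name"])
    hidden = [base(r["Module Name"]) for r in s.get("Kernel Modules", [])
              if r.get("Hidden") == "Yes"]
    dirs = defaultdict(int)  # hidden objects counted per parent directory
    for r in s.get("Hidden files/folders", []):
        dirs[r["Object"].rsplit("\\", 1)[0]] += 1
    return {"ssdt_by_driver": dict(hooks), "hidden_modules": hidden,
            "hidden_dirs": dict(dirs)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the log posted later in this thread the grouping shows all four SSDT hooks owned by AVGIDSShim.Sys (an AVG driver, per its path) and every hidden object under C:\Qoobox, which is where ComboFix keeps its backups, so neither finding on its own points at a rootkit.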

                  thammondwis

                    Topic Starter


                    Beginner

                    Re: Pc Problems
                    « Reply #42 on: November 07, 2010, 02:26:35 PM »
                    Here is the link to the scan per your instructions.

                    http://virusscan.jotti.org/en/scanresult/788727fcf467c78e77c5b66887c9daf459a9c019/3e3553fe2c7a1792ce905423c40bc4fc921c59d7
                    « Last Edit: November 08, 2010, 12:19:42 PM by SuperDave »

                    thammondwis

                      Topic Starter


                      Beginner

                      Re: Pc Problems
                      « Reply #43 on: November 07, 2010, 03:41:33 PM »
                      I had an error in the dial-a-fix before the program started:

                      Dial-a-fix was unable to determine your version on Internet Explorer.  Certain DLL registrations will be skipped.

                      There wasn't a 2nd window labeled Restrictive Policies that opened.

                      Below are the error messages that occurred while the program was running. At the end, when I tried to restart the computer, I got an error message that realupgrade.exe is not responding and had to click on End Now to get the computer to reboot.

                      Error 127: C:\Windows\System32\iesetup.dll is not registerable or the file is corrupted. Your version of iesetup.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\iesetup.dll is not DLLInstall-able or the file is corrupted. Your version of iesetup.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\imgutil.dll is not registerable or the file is corrupted. Your version of imgutil.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\inseng.dll is not registerable or the file is corrupted. Your version of inseng.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\inseng.dll is not DLLInstall-able or the file is corrupted. Your version of inseng.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\mshtml.dll is not registerable or the file is corrupted. Your version of mshtml.dll is 8.00.6001.18975(?). Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\mshtml.dll is not DLLInstall-able or the file is corrupted. Your version of mshtml.dll is 8.00.6001.18975(?). Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\msrating.dll is not registerable or the file is corrupted. Your version of msrating.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\occache.dll is not registerable or the file is corrupted. Your version of occache.dll is 8.00.6001.18968. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\occache.dll is not DLLInstall-able or the file is corrupted. Your version of occache.dll is 8.00.6001.18968. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\pngfilt.dll is not registerable or the file is corrupted. Your version of pngfilt.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\webcheck.dll is not registerable or the file is corrupted. Your version of webcheck.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.

                      Error 127: C:\Windows\System32\webcheck.dll is not DLLInstall-able or the file is corrupted. Your version of webcheck.dll is 8.00.6001.18702. Please contact [email protected] so that an exception can be made for your version of this file.



                      thammondwis

                        Topic Starter


                        Beginner

                        Re: Pc Problems
                        « Reply #44 on: November 07, 2010, 04:44:25 PM »
                        Here is the Antirootkit Log:

                        SysProt AntiRootkit v1.0.1.0
                        by swatkat

                        ******************************************************************************************
                        ******************************************************************************************

                        No Hidden Processes found

                        ******************************************************************************************
                        ******************************************************************************************
                        Kernel Modules:
                        Module Name: \SystemRoot\System32\Drivers\dump_nvata.sys
                        Service Name: ---
                        Module Base: F3CD2000
                        Module End: F3CEC000
                        Hidden: Yes

                        Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                        Service Name: ---
                        Module Base: F79A5000
                        Module End: F79A7000
                        Hidden: Yes

                        ******************************************************************************************
                        ******************************************************************************************
                        SSDT:
                        Function Name: ZwOpenProcess
                        Address: F67356C0
                        Driver Base: F6733000
                        Driver End: F673D000
                        Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                        Function Name: ZwTerminateProcess
                        Address: F6735770
                        Driver Base: F6733000
                        Driver End: F673D000
                        Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                        Function Name: ZwTerminateThread
                        Address: F6735810
                        Driver Base: F6733000
                        Driver End: F673D000
                        Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                        Function Name: ZwWriteVirtualMemory
                        Address: F67358B0
                        Driver Base: F6733000
                        Driver End: F673D000
                        Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

                        ******************************************************************************************
                        ******************************************************************************************
                        No Kernel Hooks found

                        ******************************************************************************************
                        ******************************************************************************************
                        Hidden files/folders:
                        Object: C:\Qoobox\BackEnv\AppData.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Cache.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\History.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Music.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Personal.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Programs.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Recent.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\SetPath.bat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\SysPath.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\Templates.folder.dat
                        Status: Access denied

                        Object: C:\Qoobox\BackEnv\VikPev00
                        Status: Access denied