Variety of scary behaviors!


  • This topic is locked
14 replies to this topic

#1 mbradley

mbradley

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:46 PM

Posted 01 March 2009 - 05:51 PM

Here is an account of what has recently been experienced:
1. McAfee cannot update or scan. When launching scan, get error: unable to create gObjHelper {....hex....}, then unable to create gObjRegHelper{....hex}. When trying update, message is ".......there is no internet connection".

2. Cannot update Malwarebytes Anti-Malware. Message is: no internet connection.

3. Unable to boot in Safe Mode. Tried msconfig setting for reboot, tried F8....either way boot appears to almost go in to Safe Mode but then reverts to normal mode.

3. Downloaded DDS fine but when executing, caused system to reboot and then multiple instances of Windows Installer launched after Windows restart completed.

Scary to me. I am posting here before doing anything else.




Process list saved on 2:48:58 PM, on 3/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
620 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
708 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
752 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
772 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
944 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1220 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1644 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1912 C:\WINDOWS\Explorer.EXE 6.0.2900.3156 Microsoft Corporation
152 C:\WINDOWS\system32\S3tray2.exe 1.0.11.1004 S3 Graphics, Inc.
248 C:\Program Files\Scansoft\PaperPort\pptd40nt.exe 8.10.1.330 ScanSoft, Inc.
296 C:\Program Files\McAfee.com\Agent\mcagent.exe 9.3.137.0 McAfee, Inc.
304 C:\HP\KBD\KBD.EXE 1.0.2.0 Hewlett-Packard Company
424 C:\Program Files\iTunes\iTunesHelper.exe 8.0.1.11 Apple Inc.
456 C:\windows\system\hpsysdrv.exe 1.7.0.0 Hewlett-Packard Company
472 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe 2.335.2.0 HP
480 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe 5.0.0.0 Hewlett-Packard Company
500 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe 2.1.1.0 Hewlett-Packard Company
372 C:\Program Files\Common Files\AOL\1235445774\ee\AOLSoftware.exe 16.2.3.1 AOL LLC
776 C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe 1.0.0.38 WildTangent
1100 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe 5.3.5.10 Roxio
1108 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe 6.0.70.6 Sun Microsystems, Inc.
1136 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.2180 Microsoft Corporation
1148 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe 2.0.301.1654 Google Inc.
1164 C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe 4.5.2.0 Motive Communications, Inc.
1208 C:\Program Files\E-Color\Colorific\hgcctl95.exe 99.30.0.28 E-Color, Inc. formerly Sonnetech Ltd.
1436 C:\Program Files\E-Color\True Internet Color\TICIcon.exe 2.0.0.39 E-Color, Inc.
216 C:\WINDOWS\system32\PackethSvc.exe 6.0.0.6 America Online, Inc.
444 C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe 4.6.1.2 AOL LLC
496 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 2.11.32.0 Apple Inc.
332 C:\Program Files\Bonjour\mDNSResponder.exe 1.0.5.11 Apple Inc.
576 C:\WINDOWS\System32\drivers\CDAC11BA.EXE 4.16.50.0 Macrovision
520 C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe 2.4.1368.5602 Google
2020 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe 9.3.137.0 McAfee, Inc.
2112 c:\program files\common files\mcafee\mna\mcnasvc.exe 3.3.104.0 McAfee, Inc.
2220 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe 3.3.104.0 McAfee, Inc.
2300 C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe 14.0.0.405 McAfee, Inc.
2328 C:\Program Files\McAfee\MPF\MPFSrv.exe 10.3.106.0 McAfee, Inc.
2416 C:\WINDOWS\System32\nvsvc32.exe 5.13.1.1570 NVIDIA Corporation
2612 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2792 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2992 C:\Program Files\iPod\bin\iPodService.exe 8.0.1.11 Apple Inc.
3676 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe 13.3.123.0 McAfee, Inc.
2736 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
3476 C:\Program Files\Internet Explorer\iexplore.exe 7.0.6000.16791 Microsoft Corporation
4088 C:\WINDOWS\system32\hpbpro.exe 1.0.45.0 Hewlett-Packard Company
988 C:\WINDOWS\system32\hpboid.exe 1.0.45.0 Hewlett-Packard Company
4024 C:\Program Files\Internet Explorer\iexplore.exe 7.0.6000.16791 Microsoft Corporation
3932 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.
3012 C:\WINDOWS\notepad.exe 5.1.2600.2180 Microsoft Corporation


Edited by mbradley, 01 March 2009 - 06:20 PM.



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:46 AM

Posted 01 March 2009 - 06:48 PM

Hello mbradley,

Have a run with MBAM even though you cannot update it and post the report in your reply, if you can. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

Posted 01 March 2009 - 08:08 PM

Hello,

I think I see what you did. PLEASE do not edit your posts, but rather use the Add Reply button. I am just now seeing this, and that's why I asked you where you posted it. Can you please also tell me if you were able to run MBAM? And I need to see a new HijackThis log if you were, not the Process List. :thumbup2:

Thanks,
tea

#4 mbradley

mbradley
  • Topic Starter

Posted 02 March 2009 - 01:19 AM

Sorry for confusion.... I am new to the site and am a bit punchy from trying to fix this for so many many hours.

McAfee started a scan on its own (could not manually get scan to run) so I have been waiting for that to conclude.

I can probably get both the MBAM and new Hijackthis reports as soon as McAfee finishes.

Thank you lots.

MB

#5 teacup61

Posted 02 March 2009 - 04:44 AM

You're welcome lots, and don't worry about it. I know it's frustrating.

Post when you're ready. :thumbup2:

tea

#6 mbradley

Posted 02 March 2009 - 05:13 PM

Hi,

Attached new MBAM report and one from 2 days ago, also latest HijackThis.

Symptoms remain.



#7 teacup61

Posted 03 March 2009 - 01:30 AM

Hello,

This computer had some very old infections on it. :thumbup2:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplu...ptdmgainads.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following file(s)(if they exist):

C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
AutoPlay.exe <----you'll have to do a Windows search for this one.

Reboot your computer.

How is it running now please?

tea
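
The fix list from post #7 split into fields, as an added example that is not part of the original thread and not code from HijackThis: it parses each entry into section code, location, CLSID and target, and flags entries that point at nothing. The field names and the `orphan` rule (target empty or "(no file)") are assumptions of this example.

```python
import re

# HijackThis section codes that appear in this thread.
SECTIONS = {
    "R3": "Internet Explorer URLSearchHook",
    "O4": "autostart (Run key or Startup folder)",
    "O16": "ActiveX control (Downloaded Program Files)",
}

# The six entries from the post, copied as they appear on the page.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplu...ptdmgainads.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<where>[^:]+):\s*(?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NAMED = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")

def parse_entry(line):
    """Split one log line into its fields; return None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if m is None:
        return None
    rest = m["rest"].strip()
    named = NAMED.match(rest)
    clsid = CLSID.search(rest)
    if named:   # O4 Run-key form: [value name] command line
        target = named["cmd"]
    else:       # other forms: fields separated by " - ", target is the last one
        target = re.split(r"\s-(?:\s|$)", rest)[-1].strip()
    return {
        "code": m["code"],
        "section": SECTIONS.get(m["code"], "unknown"),
        "where": m["where"],
        "name": named["name"] if named else None,
        "clsid": clsid.group(0) if clsid else None,
        "target": target,
        "orphan": target in ("", "(no file)"),  # example's own rule
    }

def parse_log(text):
    """Parse every entry line in a pasted log fragment."""
    return [e for e in map(parse_entry, text.splitlines()) if e]
```

Run over `FIX_LIST`, the R3 hook and the second O16 control are the two entries flagged as pointing at nothing.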

#8 mbradley

Posted 03 March 2009 - 02:06 AM

Hi Tea,

I will reboot and see. Found all but HKLM\..\RUN KernelFaultCheck with HiJackThis scan. Fixed/deleted.

I have 3 AutoPlay.exe. Deleting.

#9 teacup61

Posted 03 March 2009 - 02:11 AM

Okay...let me know how it goes, and how it's running. :thumbup2:

tea

#10 teacup61

Posted 03 March 2009 - 02:15 AM

ADDITION: Can you tell me if these problems have gone away?

1. McAfee cannot update or scan. When launching scan, get error: unable to create gObjHelper {....hex....}, then unable to create gObjRegHelper{....hex}. When trying update, message is ".......there is no internet connection".

2. Cannot update Malwarebytes Anti-Malware. Message is: no internet connection.

3. Unable to boot in Safe Mode.



#11 mbradley

Posted 03 March 2009 - 08:53 PM

Hi,

Seems to be much improved. McAfee or MBAM still cannot connect to internet for updates.

I would like to run a scan with updated virus, spyware, malware tools.

Should I disable System Restore and boot in safe mode to run some more scans? I rolled the System back a few days first thing after the weirdness started. That means my new install of TurboTax has probably been copied somewhere but is no longer showing. How can I uninstall all that TurboTax that must be sitting there (doesn't show in Add/Remove programs) before I reinstall it?

Trying to figure.

Thank you!

MB

#12 mbradley

Posted 03 March 2009 - 09:43 PM

Hi,

Attached is a new HiJackThis log if handy for a look.

Thank you! MB



#13 teacup61

Posted 04 March 2009 - 02:50 AM

Hello,

Please do not disable System Restore. If something goes awry somewhere, then you'll have nothing to go back to next time. :thumbup2: Do a Windows Search for your tax program. If it doesn't show up, then it went away when you did the system restore.

Might seem like a silly question, but have you tried uninstalling MBAM and McAfee and reinstalling since we've done these fixes? Sometimes the malware corrupts them. You originally said you couldn't boot into Safe Mode....but in your last post you asked if I wanted you to. Does that mean that you can now boot into Safe Mode? :)

tea

#14 mbradley

Posted 04 March 2009 - 11:21 PM

Hi,

I must read your questions more carefully so I will actually answer what you ask....

I was able to boot into Safe Mode by messing around a lot and it still does not boot from F8 on start. When I go to msconfig and set it for Diagnostic Start, I get a message "An Access Denied error was returned while attempting to change a service. You may need to log on using an administrator account to make specified changes". Well, my login is the administrator. Even with that message, when I reboot it will start in safe mode. When I go to change it back in msconfig, I get the same message but it makes the change anyway. So, that's the safe mode story for now.

The other 2 original problems I cited are still present.

I will go ahead and uninstall/reinstall MBAM and McAfee and see if I am good. Finding the tax program files was doable. I wondered if a utility to do that was recommended but I just deleted what I found for the 2008 program I had recently installed (which had been renamed by system restore with a (2) after the original file names).

Oh, another thing,....the browser is noticeably slower than normal, it takes longer to follow a link, go to another page and generally acts like it is busy handling malware chores (paranoid now?).

Another item occurred where at startup Windows Installer kept launching and wanted PhotoGallery. I used the Windows Install Clean Up program and just deleted PhotoGallery from the list. That fixed that but I don't know if that means I have a less than complete application somewhere now.

Thank you!

MB

#15 teacup61

Posted 15 March 2009 - 09:20 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



