Questionable Malwarebytes results



#1 kristjan b


Posted 19 July 2009 - 06:56 PM

Hello

I have been trying to install a Windows update (update I'm trying to download) for quite a while and am having some trouble doing so.

It seems to install fine, but when I restart my computer, the yellow shield says I have more updates to install, and it turns out to be the same one.

I decided to run Malwarebytes in Safe Mode to see if it could find anything.

The results:

Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 5.1.2600 Service Pack 3

19/07/2009 5:54:39 PM
mbam-log-2009-07-19 (17-54-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 183743
Time elapsed: 1 hour(s), 12 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> No action taken.
c:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.

Now normally I would just remove these things, but I thought I should ask someone more knowledgeable than myself, considering that AVG and Spybot didn't find anything (although I don't think TeaTimer is working too well), and I thought WinAntiVirus might have some popups, which I am not getting.

Let me know what you think.

kris
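A small triage script for logs in this Malwarebytes 1.x layout, added here as an example (it is not part of the thread and not Malwarebytes' own code): it checks the declared counts against the items actually listed, separates "No action taken" entries from quarantined ones, and singles out registry hits that are real load points (such as ShellExecuteHooks) from the Ext\Stats add-on usage traces. The sample log is a constructed excerpt modelled on the log above, and the AUTOSTART_MARKERS list is an assumption.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs (example, not MBAM code)."""
import re
from collections import Counter

# Constructed sample in the MBAM 1.39 log layout, modelled on the log above:
# a few of its entries plus one already-quarantined item, not the full log.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 183743

Memory Processes Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> No action taken.

Files Infected:
c:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Infected: (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Infected:$")
# "<item> (<threat>) -> <action>."  The threat name never contains parentheses,
# so anchoring on the last "(...)" before "->" is safe even for odd paths.
DETECT_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Assumption: registry locations that actually load code at logon/Explorer start.
# Ext\Stats keys, by contrast, only hold Internet Explorer add-on usage statistics,
# so hits there are traces of a past install rather than a live load point.
AUTOSTART_MARKERS = (
    "\\CurrentVersion\\Run",
    "\\Explorer\\ShellExecuteHooks\\",
    "\\Winlogon\\",
)

def parse_mbam_log(text):
    """Return {'summary': {section: declared_count}, 'detections': [dicts]}."""
    summary, detections, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["section"]
            continue
        m = DETECT_RE.match(line)
        if current and m:
            detections.append({"section": current, **m.groupdict()})
    return {"summary": summary, "detections": detections}

def count_mismatches(parsed):
    """Sections whose declared count differs from the items actually listed."""
    listed = Counter(d["section"] for d in parsed["detections"])
    return {s: (n, listed[s]) for s, n in parsed["summary"].items() if n != listed[s]}

def pending_items(parsed):
    """Detections the scan only reported (i.e. the scan ran without removal)."""
    return [d for d in parsed["detections"] if d["action"].startswith("No action taken")]

def threat_families(parsed):
    """Count detections by family prefix (Trojan, Adware, Rogue, ...)."""
    return Counter(d["threat"].split(".")[0] for d in parsed["detections"])

def live_load_points(parsed):
    """Registry hits in locations that run code, as opposed to usage traces."""
    return [d for d in parsed["detections"]
            if d["section"].startswith("Registry")
            and any(mk.lower() in d["item"].lower() for mk in AUTOSTART_MARKERS)]

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(dict(threat_families(parsed)), len(pending_items(parsed)), count_mismatches(parsed))
```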



#2 Blade


Posted 19 July 2009 - 08:59 PM

Hello kristjan b,

Please update Malwarebytes, then run a quick scan in Normal Mode and select to remove all entries found. Then please post the log back here for my review.

~Blade

In your next reply, please include the following:
Malwarebytes log

Edited by Blade Zephon, 19 July 2009 - 08:59 PM.



#3 kristjan b


Posted 20 July 2009 - 02:03 PM

Okay, here's the log:
Malwarebytes' Anti-Malware 1.39
Database version: 2465
Windows 5.1.2600 Service Pack 3

19/07/2009 10:58:00 PM
mbam-log-2009-07-19 (22-58-00).txt

Scan type: Quick Scan
Objects scanned: 95780
Time elapsed: 16 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.


Okay, so then I restarted my computer and did another scan to make sure it was clean:
Malwarebytes' Anti-Malware 1.39
Database version: 2465
Windows 5.1.2600 Service Pack 3

19/07/2009 11:39:19 PM
mbam-log-2009-07-19 (23-39-19).txt

Scan type: Quick Scan
Objects scanned: 95560
Time elapsed: 15 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I tried to install the Windows update again and it still wouldn't let me. And shouldn't TeaTimer have popped up telling me there are changes to the registry after the scan was done? Because it hasn't been doing that for a while.

kris

#4 Blade


Posted 20 July 2009 - 10:33 PM

Whatever is on your system may have rendered TeaTimer nonfunctional. Something is still hiding. Let's dig deeper with a rootkit scan.

Please install RootRepeal.
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed: L@@K.
Unzip that (7-zip tool if needed), and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

~Blade

In your next reply, please include the following:
RootRepeal log

Edited by Blade Zephon, 20 July 2009 - 10:35 PM.



#5 kristjan b


Posted 21 July 2009 - 04:40 PM

Here you are, my good Sir.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:			2009/07/21 16:29
Program Version:		Version 1.3.2.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF85E000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BCB000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE669000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_498.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\kathy  borgfjord\application data\apple computer\preferences\com.apple.safari.plist
Status: Size mismatch (API: 2514, Raw: 2519)

Path: C:\Documents and Settings\Kathy  Borgfjord\Application Data\Apple Computer\Safari\com.apple.Safari.plist
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kathy  Borgfjord\Local Settings\Temporary Internet Files\Content.IE5\CXUC4IT3\flash[1].vbs
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kathy  Borgfjord\Local Settings\Temporary Internet Files\Content.IE5\EQ70T8AW\flash_activex[1].vbs
Status: Locked to the Windows API!

SSDT
-------------------
#: 011	Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaee2a0

#: 031	Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaed7c2

#: 037	Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaede5c

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaeea6a

#: 046	Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaed51c

#: 050	Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaef776

#: 052	Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaee486

#: 053	Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaed0ea

#: 063	Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaee6d4

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaee884

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaece4c

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaef3f8

#: 105	Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaeda46

#: 116	Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaee094

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaecb7c

#: 125	Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaedcd6

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaeccf4

#: 192	Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaeee30

#: 200	Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaed63a

#: 210	Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaef194

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaef5a6

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaeec30

#: 249	Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaed9e0

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaedbca

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaed3e6

#: 258	Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaed2b4

==EOF==
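An added example (not part of the thread and not RootRepeal's own code) that parses the SSDT and Drivers sections of a report in this layout, groups the SSDT hooks by the driver that placed them, and flags any hooking module outside an expected list, plus any hidden driver that is not a crash-dump shadow or the scanner itself. The KNOWN_HOOKERS set and the EXPECTED_HIDDEN pattern are assumptions for this host, and the sample report is a constructed excerpt with one made-up hooking module so the flagging path is exercised.

```python
"""Triage helper for RootRepeal's SSDT and Drivers sections (example, not RootRepeal code)."""
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal 1.3.2.0 report layout, modelled on the log above.
# The NtTerminateThread hook by "unknown_example.sys" is made up; the rest mirrors the report.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF85E000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE669000    Size: 49152    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 037    Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaede5c

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xefaecb7c

#: 258    Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\unknown_example.sys" at address 0xf7a01234

==EOF==
"""

RULE_RE = re.compile(r"^-{5,}$")
FUNC_RE = re.compile(r"^#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)$")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$')
NAME_RE = re.compile(r"^Name:\s*(?P<name>\S+)$")
INFO_RE = re.compile(r"^Address:\s*0x[0-9a-fA-F]+\s+Size:\s*(?P<size>\d+)\s+File Visible:\s*(?P<visible>\S+)")

# Assumption: modules expected to hook the SSDT on this host.  cmdguard.sys is Comodo's
# Defense+/firewall driver, consistent with the Comodo firewall mentioned later in the thread.
KNOWN_HOOKERS = {"cmdguard.sys"}
# Crash-dump shadow drivers (dump_*.sys) and the scanner's own driver are normally
# reported with "File Visible: No"; any other hidden driver deserves a closer look.
EXPECTED_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)

def split_sections(text):
    """Map section title -> its lines, using the dashed rule printed under each title."""
    lines, sections, current = text.splitlines(), defaultdict(list), None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and RULE_RE.match(lines[i + 1].strip()):
            current = line.strip()
        elif current and not RULE_RE.match(line.strip()):
            sections[current].append(line.rstrip())
    return sections

def parse_ssdt(lines):
    """Pair each '#: nnn  Function Name:' line with the Status line beneath it."""
    hooks, pending = [], None
    for line in lines:
        f, h = FUNC_RE.match(line), HOOK_RE.match(line)
        if f:
            pending = {"index": int(f["index"]), "func": f["func"]}
        elif h and pending:
            hooks.append({**pending, "module": h["module"], "addr": int(h["addr"], 16)})
            pending = None
    return hooks

def parse_drivers(lines):
    """Collect driver name, size and the File Visible flag from each Drivers entry."""
    drivers, name = [], None
    for line in lines:
        n, i = NAME_RE.match(line), INFO_RE.match(line)
        if n:
            name = n["name"]
        elif i and name:
            drivers.append({"name": name, "size": int(i["size"]), "visible": i["visible"]})
            name = None
    return drivers

def triage_ssdt(hooks):
    """Per hooking module: whether it is expected, hook count, and handler address spread."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"].rsplit("\\", 1)[-1].lower()].append(h)
    return {m: {"known": m in KNOWN_HOOKERS, "count": len(es),
                "span": max(e["addr"] for e in es) - min(e["addr"] for e in es),
                "functions": sorted(e["func"] for e in es)}
            for m, es in by_module.items()}

def unexpected_hidden_drivers(drivers):
    """Names of drivers reported as not visible that are not on the expected list."""
    return [d["name"] for d in drivers
            if d["visible"].lower() == "no" and not EXPECTED_HIDDEN.match(d["name"])]
```

Handlers placed by one legitimate driver sit close together inside its image (a small span), so a module with a handful of hooks scattered across memory, or one absent from the expected list, is what to look at first.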


#6 Blade


Posted 21 July 2009 - 11:06 PM

Nothing suspicious there... Try uninstalling and reinstalling Spybot and see if that fixes the TeaTimer problem. Before you do that though, please do the following:

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
~Blade

In your next reply, please include the following:
SUPERAntiSpyware log

Edited by Blade Zephon, 21 July 2009 - 11:06 PM.



#7 kristjan b


Posted 22 July 2009 - 09:44 PM

I reinstalled Spybot S&D and scanned with SUPERAntiSpyware.

Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2009 at 09:23 PM

Application Version : 4.26.1006

Core Rules Database Version : 4012
Trace Rules Database Version: 1952

Scan type	   : Complete Scan
Total Scan Time : 01:20:46

Memory items scanned	  : 218
Memory threats detected   : 0
Registry items scanned	: 6343
Registry threats detected : 2
File items scanned		: 23523
File threats detected	 : 11

Adware.MyWebSearch
	HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}
	HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}

Adware.Tracking Cookie
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@ads.addesktop[1].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@findaperson.canada411[1].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@bizrate[1].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@adknowledge[2].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@apmebf[2].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@mywebsearch[1].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@maxserving[1].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@mailtrack.rnm[2].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@partypoker[2].txt
	C:\Deckard\System Scanner\20080306160756\backup\DOCUME~1\KATHYB~1\LOCALS~1\Temp\Cookies\kathy  borgfjord@counter.rewardsnetwork[1].txt
	C:\Deckard\System Scanner\20080306160756\backup\WINDOWS\temp\Cookies\kathy  borgfjord@mywebsearch[1].txt


I'm starting to think it's not a virus and might be something else. I looked up my problem and found a program called Dial-a-Fix: dial-a-fix @ cnet. What do you think about that? Also, do you know of a way I could test TeaTimer?

kris

#8 Blade


Posted 22 July 2009 - 10:39 PM

Well you did have malware on your machine. We appear to have gotten rid of it now though. Everything SUPERAntiSpyware found just looks like remnants.

Good job on research! Dial-a-Fix was actually the next step I had planned. It does a fantastic job of fixing issues with Windows Update. Only thing that should be kept in mind is that this program is only for XP. Using it on Vista will not work and may cause further damage to your system. (This was said primarily for the benefit of others who may be reading this topic.)

So download Dial-a-Fix and use it to repair Windows Update. Here is a link to some instructions: How To Use Dial-a-fix To Repair Windows Internals Problems

For testing TeaTimer, we need to do something that causes changes to be made to the registry. Dial-a-Fix may cause it to throw up a flag, but if it doesn't the easiest way to do that in my opinion would be installing a program. But let's uninstall and reinstall something you're already using so you don't end up with any extra junk on your machine. How about Malwarebytes? Uninstall Malwarebytes via Add/Remove Programs and then Reboot the computer. Then go and download a new copy from Malwarebytes Anti-Malware and reinstall it. If TeaTimer still doesn't go off after this, let me know!

~Blade



#9 kristjan b


Posted 23 July 2009 - 01:07 PM

Errors:

It said that it couldn't tell which version of IE I had; I imagine it's because I have the newest version.


c:\windows\system32\iesetup.dll is not registered or is corrupted
------------ is not dllinstall-able or the file is corrupted. your version is 8.00.6001.18702
c:\windows\system32\imgutil.dll is not registered or is corrupted. your version is 8.00.6001.18702
c:\windows\system32\inseng.dll is not registered or is corrupted. ....
------------ is not dllinstall-able or the file is corrupted. your version is 8.00.6001.18702
...mshtml.dll is not registered or is corrupted. .... and is also not dllinstall-able

Okay, I think that's enough errors for today.

Maybe I should have just used it to repair Windows Update :thumbsup:

Okay, in my next post I'll see if the Windows updates and TeaTimer are working.

Edited by kristjan b, 23 July 2009 - 01:13 PM.


#10 Blade


Posted 23 July 2009 - 01:17 PM

Alrighty... I'll watch for your next reply.



#11 kristjan b


Posted 23 July 2009 - 03:12 PM

Alright... well, it looks like Dial-a-Fix didn't fix my problem, and TeaTimer still isn't working.
I reinstalled Malwarebytes and didn't get anything from TeaTimer. I thought it might be my firewall (Comodo) blocking TeaTimer,
so I opened up Spybot and removed the startup entry for MSN. I know that MSN re-adds itself to the startup every time it runs, so I ran MSN again, and it put the startup entry back, but there was still no message from TeaTimer.

What do you think?

#12 Blade


Posted 23 July 2009 - 06:14 PM

Can you look in the Spybot settings and see if TeaTimer is currently enabled? You may have to switch to advanced mode to do this.



#13 kristjan b


Posted 24 July 2009 - 02:36 PM

Yes, it is enabled. I found out Spybot has a log of everything TeaTimer does (I think) and, well, just look for yourself.

23/07/2009 2:18:15 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
23/07/2009 3:02:55 PM Allowed (based on lassh blacklist) value "msnmsgr" (new data: "") deleted in System Startup user entry!
23/07/2009 3:03:49 PM Allowed (based on lassh blacklist) value "msnmsgr" (new data: ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background") added in System Startup user entry!

So it's keeping track of things, but I'm not seeing a pop-up...
Also, something weird happened. I tried to download the update for Windows, and it didn't work, but then like 4 hours later it popped up and said it was ready to install them, which hasn't happened yet. I clicked install and that was the last I saw of the yellow shield, although when I go to restart my computer, it doesn't show that I can install updates like it did before.

Also, I'm probably going away for the weekend.

I have no idea what to do next
kris

#14 Blade


Posted 24 July 2009 - 10:13 PM

I think I know what's going on with TeaTimer, and I'm pretty sure we can fix it. I'll have to do a bit of research to get the exact process together though. I should have something ready for you when you return from your weekend away. Have a safe trip!



#15 kristjan b


Posted 26 July 2009 - 02:14 PM

Well, I didn't end up going on that trip because my dad had work and I had to help him. That sounds like good news to me; I look forward to hearing your response.

kris
