
DEP Services and Controller app


4 replies to this topic

#1 Too Much Pron

  • Members
  • 34 posts

Posted 10 November 2009 - 09:27 AM

At this time, the only problem I see is that when starting my account, a "Data Execution Prevention" box comes up. Name: "Services and Controller app", Publisher: Microsoft Corporation. If I close it, it reappears; if I close it a second time, it appears to be done.

This started when a file in windows/sa23sl.exe was trying to access the internet; when I blocked it, the computer would start a timer and then shut down.

In safe mode, I deleted this file. Then I ran a full scan with Malwarebytes Anti-Malware (though the database was a little outdated, 8/1/09). It found a bunch of viruses that I deleted. I then updated the database and ran a quick scan, for which it found one virus (I removed that as well).

Any advice would be greatly appreciated.

Here are the logs for the Malwarebytes scans:

First Scan Log with 8/1/09 database (full scan)

Malwarebytes' Anti-Malware 1.39
Database version: 2546
Windows 5.1.2600 Service Pack 3

11/10/2009 8:38:22 AM
mbam-log-2009-11-10 (08-38-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 278513
Time elapsed: 1 hour(s), 17 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 8
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{37b85a2a-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{37b85a2c-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{43382522-a846-46f4-ac57-1f71ae6e1086} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72a836d1-bc00-43c0-a941-17960e4fb842} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ef281620-a3a3-4f08-874f-d68cfc9b7945} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{37b85a20-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{127df9b4-d75d-44a6-af78-8c3a8ceb03db} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09f1adac-76d8-4d0f-99a5-5c907dadb988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyGlobalSearch (Adware.BookedSpace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ACM.dll (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Save (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\Program Files\winupdates (Worm.P2P) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\DivX\divx converter\pS2Xx.ddc (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Cache\00204E53 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Cache\0020517F (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Cache\0020522B.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Cache\00205E9F.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Cache\00205F0C.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\History\search (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\myglobalsearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\program files\Save\ffext.mod (Adware.WhenUSave) -> Quarantined and deleted successfully.
c:\program files\Save\save.db (Adware.WhenUSave) -> Quarantined and deleted successfully.
c:\program files\Save\save.htm (Adware.WhenUSave) -> Quarantined and deleted successfully.
c:\program files\Save\store.db (Adware.WhenUSave) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\regedit.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\cmd.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ping.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\netstat.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tasklist.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tracert.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\taskkill.com (Worm.P2P) -> Quarantined and deleted successfully.
C:\Program Files\ICQToolbar\toolbaru.dll (Adware.BHO) -> Quarantined and deleted successfully.


Second Scan Log with current database (quick scan)

Malwarebytes' Anti-Malware 1.41
Database version: 3138
Windows 5.1.2600 Service Pack 3

11/10/2009 9:02:05 AM
mbam-log-2009-11-10 (09-02-05).txt

Scan type: Quick Scan
Objects scanned: 148452
Time elapsed: 10 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#2 Ken-in-West-Seattle

  • Members
  • 518 posts

Posted 10 November 2009 - 10:15 AM

Every time I have had that serious an infestation to fix, even with heroic measures to remove the viruses and malware, I ended up doing a nuke and reload. I sometimes get by with a repair install for a while until I locate all the stuff needed and update the file backups. Odd errors and inexplicable command line failures can sometimes be fixed with CCleaner.

Start thinking about the state of your backups and the disks and serial numbers needed to do a complete reinstall.

The moderators will decide if you need to be moved to a malware fix thread.

Good luck

The Alcra worm is especially bad, and it is hard to be sure all the stuff it might have downloaded is cleaned up. It also shares your directories in LimeWire, so make sure that is blocked right away.

#3 joseibarra

  • Members
  • 1,186 posts
  • Gender:Male
  • Location:Downstairs

Posted 10 November 2009 - 11:36 AM

DEP error messages occur when Windows feels threatened by some application, so it is obviously not a good thing. XP knows what it needs to protect, so XP is doing its job of trying to protect your system. You should figure out what the deal is and fix it.

The DEP error and the whole timer countdown thing sound like your system has been compromised, and MBAM is trying to help.

I do not see the logic in ever letting MBAM do a quick scan unless you are in some kind of big hurry - why skip files? Just do the full scan and get it over with and not wonder later if the quick scan might have missed something. I know it sometimes wants to do a quick scan after a full, but always run a full again yourself. I would include a reboot in the process.

I like MBAM and SAS in that order and will always try to run them both once in a while and alternate since no one program can know about everything.

Download, install, update and do a full scan with these free malware detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

If the scans are clean and you still have issues, then they can be addressed.

If MBAM will not run clean with a full scan, you need to post in the Am I Infected forum.

If you run CCleaner, I would stay away from the Registry tool.

Edited by joseibarra, 10 November 2009 - 11:37 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#4 Too Much Pron
  • Topic Starter

  • Members
  • 34 posts

Posted 10 November 2009 - 03:39 PM

Ran both full scans. MBAM nothing. SAS a few items. When rebooted, the problem with DEP did not show up.

Thanks both of you guys!

#5 joseibarra

  • Members
  • 1,186 posts
  • Gender:Male
  • Location:Downstairs

Posted 10 November 2009 - 03:48 PM

That's good :thumbsup:
