
Event Viewer Info & More-Am I Infected?


  • This topic is locked
22 replies to this topic

#1 Bub12 (Members, 144 posts)

Posted 12 November 2009 - 02:32 PM

Hi,

So as not to make this post any longer than it already is, here are the two links from other threads that I started pertaining to my issues which led me here per the suggestion of Hamluis. The following is a post that was initially directed for him. BTW, I am sorry for making it necessary to jump around to other threads.

I've been doing some fiddling in areas of which I know little & am causing myself various levels of panic :thumbsup: & I thought you might be able to help.

Anyway, I have been continuing to look in my event viewer for signs of issues pertaining to the following threads:

http://www.bleepingcomputer.com/forums/ind...=270180&hl=

http://www.bleepingcomputer.com/forums/t/269492/dr-watson-post-mortum-debugging-error/

A couple days ago I noticed a couple of warnings that I thought I would investigate which led me here,

http://www.microsoft.com/technet/support/e...p&LCID=1033

Well, I did not have any "TCP state SYN_SENT in the State column of the Active Connections information" so I figured I was ok but I started to poke around & searched for some of the IP addresses that did appear in the command prompt after typing in "Netstat -no" & the results made me nervous, although I do not understand what the results mean. Some IP's were Google, which I assumed were ok but one IP, for example, led me to the following:

OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

Seems to be a large, reputable company but some folks at McAfee Site Advisor have negative things to say, which is common with large companies.

So, would you be able to clarify some of this for me? Any help would be greatly appreciated as I have yet to get a reply from the Avast forum, so I am still a bit concerned about all of the issues I have been experiencing. I am still thinking that I am not infected but just having some Windows & program issues. What do you think?

UPDATE: AVAST SAYS THEIR WARNING & ERRORS MESSAGES DO NOT SEEM TO BE SIGNS OF INFECTIONS BUT SUGGESTED THAT I SUBMIT THE YAHOO ERROR TO AVAST FOR FURTHER ANALYSIS ALTHOUGH THAT FILE SEEMS TO BE A NORMAL YAHOO WIDGET FILE. THAT ERROR IS NOW GONE AFTER AM UNINSTALL & REINSTALL OF MESSENGER.

But I still have confusion pertaining to the above info in this post. I am assuming that the Postmortem Debugger issue worked itself out & were related to the spooler error however, I am not sure & may never be. Any thoughts would be appreciated. I take that back...any thoughts that are not insulting & are pertinent would be appreciated :flowers: I don't think I am infected but, taking Louis' suggestion, I am posting this here too.

Thanks!

Edited by Bub12, 12 November 2009 - 02:33 PM.
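The `netstat -no` check the post describes, as an added Python example that is not part of the original thread: it parses the command's output, counts SYN_SENT connections per process (the condition the Microsoft article has you look for) and collects the remote addresses per PID so they can be looked up the way the poster did. The sample output is constructed with documentation-range addresses, and the threshold of three half-open connections is an assumption, not a figure from the article.

```python
"""Triage `netstat -no` output: SYN_SENT count per process and remote hosts per PID.
Added example; the sample below is constructed, not captured from the poster's PC."""
from collections import Counter, defaultdict

# Constructed sample in the layout Windows XP's `netstat -no` prints.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1034        198.51.100.7:80        ESTABLISHED     1840
  TCP    192.0.2.10:1035        198.51.100.7:80        TIME_WAIT       0
  TCP    192.0.2.10:1036        203.0.113.5:443        ESTABLISHED     2212
  TCP    192.0.2.10:1037        203.0.113.77:80        SYN_SENT        1588
  TCP    192.0.2.10:1038        203.0.113.78:80        SYN_SENT        1588
  TCP    192.0.2.10:1039        203.0.113.79:80        SYN_SENT        1588
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Return one dict per connection line. TCP lines carry a state; UDP lines do not."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank line, "Active Connections", or the column header
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = None
        else:
            continue  # malformed line; skip rather than guess
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def syn_sent_by_pid(conns):
    """Half-open outbound TCP connections per process."""
    return Counter(c["pid"] for c in conns if c["state"] == "SYN_SENT")


def remote_hosts(conns):
    """Remote IPs (port stripped) per PID, for WHOIS lookups.
    Wildcard, unspecified and loopback addresses are skipped."""
    hosts = defaultdict(set)
    for c in conns:
        host = c["foreign"].rsplit(":", 1)[0]
        if host in ("*", "0.0.0.0") or host.startswith("127."):
            continue
        hosts[c["pid"]].add(host)
    return dict(hosts)


def suspicious_pids(conns, threshold=3):
    """PIDs with at least `threshold` SYN_SENT entries. The threshold is an
    assumption: a couple of SYN_SENT lines while a page loads are normal,
    a long list from one process is what the article is about."""
    return sorted(pid for pid, n in syn_sent_by_pid(conns).items() if n >= threshold)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("SYN_SENT per PID:", dict(syn_sent_by_pid(conns)))
    print("PIDs to investigate:", suspicious_pids(conns))
    for pid, hosts in sorted(remote_hosts(conns).items()):
        print(pid, sorted(hosts))
```

Paste real output into `SAMPLE_NETSTAT` (or read it from a file) and match any flagged PID against Task Manager's PID column; a PID of 0 on TIME_WAIT lines is Windows tidying closed connections and is not a process to chase.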



#2 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 14 November 2009 - 08:40 PM

THAT FILE SEEMS TO BE A NORMAL YAHOO WIDGET FILE.


If you have a specific file in question, you can submit it for a Jottiscan
http://virusscan.jotti.org/en
http://www.virustotal.com/

Edited by garmanma, 14 November 2009 - 08:40 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Bub12 (Topic Starter, Members, 144 posts)

Posted 15 November 2009 - 12:18 AM

garmanma,

Thanks....I did submit it to Avast as well..we'll see.

What about my other questions pertaining to my original problems with the Postmortem Debugger & the info I pasted from the Event Viewer? Is this just all normal Windows issues & situations as opposed to possible infections? Any ideas?

Thanks!

#4 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 15 November 2009 - 05:37 PM

I do not believe it to be an infection
We can run a couple of quick scans to double-check

:trumpet:

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.



------------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

========================

:flowers:
SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
First, reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

===============================

:thumbsup:

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Mark

#5 Bub12 (Topic Starter, Members, 144 posts)

Posted 15 November 2009 - 08:50 PM

Hey Mark,

I don't think I am infected either but it was suggested that I post here. I believe my questions are more OS, software & hardware related but I can't seem to get any clarity on some of my questions.

As far as the scans, I certainly could try some more but I have already scanned with Avast, MBAM & AdAware. I also use Spyware Blaster for added protection & McAfee Site Advisor to check new sites.

I would like to better understand my questions pertaining to the Event Viewer at least. Any ideas or should I post that back again in the XP forum?

Thanks!

#6 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 16 November 2009 - 07:02 PM

I recommend posting back in XP
Here's a couple of guides to help you

http://www.bleepingcomputer.com/forums/t/176011/how-to-receive-help-diagnosing-blue-screens-and-windows-crashes/
http://www.bleepingcomputer.com/forums/t/74712/how-to-find-bsod-error-messages/
http://www.bleepingcomputer.com/forums/t/40108/how-to-use-event-viewer/
Mark

#7 Bub12 (Topic Starter, Members, 144 posts)

Posted 16 November 2009 - 09:50 PM

Thanks Mark!

#8 Bub12 (Topic Starter, Members, 144 posts)

Posted 18 November 2009 - 01:40 PM

Hi...I am back in this forum again. It's been a lot of back & forth, per suggestions, between the XP forum & this one, as well as the Avast forum, where I cannot always get answers.

Let me keep this simple by posting some recent & a few not so recent Avast logs as well as a summary of some issues. I will post the links to the other threads I started here, which may or may not pertain to this thread. If you are really bored, you may want to read how all this started. Anyway, to summarize, I noticed some Avast errors & warnings that I typically do not receive. One I never received was the "unable to scan this file" message that appeared after a couple of scans. I did get some response in the Avast forum about these saying that 2 of the files must have been in use or temp files. But why did I never receive such a message from Avast in the prior 7 months that I have been using them? Received no answer for that yet. The other file, which was Yahoo Messenger related, was sent to Avast for evaluation but they will not reply, which doesn't do me much good. I do think the file is ok from my research.

For the past week or two, although I have not received any more "unable to scan" errors, there are still a lot of error & warning messages showing up in the logs of which I will post below. None of which are considered infections or of a critical nature, according to Avast. FYI, I have done countless full scans with Avast, MBAM & AdAware, all of which come up clean. If I can avoid downloading more software that will do basically the same thing, I would prefer it. I have used SAS many times in the past, although not recently, and it has never picked up anything that my other scans have not & it leaves a lot of files behind after uninstalling. If you need more details, please see the other links in the order in which they are posted here. Thanks & here you go...
-----------------------------------
WARNINGS

07/23/2009 2:47:31 PM SYSTEM 1356 Sign of "JS:Redirector-E [Trj]" has been found in "http://www.hudsoncountry.org/newsletterjan08c.html" file.

07/23/2009 2:47:33 PM SYSTEM 1356 Sign of "JS:Redirector-E [Trj]" has been found in "C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\Cache\2A9E2060d01" file.

07/25/2009 3:19:35 AM Owner 3692 Sign of "Win32:Bifrose-EGW [Trj]" has been found in "C:\WINDOWS\Installer\d221ed1.msp" file.

08/05/2009 9:52:52 PM SYSTEM 1436 Sign of "JS:Pdfka-MQ [Trj]" has been found in "http://pansdale.com/nic/p11.php\{gzip}" file.

10/10/2009 9:09:32 AM SYSTEM 1428 Sign of "JS:Pdfka-JR [Expl]" has been found in "http://wmdaly.com/flash/pdf.php" file.

10/12/2009 11:29:15 AM SYSTEM 1412 Sign of "JS:Pdfka-JR [Expl]" has been found in "http://modloaded.com/flash/pdf.php" file.

11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/05/2009 11:58:11 AM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/05/2009 2:57:20 PM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://ads.blogherads.com/static/bottomtxt2.js (C:\WINDOWS\TEMP\_avast4_\unp6316365.tmp) returning error, 0000A413.

11/05/2009 6:31:51 PM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://api.facebook.com/restserver.php?v=1...at=json&cal (C:\WINDOWS\TEMP\_avast4_\unp20623191.tmp) returning error, 0000A413.

11/06/2009 2:21:19 AM SYSTEM 1344 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://clients1.google.com/complete/search...P3QZj&cp=13 (C:\WINDOWS\TEMP\_avast4_\unp212433553.tmp) returning error, 0000A413.

11/07/2009 12:44:13 AM SYSTEM 1400 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://help.twitter.com/javascripts/tiny_m...ditor_plugin.js (C:\WINDOWS\TEMP\_avast4_\unp221421909.tmp) returning error, 0000A413.

11/07/2009 3:07:11 PM SYSTEM 1412 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/08/2009 12:35:13 PM SYSTEM 1412 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/08/2009 1:46:22 PM SYSTEM 1412 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.

11/16/2009 10:30:42 AM SYSTEM 1460 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0wir55g9.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0wir55g9.default\sessionstore-1.js) returning error, 0000A413.

11/17/2009 11:08:48 PM SYSTEM 1460 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://www.gazellethemes.com/wp-content/th...azelle/js/tt.js (C:\WINDOWS\TEMP\_avast4_\unp17426775.tmp) returning error, 0000A413.
--------------------------------
ERRORS

11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/05/2009 11:58:11 AM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/05/2009 2:57:20 PM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://ads.blogherads.com/static/bottomtxt2.js failed, 0000A413.

11/05/2009 6:31:51 PM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://api.facebook.com/restserver.php?v=1...at=json&cal failed, 0000A413.

11/06/2009 2:21:19 AM SYSTEM 1344 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://clients1.google.com/complete/search...P3QZj&cp=13 failed, 0000A413.

11/07/2009 12:44:13 AM SYSTEM 1400 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://help.twitter.com/javascripts/tiny_m...ditor_plugin.js failed, 0000A413.

11/07/2009 3:07:11 PM SYSTEM 1412 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/08/2009 12:35:13 PM SYSTEM 1412 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/08/2009 1:46:22 PM SYSTEM 1412 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.

11/16/2009 10:30:42 AM SYSTEM 1460 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\0wir55g9.default\sessionstore-1.js failed, 0000A413.

11/17/2009 11:08:48 PM SYSTEM 1460 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://www.gazellethemes.com/wp-content/th...azelle/js/tt.js failed, 0000A413.
-------------------------

http://www.bleepingcomputer.com/forums/ind...=269492&hl=

http://www.bleepingcomputer.com/forums/ind...=270180&hl=

http://www.bleepingcomputer.com/forums/t/270992/event-viewer-info-more-am-i-infected/

http://www.bleepingcomputer.com/forums/ind...=271992&hl=
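To separate the signature detections in a log like the one above from the scan-failure noise, here is an added Python example (not from the thread, and not Avast's own tooling): it parses lines in the format shown, classifies each as a detection, a scanning warning or a scanning error, and pairs each warning with the error logged at the same second for the same object. The sample lines are a constructed subset copied in shape from the post; the regular expressions are written against those lines only and are an assumption about the rest of the Avast 4 log format.

```python
"""Sort an Avast 4 log into signature detections versus scan failures.
Added example; SAMPLE_LOG is a constructed subset of the entries in the post."""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = r"""
07/23/2009 2:47:31 PM SYSTEM 1356 Sign of "JS:Redirector-E [Trj]" has been found in "http://www.hudsoncountry.org/newsletterjan08c.html" file.
07/25/2009 3:19:35 AM Owner 3692 Sign of "Win32:Bifrose-EGW [Trj]" has been found in "C:\WINDOWS\Installer\d221ed1.msp" file.
10/10/2009 9:09:32 AM SYSTEM 1428 Sign of "JS:Pdfka-JR [Expl]" has been found in "http://wmdaly.com/flash/pdf.php" file.
11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js (C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js) returning error, 0000A413.
11/05/2009 7:49:44 AM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\m29i26zi.default\sessionstore-1.js failed, 0000A413.
11/05/2009 2:57:20 PM SYSTEM 1392 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://ads.blogherads.com/static/bottomtxt2.js (C:\WINDOWS\TEMP\_avast4_\unp6316365.tmp) returning error, 0000A413.
11/05/2009 2:57:20 PM SYSTEM 1392 AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://ads.blogherads.com/static/bottomtxt2.js failed, 0000A413.
"""

# Every line starts with a timestamp, the account the scan ran as, a PID, then the message.
HEADER = re.compile(r"^(?P<when>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<account>\S+) (?P<pid>\d+) (?P<msg>.*)$")
# The three message shapes present in the post (assumed to cover the rest of the log).
DETECTION = re.compile(r'^Sign of "(?P<sig>[^"]+)" has been found in "(?P<obj>[^"]+)" file\.$')
SCAN_WARNING = re.compile(r"^AAVM - scanning warning: x_AavmCheckFileDirectEx(?: \[UNI\])?: (?P<obj>.+?) \((?P<tmp>[^)]*)\) returning error, (?P<code>[0-9A-Fa-f]+)\.$")
SCAN_ERROR = re.compile(r"^AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of (?P<obj>.+?) failed, (?P<code>[0-9A-Fa-f]+)\.$")


def parse_avast_log(text):
    """One dict per log line; kind is detection, scan_warning, scan_error or other."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        ev = {"when": datetime.strptime(m["when"], "%m/%d/%Y %I:%M:%S %p"),
              "account": m["account"], "pid": int(m["pid"]),
              "kind": "other", "obj": None, "sig": None, "code": None}
        msg = m["msg"]
        if (d := DETECTION.match(msg)):
            ev.update(kind="detection", sig=d["sig"], obj=d["obj"])
        elif (w := SCAN_WARNING.match(msg)):
            ev.update(kind="scan_warning", obj=w["obj"], code=w["code"].upper())
        elif (e := SCAN_ERROR.match(msg)):
            ev.update(kind="scan_error", obj=e["obj"], code=e["code"].upper())
        events.append(ev)
    return events


def triage(events):
    """Detections with a web/disk tag, failure codes, objects that failed to scan,
    and any warning or error that has no twin at the same second for the same object."""
    detections = [e for e in events if e["kind"] == "detection"]
    failures = [e for e in events if e["kind"] in ("scan_warning", "scan_error")]
    warn_keys = {(e["when"], e["obj"]) for e in failures if e["kind"] == "scan_warning"}
    err_keys = {(e["when"], e["obj"]) for e in failures if e["kind"] == "scan_error"}
    return {
        "detections": [(e["sig"], "web" if e["obj"].lower().startswith("http") else "disk", e["obj"])
                       for e in detections],
        "failure_codes": Counter(e["code"] for e in failures),
        "failing_objects": Counter(e["obj"] for e in failures if e["kind"] == "scan_warning"),
        "unpaired_warnings": sorted(warn_keys - err_keys),
        "unpaired_errors": sorted(err_keys - warn_keys),
    }


if __name__ == "__main__":
    report = triage(parse_avast_log(SAMPLE_LOG))
    for sig, where, obj in report["detections"]:
        print(f"DETECTION {where:4} {sig}: {obj}")
    print("failure codes:", dict(report["failure_codes"]))
    print("objects that could not be scanned:", dict(report["failing_objects"]))
    print("unpaired:", report["unpaired_warnings"], report["unpaired_errors"])
```

Run over the full log, the pairing check shows whether every "scanning error" line is the same event as a "scanning warning" line (it is in the sample), so the WARNINGS and ERRORS sections collapse into one list of objects Avast could not open, mostly a Firefox session file and web-shield temp copies; the detections are listed separately with a note of whether the object was a URL or a file on disk, which is the list worth following up.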

#9 Bub12 (Topic Starter, Members, 144 posts)

Posted 20 November 2009 - 02:08 AM

Hi,

I hope there is a simple explanation for this as I have been posting in this & am I infected for over a week for various issues as my machine has been acting up for about that long. Its latest is this...

I recently changed what programs run on start-up & when I restarted my machine, I was prompted with the window that said something to the effect of System Config was changed...that I altered the way in which the system starts, change back to normal start-up mode if I wish...or, I can check the box that says not to run this tool on start-up & do not show this message again. Well, I have clicked this option more than once, yet the window still sometimes appears on start-up, as if I have again changed how the machine starts, but I have not. Now, I will say that the last time I did this & restarted, the window did not again appear, so we'll see...

Is there a reason this continues to occur? I have had a few other oddities occur so I thought perhaps infection but I do seem to be clean as per my thoughts & those in the "Am I Infected forum". Any help would be appreciated. I will include a link to another thread of mine below, just in case. Thanks!

http://www.bleepingcomputer.com/forums/t/269492/dr-watson-post-mortum-debugging-error/

#10 joseibarra (Members, 1,180 posts, Male, Downstairs)

Posted 20 November 2009 - 07:24 AM

There is a reason the box appears and if you tell it not to and it keeps coming back, there is some problem.

What about your original issue (which I read). Was that resolved to your satisfaction?

We could fix the msconfig reminder so it doesn't show up, but your description sounds like it wants to come back on its own for some reason and if that is the case, something is still wrong.

I know you ran some scans, but humor us and run these:

Perform some scans for malicious software first, then fix any remaining issues:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

After scanning, we can look at your msconfig issue.

Edited by joseibarra, 20 November 2009 - 07:26 AM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#11 Bub12 (Topic Starter, Members, 144 posts)

Posted 20 November 2009 - 01:29 PM

Jose,

Thanks for the reply.

Well, the last two times I restarted it has not reappeared. Hmmm...

As far as the AV/AS scans, I already scanned with both & all is well. Also scanned with Avast & AdAware.

In regards to the Postmortem Debugger issue...it has not resurfaced so I am still assuming it was a result of the printer spooler going awry.

Ever since that day when the spooler had problems, I have noticed a barrage of other issues. (I have seen happen before when trying to print from certain websites although I do not understand why this happens. On rare occasion I have seen certain sites cause such a spooler error requiring a reinstall of the printer) Maybe I only noticed certain issues because I was looking for something. I am still working with Avast to see if all the new found errors & warnings are a problem.

If you read all the threads to which I linked in this thread, you will see how one question/issue led to another. This new issue, where the msconfig reminder keeps reappearing, had me concerned yet again. Still not sure if I have been compromised.

#12 joseibarra (Members, 1,180 posts, Male, Downstairs)

Posted 20 November 2009 - 02:11 PM

Here is how it works "normally" when you make a change with msconfig and click OK.

A new entry gets put in the registry here:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

which looks like this:

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

That registry key (is one place that) tells Windows what to run when you restart. The /auto switch tells msconfig to ask you that question and if you tell it not to remind you, that entire entry should get deleted from the registry so nothing about msconfig will run next time.

If that registry entry does not go away or shows up by itself for no reason, you have another problem. It may just be an annoying occasional problem but it is a problem.

Run the command yourself manually. Click Start, Run and in the box enter:

msconfig /auto

Click OK. Look familiar?

If you tell msconfig on a restart not to show the message again and it is still in the registry, additional troubleshooting is required. There are reasons that could happen, but let's wait until it happens again.

If you see it again, don't click the don't remind me again box. Check the registry and see if it is there and goes away when you do check the box. It could be someplace else if something is broken.

Sometimes merely threatening to fix things will fix them :thumbsup: .



#13 Bub12 (Topic Starter, Members, 144 posts)

Posted 20 November 2009 - 02:34 PM

Jose,

Good answer :-)

BUT WAIT...THERE IS MORE!

I did not scan with SAS recently. I did not want to download it as it has never found any malware that my other programs haven't found & it leaves files & folders behind, even after uninstalling so....I decided not to scan with it. But, as you suggested, to humor you, I bit the bullet & downloaded SAS again & am scanning now. So far, it has found 5 registry items!! !$%#@%&! Not sure yet what exactly they are so please stay tuned... I will post the logs soon.

Edited by Bub12, 20 November 2009 - 02:34 PM.


#14 Bub12

Bub12
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  • Local time:06:35 AM

Posted 20 November 2009 - 02:58 PM

Jose,

I do realize that I am not in the "Am I Infected" forum & may need to go back there yet again but here are the log results. FP's maybe?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/20/2009 at 02:42 PM

Application Version : 4.30.1004

Core Rules Database Version : 4297
Trace Rules Database Version: 2167

Scan type : Complete Scan
Total Scan Time : 00:28:53

Memory items scanned : 426
Memory threats detected : 0
Registry items scanned : 5920
Registry threats detected : 5
File items scanned : 45626
File threats detected : 0

Rogue.Component/Trace
HKLM\Software\Microsoft\A8FFF9A5
HKLM\Software\Microsoft\A8FFF9A5#a8fff9a5
HKLM\Software\Microsoft\A8FFF9A5#Version
HKLM\Software\Microsoft\A8FFF9A5#a8ff5425
HKLM\Software\Microsoft\A8FFF9A5#a8ff3dc0

UPDATE: I have searched MS & the web via Google for any & all of these results & find nothing!!!! Not one result.

Edited by Bub12, 20 November 2009 - 03:04 PM.


#15 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:06:35 AM

Posted 20 November 2009 - 04:15 PM

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

==============================

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
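An added example, not from the thread or from any of the tools it names, that does the same job as the DIR /a/s check in the post from PowerShell: it finds every copy of scecli.dll, netlogon.dll and eventlog.dll under the Windows folder and compares them by size, timestamp, SHA256 hash and Authenticode status, so that a copy that differs from its siblings stands out. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt so protected folders are readable.

```powershell
# Added example: compare all copies of the three DLLs the post's DIR command lists.
# (The post's DIR command writes Log.txt to the prompt's current directory, C:\, not the Desktop.)
$names = 'scecli.dll', 'netlogon.dll', 'eventlog.dll'

function Get-DllCopies {
    Get-ChildItem -Path $env:windir -Recurse -Force -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name.ToLower()
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$copies = Get-DllCopies
$copies | Sort-Object Name, Path | Format-Table Name, Path, Size, Modified, Signature -AutoSize

# Per DLL name: report copies whose hash differs from the others, and copies that are not
# validly signed. Caveats: WinSxS may legitimately hold several serviced versions, and on
# older Windows catalog-signed system files report NotSigned, so a hash mismatch is the
# stronger signal; neither is proof on its own, only a reason to look closer.
foreach ($group in ($copies | Group-Object Name)) {
    $hashes   = @($group.Group.Sha256 | Sort-Object -Unique)
    $unsigned = $group.Group | Where-Object { $_.Signature -ne 'Valid' }
    if ($hashes.Count -gt 1) {
        Write-Host "$($group.Name): $($hashes.Count) distinct hashes across $($group.Count) copies"
        $group.Group | Sort-Object Sha256 | Format-Table Sha256, Path, Size, Modified -AutoSize
    }
    foreach ($u in $unsigned) {
        Write-Host "$($group.Name): $($u.Path) signature status: $($u.Signature)"
    }
}
```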



