Axwin Frame Google redirects


10 replies to this topic

#1 Mike lost in the NW
  • Members
  • 7 posts

Posted 04 February 2010 - 12:14 PM

Hello,

I've seen similar problems discussed here and tried some of the same solutions with limited success. My computer is a little bit usable now.

The system is Windows XP Home Media Center edition. We have McAfee, Ad Aware, Spybot, and Malware Bytes trying but not succeeding.

The symptoms that we first noticed were that when you clicked on search results from a Google page you didn't go to the right place. Then we started getting Axwin Frame errors where it said it tried to write a memory location and failed and that the computer would soon shut down. I found the shutdown -a help and now I can try to fix the computer.

The first time I installed and ran Malware Bytes it found some things but the computer is still infected. I'm running another scan now.

I was thinking of running Combofix but after reading this forum decided to follow the advice and wait for help.

I know I haven't included a lot of detailed error messages, but as I said others on this forum are reporting the exact same symptoms.

Thanks

Mike lost in the NW

#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 February 2010 - 04:19 PM

Hello and welcome. Go into Control Panel and remove anything ADOBE, we can get it back later.
If TeaTimer is running in SpyBot, it needs to be stopped for now.

Post the MBam scan log when done.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs, and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Mike lost in the NW
  • Topic Starter
  • Members
  • 7 posts

Posted 05 February 2010 - 02:56 AM

Thanks.

I have three Adobe products. Adobe Air would not uninstall. Had an error. Other programs are Adobe Flash Player 10 ActiveX and Adobe Reader 7.1.0. After the error on the Adobe Air removal I successfully removed the Flash Player and then got an error message when trying to remove Reader:

The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

I also updated the MBAM program to today's version and still didn't find anything. This is the Scan Log before attempting to remove the Adobe things or stopping the TeaTimer:

Malwarebytes' Anti-Malware 1.44
Database version: 3691
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/4/2010 10:29:31 PM
mbam-log-2010-02-04 (22-29-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 362338
Time elapsed: 2 hour(s), 13 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 February 2010 - 03:00 PM

You're welcome. Try the 2 methods here under Resolution: Reregister the Windows Installer

You can also try Revo Uninstaller:

1. Please download Revo Uninstaller.
2. Extract the ZIP file to a folder and run revouninstaller.exe from there! (You can copy that folder to a USB Mass storage drive and use it without any installation required!)
3. There are two ways to uninstall programs with Revo Uninstaller:
Important: Please, try to close the application you want to uninstall first!
  • Select the application in the list of installed applications and press the Uninstall button in the toolbar.
  • Right-click the application and click the Uninstall command in the displayed menu. Follow the instructions.

#5 Mike lost in the NW
  • Topic Starter
  • Members
  • 7 posts

Posted 08 February 2010 - 01:33 AM

I was able to load a new installer/uninstaller from Microsoft and deleted the Adobe programs. I completed all of the other instructions. I don't think the computer is fixed (still getting the Axwin Frame error and a bunch of processes getting killed by Microsoft) but here is the log file from Super Anti Spyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2010 at 10:58 AM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 0

Scan type : Complete Scan
Total Scan Time : 01:38:37

Memory items scanned : 292
Memory threats detected : 0
Registry items scanned : 7248
Registry threats detected : 0
File items scanned : 38626
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@fastclick[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@microsoftsto.112.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@advertising[2].txt

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B9823275-D858-498B-A4DC-C4EEDA322F67}\RP1072\A0097866.SCR

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 February 2010 - 08:49 PM

Haven't forgotten you.. I am looking up info.

Hello, I believe this will reveal it.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.

Edited by boopme, 08 February 2010 - 09:02 PM.


#7 Mike lost in the NW
  • Topic Starter
  • Members
  • 7 posts

Posted 09 February 2010 - 12:21 PM

I've tried quite a few times to run GMER but it always gives me the BSOD. I have that computer not connected to the internet and ran it in Safe Mode and in normal mode. In normal mode it ran overnight but the CPU was at 100% trying to split time with Macagent at 48%. The computer was, of course, unresponsive, and I never figured out how to stop Macagent as the Task Manager wouldn't even come to life.

Any tips to get GMER to run? Try something else? I really appreciate the help.

Mike still lost in the NW and frustrated with my computer even more

#8 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 February 2010 - 03:20 PM

Did you try
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.

If things still won't work, you will need to download and run DDS, which will create a Pseudo HJT Report as part of its log.
If for some reason you cannot perform a step, move on to the next.
Please follow this guide: go and do steps 6 thru 8 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#9 Mike lost in the NW
  • Topic Starter
  • Members
  • 7 posts

Posted 09 February 2010 - 03:26 PM

You wrote:

Did you try
-- If GMER crashes or keeps resulting in a BSOD, uncheck Devices on the right side before scanning.

Actually, I started that method after I sent the reply and it was in process when I left the computer. I'll see if it completed later today and if not I'll try the steps you just suggested.

Thanks.

#10 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 February 2010 - 03:37 PM

Hi, you can also try unchecking Sections on the right...

#11 Mike lost in the NW
  • Topic Starter
  • Members
  • 7 posts

Posted 10 February 2010 - 11:08 AM

I was able to get McAfee to stop and GMER completed the scan overnight with just Devices unchecked. The computer was in Safe Mode not connected to the internet. Here is the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-10 07:47:04
Windows 5.1.2600 Service Pack 3
Running: random.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\agryypob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75E087E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75E0BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74097A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[476] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00BD000A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

In the other times that GMER started it seems like there were more things found. I don't know if it fixes things as it goes, but that is all it found when it got all the way through.
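As an added example (not code from this thread, from GMER, or from BleepingComputer), a small Python triage script that splits a GMER log into its sections and flags the entries a responder would escalate, run over a constructed excerpt of the log posted above. The vendor allow-list is an assumption: Lbd.sys is the Lavasoft Ad-Aware driver the poster runs, so its SSDT hooks are expected, while a boot driver whose entry point sits in its .rsrc section, together with a "suspicious modification" on the same file, is not.

```python
import re

# Constructed excerpt mirroring the GMER 1.0.15 log posted above (blank lines dropped).
SAMPLE_LOG = """\
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75E087E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75E0BFE]
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\\WINDOWS\\system32\\drivers\\atapi.sys entry point in ".rsrc" section [0xF74097A4]
---- User code sections - GMER 1.0.15 ----
.text C:\\WINDOWS\\system32\\svchost.exe[476] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00BD000A
---- Files - GMER 1.0.15 ----
File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification
"""
# Assumption: SSDT hooks owned by these vendors belong to the poster's own
# security software (Lbd.sys is the Lavasoft Ad-Aware driver) and are expected.
KNOWN_HOOK_OWNERS = ("Lavasoft",)
SECTION_RE = re.compile(r"^---- (.+?) - GMER")


def parse_sections(text):
    """Split a GMER log into {section name: [entry lines]}, dropping blank lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return (severity, reason, entry) tuples for entries a responder should escalate."""
    s, out = parse_sections(text), []
    for line in s.get("System", []):
        if line.startswith("SSDT") and not any(v in line for v in KNOWN_HOOK_OWNERS):
            out.append(("high", "SSDT hook by unrecognised driver", line))
    for line in s.get("Kernel code sections", []):
        # A boot driver whose entry point now sits in its .rsrc (resource) section
        # has been patched on disk; GMER's Files section reports the same file.
        if 'entry point in ".rsrc"' in line:
            out.append(("critical", "driver entry point relocated to .rsrc", line))
    for line in s.get("User code sections", []):
        if " JMP " in line:  # inline hook redirecting an API call out of the DLL
            out.append(("medium", "inline JMP hook in user-mode process", line))
    for line in s.get("Files", []):
        if line.endswith("suspicious modification"):
            out.append(("critical", "GMER reports the file as modified", line))
    return out
```

Run `triage(SAMPLE_LOG)` to get the three escalations from the posted log; the two Lavasoft SSDT entries are filtered out as the poster's own Ad-Aware driver.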
