Browsers keep crashing/closing unexpectedly


15 replies to this topic

#1 carra23

carra23

  • Members
  • 75 posts
  • OFFLINE

Posted 05 April 2011 - 07:54 PM

Really doing my head in this. Any help appreciated as I need my laptop functional for my job!

Continuation of this problem...
http://www.bleepingcomputer.com/forums/topic388684.html


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,754 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA

Posted 05 April 2011 - 08:52 PM

Which browsers are we talking about here?
Any other issues?

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 carra23

carra23
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE

Posted 06 April 2011 - 05:56 AM

Which browsers are we talking about here?
Any other issues?

Firefox/Chrome/Photoshop have all crashed on me.

#4 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,716 posts
  • OFFLINE
  • Gender:Female

Posted 06 April 2011 - 11:04 AM

Due to the keygens you downloaded and c:\Users\Matt\AppData\Local\Temp\ncmwroaxes.exe (Trojan.Hiloti), your computer has become quite compromised.

Trojan.Hiloti will enter into a computer system covertly, to perform the function it was designed to do: to download and install additional and various malware, badware, adware, etc., so as to ensure that the Trojan, as well as the hacker in control of this whole operation, are equipped with full control of the infiltrated machine.

Trojan.Hiloti allows for a hacker from a remote location to change the infiltrated system's settings, delete important files, steal passwords and watch the user's computer activity.
Trojan.Hiloti is designed to open up large security exploits through which hundreds of malicious adware and spyware will be able to infiltrate a system. In addition, Trojan.Hiloti opens a backdoor that allows the remote attacker to get full control over the infected computer.

This in turn leads to the hacker having full access to the user's financial or banking information stored on the computer. Obviously this puts the user's personal information in severe jeopardy and represents a serious security risk.


MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#5 carra23

carra23
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE

Posted 06 April 2011 - 11:16 AM

Due to the keygens you downloaded and c:\Users\Matt\AppData\Local\Temp\ncmwroaxes.exe (Trojan.Hiloti), your computer has become quite compromised.

Trojan.Hiloti will enter into a computer system covertly, to perform the function it was designed to do: to download and install additional and various malware, badware, adware, etc., so as to ensure that the Trojan, as well as the hacker in control of this whole operation, are equipped with full control of the infiltrated machine.

Trojan.Hiloti allows for a hacker from a remote location to change the infiltrated system's settings, delete important files, steal passwords and watch the user's computer activity.
Trojan.Hiloti is designed to open up large security exploits through which hundreds of malicious adware and spyware will be able to infiltrate a system. In addition, Trojan.Hiloti opens a backdoor that allows the remote attacker to get full control over the infected computer.

This in turn leads to the hacker having full access to the user's financial or banking information stored on the computer. Obviously this puts the user's personal information in severe jeopardy and represents a serious security risk.

Are you bleep kidding me?

What shall I do?

#6 carra23

carra23
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE

Posted 06 April 2011 - 11:18 AM

I don't get this because I was told my machine was clean.

#7 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,716 posts
  • OFFLINE
  • Gender:Female

Posted 06 April 2011 - 12:11 PM

Let's see what, if anything, VEW reveals.

Download VEW by Vino Rosso from http://images.malwareremoval.com/vino/VEW.exe
and save it to your desktop.

Double click it to start it. Note: If running Windows Vista or Windows 7, you will need to right-click the file, select Run as administrator, and click Continue or Allow at the User Account Control prompt.

Click the check boxes next to Application and System, located under Select log to query on the upper left.

Under Select type to list on the right, click the boxes next to Error and Warning. Note: If running Windows Vista or Windows 7, also click the box next to Critical (not XP).

Under Number or date of events, select Number of events, type 20 in the box next to 1 to 20, and click Run.

Once it finishes, it will display a log file in Notepad.

Please copy and paste its entire contents into your next reply.


#8 carra23

carra23
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE

Posted 06 April 2011 - 12:42 PM

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 06/04/2011 18:40:21

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 06/04/2011 17:37:45
Type: Error Category: 0
Event: 80 Source: SideBySide
Activation context generation failed for "C:\Users\Matt\Downloads\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_fa62ad231704eab7.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd.manifest.

Log: 'Application' Date/Time: 06/04/2011 15:24:33
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 17254

Log: 'Application' Date/Time: 06/04/2011 15:24:33
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 17254

Log: 'Application' Date/Time: 06/04/2011 15:24:33
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 06/04/2011 15:24:30
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 14555

Log: 'Application' Date/Time: 06/04/2011 15:24:30
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 14555

Log: 'Application' Date/Time: 06/04/2011 15:24:30
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 06/04/2011 15:24:29
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 13557

Log: 'Application' Date/Time: 06/04/2011 15:24:29
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 13557

Log: 'Application' Date/Time: 06/04/2011 15:24:29
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 06/04/2011 15:24:28
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 12558

Log: 'Application' Date/Time: 06/04/2011 15:24:28
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 12558

Log: 'Application' Date/Time: 06/04/2011 15:24:28
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 06/04/2011 15:24:27
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 11560

Log: 'Application' Date/Time: 06/04/2011 15:24:27
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 11560

Log: 'Application' Date/Time: 06/04/2011 15:24:27
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 06/04/2011 15:24:26
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 10561

Log: 'Application' Date/Time: 06/04/2011 15:24:26
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledEvent 10561

Log: 'Application' Date/Time: 06/04/2011 15:24:26
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: Continuously busy for more than a second

Log: 'Application' Date/Time: 06/04/2011 15:24:25
Type: Error Category: 0
Event: 100 Source: Bonjour Service
Task Scheduling Error: m->NextScheduledSPRetry 9563

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 06/04/2011 01:54:44
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-4138411495-1376951992-2689177530-1001:
Process 1592 (\Device\HarddiskVolume3\Program Files\SUPERAntiSpyware\SASCore64.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\SUPERAntiSpyware.com\SUPERAntiSpyware


Log: 'Application' Date/Time: 05/04/2011 21:20:31
Type: Warning Category: 0
Event: 1032 Source: MsiInstaller
An error occured while refreshing environment variables updated during the installation of ''. Some users logged on to the machine may not see these changes until they log off and then log back on.

Log: 'Application' Date/Time: 05/04/2011 18:22:08
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 6 user registry handles leaked from \Registry\User\S-1-5-21-4138411495-1376951992-2689177530-1001:
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 1588 (\Device\HarddiskVolume3\Program Files\SUPERAntiSpyware\SASCore64.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\SUPERAntiSpyware.com\SUPERAntiSpyware
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\trust
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\Root


Log: 'Application' Date/Time: 05/04/2011 00:59:00
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-4138411495-1376951992-2689177530-1001:
Process 1572 (\Device\HarddiskVolume3\Program Files\SUPERAntiSpyware\SASCore64.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\SUPERAntiSpyware.com\SUPERAntiSpyware


Log: 'Application' Date/Time: 04/04/2011 01:13:34
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 12 user registry handles leaked from \Registry\User\S-1-5-21-4138411495-1376951992-2689177530-1001:
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\trust
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\My
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\CA
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 288 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\Root


Log: 'Application' Date/Time: 03/04/2011 17:14:32
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 5 user registry handles leaked from \Registry\User\S-1-5-21-4138411495-1376951992-2689177530-1001:
Process 296 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 296 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 296 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\trust
Process 296 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 296 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\Root


Log: 'Application' Date/Time: 02/04/2011 22:44:43
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 22:44:42
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 22:35:50
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 22:34:15
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 22:34:15
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:52:20
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:49:52
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:49:51
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:33:39
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:32:42
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:32:41
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:29:06
Type: Warning Category: 0
Event: 6000 Source: Microsoft-Windows-Winlogon
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

Log: 'Application' Date/Time: 02/04/2011 21:23:21
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 15 user registry handles leaked from \Registry\User\S-1-5-21-4138411495-1376951992-2689177530-1001:
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Policies\Microsoft\SystemCertificates
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\trust
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\My
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\CA
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\Root
Process 112 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\SystemCertificates\TrustedPeople


Log: 'Application' Date/Time: 23/03/2011 04:16:22
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 2 user registry handles leaked from \Registry\User\S-1-5-21-4138411495-1376951992-2689177530-1001:
Process 6316 (\Device\HarddiskVolume3\Windows\System32\wuauclt.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001
Process 6316 (\Device\HarddiskVolume3\Windows\System32\wuauclt.exe) has opened key \REGISTRY\USER\S-1-5-21-4138411495-1376951992-2689177530-1001\Software\Microsoft\Windows\CurrentVersion\Explorer


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/02/2011 13:13:32
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 29/12/2010 21:59:37
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

Log: 'System' Date/Time: 29/12/2010 21:57:53
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 05/04/2011 21:21:37
Type: Error Category: 0
Event: 7032 Source: Service Control Manager
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Apple Mobile Device service, but this action failed with the following error: An instance of the service is already running.

Log: 'System' Date/Time: 05/04/2011 21:20:37
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 05/04/2011 21:20:03
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 05/04/2011 18:18:18
Type: Error Category: 0
Event: 7011 Source: Service Control Manager
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.

Log: 'System' Date/Time: 04/04/2011 10:59:51
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The SAS Core Service service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 04/04/2011 10:06:11
Type: Error Category: 0
Event: 1 Source: VDS Basic Provider
Unexpected failure. Error code: D@01010004

Log: 'System' Date/Time: 04/04/2011 10:05:52
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The SAS Core Service service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 03/04/2011 19:00:20
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The SAS Core Service service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 03/04/2011 10:29:58
Type: Error Category: 0
Event: 1 Source: VDS Basic Provider
Unexpected failure. Error code: D@01010004

Log: 'System' Date/Time: 03/04/2011 10:29:58
Type: Error Category: 0
Event: 1 Source: VDS Basic Provider
Unexpected failure. Error code: D@01010004

Log: 'System' Date/Time: 03/04/2011 10:29:31
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The SAS Core Service service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 02/04/2011 22:45:42
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The SAS Core Service service failed to start due to the following error: The system cannot find the file specified.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

Log: 'System' Date/Time: 02/04/2011 22:44:43
Type: Error Category: 0
Event: 7001 Source: Service Control Manager
The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 06/04/2011 17:37:26
Type: Warning Category: 256
Event: 516 Source: mfehidk
Process **\MCSVHOST.EXE pid (2192) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Log: 'System' Date/Time: 06/04/2011 16:32:07
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 06/04/2011 16:32:04
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll

Log: 'System' Date/Time: 06/04/2011 10:56:21
Type: Warning Category: 256
Event: 516 Source: mfehidk
Process **\MCSVHOST.EXE pid (2372) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Log: 'System' Date/Time: 06/04/2011 01:55:15
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 06/04/2011 01:55:08
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 06/04/2011 01:55:06
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll

Log: 'System' Date/Time: 05/04/2011 18:22:38
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 05/04/2011 18:22:36
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll

Log: 'System' Date/Time: 05/04/2011 14:27:47
Type: Warning Category: 0
Event: 10004 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has timed out. Module Path: C:\Windows\System32\bcmihvsrv64.dll

Log: 'System' Date/Time: 05/04/2011 11:23:05
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name minenasa.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 05/04/2011 00:59:29
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 05/04/2011 00:59:27
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll

Log: 'System' Date/Time: 04/04/2011 20:49:47
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name moviesgateway.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 04/04/2011 13:56:09
Type: Warning Category: 256
Event: 514 Source: mfehidk
Process **\MCSVHOST.EXE pid (2208) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver.

Log: 'System' Date/Time: 04/04/2011 11:20:13
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name minenasa.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 04/04/2011 10:59:16
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 04/04/2011 10:59:16
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll

Log: 'System' Date/Time: 04/04/2011 10:08:27
Type: Warning Category: 256
Event: 514 Source: mfehidk
Process **\MCSVHOST.EXE pid (2268) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver.

Log: 'System' Date/Time: 04/04/2011 01:14:16
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

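As an added example (not part of this thread, and not a tool any of the helpers used), the Python script below parses log text in exactly the layout pasted above and pulls out the three things a helper reads by eye: DNS-Client event 1014 timeouts for names the user is not expected to be resolving (the question Jacee asks about minenasa.net later in the thread), the mfehidk 514/516 code-integrity warnings, and the module path from the WLAN Extensibility Module failures. The sample records are a constructed copy of a few entries from the dump, and the allow-list `KNOWN_SUFFIXES` is an assumption made for the example; a real triage compares the names against what the user actually recognizes.

```python
import re
from collections import Counter

# Constructed sample in the same layout as the 'System' log warnings pasted
# in this thread (a few of the entries, copied into this example).
SAMPLE_LOG = r"""
Log: 'System' Date/Time: 06/04/2011 17:37:26
Type: Warning Category: 256
Event: 516 Source: mfehidk
Process **\MCSVHOST.EXE pid (2192) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver.

Log: 'System' Date/Time: 06/04/2011 01:55:15
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 05/04/2011 11:23:05
Type: Warning Category: 0
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name minenasa.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 04/04/2011 13:56:09
Type: Warning Category: 256
Event: 514 Source: mfehidk
Process **\MCSVHOST.EXE pid (2208) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver.

Log: 'System' Date/Time: 04/04/2011 10:59:16
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll
"""

TIME_RE = re.compile(r"Date/Time:\s*(\S+\s+\S+)")
EVENT_RE = re.compile(r"Event:\s*(\d+)\s+Source:\s*(\S+)")
DNS_NAME_RE = re.compile(r"Name resolution for the name (\S+) timed out")
PROCESS_RE = re.compile(r"Process (\S+) pid \((\d+)\)")
MODULE_RE = re.compile(r"Module Path:\s*(\S+)")

# Assumed allow-list of names this host is expected to resolve; anything else
# that times out is a question for the user ("do you recognize this domain?").
KNOWN_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_records(text):
    """Split the pasted log into one dict per blank-line-separated entry."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        ts, ev = TIME_RE.search(chunk), EVENT_RE.search(chunk)
        if not (lines and ts and ev):
            continue  # incomplete entry: skip rather than guess
        records.append({
            "time": ts.group(1),
            "event_id": int(ev.group(1)),
            "source": ev.group(2),
            "message": lines[-1],  # the description is always the last line
        })
    return records


def is_known_name(name):
    name = name.lower().rstrip(".")
    # Match on a label boundary so "evilmicrosoft.com" is not waved through.
    return any(name == s or name.endswith("." + s) for s in KNOWN_SUFFIXES)


def dns_timeouts(records):
    """Names from DNS-Client event 1014 that are not on the allow-list, with counts."""
    names = Counter()
    for r in records:
        if r["source"] == "Microsoft-Windows-DNS-Client" and r["event_id"] == 1014:
            m = DNS_NAME_RE.search(r["message"])
            if m and not is_known_name(m.group(1)):
                names[m.group(1).lower()] += 1
    return names


def mcafee_integrity_events(records):
    """mfehidk 514 (unsigned/corrupted code blocked) and 516 (signed-but-untrusted
    code allowed) as (time, event_id, process, pid), reported for a human to judge."""
    out = []
    for r in records:
        if r["source"] == "mfehidk" and r["event_id"] in (514, 516):
            m = PROCESS_RE.search(r["message"])
            proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
            out.append((r["time"], r["event_id"], proc, pid))
    return out


def wlan_module_failures(records):
    """Module paths from WLAN-AutoConfig 10002 (stopped) / 10004 (timed out), with counts."""
    paths = Counter()
    for r in records:
        if r["source"] == "Microsoft-Windows-WLAN-AutoConfig" and r["event_id"] in (10002, 10004):
            m = MODULE_RE.search(r["message"])
            if m:
                paths[m.group(1)] += 1
    return paths


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(dns_timeouts(recs), mcafee_integrity_events(recs), wlan_module_failures(recs))
```

To use it on a real dump, read the saved text file and pass it to parse_records(). The mfehidk entries are listed rather than scored on purpose: the event text itself says the McAfee driver allowed or blocked the operation, so each one records a McAfee code-integrity decision about the named process, and whether that process belongs on the machine is for the helper to decide.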
#9 Jacee (Malware Response Team)

Posted 06 April 2011 - 02:01 PM

Do you recognize this Domain name? ... minenasa.net

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#10 Jacee (Malware Response Team)

Posted 06 April 2011 - 02:01 PM

I'm pretty sure you're still infected.

Edit ... WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll

Common causes of bcmihvsrv64.dll and other Registry errors:

Trojan and malware
Mis-deleting registry entries
Downloading dubious files
Hard shutdown PC
File becomes corrupted or accidentally moved or deleted


Edited by Jacee, 06 April 2011 - 02:07 PM.


#11 Broni (BC Advisor)

Posted 06 April 2011 - 04:28 PM

If I'm not mistaken bcmihvsrv64.dll is Dell Wireless 1397 WLAN Mini-Card driver.


#12 carra23 (Topic Starter)

Posted 06 April 2011 - 05:03 PM

Do you recognize this Domain name? ... minenasa.net

No, I don't

If I'm not mistaken bcmihvsrv64.dll is Dell Wireless 1397 WLAN Mini-Card driver.

Ah ok, so where do I go from here?

#13 Broni (BC Advisor)

Posted 06 April 2011 - 05:13 PM

Jacee is a malware expert, so I'd go along with his opinion.
There are several errors in the Event Log which definitely look suspicious.
PM your malware helper.


#14 carra23 (Topic Starter)

Posted 07 April 2011 - 08:43 AM

I've PM'd Malware Helper but no response yet.

Just got this when I started up...

Attached Files



#15 boopme (Global Moderator)

Posted 07 April 2011 - 10:56 AM

OK, it appears there is malware that I could not see or remove with the tools we had.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.