Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Infected. Can only type numbers!


  • Please log in to reply
7 replies to this topic

#1 whatsuprobert

whatsuprobert

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 23 July 2011 - 01:30 AM

Dear Bleeping Computer Technicians, Can you please help me regain control over my computer?


My computer is infected and my antivirus protection (norton security suite) seems to be tampered. Norton found infected software installed on both of the computers on my network. This computer went to a blue screen that said something like "if this is the first time your computer has crashed, restart your computer; If this has happened before...." Since then, Norton will not stay updated and it allows me to download programs that are showing up as spyware or malware(See Post #1 Below).

For 3 days I could not use my keyboard b/c everything I typed came out as "1234567890123" over and over again. My hijackthis report lists several programs with no name and seems to indicate that my hardrive is corrupted. Something is not right. Please help!



Dell Dimension Desktop
Windows XP Home SP3
Norton Security Suite 5.1 (vended by Comcast), IE 8


Post#1
|Name|Type|Description|ID|
Trojan.Adware, FILE, C:\Program Files\Adobe\Photoshop Elements 8.0\amtservices.dll, 4062731
Trojan.Adware, FILE, C:\Program Files\Adobe\Elements Organizer 8.0\amtservices.dll, 4062731
Unwanted.Bazooka Scanner, FOLDER, C:\Documents and Settings\Student H\Start Menu\Programs\Bazooka Scanner, 302781
Unwanted.Bazooka Scanner, FOLDER, C:\Program Files\Bazooka Scanner, 302782
Unwanted.Bazooka Scanner, REG, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls, 2008921
Unwanted.Bazooka Scanner, REG, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0888EE-96D8-4713-84DC-36462C33AEB4}, 2009145
Post#2

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:12 AM

Posted 23 July 2011 - 11:21 AM

Welcome aboard Posted Image

Restart computer in Safe Mode and see if it's more usable there.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 whatsuprobert

whatsuprobert
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 23 July 2011 - 01:47 PM

Dear Broni,

Thanks for getting back with me so soon! My pc has actually been doing better every day for the last 3-4 days but it still has its setbacks. Last night the numbers came back and I was briefly unable to type any letters again (just numbers). So I started up my pc in safe mode, like you asked, I ran a spyware scan, and my keyboard is working again.

There are programs that continue to find their way into my start menu (ctfmon.exe) and my software seems to be corrupted. I tried to run system restore, but it doesn't work even in safe mode.

I cannot figure out how to insert a pictures onto this page, but the link to my scan results are posted below (see Post#1).It says that it has found Trojan Adware, Trojan Generic, and IRCbot on my pc since 07/02/2011

I also went into the windows event viewer and found a lot of error messages. I only posted two instances (See Post#2) but I can post more if that will help you. I deleted every unessential program on my computer that was listed as having errors.

Thanks again for contacting me so promptly Broni,

Robert


Post#1 [url="https://skydrive.live.com/redir.aspxcid=0db3ce707acde292&page=play&resid=DB3CE707ACDE292!231&authkey=3T4uyXp*LG4%24"]Orbit Scan Results

Post#2

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Setup
Event ID: 1020
Date: 6/22/2011
Time: 11:42:15 PM
User: N/A
Computer: DESKTOP
Description:
Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11706
Date: 7/14/2011
Time: 2:20:36 PM

Description:
Product: Microsoft Office File Validation Add-In -- Error 1706. An installation package for the product Microsoft Office File Validation Add-In cannot be found. Try the installation again using a valid copy of the installation package 'OFV.msi'.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 39 30 31 34 30 30 30 {9014000
0008: 30 2d 32 30 30 35 2d 30 0-2005-0
0010: 30 30 30 2d 30 30 30 30 000-0000
0018: 2d 30 30 30 30 30 30 30 -0000000
0020: 46 46 31 43 45 7d FF1CE}

Event Type: Error
Event Source: IDVault
Event Category: None
Event ID: 0
Date: 7/22/2011
Time: 7:20:46 PM
User: N/A
Computer: DESKTOP
Description:
IsStrikeForceAlreadyRunning failed Cannot process request because the process (2288) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ˆ_.‡_.__()

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:12 AM

Posted 23 July 2011 - 01:56 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 whatsuprobert

whatsuprobert
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 24 July 2011 - 12:00 AM

Thanks Broni,

I really appreciate all of your help. Here are the results you asked for in the order you requested. If I can do anything else just shoot!

Robert


Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 25
Out of date Java installed!
Adobe Flash Player 10.3.181.34
Adobe Reader 9.4.5
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
IObit IObit Malware Fighter IMFsrv.exe
``````````End of Log````````````


MiniToolBox by Farbar
Ran by on 23-07-2011 at 20:59:51
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration Host Name . . . . . . . . . . . . : DESKTOP Primary Dns Suffix . . . . . . . : Node Type . . . . . . . . . . . . : Unknown IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller Physical Address. . . . . . . . . : 00-13-72-2F-FB-51 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 192.168.1.20 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.1.1 DHCP Server . . . . . . . . . . . : 192.168.1.1 DNS Servers . . . . . . . . . . . : 192.168.1.1 Lease Obtained. . . . . . . . . . : Saturday, July 23, 2011 5:09:21 PM Lease Expires . . . . . . . . . . : Sunday, July 24, 2011 5:09:21 PM Server: UnKnown
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.93.106, 74.125.93.147, 74.125.93.105, 74.125.93.99
74.125.93.103, 74.125.93.104

Pinging google.com [74.125.91.105] with 32 bytes of data: Reply from 74.125.91.105: bytes=32 time=52ms TTL=51 Reply from 74.125.91.105: bytes=32 time=51ms TTL=51 Ping statistics for 74.125.91.105: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 51ms, Maximum = 52ms, Average = 51ms Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43

Pinging yahoo.com [69.147.125.65] with 32 bytes of data: Reply from 69.147.125.65: bytes=32 time=48ms TTL=50 Reply from 69.147.125.65: bytes=32 time=48ms TTL=50 Ping statistics for 69.147.125.65: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 48ms, Maximum = 48ms, Average = 48ms Pinging 127.0.0.1 with 32 bytes of data: Reply from 127.0.0.1: bytes=32 time<1ms TTL=64 Reply from 127.0.0.1: bytes=32 time<1ms TTL=64 Ping statistics for 127.0.0.1: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms ===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 13 72 2f fb 51 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.20 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.20 192.168.1.20 20
192.168.1.0 255.255.255.0 192.168.1.20 192.168.1.20 20
192.168.1.20 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.20 192.168.1.20 20
224.0.0.0 240.0.0.0 192.168.1.20 192.168.1.20 20
255.255.255.255 255.255.255.255 192.168.1.20 192.168.1.20 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/23/2011 05:51:02 AM) (Source: MsiInstaller) (User: Student H)Student H
Description: Product: Microsoft Office Professional Edition 2003 -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM.

Error: (07/23/2011 05:09:22 AM) (Source: AntiSpywareService) (User: )
Description: Service failed on stop: Access violation at address 0047E52D in module 'ComcastAntiSpyService.exe'. Read of address 0000000C

Error: (07/23/2011 04:57:19 AM) (Source: AntiSpywareService) (User: )
Description: Service failed on stop: Access violation at address 0047E52D in module 'ComcastAntiSpyService.exe'. Read of address 0000000C

Error: (07/23/2011 04:24:06 AM) (Source: Application Error) (User: )
Description: Faulting application chrome.exe, version 0.0.0.0, faulting module chrome.dll, version 12.0.742.122, fault address 0x005a6a9a.
Processing media-specific event for [chrome.exe!ws!]

Error: (07/22/2011 07:20:46 PM) (Source: IDVault) (User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (3376) has exited. at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 07:20:46 PM) (Source: IDVault) (User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (2288) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 07:20:46 PM) (Source: IDVault) (User: )
Description: IsStrikeForceAlreadyRunning MainModule.FileName; failed Only part of a ReadProcessMemory or WriteProcessMemory request was completed at System.Diagnostics.NtProcessManager.GetModuleInfos(Int32 processId, Boolean firstModuleOnly)
at System.Diagnostics.NtProcessManager.GetFirstModuleInfo(Int32 processId)
at System.Diagnostics.Process.get_MainModule()
at (Object )
at ?_.?_.__()

Error: (07/22/2011 06:30:13 PM) (Source: IDVault) (User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (1056) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 03:52:03 PM) (Source: IDVault) (User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (1056) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 03:52:03 PM) (Source: IDVault) (User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (3952) has exited. at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()


System errors:
=============
Error: (07/23/2011 05:00:48 AM) (Source: 0) (User: )
Description: \Device\LanmanDatagramReceiverREADYSHARENetBT_Tcpip_{5617D635-FAF3-46B

Error: (07/23/2011 04:57:31 AM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (07/23/2011 04:52:43 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (07/23/2011 04:25:07 AM) (Source: DCOM) (User: Student H)
Description: DCOM got error "%%1084" attempting to start the service MSIServer with arguments ""
in order to run the server:
{000C101C-0000-0000-C000-000000000046}

Error: (07/23/2011 04:23:52 AM) (Source: DCOM) (User: Student H)
Description: DCOM got error "%%1084" attempting to start the service MSIServer with arguments ""
in order to run the server:
{000C101C-0000-0000-C000-000000000046}

Error: (07/23/2011 04:20:59 AM) (Source: DCOM) (User: Student H)
Description: DCOM got error "%%1084" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error: (07/23/2011 04:19:58 AM) (Source: DCOM) (User: Student H)
Description: DCOM got error "%%1084" attempting to start the service COMSysApp with arguments ""
in order to run the server:
{182C40F0-32E4-11D0-818B-00A0C9231C29}

Error: (07/23/2011 04:19:58 AM) (Source: DCOM) (User: Student H)
Description: DCOM got error "%%1084" attempting to start the service COMSysApp with arguments ""
in order to run the server:
{182C40F0-32E4-11D0-818B-00A0C9231C29}

Error: (07/23/2011 04:19:47 AM) (Source: DCOM) (User: Student H)
Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error: (07/23/2011 03:44:50 AM) (Source: DCOM) (User: Student H)
Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}


Microsoft Office Sessions:
=========================
Error: (07/23/2011 05:51:02 AM) (Source: MsiInstaller)(User: Student H)Student H
Description: Product: Microsoft Office Professional Edition 2003 -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM.(NULL)(NULL)(NULL)

Error: (07/23/2011 05:09:22 AM) (Source: AntiSpywareService)(User: )
Description: Service failed on stop: Access violation at address 0047E52D in module 'ComcastAntiSpyService.exe'. Read of address 0000000C

Error: (07/23/2011 04:57:19 AM) (Source: AntiSpywareService)(User: )
Description: Service failed on stop: Access violation at address 0047E52D in module 'ComcastAntiSpyService.exe'. Read of address 0000000C

Error: (07/23/2011 04:24:06 AM) (Source: Application Error)(User: )
Description: chrome.exe0.0.0.0chrome.dll12.0.742.122005a6a9a

Error: (07/22/2011 07:20:46 PM) (Source: IDVault)(User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (3376) has exited. at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 07:20:46 PM) (Source: IDVault)(User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (2288) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 07:20:46 PM) (Source: IDVault)(User: )
Description: IsStrikeForceAlreadyRunning MainModule.FileName; failed Only part of a ReadProcessMemory or WriteProcessMemory request was completed at System.Diagnostics.NtProcessManager.GetModuleInfos(Int32 processId, Boolean firstModuleOnly)
at System.Diagnostics.NtProcessManager.GetFirstModuleInfo(Int32 processId)
at System.Diagnostics.Process.get_MainModule()
at (Object )
at ?_.?_.__()

Error: (07/22/2011 06:30:13 PM) (Source: IDVault)(User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (1056) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 03:52:03 PM) (Source: IDVault)(User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (1056) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()

Error: (07/22/2011 03:52:03 PM) (Source: IDVault)(User: )
Description: IsStrikeForceAlreadyRunning failed Cannot process request because the process (3952) has exited. at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.OpenProcessHandle()
at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value)
at (Object , Boolean )
at ?_.?_.__()


========================= Memory info: ===================================

Percentage of memory in use: 64%
Total physical RAM: 958.42 MB
Available physical RAM: 339.34 MB
Total Pagefile: 2313.62 MB
Available Pagefile: 1472.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.89 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:74.5 GB) (Free:12.24 GB) NTFS
2 Drive d: (PSE 8) (CDROM) (Total:1.55 GB) (Free:0 GB) CDFS

========================= Users: ========================================

User accounts for \\DESKTOP

Administrator Guest HelpAssistant
Student H SUPPORT_388945a0


== End of Mini Toolbar by Farbar log ==


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7256

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/23/2011 9:10:21 PM
mbam-log-2011-07-23 (21-10-21).txt

Scan type: Quick scan
Objects scanned: 166627
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-23 23:37:00
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HDS728080PLA380 rev.PF2OA63A
Running: jsyy91xh.exe; Driver: C:\DOCUME~1\STUDEN~1\LOCALS~1\Temp\fxddapoc.sys


---- System - GMER 1.0.15 ----

SSDT 85DA90E8 ZwAlertResumeThread
SSDT 85B221E0 ZwAlertThread
SSDT 85B2A0A8 ZwAllocateVirtualMemory
SSDT 85AD00A8 ZwAssignProcessToJobObject
SSDT 85EC5648 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF33D8710]
SSDT 85B4F400 ZwCreateMutant
SSDT 85A530C8 ZwCreateSymbolicLinkObject
SSDT 85C0DE40 ZwCreateThread
SSDT 85B420A8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF33D8990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF33D8EF0]
SSDT 85B080E8 ZwDuplicateObject
SSDT 85B0C0A8 ZwFreeVirtualMemory
SSDT 85DB4148 ZwImpersonateAnonymousToken
SSDT 85DAB108 ZwImpersonateThread
SSDT 85F74B78 ZwLoadDriver
SSDT 85BF40E8 ZwMapViewOfSection
SSDT 85778328 ZwOpenEvent
SSDT 85D39778 ZwOpenProcess
SSDT 85B17C70 ZwOpenProcessToken
SSDT 85A65E08 ZwOpenSection
SSDT 85C44320 ZwOpenThread
SSDT 85A55160 ZwProtectVirtualMemory
SSDT 85A19108 ZwResumeThread
SSDT 85AE0428 ZwSetContextThread
SSDT 85A4E0E8 ZwSetInformationProcess
SSDT 85BA7278 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF33D9140]
SSDT 85B8F108 ZwSuspendProcess
SSDT 85A991E0 ZwSuspendThread
SSDT 85AC70B0 ZwTerminateProcess
SSDT 85A65148 ZwTerminateThread
SSDT 85C03B58 ZwUnmapViewOfSection
SSDT 85B0E0A8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23B4 80501BEC 8 Bytes [E8, 90, DA, 85, E0, 21, B2, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2494 80501CCC 4 Bytes [E8, 80, B0, 85]
.text ntkrnlpa.exe!ZwCallbackReturn + 2534 80501D6C 4 Bytes CALL 98D5DCB1
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6C6A360, 0x2456AE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[732] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044C771 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Steven D. Levitt & Stephen J.\Freakonomics_ A Rogue Economist Explores the Hidden Side of Ever 0 bytes
File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Steven D. Levitt & Stephen J.\Freakonomics_ A Rogue Economist Explores the Hidden Side of Ever\Freakonomics_ A Rogue Economist Explores the Hidden Side of Everything - Steven D. Levitt & Ste. Dubner.jpg 49806 bytes
File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Steven D. Levitt & Stephen J.\Freakonomics_ A Rogue Economist Explores the Hidden Side of Ever\Freakonomics_ A Rogue Economist Explores the Hidden Side of Everything - Steven D. Levitt & Ste. Dubner.mobi 1244300 bytes
File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Steven D. Levitt & Stephen J.\Freakonomics_ A Rogue Economist Explores the Hidden Side of Ever\Freakonomics_ A Rogue Economist Explores the Hidden Side of Everything - Steven D. Levitt & Ste. Dubner.opf 6875 bytes
File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Noah J. Goldstein & Steve J. Martin & Robert B.\Yes!_ 50 Scientifically Proven Ways to Be Pe 0 bytes
File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Noah J. Goldstein & Steve J. Martin & Robert B.\Yes!_ 50 Scientifically Proven Ways to Be Pe\Yes!_ 50 Scientifically Proven Ways to Be Persuasive - Noah J. Goldstein & Steve J. Martin & . Cialdini.jpg 39304 bytes
File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Noah J. Goldstein & Steve J. Martin & Robert B.\Yes!_ 50 Scientifically Proven Ways to Be Pe\Yes!_ 50 Scientifically Proven Ways to Be Persuasive - Noah J. Goldstein & Steve J. Martin & . Cialdini.mobi 324671 bytes
File C:\Documents and Settings\Student H\My Documents\FIve Star Books (MOBI)\MOBI\Noah J. Goldstein & Steve J. Martin & Robert B.\Yes!_ 50 Scientifically Proven Ways to Be Pe\Yes!_ 50 Scientifically Proven Ways to Be Persuasive - Noah J. Goldstein & Steve J. Martin & . Cialdini.opf 5993 bytes

---- EOF - GMER 1.0.15 ----

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:12 AM

Posted 24 July 2011 - 12:08 AM

Those logs look fine.

What are the current issues?

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#7 whatsuprobert

whatsuprobert
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 25 July 2011 - 06:00 PM

Dear Broni,


I just finished my eset scan and everything is OK. My computer is running fine and I am one happy little boy right now. I don't want to put up my "mission accomplished" sign right now but, thanks for all of your help! I was wondering if you would send me an email so I can get your email address (give me a reply if you don't have my email address already). Just in case I need your help in the future. It has been a pleasure working with you and I can't thank you enough.

Bravo! :clapping: Bravo! :thumbsup:


Robert

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:03:12 AM

Posted 25 July 2011 - 08:14 PM

Good news :)

Last steps...

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=================================================================

Update Adobe Reader

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

================================================================

Your computer is clean Posted Image

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure, Windows Updates are current.

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users