MatrixSSL problem?

22 replies to this topic

#1 Five Circles

Posted 18 September 2011 - 11:32 PM

Hello. I think I have a virus, but I'm not sure what is going on exactly, much less how to fix. So I'm hoping someone here can help.

This started with a problem I found with the Trend Micro spam filter. The problem started on two computers at about the same time, and the other one isn't suffering from the virus issue - if it is one.

After a couple of hours with Trend support, including escalation, Hitman Pro was installed and found a problem with MatrixSSL.DLL. The Trend support person suggested there was likely to be a problem with out of date software that was vulnerable. This seemed a bit far fetched for the anti-spam as I'd been keeping up to date after a recent rebuild, and the symptoms for anti-spam on the two machines didn't match, but I wanted to clean up the problem in any case.

I deleted the problem file with HitMan, but the scan found it again after a restart. Eventually I got a little smarter thanks to some advice and ran HitMan in safe mode. After that the scan showed nothing, but after a couple of days another scan showed the problem again.

I've also tried MalwareBytes - it doesn't find an issue.

I know a little about MatrixSSL, but not how it might have been installed. I thought it might have come with PogoPlug, but I uninstalled it to eliminate it.

The symptoms I'm seeing are slowing down, and some websites not being found. The issue with Trend was reporting spam and getting emails rejected as having an attachment.

I'd rather not, but worst case I can system restore to about a week ago before I installed Office 2010. I'm running Windows 7 64-bit, with Office 2010 32-bit. When the problem started, I was running Trend Micro Titanium Maximum Security 2011, since updated to 2012. The other computer, with the same email rejection issue, was running Trend Micro Internet Security Pro 2011, since updated to Titanium Maximum Security 2012.

I would very much appreciate any advice or steps I should take.

Thanks
Mike


#2 Broni

Posted 18 September 2011 - 11:53 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE
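The three MiniToolBox sections asked for above (proxy settings, hosts content, IP configuration) are where a browser-hijacking infection usually shows itself: a proxy pointed at a host the owner never configured, hosts entries that redirect or blackhole names, or DNS servers outside the LAN. The Python below is an added example, not MiniToolBox's or BleepingComputer's code: it splits a MiniToolBox-style log on its `===== Name: =====` headers and flags such entries. The embedded log and the `Proxy is enabled.` / `Proxy Server:` wording are constructed assumptions about the tool's output format, not copied from a real report.

```python
"""Triage the MiniToolBox sections a helper typically asks for (proxy settings,
hosts content, IP configuration) and flag entries worth a second look.
Added example; not MiniToolBox's or BleepingComputer's code."""
import ipaddress
import re

# Section headers look like "===== IE Proxy Settings: =====" (name, colon, '=' run).
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?):\s*=+$")


def split_sections(text):
    """Return {section name: [lines]} keyed by the '===== Name: =====' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name").strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def check_proxy(lines):
    """Flag a configured proxy. Assumed wording: 'Proxy is enabled.' / 'Proxy Server: ...'."""
    return [f"proxy configured: {l.strip()}" for l in lines
            if l.strip().lower().startswith(("proxy is enabled", "proxy server:"))]


def check_hosts(lines):
    """A clean hosts file only maps localhost to a loopback address. Any other
    entry either redirects a name to another host or blackholes it (both are
    classic ways of steering or blinding a victim's browser and AV updates)."""
    findings = []
    for line in lines:
        parts = line.split("#", 1)[0].split()          # drop comments, tokenize
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        names = [n for n in parts[1:]
                 if n.lower() not in ("localhost", "localhost.localdomain")]
        if not (addr.is_loopback or addr.is_unspecified):
            findings.append(f"hosts redirects {' '.join(parts[1:])} -> {addr}")
        elif names:
            findings.append(f"hosts blackholes {' '.join(names)} (-> {addr})")
    return findings


def dns_servers(lines):
    """Collect DNS servers from the ipconfig block; extra servers continue on
    bare-address lines under the 'DNS Servers . . . :' label."""
    servers, collecting = [], False
    for line in lines:
        s = line.strip()
        if s.startswith("DNS Servers"):
            collecting = True
            s = s.partition(":")[2].strip()
            if not s:
                continue
        elif not collecting:
            continue
        try:
            addr = ipaddress.ip_address(s.split("%", 1)[0])   # strip IPv6 scope id
        except ValueError:
            collecting = False                               # next label reached
            continue
        if addr not in servers:
            servers.append(addr)
    return servers


def check_dns(lines):
    """Private or link-local resolvers are the normal home setup; a global
    address is not necessarily bad, but the owner should recognise it."""
    return [f"DNS server outside the LAN, confirm it is intended: {a}"
            for a in dns_servers(lines) if a.is_global]


def triage(text):
    """Run all three checks over a MiniToolBox-style log and group the findings."""
    sec = split_sections(text)
    return {
        "proxy": check_proxy(sec.get("IE Proxy Settings", []))
                 + check_proxy(sec.get("FF Proxy Settings", [])),
        "hosts": check_hosts(sec.get("Hosts content", [])),
        "dns": check_dns(sec.get("IP Configuration", [])),
    }


# Constructed sample log (not real tool output); 8.8.8.8 stands in for any
# resolver that is not on the local network.
SAMPLE_LOG = """\
========================= IE Proxy Settings: ==============================

Proxy is enabled.
Proxy Server: 203.0.113.5:8080

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost
::1 localhost
127.0.0.1 www.example-avvendor.test
203.0.113.7 www.example-bank.test

========================= IP Configuration: ================================

Ethernet adapter Local Area Connection:

IPv4 Address. . . . . . . . . . . : 192.168.2.246(Preferred)
Default Gateway . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

========================= Event log errors: ===============================
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(f"[{kind}] {item}")
```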

 


#3 Five Circles

Posted 19 September 2011 - 02:34 PM

Thanks Broni.

Some of the sources for downloads were flagged as problems by Trend Micro, but I downloaded from a Linux computer and then checked the files.

Logs included (I don't think I can attach files - or did I miss something?):
1. Checkup from SecurityCheck run in Safe Mode.
2. Checkup from SecurityCheck run in Normal mode.
3. MiniToolBox log
4. Malware Bytes Log
5. GMER Log

Observations:
  • SecurityCheck thinks Internet Explorer is at version 8. I don't use it, but it is at version 9
  • SecurityCheck thinks Java is out of date. I haven't seen any warnings to update.
  • Adobe reader is out of date. I'll update it now.
  • SecurityCheck thinks Firefox is out of date. I'm running the latest - 6.02.
  • Malware Bytes didn't find anything - just like before
  • GMER finds some issues with BTHPORT.
  • The system seems more unstable now, with Windows Explorer hanging.

Does this help to figure out what the problem is and how to fix it?
Mike


SecurityCheck Safe:
Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.183.7
Adobe Reader 9.4.6
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Security Check Normal
Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.183.7
Adobe Reader 9.4.6
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Trend Micro AMSP coreServiceShell.exe
Trend Micro UniClient UiFrmWrk uiWatchDog.exe
Trend Micro AMSP coreFrameworkHost.exe
Trend Micro Titanium Plugin TMAS\TMAS_WLM\TMAS_WLMMon.exe
Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
``````````End of Log````````````


MiniToolBox log
MiniToolBox by Farbar
Ran by mikep (administrator) on 19-09-2011 at 09:57:47
Windows 7 Professional Service Pack 1 (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Rosebank
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 90-00-4E-E5-D9-85
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : 78-2B-CB-D0-C8-66
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ec2a:262d:9e5e:39a4%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.246(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, September 19, 2011 9:40:17 AM
Lease Expires . . . . . . . . . . : Tuesday, September 20, 2011 9:40:18 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 300961186
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-B8-DF-E8-F0-4D-A2-C0-23-DE
DNS Servers . . . . . . . . . . . : 192.168.1.1
184.16.4.22
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : DW1501 Wireless-N WLAN Half-Mini Card
Physical Address. . . . . . . . . : 1C-65-9D-E1-B2-87
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::ac56:7a0e:75de:9910%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.106(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, September 19, 2011 9:40:21 AM
Lease Expires . . . . . . . . . . : Tuesday, September 20, 2011 9:40:22 AM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 186410397
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-B8-DF-E8-F0-4D-A2-C0-23-DE
DNS Servers . . . . . . . . . . . : 192.168.1.1
184.16.4.22
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{95570435-BB2E-4EB1-8906-C0C5E890A0F2}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:4b1:3be8:3f57:fd09(Preferred)
Link-local IPv6 Address . . . . . : fe80::4b1:3be8:3f57:fd09%21(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{98DA7AC9-9A1F-4A42-AFA6-857884D354A7}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: Wireless_Broadband_Router.ftrdhcpuser.net
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.225.80
74.125.225.81
74.125.225.82
74.125.225.83
74.125.225.84


Pinging google.com [74.125.225.84] with 32 bytes of data:
Reply from 74.125.225.84: bytes=32 time=58ms TTL=52
Reply from 74.125.225.84: bytes=32 time=57ms TTL=52

Ping statistics for 74.125.225.84:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 57ms, Maximum = 58ms, Average = 57ms
Server: Wireless_Broadband_Router.ftrdhcpuser.net
Address: 192.168.1.1

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56


Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=71ms TTL=49
Reply from 209.191.122.70: bytes=32 time=71ms TTL=49

Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 71ms, Maximum = 71ms, Average = 71ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
13...90 00 4e e5 d9 85 ......Bluetooth Device (Personal Area Network)
11...78 2b cb d0 c8 66 ......Realtek PCIe GBE Family Controller
10...1c 65 9d e1 b2 87 ......DW1501 Wireless-N WLAN Half-Mini Card
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
23...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
21...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.246 20
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.106 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.246 276
192.168.2.0 255.255.255.0 On-link 192.168.2.106 281
192.168.2.106 255.255.255.255 On-link 192.168.2.106 281
192.168.2.246 255.255.255.255 On-link 192.168.2.246 276
192.168.2.255 255.255.255.255 On-link 192.168.2.246 276
192.168.2.255 255.255.255.255 On-link 192.168.2.106 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.246 276
224.0.0.0 240.0.0.0 On-link 192.168.2.106 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.246 276
255.255.255.255 255.255.255.255 On-link 192.168.2.106 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
21 58 ::/0 On-link
1 306 ::1/128 On-link
21 58 2001::/32 On-link
21 306 2001:0:4137:9e76:4b1:3be8:3f57:fd09/128
On-link
11 276 fe80::/64 On-link
10 281 fe80::/64 On-link
21 306 fe80::/64 On-link
21 306 fe80::4b1:3be8:3f57:fd09/128
On-link
10 281 fe80::ac56:7a0e:75de:9910/128
On-link
11 276 fe80::ec2a:262d:9e5e:39a4/128
On-link
1 306 ff00::/8 On-link
21 306 ff00::/8 On-link
11 276 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (09/19/2011 09:55:03 AM) (Source: Application Hang) (User: )
Description: The program explorer.exe version 6.1.7601.17567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 140c

Start Time: 01cc76eafbc9fdf2

Termination Time: 265

Application Path: C:\Windows\explorer.exe

Report Id:

Error: (09/19/2011 09:53:44 AM) (Source: Application Hang) (User: )
Description: The program Explorer.EXE version 6.1.7601.17567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: c0c

Start Time: 01cc76eae106d83b

Termination Time: 16

Application Path: C:\Windows\Explorer.EXE

Report Id: ed3b302b-e2df-11e0-8871-782bcbd0c866

Error: (09/19/2011 09:43:15 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/19/2011 09:43:15 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/19/2011 09:43:15 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/19/2011 09:40:59 AM) (Source: Sage ACT! Scheduler) (User: )
Description: Service cannot be started. System.Exception: Unable to start scheduler service. ScheduledItems count is less than or equal to 0.
at Act.Scheduler.SchedulerService.OnStart(String[] args)
at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (09/19/2011 09:35:41 AM) (Source: Sage ACT! Scheduler) (User: )
Description: Service cannot be started. System.Exception: Unable to start scheduler service. ScheduledItems count is less than or equal to 0.
at Act.Scheduler.SchedulerService.OnStart(String[] args)
at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (09/19/2011 09:30:42 AM) (Source: Application Hang) (User: )
Description: The program Explorer.EXE version 6.1.7601.17567 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1014

Start Time: 01cc76e785aed3e7

Termination Time: 0

Application Path: C:\Windows\Explorer.EXE

Report Id: a1299c34-e2dc-11e0-b5e8-782bcbd0c866

Error: (09/19/2011 09:18:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/19/2011 09:18:54 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle


System errors:
=============
Error: (09/19/2011 09:40:57 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSISER.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:23 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSISTRMX.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:14 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSIKBF5.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:14 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSIMSF5.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:14 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSIMSF5.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:13 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSIKBF5.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:09 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSIKBF5.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:09 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\TSIMSF5.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:40:05 AM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\tsircmir.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/19/2011 09:39:19 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (09/19/2011 09:55:03 AM) (Source: Application Hang)(User: )
Description: explorer.exe6.1.7601.17567140c01cc76eafbc9fdf2265C:\Windows\explorer.exe

Error: (09/19/2011 09:53:44 AM) (Source: Application Hang)(User: )
Description: Explorer.EXE6.1.7601.17567c0c01cc76eae106d83b16C:\Windows\Explorer.EXEed3b302b-e2df-11e0-8871-782bcbd0c866

Error: (09/19/2011 09:43:15 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/19/2011 09:43:15 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/19/2011 09:43:15 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/19/2011 09:40:59 AM) (Source: Sage ACT! Scheduler)(User: )
Description: Service cannot be started. System.Exception: Unable to start scheduler service. ScheduledItems count is less than or equal to 0.
at Act.Scheduler.SchedulerService.OnStart(String[] args)
at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (09/19/2011 09:35:41 AM) (Source: Sage ACT! Scheduler)(User: )
Description: Service cannot be started. System.Exception: Unable to start scheduler service. ScheduledItems count is less than or equal to 0.
at Act.Scheduler.SchedulerService.OnStart(String[] args)
at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (09/19/2011 09:30:42 AM) (Source: Application Hang)(User: )
Description: Explorer.EXE6.1.7601.17567101401cc76e785aed3e70C:\Windows\Explorer.EXEa1299c34-e2dc-11e0-b5e8-782bcbd0c866

Error: (09/19/2011 09:18:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/19/2011 09:18:54 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle


=========================== Installed Programs ============================

7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
AccelerometerP11 (Version: 2.00.10.17)
ActiveTracker (Version: 110718)
Adobe Digital Editions
Adobe Flash Player 10 ActiveX (Version: 10.1.85.3)
Adobe Flash Player 10 Plugin (Version: 10.3.183.7)
Adobe Reader 9.4.6 (Version: 9.4.6)
Advanced Audio FX Engine (Version: 1.12.05)
Bing Bar (Version: 6.0.2282.0)
Brother HL-5370DW (Version: 1.00)
Brother MFL-Pro Suite MFC-795CW (Version: 1.0.3.0)
CCleaner (Version: 3.10)
CDex - Open Source Digital Audio CD Extractor (Version: 1.70.4.2009)
Cisco EAP-FAST Module (Version: 2.2.14)
Cisco LEAP Module (Version: 1.0.19)
Cisco PEAP Module (Version: 1.1.6)
D3DX10 (Version: 15.4.2368.0902)
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Backup and Recovery Manager (Version: 1.3)
Dell Edoc Viewer (Version: 1.0.0)
Dell Support Center (Version: 3.1.5830.17)
Dell Touchpad (Version: 15.0.2.0)
Dell Webcam Central (Version: 2.00.35)
DigitalPersona Personal 4.01 (Version: 4.01.3765)
DW WLAN Card Utility (Version: 5.60.48.35)
Google Calendar Sync
IDT Audio (Version: 1.0.6277.0)
Intel PROSet Wireless
Intel® Control Center (Version: 1.2.1.1007)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® PROSet/Wireless WiFi Software (Version: 13.00.0000)
Intel® Rapid Storage Technology (Version: 9.6.0.1014)
Intel® Turbo Boost Technology Driver (Version: 01.00.01.1002)
Ipswitch WS_Ping ProPack Uninstall
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 22 (64-bit) (Version: 6.0.220)
Java™ 6 Update 26 (Version: 6.0.260)
Junk Mail filter update (Version: 15.4.3502.0922)
Laplink DiskImage Professional (Version: 5.0.127)
Laplink Gold (Version: 14.01.0016)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Mesh Runtime (Version: 15.4.5722.2)
Messenger Companion (Version: 15.4.3502.0922)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Easy Assist v2 (Version: 8.1.6416.0)
Microsoft IntelliPoint 8.2 (Version: 8.20.468.0)
Microsoft IntelliType Pro 8.2 (Version: 8.20.469.0)
Microsoft Office 2007 Primary Interop Assemblies (Version: 12.0.4518.1014)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft SQL Server 2008 R2 (64-bit)
Microsoft SQL Server 2008 R2 Native Client (Version: 10.51.2500.0)
Microsoft SQL Server 2008 R2 RsFx Driver (Version: 10.51.2500.0)
Microsoft SQL Server 2008 R2 Setup (English) (Version: 10.51.2500.0)
Microsoft SQL Server 2008 Setup Support Files (Version: 10.1.2731.0)
Microsoft SQL Server Browser (Version: 10.51.2500.0)
Microsoft SQL Server VSS Writer (Version: 10.51.2500.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Mozilla Firefox 6.0.2 (x86 en-US) (Version: 6.0.2)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
Notepad++ (Version: 5.9.3)
NVIDIA Drivers (Version: 1.10.62.40)
Olympus Sonority (Version: 1.3.2)
OverDrive Media Console (Version: 3.2.5)
QuickBooks (Version: 21.0.4008.904)
QuickBooks Pro 2011 (Version: 21.0.4008.904)
Quickset64 (Version: 1.3.3)
Realtek Ethernet Controller Driver For Windows 7 (Version: 7.17.304.2010)
Realtek USB 2.0 Card Reader (Version: 6.1.7600.30102)
Roxio Creator Audio (Version: 3.7.0)
Roxio Creator Copy (Version: 3.7.0)
Roxio Creator Data (Version: 3.7.0)
Roxio Creator DE 10.3 (Version: 10.3)
Roxio Creator DE 10.3 (Version: 3.7.0)
Roxio Creator Tools (Version: 3.7.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio Update Manager (Version: 6.0.0)
Sage ACT! Pro 2011 (Version: 13.1.0.0)
Seagate Replica v3.0.1801.8554
Search and Replace (x64) (Version: 6.6)
Service Pack 1 for SQL Server 2008 R2 (KB2528583) (64-bit) (Version: 10.51.2500.0)
SPSS Statistics 17.0 (Version: 17.0.1)
SQL Server 2008 R2 SP1 Common Files (Version: 10.51.2500.0)
SQL Server 2008 R2 SP1 Database Engine Services (Version: 10.51.2500.0)
SQL Server 2008 R2 SP1 Database Engine Shared (Version: 10.51.2500.0)
Sql Server Customer Experience Improvement Program (Version: 10.50.1600.1)
Titanium Maximum Security (Version: 5.0)
TreeSize Professional 5.2.3
Trend Micro Titanium (Version: 5.00)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Outlook Social Connector (KB2583935)
Validity Sensors DDK (Version: 3.1.379)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
VNC Free Edition 4.1.2 (Version: 4.1.2)
WIDCOMM Bluetooth Software (Version: 6.2.1.900)
WinCross 11.0 Desktop Edition (Version: 11.0.11.301)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3502.0922)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3502.0922)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Yahoo! Detect

========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 5942.6 MB
Available physical RAM: 3876.66 MB
Total Pagefile: 11883.39 MB
Available Pagefile: 9188.54 MB
Total Virtual: 4095.88 MB
Available Virtual: 3975.41 MB

========================= Partitions: =====================================

1 Drive c: (Rosebank_Drive_C) (Fixed) (Total:454.57 GB) (Free:324.57 GB) NTFS
3 Drive f: (Seagate Replica) (Fixed) (Total:1374.73 GB) (Free:554.13 GB) NTFS
4 Drive g: (Rosebank_Old_Drive_C) (Fixed) (Total:454.57 GB) (Free:219.4 GB) NTFS

========================= Users: ========================================

User accounts for \\ROSEBANK

Administrator Guest mikep


**** End of log ****

Malwarebytes Log
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7749

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

9/19/2011 10:19:22 AM
mbam-log-2011-09-19 (10-19-22).txt

Scan type: Quick scan
Objects scanned: 198624
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-19 10:56:19
Windows 6.1.7601 Service Pack 1
Running: tuzt22lz(GMER).exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158306c9e6
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004ee5d985
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004ee5d985@f4fc323bf4f8 0xC5 0x15 0x72 0xB7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38bf84c0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158306c9e6 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004ee5d985 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004ee5d985@f4fc323bf4f8 0xC5 0x15 0x72 0xB7 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38bf84c0 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:31 AM

Posted 19 September 2011 - 07:16 PM

All looks clean.

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#5 Five Circles

Five Circles
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:31 AM

Posted 20 September 2011 - 10:07 AM

Nothing found from either Temp File Cleaner or ESET.

I got some errors from Microsoft iPoint (apparently): "ipoint.exe - No disk. There is no disk in the drive. Please insert a disk into drive \Device\Harddisk2\DR2." I thought the program had either been hijacked or just had a problem because of something one of the tools had done, although the disk message was ominous. So I uninstalled it, and haven't seen the message since.

I also have some yellow warnings in the device manager for bluetooth devices that don't have drivers. I uninstalled the devices, but they came back after a reboot. Isn't this something to do with BTHPORT - and wasn't this a real issue? I won't reinstall the driver yet.

Thanks
Mike

#6 Broni

Posted 20 September 2011 - 07:39 PM

I uninstalled the devices, but they came back after a reboot

Is the yellow warning back?

Also, if you look at the Event Viewer errors you can see a bunch of these:
TSISER.SYS
TSISTRMX.SYS
TSIKBF5.SYS has been blocked from loading due to incompatibility with this system

Those files are part of:
Laplink DiskImage Professional (Version: 5.0.127)
Laplink Gold (Version: 14.01.0016)


#7 Five Circles

Posted 20 September 2011 - 09:18 PM

The yellow warnings in the device manager are back - sorry I wasn't clear. They are in Other Devices - both "Bluetooth peripheral devices". The two Bluetooth Radios (Dell Wireless 365 Bluetooth Module, and Microsoft Bluetooth Enumerator) are OK. I'm not sure if this is a red herring, as I haven't tried connecting any Bluetooth devices since this started.

The Laplink programs are used, and I think OK. Laplink Gold isn't fully compatible with Windows 7, but I'm only using functionality that is. Support told me it was OK, but they of course want me to upgrade. Laplink Disk image is (I think) fully compatible.

Mike

#8 Broni

Posted 20 September 2011 - 09:24 PM

Did you try to go to the Dell site to see if they have drivers?


#9 Five Circles

Posted 20 September 2011 - 11:19 PM

Did you try to go to the Dell site to see if they have drivers?

Yes, I've spent hours with Dell support and had the computer in (I thought) good shape before this problem. I have all the latest drivers that can be reinstalled.

I'm beginning to think it would be better to rebuild. Is this MatrixSSL flagged by Hitman Pro anything important? Hitman is the only program that flags it. I'm feeling like a lot of time (and your valued help) is being taken while things only get worse. I might be able to go back to an image that's before Office 2010, run through the same tests and then move forward. That won't be for a few days though.

Mike

#10 Broni

Posted 20 September 2011 - 11:23 PM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :filefind
    MatrixSSL.DLL
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#11 Five Circles

Posted 21 September 2011 - 09:47 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 07:37 on 21/09/2011 by mikep
Administrator - Elevation successful

========== filefind ==========

Searching for "MatrixSSL.DLL"
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4908\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [15:55 20/09/2011] [15:55 20/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-5164\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [03:57 20/09/2011] [03:57 20/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-5220\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [00:01 21/09/2011] [00:01 21/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-5256\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [21:18 20/09/2011] [21:18 20/09/2011] 62021BEE2A3C77A1A7316037E8F651F5

-= EOF =-


These files keep getting added. It looks like they are on some schedule independent of human activity. The computer shut down on its own last night. I wasn't in front of it, so I don't know if there was a BSOD first.

#12 Broni

Posted 21 September 2011 - 07:25 PM

Re-run SystemLook with this code:

:file
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4908\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll


#13 Five Circles

Posted 21 September 2011 - 07:47 PM

The original MatrixSSL files disappeared - probably due to the computer doing Startup Repair and going back a way.

I ran the original command again

:filefind
MatrixSSL.DLL

SystemLook 30.07.11 by jpshortstuff
Log created at 17:38 on 21/09/2011 by mikep
Administrator - Elevation successful

========== filefind ==========

Searching for "MatrixSSL.DLL"
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-2496\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [02:18 20/09/2011] [02:18 20/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4204\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [20:39 19/09/2011] [20:39 19/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4336\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [22:21 19/09/2011] [22:21 19/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4480\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [20:31 21/09/2011] [20:31 21/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4644\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [18:49 21/09/2011] [18:49 21/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4784\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [21:18 21/09/2011] [21:18 21/09/2011] 62021BEE2A3C77A1A7316037E8F651F5

-= EOF =-


And then ran :file on each of them. All came up with the same result:
SystemLook 30.07.11 by jpshortstuff
Log created at 17:42 on 21/09/2011 by mikep
Administrator - Elevation successful

========== file ==========

C:\Users\mikep\AppData\Local\Temp\pdk-mikep-2496\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll - File found and opened.
MD5: 62021BEE2A3C77A1A7316037E8F651F5
Created at 02:18 on 20/09/2011
Modified at 02:18 on 20/09/2011
Size: 82021 bytes
Attributes: -ra----
No version information available.
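
The filefind output above (six copies, one hash) can be checked mechanically rather than by eye. The following is an added example, not part of this thread and not SystemLook's own code: it parses SystemLook result lines of the format shown, groups the hits by MD5 and size, and checks whether each copy's hash-named parent folder matches the file's own MD5. The sample log embedded in it is a constructed copy of the result from the post above.

```python
"""Consistency check over SystemLook ':filefind' output.

Added example; it is not part of this thread and not SystemLook's own code.
It parses result lines of the format pasted above, groups the hits by MD5 and
size, and checks that the hash-named parent folder of every copy matches the
file's own MD5. SAMPLE_LOG is a constructed copy of the six-line result from
the post above."""
import re
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample: the filefind result from the post above.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 17:38 on 21/09/2011 by mikep
Administrator - Elevation successful

========== filefind ==========

Searching for "MatrixSSL.DLL"
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-2496\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [02:18 20/09/2011] [02:18 20/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4204\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [20:39 19/09/2011] [20:39 19/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4336\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [22:21 19/09/2011] [22:21 19/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4480\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [20:31 21/09/2011] [20:31 21/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4644\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [18:49 21/09/2011] [18:49 21/09/2011] 62021BEE2A3C77A1A7316037E8F651F5
C:\Users\mikep\AppData\Local\Temp\pdk-mikep-4784\62021bee2a3c77a1a7316037e8f651f5\MatrixSSL.dll -ra---- 82021 bytes [21:18 21/09/2011] [21:18 21/09/2011] 62021BEE2A3C77A1A7316037E8F651F5

-= EOF =-
"""

# One result line: '<path> <attrs> <size> bytes [<created>] [<modified>] <MD5>'.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
STAMP_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints '02:18 20/09/2011'


def parse_filefind(text: str) -> List[Dict]:
    """Return one record per filefind hit; header, blank and EOF lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = PureWindowsPath(m["path"])
        records.append({
            "path": str(p),
            "name": p.name,
            "parent": p.parent.name,              # hash-named folder
            "staging_dir": p.parent.parent.name,  # e.g. pdk-mikep-2496
            "attrs": m["attrs"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], STAMP_FMT),
            "modified": datetime.strptime(m["modified"], STAMP_FMT),
            "md5": m["md5"].upper(),
        })
    return records


def summarize(records: List[Dict]) -> Dict:
    """Collapse the hits: distinct hashes and sizes, time span, and whether every
    copy lives in a folder named after its own MD5 (a content-addressed cache)."""
    if not records:
        return {"count": 0}
    return {
        "count": len(records),
        "md5s": sorted({r["md5"] for r in records}),
        "sizes": sorted({r["size"] for r in records}),
        "folder_matches_md5": all(r["parent"].upper() == r["md5"] for r in records),
        "staging_dirs": sorted({r["staging_dir"] for r in records}),
        "first_seen": min(r["created"] for r in records),
        "last_seen": max(r["created"] for r in records),
    }


if __name__ == "__main__":
    s = summarize(parse_filefind(SAMPLE_LOG))
    print(f"{s['count']} copies, MD5s: {s['md5s']}, sizes: {s['sizes']}")
    print("folder name == file MD5 for every copy:", s["folder_matches_md5"])
    print("seen between", s["first_seen"], "and", s["last_seen"])
```

On this data every copy has the same MD5 and size and sits under a per-run pdk-mikep-<pid> folder in a subfolder named after that MD5. That is the pattern of one packaged application re-extracting the same bundled library each time it runs, not of six unrelated files; reading it that way is the example's interpretation, not something the thread states. Differing hashes or sizes under the same file name would be the case worth escalating.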


#14 Broni

Posted 21 September 2011 - 08:15 PM

Upload one of those files to http://www.virustotal.com/ for a security check:
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.


#15 Five Circles

Posted 21 September 2011 - 08:22 PM

Antivirus Version Last Update Result
AhnLab-V3 2011.09.21.02 2011.09.21 -
AntiVir 7.11.15.3 2011.09.21 -
Antiy-AVL 2.0.3.7 2011.09.21 -
Avast 4.8.1351.0 2011.09.18 -
Avast5 5.0.677.0 2011.09.18 -
AVG 10.0.0.1190 2011.09.21 -
BitDefender 7.2 2011.09.22 -
ByteHero 1.0.0.1 2011.09.13 -
CAT-QuickHeal 11.00 2011.09.21 -
ClamAV 0.97.0.0 2011.09.22 -
Commtouch 5.3.2.6 2011.09.22 -
Comodo 10198 2011.09.22 -
DrWeb 5.0.2.03300 2011.09.22 -
Emsisoft 5.1.0.11 2011.09.22 Win32.SuspectCrc!IK
eSafe 7.0.17.0 2011.09.20 -
eTrust-Vet 36.1.8574 2011.09.21 -
F-Prot 4.6.2.117 2011.09.21 -
F-Secure 9.0.16440.0 2011.09.22 -
Fortinet 4.3.370.0 2011.09.22 -
GData 22 2011.09.22 -
Ikarus T3.1.1.107.0 2011.09.22 Win32.SuspectCrc
Jiangmin 13.0.900 2011.09.21 -
K7AntiVirus 9.113.5173 2011.09.21 -
Kaspersky 9.0.0.837 2011.09.22 -
McAfee 5.400.0.1158 2011.09.22 -
McAfee-GW-Edition 2010.1D 2011.09.21 -
Microsoft 1.7702 2011.09.21 -
NOD32 6483 2011.09.22 -
Norman 6.07.11 2011.09.21 -
nProtect 2011-09-21.02 2011.09.21 -
Panda 10.0.3.5 2011.09.21 -
PCTools 8.0.0.5 2011.09.22 -
Prevx 3.0 2011.09.22 -
Rising 23.76.02.03 2011.09.21 -
Sophos 4.69.0 2011.09.22 -
SUPERAntiSpyware 4.40.0.1006 2011.09.21 -
Symantec 20111.2.0.82 2011.09.22 -
TheHacker 6.7.0.1.305 2011.09.21 -
TrendMicro 9.500.0.1008 2011.09.22 -
TrendMicro-HouseCall 9.500.0.1008 2011.09.22 -
VBA32 3.12.16.4 2011.09.21 -
VIPRE 10546 2011.09.21 -
ViRobot 2011.9.21.4681 2011.09.21 -
VirusBuster 14.0.225.0 2011.09.21 -
Additional information
MD5 : 62021bee2a3c77a1a7316037e8f651f5
SHA1 : 3708c02667d4b885dfa0d56bf951ff8ede833853
SHA256: 3eb1021e0a1d9cbf40cf728a0dbb93977113a4815a0e7743ff6b06e2f095098d
ssdeep: 1536:DqUjULG1D6ykjO0T0CtTo/PaWwcjSTUZqCD9Q+1NrNv4d:OiBDojOK0oTo/PrcUo+9q
File size : 82021 bytes
First seen: 2010-10-20 04:29:48
Last seen : 2011-09-22 01:16:16
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: Armadillo v1.xx - v2.xx
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xE671
timedatestamp....: 0x49AF325B (Thu Mar 05 02:00:59 2009)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xD734, 0xE000, 6.24, 24ef8c8f788ad5ad73de9cc599dd6282
.rdata, 0xF000, 0x2DEA, 0x3000, 5.58, d0b02c77a5b1d891a2604cd5a18b9246
.data, 0x12000, 0xF48, 0x1000, 0.46, aa5fe0bbf8cbf10b214016eebf0865bf
.reloc, 0x13000, 0x5CC, 0x1000, 2.99, 5d0e6b7c628d3569337f94474f7a942f

[[ 4 import(s) ]]
perl58.dll: Perl_mg_set, Perl_sv_setiv, Perl_Isv_undef_ptr, Perl_newSVpvf_nocontext, Perl_sv_2pv_flags, Perl_sv_newmortal, Perl_Tcurpad_ptr, Perl_Top_ptr, Perl_croak, Perl_hv_delete_ent, Perl_hv_exists_ent, Perl_get_context, Perl_sv_setpvn_mg, Perl_sv_catpvn_mg, Perl_sv_2uv, Perl_hv_store_ent, Perl_sv_setpvn, Perl_Isv_yes_ptr, Perl_sv_setpv, Perl_newXS, Perl_get_sv, Perl_form, Perl_Tstack_sp_ptr, Perl_push_scope, Perl_Ttmps_floor_ptr, Perl_save_int, Perl_Ttmps_ix_ptr, Perl_av_len, Perl_croak_nocontext, Perl_av_fetch, Perl_newAV, Perl_sv_2mortal, Perl_newHV, Perl_newSVpv, Perl_hv_store, Perl_newSViv, Perl_newRV, Perl_av_push, Perl_Tmarkstack_ptr_ptr, Perl_Tmarkstack_max_ptr, Perl_markstack_grow, Perl_Tstack_base_ptr, Perl_Tstack_max_ptr, Perl_stack_grow, Perl_call_sv, Perl_Ierrgv_ptr, Perl_TXpv_ptr, Perl_TSv_ptr, Perl_sv_2bool, Perl_sv_2pv_nolen, Perl_warn_nocontext, Perl_sv_2iv, Perl_free_tmps, Perl_sv_setuv, Perl_pop_scope
KERNEL32.dll: DeleteCriticalSection, InitializeCriticalSection, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, DisableThreadLibraryCalls, QueryPerformanceCounter
ADVAPI32.dll: CryptReleaseContext, CryptAcquireContextA, CryptGenRandom
MSVCRT.dll: fread, fclose, memset, realloc, fopen, malloc, _iob, fprintf, memcpy, strlen, strstr, memcmp, time, strcmp, _stat, _initterm, _adjust_fdiv, free

[[ 58 export(s) ]]
_boot_Crypt__MatrixSSL, boot_Crypt__MatrixSSL, generate3DESKey, matrix3desDecrypt, matrix3desEncrypt, matrix3desInit, matrixArc4, matrixArc4Init, matrixGetRandomBytes, matrixMd5Final, matrixMd5Init, matrixMd5Update, matrixPkiClose, matrixPkiOpen, matrixRsaDecryptPriv, matrixRsaDecryptPub, matrixRsaEncryptPub, matrixRsaFreeKey, matrixRsaFreeKeys, matrixRsaParseKeysMem, matrixRsaParsePrivKey, matrixRsaParsePubKey, matrixRsaReadKeys, matrixRsaReadKeysEx, matrixRsaReadKeysMem, matrixRsaReadPrivKey, matrixSha1Final, matrixSha1Init, matrixSha1Update, matrixSslAssignNewKeys, matrixSslClose, matrixSslDecode, matrixSslDeleteSession, matrixSslEncode, matrixSslEncodeClientHello, matrixSslEncodeClosureAlert, matrixSslEncodeHelloRequest, matrixSslFreeKeys, matrixSslFreeSessionId, matrixSslGetAnonStatus, matrixSslGetResumptionFlag, matrixSslGetSessionId, matrixSslHandshakeIsComplete, matrixSslNewSession, matrixSslOpen, matrixSslReadKeys, matrixSslReadKeysMem, matrixSslSetCertValidator, matrixSslSetResumptionFlag, matrixSslSetSessionOption, matrixX509FreeCert, matrixX509ParseCert, matrixX509ParsePubKey, matrixX509ReadCert, matrixX509ReadPubKey, matrixX509UserValidator, matrixX509ValidateCert, matrixX509ValidateCertChain
ExifTool:
file metadata
CodeSize: 57344
EntryPoint: 0xe671
FileSize: 80 kB
FileType: Win32 DLL
ImageVersion: 0.0
InitializedDataSize: 20480
LinkerVersion: 6.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:03:05 03:00:59+01:00
UninitializedDataSize: 0
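
A VirusTotal text report like the one above is easier to weigh once the table is parsed. The following is an added example, not the forum's and not VirusTotal's own code: it reads the engine table, the hash lines and the PE section table from a constructed excerpt of the report (eight of the 44 engine rows, with both detections kept), and reports the detection ratio, whether every verdict name is a generic or heuristic tag rather than a family name, and any section whose entropy suggests packed or encrypted content. The generic-token list and the 7.0 entropy threshold are the example's own choices.

```python
"""Triage of a VirusTotal text report of the kind pasted above.

Added example; not the forum's and not VirusTotal's own code. It parses the
per-engine result table, the hash lines and the PE section table, and reports
the detection ratio, whether every detection name is a generic/heuristic one,
and any section whose entropy is high enough to suggest packed or encrypted
content. SAMPLE_REPORT is a constructed excerpt of the report above (eight of
the 44 engine rows, both detections kept), so its ratio is for the excerpt."""
import re
from typing import Dict, List

SAMPLE_REPORT = """Antivirus Version Last Update Result
AhnLab-V3 2011.09.21.02 2011.09.21 -
Avast5 5.0.677.0 2011.09.18 -
Emsisoft 5.1.0.11 2011.09.22 Win32.SuspectCrc!IK
Ikarus T3.1.1.107.0 2011.09.22 Win32.SuspectCrc
Kaspersky 9.0.0.837 2011.09.22 -
McAfee-GW-Edition 2010.1D 2011.09.21 -
Microsoft 1.7702 2011.09.21 -
Symantec 20111.2.0.82 2011.09.22 -
Additional information
MD5 : 62021bee2a3c77a1a7316037e8f651f5
SHA1 : 3708c02667d4b885dfa0d56bf951ff8ede833853
SHA256: 3eb1021e0a1d9cbf40cf728a0dbb93977113a4815a0e7743ff6b06e2f095098d
File size : 82021 bytes
[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0xD734, 0xE000, 6.24, 24ef8c8f788ad5ad73de9cc599dd6282
.rdata, 0xF000, 0x2DEA, 0x3000, 5.58, d0b02c77a5b1d891a2604cd5a18b9246
.data, 0x12000, 0xF48, 0x1000, 0.46, aa5fe0bbf8cbf10b214016eebf0865bf
.reloc, 0x13000, 0x5CC, 0x1000, 2.99, 5d0e6b7c628d3569337f94474f7a942f
"""

# Engine row: '<engine> <version> <YYYY.MM.DD> <result or ->' (names carry no spaces).
ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-fA-F]+)$")
SECTION_RE = re.compile(
    r"^(\.\w+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), ([\d.]+), ([0-9a-f]{32})$")
# Tokens marking a generic/heuristic verdict rather than a named family (example's own list).
GENERIC_TOKENS = ("suspect", "generic", "heur", "gen.", ".gen")


def parse_engines(text: str) -> List[Dict]:
    """Rows between the 'Antivirus ...' header and 'Additional information'."""
    rows, in_table = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Antivirus "):
            in_table = True
            continue
        if line == "Additional information":
            break
        m = ENGINE_RE.match(line) if in_table else None
        if m:
            engine, version, updated, result = m.groups()
            rows.append({"engine": engine, "version": version, "updated": updated,
                         "result": None if result == "-" else result})
    return rows


def detection_summary(rows: List[Dict]) -> Dict:
    """Detection count and ratio, plus whether no engine names an actual family."""
    hits = {r["engine"]: r["result"] for r in rows if r["result"]}
    return {
        "total": len(rows),
        "detected": len(hits),
        "ratio": (len(hits) / len(rows)) if rows else 0.0,
        "names": hits,
        "all_generic": bool(hits) and all(
            any(tok in name.lower() for tok in GENERIC_TOKENS) for name in hits.values()),
    }


def parse_hashes(text: str) -> Dict[str, str]:
    """MD5/SHA1/SHA256 lines, normalised to lowercase hex."""
    out = {}
    for line in text.splitlines():
        m = HASH_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out


def parse_sections(text: str) -> List[Dict]:
    """PE section rows: name, virtual address/size, raw size, entropy, MD5."""
    secs = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            name, vaddr, vsize, rsize, entropy, md5 = m.groups()
            secs.append({"name": name, "virtual_addr": int(vaddr, 16),
                         "virtual_size": int(vsize, 16), "raw_size": int(rsize, 16),
                         "entropy": float(entropy), "md5": md5})
    return secs


def suspicious_sections(secs: List[Dict], threshold: float = 7.0) -> List[str]:
    """Section names at or above the entropy threshold (8.0 is the maximum for
    byte data; ordinary compiled code usually sits around 6)."""
    return [s["name"] for s in secs if s["entropy"] >= threshold]
```

Run over the full 44-row table above, the same code gives 2 detections out of 44, both carrying the generic Win32.SuspectCrc tag rather than a family name, and no section above the threshold (.text peaks at 6.24). The import and export lists in the same report (perl58.dll, boot_Crypt__MatrixSSL) mark the file as the native component of a Perl module, which is the context those two heuristic hits need to be read against.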



