Think I'm Infected Again Because I Can't get Java to show updated in Security Check


5 replies to this topic

#1 tomkay44


Posted 27 September 2011 - 08:33 AM

I've got a Toshiba Satellite M115-S3094 that came with XP MCE 2005 although now System Properties tells me I'm running XP MCE 2002 SP3. I'm running Security Essentials and WinPatrol Pro resident and scan frequently with MBAM and SAS. Although I have a paid up subscription of Avast Internet Security's latest version, I'm not using it on the latest factory setting reinstall (reformatting of my hard drive for around the 30th time) and update because the sandbox thing had corrupted my sound drivers. I have CCleaner and Defraggler (replacing Windows Defragmenter) and I also run them regularly.

I've had to reinstall factory settings enough times to know that it changes from MCE 2005 to 2002 somewhere between factory settings and fully updated SP3 (I think it happens in the SP3 install). As we all know XP MCE is MS's illegitimate child and they don't want to support the kid. It seems to be the baby they wish they didn't make but I'm stuck with it on this laptop.

One reason I think I might be infected is because I'm getting the following two notifications from crypt32 in the Event Viewer:

1)
Event Type: Information
Event Source: crypt32
Event Category: None
Event ID: 7
Date: 9/25/2011
Time: 10:41:10 PM
User: N/A
Computer: TOSHIBA-USER
Description:
Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
2)
Event Type: Information
Event Source: crypt32
Event Category: None
Event ID: 1
Date: 9/25/2011
Time: 4:12:04 PM
User: N/A
Computer: TOSHIBA-USER
Description:
Successful auto update of third-party root certificate:: Subject: <CN=GeoTrust Global CA, O=GeoTrust Inc., C=US> Sha1 thumbprint: <DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212>
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

When I Google them I get pointed to the Google Redirect Virus.

I'm also getting this error from the source MPSampleSubmission:


Event Type: Error
Event Source: MPSampleSubmission
Event Category: None
Event ID: 5000
Date: 9/24/2011
Time: 5:25:06 PM
User: N/A
Computer: TOSHIBA-USER
Description:
EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 70 00 74 00 65 00 m.p.t.e.
0008: 6c 00 65 00 6d 00 65 00 l.e.m.e.
0010: 74 00 72 00 79 00 2c 00 t.r.y.,.
0018: 20 00 38 00 30 00 32 00 .8.0.2.
0020: 34 00 34 00 30 00 32 00 4.4.0.2.
0028: 63 00 2c 00 20 00 65 00 c.,. .e.
0030: 6e 00 64 00 73 00 65 00 n.d.s.e.
0038: 61 00 72 00 63 00 68 00 a.r.c.h.
0040: 2c 00 20 00 73 00 65 00 ,. .s.e.
0048: 61 00 72 00 63 00 68 00 a.r.c.h.
0050: 2c 00 20 00 33 00 2e 00 ,. .3...
0058: 30 00 2e 00 38 00 34 00 0...8.4.
0060: 30 00 32 00 2e 00 30 00 0.2...0.
0068: 2c 00 20 00 6d 00 70 00 ,. .m.p.
0070: 73 00 69 00 67 00 64 00 s.i.g.d.
0078: 77 00 6e 00 2e 00 64 00 w.n...d.
0080: 6c 00 6c 00 2c 00 20 00 l.l.,. .
0088: 33 00 2e 00 30 00 2e 00 3...0...
0090: 38 00 34 00 30 00 32 00 8.4.0.2.
0098: 2e 00 30 00 2c 00 20 00 ..0.,. .
00a0: 6d 00 69 00 63 00 72 00 m.i.c.r.
00a8: 6f 00 73 00 6f 00 66 00 o.s.o.f.
00b0: 74 00 20 00 73 00 65 00 t. .s.e.
00b8: 63 00 75 00 72 00 69 00 c.u.r.i.
00c0: 74 00 79 00 20 00 65 00 t.y. .e.
00c8: 73 00 73 00 65 00 6e 00 s.s.e.n.
00d0: 74 00 69 00 61 00 6c 00 t.i.a.l.
00d8: 73 00 20 00 28 00 65 00 s. .(.e.
00e0: 64 00 62 00 34 00 66 00 d.b.4.f.
00e8: 61 00 32 00 33 00 2d 00 a.2.3.-.
00f0: 35 00 33 00 62 00 38 00 5.3.b.8.
00f8: 2d 00 34 00 61 00 66 00 -.4.a.f.
0100: 61 00 2d 00 38 00 63 00 a.-.8.c.
0108: 35 00 64 00 2d 00 39 00 5.d.-.9.
0110: 39 00 37 00 35 00 32 00 9.7.5.2.
0118: 63 00 63 00 61 00 37 00 c.c.a.7.
0120: 30 00 39 00 34 00 29 00 0.9.4.).
0128: 2c 00 20 00 4e 00 49 00 ,. .N.I.
0130: 4c 00 2c 00 20 00 4e 00 L.,. .N.
0138: 49 00 4c 00 20 00 4e 00 I.L. .N.
0140: 49 00 4c 00 0d 00 0a 00 I.L.....

Also, this is part of the notification when I run a disk check:

Cleaning up 18 unused index entries from index $SII of file 0x9.
Cleaning up 18 unused index entries from index $SDH of file 0x9.
Cleaning up 18 unused security descriptors.

(The rest of the disk check looks all right.)

No matter what I do to uninstall Java and reinstall Java, Security Check will tell me it's out of date even though it displays the latest version number and Java seems to act just fine (I guess.). Please see Security Check Report below.

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 27
Out of date Java installed!
Adobe Flash Player
Adobe Reader X (10.1.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
WinPatrol winpatrol.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
BillP Studios WinPatrol winpatrol.exe
``````````End of Log````````````

The Windows Task Manager always shows that the "Base Pri" for csrss.exe and Winlogon.exe is high with gobs of handles and objects listed.

The reason I think I'm getting infected and having to do all these reformats of my HD is because my InterVideo ® WinDVD Creator for Toshiba Version 2.0B014.400C33-NEN02 and WinDVD version 5 for Toshiba is not up to date and I can't get it updated.

Secunia PSI reports the packages as being at their end of life. It can't find patches for them. When I uninstall them to remedy the vulnerability of my system I lose my DVD decoders so I have to reinstall from the factory disk.

WinDVD is owned by Corel now. They won't provide updates for more than two versions back, so when I reinstall factory settings I'm more than two behind. If I uninstall I lose my DVD decoders. I've tried writing (emailing) them but you can't get through without a serial number. I guess they didn't have serial numbers till Corel bought them so I can't even send an email to Corel support. Help!

Please help me 1) check my system for viruses/vulnerabilities and 2) give me help on my WinDVD/Corel update situation.
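The crypt32 entries and the MPSampleSubmission error quoted in the post above are the kind of Event Viewer output a defender should be able to read without a web search. The script below is an added example written for this page; it is not code from the original poster or from any tool named in the thread. It parses an Event Viewer text export in the layout pasted above, decodes the hex "Data:" dump (which for this event is simply the UTF-16LE text of the telemetry parameters) and applies two rules: crypt32 event IDs 1 and 7 are logged by the Windows Automatic Root Certificates Update component doing routine root-store maintenance, and the P1 value of an MPSampleSubmission 5000 event is a Windows Update result code (0x8024402C is WU_E_PT_WINHTTP_NAME_NOT_RESOLVED, a name-resolution failure that points at connectivity or proxy settings rather than at an infection). The sample input is constructed from the events in the post, with the Data dump shortened to its first three fields; the export layout the parser expects and the one-entry result-code table are assumptions of this example.

```python
"""Parse a Windows XP Event Viewer text export, decode its hex Data dump and
apply two defender rules to the kinds of events quoted in the post above."""
import re

# Constructed sample: two events from the post, trimmed to the fields used here.
# The Data dump keeps its first three fields; the 0040 line is a CR/LF terminator
# added so the shortened dump is still a complete UTF-16LE string.
SAMPLE_EXPORT = """\
Event Type: Information
Event Source: crypt32
Event ID: 1
Description:
Successful auto update of third-party root certificate:: Subject: <CN=GeoTrust Global CA, O=GeoTrust Inc., C=US> Sha1 thumbprint: <DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212>
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: MPSampleSubmission
Event ID: 5000
Description:
EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 70 00 74 00 65 00 m.p.t.e.
0008: 6c 00 65 00 6d 00 65 00 l.e.m.e.
0010: 74 00 72 00 79 00 2c 00 t.r.y.,.
0018: 20 00 38 00 30 00 32 00  .8.0.2.
0020: 34 00 34 00 30 00 32 00 4.4.0.2.
0028: 63 00 2c 00 20 00 65 00 c.,. .e.
0030: 6e 00 64 00 73 00 65 00 n.d.s.e.
0038: 61 00 72 00 63 00 68 00 a.r.c.h.
0040: 0d 00 0a 00 ....
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
DATA_LINE_RE = re.compile(r"^[0-9a-fA-F]{4}:\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){1,8})")
THUMBPRINT_RE = re.compile(r"Sha1 thumbprint:\s*<([0-9A-Fa-f]{40})>")

# crypt32 IDs 1 and 7 are logged by the Automatic Root Certificates Update
# component. The result-code table is a one-entry assumption for this example.
ROOT_UPDATE_EVENTS = {
    ("crypt32", 1): "automatic root update installed a third-party root certificate",
    ("crypt32", 7): "automatic root update fetched the root list sequence number",
}
WU_RESULT_CODES = {"8024402c": "WU_E_PT_WINHTTP_NAME_NOT_RESOLVED (update server or proxy name not resolved)"}

def parse_export(text: str) -> list:
    """Split an export into records: header fields, Description block, raw Data bytes."""
    events, cur, section = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Event Type:"):            # every record starts here
            cur, section = {"fields": {}, "description": "", "data": b""}, None
            events.append(cur)
        if cur is None or not line:
            continue
        if section is None:
            if line == "Description:":
                section = "desc"
            elif (m := HEADER_RE.match(line)):
                cur["fields"][m.group(1)] = m.group(2)
        elif section == "desc":
            if line == "Data:":
                section = "data"
            elif not line.startswith("For more information"):
                cur["description"] += (" " if cur["description"] else "") + line
        elif (m := DATA_LINE_RE.match(line)):         # "0000: 6d 00 70 00 ... m.p.t.e."
            cur["data"] += bytes.fromhex(m.group(1))  # keep the bytes, drop the ASCII column
    return events

def decode_data(ev: dict) -> str:
    """The Data blob is the UTF-16LE text of the parameters; drop the CR/LF tail."""
    return ev["data"].decode("utf-16-le", errors="replace").rstrip("\r\n\x00")

def assess(ev: dict) -> dict:
    """Verdict for one record: benign root update, update connectivity, or needs review."""
    key = (ev["fields"].get("Event Source", "").lower(), int(ev["fields"].get("Event ID", 0)))
    verdict = {"source": key[0], "id": key[1], "category": "review", "detail": "no rule for this source/ID"}
    if key in ROOT_UPDATE_EVENTS:
        m = THUMBPRINT_RE.search(ev["description"])   # compare with the CA's published fingerprint
        verdict.update(category="benign-root-update", detail=ROOT_UPDATE_EVENTS[key],
                       thumbprint=m.group(1).upper() if m else None)
    elif key == ("mpsamplesubmission", 5000):
        params = {n: v.rstrip(".") for n, v in re.findall(r"\bP(\d+) ([^,]+)", ev["description"])}
        code = params.get("1", "").lower()             # P1 carries the Windows Update result code
        verdict.update(category="update-connectivity", code=code,
                       detail=WU_RESULT_CODES.get(code, "unrecognised result code"),
                       decoded_data=decode_data(ev))
    return verdict

def triage(text: str) -> list:
    return [assess(ev) for ev in parse_export(text)]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_EXPORT):
        print(verdict)
```

Run it directly to print one verdict per event; for a real export, read the saved .txt into `parse_export`. The thumbprint it pulls out of a crypt32 event 1 is the value to compare against the CA's published fingerprint when confirming that the root installed is the one the description names, and the decoded Data string shows that the blob adds nothing beyond the P1..P10 parameters already in the description.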



#2 boopme


Posted 27 September 2011 - 09:19 AM

Hello, I moved this to the Am I Infected forum.

Java is at Java 7 now.

Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 tomkay44


Posted 27 September 2011 - 10:15 PM

Thanks SO much for responding to my post Boopme.

Did you notice I mentioned I was scanning with MBAM and SAS frequently? Should I have uninstalled MBAM before downloading to my desktop and installing? Also, should I have disabled WinPatrol and MS Security Essentials before installing?

I just did as you said so I installed over the MBAM non-resident install I already had. Is that OK?

Here is the MBAM scan log you requested. Nothing was found.


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7811

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/27/2011 9:50:25 PM
mbam-log-2011-09-27 (21-50-25).txt

Scan type: Quick scan
Objects scanned: 175051
Time elapsed: 5 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme


Posted 28 September 2011 - 11:06 AM

I don't think it is malware, but we'll do a rootkit check to be sure.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Edited by boopme, 28 September 2011 - 11:06 AM.


#5 tomkay44


Posted 29 September 2011 - 01:25 AM

Gmer didn't find anything but my laptop's touchpad and the keyboard I've got plugged into the USB port.

When you wrote "I don't think it is malware." do you think that I may have a problem but it just isn't malware or do you think there isn't any problem at all?

Either way I sure appreciate your help Boopme. Thank you.

Here's the Gmer log


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-28 23:51:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8032GSX rev.AS111G
Running: vi3umtp0.exe; Driver: C:\DOCUME~1\K\LOCALS~1\Temp\pwrdyfob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

#6 boopme


Posted 29 September 2011 - 02:14 PM

Hello, I am saying it's not a malware-caused issue. I think it's a problem with your proxy and you should re-ask this in XP as they would know better than I.



