Min32:MalOB-EM [Cryp] Java:Agent-KN[Expl] Win32:Sirefef-O[Rtk]



#1 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 11:14 AM

I have an infected computer running Windows XP Media Center Edition. I believe the problem to be a rootkit named Sirefef-O as it was discovered by Avast (before Avast was terminated). This infection is preventing any utilities from running once they discover and try to remove it. Malwarebytes and Avast have been disabled by the virus/malware.

Yesterday AM, I posted two "non-invasive" search logs with no response:
Malware Logs

Thank you for your assistance,
Ryan


#2 boopme


Posted 12 October 2011 - 11:55 AM

It will take a few days for the DDS log analysis. We are getting hundreds of logs a day.

We can try fixing it here, but I then have to close that one, as we are only allowed one topic on the same issue.

What would you like to do?

#3 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 01:09 PM

I'll gladly move it here, but I thought there was a strict "no posting logs" in this section of the forum... If you want to move it over here and/or close the other one, I'm fine with it -- I just really want to get my friend's computer fixed. :o)

Thank you for your assistance!
Ryan

#4 boopme


Posted 12 October 2011 - 01:22 PM

Ok, actually it's: No DDS, HijackThis, or ComboFix logs should be posted in this forum. Those logs need to be in the other forum where you had posted. I will close that other one.

I think we can get this...
so

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



Finally, after this let me know how it's running.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.

#5 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 01:47 PM

I have no network availability on the infected machine.

I will reinstall malwarebytes, but as I mentioned it has been disabled by the malware once already.

I'll do what I can and post it here.

Ryan

#6 boopme


Posted 12 October 2011 - 02:02 PM

Have you tried rebooting into Safe Mode with Networking?
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


OR
For the connection try these...

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.
Now check if the internet is working again.

OR

Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.



Or do a System Restore to a date prior to the infection and see if you can connect.

Post what you can

#7 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 02:24 PM

Here's the Toolbox log file... the Malwarebytes scan has been running for the last 30 minutes.
There was no proxy server. I tried the netsh winsock reset and there was an error about no host information and the RPC server being unavailable.


MiniToolBox by Farbar
Ran by Administrator (administrator) on 12-10-2011 at 13:52:11
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


There are 15074 more lines starting with "127.0.0.1"

========================= IP Configuration: ================================
WARNING: Could not obtain host information from machine: [BOVA]. Some commands may not be available.
The RPC server is unavailable.



# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : BOVA

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-18-8B-7E-F7-FE

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b 7e f7 fe ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 2 1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/05/2011 02:28:17 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module explorer.exe, version 6.0.2900.5512, fault address 0x00009409.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/05/2011 01:48:43 PM) (Source: MBAMService) (User: )
Description: MBAMService13:48:43 PAUL ERROR StartServiceCtrlDispatcher failed with error code 1063

Error: (09/25/2011 09:02:17 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:43:17 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:37:23 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:36:24 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:36:15 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:36:02 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 00:48:51 PM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/24/2011 10:53:00 AM) (Source: Microsoft Security Client) (User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL


System errors:
=============
Error: (10/11/2011 10:03:38 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Aavmker4
AmdK8
aswSnx
aswSP
aswTdi
Fips
MpFilter
nvatabus
nvraid

Error: (10/11/2011 10:03:38 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%5

Error: (10/11/2011 09:20:23 AM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (10/11/2011 09:19:51 AM) (Source: System Error) (User: )
Description: Error code 1000008e, parameter1 c0000005, parameter2 805d80f1, parameter3 f717cc74, parameter4 00000000.

Error: (10/11/2011 09:19:39 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
nvatabus
nvraid

Error: (10/11/2011 09:19:39 AM) (Source: Service Control Manager) (User: )
Description: The avast! Antivirus service failed to start due to the following error:
%%1053

Error: (10/11/2011 09:19:39 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the avast! Antivirus service to connect.

Error: (10/11/2011 09:19:39 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%5

Error: (10/10/2011 03:48:14 PM) (Source: Service Control Manager) (User: )
Description: The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Error: (10/10/2011 03:42:32 PM) (Source: 0) (User: )
Description: \Device\Ide\IdePort0


Microsoft Office Sessions:
=========================
Error: (10/05/2011 02:28:17 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512explorer.exe6.0.2900.551200009409

Error: (10/05/2011 01:48:43 PM) (Source: MBAMService)(User: )
Description: MBAMService13:48:43 PAUL ERROR StartServiceCtrlDispatcher failed with error code 1063

Error: (09/25/2011 09:02:17 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:43:17 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:37:23 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:36:24 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:36:15 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 08:36:02 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/25/2011 00:48:51 PM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL

Error: (09/24/2011 10:53:00 AM) (Source: Microsoft Security Client)(User: )
Description: mssecurityclientmsseces.exe2.1.1116.00x80070005startservicecmainwindow__onantimalwareenabled0security essentialsNILNILNIL


=========================== Installed Programs ============================

Adobe Flash Player 10 ActiveX (Version: 10.1.102.64)
Adobe Flash Player 10 Plugin (Version: 10.3.181.26)
Adobe Reader 9.4.6 (Version: 9.4.6)
Adobe® Photoshop® Album Starter Edition 3.2 (Version: 3.2.0)
Amazon MP3 Downloader 1.0.3
AOLIcon (Version: 1.00.0000)
Apple Application Support (Version: 1.4.1)
Apple Mobile Device Support (Version: 3.3.0.69)
Apple Software Update (Version: 2.1.1.116)
avast! Free Antivirus (Version: 6.0.1289.0)
BlackBerry Desktop Software 4.5 (Version: 4.5.0.15)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
Conexant D850 56K V.9x DFVc Modem
Dell CinePlayer (Version: 3.0)
Dell Support 3.2.1 (Version: 5.5.2087)
Dell System Restore (Version: 2.00.0000)
Digital Line Detect (Version: 1.10)
Documentation & Support Launcher (Version: 1.00.0000)
Games, Music, & Photos Launcher (Version: 1.00.0000)
Garmin MapSource (Version: 6.16.3)
GemMaster Mystic
Google Earth Plug-in (Version: 6.0.3.2197)
Google Update Helper (Version: 1.3.21.69)
HijackThis 2.0.2 (Version: 2.0.2)
iTunes (Version: 10.1.1.4)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Small Business Edition 2003 (Version: 11.0.8173.0)
Microsoft Office XP Professional with FrontPage (Version: 10.0.6626.0)
Microsoft Plus! Digital Media Edition Installer (Version: 1.1.0.3514)
Microsoft Plus! Photo Story 2 LE (Version: 1.1.0.3463)
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 08.05.0818)
MobileMe Control Panel (Version: 3.1.2.0)
Modem Diagnostic Tool (Version: 1.0.17.2)
Mozilla Firefox 6.0.2 (x86 en-US) (Version: 6.0.2)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
NetWaiting (Version: 2.5.12)
NVIDIA Drivers
QuickTime (Version: 7.69.80.9)
RealPlayer Basic
Roxio Media Manager (Version: 9.4.023)
Safari (Version: 5.33.18.5)
Sonic Activation Module (Version: 1.0)
Sonic Encoders (Version: 1.00)
Sonic Update Manager (Version: 3.0.0)
Spybot - Search & Destroy (Version: 1.6.2)
Switch Sound File Converter
TWC Client ActiveX Controls (Version: 11)
WebCyberCoach 3.2 Dell
WebFldrs XP (Version: 9.50.7523)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 10 (Version: 9.00.3636)
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB2502898
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 39%
Total physical RAM: 958.42 MB
Available physical RAM: 577.7 MB
Total Pagefile: 2318.09 MB
Available Pagefile: 2066.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.34 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:69.82 GB) (Free:41.39 GB) NTFS
2 Drive e: (STORE N GO) (Removable) (Total:3.73 GB) (Free:3.59 GB) FAT32

========================= Users: ========================================

User accounts for \\BOVA

Administrator Guest HelpAssistant
PAUL SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini032910-01.dmp
C:\WINDOWS\Minidump\Mini040809-01.dmp
C:\WINDOWS\Minidump\Mini060810-01.dmp
C:\WINDOWS\Minidump\Mini092111-01.dmp
C:\WINDOWS\Minidump\Mini101011-01.dmp
C:\WINDOWS\Minidump\Mini123008-01.dmp

**** End of log ****
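As an added example (not a tool used in this thread, and not part of MiniToolBox), here is a small Python triage script for a Result.txt like the one above: it pulls out the Winsock providers whose DLL is reported missing, the RPC service crash, and the security-product drivers and services that failed to start, which is what a helper reads first in a log like this. The embedded sample is a shortened, constructed copy of the posted output, and the mapping of driver names to avast! / Microsoft Antimalware is an assumption stated in the code.

```python
import re

# Constructed sample input: a shortened copy of the Winsock and event-log
# sections of the Result.txt posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

System errors:
=============
Error: (10/11/2011 10:03:38 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Aavmker4
AmdK8
aswSP
MpFilter

Error: (10/11/2011 10:03:38 AM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:

Error: (10/11/2011 09:19:39 AM) (Source: Service Control Manager) (User: )
Description: The avast! Antivirus service failed to start due to the following error:

Error: (10/10/2011 03:48:14 PM) (Source: Service Control Manager) (User: )
Description: The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
"""

HEADER_RE = re.compile(r"^=+\s+(.+?)\s+=+$")  # "===== Section name ====="
WINSOCK_RE = re.compile(r"^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[(.+?)\]\s+\((.*)\)$")
EVENT_RE = re.compile(r"^Error: \((.+?)\) \(Source: (.+?)\) \(User: (.*?)\)$")
# Assumed mapping of boot-start driver names to the security products on this
# machine (avast! and MSE); AmdK8, nvatabus, nvraid etc. are hardware drivers.
SECURITY_DRIVERS = {"Aavmker4": "avast!", "aswSnx": "avast!", "aswSP": "avast!",
                    "aswTdi": "avast!", "MpFilter": "Microsoft Antimalware"}


def section(text, title):
    """Lines of the MiniToolBox section whose '==== title ====' header matches."""
    out, inside = [], False
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header and inside:
            break  # next section header ends ours
        if header:
            inside = title in header.group(1)
        elif inside:
            out.append(line)
    return out


def parse_winsock(text):
    """Winsock catalog entries: provider DLL, file size or load status, vendor."""
    entries = []
    for line in section(text, "Winsock entries"):
        m = WINSOCK_RE.match(line.strip())
        if m:
            catalog, idx, path, status, vendor = m.groups()
            entries.append({"catalog": catalog, "index": int(idx), "path": path,
                            "status": status, "vendor": vendor})
    return entries


def parse_event_errors(text):
    """Group 'Error: (...)' records with their (possibly multi-line) descriptions."""
    events, current = [], None
    for line in section(text, "Event log errors"):
        m = EVENT_RE.match(line.strip())
        if m:
            current = {"time": m.group(1), "source": m.group(2), "description": []}
            events.append(current)
        elif not line.strip():
            current = None  # a blank line ends the record
        elif current is not None:
            current["description"].append(line.strip().replace("Description: ", "", 1))
    return events


def failed_boot_drivers(events):
    """Driver names listed under 'driver(s) failed to load' records."""
    return [n for e in events if e["description"] and "failed to load" in e["description"][0]
            for n in e["description"][1:]]


def triage(text):
    """Indicators a helper looks for: broken Winsock LSPs, RPC crash, disabled AV."""
    winsock, events = parse_winsock(text), parse_event_errors(text)
    firsts = [e["description"][0] for e in events if e["description"]]
    down = {SECURITY_DRIVERS[n] for n in failed_boot_drivers(events) if n in SECURITY_DRIVERS}
    down |= {p for p in SECURITY_DRIVERS.values()
             for f in firsts if "service failed to start" in f and p in f}
    return {
        "winsock_missing_files": sorted({e["path"] for e in winsock
                                         if "not found" in e["status"].lower()}),
        "rpc_crashed": any("Remote Procedure Call" in f for f in firsts),
        "failed_drivers": failed_boot_drivers(events),
        "security_products_down": sorted(down),
    }
```

On the posted log this reports every mswsock.dll catalog entry as missing, the RPC crash, and both avast! and Microsoft Antimalware as down, which is consistent with the networking failure and the disabled scanners Ryan describes.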

#8 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 02:38 PM

Malwarebytes had no discoveries. Odd... I will restart to see if the network comes back up.

#9 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 02:56 PM

No, the network is still unavailable. Same error messages.

ipconfig is blank as well

Local area connection says that a network cable is unplugged (although it is not). I cannot disable the Local Area Connection either... I can click disable, but it never disables.

#10 boopme


Posted 12 October 2011 - 04:13 PM

Let's try to fix your internet connection...

Make sure your computer is set to obtain an IP address automatically.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties
6. Click Obtain an IP Address Automatically, and then click OK.

If that doesn't work...
Turn off the computer. Disconnect the router and modem from the power source for 1 minute. At the same time, disconnect the ethernet cable as well.
Reconnect everything.
Restart computer.

If that doesn't work, bypass the router and connect the computer straight to the modem.

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

In the Command Prompt window, type in the following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Restart computer.

#11 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 04:36 PM

holy crap, the internet is back up! I'm going to do the Free ESET Online Antivirus.

#12 Guest_Ryan Ziegler_*


Posted 12 October 2011 - 05:49 PM

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent23.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent33.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent63.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\12\52659e4c-73d958cd Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\41\e687269-345bb9fa a variant of Java/TrojanDownloader.OpenStream.NCM trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\59e884ef-446c8a2a multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\52\62385c74-6aaa565c multiple threats deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\6.0\13\65891f0d-14a91d47 multiple threats deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\6.0\13\db3550d-58645883 multiple threats deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\6.0\31\73769d5f-4baebde2 multiple threats deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\6.0\41\e687269-7b09a136 a variant of Java/TrojanDownloader.OpenStream.NCM trojan deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\6.0\49\388d1971-7a3dd2a2 multiple threats deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\5f68d79da98.jar-dcfe8ce-55724e3e.zip multiple threats deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\7909df6ac8d.jar-3a9580b4-694edff0.zip multiple threats deleted - quarantined
C:\Documents and Settings\PAUL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\7909df6ac8d.jar-609f2a5a-424145db.zip multiple threats deleted - quarantined
C:\WINDOWS\system32\drivers\redbook.sys Win32/Sirefef.DA trojan cleaned by deleting - quarantined

#13 boopme


Posted 12 October 2011 - 08:13 PM

Ok, that was really good, got it and the Bagle.
We have a few things to straighten out.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder (C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache) for quick execution later and better performance. Malicious applets are also stored in the Java cache directory and your anti-virus may detect them and provide alerts. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache to ensure everything is cleaned out:

You need to update Java one level and Adobe Reader.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Similarly, update to Adobe Reader X (10.1.0).
Note: uncheck the box so you do not install the toolbar, unless you really want it.

Free! Google Toolbar search Google from any web page, block pop-ups

Yes, install Google Toolbar - optional


How is it running now?

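A small triage of scanner output along the distinction boopme draws above (a Java cache hit that clearing the cache removes, versus a flagged driver under system32\drivers that belongs to the active infection). This is an added example, not code from the thread; the log lines it parses are constructed in the format of the log quoted earlier, with a made-up user name and cache file names.

```python
# Constructed sample lines in the same format as the online-scanner log
# quoted earlier in the thread (user name and cache file names are made up).
SAMPLE_LOG = (
    "C:\\Documents and Settings\\USER\\Application Data\\Sun\\Java\\Deployment"
    "\\cache\\6.0\\12\\abcdef01-23456789 multiple threats deleted - quarantined\n"
    "C:\\Documents and Settings\\USER\\Application Data\\Sun\\Java\\Deployment"
    "\\cache\\javapi\\v1.0\\jar\\0123456789ab.jar-1a2b3c4d-5e6f7a8b.zip"
    " multiple threats deleted - quarantined\n"
    "C:\\WINDOWS\\system32\\drivers\\redbook.sys Win32/Sirefef.DA trojan"
    " cleaned by deleting - quarantined\n"
)

JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"   # per-user JRE download cache
DRIVERS = "\\system32\\drivers\\"                 # boot/system-start driver tree


def parse_line(line):
    """Split one log line into path, detection detail and scanner action.

    Windows paths in these logs contain spaces, so the path is taken as
    everything up to the last whitespace-separated token holding a
    backslash (the final path component itself has no spaces).
    """
    tokens = line.split()
    idx = [i for i, tok in enumerate(tokens) if "\\" in tok]
    if not idx:
        return None                      # not a detection line
    path = " ".join(tokens[: idx[-1] + 1])
    rest = " ".join(tokens[idx[-1] + 1:])
    detail, sep, action = rest.rpartition(" - ")
    return {"path": path, "detail": detail if sep else rest,
            "action": action if sep else ""}


def classify(path):
    low = path.lower()
    if JAVA_CACHE in low:
        return "java-cache"     # cached applet: clear the whole cache
    if DRIVERS in low:
        return "system-driver"  # flagged driver: component of the infection
    return "other"


def triage(log_text):
    """Group detections by class so each class gets the right follow-up."""
    groups = {"java-cache": [], "system-driver": [], "other": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            groups[classify(entry["path"])].append(entry)
    return groups


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG).items():
        print(kind, len(entries))
        for e in entries:
            print("   ", e["path"], "|", e["detail"], "|", e["action"])
```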

#14 Guest_Ryan Ziegler_*

  • Guests

Posted 13 October 2011 - 03:53 PM

Thanks for all your help. I am still having residual problems now that the "active" threat may be taken care of. I am not in safe mode, and I cannot reinstall Java or Adobe updates... when I try to do any program installation or uninstallation I get the following error message:
"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safemode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

I tried taking a screenshot of the error message, but I get an error when trying to save a file in paint or even in wordpad! "Unable to register document. The document may already be open."

Thanks for your assistance!
Ryan

#15 Guest_Ryan Ziegler_*

  • Guests

Posted 13 October 2011 - 04:28 PM

I am also getting the following errors in the system event log:

Event 7026:
The following boot-start or system-start drivers failed to load:

nvatabus
nvraid

Event ID 7000:
The Microsoft Antimalware Service service failed to start due to the following Error: Access is Denied

I re-enabled the Installation Service, and am now able to proceed with updates... I will post functionality tomorrow.

Edited by Ryan Ziegler, 13 October 2011 - 05:06 PM.
