XP,


  • This topic is locked
13 replies to this topic

#1 philjj


Posted 17 October 2011 - 08:56 AM

Hi,
I have been reading a number of "fixes" that have been posted previously and followed some of the basics, but don't seem to be able to resolve the problem.
I run XP Media Centre Edition on a Dell, SP3, with registered McAfee Security Centre which is constantly updated.
I have uninstalled Google Chrome and Firefox because, whilst on the web, the mouse will suddenly become unresponsive and start opening windows of its own accord, Task Manager showing a lot of CPU usage with some of the svchosts.
I often run Process Explorer in the background and when I try to bring the window up, the mouse appears to have a sticky function: as soon as you pass it over a process, it will open several instances of it.
I've downloaded Malwarebytes and that appears to have cleared up a few problems, and I've run CCleaner. Following the basics on your site, I ran a scan in safe mode but it didn't show any infection.
Windows Update doesn't appear to install the updates and I've deleted as many programs as possible that we no longer use.
I have found one reg key that will not delete, I think it's an Adobe one, and McAfee reports 4 ActiveX components that it cannot delete using Quick Clean.
Having spent an inordinate amount of time on this, I was hoping someone might be able to help, as I am currently running IE with add-ons disabled and really do need to get a different browser reinstalled, preferably Chrome.
Incidentally, the mouse is a Logitech infra-red but I changed it back to a normal PnP one and the problem hasn't gone away. It's almost as if someone is remotely connected to the computer and takes control from time to time.
(On one game site, I may be in the middle of a game and the computer starts playing it by itself.)

Any help that anyone can offer would be appreciated and I'll try to provide as much information as I can.
Thanks in anticipation,
Phil


#2 boopme (Global Moderator)

Posted 18 October 2011 - 10:56 PM

Hello, please run these and post the logs.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.6.4.0) from Kaspersky's website and not TDSSKiller.zip, which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.


#3 philjj


Posted 19 October 2011 - 07:48 AM

Hi and thanks for your help. First logfile is as follows:

MiniToolBox by Farbar
Ran by Sal (administrator) on 19-10-2011 at 13:45:30
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : D90SWP2J
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : cable.virginmedia.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : cable.virginmedia.net
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-18-8B-8A-DB-0B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 94.169.33.85
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 94.169.32.1
DHCP Server . . . . . . . . . . . : 62.30.192.113
DNS Servers . . . . . . . . . . . : 194.168.4.100
                                    194.168.8.100
Lease Obtained. . . . . . . . . . : 18 October 2011 11:59:55
Lease Expires . . . . . . . . . . : 23 October 2011 12:33:45

Server: cache1.service.virginmedia.net
Address: 194.168.4.100

Name: google.com.cable.virginmedia.net
Address: 81.200.64.50

Pinging google.com [209.85.227.106] with 32 bytes of data:

Reply from 209.85.227.106: bytes=32 time=24ms TTL=51
Reply from 209.85.227.106: bytes=32 time=23ms TTL=51

Ping statistics for 209.85.227.106:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 23ms, Maximum = 24ms, Average = 23ms

Server: cache1.service.virginmedia.net
Address: 194.168.4.100

Name: yahoo.com.cable.virginmedia.net
Address: 81.200.64.50

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=178ms TTL=52
Reply from 98.137.149.56: bytes=32 time=200ms TTL=52

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 178ms, Maximum = 200ms, Average = 189ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b 8a db 0b ...... Broadcom 440x 10/100 Integrated Controller - McAfee Core NDIS Intermediate Filter Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 94.169.32.1 94.169.33.85 20
94.169.32.0 255.255.252.0 94.169.33.85 94.169.33.85 20
94.169.33.85 255.255.255.255 127.0.0.1 127.0.0.1 20
94.255.255.255 255.255.255.255 94.169.33.85 94.169.33.85 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 94.169.33.85 94.169.33.85 20
255.255.255.255 255.255.255.255 94.169.33.85 94.169.33.85 1
Default Gateway: 94.169.32.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/12/2011 03:02:09 PM) (Source: Application Error) (User: )
Description: Faulting application set1d.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set1d.tmp!ws!]

Error: (10/12/2011 02:04:36 PM) (Source: Application Error) (User: )
Description: Faulting application set335.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set335.tmp!ws!]

Error: (10/12/2011 01:18:15 PM) (Source: Application Error) (User: )
Description: Faulting application set32b.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set32b.tmp!ws!]

Error: (10/12/2011 01:17:10 PM) (Source: Application Error) (User: )
Description: Faulting application set327.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set327.tmp!ws!]

Error: (10/11/2011 00:43:08 PM) (Source: Application Error) (User: )
Description: Faulting application set5c.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set5c.tmp!ws!]

Error: (10/11/2011 00:42:24 PM) (Source: Application Error) (User: )
Description: Faulting application set5b.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set5b.tmp!ws!]

Error: (10/11/2011 00:42:07 PM) (Source: Application Error) (User: )
Description: Faulting application set5a.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set5a.tmp!ws!]

Error: (10/05/2011 05:46:59 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Error: (10/05/2011 05:46:59 PM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Error: (09/26/2011 06:30:25 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


System errors:
=============
Error: (10/18/2011 00:00:18 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PxHelp20

Error: (10/18/2011 09:46:09 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PxHelp20

Error: (10/17/2011 09:37:14 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PxHelp20

Error: (10/17/2011 01:38:32 AM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
AmdK8
Cdrom
Fips
IPSec
mfehidk
mfetdi2k
MRxSmb
NetBIOS
NetBT
PxHelp20
RapportKELL
RasAcd
Rdbss
StarOpen
Tcpip

Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error:
%%1068

Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error:
%%1068

Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error:
%%1068

Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error:
%%1068

Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (10/12/2011 03:02:09 PM) (Source: Application Error)(User: )
Description: set1d.tmp7.0.100.13420.0.0.000000000

Error: (10/12/2011 02:04:36 PM) (Source: Application Error)(User: )
Description: set335.tmp7.0.100.13420.0.0.000000000

Error: (10/12/2011 01:18:15 PM) (Source: Application Error)(User: )
Description: set32b.tmp7.0.100.13420.0.0.000000000

Error: (10/12/2011 01:17:10 PM) (Source: Application Error)(User: )
Description: set327.tmp7.0.100.13420.0.0.000000000

Error: (10/11/2011 00:43:08 PM) (Source: Application Error)(User: )
Description: set5c.tmp7.0.100.13420.0.0.000000000

Error: (10/11/2011 00:42:24 PM) (Source: Application Error)(User: )
Description: set5b.tmp7.0.100.13420.0.0.000000000

Error: (10/11/2011 00:42:07 PM) (Source: Application Error)(User: )
Description: set5a.tmp7.0.100.13420.0.0.000000000

Error: (10/05/2011 05:46:59 PM) (Source: VSS)(User: )
Description: CoCreateInstance0x80040206

Error: (10/05/2011 05:46:59 PM) (Source: EventSystem)(User: )
Description: d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp44800706BF

Error: (09/26/2011 06:30:25 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.


=========================== Installed Programs ============================

Alarm Clock 1.00
CCleaner (Version: 3.11)
Dell AIO 810
Dell Network Assistant (Version: 3.0.0.0)
Dell Resource CD (Version: 1.00.0000)
Dell System Restore (Version: 2.00.0000)
Digital Camera Driver
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.69)
ImTOO DVD Creator (Version: 3.0.36.0328)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 27 (Version: 6.0.270)
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.14.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
McAfee SecurityCenter (Version: 11.0.623)
McAfee Virtual Technician (Version: 5.5.1.0)
MCU (Version: 1.00.0000)
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft Office 97, Professional Edition
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 08.05.0818)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
NVIDIA Drivers
PokerStars
Rapport (Version: 3.5.1105.59)
Sonic Activation Module (Version: 1.0)
Sonic Encoders (Version: 1.00)
swMSM (Version: 12.0.0.1)
Ulead Photo Explorer 8.0 SE Basic (Version: 8.0)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebFldrs XP (Version: 9.50.7523)
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0) (Version: 02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0) (Version: 02/23/2007 2.5.0.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0017.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0036.0)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 83%
Total physical RAM: 446.42 MB
Available physical RAM: 75.72 MB
Total Pagefile: 1726.7 MB
Available Pagefile: 1034.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.95 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:107.08 GB) (Free:81.77 GB) NTFS
2 Drive d: (Backup) (Fixed) (Total:37.24 GB) (Free:28.05 GB) NTFS

========================= Users: ========================================

User accounts for \\D90SWP2J

Administrator HelpAssistant Sal
Sally SUPPORT_388945a0

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#4 philjj


Posted 19 October 2011 - 08:05 AM

TDSSKiller found no threats; the link to ESET online scan opens a small window with an X in the top left-hand corner and "Done" in the notes line, bottom left pane of the window, and nothing else happens.
Thanks again
Phil

#5 boopme (Global Moderator)

Posted 19 October 2011 - 01:57 PM

I do not think it is malware but a software issue:

Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
AmdK8
Cdrom
Fips
IPSec
mfehidk
mfetdi2k
MRxSmb
NetBIOS
NetBT
PxHelp20
RapportKELL
RasAcd
Rdbss
StarOpen
Tcpip

Maybe a repair install.

You can run SFC... If no joy, ask in the XP forum.


SFC

Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users: the command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'.


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow (there is a space between c and /).

Click OK
Let it run and insert the CD when asked.
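The items MiniToolBox collects in the log above (IE proxy state, hosts file, Winsock catalog, recent event-log errors) and the boot-start driver failure boopme keyed on in #5 can be triaged mechanically. What follows is an added example, not code from this thread or from Farbar's MiniToolBox: a Python script that parses a Result.txt in that layout and flags what a helper would look at first. The log text embedded in it is constructed for the example rather than taken from philjj's posts, and the section regexes, driver groupings and function names are the example's own assumptions about the tool's output format.

```python
"""Triage a MiniToolBox-style Result.txt for the indicators a helper checks first."""
import re

# Constructed sample in MiniToolBox layout (not the log posted in this thread): a proxy
# that is switched on, two hosts entries beyond the stock localhost line, one Winsock
# provider outside System32 and two Service Control Manager driver-failure events.
SAMPLE_LOG = """\
========================= IE Proxy Settings: ==============================
Proxy is enabled.
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 www.download.windowsupdate.com
10.0.0.5 login.example-bank.test
========================= Winsock entries =====================================
Catalog5 01 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\\Documents and Settings\\Sal\\Application Data\\lsphook.dll [40960] ()
========================= Event log errors: ===============================
Error: (10/16/2011 07:34:38 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
mfehidk
Tcpip

Error: (10/17/2011 09:37:14 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PxHelp20
"""

# Section banners look like "===== Name: =====" (the Winsock banner has no colon).
SECTION_RE = re.compile(r"^=+\s*([^=]+?):?\s*=+$")
WINSOCK_RE = re.compile(r"^Catalog\d+ \d+ (.+?) \[\d+\] \((.*)\)$")

# Driver names come from this thread's failure list; the grouping is the example's own.
# The whole network stack failing at once points at a boot or install problem, whereas
# security-product drivers failing on their own deserve a second look.
NETWORK_STACK = {"afd", "tcpip", "netbt", "netbios", "ipsec", "mrxsmb", "rdbss", "rasacd"}
SECURITY_PRODUCT = {"mfehidk", "mfetdi2k", "rapportkell"}


def parse_sections(text):
    """Split the log into {section name: body text} on the banner lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(body) for name, body in sections.items()}


def nondefault_hosts(section):
    """Return hosts entries other than the stock loopback -> localhost mapping."""
    flagged = []
    for line in section.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0] in ("127.0.0.1", "::1") and [n.lower() for n in parts[1:]] == ["localhost"]:
            continue  # the one entry every XP hosts file has
        flagged.append(line.strip())
    return flagged


def foreign_winsock_providers(section):
    """Return Winsock catalog DLLs that are not Microsoft's own in System32."""
    flagged = []
    for m in (WINSOCK_RE.match(l.strip()) for l in section.splitlines()):
        if m and not (m.group(1).lower().startswith("c:\\windows\\system32\\")
                      and m.group(2) == "Microsoft Corporation"):
            flagged.append(m.group(1))
    return flagged


def failed_boot_drivers(section):
    """Collect driver names from SCM 'failed to load' events (one per line after the
    Description line, until a blank line or the next event)."""
    drivers, collecting = set(), False
    for line in section.splitlines():
        stripped = line.strip()
        if stripped.endswith("failed to load:"):
            collecting = True
        elif collecting and stripped and not stripped.startswith("Error:"):
            drivers.add(stripped)
        else:
            collecting = False
    return drivers


def triage(text):
    """Run every check and return the findings a helper would look at first."""
    s = parse_sections(text)
    failed = failed_boot_drivers(s.get("Event log errors", ""))
    lowered = {d.lower() for d in failed}
    return {
        # MiniToolBox prints a literal "Proxy is enabled." when IE has a proxy set.
        "proxy_enabled": "Proxy is enabled." in s.get("IE Proxy Settings", ""),
        "hosts": nondefault_hosts(s.get("Hosts content", "")),
        "winsock": foreign_winsock_providers(s.get("Winsock entries", "")),
        "failed_drivers": sorted(failed),
        "network_stack_failed": sorted(lowered & NETWORK_STACK),
        "security_drivers_failed": sorted(lowered & SECURITY_PRODUCT),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it as-is to triage the constructed sample, or read a real Result.txt and pass its contents to triage(). The network-stack versus security-driver split is the point of the last two fields: when AFD, Tcpip, NetBT and the McAfee drivers all fail in the same boot, the event describes a boot that never loaded its driver set, which is the reading boopme gave it; only the security drivers failing, with the network stack intact, would be the pattern worth chasing further.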

#6 philjj


Posted 20 October 2011 - 04:39 PM

My apologies for the delay, as you will appreciate, there is a slight time lag between us.
Have tried to run sfc.exe but the disk supplied with the computer is a manufacturers copy rather than the original so will have to resort to the other outlined method. In saying that, I will not have access to the computer for a couple of days (I have to move my boat) so will post as soon as I can complete the other work suggested.
Once again, thanks for your help.
Phil

#7 boopme (Global Moderator)

Posted 20 October 2011 - 06:12 PM

We'll keep a light on :)

#8 philjj


Posted 30 October 2011 - 03:57 PM

Well, have eventually managed to get back on the computer but my girlfriend has been using it and I don't know what stage we are at. She's installed something called FixIt from Microsoft but I don't understand what it does.
Going back to basics, the computer is still suffering on the browser front. I've decided to go back to where we first started to see if this helps, so the following is the MiniToolBox log:
MiniToolBox by Farbar
Ran by Sal (administrator) on 30-10-2011 at 20:52:55
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================


127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : D90SWP2J
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : cable.virginmedia.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : cable.virginmedia.net
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-18-8B-8A-DB-0B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 94.169.33.85
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 94.169.32.1
DHCP Server . . . . . . . . . . . : 62.30.192.113
DNS Servers . . . . . . . . . . . : 194.168.4.100
                                    194.168.8.100
Lease Obtained. . . . . . . . . . : 30 October 2011 19:07:14
Lease Expires . . . . . . . . . . : 04 November 2011 17:35:29

Server: cache1.service.virginmedia.net
Address: 194.168.4.100

Name: google.com.cable.virginmedia.net
Address: 81.200.64.50

Pinging google.com [209.85.169.105] with 32 bytes of data:

Reply from 209.85.169.105: bytes=32 time=30ms TTL=51
Reply from 209.85.169.105: bytes=32 time=42ms TTL=51

Ping statistics for 209.85.169.105:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 30ms, Maximum = 42ms, Average = 36ms

Server: cache1.service.virginmedia.net
Address: 194.168.4.100

Name: yahoo.com.cable.virginmedia.net
Address: 81.200.64.50

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=171ms TTL=53
Reply from 72.30.2.43: bytes=32 time=167ms TTL=53

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 167ms, Maximum = 171ms, Average = 169ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 18 8b 8a db 0b ...... Broadcom 440x 10/100 Integrated Controller - McAfee Core NDIS Intermediate Filter Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 94.169.32.1 94.169.33.85 20
94.169.32.0 255.255.252.0 94.169.33.85 94.169.33.85 20
94.169.33.85 255.255.255.255 127.0.0.1 127.0.0.1 20
94.255.255.255 255.255.255.255 94.169.33.85 94.169.33.85 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 94.169.33.85 94.169.33.85 20
255.255.255.255 255.255.255.255 94.169.33.85 94.169.33.85 1
Default Gateway: 94.169.32.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/29/2011 08:37:19 PM) (Source: SecurityCenter) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Error: (10/29/2011 08:33:59 PM) (Source: MatSvc) (User: )
Description: The MATS service encountered a web service failure. hr=0x80072EE7

Error: (10/29/2011 07:01:13 PM) (Source: SecurityCenter) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Error: (10/28/2011 11:55:36 PM) (Source: SecurityCenter) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus and Firewall.

Error: (10/25/2011 06:37:56 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

Error: (10/25/2011 06:37:56 PM) (Source: EventSystem) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Error: (10/25/2011 04:59:16 PM) (Source: Application Error) (User: )
Description: Faulting application set1d.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set1d.tmp!ws!]

Error: (10/23/2011 10:52:44 PM) (Source: MatSvc) (User: )
Description: The MATS service encountered a web service failure. hr=0x80072EE7

Error: (10/12/2011 02:02:09 PM) (Source: Application Error) (User: )
Description: Faulting application set1d.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set1d.tmp!ws!]

Error: (10/12/2011 01:04:36 PM) (Source: Application Error) (User: )
Description: Faulting application set335.tmp, version 7.0.100.1342, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [set335.tmp!ws!]


System errors:
=============
Error: (10/29/2011 08:09:23 PM) (Source: Service Control Manager) (User: )
Description: The Wireless Zero Configuration service terminated unexpectedly. It has done this 1 time(s).

Error: (10/29/2011 08:07:05 PM) (Source: Service Control Manager) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (10/29/2011 08:02:32 PM) (Source: Service Control Manager) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (10/29/2011 06:59:22 PM) (Source: Service Control Manager) (User: )
Description: The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).

Error: (10/28/2011 05:36:35 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (10/26/2011 00:42:19 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PxHelp20

Error: (10/25/2011 06:52:57 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PxHelp20

Error: (10/25/2011 06:40:10 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PxHelp20

Error: (10/25/2011 04:31:50 PM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.100.10 on the
Network Card with network address 00188B8ADB0B.

Error: (10/25/2011 04:27:33 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.


Microsoft Office Sessions:
=========================
Error: (10/29/2011 08:37:19 PM) (Source: SecurityCenter)(User: )
Description:

Error: (10/29/2011 08:33:59 PM) (Source: MatSvc)(User: )
Description: hr=0x80072EE7ISapCatalogService::GetFullSapCatalog

Error: (10/29/2011 07:01:13 PM) (Source: SecurityCenter)(User: )
Description:

Error: (10/28/2011 11:55:36 PM) (Source: SecurityCenter)(User: )
Description:

Error: (10/25/2011 06:37:56 PM) (Source: VSS)(User: )
Description: CoCreateInstance0x80040206

Error: (10/25/2011 06:37:56 PM) (Source: EventSystem)(User: )
Description: d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp4480070005

Error: (10/25/2011 04:59:16 PM) (Source: Application Error)(User: )
Description: set1d.tmp7.0.100.13420.0.0.000000000

Error: (10/23/2011 10:52:44 PM) (Source: MatSvc)(User: )
Description: hr=0x80072EE7ISapCatalogService::GetFullSapCatalog

Error: (10/12/2011 02:02:09 PM) (Source: Application Error)(User: )
Description: set1d.tmp7.0.100.13420.0.0.000000000

Error: (10/12/2011 01:04:36 PM) (Source: Application Error)(User: )
Description: set335.tmp7.0.100.13420.0.0.000000000


=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.0.1.152)
Alarm Clock 1.00
CCleaner (Version: 3.11)
Dell AIO 810
Dell Network Assistant (Version: 3.0.0.0)
Dell Resource CD (Version: 1.00.0000)
Dell System Restore (Version: 2.00.0000)
Digital Camera Driver
Google Update Helper (Version: 1.3.21.69)
ImTOO DVD Creator (Version: 3.0.36.0328)
Internet Explorer (Enable DEP)
LiveUpdate 2.6 (Symantec Corporation) (Version: 2.6.14.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
McAfee SecurityCenter (Version: 11.0.623)
McAfee Virtual Technician (Version: 5.5.1.0)
MCU (Version: 1.00.0000)
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Automated Troubleshooting Services Shim
Microsoft Fix it Center (Version: 1.0.0100)
Microsoft Office 97, Professional Edition
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 08.05.0818)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
NVIDIA Drivers
PokerStars
Rapport (Version: 3.5.1105.59)
Sonic Activation Module (Version: 1.0)
Sonic Encoders (Version: 1.00)
swMSM (Version: 12.0.0.1)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebFldrs XP (Version: 9.50.7523)
Windows Driver Package - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0) (Version: 02/23/2007 2.5.0.0)
Windows Driver Package - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0) (Version: 02/23/2007 2.5.0.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0017.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0036.0)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows PowerShell™ 1.0 (Version: 2)
Windows XP Media Center Edition 2005 KB908246
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 85%
Total physical RAM: 446.42 MB
Available physical RAM: 65.75 MB
Total Pagefile: 1726.7 MB
Available Pagefile: 1001.65 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.95 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:107.08 GB) (Free:81.84 GB) NTFS
2 Drive d: (Backup) (Fixed) (Total:37.24 GB) (Free:28.05 GB) NTFS

========================= Users: ========================================

User accounts for \\D90SWP2J

Administrator HelpAssistant Sal
Sally SUPPORT_388945a0

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#9 philjj

  • Topic Starter

  • Members
  • 33 posts

Posted 30 October 2011 - 06:21 PM

Have rerun TDSSKiller, nothing found; managed to get the ESET scanner working, which took approx. 2 hours, nothing found........ hmmmm, this gets curiouser and curiouser.
I KNOW something's wrong, but it seems a bit evasive. IE keeps running slowly and then hangs after a while; according to Process Explorer, it's using 97% CPU and 100% memory.
Any other suggestions please?
Phil

#10 boopme


    To Insanity and Beyond


  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 31 October 2011 - 02:39 PM

Most likely the rootkit I mentioned.
We need a deeper look. Please go here: Preparation Guide, and do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Include a link back to this topic.

Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 philjj

  • Topic Starter

  • Members
  • 33 posts

Posted 01 November 2011 - 09:11 AM

Am in the process of following the above; many thanks for your help and patience. For some reason, I can't access desktop items, so will have to find a workaround. DDS done. The initial GMER file wouldn't work, but the .exe does, so am running that and will post in the other forum.
Once again, thanks
Phil

#12 boopme


    To Insanity and Beyond


  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 November 2011 - 11:20 AM

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

#13 philjj

  • Topic Starter

  • Members
  • 33 posts

Posted 01 November 2011 - 01:50 PM

Have the unhide program, but shortcuts are still not active; have posted a new virus topic at
http://www.bleepingcomputer.com/forums/topic425890.html/page__p__2460607#entry2460607

I didn't see your last post prior to posting the above, will DDS and GMER need to be run again?

#14 boopme


    To Insanity and Beyond


  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 01 November 2011 - 03:21 PM

No, you are OK... MRL topic
http://www.bleepingcomputer.com/forums/topic425890.html/page__p__2460607#entry2460607

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 3 - 5 days and ALL logs are answered.

To avoid confusion, I am closing this topic.