
Is this a virus or trojan?


12 replies to this topic

#1 EducatedGuess

Posted 13 December 2011 - 10:58 PM

Hi. I run both IE and Mozilla Firefox on an older Gateway laptop. IE still works fine but all the sudden Firefox won't open or load, and a bunch of other applications also failed to open. When this happens, I get several error messages.

One Error Message is: "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item."

Another common error message is: "C:\WINDOWS/system32\rundll32.exe Application Not Found"

I posted this in another Forum on here, and someone said to post it in here, and this problem might be due to ROOTKITS.

Would somebody be so kind as to send me a link to troubleshoot and fix this? I know how to reformat my computer, but would prefer not to.



Thanks Much,
Educated Guess



#2 boopme


Posted 14 December 2011 - 09:21 PM

Hello Educated Guess

Use Inherit.exe to fix inappropriate permissions.
Use this fix when you see a box that states "Windows cannot access the specified device, path, or file. You may have inappropriate permissions to access the item".

Download This File
Save it next to mbam.exe (this file is located in the Malwarebytes Anti-malware home folder). Once done, drag and drop mbam.exe into Inherit.exe. Click OK and attempt to run Malwarebytes Anti-malware once again.




Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.

Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware



Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 EducatedGuess


Posted 14 December 2011 - 09:31 PM

Boopme, thanks, I'll try this and let you know.

Appreciate it!

#4 boopme


Posted 15 December 2011 - 02:17 PM

OK, will wait for the logs.

#5 EducatedGuess


Posted 16 December 2011 - 12:06 PM

Boopme, I've been using MALWAREBYTES for years. It is already loaded on my computer. Can I run it from its current position (it is now open and able to run), or do I need to uninstall it and reinstall per your instructions?

Please advise. Obviously, I would prefer not to uninstall and reinstall, if possible, but it sure beats a reformat.

I will wait to hear back from you before doing anything further. No rush....

Thanks Again for all your great input,
Educated Guess

#6 boopme


Posted 16 December 2011 - 08:22 PM

Yes, use yours, just update first.

#7 EducatedGuess


Posted 16 December 2011 - 10:16 PM

Here is the MalwareBytes log. It found six infections. I'm going to restart and see if this fixed the problem, then we'll go from there.

Thanks!


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8383

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/16/2011 7:12:11 PM
mbam-log-2011-12-16 (19-12-00).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 251932
Time elapsed: 1 hour(s), 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AH (Rogue.MultipleAV) -> No action taken.

Registry Values Infected:
HKEY_CLASSES_ROOT\ah\Content Type (Rogue.MultipleAV) -> Value: Content Type -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (PUM.HijackExefiles) -> Bad: (ah) Good: (exefile) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\application data\Sun\Java\deployment\cache\6.0\41\176687e9-14e41751-temp (Trojan.Agent) -> No action taken.
c:\documents and settings\Owner\local settings\temp\jar_cache9031282684591607381.tmp (Trojan.Agent) -> No action taken.
c:\documents and settings\Owner\local settings\temp\156.9086.exe (Trojan.Agent) -> No action taken.
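The log above is worth reading closely: the "Registry Data Items Infected" entry shows the .exe file association pointing at the rogue's "ah" class instead of "exefile", which is exactly the kind of change that produces the "Application Not Found" and permission errors from the first post, and every line still says "No action taken". As an added example (not code from the thread or from Malwarebytes), here is a small Python parser for this MBAM 1.x log format that pulls out both of those points from a constructed sample log laid out like the one posted.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x scan log (added example, not Malwarebytes' code).
Log layout: header lines, "<category> Infected: N" counts, then one section per category
with lines of the form  <item> (<detection>) -> [<detail> -> ]<action>.
"""
import re
from dataclasses import dataclass, field

# Constructed sample that mirrors the layout of the log posted in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8383
Windows 5.1.2600 Service Pack 2

Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\\AH (Rogue.MultipleAV) -> No action taken.

Registry Values Infected:
HKEY_CLASSES_ROOT\\ah\\Content Type (Rogue.MultipleAV) -> Value: Content Type -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\\.exe\\(default) (PUM.HijackExefiles) -> Bad: (ah) Good: (exefile) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\\documents and settings\\Owner\\local settings\\temp\\156.9086.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

HEADER_RE = re.compile(r"^Malwarebytes' Anti-Malware (?P<version>[\d.]+)$")
DATABASE_RE = re.compile(r"^Database version: (?P<db>\d+)$")
COUNT_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
# "Bad: (x) Good: (y)" is how MBAM reports a registry data item it would restore.
FIX_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

@dataclass
class Finding:
    category: str
    item: str
    detection: str
    detail: str  # middle "->" fields, empty when there are none
    action: str  # final field without its trailing period

@dataclass
class ScanReport:
    version: str = ""
    database: str = ""
    counts: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

def parse_mbam_log(text: str) -> ScanReport:
    """Parse the log text into a ScanReport; lines it does not recognise are skipped."""
    report, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            report.version = m["version"]
        elif m := DATABASE_RE.match(line):
            report.database = m["db"]
        elif m := COUNT_RE.match(line):
            report.counts[m["category"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["category"]  # item lines that follow belong to this category
        elif section and (m := ITEM_RE.match(line)):
            parts = [p.strip() for p in m["rest"].split(" -> ")]
            report.findings.append(Finding(section, m["item"], m["detection"],
                                           " -> ".join(parts[:-1]), parts[-1].rstrip(".")))
    return report

def pending_removal(report: ScanReport) -> list:
    """Detections listed but not removed, e.g. a log posted before 'Remove Selected'."""
    return [f for f in report.findings if f.action.lower().startswith("no action taken")]

def exe_association_hijacks(report: ScanReport) -> list:
    """(item, bad, good) for each HKCR\\.exe default value not pointing at exefile.

    With .exe routed through another class, every program launch goes through that
    class's open command, so the hijack shows up as "Application Not Found" and
    permission errors on ordinary programs rather than as a visible malware process.
    """
    hits = []
    for f in report.findings:
        m = FIX_RE.search(f.detail)
        if (f.item.lower().endswith(r"\.exe\(default)") and m
                and m["bad"].lower() != m["good"].lower()):
            hits.append((f.item, m["bad"], m["good"]))
    return hits

if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {rep.version}, database {rep.database}, {len(rep.findings)} findings")
    print("still to remove:", [f.item for f in pending_removal(rep)])
    print(".exe association hijacks:", exe_association_hijacks(rep))
```

Run it against a real MBAM 1.x log by passing the file contents to parse_mbam_log; an empty pending_removal list is what you want to see after "Remove Selected".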

#8 boopme


Posted 16 December 2011 - 11:10 PM

Yes, let me know so we can either mop up or continue on.

#9 EducatedGuess


Posted 18 December 2011 - 10:48 PM

Boopme, thanks! MB took care of it and it's running great now. As far as I can tell all the applications are now opening normally. We can consider this case closed. Thank You!

Educated Guess

#10 boopme


Posted 18 December 2011 - 11:17 PM

Excellent!! Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#11 EducatedGuess


Posted 04 January 2012 - 10:51 PM

Boopme:

I appreciate your help from this thread from several weeks ago. Unfortunately, ever since the "fix" the laptop is running terribly slow. I have posted below the entire log from Mini Tool Box.

I'm going to run MB again looking for a new infection and create a new restore point.

Question though: Am I possibly looking at a complete restore here, or can I run an OS fix or something? My experience from the past tells me that when a unit gets this slow it is usually just time to throw in the towel and do a full reformat.

Please take a look at this log and tell me if you see anything unusual. I will keep you posted, and thanks once again.

Best,
Educated Guess




MiniToolBox by Farbar
Ran by Owner (administrator) on 04-01-2012 at 19:44:35
Microsoft Windows XP Home Edition Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Broadcom 802.11g Network Adapter = Wireless Network Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : SCOTTGATEWAY

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : westell.com



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-E0-B8-A7-65-F8



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : westell.com

Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter

Physical Address. . . . . . . . . : 00-14-A5-40-0C-0E

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 10.10.10.101

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 10.10.10.1

DHCP Server . . . . . . . . . . . : 10.10.10.1

DNS Servers . . . . . . . . . . . : 10.10.10.1

192.168.1.1

Lease Obtained. . . . . . . . . . : Wednesday, January 04, 2012 6:07:34 PM

Lease Expires . . . . . . . . . . : Thursday, January 05, 2012 6:07:34 PM

Server: dslrouter.westell.com
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.224.209, 74.125.224.212, 74.125.224.211, 74.125.224.210
74.125.224.208



Pinging google.com [74.125.224.208] with 32 bytes of data:



Reply from 74.125.224.208: bytes=32 time=49ms TTL=54

Reply from 74.125.224.208: bytes=32 time=50ms TTL=54



Ping statistics for 74.125.224.208:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 49ms, Maximum = 50ms, Average = 49ms

Server: dslrouter.westell.com
Address: 192.168.1.1

Name: yahoo.com
Addresses: 98.139.180.149, 209.191.122.70, 72.30.2.43, 98.137.149.56



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:



Reply from 98.137.149.56: bytes=32 time=71ms TTL=55

Reply from 98.137.149.56: bytes=32 time=64ms TTL=55



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 64ms, Maximum = 71ms, Average = 67ms

Server: dslrouter.westell.com
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time=1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 1ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 e0 b8 a7 65 f8 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x3 ...00 14 a5 40 0c 0e ...... Broadcom 802.11g Network Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.10.1 10.10.10.101 25
10.10.10.0 255.255.255.0 10.10.10.101 10.10.10.101 25
10.10.10.101 255.255.255.255 127.0.0.1 127.0.0.1 25
10.255.255.255 255.255.255.255 10.10.10.101 10.10.10.101 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.10.10.101 10.10.10.101 25
255.255.255.255 255.255.255.255 10.10.10.101 2 1
255.255.255.255 255.255.255.255 10.10.10.101 10.10.10.101 1
Default Gateway: 10.10.10.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/03/2012 01:44:21 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Error in creating result PEAP-TLV in response to received PEAP-TLV (svchost.exe!ld!)

Error: (01/03/2012 01:25:56 PM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Error: (01/02/2012 06:26:49 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Error in creating result PEAP-TLV in response to received PEAP-TLV (svchost.exe!ld!)

Error: (12/30/2011 01:59:29 PM) (Source: Application Error) (User: )
Description: Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [!ws!]

Error: (12/26/2011 11:19:11 AM) (Source: Application Hang) (User: )
Description: Hanging application WINWORD.EXE, version 10.0.2627.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (12/18/2011 10:19:23 PM) (Source: Lavasoft Ad-Aware Service) (User: )
Description: Only one instance of service process is allowed.

Error: (12/14/2011 05:40:03 PM) (Source: Application Error) (User: )
Description: Faulting application acrord32.exe, version 7.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x240075f9.
Processing media-specific event for [acrord32.exe!ws!]

Error: (12/09/2011 09:00:12 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2180, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/02/2011 08:12:34 AM) (Source: MsiInstaller) (User: Owner)Owner
Description: Product: Microsoft Office XP Professional with FrontPage -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.

Error: (11/28/2011 08:57:48 PM) (Source: ESENT) (User: )
Description: svchost (1432) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).


System errors:
=============
Error: (01/04/2012 06:13:01 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (01/04/2012 07:41:59 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (01/03/2012 05:43:48 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (01/03/2012 01:48:28 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (01/03/2012 01:19:15 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (01/02/2012 06:39:30 PM) (Source: Print) (User: Owner)
Description: The document Microsoft Word - 102 HONORS syllabus SPRING 2012 F.doc owned by Owner failed to print on printer HP LaserJet 5. Data type: NT EMF 1.008. Size of the spool file in bytes: 625364. Number of bytes printed: 0. Total number of pages in the document: 8. Number of pages printed: 0. Client machine: \\SCOTTGATEWAY. Win32 error code returned by the print processor: Microsoft Word - 102 HONORS syllabus SPRING 2012 F.doc0. Microsoft Word - 102 HONORS syllabus SPRING 2012 F.doc1

Error: (01/02/2012 06:30:35 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1460

Error: (12/30/2011 02:01:21 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.

Error: (12/30/2011 02:01:21 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.

Error: (12/30/2011 02:01:21 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.


Microsoft Office Sessions:
=========================
Error: (01/03/2012 01:44:21 PM) (Source: Application Error)(User: )
Description: svchost.exe0.0.0.0unknown0.0.0.000000000

Error: (01/03/2012 01:25:56 PM) (Source: Application Error)(User: )
Description: 0.0.0.0unknown0.0.0.000000000

Error: (01/02/2012 06:26:49 PM) (Source: Application Error)(User: )
Description: svchost.exe0.0.0.0unknown0.0.0.000000000

Error: (12/30/2011 01:59:29 PM) (Source: Application Error)(User: )
Description: 0.0.0.0unknown0.0.0.000000000

Error: (12/26/2011 11:19:11 AM) (Source: Application Hang)(User: )
Description: WINWORD.EXE10.0.2627.0hungapp0.0.0.000000000

Error: (12/18/2011 10:19:23 PM) (Source: Lavasoft Ad-Aware Service)(User: )
Description: Only one instance of service process is allowed.

Error: (12/14/2011 05:40:03 PM) (Source: Application Error)(User: )
Description: acrord32.exe7.0.0.0unknown0.0.0.0240075f9

Error: (12/09/2011 09:00:12 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.21800.0.0.000000000

Error: (12/02/2011 08:12:34 AM) (Source: MsiInstaller)(User: Owner)Owner
Description: Product: Microsoft Office XP Professional with FrontPage -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.(NULL)(NULL)(NULL)

Error: (11/28/2011 08:57:48 PM) (Source: ESENT)(User: )
Description: svchost1432C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb-1032 (0xfffffbf8)32 (0x00000020)The process cannot access the file because it is being used by another process.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 1.0.0)
4500_Help (Version: 1.00.0000)
5600 (Version: 50.0.206.000)
5600_Help (Version: 50.0.206.000)
5600Trb (Version: 50.0.206.000)
Ad-Aware (Version: 9.5.0)
Adobe AIR (Version: 1.5.2.8870)
Adobe Flash Player 10 Plugin (Version: 10.3.181.34)
Adobe Flash Player 11 ActiveX (Version: 11.0.1.152)
Adobe Photoshop.com Inspiration Browser (Version: 3.02)
Adobe Premiere Elements 8.0 (Version: 8.0)
Adobe Premiere Elements 8.0 Templates (Version: 8.0)
Adobe Reader 7.0 (Version: 7.0.0)
AiO_Scan (Version: 50.0.227.000)
AiOSoftware (Version: 50.0.206.000)
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Spyware Protection (Version: 1.0.76)
AOL You've Got Pictures Screensaver
ASPCA TriMini Reminder by We-Care.com v5.0.2.1 (Version: 5.0.2.1)
AVG 2012 (Version: 12.0.1901)
AVG 2012 (Version: 12.0.2109)
AVG 2012 (Version: 2012.0.1901)
AVS Update Manager 1.0
AVS Video Converter 8
AVS4YOU Software Navigator 1.4
BigFix
BPD_HPSU (Version: 1.00.0000)
bpd_scan (Version: 3.00.0000)
BPDSoftware (Version: 50.0.165.000)
BPDSoftware_Ini (Version: 1.00.0000)
BufferChm (Version: 53.0.13.000)
CC_ccProxyExt (Version: 103.0.2.10)
ccCommon (Version: 103.0.2.10)
CCleaner (Version: 3.09)
ccPxyCore (Version: 103.0.2.10)
Cisco Network Magic (Version: 5.5.09195.0)
Conexant AC-Link Audio
Coupon Printer for Windows (Version: 5.0.0.1)
CP_AtenaShokunin1Config (Version: 53.0.13.000)
CP_CalendarTemplates1 (Version: 53.0.13.000)
CP_Package_Basic1 (Version: 53.0.13.000)
CP_Package_Variety1 (Version: 53.0.13.000)
CP_Package_Variety2 (Version: 53.0.13.000)
CP_Package_Variety3 (Version: 53.0.13.000)
CP_Panorama1Config (Version: 53.0.13.000)
CueTour (Version: 53.0.13.000)
CustomerResearchQFolder (Version: 1.00.0000)
Destinations (Version: 53.0.13.000)
DeviceFunctionQFolder (Version: 1.00.0000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 5.2.0.0)
DocumentViewer (Version: 53.0.13.000)
DocumentViewerQFolder (Version: 1.00.0000)
DVD Decrypter (Remove Only)
DVDFab 8.1.2.6 (12/10/2011) Qt
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 100.0.272.000)
FullDPAppQFolder (Version: 1.00.0000)
Garmin Lifetime Updater (Version: 2.0.11)
Google Toolbar for Internet Explorer
HP Document Viewer 5.3 (Version: 5.3)
HP Extended Capabilities 5.3 (Version: 5.3)
HP Image Zone 5.3 (Version: 5.3)
HP Imaging Device Functions 5.3 (Version: 5.3)
HP Officejet J4500 Series (Version: 1.0)
HP PSC & OfficeJet 5.3.B
HP Software Update (Version: 3.0.5.001)
HP Solution Center & Imaging Support Tools 5.3 (Version: 5.3)
HPProductAssistant (Version: 53.0.13.000)
ImgBurn (Version: 2.5.6.0)
InstantShareDevices (Version: 53.0.13.000)
Intel® Extreme Graphics 2 Driver
J2SE Runtime Environment 5.0 Update 2 (Version: 1.5.0.20)
J4500 (Version: 50.0.165.000)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
LiveReg (Symantec Corporation) (Version: 3.0.0)
LiveUpdate 2.5 (Symantec Corporation) (Version: 2.5.55.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
MarketResearch (Version: 53.0.13.000)
Media Player Codec Pack 4.1.1
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Digital Image Library 9 - Blocker (Version: 9.00.0000)
Microsoft Digital Image Starter Edition 2006 (Version: 11.0.0422)
Microsoft Digital Image Starter Edition 2006 Editor (Version: 11.0.0422)
Microsoft Digital Image Starter Edition 2006 Library (Version: 11.0.0422)
Microsoft Money 2005 (Version: 14)
Microsoft Office XP Professional with FrontPage (Version: 10.0.2627.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Works (Version: 08.04.0623)
Mozilla Firefox 8.0 (x86 en-US) (Version: 8.0)
MSRedist (Version: 1.0.0.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
Musicnotes Software Suite 1.5.5 (Version: 1.5.5)
Napster (Version: 3.0.3.7)
Napster Burn Engine (Version: 2.5.0000)
Nero BurnRights
Nero OEM
Network Magic (Version: 5.5.9195.0)
NewCopy (Version: 50.0.206.000)
Norton AntiSpam (Version: 2005.1.0.163)
Norton AntiVirus 2005 (Version: 11.0.2)
Norton Internet Security (Version: 1.0.0)
Norton Internet Security (Version: 8.0.0.64)
Norton Internet Security 2005 (Symantec Corporation) (Version: 8.0.0.64)
Norton Security Center (Version: 2005.1.0.111)
Norton WMI Update (Version: 2005.1.0.111)
PanoStandAlone (Version: 53.0.13.000)
PhotoGallery (Version: 53.0.13.000)
ProductContext (Version: 50.0.165.000)
ProductContext (Version: 50.0.206.000)
Pure Networks Platform (Version: 11.2.09195.1)
Pure Networks Port Magic (Version: 1.2.1393.0)
QuickTime
RandMap (Version: 53.0.13.000)
Readme (Version: 50.0.206.000)
RealPlayer Basic
Recovery Software Suite Gateway (Version: 1.00.0000)
Sandboxie 3.56 (32-bit)
Scan (Version: 10.1.0.0)
ScannerCopy (Version: 5.2.0.0)
SkinsHP1 (Version: 53.0.13.000)
SmartSound Quicktracks for Premiere Elements 8.0 (Version: 3.11.3090)
Soft Data Fax Modem with SmartCP
Solid YouTube Downloader and Converter DB Toolbar
SolutionCenter (Version: 50.0.152.000)
Sonic_PrimoSDK (Version: 53.0.13.000)
SPBBC (Version: 1.00.0000)
Spotify (Version: 0.5.2)
Status (Version: 53.0.13.000)
Symantec Script Blocking Installer (Version: 11.0.2)
SymNet (Version: 5.4.2.17)
Synaptics Pointing Device Driver (Version: 7.12.3.0)
Texas Instruments PCIxx21/x515 drivers. (Version: 1.09.0000)
TIxx21 (Version: 1.09.0000)
Toolbox (Version: 100.0.170.000)
TrayApp (Version: 53.0.13.000)
Unload (Version: 5.0.0)
Viewpoint Media Player
VOB2MPG v3 (Version: 3.2.2000)
WebEx Support Manager for Internet Explorer (Version: 6.5.4917)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 100.0.170.000)
Windows Backup Utility (Version: 5.1)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Movie Maker 6.1
Windows XP Hotfix - KB834707 (Version: 20040929.110854)
Windows XP Hotfix - KB867282 (Version: 20050127.090417)
Windows XP Hotfix - KB873333 (Version: 20050114.005213)
Windows XP Hotfix - KB873339 (Version: 20041117.092459)
Windows XP Hotfix - KB884020 (Version: 20040813.164454)
Windows XP Hotfix - KB885250 (Version: 20050118.202711)
Windows XP Hotfix - KB885835 (Version: 20041027.181713)
Windows XP Hotfix - KB885836 (Version: 20041028.173203)
Windows XP Hotfix - KB885884 (Version: 20040924.025457)
Windows XP Hotfix - KB888113 (Version: 20041116.131036)
Windows XP Hotfix - KB888239 (Version: 20041124.162528)
Windows XP Hotfix - KB888302 (Version: 20041207.111426)
Windows XP Hotfix - KB890047 (Version: 20041221.124506)
Windows XP Hotfix - KB890175 (Version: 20041201.233338)
Windows XP Hotfix - KB890859 (Version: 1)
Windows XP Hotfix - KB890923 (Version: 1)
Windows XP Hotfix - KB891781 (Version: 20050110.165439)
Windows XP Hotfix - KB893086 (Version: 1)
Wondershare DVD Creator(Build 2.5.1.4)
Yahoo! Software Update
Yahoo! Toolbar

========================= Devices: ================================

Name: PHILIPS CDRW/DVD SCB5265
Description: CD-ROM Drive
Class Guid: {4D36E965-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard CD-ROM drives)
Service: cdrom
Problem: : Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41)
Resolution: A driver was loaded but Windows cannot find the device. This happens when Windows does not detect a non-Plug and Play device.
If the device was removed, uninstall the driver, install the device, and then click "Scan for hardware changes" to reinstall the driver. If the hardware was not removed, obtain a new or updated driver for the device.
If the device is a non-Plug and Play device, a newer version of the driver might be needed. To install non-Plug and Play devices, use the Add Hardware wizard.
Click "Performance and Maintenance" on "Control Panel", click "System", and on the "Hardware" tab, click "Add Hardware Wizard".


========================= Memory info: ===================================

Percentage of memory in use: 41%
Total physical RAM: 758.41 MB
Available physical RAM: 446.06 MB
Total Pagefile: 1854.27 MB
Available Pagefile: 859.3 MB
Total Virtual: 2047.88 MB
Available Virtual: 1969.84 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:69.89 GB) (Free:9.2 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:4.63 GB) (Free:1.87 GB) FAT32

========================= Users: ========================================

User accounts for \\SCOTTGATEWAY

Administrator ASPNET Guest
HelpAssistant Owner SUPPORT_388945a0

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#12 EducatedGuess

EducatedGuess
  • Topic Starter

  • Members
  • 187 posts
  • OFFLINE
  • Local time:03:06 AM

Posted 05 January 2012 - 01:12 AM

Boopme:

It looks like, as you stated, the system might have become reinfected. I have posted below a new MB log that shows 15 infections I removed. I am going to create a new restore point right now. Do I need to run the Mini Tool Box again?

Thanks!
Educated Guess


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.05.01

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: SCOTTGATEWAY [administrator]

1/4/2012 8:01:55 PM
mbam-log-2012-01-04 (20-01-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281889
Time elapsed: 1 hour(s), 46 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 15
C:\Documents and Settings\Owner\My Documents\Downloads\cnet2_ComboFix_exe.exe (PUP.CNET.Adware.Bundle) -> No action taken.
C:\WINDOWS\Temp\wera0.8098365168386539.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wera0.9456783925148189.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wera0.35625345225674077.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.745423477152792.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\fsdfdsf0.1859994762632733.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.3664900234532795.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.6022275678343835.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.6364234689839594.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.6873087882353984.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.8852992392741906.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.9778321088210126.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.38131666994100866.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\oiu0.46280274478050165.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.

(end)
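The log above lists 15 detections, but one of them (the bundled ComboFix download) reads "No action taken", which is easy to miss in a long list. The following script is an added example, not part of the original post or of Malwarebytes: it parses the "path (detection) -> action" lines of an MBAM 1.x log, groups them by detection family, and lists anything that was reported but not quarantined. The sample lines are copied from the log posted above.

```python
import re
from collections import Counter

# Sample lines taken from the Malwarebytes log posted above. The parser
# itself is illustrative and is not a Malwarebytes component.
SAMPLE_LOG = r"""
Files Detected: 3
C:\Documents and Settings\Owner\My Documents\Downloads\cnet2_ComboFix_exe.exe (PUP.CNET.Adware.Bundle) -> No action taken.
C:\WINDOWS\Temp\wera0.8098365168386539.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.

(end)
"""

# One detection line has the shape "<path> (<detection name>) -> <action>."
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$"
)


def parse_detections(log_text):
    """Return one dict (path, name, action) per detection line in the log."""
    items = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def unresolved(items):
    """Detections the scanner reported but did not quarantine or delete."""
    return [i for i in items if not i["action"].startswith("Quarantined")]


def summarize(items):
    """Count detections per family, i.e. the name without its last component."""
    return Counter(i["name"].rsplit(".", 1)[0] for i in items)


def report(log_text):
    """Build a short triage report as a list of lines."""
    items = parse_detections(log_text)
    lines = ["Detections parsed: %d" % len(items)]
    for family, count in sorted(summarize(items).items()):
        lines.append("  %-20s %d" % (family, count))
    left = unresolved(items)
    lines.append("Not removed: %d" % len(left))
    for i in left:
        lines.append("  %s [%s] -> %s" % (i["path"], i["name"], i["action"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a saved mbam-log-*.txt by passing the file contents to report(); any entry under "Not removed" is something to deal with before assuming the scan cleaned the machine.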

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:06 AM

Posted 05 January 2012 - 04:22 PM

Hello again. A few things. Looks like you installed a bogus ComboFix and that needs to go. It carries a backdoor worm. Now here's the deal. It's a worm that can spread via instant messaging programs, which may include MSN Messenger, Yahoo Messenger and Skype. It may also spread via removable drives or exploiting the MS06-040 vulnerability. This worm spreads automatically via shares, but must be ordered to spread via exploit or instant messaging by a remote attacker. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Your hard drive is nearly full. At 15% remaining you will experience slowness issues as the Page (Swap) file competes for space to operate smoothly.



