Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer freezing, google redirecting, etc


  • Please log in to reply
5 replies to this topic

#1 meghans57

meghans57

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:06 PM

Posted 29 December 2011 - 11:30 PM

Hi,
I've been trying to rid my computer a virus with no luck, and now its gotten so bad that I can only use it in safe mode. I have Windows 7 and I use Firefox. It started out with Google redirecting all of my searches, with the occasional Firefox window popping up randomly. Then it started popping up so many windows, each with a ton of tabs, that I couldn't close them fast enough. After that, it started to take an unusually long time to start up. Now the computer acts normal for 2 or 3 minutes after start up and then it just freezes. The only way to do anything is through safe mode. I ran quite a few security programs, including Malwarebytes, Trend Micro Titanium, and Adaware, they all found things but weren't able to remove them all. Also, Windows Security Center won't open. Thanks for the help!

BC AdBot (Login to Remove)

 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:06 PM

Posted 30 December 2011 - 05:43 PM

While in Safe Mode with Networking...

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#3 meghans57

meghans57
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:06 PM

Posted 01 January 2012 - 10:14 AM

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Sophos Anti-Virus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java™ 6 Update 24
Out of date Java installed!
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
``````````End of Log````````````




Farbar Service Scanner
Ran by Meg (administrator) on 01-01-2012 at 07:50:24
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Nerwork
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of MpsSvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of MpsSvc. The value does not exist.
Unable to retrieve ServiceDll of MpsSvc. The value does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of bfe. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of bfe. The value does not exist.
Unable to retrieve ServiceDll of bfe. The value does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of wscsvc. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of wscsvc. The value does not exist.
Unable to retrieve ServiceDll of wscsvc. The value does not exist.


Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****





MiniToolBox by Farbar
Ran by Meg (administrator) on 01-01-2012 at 07:51:36
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Nerwork
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Atheros AR9285 Wireless Network Adapter = Wireless Network Connection (Connected)
Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20) = Local Area Connection (Media disconnected)
The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Meg-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ok.cox.net

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
Physical Address. . . . . . . . . : F4-6D-04-42-1D-64
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : ok.cox.net
Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
Physical Address. . . . . . . . . : E0-B9-A5-AE-3E-E8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::2c52:60ca:6090:9bde%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, December 30, 2011 4:12:26 PM
Lease Expires . . . . . . . . . . : Sunday, January 01, 2012 10:57:26 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 249608613
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-64-8C-7F-E0-B9-A5-AE-3E-E8
DNS Servers . . . . . . . . . . . : 68.105.28.11
68.105.29.11
68.105.28.12
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{1D81184F-1A1B-4543-AE06-3AD3342286A8}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.ok.cox.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Pinging google.com [74.125.227.49] with 32 bytes of data:
Reply from 74.125.227.49: bytes=32 time=13ms TTL=56
Reply from 74.125.227.49: bytes=32 time=25ms TTL=56

Ping statistics for 74.125.227.49:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 25ms, Average = 19ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=170ms TTL=55
Reply from 98.137.149.56: bytes=32 time=62ms TTL=55

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 62ms, Maximum = 170ms, Average = 116ms

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...f4 6d 04 42 1d 64 ......Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20)
10...e0 b9 a5 ae 3e e8 ......Atheros AR9285 Wireless Network Adapter
1...........................Software Loopback Interface 1
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.100 281
192.168.1.100 255.255.255.255 On-link 192.168.1.100 281
192.168.1.255 255.255.255.255 On-link 192.168.1.100 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.100 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.100 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 281 fe80::/64 On-link
10 281 fe80::2c52:60ca:6090:9bde/128
On-link
1 306 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
Catalog5 06 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 09 mswsock.dll [File Not found] ()
Catalog5 10 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
x64-Catalog5 06 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171392] (Microsoft Corp.)
x64-Catalog5 09 mswsock.dll [File Not found] ()
x64-Catalog5 10 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog9 11 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/30/2011 01:00:37 AM) (Source: PerfNet) (User: )
Description:

Error: (12/30/2011 00:54:38 AM) (Source: PerfNet) (User: )
Description:

Error: (12/30/2011 00:52:35 AM) (Source: PerfNet) (User: )
Description:

Error: (12/29/2011 10:14:13 PM) (Source: SignInAssistant) (User: )
Description: StartService failed with hr = 0x8007043c

Error: (12/29/2011 05:50:34 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 177030

Error: (12/29/2011 05:50:34 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 177030

Error: (12/29/2011 05:50:34 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/29/2011 05:50:33 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 176032

Error: (12/29/2011 05:50:33 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 176032

Error: (12/29/2011 05:50:33 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second


System errors:
=============
Error: (01/01/2012 07:48:48 AM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (01/01/2012 07:47:42 AM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (01/01/2012 04:15:59 AM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (12/31/2011 04:22:33 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/31/2011 10:57:28 AM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (12/31/2011 09:24:28 AM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (12/31/2011 08:27:23 AM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (12/31/2011 08:03:23 AM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (12/31/2011 06:42:08 AM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (12/30/2011 11:41:43 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.


Microsoft Office Sessions:
=========================
Error: (12/30/2011 01:00:37 AM) (Source: PerfNet)(User: )
Description:

Error: (12/30/2011 00:54:38 AM) (Source: PerfNet)(User: )
Description:

Error: (12/30/2011 00:52:35 AM) (Source: PerfNet)(User: )
Description:

Error: (12/29/2011 10:14:13 PM) (Source: SignInAssistant)(User: )
Description: StartService failed with hr = 0x8007043c

Error: (12/29/2011 05:50:34 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 177030

Error: (12/29/2011 05:50:34 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 177030

Error: (12/29/2011 05:50:34 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (12/29/2011 05:50:33 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 176032

Error: (12/29/2011 05:50:33 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 176032

Error: (12/29/2011 05:50:33 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second


=========================== Installed Programs ============================

??????? Windows Live Mesh ActiveX ??(????) (Version: 15.4.5722.2)
??????? Windows Live Mesh ActiveX ??? (Version: 15.4.5722.2)
µTorrent (Version: 3.0.0)
Ad-Aware (Version: 9.0.7)
Adobe AIR (Version: 1.5.3.9120)
Adobe Community Help (Version: 3.0.0)
Adobe Community Help (Version: 3.0.0.400)
Adobe Flash Player 10 ActiveX (Version: 10.0.42.34)
Adobe Flash Player 11 Plugin 64-bit (Version: 11.1.102.55)
Adobe Media Player (Version: 1.8)
Adobe Photoshop CS5 (Version: 12.0)
Alcor Micro USB Card Reader (Version: 1.2.0117.08443)
Apple Application Support (Version: 2.1.5)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
ASUS AI Recovery (Version: 1.0.13)
ASUS FancyStart (Version: 1.1.0)
ASUS LifeFrame3 (Version: 3.0.22)
ASUS Live Update (Version: 3.0.6)
ASUS Power4Gear Hybrid (Version: 1.1.43)
ASUS SmartLogon (Version: 1.0.0009)
ASUS Splendid Video Enhancement Technology (Version: 1.02.0031)
ASUS Virtual Camera (Version: 1.0.21)
ASUS WebStorage (Version: 2.0.46.1429)
AsusScr_K3 Series_ENG (Version: 1.0.0001)
AsusVibe2.0 (Version: 2.0.3.585)
ATK Package (Version: 1.0.0008)
Bonjour (Version: 3.0.0.10)
BookSmart® 3.2.2 3.2.2
CCleaner (Version: 3.14)
Complemento Messenger (Version: 15.4.3502.0922)
Complément Messenger (Version: 15.4.3502.0922)
Contrôle ActiveX Windows Live Mesh pour connexions à distance (Version: 15.4.5722.2)
Control ActiveX de Windows Live Mesh para conexiones remotas (Version: 15.4.5722.2)
Controlo ActiveX do Windows Live Mesh para Ligações Remotas (Version: 15.4.5722.2)
CyberLink LabelPrint (Version: 2.5.1908)
CyberLink Power2Go (Version: 6.1.3602c)
D3DX10 (Version: 15.4.2368.0902)
ETDWare PS/2-X64 8.0.5.1_WHQL (Version: 8.0.5.1)
Fast Boot (Version: 1.0.9)
FrostWire 5.1.5 (Version: 5.1.5.0)
Galeria de Fotografias do Windows Live (Version: 15.4.3502.0922)
Galerie de photos Windows Live (Version: 15.4.3502.0922)
Galería fotográfica de Windows Live (Version: 15.4.3502.0922)
Google Chrome (Version: 16.0.912.63)
Google Talk Plugin (Version: 2.5.8.4958)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Update Helper (Version: 1.3.21.79)
Intel® Control Center (Version: 1.2.1.1007)
Intel® Management Engine Components (Version: 7.0.0.1118)
Intel® Processor Graphics (Version: 8.15.10.2321)
Intel® Turbo Boost Technology Monitor (Version: 1.0.400.4)
iTunes (Version: 10.5.1.42)
Java Auto Updater (Version: 2.0.3.1)
Java™ 6 Update 24 (Version: 6.0.240)
Junk Mail filter update (Version: 15.4.3502.0922)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
Mesh Runtime (Version: 15.4.5722.2)
Messenger ???? (Version: 15.4.3502.0922)
Messenger ????? (Version: 15.4.3502.0922)
Messenger Companion (Version: 15.4.3502.0922)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Office 32-bit Components 2010 (Version: 14.0.4734.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared 32-bit MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_ATL_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86_x64 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86_x64 (Version: 80.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000)
Mozilla Firefox 8.0 (x86 en-US) (Version: 8.0)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
Nuance PDF Reader (Version: 6.00.0041)
PDF Settings CS5 (Version: 10.0)
PeerBlock 1.1 (r518) (Version: 1.1.0.518)
QuickTime (Version: 7.70.80.34)
Realtek High Definition Audio Driver (Version: 6.0.1.6304)
Skype Click to Call (Version: 5.6.8442)
Skype™ 5.5 (Version: 5.5.124)
Sonic Focus (Version: 1.00.0000)
Sophos Anti-Virus (Version: 9.5.4)
Sophos AutoUpdate (Version: 2.5.7)
syncables desktop SE (Version: 5.5.746.11492)
Trend Micro Titanium Internet Security (Version: 3.00)
Trend Micro Titanium Internet Security (Version: 3.1.1109)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
VirtualCloneDrive
VLC (Version: 1.0.0.0)
VLC media player 1.1.5 (Version: 1.1.5)
Windows Live ??? (Version: 15.4.3502.0922)
Windows Live ???? (Version: 15.4.3502.0922)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3538.0513)
Windows Live Family Safety (Version: 15.4.3538.0513)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3538.0513)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
WinFlash (Version: 2.31.1)
Wireless Console 3 (Version: 3.0.19)

========================= Memory info: ===================================

Percentage of memory in use: 16%
Total physical RAM: 5928.23 MB
Available physical RAM: 4974.58 MB
Total Pagefile: 11854.66 MB
Available Pagefile: 10985.61 MB
Total Virtual: 4095.88 MB
Available Virtual: 3970.98 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:238.47 GB) (Free:153.71 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:332.7 GB) (Free:332.6 GB) NTFS

========================= Users: ========================================

User accounts for \\MEG-PC

Administrator Guest Meg
SophosSAUMEG-PC0


**** End of log ****






Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.01.01

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Meg :: MEG-PC [administrator]

1/1/2012 7:55:31 AM
mbam-log-2012-01-01 (07-55-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 172717
Time elapsed: 1 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)






1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-01 09:07:57
Windows 6.1.7601 Service Pack 1
Running: tbpojslc.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d7288d
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d7288d (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\Users\Meg\AppData\Local\Temp\NAlwPsG2.exe.part (size mismatch) 229376/0 bytes executable

---- EOF - GMER 1.0.15 ----

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:06 PM

Posted 01 January 2012 - 11:47 AM

We have several issues there...

1. Windows Firewall is not running (assuming your Sophos AV doesn't include firewall - let me know)
2. Security Center is disabled.
3. Windows updates are not running (did you disable it?)
4. "hosts" file is missing.

==============================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===============================================================

Open Notepad.
Paste the following text into it:

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handle within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure, "Save as type:" is set to "All Files (*.*)
3. File is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder

Posted Image

NOTE.
If you receive You don't have permission to save in this location message take ownership of C:\windows\system32\drivers\etc folder: http://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/
If the above doesn't work save the file to some known location, like your desktop, copy it from there and paste it to "etc" folder.

=================================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 meghans57

meghans57
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:12:06 PM

Posted 01 January 2012 - 09:56 PM

Sophos doesn't include firewall, and I didn't disable Windows Updates.


aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-01 19:55:12
-----------------------------
19:55:12.258 OS Version: Windows x64 6.1.7601 Service Pack 1
19:55:12.258 Number of processors: 4 586 0x2A07
19:55:12.258 ComputerName: MEG-PC UserName: Meg
19:55:13.038 Initialize success
19:57:22.175 AVAST engine defs: 12010101
20:00:42.917 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:00:42.917 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
20:00:42.932 Disk 0 MBR read successfully
20:00:42.963 Disk 0 MBR scan
20:00:42.979 Disk 0 Windows 7 default MBR code
20:00:43.010 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 25600 MB offset 2048
20:00:43.026 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 244192 MB offset 52430848
20:00:43.088 Disk 0 Partition - 00 0F Extended LBA 340686 MB offset 552536064
20:00:43.135 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 340685 MB offset 552538112
20:00:43.135 Service scanning
20:00:44.539 Modules scanning
20:00:44.539 Disk 0 trace - called modules:
20:00:44.555 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
20:00:44.555 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006de5060]
20:00:44.555 3 CLASSPNP.SYS[fffff8800185143f] -> nt!IofCallDriver -> [0xfffffa8005fbab20]
20:00:44.555 5 ACPI.sys[fffff88000d847a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8006be5050]
20:00:45.179 AVAST engine scan C:\Windows
20:00:47.456 AVAST engine scan C:\Windows\system32
20:00:55.272 File: C:\Windows\system32\consrv.dll **INFECTED** Win64:Sirefef-C [Drp]
20:02:01.603 AVAST engine scan C:\Windows\system32\drivers
20:02:09.653 AVAST engine scan C:\Users\Meg
20:05:54.995 AVAST engine scan C:\ProgramData
20:06:51.342 Scan finished successfully
20:23:45.620 Disk 0 MBR has been saved successfully to "C:\Users\Meg\Desktop\MBR.dat"
20:23:45.624 The log file has been saved successfully to "C:\Users\Meg\Desktop\aswMBR.txt"




SystemLook 30.07.11 by jpshortstuff
Log created at 20:32 on 01/01/2012 by Meg
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== dir ==========

C:\WINDOWS\SYSTEM32\DRIVERS\ETC - Parameters: "(none)"

---Files---
hosts --a---- 760 bytes [02:26 02/01/2012] [02:26 02/01/2012]
lmhosts.sam --a---- 3683 bytes [02:35 14/07/2009] [21:00 10/06/2009]
networks --a---- 407 bytes [02:34 14/07/2009] [21:00 10/06/2009]
protocol --a---- 1358 bytes [02:34 14/07/2009] [21:00 10/06/2009]
services --a---- 17463 bytes [02:34 14/07/2009] [21:00 10/06/2009]

---Folders---
None found.

-= EOF =-

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,679 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:01:06 PM

Posted 01 January 2012 - 10:40 PM

You have more serious issues there:

0:00:55.272 File: C:\Windows\system32\consrv.dll **INFECTED** Win64:Sirefef-C [Drp]


Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users