Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win 7 Antivirus 2012


  • Please log in to reply
9 replies to this topic

#1 JenniBee

JenniBee

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:02:49 PM

Posted 03 January 2012 - 06:55 PM

Hello,

I'm new to this forum, have been receiving help @ the Seven Forum and was referred
to Bleeping Computer by one of their Senior Members.

I have I think removed the Win 7 Fake Virus but I'm still having some issues.

Here's where I am with my progress

Originally got the virus, had all the POP-UP's going on and that's as far as it got.
I immediately opened Task Manager and killed the process without clicking on the program.
I also shut down and restarted in Safe Mode wNetworking.
Downloaded the Malwarebytes program and ran it, it founds several things which I quarantined.
Went back and ran the quick scan which showed I was okay.
Next day the pop-up reappeared ..
Ran a thorough scan using Malwarebytes, again found a couple of things
with essentially the same name, .exe file name changed but I could tell it was reinventing itself.
Here is a screenshot of the items in Malwarebytes Quarantine,

Posted Image


Went to the SevenForum and searched, found a help thread there and followed those directions.
Downloaded and ran TDSSkill, no rootkits found.
Downloaded and ran Rkill.exe, said process's terminated while running
Accepted the Trial of Malwarebytes and ran the Flash Scan, showed no issues.

Thought everything was okay but found 3 things in the Control Panel > Notification Area Icons,
These aren't suppose to be there.
Found ::: proxychecker.exe > gud.exe > and a dwx.exe

Here is the screenshot for that
.
Posted Image
Next » Viewing 3 of 14



Yesterday ran a thorough scan using both Avast (my normal antivirus) and Malwarebytes this time
came up CLEAN.

Still I would LOVE to remove those 3 things that I found in my Control Panel.

Today, I opened Regedit, searched for the .gud.exe and dwx.exe found both of them in the Registry
under this key ..HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

As I'm new to prowling around in the Registry I just backed back out of it but wondered what would
happen if I deleted those two values in the MuiCache key ??

Also, I never did find the proxychecker.exe and have NO CLUE what it is either.

In viewing the Malwarebytes Quarantine screenshot, it shows Firefox (which is the browser I use)
and Explorer to be somehow indicated in this.

Anybody that can help me with these issues I would be eternally grateful.

Thank YOU for your time in reading this message.

Posted ImageJenn

Edited by JenniBee, 03 January 2012 - 07:00 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:49 PM

Posted 03 January 2012 - 08:59 PM

Hello Jenn,it appears you are still infected, let's double check.
Those are Keylogers.


Before you change anythig in the Registry you should Backup Your Registry. A small error here can render you unbooteable.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

>>>>>>>>>>>>>>>>>
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.



Run RKill....


Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.

Please ask any needed questions,post logs and Let us know how the PC is running now.

Edited by boopme, 03 January 2012 - 09:04 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 JenniBee

JenniBee
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:02:49 PM

Posted 03 January 2012 - 10:12 PM

Quick question .....

Right off the bat I screwed up ...
When I started to run the Mini Tool Box I had Firefox open ...
I wanted to make sure I checked everything you listed.

While it was running and I was sitting here watching it, I saw your note "FF should be closed",
I literally said "OHHH CRAP" but then I was unsure what to do so ..

I closed Firefox and re-ran the Mini Tool Box, I saved both of them numbering them #1 and #2.
I can share either or both, I seriously hope I didn't mess anything up.

Should I proceed on with Rkill.scr or do you want me to post the Results of MiniToolBox first.

Btw, I downloaded the Erunt program to my Desktop and will definitely run it before
making any changes to my Registry. I read just enough today to open and look around
knowing as long as I didn't make any changes nothing would happen.

I think I'm kind of brain dead, been working on all of this since the 31st.
Again, I apologize for the slip, I'll be more careful as I proceed.

Thank YOU so much for your time and in helping me.

Posted Image Jenn


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:49 PM

Posted 03 January 2012 - 10:30 PM

Hiya,I know it is not all that easy. Take your time and we'll get this. Posy the mini and move on,if needed we will do it again.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 JenniBee

JenniBee
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:02:49 PM

Posted 03 January 2012 - 10:39 PM

Hiya,I know it is not all that easy. Take your time and we'll get this. Posy the mini and move on,if needed we will do it again.



Posted Image I ran it twice already ...

Which one would you like, the second one where FF was closed or the original ??






#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:49 PM

Posted 03 January 2012 - 10:48 PM

2nd please. I think I saw your starfish on my beach :snorkle:
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 JenniBee

JenniBee
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:02:49 PM

Posted 03 January 2012 - 11:50 PM

2nd please. I think I saw your starfish on my beach :snorkle:


Posted Image
Yep, I put it there for you ..
Posted Image

Okay, off to find #2 and copy it.

#8 JenniBee

JenniBee
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:02:49 PM

Posted 03 January 2012 - 11:58 PM

Okay, Here is my 2nd Run @ Mini Tool Box ...
Again so sorry, like I said been working on this until I'm BRAIN DEAD Posted Image


MiniToolBox by Farbar
Ran by Jennifer Burnette (administrator) on 03-01-2012 at 21:17:03
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================



========================= IP Configuration: ================================

Intel® Wireless WiFi Link 4965AGN = Wireless Network Connection (Connected)
Realtek RTL8168B/8111B Family PCI-E Gigabit Ethernet NIC (NDIS 6.20) = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : JenniferBurnett
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.tn.comcast.net.

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Description . . . . . . . . . . . : Intel® Wireless WiFi Link 4965AGN
Physical Address. . . . . . . . . : 00-13-E8-AC-A2-B1
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::11e3:66be:5d1:5131%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 03 January, 2012 4:49:57 PM
Lease Expires . . . . . . . . . . : 04 January, 2012 4:49:56 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 218108904
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-87-87-ED-00-1B-24-AC-57-53
DNS Servers . . . . . . . . . . . : 68.87.68.166
68.87.74.166
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : wp.comcast.net
Description . . . . . . . . . . . : Realtek RTL8168B/8111B Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
Physical Address. . . . . . . . . : 00-1B-24-AC-57-53
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:7f:224c:bbcb:687a(Preferred)
Link-local IPv6 Address . . . . . : fe80::7f:224c:bbcb:687a%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.hsd1.tn.comcast.net.:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 14:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 17:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.tn.comcast.net.
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.wp.comcast.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #8
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: cns.s3woodstock.ga.atlanta.comcast.net
Address: 68.87.68.166

Name: google.com
Addresses: 74.125.47.104
74.125.47.105
74.125.47.103
74.125.47.106
74.125.47.147
74.125.47.99


Pinging google.com [74.125.65.104] with 32 bytes of data:
Reply from 74.125.65.104: bytes=32 time=42ms TTL=53
Reply from 74.125.65.104: bytes=32 time=38ms TTL=53

Ping statistics for 74.125.65.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 38ms, Maximum = 42ms, Average = 40ms
Server: cns.s3woodstock.ga.atlanta.comcast.net
Address: 68.87.68.166

DNS request timed out.
timeout was 2 seconds.
Name: yahoo.com
Addresses: 98.139.180.149
209.191.122.70
72.30.2.43
98.137.149.56


Pinging yahoo.com [98.139.180.149] with 32 bytes of data:
Reply from 98.139.180.149: bytes=32 time=74ms TTL=50
Reply from 98.139.180.149: bytes=32 time=110ms TTL=49

Ping statistics for 98.139.180.149:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 74ms, Maximum = 110ms, Average = 92ms
Server: cns.s3woodstock.ga.atlanta.comcast.net
Address: 68.87.68.166

Name: bleepingcomputer.com
Address: 208.43.87.2


Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time=6ms TTL=128
Reply from 127.0.0.1: bytes=32 time=2ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 6ms, Average = 4ms
===========================================================================
Interface List
11...00 13 e8 ac a2 b1 ......Intel® Wireless WiFi Link 4965AGN
10...00 1b 24 ac 57 53 ......Realtek RTL8168B/8111B Family PCI-E Gigabit Ethernet NIC (NDIS 6.20)
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
31...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #8
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.100 281
192.168.1.100 255.255.255.255 On-link 192.168.1.100 281
192.168.1.255 255.255.255.255 On-link 192.168.1.100 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.100 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.100 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:7f:224c:bbcb:687a/128
On-link
11 281 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::7f:224c:bbcb:687a/128
On-link
11 281 fe80::11e3:66be:5d1:5131/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [232448] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [326144] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 04:25:00 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.

Error: (01/03/2012 02:32:18 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.


System errors:
=============
Error: (01/03/2012 04:50:11 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
UBHelper

Error: (01/03/2012 04:49:47 PM) (Source: volmgr) (User: )
Description: Crash dump initialization failed!

Error: (01/03/2012 04:49:44 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\DRIVERS\NTIDrvr.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (01/03/2012 04:49:44 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\UBHelper.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (01/03/2012 04:49:39 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\UBHelper.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (01/03/2012 04:49:38 PM) (Source: volmgr) (User: )
Description: Crash dump initialization failed!

Error: (01/03/2012 01:36:26 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
UBHelper

Error: (01/03/2012 01:35:59 PM) (Source: volmgr) (User: )
Description: Crash dump initialization failed!

Error: (01/03/2012 01:35:56 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\DRIVERS\NTIDrvr.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (01/03/2012 01:35:56 PM) (Source: Application Popup) (User: )
Description: \SystemRoot\SysWow64\Drivers\UBHelper.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
µTorrent (Version: 2.2.0)
7-Zip 4.65 (x64 edition) (Version: 4.65.00.0)
Adobe Download Manager (Version: 1.6.2.63)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.0.1.152)
Adobe Flash Player 11 Plugin 64-bit (Version: 11.1.102.55)
AIM 7
Alien Skin Eye Candy 6
avast! Free Antivirus (Version: 6.0.1367.0)
Bejeweled 1.23
Broadcom 802.11 Wireless LAN Adapter (Version: 5.10.38.26)
calibre (Version: 0.8.29)
CCleaner (Version: 3.13)
ConvertXtoDVD 4.0.9.322 (Version: 4.0.9.322)
Cooliris for Internet Explorer (Version: 1.11.6.31225)
D3DX10 (Version: 15.4.2368.0902)
Download Updater (AOL LLC)
EVEREST Ultimate Edition v4.60 (Version: 4.60)
File Splitter and Joiner (FFSJ v3.3)
FontExpert 2009
GetDiz 4.5 (Version: 4.5)
High-Definition Video Playback 10 (Version: 7.0.11400.29.0)
HP Quick Launch Buttons 6.40 H2 (Version: 6.40 H2)
Image Resizer Powertoy Clone for Windows (64 bit) (Version: 2.1)
IncrediMail (Version: 6.2.8.4953)
IncrediMail 2.0 (Version: 6.2.8.4953)
IrfanView (remove only) (Version: 4.28)
Jasc Animation Shop 3 (Version: 3.11)
Jasc Animation Shop 3 20041030_07 Help file Patch
Jasc Paint Shop Pro 9 (Version: 9.00.0000)
Java Auto Updater (Version: 2.0.4.1)
Java™ 6 Update 25 (Version: 6.0.250)
Java™ 6 Update 26 (64-bit) (Version: 6.0.260)
LightScribe System Software (Version: 1.18.6.1)
Macromedia Fireworks 8 (Version: 8.0.0.777)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
Mega Manager (Version: 3.4.0.9)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6425.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Primary Interoperability Assemblies 2005 (Version: 8.0.50727.42)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
MiPony 1.5.3 (Version: 1.5.3)
Motorola SM56 Speakerphone Modem (Version: 6.12.25.06)
Mozilla Firefox 8.0 (x86 en-US) (Version: 8.0)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 and SOAP Toolkit 3.0 (Version: 1.0.0.0)
Nero 10 Menu TemplatePack Basic (Version: 10.0.10600.6.0)
Nero 10 Movie ThemePack Basic (Version: 10.0.10600.6.0)
Nero BackItUp 10 (Version: 5.4.11800.21.100)
Nero BackItUp 10 Help (CHM) (Version: 1.0.10700)
Nero Burning ROM 10 (Version: 10.0.11100.10.100)
Nero BurningROM 10 Help (CHM) (Version: 1.0.10700)
Nero BurnRights 10 Help (CHM) (Version: 1.0.10600)
Nero Control Center 10 (Version: 10.0.12000.1.4)
Nero ControlCenter 10 Help (CHM) (Version: 1.0.10700)
Nero Core Components 10 (Version: 2.0.13700.0.1)
Nero CoverDesigner 10 Help (CHM) (Version: 1.0.10600)
Nero DiscSpeed 10 Help (CHM) (Version: 1.0.10600)
Nero Dolby Files 10 (Version: 2.0.11000.0.10)
Nero Express 10 (Version: 10.0.11000.10.100)
Nero Express 10 Help (CHM) (Version: 1.0.10700)
Nero InfoTool 10 Help (CHM) (Version: 1.0.10600)
Nero MediaHub 10 Help (CHM) (Version: 1.0.10700)
Nero Multimedia Suite 10 (Version: 10.0.13200)
Nero Recode 10 (Version: 4.6.10900.4.100)
Nero Recode 10 Help (CHM) (Version: 1.0.10600)
Nero RescueAgent 10 Help (CHM) (Version: 1.0.10700)
Nero SoundTrax 10 Help (CHM) (Version: 1.0.10600)
Nero StartSmart 10 (Version: 10.0.11200.12.100)
Nero StartSmart 10 Help (CHM) (Version: 1.0.10700)
Nero Vision 10 Help (CHM) (Version: 1.0.10600)
Nero WaveEditor 10 Help (CHM) (Version: 1.0.10600)
NTI DVD-Maker (Version: 7)
NVIDIA Drivers (Version: 1.10)
NVIDIA PhysX (Version: 9.09.0428)
OpenOffice.org 3.1 (Version: 3.1.9399)
Pando (Version: 2.5.1.11)
PDF-XChange Viewer (Version: 2.5.195.0)
Photo Notifier and Animation Creator (Version: 1.0.0.1009)
PowerDVD
PSP Thumbnail Handler (Version: 2.10.49)
PVSonyDll (Version: 1.00.0001)
Rainbow Folders (Version: 2.05)
Realtek High Definition Audio Driver
Revo Uninstaller Pro 2.5.0 (Version: 2.5.0)
Skype web features (Version: 1.0.3971)
Skype™ 4.1 (Version: 4.1.179)
Smileycons 6.0.1 (Version: 6.0.1)
Snagit 9.1.2 (Version: 9.1.2.304)
Switch Sound File Converter
Synaptics Pointing Device Driver (Version: 15.0.17.4)
System Requirements Lab
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 8.0.0.35)
Visual C++ 8.0 Runtime Setup Package (x64) (Version: 9.0.0.623)
VLC media player 1.1.10 (Version: 1.1.10)
VSO Image Resizer 4.0.0.54 (Version: 4.0.0.54)
Win7codecs (Version: 2.7.5)
Winamp (Version: 5.572 )
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
WinRAR archiver
WinZip 11.1 (Version: 11.1.7466)
WordWeb (Version: 6)
x64 Components v2.7.9 (Version: 2.7.9)
Yahoo! Messenger
Zentimo PRO 1.4

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 36%
Total physical RAM: 4094.43 MB
Available physical RAM: 2597.05 MB
Total Pagefile: 8187.05 MB
Available Pagefile: 6608.04 MB
Total Virtual: 4095.88 MB
Available Virtual: 3964.64 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:111.69 GB) (Free:66.4 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:111.79 GB) (Free:79.04 GB) NTFS

========================= Users: ========================================

User accounts for \\JENNIFERBURNETT

Administrator Guest Jennifer Burnette
Melanie

========================= Minidump Files ==================================

No minidump file found

**** End of log ****



#9 JenniBee

JenniBee
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Tennessee
  • Local time:02:49 PM

Posted 04 January 2012 - 12:38 AM

Hello again,

Okay, I've regrouped, took the dogs out, fresh air always helps my brain.

Downloaded Rkill, link #1 didn't work, #2 was a .scr, #3 was a .com and #4 was the .exe.

I shut down/closed Avast and Malwarebytes.

Since I'm using Windows 7, I right clicked the .exe and ran as Administrator ..

Here is the log :::


This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/04/2012 at 0:05:50.
Operating System: Windows 7 Professional


Processes terminated by Rkill or while it was running:



Rkill completed on 01/04/2012 at 0:06:01.


Is that normal or weird that nothing is really on the log ??

Next I restarted Malwarebytes, ran quick scan per your instruction.
Still showing NO THREATS, same as Yesterday.
Posted Image


Next I restarted Avast.

I still have not rebooted thought I'd see if I hear back from you.

Here in TN it's 12:30 am but I'll be up for a little while.

Posted Image Jenn


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,440 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:49 PM

Posted 04 January 2012 - 02:55 PM

Ok,reboot.. Did you run the ESET scan?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users