
Possible malware problem?

15 replies to this topic

#1 Application (Members, 89 posts)

Posted 07 January 2012 - 07:22 PM

Hi guys,

I've got a bit of a computer problem, and that may be an understatement. My desktop computer hasn't been its usual self for weeks, and I never really got around to doing something about it until now. The other night, when I went to turn it on for the first time in a while, I found myself with a blue screen - "unmountable root volume"? Something like that. I couldn't find my Windows Recovery Console CD, so I ended up finding a packaged Windows XP version that I burned to a DVD and ran on the desktop. It seemed to work well enough, as I was able to run a bootfix thing and got to the point where I could log on and get on the internet.

So, from there, I downloaded SuperAntiSpyware and ran a scan. Well, I ended up with 1246 "threats", including like a dozen trojans. I quarantined and removed them, and went to restart. Of course, when I was rebooting, I got another blue screen - "driver unloaded without cancelling pending operations". Now I figured I'd deleted some infected file or driver or something that was critical to the operation of my computer, and I set about fixing it once more. The driver in question, tmtdi.sys, was found easily enough. I renamed it to tmtdi.old and got past the blue screen. When I went to get on the internet, however, I got an "IE cannot display the webpage" error.

And so, here I sit. What do you guys think, do I still have some sort of infection? Did I delete more things that I should not have? How do I proceed? This probably isn't the right forum for getting this sorted out, so if anyone can point me in the right direction, I'd be very appreciative.

Thanks for any help anyone can offer!


#2 Broni (The Coolest BC Computer; BC Advisor, 42,698 posts, Daly City, CA)

Posted 07 January 2012 - 11:32 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

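A small triage script for the kind of FSS / MiniToolBox / MBAM output these steps produce, written as an added example here (not a BleepingComputer, Farbar or Malwarebytes tool): it flags what a helper looks for first in such logs, such as an IE proxy forced onto a loopback port, a firewall disabled by policy, a service reported as not running, non-default hosts entries, Run keys pointing into Temp, and public names that only resolved after a DNS suffix was appended. The sample log embedded at the bottom is constructed to mirror the line shapes the tools print, with the suffix corp.example as a placeholder.

```python
"""Triage helper for the FSS / MiniToolBox / MBAM log shapes posted in this thread.

Added example, not a BleepingComputer, Farbar or Malwarebytes tool. It scans pasted
log text and reports the indicators these particular logs surface: an IE proxy on a
loopback address, a firewall disabled by policy, a service reported as not running,
non-default hosts entries, Run keys pointing into Temp, and public names that only
resolved after a DNS suffix was appended.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    indicator: str  # short tag a helper can grep for
    evidence: str   # the log line or fragment that triggered it


# Line shapes copied from how the tools print them (see the logs in post #3).
PROXY_RE = re.compile(r"ProxyServer:\s*(?:\w+=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.I)
FIREWALL_RE = re.compile(r'"EnableFirewall"=DWORD:(?P<val>[0-9a-fA-F]+)')
SVC_DOWN_RE = re.compile(r"(?P<svc>\w+) Service is not running")
RUN_RE = re.compile(r"\\CurrentVersion\\Run\|(?P<name>\S+) .*?-> Data: (?P<path>\S+)", re.I)
LOOKUP_RE = re.compile(r"^Name:\s+(?P<fqdn>[\w.\-]+)$")
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?):?\s*=+$")  # "==== Hosts content: ===="
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
PUBLIC_TLDS = ("com", "net", "org")


def _check_hosts_line(line: str) -> Finding | None:
    """A hosts line is 'address name [aliases]'; anything beyond loopback is suspect."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 2 or (parts[0], parts[1]) in DEFAULT_HOSTS:
        return None
    return Finding("medium", "hosts_entry", line)


def _check_lookup(fqdn: str) -> Finding | None:
    """'google.com.corp.example' means the resolver appended the DNS suffix and the
    suffix zone answered for a public name, so the ping target is not the public host."""
    labels = fqdn.lower().split(".")
    if any(label in PUBLIC_TLDS for label in labels[:-1]):
        return Finding("info", "suffix_appended_lookup", fqdn)
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk the pasted log once and collect findings in the order they appear."""
    findings: list[Finding] = []
    in_hosts = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section := SECTION_RE.match(line):  # only 'Hosts content' needs state
            in_hosts = section.group("title").lower().startswith("hosts")
            continue
        if in_hosts:
            if f := _check_hosts_line(line):
                findings.append(f)
            continue
        if m := PROXY_RE.search(line):
            if m.group("host").lower() in LOOPBACK:
                findings.append(Finding("high", "loopback_proxy", line))
        elif m := FIREWALL_RE.search(line):
            if int(m.group("val"), 16) == 0:
                findings.append(Finding("high", "firewall_disabled_policy", line))
        elif m := SVC_DOWN_RE.search(line):
            findings.append(Finding("medium", f"service_down:{m.group('svc')}", line))
        elif m := RUN_RE.search(line):
            if "\\temp\\" in m.group("path").lower():
                findings.append(Finding("high", "run_key_in_temp", line))
        elif m := LOOKUP_RE.match(line):
            if f := _check_lookup(m.group("fqdn")):
                findings.append(f)
    return findings


# Constructed sample that mirrors the line shapes in post #3; not the real logs.
SAMPLE_LOG = r"""
ProxyServer: http=127.0.0.1:47392
"EnableFirewall"=DWORD:0
wscsvc Service is not running. Checking service configuration:
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
Name: google.com.corp.example
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|nqeielek (Trojan.FakeAlertR.Gen) -> Data: C:\DOCUME~1\jtm\LOCALS~1\Temp\rycnqyjjr\kwqrojhxsik.exe -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}: {f.evidence}")
```

The default hosts line and a proxy on a non-loopback host produce no finding, so the script is quiet on a clean log and loud on the one in this thread.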


#3 Application (Topic Starter; Members, 89 posts)

Posted 09 January 2012 - 07:16 PM

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
SUPERAntiSpyware
Java™ 6 Update 3
Java™ 6 Update 7
Out of date Java installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Farbar Service Scanner
Ran by jtm (administrator) on 08-01-2012 at 19:21:16
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
IE proxy is enabled.
ProxyServer: http=127.0.0.1:47392


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0700000004000000010000000200000003000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****


MiniToolBox by Farbar
Ran by jtm (administrator) on 08-01-2012 at 19:21:58
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is enabled.
ProxyServer: http=127.0.0.1:47392
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Dell Wireless 1390 WLAN Mini-Card = Wireless Network Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : LT03

Primary Dns Suffix . . . . . . . : caldwellkearns.com

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : caldwellkearns.com

home



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-1C-23-A4-B8-7B



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : home

Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card

Physical Address. . . . . . . . . : 00-1D-60-58-C9-0E

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.5

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Sunday, January 08, 2012 7:11:11 PM

Lease Expires . . . . . . . . . . : Monday, January 09, 2012 7:11:11 PM

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: google.com.caldwellkearns.com
Address: 167.68.8.41



Pinging google.com [74.125.115.105] with 32 bytes of data:



Reply from 74.125.115.105: bytes=32 time=30ms TTL=53

Reply from 74.125.115.105: bytes=32 time=30ms TTL=53



Ping statistics for 74.125.115.105:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 30ms, Maximum = 30ms, Average = 30ms

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: yahoo.com.caldwellkearns.com
Address: 167.68.8.41



Pinging yahoo.com [209.191.122.70] with 32 bytes of data:



Reply from 209.191.122.70: bytes=32 time=60ms TTL=56

Reply from 209.191.122.70: bytes=32 time=63ms TTL=56



Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 60ms, Maximum = 63ms, Average = 61ms

Server: Wireless_Broadband_Router.home
Address: 192.168.1.1

Name: bleepingcomputer.com.caldwellkearns.com
Address: 167.68.8.41



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1c 23 a4 b8 7b ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x3 ...00 1d 60 58 c9 0e ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.5 192.168.1.5 20
192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.5 25
192.168.1.5 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.5 192.168.1.5 25
224.0.0.0 240.0.0.0 192.168.1.5 192.168.1.5 25
255.255.255.255 255.255.255.255 192.168.1.5 2 1
255.255.255.255 255.255.255.255 192.168.1.5 192.168.1.5 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/08/2012 07:11:41 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1690.5016kb25720671033643finstallx865.1.2600.2.3.0.2560

Error: (01/08/2012 07:11:40 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft .NET Framework 1.1 - Update '{EFCE7BE0-510E-4932-9475-F44CD90DE16A}' could not be installed. Error code 1603. Additional information is available in the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB2572067-X86\NDP1.1sp1-KB2572067-X86-msi.0.log.

Error: (01/08/2012 07:11:39 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source could be found for product Microsoft .NET Framework 1.1. The Windows installer cannot continue.

Error: (01/08/2012 07:11:06 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Error: (01/07/2012 10:45:21 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Error: (01/07/2012 02:14:53 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1690.5016kb25720671033643finstallx865.1.2600.2.3.0.2560

Error: (01/07/2012 02:14:53 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft .NET Framework 1.1 - Update '{EFCE7BE0-510E-4932-9475-F44CD90DE16A}' could not be installed. Error code 1603. Additional information is available in the log file C:\WINDOWS\TEMP\NDP1.1sp1-KB2572067-X86\NDP1.1sp1-KB2572067-X86-msi.0.log.

Error: (01/07/2012 02:14:51 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source could be found for product Microsoft .NET Framework 1.1. The Windows installer cannot continue.

Error: (01/07/2012 02:14:18 PM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Error: (01/06/2012 08:11:56 PM) (Source: NativeWrapper) (User: )
Description: visualstudio7x80updatemsiexec.exe1.0.1690.5016kb25720671033643finstallx865.1.2600.2.3.0.2560


System errors:
=============
Error: (01/08/2012 07:11:53 PM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2572067).

Error: (01/08/2012 07:11:18 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (01/08/2012 07:11:01 PM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain CK due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (01/07/2012 11:30:30 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 60 minutes.
NtpClient has no source of accurate time.

Error: (01/07/2012 11:00:30 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 30 minutes.
NtpClient has no source of accurate time.

Error: (01/07/2012 10:45:29 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (01/07/2012 10:45:17 PM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain CK due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (01/07/2012 03:59:33 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 120 minutes.
NtpClient has no source of accurate time.

Error: (01/07/2012 02:59:32 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 60 minutes.
NtpClient has no source of accurate time.

Error: (01/07/2012 02:29:31 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 30 minutes.
NtpClient has no source of accurate time.


Microsoft Office Sessions:
=========================
Error: (12/08/2010 08:22:04 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 332 seconds with 180 seconds of active time. This session ended with a crash.

Error: (12/03/2010 00:49:24 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 18619 seconds with 840 seconds of active time. This session ended with a crash.

Error: (12/02/2010 11:41:02 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4893 seconds with 1200 seconds of active time. This session ended with a crash.

Error: (12/02/2010 10:19:16 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4415 seconds with 480 seconds of active time. This session ended with a crash.

Error: (11/29/2010 00:54:21 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 15988 seconds with 2040 seconds of active time. This session ended with a crash.

Error: (11/24/2010 03:34:25 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 25897 seconds with 1560 seconds of active time. This session ended with a crash.

Error: (11/19/2010 04:32:55 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 19232 seconds with 2940 seconds of active time. This session ended with a crash.

Error: (11/19/2010 08:21:11 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1465 seconds with 240 seconds of active time. This session ended with a crash.

Error: (11/16/2010 06:38:12 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1421 seconds with 180 seconds of active time. This session ended with a crash.

Error: (11/16/2010 03:44:47 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6423.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 17114 seconds with 2760 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

2007 Microsoft Office Suite Service Pack 2 (SP2)
32 Bit HP CIO Components Installer (Version: 6.1.2)
Adobe AIR (Version: 1.5.3.9120)
Adobe Flash Player 10 ActiveX (Version: 10.1.85.3)
Adobe Reader 8.2.5 (Version: 8.2.5)
Amazon MP3 Downloader 1.0.3
AnswerWorks 4.0 Runtime - English (Version: 4.0.101)
Apple Mobile Device Support (Version: 2.1.2.7)
Apple Software Update (Version: 2.1.1.116)
BlackBerry Desktop Software 5.0.1 (Version: 5.0.1.37)
BlackBerry Device Software Updater (Version: 6.0.0.36)
BlackBerry® Media Sync (Version: 2.0.28)
Bonjour (Version: 1.0.105)
Broadcom Management Programs (Version: 10.15.03)
BufferChm (Version: 140.0.212.000)
Bynari, Inc. Insight Connector 4.0.8-1006670
C4700 (Version: 140.0.690.000)
CA Internet Security Suite (Version: 5.0.0.628)
Citrix XenApp Plugin for Hosted Apps (Version: 11.0.0.5357)
ClamAV for Windows (Version: 1.0.26)
Comcast Access (Version: 1.48)
Comcast Access (Version: ComcastAccess-1.48)
Conexant HDA D330 MDC V.92 Modem
Dell Touchpad (Version: 9.1.18.6)
Dell Wireless WLAN Card (Version: 4.100.15.8)
DellSupport (Version: 6.0.3075)
Digital Line Detect (Version: 1.21)
Disney Pirates of the Caribbean Online (Version: )
GnuPG For Windows (Version: 1.1.3)
Google Earth (Version: 6.1.0.5001)
Google Toolbar for Internet Explorer
Google Update Helper (Version: 1.3.21.79)
GroupWise (Version: 7.0.0)
GroupWise Tip of the Day C3PO
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
HP Business Inkjet 1200
HP Business Inkjet 1200 (Version: 1.00.0000)
HP Photosmart C4700 All-in-One Driver Software 14.0 Rel. 6 (Version: 14.0)
IntelliSonic Speech Enhancement (Version: 2.1.37)
iTunes (Version: 8.0.2.20)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
Java™ 6 Update 3 (Version: 1.6.0.30)
Java™ 6 Update 7 (Version: 1.6.0.70)
LexisNexis PCLaw
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Office Basic 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Silverlight (Version: 2.0.30523.8)
Microsoft User-Mode Driver Framework Feature Pack 1.0
MobileMe Control Panel (Version: 2.1.1.13)
Modem Diagnostic Tool (Version: 1.0.20.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
NetWaiting (Version: 2.5.44)
Network (Version: 140.0.215.000)
NVIDIA Drivers
PS_AIO_06_C4700_SW_Min (Version: 140.0.690.000)
QuickSet (Version: 8.1.12)
QuickTime (Version: 7.55.90.70)
QuickTransfer (Version: 140.0.98.000)
Roxio Creator BDAV Plugin (Version: 3.3.0)
Roxio Creator Tools (Version: 3.3.0)
Roxio Drag-to-Disc (Version: 9.0)
Roxio Express Labeler (Version: 2.1.0)
Roxio Media Manager (Version: 9.4.067)
Roxio Update Manager (Version: 3.0.0)
runtime (Version: 1.0.0)
Safari (Version: 3.525.21.0)
Scan (Version: 140.0.80.000)
Sonic CinePlayer DVD Pack (Version: 2.3.1)
Spybot - Search & Destroy (Version: 1.6.2)
SUPERAntiSpyware (Version: 5.0.1142)
Toolbox (Version: 140.0.428.000)
TurboTax 2008
TurboTax 2008 WinPerFedFormset (Version: 008.000.0338)
TurboTax 2008 WinPerProgramHelp (Version: 008.000.0218)
TurboTax 2008 WinPerReleaseEngine (Version: 008.000.0190)
TurboTax 2008 WinPerTaxSupport (Version: 008.000.1000)
TurboTax 2008 WinPerUserEducation (Version: 008.000.0428)
TurboTax 2008 wpaiper (Version: 008.000.0113)
TurboTax 2008 wrapper (Version: 008.000.0065)
TurboTax 2009
TurboTax 2009 WinPerFedFormset (Version: 009.000.2163)
TurboTax 2009 WinPerReleaseEngine (Version: 009.000.0328)
TurboTax 2009 WinPerTaxSupport (Version: 009.000.0238)
TurboTax 2009 wpaiper (Version: 009.000.0778)
TurboTax 2009 wrapper (Version: 009.000.0145)
TurboTax Deluxe 2007
VZAccess Manager for RIM (Version: 6.2.1)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 140.0.212.017)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0036.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 11
Windows NT Messaging
Windows XP Service Pack 3 (Version: 20080414.031525)

========================= Memory info: ===================================

Percentage of memory in use: 22%
Total physical RAM: 2046.11 MB
Available physical RAM: 1576.24 MB
Total Pagefile: 3938.11 MB
Available Pagefile: 3513.61 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.96 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:109.21 GB) (Free:70.68 GB) NTFS
3 Drive e: (USB MEMORY) (Removable) (Total:0.01 GB) (Free:0 GB) FAT

========================= Users: ========================================

User accounts for \\LT03

Administrator Guest HelpAssistant
JTM SUPPORT_388945a0


**** End of log ****


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jtm :: LT03 [administrator]

1/8/2012 7:31:14 PM
mbam-log-2012-01-08 (19-31-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240081
Time elapsed: 23 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\exqonczctruceg (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:47392 -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|nqeielek (Trojan.FakeAlertR.Gen) -> Data: C:\DOCUME~1\jtm\LOCALS~1\Temp\rycnqyjjr\kwqrojhxsik.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-08 22:35:53
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e FUJITSU_MHW2120BH rev.00850012
Running: exuxs9e0.exe; Driver: C:\DOCUME~1\jtm\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwCreateKey [0xBA498EA6]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwDeleteKey [0xBA4991C2]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwDeleteValueKey [0xBA4992CC]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwOpenKey [0xBA499038]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwOpenProcess [0xBA498CCE]
SSDT \SystemRoot\system32\DRIVERS\ImmunetSelfProtect.sys (Immunet Self Protect Driver/Windows ® Codename Longhorn DDK provider) ZwSetValueKey [0xBA499410]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB75B0640]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8D5B380, 0x2F18C7, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

Sorry for the delay in getting these logs. Any help or advice would be spectacular, as I'm completely at a loss. Thanks!
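
A triage helper for the Malwarebytes log above, added here as an example (not Malwarebytes' own code or anything the poster ran): it parses the detection lines and flags the two that account for symptoms earlier in this thread, a ProxyServer value pointing at a loopback port, which is consistent with the "IE cannot display the webpage" error once the process listening on that port was removed, and a Run entry launching an executable from a Temp directory. The sample lines are copied from the log in this post; nothing else is assumed.

```python
import re
from collections import namedtuple
from typing import List

# Constructed sample: the three detection lines copied from the MBAM log above
# (the post's own values; nothing new is introduced).
SAMPLE_LOG = r"""
Registry Keys Detected: 1
HKCU\SOFTWARE\exqonczctruceg (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:47392 -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|nqeielek (Trojan.FakeAlertR.Gen) -> Data: C:\DOCUME~1\jtm\LOCALS~1\Temp\rycnqyjjr\kwqrojhxsik.exe -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(?P<section>.+?) Detected: \d+$")
# MBAM detection line: location (category) [-> Data: payload] -> action.
DETECTION = re.compile(
    r"^(?P<location>.+?) \((?P<category>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+?)\.?$"
)
# Proxy value that points at the machine itself, e.g. "http=127.0.0.1:47392".
LOOPBACK = re.compile(r"(?:^|=)(?:127\.0\.0\.1|localhost)(?::\d+)?(?:;|$)", re.I)

Finding = namedtuple("Finding", "section location category data action")

def parse_mbam(text: str) -> List[Finding]:
    """Extract every detection line, tagged with the section it sits under."""
    findings, section = [], "?"
    for line in text.splitlines():
        if m := SECTION.match(line):
            section = m["section"]
        elif m := DETECTION.match(line):
            findings.append(Finding(section, m["location"], m["category"],
                                    m["data"], m["action"]))
    return findings

def assess(findings: List[Finding]) -> List[str]:
    """Flag the two patterns in this log that explain the symptoms in the thread."""
    notes = []
    for f in findings:
        key = f.location.rsplit("|", 1)[0].lower()   # registry key without the value name
        if f.category == "PUM.Bad.Proxy" and f.data and LOOPBACK.search(f.data):
            notes.append(f"loopback proxy hijack: browser traffic sent to {f.data}; "
                         "once the local proxy process is gone, pages stop loading")
        elif key.endswith(r"\currentversion\run") and f.data and "\\temp\\" in f.data.lower():
            notes.append(f"autostart from a temp directory: {f.location} -> {f.data}")
    return notes
```

Clearing a stale loopback ProxyServer value (or unticking the proxy in Internet Options) is what restores browsing after the proxy process itself has been removed.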

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:18 AM

Posted 09 January 2012 - 07:32 PM

You're not running any AV program.
Install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
Update, run full scan, report on any findings.

When done post new FSS log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click [donation image].

#5 Application

Application
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 09 January 2012 - 08:01 PM

Wow, thanks so much. The internet has been restored, and Avast! has been successfully installed. I'm in the midst of a full system scan at the moment, and afterward I'll post the new FSS log as requested.

Thank you so much for all of your help!

#6 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:18 AM

Posted 09 January 2012 - 08:03 PM

Very well :)


#7 Application

Application
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 09 January 2012 - 10:53 PM

Farbar Service Scanner
Ran by jtm (administrator) on 09-01-2012 at 22:44:40
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

--

That looks good to me, but Avast! did pick up six threats, all classified as "High" in severity. I can't seem to copy the log file; is there somewhere else I can find it and copy it here? Do you know, without seeing the log file, what the appropriate action would be? Move to chest, repair, or delete? Hopefully I'll have a clean bill of health soon!

#8 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:18 AM

Posted 09 January 2012 - 11:00 PM

It's always safer to move all items to chest.

FSS log is incomplete.
Check all boxes.


#9 Application

Application
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 09 January 2012 - 11:07 PM

All boxes were and are checked; the problem, I suppose, is that I'm getting an "AutoIt Error". It says, "Line 2468 (File "E:\FSS.exe"): Error: Variable used without being declared." All I can do is hit "Ok", and then I end up with the log that I pasted here a few minutes ago.

Any ideas?

#10 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:18 AM

Posted 09 January 2012 - 11:15 PM

Delete your FSS file, download a new one, and try again.


#11 Application

Application
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 09 January 2012 - 11:20 PM

Getting the same error, even though the new downloaded file is saved in a different location now. Is there another download link that I could try?

#12 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:18 AM

Posted 09 January 2012 - 11:31 PM

I just ran it on my computer and it runs fine.
We won't worry about it now.
In your previous log all settings were fine.

Any current issues?

Last scans....

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE: If ESET doesn't find any threats, it will NOT produce any log.


#13 Application

Application
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 10 January 2012 - 12:01 AM

TFC ran with no problem; I rebooted and am in the process of downloading the virus signature database for the ESET scanner. I may not be able to post the log file until tomorrow.

#14 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:09:18 AM

Posted 10 January 2012 - 12:03 AM

No problem :)


#15 Application

Application
  • Topic Starter

  • Members
  • 89 posts
  • OFFLINE
  • Local time:11:18 AM

Posted 10 January 2012 - 09:52 PM

No threats found by the ESET scanner. Am I good to go?



