Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Problems with Pup.Bitminer, ad.yieldmanager and other malware


  • Please log in to reply
17 replies to this topic

#1 Smurf-Slayer

Smurf-Slayer

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 08 January 2012 - 10:24 PM

Mod Edit; different computer than oyher topic :)

Hi!

I've been trying to clean up a friends computer for about two weeks. The machine has CCleaner, SpyBot, Trendmico Titanium and Malwarebytes Pro on it.

The machine had "System Fix" on it as well as a rootkit. They appear to be gone, but there are still problems. Possibly additional malware or residual effects of the previous problems.

The system is a Windows 7 machine that was upgraded from Windows Vista. The startmenu is still not right even after running the "unhide" programs and other tools that are supposed to fix it. No matter what, pup.bitminer comes back. In Firefox, it keeps getting the proxy turned on to 127.0.0.1 to a high port which doesn't work. I'm guessing a piece of the malware for it is missing.

We have also run the Kaspersky TDSSKiller and it did find some stuff, but it is currently clean.

Also, MBAM sometimes doesn't find pup.bitminer in normal mode, but always finds it in safe mode. It does not remove it.

We have also run rkill too. It is currently showing clean.

In addition to the above, Trendmicro also reports the following items, and says they were removed. However they come back. In addition, this does not happen in Safe Mode, only in a normal boot up.

TROJ_FAKEAV.DAM
TROJ_SIREFEF.BZ
TROJ_SIREFEF.BW

The .BZ and .BW change a lot also.

Files named 80000032.@ where "32" changes all the time, but the 32 is common. Some examples are c0.@, 64.@, cb.@, cf.@

Frequently after booting up normally, the computer locks up. Some things kinda work but for the most part it never recovers.

Please help me cleanup this laptop.

Thanks,
Smurf-Slayer

Edited by boopme, 14 January 2012 - 08:45 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 PM

Posted 14 January 2012 - 08:50 PM

Hello, please run these next..


Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.




I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 14 January 2012 - 09:36 PM

Boopme -

Thank you sir!

I'm beginning this on the problem computer now. I presume that I should do these steps in normal mode?

Thanks,
Smurf-Slayer

#4 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 14 January 2012 - 09:53 PM

Boopme -

Looks like my only option is Safe Mode. It appears that I can not log in to the computer in normal mode. It never comes back after I enter the password. Is this okay?

Thanks,
Smurf-Slayer

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 PM

Posted 14 January 2012 - 09:58 PM

Then use Safe with Networking
Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 14 January 2012 - 10:03 PM

Boopme -

Below is the output from Minitoolbox. There where some 1108 erros about nslookup while it ran.

Smurf-Slayer

MiniToolBox by Farbar
Ran by AIR SYSTEM ANALYZERS (administrator) on 14-01-2012 at 20:59:11
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Nerwork
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 63172
"network.proxy.no_proxies_on", ""
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Intel® WiFi Link 5100 AGN = Wireless Network Connection (Connected)
Realtek PCIe FE Family Controller = Local Area Connection (Media disconnected)
The following helper DLL cannot be loaded: WSHELPER.DLL.


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : AIRSYSTEMS-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
Physical Address. . . . . . . . . : 00-1E-33-75-7D-89
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-21-5D-3D-55-70
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4499:f0df:a105:2668%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.112(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, January 14, 2012 8:55:30 PM
Lease Expires . . . . . . . . . . : Saturday, January 14, 2012 9:01:14 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 285221227
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-94-3D-83-00-1E-33-75-1C-E0
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{F3B89352-1B2D-46DE-A5FD-C38DD04FB43D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Pinging google.com [74.125.225.52] with 32 bytes of data:
Reply from 74.125.225.52: bytes=32 time=129ms TTL=55
Reply from 74.125.225.52: bytes=32 time=117ms TTL=55

Ping statistics for 74.125.225.52:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 117ms, Maximum = 129ms, Average = 123ms

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=180ms TTL=53
Reply from 72.30.2.43: bytes=32 time=117ms TTL=53

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 117ms, Maximum = 180ms, Average = 148ms

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:
Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...00 1e 33 75 7d 89 ......Realtek PCIe FE Family Controller
10...00 21 5d 3d 55 70 ......Intel® WiFi Link 5100 AGN
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.112 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.112 281
192.168.1.112 255.255.255.255 On-link 192.168.1.112 281
192.168.1.255 255.255.255.255 On-link 192.168.1.112 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.112 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.112 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 281 fe80::/64 On-link
10 281 fe80::4499:f0df:a105:2668/128
On-link
1 306 ff00::/8 On-link
10 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 mswsock.dll [File Not found] ()
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
x64-Catalog5 01 mswsock.dll [File Not found] ()
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 mswsock.dll [File Not found] ()
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog9 01 mswsock.dll [File Not found] ()
x64-Catalog9 02 mswsock.dll [File Not found] ()
x64-Catalog9 03 mswsock.dll [File Not found] ()
x64-Catalog9 04 mswsock.dll [File Not found] ()
x64-Catalog9 05 mswsock.dll [File Not found] ()
x64-Catalog9 06 mswsock.dll [File Not found] ()
x64-Catalog9 07 mswsock.dll [File Not found] ()
x64-Catalog9 08 mswsock.dll [File Not found] ()
x64-Catalog9 09 mswsock.dll [File Not found] ()
x64-Catalog9 10 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/14/2012 08:56:58 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/14/2012 08:46:30 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/14/2012 08:33:03 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/07/2012 07:01:10 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/07/2012 06:47:40 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/07/2012 04:39:48 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/07/2012 04:31:28 PM) (Source: MsiInstaller) (User: AIR SYSTEM ANALYZERS)AIR SYSTEM ANALYZERS
Description: Product: Nuance PaperPort 12 -- Error 1706.No valid source could be found for product Nuance PaperPort 12. The Windows Installer cannot continue.

Error: (01/07/2012 04:30:10 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/07/2012 03:53:47 PM) (Source: MsiInstaller) (User: AIR SYSTEM ANALYZERS)AIR SYSTEM ANALYZERS
Description: Product: Nuance PaperPort 12 -- Error 1706.No valid source could be found for product Nuance PaperPort 12. The Windows Installer cannot continue.

Error: (01/07/2012 03:53:42 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (01/14/2012 08:59:43 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/14/2012 08:58:40 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/14/2012 08:57:23 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/14/2012 08:56:41 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/14/2012 08:56:06 PM) (Source: Microsoft-Windows-DNS-Client) (User: NETWORK SERVICE)
Description: There was an error while attempting to read the local hosts file.

Error: (01/14/2012 08:56:05 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (01/14/2012 08:56:05 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (01/14/2012 08:56:03 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (01/14/2012 08:55:58 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (01/14/2012 08:55:19 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
discache
SASDIFSV
SASKUTIL
spldr
tmtdi
Wanarpv6


Microsoft Office Sessions:
=========================

=========================== Installed Programs ============================

Update for Microsoft Office 2007 (KB2508958)
Adobe Flash Player 11 ActiveX 64-bit (Version: 11.1.102.55)
Adobe Flash Player 11 Plugin (Version: 11.1.102.55)
Adobe Reader 8.1.2 (Version: 8.1.2)
Akamai NetSession Interface
Autodesk Design Review 2011 (Version: 11.0.0.86)
Bing Bar (Version: 7.0.609.0)
Brother P-touch Editor 5.0 (Version: 5.0.1210)
Camera Assistant Software for Toshiba (Version: 1.7.193.0508L)
CCleaner (Version: 3.14)
CD/DVD Drive Acoustic Silencer (Version: 3.01.04)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Coupon Printer for Windows (Version: 5.0.0.0)
DVD MovieFactory for TOSHIBA (Version: 5.51)
DWG TrueView 2010 (Version: 18.0.55.0)
Face Theme (Version: 1.0)
GIMP 2.6.4
HP Deskjet 1000 J110 series Basic Device Software (Version: 22.0.334.0)
HP Deskjet 1000 J110 series Help (Version: 140.0.65.65)
HP Deskjet 1000 J110 series Product Improvement Study (Version: 22.0.334.0)
HP Photo Creations (Version: 1.0.0.3341)
HP Update (Version: 5.002.005.003)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 22 (Version: 6.0.220)
Java™ 6 Update 6 (Version: 1.6.0.60)
Java™ 6 Update 7 (Version: 1.6.0.70)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Easy Assist v2 (Version: 8.1.6416.0)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works (Version: 9.7.0621)
Microsoft XML Parser (Version: 8.20.8730.4)
Moto Helper Service (Version: 5.5)
MotoHelper 2.0.46 Driver 5.0.0 (Version: 2.0.46)
MotoHelper MergeModules (Version: 1.2.0)
Motorola Mobile Drivers Installation 5.0.0 (Version: 5.0.0)
Motorola Phone Tools (Version: 5.00)
Motorola Phone Tools (Version: 5.10a 7/8/2008)
Mototools Software Update (Version: 3.3.6)
Mozilla Firefox 8.0 (x86 en-US) (Version: 8.0)
Mozilla Thunderbird (8.0) (Version: 8.0 (en-US))
MSXML 4.0 SP2 (KB941833) (Version: 4.20.9849.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
Nuance PaperPort 12 (Version: 12.1.0000)
Nuance PDF Viewer Plus (Version: 5.30.3290)
OpenOffice.org 3.1 (Version: 3.1.9420)
PaperPort Image Printer 64-bit (Version: 1.00.0001)
PL-2303 USB-to-Serial
PL-2303 Vista Driver Installer (Version: 3.2.0.0)
QuickBooks Financial Center (Version: 1.10.0000)
Qwest Installer (Version: 1.1)
Realtek 8169 8168 8101E 8102E Ethernet Driver (Version: 1.00.0000)
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader (Version: )
Scansoft PDF Professional
Skype Toolbars (Version: 1.0.4051)
Skype™ 4.2 (Version: 4.2.187)
Spybot - Search & Destroy (Version: 1.6.2)
SUPERAntiSpyware (Version: 5.0.1142)
Synaptics Pointing Device Driver (Version: 11.2.4.0)
TOSHIBA Application Disc Creator (Version: 2.0.0.2 for x64)
TOSHIBA Assist (Version: 3.00.06)
TOSHIBA ConfigFree (Version: 7.2.20)
TOSHIBA Desktop Links (Version: 1.7)
TOSHIBA Disc Creator (Version: 2.0.1.3 for x64)
TOSHIBA DVD PLAYER (Version: 1.31.14)
TOSHIBA Extended Tiles for Windows Mobility Center (Version: )
TOSHIBA Extended Tiles for Windows Mobility Center (Version: 1.01.00)
TOSHIBA Face Recognition (Version: 2.0.2.64)
TOSHIBA Hardware Setup (Version: 2.00.08)
Toshiba Registration (Version: 1.00.0000)
TOSHIBA Service Station (Version: 2.1.51)
TOSHIBA Software Modem (Version: 2.1.87 (SM2187ALS04))
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password (Version: 2.00.04)
TOSHIBA Value Added Package (Version: 1.1.24.64)
Trend Micro Titanium (Version: 3.1.1109)
Trend Micro™ Titanium™ (Version: 3.00)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update Installer for WildTangent Games App
WildTangent Games (Version: 1.0.0.62)
WildTangent Games App (Toshiba Games) (Version: 4.0.4.9)
Windows Driver Package - TOSHIBA (FwLnk) System (11/19/2006 1.0.0.3) (Version: 11/19/2006 1.0.0.3)
Windows Live ID Sign-in Assistant (Version: 6.500.3165.0)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series (Version: 9.00.3374)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)

========================= Devices: ================================

Name: Windows Firewall Authorization Driver
Description: Windows Firewall Authorization Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: mpsdrv
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


========================= Memory info: ===================================

Percentage of memory in use: 24%
Total physical RAM: 3964 MB
Available physical RAM: 3005.61 MB
Total Pagefile: 7926.19 MB
Available Pagefile: 6987.83 MB
Total Virtual: 4095.88 MB
Available Virtual: 3975.46 MB

========================= Partitions: =====================================

1 Drive c: (SQ004817V03) (Fixed) (Total:296.62 GB) (Free:249.62 GB) NTFS

========================= Users: ========================================

User accounts for \\AIRSYSTEMS-PC

Administrator AIR SYSTEM ANALYZERS CINDY
Guest

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

#7 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 14 January 2012 - 11:46 PM

Boopme -

Below is the eset log.

Thanks,
Smurf-Slayer


C:\Program Files (x86)\Loaris\Trojan Remover 1.2\ltr12.exe a variant of Win32/1AntiVirus application cleaned by deleting - quarantined
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\1837af12-6bc3d397 multiple threats deleted - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5767092-1146bb5b a variant of Java/TrojanDownloader.OpenStream.NCI trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5767092-196de1ea a variant of Java/TrojanDownloader.OpenStream.NCI trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5767092-2b956093 a variant of Java/TrojanDownloader.OpenStream.NCI trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5767092-3814ca86 a variant of Java/TrojanDownloader.OpenStream.NCI trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5767092-3bdff9bb a variant of Java/TrojanDownloader.OpenStream.NCI trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\5767092-6a866619 a variant of Java/TrojanDownloader.OpenStream.NCI trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-1cc6c0c0 a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-21a5092d a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-3126c7a5 a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-36ae7879 a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-4cd05c23 a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\2cc07e61-6926aca0 a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d358f61-2849fc81 a variant of Java/TrojanDownloader.OpenStream.NCM trojan cleaned by deleting - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\26ac7ea2-41c106e4 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\4d809ea6-5e0ffa6d a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\4d809ea6-6c319a1c a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\ef0ef68-713efbdf Java/TrojanDownloader.OpenStream.NCM trojan deleted - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-36a24596 Java/TrojanDownloader.OpenStream.NCM trojan deleted - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\62\56f963be-28aca98d a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Users\AIR SYSTEM ANALYZERS\AppData\Roaming\Mozilla\Firefox\Profiles\mfhpf41r.default\extensions\{d503e0bc-c8f3-490e-b55d-a735be5a8bca}\chrome\xulcache.jar JS/Agent.NDO trojan cleaned by deleting - quarantined
C:\Users\CINDY\AppData\Roaming\Mozilla\Firefox\Profiles\2kkdvzhk.default\extensions\{d503e0bc-c8f3-490e-b55d-a735be5a8bca}\chrome\xulcache.jar JS/Agent.NDO trojan cleaned by deleting - quarantined
C:\Windows\assembly\tmp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\3e90c6dc-34387157 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\7d82661-4047cd45 a variant of Java/Agent.DU trojan deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\41\3d3fb229-555a0e0e a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\1a03c108-36364cc4 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Windows\system64\consrv.dll probably a variant of Win32/Agent.ILLJSHB trojan cleaned by deleting - quarantined
Operating memory a variant of Win32/Sirefef.DN trojan

#8 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 15 January 2012 - 12:11 AM

Boopme -

GMER didn't find anything, so the log was blank.

Thanks,
Smurf-Slayer

Edited by Smurf-Slayer, 15 January 2012 - 02:41 PM.


#9 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 15 January 2012 - 01:49 PM

Boopme -

This computer won't boot up. I let it try the auto repair and it says it can't fix it automatically.

During the Safe Mode boot it said it couldn't access %sh or %bh. It wasn't on the screen very long and the "Blue Screen" it was on only had one line on it, and then it would restart. It would not boot normal at all, it would just restart and try to boot into safe mode.

What should I do?

Thanks,
Smurf-Slayer

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 PM

Posted 15 January 2012 - 01:57 PM

No boot on safe or normal mode?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 15 January 2012 - 02:00 PM

Boopme -

I'm seriously confused now...

It said it couldn't automatically fix it. So I rebooted. It booted up normally, and it let me log in. I couldn't log in normally yesterday? Remember that it would just hang after entering the password? I could only get on the machine in Safe Mode....

It looks like the restore point thing did work, because it is back at a point that Malware Bytes is no longer "pro".

Now I don't want to turn it off...

Please advise.

Thank you,
Smurf-Slayer

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,026 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 PM

Posted 15 January 2012 - 03:27 PM

Hello, looks like you should run CHKDSK.
As you issues are getting more serious you should back up any important documents.

1.Open the "Computer" window
2.Right-click on the drive in question
3.Select the "Tools" tab
4.In the Error-checking area, click <Check Now>.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 15 January 2012 - 03:48 PM

Boopme -

There should be a step 2a "Click Properties".

It said it can't do it while it is in use, and asked if I wanted to "schedule" the scan for the next reboot. I said yes, and I am rebooting now.

Thanks,
Smurf-Slayer

Edited by Smurf-Slayer, 15 January 2012 - 03:49 PM.


#14 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 15 January 2012 - 04:56 PM

Boopme -

The checkdisk ran, and the computer rebooted.

Thanks,
Smurf-Slayer

#15 Smurf-Slayer

Smurf-Slayer
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:07:44 PM

Posted 20 January 2012 - 01:29 PM

Boopme -

Just checking in...

Smurf-Slayer




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users